In today’s web technologies a common defensive mechanism against csrf attacks is to use a synchronizer token.
This token is unique for each request and thus it blocks us from using the recorded JMeter test session off the shelf.

The solution is to identify and extract the token from the html form.
Identification can be tricky as the dynamic data not always stand out in the html code.
A good practice is to record two test cases with different user credentials and compare the parameters.
Try to identify the technologies used and Google for some documentation.

In our example case we have a standard Django HTML form with a token which looks like this:

<input type="hidden" name="csrfmiddlewaretoken" value="KbyUmhTLMpYj7CD2di7JKP1P3qmLlkPt">

Now comes the token extraction. In JMeter there is a post-processor called Regular Expression Extractor.
It works with regular expression and it can extract almost anything.
We have to add one into the login get request as it is shown on the picture.
Adding the Regular Expression Extractor
Regular Expression Extractor Example
I will only go through the important settings:
Regular expression – example: name=’csrfmiddlewaretoken’ value='([^”]+?)’
Reference name: the name of the token variable
Template: $1$ – selects the string in the parenthesis
This expression will select the token.
Match number: which appearance of the expression should we use
Default Value: it is a good practice to set some text here to see if the regular expression extracted the value correctly for eg.: NOT FOUND
Now comes the interesting part where we put the freshly extracted token out to work.
Http request
As it is visible on the picture we just used the reference name of the token to put the value into the request, and it is done.
If the expression doesn’t work for some reason you will get the String NOT FOUND.

You can read more about cross site request forgery on Wikipedia and about the jmeter regular expression extractor on their Official site.

Posted By Tihomir Turzai

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>