Posts Tagged ‘ CSRF prevention ’

Handling CSRF prevention tokens / dynamic data in JMeter

A common defence against CSRF attacks in today's web applications is the synchronizer token: the server generates a secret value, embeds it in the HTML form (usually as a hidden input) and rejects any submission whose token does not match the one it issued. Because the token is unique for each request (or, in some implementations, for each session), the value captured in a recorded JMeter test session is stale when the recording is replayed, so the recorded test plan cannot be used off the shelf.

The solution is to identify the token in the server's HTML response and extract it at run time with a post-processor (JMeter's Regular Expression Extractor or CSS Selector Extractor), storing it in a variable that the following request references in place of the recorded literal.
Identification can be tricky, as dynamic data does not always stand out in the HTML code, and a token may also travel in a response header or cookie rather than in the form itself.
A good practice is to record the same scenario twice with different user credentials and compare the request parameters: whatever differs, apart from the values you typed yourself, is a candidate for server-generated data.
Try to identify the technologies in use (framework, CSRF library) and Google for their documentation, which usually names the token field and says where it is placed.
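The procedure above, as an added example that is not part of the original post: a Python script (JMeter's own extractors are configured in the GUI, so this is a stand-in for the same logic) that compares two constructed recordings to find the dynamic parameter, extracts the hidden token from a fresh copy of the page, shows the regex you would put in a JMeter Regular Expression Extractor, and rebuilds the recorded POST body with the fresh value the way a ${csrf} variable reference would. The form markup, field name `_csrf` and token values are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Constructed sample data (hypothetical form, field name and token values).
# Two recordings of the same login step, made with different credentials as
# the post recommends: the HTML the server returned for the login page and
# the POST body JMeter captured when the form was submitted.
LOGIN_PAGE_A = """
<form method="post" action="/login">
  <input type="hidden" name="_csrf" value="a1b2c3d4e5f6">
  <label>User <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <input type="checkbox" name="remember" value="1" checked>
  <input type="submit" value="Log in">
</form>
"""
POST_BODY_A = "username=alice&password=secret1&_csrf=a1b2c3d4e5f6&remember=1"

LOGIN_PAGE_B = LOGIN_PAGE_A.replace("a1b2c3d4e5f6", "9f8e7d6c5b4a")
POST_BODY_B = "username=bob&password=secret2&_csrf=9f8e7d6c5b4a&remember=1"


def find_dynamic_params(body_a, body_b, entered=()):
    """Names of POST parameters whose value differs between two recordings.

    Parameters the tester typed themselves (the credentials) are listed in
    `entered` and excluded; whatever remains is server-generated dynamic
    data such as a synchronizer token.
    """
    a = dict(parse_qsl(body_a, keep_blank_values=True))
    b = dict(parse_qsl(body_b, keep_blank_values=True))
    names = set(a) | set(b)
    return sorted(n for n in names if a.get(n) != b.get(n) and n not in entered)


class HiddenInputParser(HTMLParser):
    """Collects name/value pairs of <input type="hidden"> elements."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def extract_hidden_inputs(html):
    """Return every hidden input in the page; the token is normally among them."""
    parser = HiddenInputParser()
    parser.feed(html)
    return parser.hidden


# The same extraction as the regex you would enter in a JMeter Regular
# Expression Extractor (template $1$, match no. 1). Parsing the DOM is more
# robust to attribute reordering, but JMeter's extractor is regex-based.
JMETER_TOKEN_REGEX = r'name="_csrf"\s+value="([^"]*)"'


def extract_token_with_regex(html, pattern=JMETER_TOKEN_REGEX):
    """Return the first captured group, or None when the page carries no token."""
    match = re.search(pattern, html)
    return match.group(1) if match else None


def rebuild_post_body(recorded_body, fresh_values):
    """Replace recorded dynamic values with freshly extracted ones.

    This is what happens in JMeter when the recorded literal in the HTTP
    Request sampler is replaced by a variable reference such as ${csrf}.
    """
    pairs = [(name, fresh_values.get(name, value))
             for name, value in parse_qsl(recorded_body, keep_blank_values=True)]
    return urlencode(pairs)


if __name__ == "__main__":
    dynamic = find_dynamic_params(POST_BODY_A, POST_BODY_B, entered=("username", "password"))
    print("dynamic parameters:", dynamic)  # ['_csrf']
    fresh = extract_hidden_inputs(LOGIN_PAGE_B)
    print("hidden inputs in fresh page:", fresh)
    print("regex extractor:", extract_token_with_regex(LOGIN_PAGE_B))
    print("replayed body:", rebuild_post_body(POST_BODY_A, {n: fresh[n] for n in dynamic}))
```

In a real test plan the extraction runs against the live response of the page request, not against a saved copy, and the extracted variable must be referenced in every later request that carries the token, not just the one immediately after.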