When I try to run performance testing on ASP.net web application, always i am getting either "The anti-forgery cookie token and form field token do not match."
or
"The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster."
Could you please help me how to resolve this. I have tried multiple methods like adding regular expression extractor to extract "__RequestVerificationToken", but nothing worked out.
Note: this is happening only when i run from Jmeter. if I browse application directly on web, i dont see any issue.
Thanks,
Pani
Looking into XSRF/CSRF Prevention in ASP.NET MVC and Web Pages it appears that you're either sending an incorrect __RequestVerificationToken parameter value or completely miss the step.
If the current HTTP request already contains an anti-XSRF session token (the anti-XSRF cookie __RequestVerificationToken), the security token is extracted from it. If the HTTP request does not contain an anti-XSRF session token or if extraction of the security token fails, a new random anti-XSRF token will be generated.
So your test should look like:
Open Login Page (HTTP Get Request)
Extract __RequestVerificationToken dynamic parameter value using suitable JMeter PostProcessor, I would recommend going for CSS Selector Extractor, the configuration would be something like:
Once done you can refer the extracted value as ${token} in the next request
Check out ASP.NET Login Testing with JMeter article for more detailed information and step-by-step instructions if needed
Related
I am facing one problem that i am unable to login to the liferay website using JMeter.
The problem i know already but don't know how to hanmdle it.
I get to know that "p_auth" token is requried to access the sub pages, but here i am facing an issue in which i don't even able to acccess the login page itself if run the script second time.
My concerns:
how to check "p_auth" token parameter for login page (i.e without login)
Please help me to solve the problem.
Note: i tried to extract the "p_auth" token , but i am unable to see any "p_auth" token for login page itself(i.e without login.. just a login page(get api))
Your test plan need to look like:
Open Login Page - HTTP GET request
Extract p_auth dynamic parameter value using a suitable JMeter Post-Processor
Perform the login - HTTP POST request where you need to provide your credentials and the p_auth token value from the previous request
You won't be able to "see" the token in the page, it's hidden in the page source so you will need to use browser developer tools or JMeter's View Results Tree listener in order to "see" the token value.
Also don't forget to add HTTP Cookie Manager to your test plan as missing CSRF token is not the only thing which can stop you from logging in.
Im currently trying to load test a website with keycloak authorization.
The problem is that i cant find the authorization code anywhere in the previous https requests, so i cant use the regular expression extractor to grab it and turn it to a dynamic variable. So how do i configure it to be dynamic?
the auhorization code as it was recorded with blazemeter
i already turned to session_code, tab_id and executive into dynamic variables, but it still returns "{"error":"invalid_grant","error_description":"Code not valid"}"
As per Authorization Code Flow:
Browser visits application. The application notices the user is not logged in, so it redirects the browser to Keycloak to be authenticated. The application passes along a callback URL (a redirect URL) as a query parameter in this browser redirect that Keycloak will use when it finishes authentication.
Keycloak authenticates the user and creates a one-time, very short lived, temporary code. Keycloak redirects back to the application using the callback URL provided earlier and additionally adds the temporary code as a query parameter in the callback URL.
The application extracts the temporary code and makes a background out of band REST invocation to Keycloak to exchange the code for an identity, access and refresh token. Once this temporary code has been used once to obtain the tokens, it can never be used again. This prevents potential replay attacks.
My expectation is that you don't see the code anywhere because the code has been passed from keycloak to the application via the redirect URL.
So instead of asking keycloak to send the redirect back to application with the temporary code you need to ask it to send the request to JMeter and catch it via i.e. HTTP Mirror Server, once the request reaches JMeter you should be able to get the temporary code using Regular Expression Extractor or Boundary Extractor from the Location header.
I am trying to perform load testing using JMeter on my project's web service (search web service for instance), the problem I am facing is that I am getting {"Message":"Authorization has been denied for this request."} in "Response data" tab in JMeter
This same message I also get when I try to paste the same query string (which I am using in JMeter as Path) in browser new tab without logging in first,, but if I login on my project first and then try to paste the query string in browser's new tab then it works fine.
Now the actual problem that I am facing in JMeter is that I am unable to log in to the system using "HTTP Header Manager"
I tried by adding Basic authentication in "HTTP Header Manager" but it didn't worked, then my developer told me that he is using "ASP Membership" authentication instead of Basic authentication,, now I am not sure how to use this type of authentication in JMeter.
I think I have explained my problem in detail here, can any one please help me in this as I am really stuck into it.
Thanks in advance
You need to add a cookie-manager to your Thread Group. This will preserve the cookies ( hence sessions) between requests. Next add a http request which will do a POST of your login form then another HTTP Request with your actual request. This way you are imitating the steps you do on your browser - that is - login followed by request.
Looking into ASP.NET Forms Authentication Overview article:
Forms authentication lets you authenticate users by using your own code and then maintain an authentication token in a cookie or in the page URL.
So depending on implenentation of ASP.NET Forms on server side you can use one of the following test elements:
HTTP Cookie Manager
HTTP URL Re-writing Modifier
Also you may need to perform the correlation of the mandatory dynamic parameters such as VIEWSTATE or EVENTVALIDATION. See ASP.NET Login Testing with JMeter guide for detailed explanation and walkthrough.
I just simply want to create a UserSignIn performance testing. My Web app is using ROR to implement after pass the credential it appear that the authenticity_token can be used per individual page I have determine Parameters tab and I receive error
ActionController::InvalidAuthenticityToken in Devise::SessionsController#create
ActionController::InvalidAuthenticityToken
How can I pass the authenticy_token to the Sign page
authenticity_token is the dynamic mandatory parameter which is used in Ruby on Rails for protection from CSRF (Cross Site Request Forgery) attacks
It needs to be correlated as any other dynamic parameter.
For details on how to bypass CSRF protection in your JMeter test check out How to Load Test CSRF-Protected Web Sites guide.
I am testing some api for our product using jmeter. To test the api to verify the user's email address I need to login to the mail account. I have the email and password of a test user. How can I login using an api or any other way in jmeter?
Is it possible at all?
Yes that is possible. You'll have to create a test plan with multiple steps but these depend on the concrete implementation of the login.
First you must identify the following two locations:
The GET request that gets the initial login form (if this is required).
The POST request that posts the login credentials.
If your service has a stateless login form you can even skip the first step.
Otherwise the response of the GET request will contain stuff which needs to be extracted (e.g. the JSESSIONID if you are using JSF) and sent as a parameters in the POST request. You can use the Regular Expression Extractor of JMeter to extract these values and provide them as variables for use in the subsequent requests.
Here is an example screenshot of a HTTP Request element configured to POST login data to the url /common/j_security_check
You might also need to intercept an authentication token from the server response and then pass that into following requests.
Here is a blog entry with a couple of video tutorials on logins with JMeter:
http://community.blazemeter.com/knowledgebase/articles/80479-how-to-use-jmeter-for-login-authentication
You can use jmeter to login,
two ways:
parameterization using csv file(for more users)/user defined variables(UDV)
Login config elements(for single user)
Now that I understand you want to automatically click on a confirmation link from an email using JMeter, here is a blog entry that explains exactly how to do that:
http://blazemeter.com/blog/how-create-jmeter-script-check-email-during-registration-and-grab-confirmation-url
Ophir