I am trying to do the load testing of salesforce.com. I am logging via test.salesforce.com which is redirecting me to the console url. Now, subsequent post request accepts following post parameters.
ViewStateCSRF
ViewStateMAC
visualforce.ViewState
But this post request is failing with "invalid session" error message.
I am guessing this is because of CSRF token. I am trying to extract(post processor in Jmeter) CSRF token, but I am unable to find this token anywhere in the response/cookie of previous requests. In one of the HTML response, I can find few CSRF tokens(e.g: runApexCsrfToken, consoleAjaxCsrfToken etc). I have tried all of them but no result.
To summarize my problem: I need to pass csrf token in post login request but I am unable to find this token in previous responses.
Could you please help me with this.
PS: I have tried get request on "https://c.salesforce.com/libs/granite/csrf/token.json" after login but did not find any token in response.
Make sure to add HTTP Cookie Manager to your Test Plan
Make sure to check all response fields as the token can be a part of URL or come as a HTTP Header
You need to correlate not only ViewStateCSRF but all other dynamic parameters as well
If you have problems with identifying the source for the dynamic parameters values you can try recording your scenario using cloud-based proxy service, it is capable of exporting recorded scripts in "SmartJMX" mode with automatic detection and correlation of dynamic parameters. See How to Cut Your JMeter Scripting Time by 80% article for more details
Related
I'm doing Jmeter scripting for Login flow which is having SSO authentication.
I have correlated almost all the token values like SAML request, SAML response,Request verification token & client id request ,but I'm not getting proper response in the login call.The SSO calls is failing with 401 response code.
When we try to decode the SAML response(using online SAML decoder) which i'm getting it from the previous request call response in Jmeter, the Status is showing as Responder. but the same is showing as Success when we decode the SAML response which we are getting it from the LoadRunner or Developer Console
Note : The same script is working fine in Load Runner
Can Someone help me
enter image description here
If "the same script is working fine in Load Runner" and doesn't work in JMeter - this is not the same script. You need to figure out what are the differences and amend your JMeter configuration so JMeter will send the same requests as Load Runner (or even better a real browser)
I have correlated almost all the token values
"almost all" is not sufficient, you need to correlate all the dynamic parameters.
Use a 3rd-party sniffer tool like Fiddler or Wireshark to capture the requests originating from JMeter and Load Runner (or real browser).
The requests must be exactly the same (apart from dynamic values which need to be correlated). Once you send the same request you will get the same response. Pay attention to literally everything: not only request body matters, take a look at URL query strings, request headers and so on.
I am getting below error in jmeter performance testing
ERROR:
The token in the request does not match the one in the session!
Scenarios:
user logs into the appln
click on the modify user from the menu
search for the user
select the user
adding roles to the user
6.click submit
7.click on return to search button.
8.click on logout.
I am getting the csrf token in the post method and i captured the csrf token in 2 samples before in the GET method.I added regular expression in GET method and i used that regular expression variable in the Post method token.
Please let me know how to fix the token error.
Thanks,
It's hard to provide a comprehensive response without seeing network dump of requests from the real browser and from JMeter, most probably you need to extract the CSRF token from every response, not "2 samples before", try moving your Regular Expression Extractor to the same level as HTTP Request samplers - this way it will be applied to all of them and will extract the "fresh" CSRF token from each response. See JMeter Scoping Rules - The Ultimate Guide article for more information
As per Cross-Site Request Forgery Prevention Cheat Sheet
The site then requires that every transaction request include this pseudorandom value as a hidden form value (or other request parameter/header)`
The following guidance will demonstrate how to create overrides in JavaScript libraries to have CSRF tokens included automatically with every AJAX request for the state changing methods mentioned above.
CSRF tokens should be generated on the server-side. They can be generated once per user session or for each request.
I am working with Jmeter to do load testing. I created a simple login script using BlazeMeter. Then I imported the file into Jmeter.
Whenever I try to run the script, it fails. The first problem I encounter here is that in my first http request I receive a 403 response code:
I added a cookie manager and an authorization manager to try and solve this but it is not working. I think the problem is with cors in the manager header as 403 code means that it received the petition but the access to it was denied. Do you have any suggestions on how to resolve this? I tried adding post processors but couldn't make them work. Maybe because I am a newbie to jmeter and load testing. Idk.
As per HTTP Status 403 description
The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it.
so most probably your request is missing some authentication context.
Your recording seems to be incomplete, you seem to be testing a GeneXus-based application and it is using AJAX_SECURITY_TOKEN header as the security parameter.
From your screenshot it seems that you're sending recorded hard-coded value, however you should design your script as follows:
Perform initial request, i.e. open login page
Extract AJAX_SECURITY_TOKEN header value using Regular Expression Extractor
Substitute this e8985.... recorded value with the JMeter Variable from the Regular Expression Extractor
Check out Using Regular Expressions to Extract Tokens and Session IDs to Variables article for more information.
I am testing an API endpoint for which there is a form based authentication(for additional security). Can someone suggest how to handle form based authentication in Jmeter. I tried with HTTP Authorization Manage, still my request is failing.
You basically need to submit a HTML Form by sending a HTTP POST request using JMeter's HTTP Request sampler.
Given you provide correct credentials you should be authorized for further actions.
In some cases you will need to perform correlation as you might have to provide a dynamic parameter (or several) along with the credentials as your application can use these parameters for i.e. CSRF protection or for other reasons so make sure to carefully inspect the request sent by the real browser (you can capture the original request using browser developer tools) and if there are any dynamic parameters - you should extract them from the previous response using a suitable JMeter Post-Processor
Once you successfully log in it should be enough to add HTTP Cookie Manager to maintain the user session.
I'm having trouble with getting my site normally loaded during the performance testing in Apache JMeter. Firstly I recorded the script (by BadBoy), containing authorization and visiting some pages, unavailable without login. Next, I exported it to JMeter, configured Regular Expression Extractor to get the csrftoken from the request right before the authorization request and it looks like it works just fine:
no errors in http-requests
But if to look at the tab "Response data" of every post-authorized request, the content isn't like correctly loaded page, it just starts page with the empty authorization form, i.e. in some way session is new though all the requests have the same session id and csrftoken in Cookie Data and in Set-Cookie (Sample result), appeared in authorization request result.
HTTP Cookie Manager is added.
Did anyone face this trouble?
UPDATE: I've conducted an experiment with transferring cookies from Chrome to Mozilla Firefox, copied 'csrftoken' and 'session id', and - voila! - it worked, I got the same authorized session in two browsers. Still have no idea what's wrong with JMeter
JMeter automatically treats HTTP Response Codes below 400 as successful, it doesn't perform any checks of response body. Most likely your Regular Expression Extractor failed, add a Debug Sampler and double check resulting variable value.
There could be also the following possible reasons:
You might need to send CSRF token in encoded/escaped form so using i.e. __urlEncode() function will be required. Or vice versa.
Application may expect the token in multiple locations, i.e. not only as a form parameter, but as an extra HTTP Header. In that case you will need to pass it via HTTP Header Manager
You might also want to try the new step-by-step debugger for JMeter to get to the bottom of the issue.
This is the default behavior of this token. 1. make sure where these tokens are passed. It might be passed multiple times. Check the header. Generally, "xref-token" is again passed.
It should be in exact format, decode it if required, also remove , or ; or /. You can also use fiddler.
The solution was found after recording a script by Blazemeter plugin in Chrome and further exporting it in '.JMX' format. Adding an HTTP Header Manager like this (with its special fields, of course) to each HTTP Request solved the problem.