JMeter and CSRF - jmeter

I am doing performance testing of one of the applications.
Below are the specifications of the application.
1. It is based on SharePoint 2013.
2. It uses JSON for interchanging data between the pages.
3. It uses NTLM authentication.
4. A CSRF security fix is implemented in the application.
Please find below the problem description.
When I am running the recorded script, one of my pages is showing "{ : "d":false| CSRF attack" "

A CSRF token is basically a dynamic parameter; for SharePoint it's usually called __RequestVerificationToken. You need to extract it from the first page using one of the following PostProcessors:
Regular Expression Extractor
XPath Extractor
CSS/JQuery Extractor
and use the extracted value in the second request. See the How to Load Test CSRF-Protected Web Sites article for a comprehensive explanation and bypass example.
In order to deal with NTLM authentication use the HTTP Authorization Manager.

Use a Regular Expression Extractor, as Dmitri suggests.
The token must be there somewhere - CSRF works by sending a token as part of one request, then checking that the same token is received with the following request. Can you add an example of your JSON to your question?

Testing keycloak login/registration using JMeter

We have a requirement to test Keycloak Login/Registration using the Keycloak application. When I open the portal and click on continue to Login/Registration, it is redirecting to the following URL and taking query parameters.
I am not aware how and from which section we can get the values of the query parameters to pass:
https://keycloak..com/realms//protocol/openid-connect/auth?client_id=&redirect_uri=http***personal-information
state= f707ae75-4543-46a8-8204-538492251966
nonce= 03d80815-c174-4453-83d4-0324726b87df
code challenge= OpSGM55wKbL4suTi_-FJcyWIdD63UryMV8fX4Mu-dc4
code challenge method= S256
tab id= ub4Sj_h_Cho
Please help here, if possible
Thanks
You've mentioned you're redirected, which means that one of the previous requests responds with i.e. a 302 HTTP Status Code and its Location header contains the Keycloak URL and all these query parameters.
If you need to extract them for future use - go for Regular Expression Extractor or Boundary Extractor, just make sure to choose the relevant "Field to check".
Your app uses Authorization Code Flow with Proof Key for Code Exchange (PKCE), so you need to understand:
1.) OIDC auth request (client_id, redirect_uri, state parameters - they are configured in your IDP/Keycloak usually): https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
2.) PKCE part (code_challenge, code_challenge parameters - they are generated usually): https://datatracker.ietf.org/doc/html/rfc7636
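As an added illustration of the answer above (this is not Keycloak's code and not part of the question or answer), the following Python pulls the OIDC and PKCE query parameters out of a redirect Location header and shows how an S256 code_challenge is derived from a code_verifier per RFC 7636. The Location value is constructed in the shape of the URL quoted in the question; the host, realm and client_id are placeholders, while state, nonce and code_challenge are the values from the question.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed 302 Location header (placeholder host/realm/client); the state,
# nonce and code_challenge values are the ones quoted in the question.
LOCATION = ("https://keycloak.example/realms/demo/protocol/openid-connect/auth"
            "?client_id=portal"
            "&redirect_uri=https%3A%2F%2Fportal.example%2Fpersonal-information"
            "&response_type=code&scope=openid"
            "&state=f707ae75-4543-46a8-8204-538492251966"
            "&nonce=03d80815-c174-4453-83d4-0324726b87df"
            "&code_challenge=OpSGM55wKbL4suTi_-FJcyWIdD63UryMV8fX4Mu-dc4"
            "&code_challenge_method=S256")


def auth_request_params(location: str) -> dict:
    """Single-valued query parameters of the authorization request URL
    (what a Regular Expression Extractor on Response Headers would capture)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair() -> tuple:
    """A fresh verifier (kept by the client until the token request) and the
    challenge that belongs in the authorization request. A load-test script
    must generate its own pair: a recorded challenge cannot be replayed
    because the verifier behind it is unknown."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    return verifier, code_challenge(verifier)


def challenge_matches(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs when the code is exchanged."""
    return code_challenge(verifier) == challenge
```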

I am getting token error which is not matching with session in the request

I am getting the below error in JMeter performance testing.
ERROR:
The token in the request does not match the one in the session!
Scenarios:
1. User logs into the application.
2. Click on "modify user" from the menu.
3. Search for the user.
4. Select the user.
5. Add roles to the user.
6. Click submit.
7. Click on the "return to search" button.
8. Click on logout.
I am getting the CSRF token in the POST method and I captured the CSRF token 2 samples before in the GET method. I added a regular expression in the GET method and I used that regular expression variable in the POST method token.
Please let me know how to fix the token error.
Thanks,
It's hard to provide a comprehensive response without seeing a network dump of requests from the real browser and from JMeter. Most probably you need to extract the CSRF token from every response, not "2 samples before"; try moving your Regular Expression Extractor to the same level as the HTTP Request samplers - this way it will be applied to all of them and will extract the "fresh" CSRF token from each response. See the JMeter Scoping Rules - The Ultimate Guide article for more information.
As per the Cross-Site Request Forgery Prevention Cheat Sheet:
The site then requires that every transaction request include this pseudorandom value as a hidden form value (or other request parameter/header)
The following guidance will demonstrate how to create overrides in JavaScript libraries to have CSRF tokens included automatically with every AJAX request for the state changing methods mentioned above.
CSRF tokens should be generated on the server-side. They can be generated once per user session or for each request.
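The following Python is an added illustration (not JMeter code and not the asker's application) of why the answer above tells the asker to take the token from every response, and of the first thread's advice to extract __RequestVerificationToken from one page and send it with the next request. It models a constructed server that keeps the token in the session and can be switched between the two generation policies the cheat sheet names, once per session or once per request, and a replayed script that either refreshes its captured token after every sampler or keeps using the one captured "2 samples before".

```python
import hmac
import re
import secrets

# Constructed model of a server-side CSRF check (not JMeter code and not the
# asker's application): the token lives in the session and may rotate per request.
TOKEN_RE = re.compile(r'name="__RequestVerificationToken" value="([^"]+)"')


class CsrfServer:
    def __init__(self, rotate_per_request: bool):
        self.rotate = rotate_per_request
        self.session_token = secrets.token_urlsafe(32)

    def get_page(self) -> str:
        # Every page embeds the current session token as a hidden form field.
        return ('<form method="post"><input type="hidden" '
                f'name="__RequestVerificationToken" value="{self.session_token}">'
                '</form>')

    def post(self, form: dict) -> str:
        sent = form.get("__RequestVerificationToken", "")
        # Constant-time compare of the submitted token against the session copy.
        if not hmac.compare_digest(sent, self.session_token):
            return "The token in the request does not match the one in the session!"
        if self.rotate:                       # per-request tokens: issue a new one
            self.session_token = secrets.token_urlsafe(32)
        return "OK"


def extract_token(html: str) -> str:
    """What a Regular Expression Extractor with Template $1$ would return."""
    m = TOKEN_RE.search(html)
    if m is None:
        raise ValueError("no __RequestVerificationToken in response")
    return m.group(1)


def run_script(server: CsrfServer, refresh_each_step: bool) -> list:
    """Replays three POST samplers; returns the server's reply to each one."""
    token = extract_token(server.get_page())  # captured once, "2 samples before"
    replies = []
    for _ in range(3):
        replies.append(server.post({"__RequestVerificationToken": token}))
        page = server.get_page()
        if refresh_each_step:                 # extractor scoped to every sampler
            token = extract_token(page)
    return replies
```

With per-session tokens the stale script passes; with per-request tokens only the script that re-extracts after each sampler does, which is the scoping change the answer recommends.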

Jmeter : getting 401 error

Does anyone know how to solve it with a regular expression? Here I am putting screenshots with a valid access token and an error response token.
Thanks in advance.
Valid response token
Invalid response token
and Regular Expression Extractor
It is fine if you guys have any other solution for this unauthorized access thing.
Add JSON Extractor as a child of the authserver request and configure it as follows:
Variable Names: anything meaningful, i.e. token
JSON Path expressions: $.access_token
Add HTTP Header Manager as a child of the student request and configure it to send Authorization header with the value of Bearer ${token}
Going forward you can go for an alternative way of recording a JMeter test which is capable of exporting the recorded requests in SmartJMX mode with automatic correlation of dynamic parameters applied so you will be able to save your time for more creative work. See How to Cut Your JMeter Scripting Time by 80% article for more details.

Jmeter Login Request with cookies have wrong Response

I'm new to JMeter. I want to know: if I send a POST request for login with cookies, then in the response the below information is displayed.
Request Error We’re sorry, there was a problem with your request.
Please make sure you have cookies enabled and try again.
What could be going wrong?
It may not be about the missing or incorrect cookies.
You need to provide valid loginCsrfParam value as well, it needs to be extracted from previous response via one of the following PostProcessors:
Regular Expression Extractor
XPath Extractor
CSS/JQuery Extractor
converted into a JMeter Variable and used as a parameter in your login request.
See How to Load Test CSRF-Protected Web Sites guide for comprehensive information on bypassing CSRF protection in your JMeter test.

JMeter: How to use the RESTful API key for authorization of the next set of API

I am creating a JMeter load test plan for RESTful API requests. I need to use the dynamic API key generated in my first sampler (SignIn API) in the next set of API requests I am going to create.
Can someone help out with how to pass the selected data parameters from the response and input them to another API request in the required format for that POST request?
Response Header
WebxxxHeader: {"UserName":"xxxxx","UserID":1,"ApiKey":"ea9a3572-de75-4a85-848a-8fed874f2269","ValidFrom":"2015-06-05 05:54:35","ValidTo":"2015-06-12 05:54:35","UserRole":null,"Password":null,"DeviceToken":null,"DeviceType":null,"IsRetina":false,"UniqueId":null}
Header to be posted in the next set of APIs
WebxxxHeader: {"UserName":"xxxxx","ApiKey":"ea9a3572-de75-4a85-848a-8fed874f2269"}
One more issue here is that I have to pass the user email in the header instead of UserName.
Please share advanced JMeter blog references.
Thanks in advance for your suggestions.
I would suggest searching the web for something like "JMeter correlation" - that should give you the answers you're looking for.
In particular, this API key bit can be handled via the Regular Expression Extractor PostProcessor.
Add Regular Expression Extractor as a child of the request which returns the API Key
Configure it as follows:
Field to check: Response Headers
Reference Name: anything meaningful, i.e. API_KEY
Regular Expression: "ApiKey":"(.+?)"
Template: $1$
Other fields can be left as is
Add HTTP Header Manager as a child of the second request and configure it as follows:
Name: WebxxxHeader
Value: {"UserName":"xxxxx","ApiKey":"${API_KEY}"}
If you are testing a REST API I think that the JSON Path Extractor available via JMeter Plugins could be extremely useful. See the Using the XPath Extractor in JMeter guide (scroll to "Parsing JSON") for installation and usage instructions and some form of JSON Path language reference.
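As an added example (not part of the answer and not JMeter code), this Python applies the exact extractor settings from the answer, the regular expression "ApiKey":"(.+?)" run over the response headers with template $1$, to the header quoted in the question, shows the JSON-parsing alternative the answer mentions, and builds the WebxxxHeader value for the next request. The header text is reconstructed from the question; the Content-Type line is a constructed addition.

```python
import json
import re

# Response headers as quoted in the question (Content-Type line constructed);
# the ApiKey value and the placeholder account details are the asker's.
RESPONSE_HEADERS = (
    "Content-Type: application/json\r\n"
    'WebxxxHeader: {"UserName":"xxxxx","UserID":1,'
    '"ApiKey":"ea9a3572-de75-4a85-848a-8fed874f2269",'
    '"ValidFrom":"2015-06-05 05:54:35","ValidTo":"2015-06-12 05:54:35",'
    '"UserRole":null,"Password":null,"DeviceToken":null,"DeviceType":null,'
    '"IsRetina":false,"UniqueId":null}\r\n'
)

# Field to check: Response Headers; Regular Expression: "ApiKey":"(.+?)"; Template: $1$
API_KEY_RE = re.compile(r'"ApiKey":"(.+?)"')


def extract_api_key(headers: str) -> str:
    """Regex correlation: the first capture group becomes ${API_KEY}."""
    m = API_KEY_RE.search(headers)
    if m is None:
        raise ValueError("ApiKey not found in response headers")
    return m.group(1)


def extract_with_json(headers: str, name: str = "WebxxxHeader") -> dict:
    """Alternative to the regex: parse the header value as JSON, so a
    JSON Path like $.ApiKey keeps working if the field order changes."""
    for line in headers.splitlines():
        if line.startswith(name + ":"):
            return json.loads(line.split(":", 1)[1])
    raise ValueError(f"{name} header missing")


def next_request_header(user: str, api_key: str) -> str:
    """Value the HTTP Header Manager sends as WebxxxHeader on later requests.
    `user` is whatever identifier the API expects in the UserName field."""
    return json.dumps({"UserName": user, "ApiKey": api_key},
                      separators=(",", ":"))
```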
