{"id":9804,"date":"2017-03-16T13:45:43","date_gmt":"2017-03-16T12:45:43","guid":{"rendered":"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/"},"modified":"2024-09-11T08:51:08","modified_gmt":"2024-09-11T06:51:08","slug":"apache-jmeter-cross-site-request-forgery-csrf-token-management","status":"publish","type":"post","link":"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/","title":{"rendered":"Apache JMeter and Cross-Site Request Forgery (CSRF) token management"},"content":{"rendered":"

Introduction<\/strong><\/p>\n

In Nowadays web technologies a common defensive mechanism against Cross-Site Request Forgery (CSRF) attacks is to use a synchronizer token. This token might be unique for each request and thus it blocks us from using the recorded JMeter test session off the shelf.<\/p>\n

This blog will describe how this CSRF feature can be handled in JMeter.<\/p>\n

How to implement this feature
\n<\/strong><\/p>\n

The solution is to identify and extract the CSRF token from the response data or header depending how is it has been set.
\nThe site I was doing the Load test using JMeter is using a cookie to set the CSRF Token and adds a X-CSRFToken header to the following HTTP requests.<\/p>\n

The HTTP Response header contains something like:<\/p>\n

Set-Cookie: csrftoken=sTrKh7qgnuKtuNTkbwlyCv45W2sqOaiY; expires=Sun, 21-Jan-2017 11:34:43 GMT; Max-Age=31449600; Path=\/<\/pre>\n
To extract the CSRF token value from the HTTP Response header, add a Regular Expression Extractor Post Processor globally.
\nThis way if the token value is reset to a new value somehow, it will be dynamically updated in the following response.<\/p>\n
Now configure it as follows:<\/p>\n
Apply to: Main sample only
\nField to check: Response Headers
\nReference Name: csrfToken
\nRegular Expression: Set-Cookie: csrftoken=(.+?);
\nTemplate: $1$<\/p>\n
Get the Response Cookie via the Regular Expression Extractor<\/p>\n
\"DynCSRF_Regular_Expression\"<\/a><\/p>\n
It is always better to have a user variable attached to the extracted value to be kept during the complete load test run.
\nselect user defined variables and add a new variable with the same name as the reference name declared above in the regular expression Extractor.<\/p>\n
\"DynCSRF_variable\"<\/a><\/p>\n
The next step is to analyse each HTTP Request recorded in the scenario to replace the hard coded value for the X_CSRFToken header with the variable set by the Post Processor as shown below:<\/p>\n
\"DynCSRF_HTTP_Header\"<\/a><\/p>\n
To avoid having to check every request HTTP Header Manager as displayed above which can take some time and might introduce errors, a pre-processor can be used that checks the headers
\nand replace automatically the X_CSRFToekn hard coded value with the variable set by the post processor task. This kind of pre-processor can be time consuming and should be as simplest as possible. Thus I decided to not check if the X_CSRFToken exist in the request header and just call the remove header attribute and add the X_CSRFToken one to all requests. This worked fine for the site I was working on.<\/p>\n
The pre-processor code used was the following:<\/p>\n
import org.apache.jmeter.protocol.http.control.Header;\n\nsampler.getHeaderManager().removeHeaderNamed(\"X-CSRFToken\");\nnewValue=vars.get(\"csrfToken\");\nsampler.getHeaderManager().add(new Header(\"X-CSRFToken\",newValue));<\/pre>\n
\"DynCSRF_BeasnShell\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Introduction In Nowadays web technologies a common defensive mechanism against Cross-Site Request Forgery (CSRF) attacks is to use a synchronizer token. This token might be unique for each request and thus it blocks us from using the recorded JMeter test session off the shelf. This blog will describe how this CSRF feature can be handled […]<\/p>\n","protected":false},"author":40,"featured_media":9808,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[197],"tags":[1041,950],"type_dbi":[],"class_list":["post-9804","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-application-integration-middleware","tag-csrf-token","tag-jmeter"],"acf":[],"yoast_head":"\nApache JMeter and Cross-Site Request Forgery (CSRF) token management - dbi Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Apache JMeter and Cross-Site Request Forgery (CSRF) token management\" \/>\n<meta property=\"og:description\" content=\"Introduction In Nowadays web technologies a common defensive mechanism against Cross-Site Request Forgery (CSRF) attacks is to use a synchronizer token. This token might be unique for each request and thus it blocks us from using the recorded JMeter test session off the shelf. This blog will describe how this CSRF feature can be handled […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2017-03-16T12:45:43+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-09-11T06:51:08+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/DynCSRF_BeasnShell.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1097\" \/>\n\t<meta property=\"og:image:height\" content=\"519\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Middleware Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Middleware Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/\"},\"author\":{\"name\":\"Middleware Team\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d8563acfc6e604cce6507f45bac0ea1\"},\"headline\":\"Apache JMeter and Cross-Site Request Forgery (CSRF) token management\",\"datePublished\":\"2017-03-16T12:45:43+00:00\",\"dateModified\":\"2024-09-11T06:51:08+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/\"},\"wordCount\":397,\"commentCount\":0,\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/DynCSRF_BeasnShell.png\",\"keywords\":[\"CSRF Token\",\"JMeter\"],\"articleSection\":[\"Application integration & Middleware\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/\",\"name\":\"Apache JMeter and Cross-Site Request Forgery (CSRF) token management - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/DynCSRF_BeasnShell.png\",\"datePublished\":\"2017-03-16T12:45:43+00:00\",\"dateModified\":\"2024-09-11T06:51:08+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d8563acfc6e604cce6507f45bac0ea1\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/#primaryimage\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/DynCSRF_BeasnShell.png\",\"contentUrl\":\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/DynCSRF_BeasnShell.png\",\"width\":1097,\"height\":519},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Apache JMeter and Cross-Site Request Forgery (CSRF) token management\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d8563acfc6e604cce6507f45bac0ea1\",\"name\":\"Middleware Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/ddcae7ba0f9d1a0e7ae707f0e689e4a9c95bb48ec49c8e6d9cc86d43f4121cb6?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/ddcae7ba0f9d1a0e7ae707f0e689e4a9c95bb48ec49c8e6d9cc86d43f4121cb6?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/ddcae7ba0f9d1a0e7ae707f0e689e4a9c95bb48ec49c8e6d9cc86d43f4121cb6?s=96&d=mm&r=g\",\"caption\":\"Middleware Team\"},\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/middleware-team\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Apache JMeter and Cross-Site Request Forgery (CSRF) token management - dbi Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/","og_locale":"en_US","og_type":"article","og_title":"Apache JMeter and Cross-Site Request Forgery (CSRF) token management","og_description":"Introduction In Nowadays web technologies a common defensive mechanism against Cross-Site Request Forgery (CSRF) attacks is to use a synchronizer token. This token might be unique for each request and thus it blocks us from using the recorded JMeter test session off the shelf. This blog will describe how this CSRF feature can be handled […]","og_url":"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/","og_site_name":"dbi Blog","article_published_time":"2017-03-16T12:45:43+00:00","article_modified_time":"2024-09-11T06:51:08+00:00","og_image":[{"width":1097,"height":519,"url":"http:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/DynCSRF_BeasnShell.png","type":"image\/png"}],"author":"Middleware Team","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Middleware Team","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/"},"author":{"name":"Middleware Team","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d8563acfc6e604cce6507f45bac0ea1"},"headline":"Apache JMeter and Cross-Site Request Forgery (CSRF) token management","datePublished":"2017-03-16T12:45:43+00:00","dateModified":"2024-09-11T06:51:08+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/"},"wordCount":397,"commentCount":0,"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/DynCSRF_BeasnShell.png","keywords":["CSRF Token","JMeter"],"articleSection":["Application integration & Middleware"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/","url":"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/","name":"Apache JMeter and Cross-Site Request Forgery (CSRF) token management - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/#primaryimage"},"image":{"@id":"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/#primaryimage"},"thumbnailUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/DynCSRF_BeasnShell.png","datePublished":"2017-03-16T12:45:43+00:00","dateModified":"2024-09-11T06:51:08+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d8563acfc6e604cce6507f45bac0ea1"},"breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/#primaryimage","url":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/DynCSRF_BeasnShell.png","contentUrl":"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2022\/04\/DynCSRF_BeasnShell.png","width":1097,"height":519},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/apache-jmeter-cross-site-request-forgery-csrf-token-management\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Apache JMeter and Cross-Site Request Forgery (CSRF) token management"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/8d8563acfc6e604cce6507f45bac0ea1","name":"Middleware Team","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/ddcae7ba0f9d1a0e7ae707f0e689e4a9c95bb48ec49c8e6d9cc86d43f4121cb6?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/ddcae7ba0f9d1a0e7ae707f0e689e4a9c95bb48ec49c8e6d9cc86d43f4121cb6?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/ddcae7ba0f9d1a0e7ae707f0e689e4a9c95bb48ec49c8e6d9cc86d43f4121cb6?s=96&d=mm&r=g","caption":"Middleware Team"},"url":"https:\/\/www.dbi-services.com\/blog\/author\/middleware-team\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/9804","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=9804"}],"version-history":[{"count":1,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/9804\/revisions"}],"predecessor-version":[{"id":34721,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/9804\/revisions\/34721"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media\/9808"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=9804"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=9804"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=9804"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=9804"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}