I have implemented CSRF (corss site request forgery) in login page of my application.
when i try to do load test using apache jmeter, i am getting (login time exceeded) error.
if i create custom debug.jar to remove csrf it is working fine.
it is getting very tedious for each time to load the debug.jar while doing load test.
I am new to jmeter can any one help me out with this.
Thanks.
CSRF usually results in mandatory either header or cookie which needs to exist elsewise the request won't be served. CSRF token usually lives in every response so it's "classic" correlation example. So the flow should look as follows:
GET first page
Extract CSRF token using one of the following:
Regular Expression Extractor
CSS/JQuery Extractor
XPath Extractor
GET next page
Send CSRF header or cookie using
HTTP Cookie Manager
HTTP Header Manager
These "managers" should be added as a child of "next" request.
Related
Having application with SAML authentication along with Azure AD as IDP. When I hit Login SSO button the following happens:
Hits SAML Redirect URL (/Saml/SAMLLoginRedirect)
Redirects automatically to Ping Federator. Redirected URL is received with the response header of the first request. URL consist some SAMLRequest Token and RelayState value. Final response has Submit Form along with new SAMLRequest token and RelayState.
Hitting IDP (login.microsoftonline.com//saml2 with the SAMLRequest and RelayState from the final response not works as expected.
I have resolved this issue in jmeter. I have just enabled Follow Redirect so jmeter provides the response and cookie. I am extracting the Header value of first the request from URL. It is just because Jmeter has the feature of accumulating redirect sample into the original request.
So I am again hitting Ping Federator with the Token and RelayState received using URL extractor along with final response Cookie.
Further I am able to complete the IDP process successfully.
I am not able to achieve the same using RestAssured. When I disable redirect I am able to get the url from header. Processing the URL from the header value throws 500 error code though I have added the cookie information.
If I enabled redirect I am getting 200 response code along with expected response body and cookie.
But I am unable to proceed to the Ping Federator with the token and relay state received from the response. So I have to hit again the Ping Federator with the previous SAML Token again as I did with jMeter to achieve the proper response.
Problem: Unable to get the header value if I enable the redirect and further processing fails. If I disable the redirect then I am not getting Cookie and expected response when processing the URL from header value. Here all are GET request until the IDP (login.microsoftonline.com)
JMeter's HTTP Cookie Manager automatically extracts cookies from the Set-Cookie response header and sends them with the next request via Cookie request header if domain and path match and the cookie isn't expired.
RestAssured doesn't do this automatically so you will need to extract the cookies from the response and add them to the next request manually.
References:
REST Assured Tutorial 49 – How To Retrieve Single and MultiValue Headers From Response Using Rest Assured
Headers, Cookies and Parameters with REST-assured
Going forward you can just use a sniffer tool like Fiddler or Wireshark to compare requests coming from JMeter and RestAssured, given you send the same request (apart from dynamic parameteres which need to be correlated) you will get the same response
I need to perform one app that is signed in via login.microsoftonline.com, but I get this error "We can`t sign you in your browser is currently set to block cookies. you need to allow cookies to use this service." maybe someone else has experienced something similar.
I tried changing HTTP Cookie Manager type from standart to others, also I used CookieManager.save.cookies with true and false but nothing worked.
HTTP Cookie Manager
request
error
You're not supposed to have the request to login.microsoftonline.com as the very first request in your JMeter script.
My expectation is that you're trying to test an application which uses Microsoft Identity Platform as authentication provider so depending on your application auth flow you need to pass some parameters to this login.microsoftonline.com page and the parameters need to be extracted from the previous request.
So try starting with your application login page and I believe you should be redirected to the login.microsoftonline.com with valid cookies and appropriate parameters
I have recorded a login flow of an application and found some URIs like below:
/api/oauth2/initiate GET
/oauth2/authorize GET
/api/v1/oauth2/authorize GET
/api/v1/oauth2/authenticate POST
{"username":"${Username}","password":"${Password}","client_id":"${client_Id}","response_type":"code","redirect_uri":"${scheme}://${host}/api/oauth2/callback","server_id":"${server_Id}"}
When I am hitting above in sequence via JMeter I am getting 200 response. Just like JMeter I tried recording in Postman and it worked same, but instead of JSON it gave response in XML format.
It doesn't generate a access_token, it works via session cookies.
My question is - Do I really have API access or it is just browser record n play? If Yes, Does this mean I can get access to any API, if I am a registered user of that application? For ex: Facebook, YouTube or any startup website.
JMeter works on the protocol level. This means that whatever request you are generating. Say a simple browser request or an API call, you can do that easily.
Now the thing is replicating requests. You don't need to record the requests necessarily using the browser. You need to analyze the few things that are required. Say Postman is generating a request. You specify the things you want to send and you use the API Token there. The same things can be specified there as well. It all depends on how you are understanding the concept of request generation.
You simply need to replicate the samplers and the parameters. And the request headers in postman can be replicated here in the same way.
For each HTTP Request Sampler make sure you add a corresponding child HTTP Header Manager config element.
Headers basically tell the server that what client we are using and in what form data is being sent and then server responds accordingly with the information.
What you're recorded is OAuth2 flow and you won't be able to replay it without correlating the dynamic values.
You can have access to Google API or Facebook Graph API given you have proper access_token but I don't think you should be testing them directly, you should focus on solely your application.
I have internal web application, which I have to test using Jmeter.
The application has secure protections as a username, password and auth token.
Auth token is changing with every new session. I'm unable to path through secure token. Token is include in URL, which look like
http://mytraining.application.net/(S(vj1ckr0nqyvjq3blehcl2jwl))/ApplDefault.aspx?tabid=1. Cookies has look like
Cookie: AUTH_TOK_vj1ckr0nqyvjq3blehcl2jwl=vj1ckr0nqyvjq3blehcl2jwl; AUTH_TOK_syq3r1yu4equ515xzunjobhb=syq3r1yu4equ515xzunjobhb;
So, my Jmeter able to successfully run only when I submit current token in URL.
Please let me know if you have any idea, how to avoid submitting token in all places (35) every time.
[![enter image description here][1]][1]
My AUTH_TOKEN
Regular Expression
It seems you can figure you your Auth_TOK value from the cookies
Add the next line to user.properties file (located in JMeter's "bin" folder
CookieManager.save.cookies=true
Restart JMeter to pick the property up
Add HTTP Cookie Manager to your Test Plan
Now you should be able to see Cookies stored as JMeter Variables using Debug Sampler and View Results Tree listener combination and use cookies values as part of your URL
I would also recommend checking out ASP.NET Login Testing with JMeter as my expectation is that you will have to deal with few other dynamic parameters.
First try with HTTP Cookie Manager as mentioned by Dmitri. This would work if auth token is used in Headers, like Cookie header. Jmeter automatically fetches from Set-Cookie Header, set by server, (when you add HTTP Cookie Manager) for each thread and store it locally, so that it can use in subsequent requests.
If Auth token is used in other places (but not headers) such as part of Url, request body etc, then we should explicitly capture it using Regular Expression Extractor (post processor) and
Regular Expressions Jmeter to correlate the dynamic values. Once you capture the value into a local_variable, we replace the actual values by local_variable (Reference name field in Regular Expression Extractor) wherever we observe the dynamic value in subsequent requests, here auth token, using syntax ${local_variable}.
normally browser stores and adds authentication header automaticly after successfull authentication.
I have a XMLHttpRequest and added the authentication header for basic auth. No problem at all.
Then I try to send a second request to the same url that is basic http protected without adding manually the http request header to this request. Poorly it seems that the browser is not storing the authentication provided in request 1. My goal is to add the authentication handler transparently to every request that follows the first one (like a native browser do).
Any idea? Thanks.
Browser only storing authetication requested from user. So, if you send 1st request w/o authentication fields, browser will prompt user for auth this time, remember credentials and use it for next requests transparently.