Anti forgery token and web testing - asp.net-mvc-4

I am trying to do a web test in VS2012 for an MVC site.
One of the scenarios is to login and go through a list of products, select the one you want and follow through to the purchase page.
Problem is that when the web test is run, I get an error about the anti forgery token and that it does not match.
How on earth is it possible to do the testing with the anti forgery token? The user must login - there will be thousands of users for the load test (eventually) but need to make it work for 1 user first.
the login view/action does do an AntiForgeryToken in the view and validation on the controller.
any advice and tips are appreciated.

Once you run your script and it fails, go to the call proceeding the one that fails.
Go to the response tab
In the body, find the __RequestVerificationToken name which is in an input tag and extract everything in between the value attribute.
Select the value and right click > add extraction rule and press OK.
You will find an Extraction rules folder and underneath it, the Extraction rule we just created. Feel free to rename the Context Parameter Name.
Go to the next page , which should be the one that failed, and find the Form Post Parameter named "__RequestVerificationToken". View it's properties
Bind it to the Context Parameter Name created previously. To do so, view the properties of this post parameter and set the "Value" to be:
{{Name Of Context Parameter}}
(Include the 2x curly braces)
Press enter to confirm/save
Next time you run the script - all works
This is how it worked for me...

I was seeing a similar problem. After recording a web test script, the script would fail at the point of log-in on with the following message:
The provided anti-forgery token was meant for user "Domain\UserName", but the current user is "".
The solution was to set the PreAuthenticate property to false in the test properties. By default the web tests will pass an authentication header to the server which was being used in the generation the token.

I am not familiar with "web testing in VS2012" but as I know "Anti-Forgery Token" requires sending the token from browser to the server back.
I had an experience with Selenium-Webdriver and suggest you use it because it provides an API to interact with supported browsers as real user does.
You can easily start using Selenium WebDriver if you add Selenium WebDriver 2.37.0 NuGet package to you test project.
Selenium-WebDriver makes direct calls to the browser using each
browser’s native support for automation. How these direct calls are
made, and the features they support depends on the browser you are
using.
Selenium-webdriver currently supports the following drivers:
Chrome
Internet Explorer
Firefox
Opera
HtmlUnit
Android

Related

How to find session cookie when not found in the developer tools?

I want to automate requests on a website and when doing so, I need a session cookie in order to identify myself.
When checking the network tab, I can clearly see the session cookie, but when checking the Application tab, this cookie is not shown. After accessing this website with selenium and calling driver.get_cookies() with Python, I only get the cookies shown in the Application tab.
I need to do this with selenium because this way it's possible to login. Only using requests will not work.
I do not have many clues on how to get that cookie and have almost 0 experience in this field, hence my question.

Symfony 3.4 Custom Authentication Listener

I have implemented a login form manually in Twig and I am using the default authentication provided by Symfony 3.4 (based on username and password). Users are stored in a database, therefore I have an Entity which extends AdvancedUserInterface. I am using neither FOSUserBundle nor form builder. Just a simple form. It actually works.
The problem is that I want to integrate Google reCAPTCHA in the login process. I know how to check if the captcha is valid and implemented a custom AuthenticationListener (let's call it MyAuthenticationListener).
I know that Symfony uses UsernamePasswordFormAuthenticationListener as its default listener. The problem is that I could not find a way to change the used listener to that I have implemented.
It seems that in Symfony2 it was as easy as adding the following line in the config.yml:
parameters:
security.authentication.listener.form.class:
MyBundle\EventListener\MyAuthenticationListener
However, I cannot find a way for Symfony3. Any suggestions?
I also tried to find a specific bundle for Symfony3, but I actually could not find anything that is correctly integrated with Symfony Security, allowing me to use the recaptcha in a login form.
Thank you
Your question may be answered here:
https://stackoverflow.com/a/50800993/7408561
The solution is based on a custom-listener triggered by SecurityEvents::INTERACTIVE_LOGIN. That event is fired after verification of credentials but before redirecting to default_target_path defined in security.yml. At this position you can verify the request parameter g-recaptcha-response by calling the google recaptcha api with the corresponding secret.
If the verification fails you can throw an exception and you will be redirected to the login page.

How to work with apache Jmeter for login applications?

Hi I would like to test using Jmeter for my application which has login page. I am able to write Sample http request for login page which is working ( passing username and password as POST parameters).
But the another Sample HttpRequest (home.do) is not working which is again redirecting to login page. I also added HttpCookieManager at Thread level. Not sure why the authentication is not carry forward to other pages, Can anyone please help me on this.
Most probably your test doesn't work due to missing or incorrect correlation. The absolute majority of modern web applications use dynamic parameters for different reasons (client state tracking, security, etc.) so you need to setup your test plan like:
Open Login Page (usually GET request)
Extract dynamic parameters
Perform Login (usually POST request), provide credentials and dynamic parameters extracted from the previous request
Extract dynamic parameters
Open Home Page (usually GET request)
etc.
You can extract dynamic parameters using JMeter Post-Processors
Also make sure you add HTTP Cookie Manager to your Test Plan to represent browser cookies and deal with cookie based authentication.
BTW, you can quickly build test plan "skeleton" by simply recording your test scenario using HTTP(S) Test Script Recorder

Customizing Rally using Rally app builder

Trying to customize Portfolio Item Burnup , got source code from https://github.com/RallyApps/app-catalog/tree/master/src/apps/charts/rpm/burn
Now after compiling using "rally-app-builder build" command and after that running with "rally-app-builder run" command, I am able to run the page. In another tab of chrome, Rally is logged in. the launched page is getting authentication from rally session and able to get some data like searching some PFG/PF etc.
Now problem is after applying some settings and selecting some PF/PFG, its again demands authentication (for rally1.rallydev.com/slm/webservice/v2.0/security/authorize). This authentication is not working with my credential.
I have also generated some api key from rally1.rallydev.com/login/accounts/index.html#/keys ,but, that also not working.
Pls help on this.
Thanks,
Udayan
I'm assuming you use SSO to login? If so, you won't be able to correctly authenticate against that /security/authorize endpoint (which is used for generating a CSRF token when making POST/PUT/DELETE calls against wsapi- GETS are fine).
You were on the right track with the api key. Generate a key and then just add it to the query string of your app url:
http://localhost:1337/App-debug.html?apiKey=83h3lkb4b43302bfvlav
There's also a guide in the App SDK docs that describes this in greater detail: https://help.rallydev.com/apps/2.1/doc/#!/guide/embedding_apps

How do you test pages that require authentication with Selenium?

I need to test a web application using Selenium. The app is fairly common in its setup: it requires signing in for most of the functionality to be exposed. Upon loading a page, if the user is not authenticated, it will redirect to a login form and then back to the requested page once credentials are supplied.
What's the usual way to go around this with Selenium? I take it people are not logging in on every single test as this would cause significant overhead on big test suites. Is there a way to set up a session in a test and then use the cookie information for subsequent tests, or do a conditional sign-in (without incurring in massive code repetition!)?
I am using PHPUnit with Selenium ATM.
Thank you!
Gonzalo
(I'm using C#+NUnit+Selenium RC)
Most of the time, each test goes through the login form. However, if I'm writing a series of tests that are very short (< 10 seconds each) and there are a lot of them, I usually share the same browser instance across tests by moving the selenium start\close calls from the SetUp\TearDown methods to the Test Fixture SetUp\TearDown methods. This avoids the cost of re-authenticating as well as the cost of launching a new browser every time. I'm sure you can do something similar with PHPUnit.
If this is basic http auth you can use the username/password with the url request as documented in the Selenium FAQ: http://wiki.openqa.org/display/SEL/Selenium+Core+FAQ#SeleniumCoreFAQ-HowdoIuseSeleniumtologintositesthatrequireHTTPbasicauthentication%28wherethebrowsermakesamodaldialogaskingforcredentials%29%3F
How do I use Selenium to login to
sites that require HTTP basic
authentication (where the browser
makes a modal dialog asking for
credentials)?
Use a username and password in the
URL, as described in RFC 1738: Test
Type open
http://myusername:myuserpassword#myexample.com/blah/blah/blah
Note that on Internet Explorer this
won't work, since Microsoft has
disabled usernames/passwords in URLs
in IE. However, you can add that
functionality back in by modifying
your registry, as described in the
linked KB article. Set an
"iexplore.exe" DWORD to 0 in
HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE.
If you don't want to modify the
registry yourself, you can always just
use Selenium Remote Control, which
automatically sets that that registry
key for you as of version 0.9.2.