How to handle CSRF Token in JMeter

A CSRF token is a unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client.

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other.

In short, the CSRF token is the application's defence against cross-site request forgery: the server only accepts a state-changing request when it carries the token it issued to that session. From the point of view of a JMeter script it is just a dynamic value, so you handle it exactly like any other correlation: capture it from the response that issues it and pass it along in the request that consumes it. Because the token is tied to the session, a value copied from a recording will not be accepted later; the script has to extract a fresh one every time.

Steps to handle

  • Load the home page and find the CSRF token in the response

The demonstration uses the same website as before, https://opensource-demo.orangehrmlive.com/ .

If you open the website and inspect the response of the first request (View Results Tree in JMeter, or the browser's developer tools), you can find the CSRF token in the page, typically as a hidden form field. Note the exact field name and the markup around the value; the extractor regex is built from it.

  • Check the request where the CSRF token is used

For this application it is sent with the Login request.

  • Add a Regular Expression Extractor for the CSRF token, as a post-processor on the home page request, and store the match in a variable
  • Replace the recorded token in the Login request parameter with that variable, for example ${csrfToken}
  • Test the script: run it with an HTTP Cookie Manager in the plan, so the token is presented within the same session that issued it, and confirm in View Results Tree that the login succeeds and that each iteration sends a freshly extracted value rather than the one from the recording
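The complete correlation, as an added Python example that is not part of the original post and not JMeter code: the same regex you would put in the Regular Expression Extractor, the token substitution into the login body, and a constructed in-memory stand-in for the server that mints one token per session and rejects any other, which is why a recorded token fails while the extracted one succeeds. The HTML, the field name `_csrf_token`, the form parameter names, the credentials and the `FakeApp` class are all assumptions made for illustration; read the real field name from the actual response before building the extractor.

```python
import html
import re
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Regular expression for the token. The same pattern goes into the JMeter
# Regular Expression Extractor; group 1 is what Template "$1$" captures.
# The field name "_csrf_token" is an assumption for this example; take the
# real name from the response seen in View Results Tree.
CSRF_REGEX = r'name="_csrf_token"\s+value="([^"]+)"'


def extract_csrf_token(body: str, pattern: str = CSRF_REGEX) -> Optional[str]:
    """Return the first match (JMeter Match No. = 1), or None when the regex
    does not match, the case JMeter covers with the extractor's Default Value."""
    m = re.search(pattern, body)
    return html.unescape(m.group(1)) if m else None


def build_login_body(token: Optional[str], username: str, password: str) -> str:
    """Form body for the login request with the token substituted in, the way
    ${csrfToken} replaces the recorded value in the JMeter sampler."""
    if not token:
        raise ValueError("no CSRF token extracted; check the regex against the real response")
    return urlencode({"_csrf_token": token, "txtUsername": username, "txtPassword": password})


class FakeApp:
    """Constructed stand-in for the server: one token per session, and a login
    is accepted only when its token belongs to the session that sends it."""

    def __init__(self) -> None:
        self.tokens: Dict[str, str] = {}  # session id -> CSRF token

    def get_login_page(self) -> Tuple[str, str]:
        """Return (session cookie value, HTML), as the first request would."""
        sid = secrets.token_hex(8)
        self.tokens[sid] = secrets.token_hex(16)
        page = (
            '<form method="post" action="/auth/validateCredentials">\n'
            f'  <input type="hidden" name="_csrf_token" value="{self.tokens[sid]}">\n'
            '  <input type="text" name="txtUsername">\n'
            '  <input type="password" name="txtPassword">\n'
            '</form>'
        )
        return sid, page

    def post_login(self, sid: str, body: str) -> int:
        """HTTP-like status: 200 when the token matches the session, 403 otherwise."""
        sent = parse_qs(body).get("_csrf_token", [None])[0]
        expected = self.tokens.get(sid)
        if expected is None or sent is None or not secrets.compare_digest(sent, expected):
            return 403
        return 200


def login_with_correlation(app: FakeApp) -> int:
    """What the finished JMeter script does: extract the token from the first
    response and reuse it in the next request of the same session."""
    sid, page = app.get_login_page()
    token = extract_csrf_token(page)
    return app.post_login(sid, build_login_body(token, "someuser", "somepassword"))


def login_with_recorded_token(app: FakeApp, recorded_token: str) -> int:
    """What an uncorrelated recording does: a new session, but the old token."""
    sid, _ = app.get_login_page()
    return app.post_login(sid, build_login_body(recorded_token, "someuser", "somepassword"))


if __name__ == "__main__":
    app = FakeApp()
    print("correlated login:", login_with_correlation(app))
    print("replayed recording:", login_with_recorded_token(app, "0" * 32))
```

In JMeter the extractor that corresponds to `extract_csrf_token` is configured with Apply to: Main sample only, Field to check: Body, Reference Name: csrfToken, Regular Expression: the pattern above, Template: `$1$`, Match No.: 1, and a Default Value such as `TOKEN_NOT_FOUND` so a failed match is visible in the login request instead of silently sending an empty string. The session binding that `FakeApp` enforces is the reason the plan needs an HTTP Cookie Manager: without it the login arrives in a session that never received the token and is rejected just like the replayed recording.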
