A CSRF token is a unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client.
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other.
In short, the CSRF token is the server's defence against cross-site request forgery. In JMeter scripts it is just a dynamic value: the server issues a fresh token with the page, and the script has to capture it and send it back in the next request. That is the same correlation technique used for any other session-specific value.
Steps to handle it
- Load the home page and find the CSRF token in the response
I am going to demonstrate this using the same website, https://opensource-demo.orangehrmlive.com/.
If you open the website, you can find the CSRF token in the response.
- Check the request where the CSRF token is used
For this application it is used in the login request.
- Add a Regular Expression Extractor for the CSRF token
- Replace the hard-coded token in the request parameter with the extracted variable
- Test the script
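The steps above, as an added Python example that is not part of the original post: it emulates what a JMeter Regular Expression Extractor does (regex with a capture group, template `$1$`, match number, default value) on a constructed home-page response and substitutes the captured value into the login body. The hidden field name `_csrf_token`, the form field names, the path and the token value are assumptions for this example, not values taken from the OrangeHRM demo.

```python
import random
import re
from urllib.parse import urlencode

# Constructed stand-in for the HTML the home page returns. The field name
# "_csrf_token" and the token value are assumptions, not real demo values.
HOME_PAGE_HTML = """
<form method="post" action="/login">
  <input type="hidden" name="_csrf_token" value="a1b2c3d4e5f6" />
  <input name="username" />
  <input name="password" type="password" />
</form>
"""

# Regex in the form a Regular Expression Extractor would use; the capture
# group is what the extractor's template $1$ refers to.
CSRF_REGEX = r'name="_csrf_token" value="(.+?)"'


def extract_csrf_token(body, regex=CSRF_REGEX, match_number=1,
                       default="TOKEN_NOT_FOUND"):
    """Mirror the extractor's match-number semantics: N > 0 returns the
    Nth match, 0 a random match, -1 all matches; the default value is
    returned when nothing matches (or N is larger than the match count)."""
    matches = re.findall(regex, body)
    if match_number == -1:
        return matches
    if not matches or match_number > len(matches):
        return default
    if match_number == 0:
        return random.choice(matches)
    return matches[match_number - 1]


def build_login_body(username, password, token):
    """Put the extracted value where the recorded script had the hard-coded
    token. Refuse to send the default value: a login attempt with it would
    fail later in the run with a far less obvious error."""
    if token == "TOKEN_NOT_FOUND":
        raise ValueError("CSRF token was not found in the home page response")
    return urlencode({
        "_csrf_token": token,
        "username": username,
        "password": password,
    })


if __name__ == "__main__":
    token = extract_csrf_token(HOME_PAGE_HTML)
    print(build_login_body("user", "secret", token))
```

In JMeter the same outcome is reached by setting the extractor's default value to something like `TOKEN_NOT_FOUND` and adding an assertion on the variable, so a missing token fails the sampler that should have produced it rather than the login that consumed it.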