[JMeter] Obtaining CSRF token and POST request
Hello! This is Fukui from the System Development Department!
This time, while creating a scenario in JMeter, I received a 403 error several times when sending a POST request from a CSRF-protected page, so I would like to introduce the solution!
In this article, we will mainly cover two points:
- Obtaining a CSRF token
- Sending a POST request using the obtained token
*As a bonus, I have listed the JMeter settings you should remember at the end of the post, which also serves as a personal memo. If you are going to start using JMeter, I hope you will read to the end.
Obtain CSRF token
Let's start by explaining how to obtain a CSRF token.
Use the "Regular Expression Extractor" to obtain the CSRF token.
■ Adding the "Regular Expression Extractor"
You can add it by selecting "Add" → "Post Processors" → "Regular Expression Extractor" on the sampler of the HTTP request that displays the screen issuing the CSRF token.
*For example, if a POST request performs the login processing and requires a CSRF token as a request parameter, add the Regular Expression Extractor to the preceding GET request that displays the login screen.
Once added, the following screen will be displayed, allowing you to configure each item.
■ "Regular Expression Extractor" settings
As an example, I configured the settings as follows. The items that need to be configured are explained below.
① Field to check
Select where the value should be extracted from. This time, select "Body" so that the response body of the GET request for the page that issues the CSRF token is used.
② Reference name
Enter the variable name that will hold the extracted value (here, the CSRF token). It is used later as the value of the CSRF parameter when sending the POST. Any string can be used.
③ Regular expression
Enter the input tag that contains the CSRF token, replacing the value of its value attribute with a regular expression capture group; the captured text is the CSRF token value.
*The content shown in the image above is only an example. Modify it to match the format of the input tag actually returned in the response that displays the screen. If the format of the input tag differs (presence or absence of an id attribute, a typo in the name attribute, etc.), the CSRF token value will not be extracted. This is an especially easy point to stumble on, so if possible we recommend copying the input tag from the HTML with the browser's developer tools and then replacing the value of the value attribute.
④ Template
Specify which captured group's value to use. Enter "$1$" to use the first captured group (the value attribute).
That completes the settings for the Regular Expression Extractor.
POST request using the obtained token
Next, we will show how to include the obtained CSRF token in the request parameters and send a POST.
Below is an example of the request parameter settings.
You can send the obtained CSRF token by adding a parameter to the target POST request sampler whose value has the form "${reference name set in the Regular Expression Extractor}".
The rest is a matter of setting the request headers and any other parameters the situation requires.
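To make the two steps above concrete, here is an added Python example (not part of the original post, and not JMeter's own code) that mimics the Regular Expression Extractor with template $1$ against a constructed login page, shows why a verbatim copy of the input tag stops matching once an id attribute appears, and builds the POST parameters only when a token was actually captured. The field name _csrf, the sample HTML and the credentials are assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlencode

# Constructed sample response body for the "display login screen" GET.
# The hidden input carries an id attribute and a class, exactly the kind
# of variation the article warns about.
LOGIN_PAGE = """<form method="post" action="/login">
  <input type="hidden" id="csrf" name="_csrf" class="tok" value="a1b2c3d4e5f6">
  <input type="text" name="username">
</form>"""

# Rigid pattern: the input tag copied from one page with the value replaced.
# It stops matching as soon as an attribute is added or reordered.
RIGID = re.compile(r'<input type="hidden" name="_csrf" value="([^"]+)">')


def tolerant_pattern(field_name: str) -> re.Pattern:
    """Anchor on the name attribute and accept any other attributes around it.

    Group 1 corresponds to JMeter's template $1$. If the page puts value=
    before name=, swap the two attribute clauses.
    """
    return re.compile(
        r'<input\b[^>]*\bname=["\']' + re.escape(field_name) + r'["\']'
        r'[^>]*\bvalue=["\']([^"\']+)["\']',
        re.IGNORECASE,
    )


def extract_csrf_token(html: str, field_name: str = "_csrf",
                       pattern: Optional[re.Pattern] = None) -> Optional[str]:
    """First capture group of the first match, or None if nothing matched."""
    m = (pattern or tolerant_pattern(field_name)).search(html)
    return m.group(1) if m else None


def build_login_params(html: str, username: str, password: str) -> dict:
    """Parameters for the POST sampler: the captured token plus the form fields.

    Raises instead of sending a request whose token reference is unresolved,
    which in JMeter would go out as the literal text ${csrf_token} and get 403.
    """
    token = extract_csrf_token(html)
    if token is None:
        raise ValueError("CSRF token not found in response body; check the regex")
    return {"_csrf": token, "username": username, "password": password}


def encoded_body(params: dict) -> str:
    """application/x-www-form-urlencoded body as the POST sampler would send it."""
    return urlencode(params)
```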
Bonus (JMeter settings to remember)
As mentioned at the beginning, here are two JMeter settings that you should remember.
■ Basic authentication
When the target of a load test requires Basic authentication, you can log in using the "HTTP Authorization Manager".
The HTTP Authorization Manager can be added to a "Thread Group", a "Simple Controller", or the first HTTP request sampler that requires Basic authentication.
You can add it by selecting "Add" → "Config Element" → "HTTP Authorization Manager". Once added, the screen above is displayed. Enter the "Base URL", "Username" and "Password" to complete the settings.
■ HTTP cookie manager
Next, when the scenario requires cookies to be retained, cookie information can be used by configuring the "HTTP Cookie Manager".
The HTTP Cookie Manager can likewise be added to any "Thread Group", "Simple Controller" or sampler by selecting "Add" → "Config Element" → "HTTP Cookie Manager". Once added, the screen above is displayed; the HTTP Cookie Manager can be used as is unless there is a specific value you want to use for testing.
*Checking the item "Clear cookies each iteration?" discards the cookies at each loop.
*After adding the HTTP Cookie Manager, run the scenario and confirm that Cookie Data appears in the request; then the settings are complete.
Lastly
I have opened the system development service site "SEKARAKU Lab" to which I belong.
Beyond is a one-stop service for everything from server design and construction to operation, so if you have any trouble with server-side development, please feel free to contact us.
SEKARAKU Lab: [https://sekarakulab.beyondjapan.com/](https://sekarakulab.beyondjapan.com/)
That’s it for this time!
Thank you for reading to the end!