[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Successor to CentOS] AlmaLinux OS server construction/migration service

[Successor to CentOS] AlmaLinux OS server construction/migration service

[For WordPress only] Cloud server “Web Speed”

[For WordPress only] Cloud server “Web Speed”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Reservation system development] EDISONE customization development service

[Reservation system development] EDISONE customization development service

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[Global exclusive service] Beyond's MSP in North America and China

[Global exclusive service] Beyond's MSP in North America and China

[YouTube] Beyond official channel “Biyomaru Channel”

[YouTube] Beyond official channel “Biyomaru Channel”

[JMeter] Obtaining CSRF token and POST request

Hello! This is Fukui from the System Development Department!

This time, when creating a scenario using JMeter, I received a 403 error several times when making a POST request from a CSRF-protected page, so I would like to introduce a solution!

In this article,

we will mainly introduce two points: - Obtaining a CSRF token
, and POST requests using the obtained token

*By the way, I have listed the JMeter settings that you should remember at the end of the blog, which also serves as a personal memo. If you are going to use JMeter from now on, we hope you will read this to the end.

Obtain CSRF token

Let's start by explaining how to obtain a CSRF token.
Use the "regular expression extraction" to obtain the CSRF token

■ Addition of "regular expression extraction" function

to add it by configuring

"Add" → "Post-processing" → "Regular expression extraction" for the sampler of the HTTP request displayed on the screen that is issuing the CSRF token. You can. *For example, if there is a POST request for login processing and a CSRF token is required in the request parameter, regular expression extraction will be added to the GET request for "display login screen" in advance.

Once added, the following screen will be displayed, allowing you to configure each item.

■ “Regular expression extraction” settings

This time, as an example, I configured the settings as follows. We will explain the items that need to be configured.

①Field to check

Select the value target you want to extract. This time, select
“Body” *To use the response body of the GET request of the page to extract the CSRF token.

② Reference name

Enter the variable that will contain the extracted value (CSRF token in this case) We will use it later as the value of the CSRF parameter when sending POST. Please enter any string.

③ Regular expression

Enter the input tag that contains the CSRF token You can obtain the value of the CSRF token by
writing the value of the value attribute using a regular expression *The input content in the image above is an example. Please modify it to match the format of the input tag that can actually be obtained in the response displayed on the screen. If the format of the input tag is different, you will not be able to obtain the CSRF token value (presence or absence of the id attribute, typo in the name attribute, etc.). This is a particularly easy point to stumble upon, so if possible, we recommend that you actually use the developer tools to copy the input tag in the HTML and modify the value of the value attribute.

④ Template

Specify whether to use the "~th" extracted value. enter "$1$" to use the first value obtained

The settings for regular expression extraction are as follows.

POST request using the obtained token

Next, we will show you how to include the acquired CSRF token in the request parameter and send a POST.

Below is an example of request parameter settings.

you can send the acquired CSRF token by setting parameters in the format of "${Reference name set by regular expression extraction}" to the target POST request sampler

The rest is done by setting the request headers and other necessary parameters depending on the situation.

Bonus (JMeter settings to remember)

As I introduced at the beginning, I would like to introduce two JMeter settings that you should remember.

■ Basic authentication

When performing a load test, if Basic authentication is required, you can log in using "HTTP Authentication Manager".
An HTTP authentication manager can be added as a "thread group", "simple controller", or "initial HTTP request sampler" that requires basic authentication.
You can add it by selecting

"Add" → "Configuration Element" → "HTTP Authentication Manager" Once the HTTP authentication manager has been added, the above screen will be displayed. Enter the "Base URL", "Username" and "Password" to complete the settings.

■ HTTP cookie manager

Next, regarding the case where cookie retention is required in the scenario, cookie information can be used by configuring the "HTTP cookie manager".
An HTTP cookie manager can also be added to any "thread group", "simple controller", or "sampler", and can be added by selecting

"Add" → "Configuration Element" → "HTTP Cookie Manager" Once added, the above screen will be displayed, but the HTTP cookie manager can be used as is unless there is a value that you would like to use for testing.
*The item "Do you want to discard cookies at each loop?" By checking this item, you can discard cookies at each loop.
*After adding the HTTP cookie manager, run the scenario and confirm that Cookie Data is sent in the request body, then the settings are complete.

lastly

I have opened the system development service site "SEKARAKU Lab" to which I belong.
Beyond is a one-stop service for everything from server design and construction to operation, so if you have any trouble with server-side development, please feel free to contact us.
SEKARAKU Lab: [https://sekarakulab.beyondjapan.com/](https://sekarakulab.beyondjapan.com/)

That’s it for this time!
Thank you for reading to the end!

If you found this article helpful , please give it a like!
5
Loading...
5 votes, average: 1.00 / 15
9,842
X facebook Hatena Bookmark pocket
[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution

[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution

The person who wrote this article

About the author

Hiroto Fukui

Joined Beyond in June 2020.
He works in the System Development Department (Yokohama office). His work focuses on PHP, developing game APIs and web systems, and developing Shopify private apps.
He likes music in general, mainly Western music, and plays the guitar as a hobby. His favorite TV shows are "Detective! Night Scoop" and "Infestation! Ad Street Heaven."