0
votes

I am using WCAT to perform a load test against an ASP.NET MVC application. Because this app uses the anti-forgery token security validation, I am wondering if it is possible to dynamically generate postdata values in the WCAT script in order to inject the valid token every time I get an anti-forgery cookie value.

Any ideas? Thanks in advance.

1

1 Answer

1
votes

I'm sure it could be done, but I am not aware of a way to script a WCAT transaction that will produce a valid anti-forgery token.

Instead, what I have done is to implement a conditional filter which applies the ValidateAntiForgeryTokenAttribute() to all my POST actions. Once you have the conditional filter in place, you can then add an AppSettings value which allows you to turn the attribute on or off, i.e. when you are load testing, you turn it off.

You can learn how to implement a conditional filter here.

In my project, I enable and disable the conditional filter in the Global.asax.cs Application_Start() like this:

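// Requires: System, System.Collections.Generic, System.Configuration, System.Web.Mvc.
// A missing key, or any value other than "true", evaluates to false here and leaves validation off.
bool useAntiForgeryToken = string.Compare(ConfigurationManager.AppSettings["useAntiForgeryToken"], "true", StringComparison.InvariantCultureIgnoreCase) == 0;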
if (useAntiForgeryToken) {

    // Ensure that all POST actions are automatically decorated with the ValidateAntiForgeryTokenAttribute.
    IEnumerable<Func<ControllerContext, ActionDescriptor, object>> conditions =
        new Func<ControllerContext, ActionDescriptor, object>[] {
        (controllerContext, actionDescriptor) =>
            string.Equals(controllerContext.HttpContext.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase ) ? new ValidateAntiForgeryTokenAttribute() : null
    };

    // Create the conditional filter using the condition we defined
    var provider = new ConditionalFilterProvider(conditions);

    // And add the conditional filter
    FilterProviders.Providers.Add(provider);
}

And I have an AppSetting like this in my web.config:

<appSettings>
    <add key="useAntiForgeryToken" value="true" />
</appSettings>

Note: in addition to disabling the anti-forgery token, you will also need to set the requestValidation mode to 2.0 in your web.config, like this (reference):

<httpRuntime requestValidationMode="2.0" />

Once you have those things in place, run your WCAT scripts again and you should be golden.
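
An added example, not part of the answer above or of the article it links to: the same toggle wired so that anti-forgery validation stays on unless the setting is explicitly "false", which keeps a missing or misspelled key from silently disabling CSRF protection outside a load-test configuration. The body of ConditionalFilterProvider is an assumption inferred from how the answer constructs it, and AntiForgerySwitch is a hypothetical helper name.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Web.Mvc;

// Assumed shape of the ConditionalFilterProvider used in the answer, inferred
// from how it is constructed there; not taken from the linked article.
public class ConditionalFilterProvider : IFilterProvider
{
    private readonly IEnumerable<Func<ControllerContext, ActionDescriptor, object>> _conditions;

    public ConditionalFilterProvider(
        IEnumerable<Func<ControllerContext, ActionDescriptor, object>> conditions)
    {
        _conditions = conditions;
    }

    // Called by MVC for every action; each condition returns a filter instance or null.
    public IEnumerable<Filter> GetFilters(ControllerContext controllerContext,
                                          ActionDescriptor actionDescriptor)
    {
        return _conditions
            .Select(condition => condition(controllerContext, actionDescriptor))
            .Where(filter => filter != null)
            .Select(filter => new Filter(filter, FilterScope.Global, null));
    }
}

public static class AntiForgerySwitch
{
    // Hypothetical helper: validation is skipped only when the key is present
    // and is exactly "false"; a missing, empty or misspelled value keeps it on.
    public static bool IsEnabled(string configuredValue)
    {
        return !string.Equals(configuredValue, "false", StringComparison.OrdinalIgnoreCase);
    }

    // Call from Application_Start() in Global.asax.cs.
    public static void Register()
    {
        if (!IsEnabled(ConfigurationManager.AppSettings["useAntiForgeryToken"]))
            return; // load-test configuration only

        FilterProviders.Providers.Add(new ConditionalFilterProvider(new Func<ControllerContext, ActionDescriptor, object>[] {
            (ctx, action) => string.Equals(ctx.HttpContext.Request.HttpMethod, "POST",
                StringComparison.OrdinalIgnoreCase) ? new ValidateAntiForgeryTokenAttribute() : null
        }));
    }
}
```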