2
votes

I have recorded a login scenario of a page (built on Java and Angular). The very first request doesn't show X-CSRF-TOKEN in the Response Data tab, but the second HTTP request has X-CSRF-TOKEN in the HTTP Header Manager. When I try to run the script, the 2nd HTTP Request shows the response code 401 as the recorded X-CSRF-TOKEN is no longer valid, so I was wondering how to write a regular expression to capture the X-CSRF-TOKEN by creating a regular expression as a post processor.

Please let me know how to capture the X-CSRF-TOKEN dynamically.

Thanks

2 Answers

1
votes

Looking into the "Angular’s XSRF: How It Works" article:

  • Look for a cookie named XSRF-TOKEN on the current domain.

  • If that cookie is found, it reads the value and adds it to the request as the X-XSRF-TOKEN header.

So you will not be able to locate X-XSRF-TOKEN in the response data; instead, you should be looking for the XSRF-TOKEN cookie in the Set-Cookie response header.

  1. Add the next line to the user.properties file (it lives in the "bin" folder of your JMeter installation):

    CookieManager.save.cookies=true
    
  2. Restart JMeter to pick up the change

  3. Add HTTP Cookie Manager to your Test Plan

  4. Add HTTP Header Manager to your Test Plan and configure it to send the following header:

    • Name: X-XSRF-TOKEN
    • Value: ${COOKIE_XSRF-TOKEN}

More information: How to Load Test CSRF-Protected Web Sites
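
The cookie-to-header flow described in the answer above, modelled in Python as an added example (not part of the original answer and not JMeter configuration). The response headers, token values and the `server_status` check are constructed assumptions: the server is assumed to return 401 unless the X-XSRF-TOKEN header equals the XSRF-TOKEN cookie.

```python
import hmac
from http.cookies import SimpleCookie

# Constructed sample: response headers of the first (login page) request.
FIRST_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=A1B2C3; Path=/; HttpOnly"),
    ("Set-Cookie", "XSRF-TOKEN=5f2c9e7a-constructed; Path=/"),
]
RECORDED_TOKEN = "stale-token-from-recording"  # constructed stale value


def cookies_from_response(headers):
    """Collect name -> value for every Set-Cookie header in a response."""
    jar = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            parsed = SimpleCookie()
            parsed.load(value)
            jar.update({k: m.value for k, m in parsed.items()})
    return jar


def build_request_headers(jar, token=None):
    """Headers for the follow-up request; token defaults to the cookie value."""
    headers = {"Cookie": "; ".join(f"{k}={v}" for k, v in jar.items())}
    token = jar.get("XSRF-TOKEN") if token is None else token
    if token:
        headers["X-XSRF-TOKEN"] = token
    return headers


def server_status(headers):
    """Assumed server-side check: header must equal the XSRF-TOKEN cookie."""
    sent = SimpleCookie()
    sent.load(headers.get("Cookie", ""))
    cookie = sent["XSRF-TOKEN"].value if "XSRF-TOKEN" in sent else ""
    header = headers.get("X-XSRF-TOKEN", "")
    # Constant-time comparison so the check does not leak token prefixes.
    ok = bool(cookie) and hmac.compare_digest(cookie.encode(), header.encode())
    return 200 if ok else 401


jar = cookies_from_response(FIRST_RESPONSE_HEADERS)
print(server_status(build_request_headers(jar)))                  # token read from cookie
print(server_status(build_request_headers(jar, RECORDED_TOKEN)))  # token replayed from recording
```

The second call reproduces the failure from the question: a header value fixed at recording time no longer matches the cookie issued for the current session.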

0
votes

Can you please check the embedded resources of the 1st request's response from JMeter or the browser? If you don't see it there, then can you check with the developer? Sometimes tokens are generated on the client/browser side (e.g. using JavaScript), and this activity won't get captured in JMeter.