Tags: performance, csrf, performance-testing, loadrunner, vugen

Getting Invalid CSRF Token while replaying the script


I am facing a weird problem while replaying my recorded script. I have correlated everything, and for the rest of the steps the CSRF token is working fine, but for the step below it is giving me an error.

The recorded script is:

    // Token value hardcoded at record time
    web_add_header("X-CSRF-TOKEN",
        "1f285aef-f9b1-4709-a76b-6789e785ca8a");

    web_add_header("X-Requested-With",
        "XMLHttpRequest");

    lr_think_time(33);

    web_custom_request("saveScheduleAcademyMapping",
        "URL=http://localhost:8080/ams/saveScheduleAcademyMapping",
        "Method=POST",
        "Resource=0",
        "RecContentType=application/json",
        "Referer=http://localhost:8080/ams/manage_academy?scheduleInstanceId={scheduleID}",
        "Snapshot=t1553.inf",
        "Mode=HTTP",
        "EncType=application/json; charset=UTF-8",
        "Body=[{JSON values]",
        LAST);

Below are the request and response while recording and while replaying the script.

For Recording:

Request:

POST /ams/saveScheduleAcademyMapping HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 791
Accept: */*
Origin: http://localhost:8080
X-CSRF-TOKEN: 1f285aef-f9b1-4709-a76b-6789e785ca8a
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Type: application/json; charset=UTF-8
Referer: http://localhost:8080/ams/manage_academy?scheduleInstanceId=230044
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=B9C8BB02040E49246E1C7BA4CC16F6CF

[{JSON VALUE}]

Response:

HTTP/1.1 200 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: application:dev
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 25 Apr 2018 12:09:17 GMT

[{JSON VALUE}]

For Replay:

Request:

POST /ams/saveScheduleAcademyMapping HTTP/1.1
Content-Type: application/json; charset=UTF-8
Referer: http://localhost:8080/ams/manage_academy?scheduleInstanceId=230046
Origin: http://localhost:8080
X-CSRF-TOKEN: 1f285aef-f9b1-4709-a76b-6789e785ca8a
X-Requested-With: XMLHttpRequest
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Accept: */*
Connection: Keep-Alive
Host: localhost:8080
Cookie: JSESSIONID=E61AF0BA93B173F3D597244508FE11DD
Content-Length: 791

[{JSON VALUE}]

Response:

HTTP/1.1 403 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 25 Apr 2018 12:25:05 GMT

{"timestamp":"2018-04-25T12:25:05.690+0000","status":403,"error":"Forbidden","message":"Invalid CSRF Token '1f285aef-f9b1-4709-a76b-6789e785ca8a' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.","path":"/ams/saveScheduleAcademyMapping"}

Can anyone help me with this?


Solution

  • It's weird to answer my own question, but I need to close it, hence posting it. I just correlated one more time and added the lines below to the script, and it's working now. Using the web_reg_save_param_ex() function I fetched the CSRF token and used it.

    // {CSRF} is the parameter captured earlier with web_reg_save_param_ex()
    web_add_header("X-CSRF-TOKEN",
        "{CSRF}");

    web_add_header("X-Requested-With",
        "XMLHttpRequest");
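As an added illustration (not code from the question or the answer): a constructed Python model of the synchronizer-token check behind the "Invalid CSRF Token" 403, showing why the token copied from the recording fails once the replay gets a different JSESSIONID, and why capturing it per session (what web_reg_save_param_ex() does in VuGen) fixes it. The `<meta name="_csrf">` markup, `render_page` and `extract_csrf` are assumptions; the real application's page, and therefore the boundaries used in the correlation, may differ.

```python
import re
import secrets
import uuid

# Constructed in-memory session store: each JSESSIONID maps to the one
# CSRF token issued for that session (synchronizer-token pattern).
SESSIONS = {}

def new_session():
    """Server side: issue a fresh JSESSIONID and a CSRF token bound to it."""
    sid = secrets.token_hex(16).upper()
    SESSIONS[sid] = str(uuid.uuid4())  # same UUID shape as the token on the page
    return sid

def render_page(sid):
    """Server side (assumed markup): the page loaded before the POST.
    The token lives here, so this is where a correlation must capture it."""
    return f'<meta name="_csrf" content="{SESSIONS[sid]}"/>'

def save_schedule_academy_mapping(cookies, headers):
    """Server side: the POST handler; returns only the HTTP status."""
    sid = cookies.get("JSESSIONID")
    token = headers.get("X-CSRF-TOKEN") or ""
    if sid not in SESSIONS:
        return 403                      # unknown session: nothing to compare against
    if not secrets.compare_digest(SESSIONS[sid], token):
        return 403                      # token belongs to some other session
    return 200

def extract_csrf(html):
    """Client side: the equivalent of web_reg_save_param_ex with
    LB='name="_csrf" content="' and RB='"'."""
    m = re.search(r'name="_csrf" content="([^"]+)"', html)
    return m.group(1) if m else None

def replay_recorded_token(recorded_token):
    """Failing replay: new session cookie, token hardcoded from the recording."""
    sid = new_session()
    return save_schedule_academy_mapping({"JSESSIONID": sid},
                                         {"X-CSRF-TOKEN": recorded_token})

def replay_correlated():
    """Fixed replay: capture the token from this session's page, then send it."""
    sid = new_session()
    token = extract_csrf(render_page(sid))
    return save_schedule_academy_mapping({"JSESSIONID": sid},
                                         {"X-CSRF-TOKEN": token})
```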