Unauthorized CSRF validation failed in jMeter testing


Question

I'm new to jMeter testing. I want to test the field update on the UI. So when I run my test I'm getting the CSRF validation error. How can I resolve this? My test plan looks as follows:

The sampler result is as follows:

Thread Name: Thread Group 1-1
Sample Start: 2014-11-18 23:37:49 IST
Load time: 688
Latency: 688
Size in bytes: 483
Headers size in bytes: 457
Body size in bytes: 26
Sample Count: 1
Error Count: 1
Response code: 401
Response message: Unauthorized : CSRF validation failed

Response headers:
HTTP/1.1 401 Unauthorized : CSRF validation failed
Date: Tue, 18 Nov 2014 18:08:07 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.5
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Tue, 18 Nov 2014 18:08:07 +0000
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
ETag: "1416334087"
Vary: Accept
Content-Length: 26
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json

Why do we get the CSRF validation error, and how do we resolve it?

Answer

CSRF stands for Cross-Site Request Forgery, and you're getting the CSRF validation error due to a missing mandatory dynamic request parameter, usually a cookie or a header.

I would suggest executing your scenario in e.g. the Firefox browser with the HttpFox or FireBug extension enabled and inspecting the request details. The CSRF token usually comes as a cookie in the server's response and needs to be passed as a header or request parameter, so it is similar to usual correlation. The flow should look as follows:

  1. First HTTP Request: open first page
  2. Extract CSRF token from response via one of the following Post Processors:
    • Regular Expression Extractor
    • XPath Extractor
    • CSS/JQuery Extractor
  • HTTP Request Parameter
  • HTTP Header Manager
  • HTTP Cookie Manager

Depending on where your server expects the token to live.

For the future, looking at your "localhost" server name: don't run JMeter performance tests on the same machine where the application lives.
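The correlation flow the answer describes, as an added example that is not part of the question or the answer: a Python script stands up a constructed local server that behaves like the one in the question (the first page sets a CSRF token cookie and embeds the same token in the HTML; the update endpoint answers `401 Unauthorized : CSRF validation failed` unless the request echoes the cookie's token back in a header), then runs both the uncorrelated request from the question and the corrected flow. Every name here (the `/update` path, the `csrf_token` cookie, the `X-CSRF-Token` header, the token format) is an assumption; in a real application those come from inspecting the browser's request as the answer suggests, and in JMeter the three steps map to an HTTP Request sampler, a Regular Expression Extractor and the HTTP Cookie Manager plus HTTP Header Manager.

```python
import http.server
import re
import secrets
import threading
import urllib.error
import urllib.request
from http.cookies import SimpleCookie

# Assumed names: a real application's cookie/header names must be taken from
# a captured browser request, not guessed.
TOKEN_COOKIE = "csrf_token"
TOKEN_HEADER = "X-CSRF-Token"


class _CsrfHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in server using the double-submit cookie pattern."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _cookie_token(self):
        jar = SimpleCookie(self.headers.get("Cookie", ""))
        morsel = jar.get(TOKEN_COOKIE)
        return morsel.value if morsel else None

    def do_GET(self):
        # First page: issue a fresh token as a cookie and embed it in the form.
        token = secrets.token_hex(16)
        body = f'<html><input name="csrf_token" value="{token}"></html>'.encode()
        self.send_response(200)
        self.send_header("Set-Cookie", f"{TOKEN_COOKIE}={token}; HttpOnly")
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        # Field update: the header token must match the cookie token.
        self.rfile.read(int(self.headers.get("Content-Length", "0")))
        cookie_token = self._cookie_token()
        header_token = self.headers.get(TOKEN_HEADER)
        if (cookie_token and header_token
                and secrets.compare_digest(cookie_token, header_token)):
            self.send_response(200)
            body = b'{"status":"updated"}'
        else:
            # Same status line the question's sampler result shows.
            self.send_response(401, "Unauthorized : CSRF validation failed")
            body = b'{"error":"CSRF validation failed"}'
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), _CsrfHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def post_update(base_url, token=None, cookie=None):
    """POST the field update and return the HTTP status code."""
    req = urllib.request.Request(base_url + "/update", data=b"field=value", method="POST")
    if cookie:
        req.add_header("Cookie", cookie)
    if token:
        req.add_header(TOKEN_HEADER, token)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_flow(correlate):
    """Return the status of the update request; correlate=False reproduces the 401."""
    srv, base = start_server()
    try:
        # Step 1: open the first page (JMeter: first HTTP Request sampler).
        with urllib.request.urlopen(base + "/") as resp:
            html = resp.read().decode()
            set_cookie = resp.headers.get("Set-Cookie", "")
        if not correlate:
            # What the question's plan does: POST without the session cookie or token.
            return post_update(base)
        # Step 2: extract the token (JMeter: Regular Expression Extractor).
        token = re.search(r'name="csrf_token" value="([0-9a-f]+)"', html).group(1)
        # Step 3: replay the cookie (HTTP Cookie Manager) and send the token in
        # the header the server expects (HTTP Header Manager).
        return post_update(base, token=token, cookie=set_cookie.split(";")[0])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("uncorrelated:", run_flow(correlate=False))  # 401
    print("correlated:  ", run_flow(correlate=True))   # 200
```

Running the script shows the two outcomes side by side: the bare POST gets the same 401 as the question's sampler, and the POST that carries both the cookie and the extracted token succeeds. The regular expression in step 2 is the JMeter Regular Expression Extractor's job; if the application hands the token out only as a cookie, the HTTP Cookie Manager alone keeps it, and the header is filled from the cookie value instead.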
