I have a problem with JMeter. I am trying to perform performance tests with the BlazeMeter extension. When making some requests, I get an error with the CSRF. I already tried extracting the token with a regular expression extractor, but it doesn't find it.

  <!doctype html>
<html lang="en">
 <head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <meta name="robots" content="NONE,NOARCHIVE">
  <title>403 Forbidden</title>
  <style type="text/css">
    html * { padding:0; margin:0; }
    body * { padding:10px 20px; }
    body * * { padding:0; }
    body { font:small sans-serif; background:#eee; color:#000; }
    body>div { border-bottom:1px solid #ddd; }
    h1 { font-weight:normal; margin-bottom:.4em; }
    h1 span { font-size:60%; color:#666; font-weight:normal; }
    #info { background:#f6f6f6; }
    #info ul { margin: 0.5em 4em; }
    #info p, #summary p { padding-top:10px; }
    #summary { background: #ffc; }
    #explanation { background:#eee; border-bottom: 0px none; }
  </style>
 </head>
 <body>
  <div id="summary">
   <h1>Prohibido <span>(403)</span></h1>
   <p>Verificación CSRF fallida. Solicitud abortada</p>
   <p>Estás viendo este mensaje porqué esta web requiere una cookie CSRF cuando se envían formularios. Esta cookie se necesita por razones de seguridad, para asegurar que tu navegador no ha sido comprometido por terceras partes.</p>
   <p>Si has inhabilitado las cookies en tu navegador, por favor habilítalas nuevamente al menos para este sitio, o para solicitudes del mismo origen.</p>
  </div>
  <div id="info">
   <h2>Help</h2>
   <p>Reason given for failure:</p>
   <pre>    CSRF cookie not set.
    </pre>
   <p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when <a href="https://docs.djangoproject.com/en/2.1/ref/csrf/">Django's CSRF mechanism</a> has not been used correctly. For POST forms, you need to ensure:</p>
   <ul>
    <li>Your browser is accepting cookies.</li>
    <li>The view function passes a <code>request</code> to the template's <a href="https://docs.djangoproject.com/en/dev/topics/templates/#django.template.backends.base.Template.render"><code>render</code></a> method.</li>
    <li>In the template, there is a <code>{% csrf_token %}</code> template tag inside each POST form that targets an internal URL.</li>
    <li>If you are not using <code>CsrfViewMiddleware</code>, then you must use <code>csrf_protect</code> on any views that use the <code>csrf_token</code> template tag, as well as those that accept the POST data.</li>
    <li>The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login.</li>
   </ul>
   <p>You're seeing the help section of this page because you have <code>DEBUG = True</code> in your Django settings file. Change that to <code>False</code>, and only the initial error message will be displayed.</p>
   <p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p>
  </div>
 </body>
</html>

I tried to create this regular expression

1 Answer

Using regular expressions for getting values from HTML responses is not the best idea; if the token is in the response body, the most obvious choice is the CSS Selector Extractor.

And you need to apply the extractor to the Sampler where the token appears in the response; see the Scoping Rules user manual entry.

If you need more comprehensive help, you need to share at least a partial response where the token appears; this way we'll be able to come up with a proper Post-Processor setup.

In the meantime I can only suggest getting familiar with the What is CSRF & How to Load Test CSRF-Protected Websites article.
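
An added example, not part of the question or the answer: a Python sketch of the two values a Django CSRF check needs from the earlier GET response, the CSRF cookie and the hidden form field, pulled out with an HTML parser instead of a regular expression. The names `csrftoken` and `csrfmiddlewaretoken` are Django's defaults and are assumed here, and the sample response is constructed.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Constructed sample of the GET response that renders the form (values are placeholders).
SAMPLE_SET_COOKIE = "csrftoken=COOKIEVALUE123; Path=/; SameSite=Lax"
SAMPLE_BODY = """
<form method="post" action="/login/">
  <input value="FORMTOKEN456" type='hidden' name="csrfmiddlewaretoken">
  <input type="text" name="username">
</form>
"""

class HiddenInputFinder(HTMLParser):
    """Finds <input name=...> by parsed attributes, so attribute order and quoting do not matter."""
    def __init__(self, field_name):
        super().__init__()
        self.field_name, self.value = field_name, None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == self.field_name and self.value is None:
            self.value = attrs.get("value")

def extract_form_token(body, field_name="csrfmiddlewaretoken"):
    finder = HiddenInputFinder(field_name)
    finder.feed(body)
    return finder.value  # None when this response has no such field

def extract_cookie(set_cookie_header, cookie_name="csrftoken"):
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return jar[cookie_name].value if cookie_name in jar else None

def build_post(set_cookie_header, body, fields):
    """Returns (headers, urlencoded body) for the follow-up POST, or raises with the likely cause."""
    cookie = extract_cookie(set_cookie_header)
    token = extract_form_token(body)
    if cookie is None:
        raise ValueError("no csrftoken cookie: the server would answer 'CSRF cookie not set.'")
    if token is None:
        raise ValueError("no csrfmiddlewaretoken field: the extractor is scoped to the wrong response")
    headers = {"Cookie": f"csrftoken={cookie}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"csrfmiddlewaretoken": token, **fields})

if __name__ == "__main__":
    print(build_post(SAMPLE_SET_COOKIE, SAMPLE_BODY, {"username": "loadtest"}))
```

In a JMeter test plan the cookie half is what an HTTP Cookie Manager carries between samplers, and the field half corresponds to a CSS Selector Extractor on `input[name=csrfmiddlewaretoken]` reading the `value` attribute.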
