David Hoerster Posts: 1
2/20/2012
Hi there. I'm in the process of evaluating StresStimulus and I was wondering if this tool can work with sites that use Anti-Forgery Tokens to prevent cross-site request forgeries. Our application uses ASP.NET MVC's ValidateAntiForgeryToken on POSTs. When I run StresStimulus against those action methods, I get a 500 back, which is understandable since I'm replaying the session with the same _RequestVerificationToken parameter (which is now invalid).
Is there a way to load test sites using this with Fiddler/StresStimulus, or do I need to have a switch in code that turns this ValidateAntiForgeryToken on and off?
I like your product very much and integration into Fiddler is a very logical place for it. Looking forward to more updates!
Thank you, David
Vadim @StresStimulus Administrator Posts: 583
2/20/2012
Hi David,
Thanks for complimenting StresStimulus.
If the _RequestVerificationToken is a hidden field in Post messages that should be carried over from every response to the subsequent request, then it should be handled by StresStimulus similarly to how it works for the _VIEWSTATE field, using the built-in automatic autocorrelation. In this case, if you select the Post request in the Fiddler grid, then the Parameterization grid in the Test Case -> Parameterization -> Requests section should show {{Auto-Correlated}} as shown below.
If, on the other hand, ValidateAntiForgeryToken works differently, then I can try to research it further if you can point out its difference from _VIEWSTATE or provide an example of a public site using ValidateAntiForgeryToken.
Cheers,
Vadim
rino batin Posts: 2
5/15/2012
Hi Vadim, I am evaluating version 1.7.4517. In some (not all) recorded requests, the __RequestVerificationToken is not set to {{Auto-Correlated}}. I tried setting it manually and ran a verification, but the request still fails ("A required anti-forgery token was not supplied or was invalid."). It seems this only happens if the recorded request resulted in HTTP 302.
I am using ASP.NET MVC 3. The request that failed is using RenderToAction that causes HTTP 302.
Vadim @StresStimulus Administrator Posts: 583
5/15/2012
Hi Rino, Here is my guess at what is happening here. When StresStimulus decides whether to use the autocorrelation, it searches for response values used in the next primary request. If between the response and the request with the autocorrelated value there is another primary request (for example, an Ajax request that is somehow marked as primary), then StresStimulus will not detect the autocorrelation. Furthermore, if you try to enforce the autocorrelation manually, StresStimulus will try to apply it only on the next primary request, which in this case will be an unrelated Ajax request, so the autocorrelation will not work. If this is the case, then instead of autocorrelation you should use a pair of an extractor / parameterization, because extractors can be used not only on the immediate, but on any subsequent requests. To do so, define an extractor using the __RequestVerificationToken value, and then use it to parameterize the necessary request. As for the relationship between the HTTP 302 response and the broken autocorrelation, I think the former is a consequence of the latter, not the other way around. Let me know if this was helpful.
Cheers, -Vadim
rino batin Posts: 2
5/16/2012
Hi Vadim, Thanks for the reply. I was able to get it running. I added a Regex extractor to the request that loads the form. Then I set the __RequestVerificationToken to use the extractor when the form is submitted.
This is the regex I used: <input name="__RequestVerificationToken" type="hidden" value="([^>]*[^/])"
Now the next problem is how to parameterize the {ID} in a URL like /Edit/{ID} where the extractor is attached to.
Vadim @StresStimulus Administrator Posts: 583
5/16/2012
Hi Rino, Congrats on figuring out the extractor, and thanks for sharing your regex, as it may be helpful to others. On your second question: if you wish to use the extractor to parameterize a URL (as opposed to a Header or Body), then click the Requests node and select the "URL and Query" tab (as opposed to the Headers or Body tab). If your URL does not have a query string (e.g. a RESTful URL), StresStimulus will display the parameterization editor, as shown on the screenshot below. Simply select the recorded value, right-click, and select the extractor that you wish to use to parameterize the value. You are done.
If, on the other hand, your URL has a query string, then, instead of displaying the parameterization editor, StresStimulus will display the parameterization grid, as shown on the second screenshot. Right-click in the Value column of the required parameter and select your extractor.
Does it make sense?
Cheers, -Vadim
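The extractor / parameterization pattern that Vadim describes and that Rino implemented with a regex, shown as an added worked example in Python; this is not StresStimulus code and not code from anyone in this thread. It models a three-request recording (form GET, an unrelated Ajax call in between, then the form POST to /Items/Edit/{ID}) against a stand-in server that issues a fresh anti-forgery token on every form load and rejects a POST whose token does not match. Replaying the recording verbatim reproduces the 500 from the first post; running an extractor on every response and substituting the captured token and id into the later POST body and URL succeeds even though another request sits between the form load and the submit. The server, URLs, field names, token regex and all sample values are constructed for this example, and the regex is deliberately stricter than the one posted above (it stops at the closing quote).

```python
import re
import secrets
from dataclasses import dataclass

# --- constructed recording, as a load tool would capture it ------------------
# Token and id values here are sample values, not taken from the thread.
@dataclass
class Recorded:
    method: str
    url: str
    body: str = ""

RECORDING = [
    Recorded("GET", "/Items/Edit/17"),                 # loads the form (token in response)
    Recorded("GET", "/Notifications/Count"),           # unrelated Ajax call in between
    Recorded("POST", "/Items/Edit/17",
             "__RequestVerificationToken=REC_TOKEN_1&ItemId=17&Name=Widget"),
]

def form_html(token, item_id):
    """Hypothetical edit form as the server would render it."""
    return (f'<form action="/Items/Edit/{item_id}" method="post">'
            f'<input name="__RequestVerificationToken" type="hidden" value="{token}" />'
            f'<input name="ItemId" type="hidden" value="{item_id}" />'
            '</form>')

class FakeServer:
    """Stand-in for the MVC app: a new token per form GET, validated on POST."""
    def __init__(self, item_id):
        self.item_id = item_id
        self.issued = None

    def handle(self, method, url, body=""):
        if method == "GET" and url == "/Notifications/Count":
            return 200, '{"count": 3}'
        if method == "GET" and url.startswith("/Items/Edit/"):
            self.issued = secrets.token_urlsafe(16)      # fresh token every load
            return 200, form_html(self.issued, self.item_id)
        if method == "POST" and url == f"/Items/Edit/{self.item_id}":
            fields = dict(p.split("=", 1) for p in body.split("&"))
            if fields.get("__RequestVerificationToken") != self.issued:
                return 500, "A required anti-forgery token was not supplied or was invalid."
            return 302, ""                               # redirect-after-post
        return 404, ""

# --- extractor / parameterization -------------------------------------------
# Extractors run against every response; captured values persist in a store
# until a later request needs them, so intervening requests do not matter.
EXTRACTORS = {
    "token": re.compile(r'<input name="__RequestVerificationToken" type="hidden" value="([^"]+)"'),
    "item_id": re.compile(r'<form action="/Items/Edit/(\d+)"'),
}

def run_extractors(response_body, store):
    for name, pattern in EXTRACTORS.items():
        m = pattern.search(response_body)
        if m:
            store[name] = m.group(1)

def parameterize(req, store):
    """Substitute extracted values into the URL path segment and the body fields."""
    url, body = req.url, req.body
    if "item_id" in store:
        url = re.sub(r"/Items/Edit/\d+", lambda _: f"/Items/Edit/{store['item_id']}", url)
        body = re.sub(r"ItemId=\d+", lambda _: f"ItemId={store['item_id']}", body)
    if "token" in store:
        body = re.sub(r"__RequestVerificationToken=[^&]*",
                      lambda _: f"__RequestVerificationToken={store['token']}", body)
    return url, body

def replay(server, parameterized):
    """Replay the recording; returns the list of status codes seen."""
    store, statuses = {}, []
    for req in RECORDING:
        url, body = parameterize(req, store) if parameterized else (req.url, req.body)
        status, response = server.handle(req.method, url, body)
        statuses.append(status)
        if parameterized:
            run_extractors(response, store)
    return statuses

if __name__ == "__main__":
    print("verbatim replay:", replay(FakeServer(17), parameterized=False))   # [200, 200, 500]
    print("with extractor: ", replay(FakeServer(42), parameterized=True))    # [200, 200, 302]
```

The second run points the server at a different item id than the one recorded, so the POST only succeeds because both the {ID} path segment and the token were parameterized from the form response; the 302 is the redirect-after-post that Rino observed on the request that was previously failing.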