Settings when calling API using CSRF measures of Spring Security in JMeter

What I want to do

As the long title says: I built an API with Spring Boot that is called from a Vue.js application, and it was decided to load test that API. I am using JMeter to build the scenario, but the API uses CSRF protection based on Spring Security's CookieCsrfTokenRepository.

That is why the scenario needed to handle the CSRF token as well.

Rough specifications of the API under test

Only the relevant parts are shown; roughly, it looks like this.

| URL     | HTTP method | Overview                                                                                                         |
|---------|-------------|------------------------------------------------------------------------------------------------------------------|
| /login  | POST        | Sends ID/password to log in. On successful login the XSRF-TOKEN cookie is issued. Not subject to the CSRF check. |
| /orders | POST        | Registers an order. Subject to the CSRF check.                                                                   |

environment

application

tool

JMeter settings

Get the value of XSRF-TOKEN

The /login response contains the XSRF-TOKEN cookie, so we extract it from there. For reference, the /login response as seen in DevTools looks like this.

(Screenshot: XSRF-TOKEN.jpg)

Setting

The call to /login is defined in an HTTP Request sampler (details omitted). After this sampler runs, a Regular Expression Extractor is used to pick up the CSRF token.

Procedure
  1. Select the /login HTTP Request sampler and right-click it
  2. Select Add > Post Processors > Regular Expression Extractor
  3. Configure it as follows (Name and Comments can be anything)

(Screenshot: csrfトークン取得.jpg)

That covers the key points. In later samplers in the scenario, you can reference the extracted value through the variable ${xsrf_token}.

Set the X-XSRF-TOKEN header

Since /orders is subject to the CSRF check, the X-XSRF-TOKEN header must be set when it is called.

Setting

The call to /orders is defined in an HTTP Request sampler (details omitted). When this sampler runs, an HTTP Header Manager is used to set the X-XSRF-TOKEN header.

Procedure
  1. Select the /orders HTTP Request sampler and right-click it
  2. Select Add > Config Element > HTTP Header Manager
  3. Configure it as follows (Name and Comments can be anything; Content-Type is set here only because this particular API requires it)

(Screenshot: X-XSRF-TOKEN付与.jpg)

The ${xsrf_token} value extracted earlier is set as the value of the X-XSRF-TOKEN header.
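As an added example (not from the original post), the following Python models the two JMeter steps above and the server-side check they satisfy: the regular expression the Regular Expression Extractor applies to the /login response headers, and why POST /orders is rejected with 403 unless X-XSRF-TOKEN matches the XSRF-TOKEN cookie. The response headers and token value are constructed sample data, and csrf_check is a simplified model of Spring Security's CsrfFilter with CookieCsrfTokenRepository, not Spring's own code.

```python
import re
import secrets
from typing import Dict, Optional

# Constructed sample of the /login response headers, as JMeter's "Response Headers"
# field would show them (sample data, not captured from a real application).
LOGIN_RESPONSE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=A1B2C3D4E5F6; Path=/; HttpOnly\r\n"
    "Set-Cookie: XSRF-TOKEN=8f14e45f-ceea-467a-9575-6c0d6c4c1f4b; Path=/\r\n"
    "Content-Type: application/json\r\n"
)

# The same regular expression you would enter in the Regular Expression Extractor
# (Field to check: Response Headers, Template: $1$, Match No.: 1).
XSRF_COOKIE_RE = re.compile(r"XSRF-TOKEN=([^;\s]+)")


def extract_xsrf_token(response_headers: str) -> Optional[str]:
    """Mirror the extractor step: pull the XSRF-TOKEN cookie value into a variable."""
    match = XSRF_COOKIE_RE.search(response_headers)
    return match.group(1) if match else None


def csrf_check(method: str, path: str, cookies: Dict[str, str], headers: Dict[str, str]) -> int:
    """Simplified model of CsrfFilter + CookieCsrfTokenRepository (double-submit cookie):
    non-safe methods must carry an X-XSRF-TOKEN header equal to the XSRF-TOKEN cookie.
    /login is excluded, as in the API described above. Returns the resulting HTTP status."""
    if method in {"GET", "HEAD", "TRACE", "OPTIONS"} or path == "/login":
        return 200
    cookie_token = cookies.get("XSRF-TOKEN")
    header_token = headers.get("X-XSRF-TOKEN")
    if cookie_token is None or header_token is None:
        return 403  # missing token: Spring answers 403 Forbidden
    # Constant-time comparison, as a real implementation should use.
    return 200 if secrets.compare_digest(cookie_token, header_token) else 403


def run_scenario(with_header: bool) -> int:
    """Replay the JMeter scenario: /login, extract the token, then POST /orders."""
    token = extract_xsrf_token(LOGIN_RESPONSE_HEADERS)
    cookies = {"XSRF-TOKEN": token}           # the HTTP Cookie Manager resends the cookie
    headers = {"Content-Type": "application/json"}
    if with_header:
        headers["X-XSRF-TOKEN"] = token       # what the HTTP Header Manager adds: ${xsrf_token}
    return csrf_check("POST", "/orders", cookies, headers)
```

Running run_scenario(False) reproduces the 403 you get from a scenario without the Header Manager; run_scenario(True) returns 200.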

Summary

With the above settings, you can get through the CSRF protection. If you're new to JMeter, small details like this don't come to mind right away, and I found it tedious (that's just my own inexperience), so I wrote it down.

Reference page

I referred to the following. Thank you very much.

https://www.blazemeter.com/blog/how-load-test-csrf-protected-web-sites
