Handling CSRF Tokens

LoadForge is a powerful platform for the locust.io load testing tool. One of its many capabilities includes the ability to handle CSRF (Cross-Site Request Forgery) tokens, which are commonly used in login processes of modern websites. This document will guide you through the process of managing CSRF tokens with LoadForge.

Understanding CSRF Tokens

CSRF is a type of attack where unauthorized commands are transmitted from a user that the web application trusts. To mitigate this, many websites implement CSRF tokens as a countermeasure. These tokens are temporary, random values provided to the client which must be sent back with every POST request to validate the authenticity of the request.

About CSRF

CSRF tokens are designed to prevent cross-site request forgery attacks against your site. These tokens are temporary and unique to each page, which ensures that any POST request comes from a trusted source. A common indication that a request has failed CSRF validation is an HTTP 419 response.

How LoadForge Handles CSRF Tokens

LoadForge manages CSRF tokens by first making a request to the login page. It then scans the content for the specific input field that contains the CSRF token. Here's an illustrative example that shows how to post to a login page with the retrieved token and subsequently request /dashboard:

Test Example with Laravel

The provided example showcases how to handle CSRF tokens in a Laravel framework. However, the general logic can be adapted and applied to many other frameworks.

Code Example

from locust import HttpUser, task, between
from pyquery import PyQuery


class QuickstartUser(HttpUser):
    # Each simulated user waits between 5 and 9 seconds between tasks
    wait_time = between(5, 9)

    # on_start is executed once when a simulated user first starts
    def on_start(self):
        response = self.client.get("/login")
        pq = PyQuery(response.content)

        # Locate the hidden input element with name="_token" and read its
        # value attribute (attr() returns None if the element is missing)
        csrftoken = pq("input[name=_token]").attr("value")
        if not csrftoken:
            raise ValueError("No CSRF token found on /login")

        # For debugging purposes:
        # print("Retrieved CSRF token is:", csrftoken)

        # Post to the login form using the retrieved CSRF token
        self.client.post("/login", data={
            "email": "user@domain.com",
            "password": "secr3t",
            "_token": csrftoken,
        })

    @task(1)
    def index_page(self):
        # Request the /dashboard endpoint on your Host
        self.client.get("/dashboard")

Explanation:

  1. Fetching the CSRF Token: The script fetches the login page and uses PyQuery to parse the HTML content. It then searches for an input field named _token which usually holds the CSRF token.
  2. Posting with the CSRF Token: Once the token is retrieved, the script makes a POST request to the login page with the required login credentials (email and password), accompanied by the CSRF token.
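
A self-contained version of the token-extraction step, added here as an example (it is not LoadForge's or Laravel's code): it uses Python's standard-library html.parser instead of PyQuery so it runs with no extra dependencies, falls back to the <meta name="csrf-token"> tag that Laravel layouts commonly carry (an assumption beyond the page, which only uses the _token input), and fails loudly when no token is found rather than posting an empty one.

```python
from html.parser import HTMLParser


class CsrfTokenParser(HTMLParser):
    """Collect CSRF token candidates while parsing a Laravel-style login page."""

    def __init__(self):
        super().__init__()
        self.input_token = None   # from <input type="hidden" name="_token">
        self.meta_token = None    # from <meta name="csrf-token"> (common Laravel layout)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "_token":
            self.input_token = a.get("value")
        elif tag == "meta" and a.get("name") == "csrf-token":
            self.meta_token = a.get("content")


def extract_csrf_token(html):
    """Return the CSRF token, preferring the form field over the meta tag.

    Raises ValueError when neither is present, so a changed login page fails
    loudly in on_start() instead of posting an empty _token.
    """
    parser = CsrfTokenParser()
    parser.feed(html)
    token = parser.input_token or parser.meta_token
    if not token:
        raise ValueError("no CSRF token found in login page")
    return token


def failed_csrf_check(status_code):
    """Laravel rejects a missing or stale _token with HTTP 419 (Page Expired)."""
    return status_code == 419


# Constructed sample login page (not captured from a real site).
SAMPLE_LOGIN_PAGE = """<html><head><meta name="csrf-token" content="meta-TOKEN"></head>
<body><form method="POST" action="/login">
<input type="hidden" name="_token" value="form-TOKEN">
<input type="email" name="email"><input type="password" name="password">
</form></body></html>"""

if __name__ == "__main__":
    # In a locust on_start(), html would be self.client.get("/login").text
    print(extract_csrf_token(SAMPLE_LOGIN_PAGE))
```

In a locust test, pass the token returned here as the _token field of the login POST and treat a 419 on that POST as a token-handling failure rather than a load failure.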

Remember, while this example focuses on Laravel, the logic can be adjusted for other frameworks by merely changing the way you extract the CSRF token and how you use it in your requests.