重放脚本时获取无效的CSRF令牌

时间:2018-04-25 12:53:24

标签: performance csrf performance-testing loadrunner vugen

在重放录制的脚本时,我遇到了一些奇怪的问题。我已经关联了所有内容,对于其余的步骤,CSRF令牌工作正常,但对于下面的步骤,它给我的错误。

录制的脚本为: 

web_add_header("X-CSRF-TOKEN", 
        "1f285aef-f9b1-4709-a76b-6789e785ca8a");

    web_add_header("X-Requested-With", 
        "XMLHttpRequest");

    lr_think_time(33);

        web_custom_request("saveScheduleAcademyMapping", 
        "URL=http://localhost:8080/ams/saveScheduleAcademyMapping", 
        "Method=POST", 
        "Resource=0", 
        "RecContentType=application/json", 
        "Referer=http://localhost:8080/ams/manage_academy?scheduleInstanceId={scheduleID}", 
        "Snapshot=t1553.inf", 
        "Mode=HTTP", 
        "EncType=application/json; charset=UTF-8", 
        "Body=[{JSON values]", 
        LAST);

以下是录制和重播脚本时的请求和响应

录制

请求: 

POST /ams/saveScheduleAcademyMapping HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 791
Accept: */*
Origin: http://localhost:8080
X-CSRF-TOKEN: 1f285aef-f9b1-4709-a76b-6789e785ca8a
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Type: application/json; charset=UTF-8
Referer: http://localhost:8080/ams/manage_academy?scheduleInstanceId=230044
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=B9C8BB02040E49246E1C7BA4CC16F6CF

[{JSON VALUE}]

响应: 

HTTP/1.1 200 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: application:dev
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 25 Apr 2018 12:09:17 GMT

[{JSON VALUE}]

重播:

请求: 

POST /ams/saveScheduleAcademyMapping HTTP/1.1
Content-Type: application/json; charset=UTF-8
Referer: http://localhost:8080/ams/manage_academy?scheduleInstanceId=230046
Origin: http://localhost:8080
X-CSRF-TOKEN: 1f285aef-f9b1-4709-a76b-6789e785ca8a
X-Requested-With: XMLHttpRequest
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Accept: */*
Connection: Keep-Alive
Host: localhost:8080
Cookie: JSESSIONID=E61AF0BA93B173F3D597244508FE11DD
Content-Length: 791

[{JSON VALUE}]

响应: 

HTTP/1.1 403 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 25 Apr 2018 12:25:05 GMT

{"timestamp":"2018-04-25T12:25:05.690+0000","status":403,"error":"Forbidden","message":"Invalid CSRF Token '1f285aef-f9b1-4709-a76b-6789e785ca8a' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.","path":"/ams/saveScheduleAcademyMapping"}

任何人都可以帮助我。

1 个答案:

答案 0 :(得分:2)

回答我的问题本身很奇怪,但需要关闭它,因此postintg它。 刚刚关联了一次,并在脚本中添加了如下所示的行和现在的工作。使用web_reg_save_param_ex()函数获取CSRF并使用它。

web_add_header("X-CSRF-TOKEN", 
    "{CSRF}");

web_add_header("X-Requested-With", 
    "XMLHttpRequest");
相关问题
最新问题