0

I am facing some weird problem while replaying my recorded script. I have correlated everything and for rest of the steps the CSRF token is working fine but for the below step its giving error for me.

The recorded script is: 

web_add_header("X-CSRF-TOKEN", 
        "1f285aef-f9b1-4709-a76b-6789e785ca8a");

    web_add_header("X-Requested-With", 
        "XMLHttpRequest");

    lr_think_time(33);

        web_custom_request("saveScheduleAcademyMapping", 
        "URL=http://localhost:8080/ams/saveScheduleAcademyMapping", 
        "Method=POST", 
        "Resource=0", 
        "RecContentType=application/json", 
        "Referer=http://localhost:8080/ams/manage_academy?scheduleInstanceId={scheduleID}", 
        "Snapshot=t1553.inf", 
        "Mode=HTTP", 
        "EncType=application/json; charset=UTF-8", 
        "Body=[{JSON values]", 
        LAST);

Below are the request and response while recording and replaying the script

For Recording

Request:

POST /ams/saveScheduleAcademyMapping HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 791
Accept: */*
Origin: http://localhost:8080
X-CSRF-TOKEN: 1f285aef-f9b1-4709-a76b-6789e785ca8a
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Type: application/json; charset=UTF-8
Referer: http://localhost:8080/ams/manage_academy?scheduleInstanceId=230044
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=B9C8BB02040E49246E1C7BA4CC16F6CF

[{JSON VALUE}]

Response:

HTTP/1.1 200 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: application:dev
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 25 Apr 2018 12:09:17 GMT

[{JSON VALUE}]

For Replay:

Request:

POST /ams/saveScheduleAcademyMapping HTTP/1.1
Content-Type: application/json; charset=UTF-8
Referer: http://localhost:8080/ams/manage_academy?scheduleInstanceId=230046
Origin: http://localhost:8080
X-CSRF-TOKEN: 1f285aef-f9b1-4709-a76b-6789e785ca8a
X-Requested-With: XMLHttpRequest
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Accept: */*
Connection: Keep-Alive
Host: localhost:8080
Cookie: JSESSIONID=E61AF0BA93B173F3D597244508FE11DD
Content-Length: 791

[{JSON VALUE}]

Response:

HTTP/1.1 403 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 25 Apr 2018 12:25:05 GMT

{"timestamp":"2018-04-25T12:25:05.690+0000","status":403,"error":"Forbidden","message":"Invalid CSRF Token '1f285aef-f9b1-4709-a76b-6789e785ca8a' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.","path":"/ams/saveScheduleAcademyMapping"}

Can anyone help me with this.

Prateek Naik
  • 2,522
  • 4
  • 18
  • 38
  • Isn't the point of CSRF token that you cannot hard code it into the script and you need to extract it from a previous request? – Buzzy Apr 25 '18 at 13:44
  • Yup am not hard-coding it. What ever the design studio provided am using that one. But for rest of the steps its working fine. Only for this step its failing – Prateek Naik Apr 25 '18 at 14:03
  • It is not clear from your description what was parameterized and what wasn't. I think you are missing some correlation but it is hard to tell. – Buzzy Apr 25 '18 at 14:07
  • Could you please tell me how to add csrf token for the above vugen script. – Prateek Naik Apr 25 '18 at 15:06
  • I think you will have to find it in a previous request and correlate it. Only once you have the token value you can add it to the headers with web_add_header – Buzzy Apr 26 '18 at 05:13
  • Sorry forgot to reply. Figured out and now its working. Thanks for your help – Prateek Naik Apr 26 '18 at 12:32

1 Answers1

3

Its weird to answer my question itself but need to close it hence postintg it. Just correlated one more time and added the lines in script like below and its working now. using web_reg_save_param_ex() function fetched the CSRF and used it.

web_add_header("X-CSRF-TOKEN", 
    "{CSRF}");

web_add_header("X-Requested-With", 
    "XMLHttpRequest");
Prateek Naik
  • 2,522
  • 4
  • 18
  • 38