tsung, django, and cross-site request forgery protection

Wednesday, 22nd June, 2011

Tsung is an excellent tool for stress-testing websites. With tsung-recorder you can record different visits (called sessions) to the target website, and later run many randomised versions of the visits.

One complication with testing a Django website is that forms are protected against cross-site request forgery by a hidden field, csrfmiddlewaretoken, whose value must match the csrftoken cookie sent with the same request (see Cross Site Request Forgery protection). A replayed POST that carries a stale or missing token is rejected with a 403 before the view ever runs, so a recorded session cannot simply be played back as-is.

Thanks to help from a respondent on django-users, we can overcome this complication: using dyn_variable, tsung can find values in a requested webpage and store them for use in later requests. The simplified session config below shows this in action.

<session name='login_with_csrf' probability='100' type='ts_http'>

  <!-- First request: fetch the page carrying the login form. With no regexp
       given, dyn_variable extracts the value of the hidden <input> named
       csrfmiddlewaretoken. Tsung stores the csrftoken cookie itself and
       replays it on later requests in the session. -->
  <request>
    <dyn_variable name="csrfmiddlewaretoken"></dyn_variable>
    <http url='http://mysite.com/' method='GET'></http>
  </request>

  <!-- Second request: subst="true" enables %%_name%% substitution, so the
       token extracted above is sent back in the form body alongside the
       cookie. Credentials and the URLs are placeholders for your own site. -->
  <request subst="true">
    <http url='/home/' contents='csrfmiddlewaretoken=%%_csrfmiddlewaretoken%%&amp;username=xxxxxx&amp;password=xxxxxx&amp;next=%2F' content_type='application/x-www-form-urlencoded' method='POST'></http>
  </request>

</session>
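Before committing to a long load run it is worth checking, outside Tsung, that the token really is being pulled out of the page and that the POST carries both the field and the cookie. The script below is an added example (not code from the original post, nor from Tsung or Django): it replays the same two-request flow in plain Python, with the token-extraction step written to behave like a regexp-less dyn_variable. The field name csrfmiddlewaretoken and cookie name csrftoken are Django's; the sample HTML, the Set-Cookie header, the hostname and the credentials are constructed placeholders.

```python
"""Stand-alone replica of the Tsung login_with_csrf session (added example).

GET the page, extract the hidden csrfmiddlewaretoken field, then POST it back
together with the csrftoken cookie, which is what Django's CSRF middleware
checks.  SAMPLE_* values below are constructed, not captured from a real site.
"""
import http.cookiejar
import re
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie

INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))""")


def extract_hidden_field(html, name):
    """Mimic a regexp-less Tsung dyn_variable: return the value attribute of
    the <input> whose name attribute equals `name`, or None if absent.
    Attribute order and quoting style do not matter."""
    for tag in INPUT_TAG.finditer(html):
        attrs = {}
        for key, dq, sq, bare in ATTR.findall(tag.group(0)):
            attrs[key.lower()] = dq or sq or bare
        if attrs.get("name") == name:
            return attrs.get("value")
    return None


def build_login_post(html, set_cookie, username, password, next_url="/"):
    """Build body and headers for the second request of the session.

    Both halves of Django's check are required: the hidden field in the body
    and the csrftoken cookie from the first response.  Tsung keeps the cookie
    for us; here it is carried over explicitly so a missing one is visible."""
    token = extract_hidden_field(html, "csrfmiddlewaretoken")
    if token is None:
        raise ValueError("page has no csrfmiddlewaretoken hidden field")
    jar = SimpleCookie()
    jar.load(set_cookie)
    if "csrftoken" not in jar:
        raise ValueError("no csrftoken cookie in response; POST would get 403")
    body = urllib.parse.urlencode([
        ("csrfmiddlewaretoken", token),
        ("username", username),
        ("password", password),
        ("next", next_url),
    ])
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "csrftoken=" + jar["csrftoken"].value,
    }
    return body, headers


def login(base_url, username, password):
    """Run the two requests against a live site (needs network; not used by the
    offline check).  A 403 raised as HTTPError means the CSRF check failed."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open(base_url + "/") as resp:
        html = resp.read().decode("utf-8", "replace")
    token = extract_hidden_field(html, "csrfmiddlewaretoken")
    if token is None:
        raise ValueError("login page has no csrfmiddlewaretoken field")
    data = urllib.parse.urlencode({
        "csrfmiddlewaretoken": token, "username": username,
        "password": password, "next": "/",
    }).encode()
    req = urllib.request.Request(base_url + "/home/", data=data, method="POST")
    req.add_header("Referer", base_url + "/")  # Django also checks Referer over HTTPS
    with opener.open(req) as resp:  # cookie jar replays csrftoken automatically
        return resp.status


# Constructed sample of what the first GET might return (attribute order
# deliberately reversed to show extraction does not depend on it).
SAMPLE_HTML = """<form method="post" action="/home/">
<input type='hidden' value='A1b2C3d4' name='csrfmiddlewaretoken' />
<input type="text" name="username">
</form>"""
SAMPLE_SET_COOKIE = "csrftoken=A1b2C3d4; Path=/"

if __name__ == "__main__":
    body, headers = build_login_post(SAMPLE_HTML, SAMPLE_SET_COOKIE, "xxxxxx", "xxxxxx")
    print(body)
    print(headers)
```

If `extract_hidden_field` returns None for a real page, the dyn_variable in the Tsung session will be empty too: the form is probably not on the URL that the first request fetches, or the field is rendered by JavaScript rather than in the HTML.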