How To Handle CSRF Token in Jmeter

Table of contents
Reading Time: 2 minutes

What is CSRF– CSRF  stands for Cross-Site Request Forgery. Generally when we login in website it always ask for authentication. For the security point of view developer mostly time pass the csrftoken with login parameter. but our topic is how to handle this csrf token in jmeter.

when we do load testing using jmeter and if we not handle the csrf token we get this type of error.csrf token


For handling the csrf token we have to use such Parameter in jmeter.





For extracting csrf we have to add post processors in test plan then we have to add Regular expression extractor.

csrf token value

Regular expression extractor handle this csrfToken  and its value because each time this value is changed.

In Regular expression extractor we have to defined certain field.

Reference Name: value

Regular expression:   name=”csrfToken” value=”(.+?)”

Template: $1$

Match no: 1

regular expression extractor

WE just pass this JMeter variable in Request Parameter.

request parameter

Now we execute the script and see the result.

login with extractor

This is how you can deal with CSRF protection in your Apache JMeter test script.

Written by 

Principal Architect at Knoldus Inc

9 thoughts on “How To Handle CSRF Token in Jmeter1 min read

  1. and some times just to be tricky (Like in SAP) it can be hiding in the header, rather than the body. The trick with Jmeter in my experience is that if you combine it with fiddler, perl or another very good text parsing language and an excellent vis tool you can do some very very powerful things with it

  2. Hi i have one query without doing regular expression also my login is successful shown in jmeter how ever my application logs shows the security denied messages but why jmeter request passed(login) is shown in green instead of orrange please answer my query i am a beginner 🙂

  3. Hi, I am trying to record a scenario in which payment has to be made through credit card. Once I select the Payment button, I am getting redirected to a different server and I receive timeout error. Could you please help me with this. Thanks.

  4. I have CSRF token to handle in large number of requests, is there any way to handle in bulk instead of passing variable in each request individually. It is being passed in each request in header.

Comments are closed.