Getting Invalid CSRF Token while replaying the script
I am facing some strange issues while replaying the recorded script. I have correlated everything, and for the rest of the steps the CSRF token works fine, but for the step below it gives me an error.
The recorded script is:
web_add_header("X-CSRF-TOKEN",
"1f285aef-f9b1-4709-a76b-6789e785ca8a"); /* token literal as captured at recording time */
web_add_header("X-Requested-With",
"XMLHttpRequest");
lr_think_time(33);
web_custom_request("saveScheduleAcademyMapping",
"URL=http://localhost:8080/ams/saveScheduleAcademyMapping",
"Method=POST",
"Resource=0",
"RecContentType=application/json",
"Referer=http://localhost:8080/ams/manage_academy?scheduleInstanceId={scheduleID}",
"Snapshot=t1553.inf",
"Mode=HTTP",
"EncType=application/json; charset=UTF-8",
"Body=[{JSON values]",
LAST);
Below are the request and response when recording and when replaying the script.
Recording:
Request:
POST /ams/saveScheduleAcademyMapping HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Content-Length: 791
Accept: */*
Origin: http://localhost:8080
X-CSRF-TOKEN: 1f285aef-f9b1-4709-a76b-6789e785ca8a
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Content-Type: application/json; charset=UTF-8
Referer: http://localhost:8080/ams/manage_academy?scheduleInstanceId=230044
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=B9C8BB02040E49246E1C7BA4CC16F6CF
[{JSON VALUE}]
Response:
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: application:dev
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 25 Apr 2018 12:09:17 GMT
[{JSON VALUE}]
Replay:
Request:
POST /ams/saveScheduleAcademyMapping HTTP/1.1
Content-Type: application/json; charset=UTF-8
Referer: http://localhost:8080/ams/manage_academy?scheduleInstanceId=230046
Origin: http://localhost:8080
X-CSRF-TOKEN: 1f285aef-f9b1-4709-a76b-6789e785ca8a
X-Requested-With: XMLHttpRequest
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Accept: */*
Connection: Keep-Alive
Host: localhost:8080
Cookie: JSESSIONID=E61AF0BA93B173F3D597244508FE11DD
Content-Length: 791
[{JSON VALUE}]
Response:
HTTP/1.1 403
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 25 Apr 2018 12:25:05 GMT
{"timestamp":"2018-04-25T12:25:05.690+0000","status":403,"error":"Forbidden","message":"Invalid CSRF Token '1f285aef-f9b1-4709-a76b-6789e785ca8a' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.","path":"/ams/saveScheduleAcademyMapping"}
Can anyone help me solve this issue?
It's strange to answer my own question, but I need to close it, so I'm posting it.
Just correlated it once more and added the lines below to the script, and it's working now. Used the web_reg_save_param_ex() function to capture the CSRF token and used it.
web_add_header("X-CSRF-TOKEN",
"{CSRF}"); /* {CSRF} is the parameter filled by the earlier web_reg_save_param_ex() */
web_add_header("X-Requested-With",
"XMLHttpRequest");
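The two captures above already show why the recorded literal fails: the replay carries the same X-CSRF-TOKEN as the recording but a different JSESSIONID (E61AF0BA... instead of B9C8BB02...), and the 403 body is the message Spring Security's CSRF filter returns when the presented token does not match the one stored for the current session. The answer fixes it by correlating the token, but does not show the extraction itself. The following is an added example, not code from the post and not LoadRunner code: a small Python model of a server that binds the token to the session, with a static replay beside a correlated one. The meta-tag boundaries it extracts from, the session id format, and the page markup are constructed for the example; in LoadRunner the same extraction is a web_reg_save_param_ex() with LB/RB boundaries registered before the request that returns the page, and the real boundaries must be read from that page.

```python
import re
import secrets
import uuid


class CsrfSessionServer:
    """Constructed model of a server that keeps the CSRF token in the HTTP session
    (the behaviour of Spring Security's default HttpSessionCsrfTokenRepository)."""

    def __init__(self):
        self._sessions = {}  # JSESSIONID -> CSRF token issued for that session

    def new_session(self):
        """Start a session, as a fresh Vuser iteration would (constructed id format)."""
        sid = secrets.token_hex(16).upper()
        self._sessions[sid] = str(uuid.uuid4())
        return sid

    def get_manage_page(self, sid):
        """GET /ams/manage_academy: constructed HTML carrying the token in a meta tag."""
        token = self._sessions[sid]
        return ('<html><head>'
                f'<meta name="_csrf" content="{token}"/>'
                '<meta name="_csrf_header" content="X-CSRF-TOKEN"/>'
                '</head><body>...</body></html>')

    def post_save(self, sid, headers, body):
        """POST /ams/saveScheduleAcademyMapping: 403 unless the header token
        equals the token stored for this session."""
        expected = self._sessions.get(sid)
        presented = headers.get("X-CSRF-TOKEN")
        if (expected is None or presented is None
                or not secrets.compare_digest(expected, presented)):
            return 403, {
                "status": 403, "error": "Forbidden",
                "message": (f"Invalid CSRF Token '{presented}' was found on the "
                            "request parameter '_csrf' or header 'X-CSRF-TOKEN'."),
                "path": "/ams/saveScheduleAcademyMapping",
            }
        return 200, {"status": 200, "saved": len(body)}


# Client side: the correlation step, i.e. what web_reg_save_param_ex() does with
# left/right boundaries. The meta-tag boundaries are an assumption for this example.
CSRF_META = re.compile(r'<meta name="_csrf" content="([^"]+)"')


def extract_csrf(html):
    """Pull the per-session token out of the page that precedes the POST."""
    match = CSRF_META.search(html)
    if match is None:
        raise ValueError("CSRF token not found: boundaries do not match this response")
    return match.group(1)


def record(server):
    """Recording run: returns the session id, the token the browser used, and the status."""
    sid = server.new_session()
    token = extract_csrf(server.get_manage_page(sid))
    status, _ = server.post_save(sid, {"X-CSRF-TOKEN": token,
                                       "X-Requested-With": "XMLHttpRequest"}, "[]")
    return sid, token, status


def replay_static(server, recorded_token):
    """Replay with the literal from the recording: new session, stale token."""
    sid = server.new_session()
    server.get_manage_page(sid)  # fetched, but its token is never read
    return server.post_save(sid, {"X-CSRF-TOKEN": recorded_token,
                                  "X-Requested-With": "XMLHttpRequest"}, "[]")


def replay_correlated(server):
    """Replay with the token captured from this session's own page."""
    sid = server.new_session()
    token = extract_csrf(server.get_manage_page(sid))
    return server.post_save(sid, {"X-CSRF-TOKEN": token,
                                  "X-Requested-With": "XMLHttpRequest"}, "[]")


if __name__ == "__main__":
    srv = CsrfSessionServer()
    _, rec_token, rec_status = record(srv)
    print("recording:", rec_status)
    print("static replay:", replay_static(srv, rec_token)[0])
    print("correlated replay:", replay_correlated(srv)[0])
```

The point the model makes is that the token is only valid together with the session that issued it, so a script that hard-codes it will pass only while the recording session is still alive and will fail for every other Vuser and every later iteration. The extract_csrf() check that raises when the boundaries do not match is the equivalent of a failed web_reg_save_param_ex(): a script where the parameter is never filled sends the literal "{CSRF}" and gets the same 403, so the save step should be verified before the POST rather than diagnosed from the POST's response.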