csrf protection and testing with tsung


Ivan Uemlianin

Jun 21, 2011, 11:48:48 AM6/21/11
to Django users
Dear All

I have a live(ish) django website which I'm testing with tsung.

With tsung you record a site visit (called a session) --- log in, view
various pages, do a few things, log out --- and tsung will then hit
the site with lots of randomised versions of this session.

Many of the views are csrf protected, and the automated requests tsung
generates don't get through the protection. For the moment I'm just
commenting out the csrf middleware in settings.py, but this is
obviously inconvenient.

Has anyone used tsung on csrf-protected views? If so, how did you do
it?

Has anyone done similar automated requests on csrf-protected views?
How?

I've read the django docs about csrf protection, but I'm not quite
clear how it works. Can anyone point me to documentation on how it
works (and then I might be able to write something into the tsung
scripts to comply with it).

With thanks and best wishes

Ivan

Malcolm Box

Jun 21, 2011, 12:54:59 PM6/21/11
to django...@googlegroups.com
On 21 June 2011 16:48, Ivan Uemlianin <ivan.l...@gmail.com> wrote:
> With tsung you record a site visit (called a session) --- log in, view
> various pages, do a few things, log out --- and tsung will then hit
> the site with lots of randomised versions of this session.
>

> Many of the views are csrf protected, and the automated requests tsung
> generates don't get through the protection.  For the moment I'm just
> commenting out the csrf middleware in settings.py, but this is
> obviously inconvenient.
>

I think you'll need to do some work with dyn_variable to pull the csrf
token out of the original form and re-inject it into the post you send
back. As far as I understand it, all that the csrf protection is is an
opaque value hidden in any form that needs to be present in the
submitted version to be valid. That stops "loose" posts from CSRF
attacks working as they don't know the magic key.

Malcolm

Ivan Uemlianin

Jun 21, 2011, 4:38:07 PM6/21/11
to django...@googlegroups.com
Dear Malcolm

Thanks, this is a good clue. I'll try it out tomorrow and report back.

Best wishes

Ivan


--
============================================================
Ivan A. Uemlianin
Speech Technology Research and Development

iv...@llaisdy.com
www.llaisdy.com
llaisdy.wordpress.com
www.linkedin.com/in/ivanuemlianin

"Froh, froh! Wie seine Sonnen, seine Sonnen fliegen"
(Schiller, Beethoven)
============================================================

Ivan Uemlianin

Jun 22, 2011, 4:52:52 AM6/22/11
to Django users
Dear Malcolm

Thanks very much for your help! You were exactly right. The
following config works (simplified for exposition).

Best wishes

Ivan

<session name='with_csrf' probability='100' type='ts_http'>

  <!-- GET the page that carries the form. The dyn_variable with just a name
       uses tsung's default pattern, which pulls the value of the hidden
       <input name="csrfmiddlewaretoken"> out of the response body. -->
  <request>
    <dyn_variable name="csrfmiddlewaretoken"></dyn_variable>
    <http url='http://mysite.com/' method='GET'></http>
  </request>

  <thinktime random='true' value='6'/>

  <!-- subst="true" turns on %%_var%% substitution, so the captured token is
       re-sent in the POST body. tsung replays cookies within a session, so
       the csrftoken cookie set by the GET travels with this POST as well. -->
  <request subst="true">
    <http url='/home/'
          contents='csrfmiddlewaretoken=%%_csrfmiddlewaretoken%%&amp;username=xxxxxx&amp;password=xxxxxx&amp;next=%2F'
          content_type='application/x-www-form-urlencoded' method='POST'></http>
  </request>

</session>


Malcolm Box

Jun 22, 2011, 5:21:24 AM6/22/11
to django...@googlegroups.com
On 22 June 2011 09:52, Ivan Uemlianin <ivan.l...@gmail.com> wrote:
>
> Thanks very much for your help!  You were exactly right.  The
> following config works (simplified for exposition).

Glad that helped, and thank you for coming back with the working
settings for anyone else who runs into the same problem.

Malcolm
