tsung, django, and cross-site request forgery protection
Wednesday, 22nd June, 2011
Tsung is an excellent tool for stress-testing websites. With tsung-recorder you can record different visits (called sessions) to the target website, and later run many randomised versions of the visits.
One complication with testing a Django website is that its forms are generally protected against cross-site request forgery attacks by a hidden field in the form (see Cross Site Request Forgery protection). Because the token in that field is issued per client, a value captured during recording cannot simply be replayed.
Thanks to help from a respondent on django-users, we can overcome this complication: using dyn_variable, tsung can find values in a requested webpage and store them for use in later requests in the same session. The simplified session config below shows this in action: the first request fetches the page and captures the csrfmiddlewaretoken field, and the second request (marked subst="true") substitutes the captured value into the POST body wherever %%_csrfmiddlewaretoken%% appears.
<session name='login_with_csrf' probability='100' type='ts_http'>
  <request>
    <!-- capture the value of the hidden input named csrfmiddlewaretoken -->
    <dyn_variable name="csrfmiddlewaretoken"></dyn_variable>
    <http url='http://mysite.com/' method='GET'></http>
  </request>
  <request subst="true">
    <!-- replay the login form, substituting the captured token -->
    <http url='/home/'
          contents='csrfmiddlewaretoken=%%_csrfmiddlewaretoken%%&amp;username=xxxxxx&amp;password=xxxxxx&amp;next=%2F'
          content_type='application/x-www-form-urlencoded'
          method='POST'></http>
  </request>
</session>
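To make the mechanism concrete, here is an added Python example (not part of the original post, and not tsung or Django code) that does offline what the two tsung requests do over HTTP: it pulls the csrfmiddlewaretoken value out of a constructed login page the way tsung's default dyn_variable does (value attribute of the input element with that name), builds the form-encoded POST body, and then applies a simplified model of the server-side check, namely that the posted token must match the token the server issued. The sample page, the token value, and the usernames are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed sample of what the first GET would return; the token value is made up.
SAMPLE_LOGIN_PAGE = """<html><body>
<form action="/home/" method="post">
  <input type="hidden" name="csrfmiddlewaretoken" value="AbC123xyz" />
  <label>Username <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <input type="hidden" name="next" value="/" />
  <input type="submit" value="Log in">
</form></body></html>"""


class InputFieldExtractor(HTMLParser):
    """Collect the name/value pairs of every <input> element on a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attributes = dict(attrs)
        if attributes.get("name") and attributes.get("value") is not None:
            self.fields[attributes["name"]] = attributes["value"]


def extract_dyn_variable(html, name):
    """Mimic tsung's default dyn_variable: return the value of the input called `name`,
    or None when the page has no such field."""
    parser = InputFieldExtractor()
    parser.feed(html)
    return parser.fields.get(name)


def build_login_body(html, username, password, next_url="/"):
    """Build the application/x-www-form-urlencoded body the second request sends.
    Raises if the page did not carry a token, which is what a replayed, stale
    recording would otherwise silently send on as an empty substitution."""
    token = extract_dyn_variable(html, "csrfmiddlewaretoken")
    if token is None:
        raise ValueError("csrfmiddlewaretoken not found in page")
    return urlencode(
        {
            "csrfmiddlewaretoken": token,
            "username": username,
            "password": password,
            "next": next_url,
        }
    )


def csrf_check(issued_token, body):
    """Simplified model (hypothetical, not Django's implementation) of the server-side
    check: the token posted in the form must equal the token the server issued to
    this client. A missing or recorded-from-another-session token fails."""
    fields = parse_qs(body)
    posted = fields.get("csrfmiddlewaretoken", [None])[0]
    return posted is not None and issued_token is not None and posted == issued_token


if __name__ == "__main__":
    body = build_login_body(SAMPLE_LOGIN_PAGE, "alice", "s3cret")
    print(body)
    print("fresh token accepted:", csrf_check("AbC123xyz", body))
    print("stale recorded token accepted:", csrf_check("old-recorded-value", body))
```

Two points follow from the model. First, the token must come from the page the same virtual user just fetched, which is exactly what dyn_variable gives each tsung session. Second, Django's middleware also compares the posted field against the csrftoken cookie it set on the earlier response; tsung stores cookies per session, so the cookie from the GET travels with the POST without extra configuration. Later Django releases mask the form token so that it no longer equals the cookie byte for byte, but the requirement that both originate from the same client session is unchanged.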