Forum Discussion

NicoSuave
New Contributor
9 years ago

SoapUI and AntiForgeryTokens

I am trying to do something with SoapUI, and I'm suspecting that it is not possible. I'm hoping someone here can prove me wrong. My situation is this: We have an API that we'd like to start testing with SoapUI. Typical, right? There's a slight rub though: before we can make any API calls, we must get authenticated. In order to get authenticated, we must not only submit a username and password, but also one of MVC's AntiForgeryTokens that is automatically generated and stuck in a hidden form field.

 

I can think of several solutions to this, but I'm not sure that SoapUI can do any of them (though admittedly I am a total newbie when it comes to SoapUI).

 

1.) Have SoapUI bring up the login page, let the tester login normally, and then have the test proceed with the stored cookie.

2.) Load the login page, scrape the token from the form field, and then submit it.

 

My fear is that the AntiForgeryToken system was designed to prevent people from doing exactly what I am trying to do, that is, submit web requests via automated means. If anyone has any information on how I might implement one of my ideas, or better yet, an even smarter solution to this problem, I would be very grateful.

3 Replies

  • nmrao
    Champion Level 3
    From the two steps, I'm not sure how you used them. Is it an HTTP Request in step 1? I'd also like to understand how the token needs to be passed: as a header? If this is the case, then I guess it could possibly be done automatically.
    • NicoSuave
      New Contributor

      Ah, those are not steps, those are the two possible solutions I can think of to solve the problem.

       

      Basically, to get authenticated, I need to submit two tokens. One is in a cookie I get from the server. I don't see that as a problem; I believe I can just set the test to maintain HTTP state and then it would maintain cookies. The challenge is that there is a second token that is generated server side and stuck inside a hidden form field. Now, a browser client would normally seamlessly transmit this cookie along with the username and password as web form data. The problem is that in SoapUI I am not a browser client, but I have to do a form submit as if I were. I've had a think since I posted this, and here is what I think I need to do.

       

      1.) Load the page

      2.) Read the hidden form variable off the page and store it. (Essentially, parse the HTML response)

      3.) Make an HTTP request with the user, password, and that hidden token sent as form data

      4.) Boom, done, authenticated

       

      I believe that's what I need to do. I'm just not sure how to do it.

       

      P.S. If it helps at all, this is the security system I am trying to test around: http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks
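
The four-step flow above (load the page, scrape the hidden field, POST it together with the credentials while keeping the cookie, done) is exactly what a scripted client has to do, and the anti-forgery scheme does not stop it: the token only blocks a third-party origin that cannot read the login page, not a client that fetches the page itself. The following is an added example, not code from this thread or from SoapUI (where the same steps would be HTTP Request test steps plus a Groovy script to pull the token into a property). It is in Python so it runs stand-alone. The hidden-field name __RequestVerificationToken is the real MVC default; the server class is a constructed, simplified model of the cookie-token/form-token pairing, and the user name, password and session cookie name are made up.

```python
"""Scripted login against an ASP.NET-MVC-style anti-forgery login form.

Added example, not from the thread or from SoapUI.  FakeMvcServer is a
constructed stand-in for the real site: GET issues a cookie token plus a
hidden form token derived from it, POST accepts the login only if both are
present and belong together.  Real MVC binds the two tokens differently,
but the client-side procedure is the same.
"""
import hashlib
import hmac
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

FIELD = "__RequestVerificationToken"   # MVC's default hidden-field / cookie name


class HiddenFieldParser(HTMLParser):
    """Collect every <input type="hidden"> name/value pair on a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_hidden_field(html, name=FIELD):
    """Step 2 of the post: scrape the hidden token out of the login page."""
    p = HiddenFieldParser()
    p.feed(html)
    return p.fields.get(name)


def build_login_body(token, username, password):
    """Step 3: the form-encoded body a browser would submit from that page."""
    return urlencode({FIELD: token, "UserName": username, "Password": password})


class FakeMvcServer:
    """Constructed model of the site; assumed user 'tester' / 'hunter2'."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)   # server-side key, never sent
        self.users = {"tester": "hunter2"}

    def _form_token_for(self, cookie_token):
        # Form token is bound to the cookie token: a token scraped from one
        # page load is useless with the cookie from another (or with none).
        return hmac.new(self._secret, cookie_token.encode(), hashlib.sha256).hexdigest()

    def get_login_page(self):
        """GET /Account/Login -> (html, cookies the server sets)."""
        cookie_token = secrets.token_hex(16)
        html = (
            "<html><body><form method='post' action='/Account/Login'>"
            f"<input name='{FIELD}' type='hidden' value='{self._form_token_for(cookie_token)}' />"
            "<input name='UserName' type='text' />"
            "<input name='Password' type='password' />"
            "<button type='submit'>Log in</button></form></body></html>"
        )
        return html, {FIELD: cookie_token}

    def post_login(self, body, cookies):
        """POST /Account/Login -> session cookie dict, or None when rejected."""
        form = {k: v[0] for k, v in parse_qs(body).items()}
        cookie_token, form_token = cookies.get(FIELD), form.get(FIELD)
        if not cookie_token or not form_token:
            return None                                   # missing half of the pair
        if not hmac.compare_digest(self._form_token_for(cookie_token), form_token):
            return None                                   # tokens not from the same page load
        if self.users.get(form.get("UserName")) != form.get("Password"):
            return None                                   # bad credentials
        return {"ASP.NET_SessionId": secrets.token_hex(8)}  # assumed session cookie name


def scripted_login(server, username, password):
    """Steps 1-4 of the post, driven without a browser."""
    html, cookies = server.get_login_page()            # 1. load the page (keep its cookies)
    token = extract_hidden_field(html)                 # 2. scrape the hidden field
    if token is None:
        raise RuntimeError(f"{FIELD} not found in login page")
    body = build_login_body(token, username, password)  # 3. form data incl. the token
    return server.post_login(body, cookies)            # 4. session cookie, or None


if __name__ == "__main__":
    print(scripted_login(FakeMvcServer(), "tester", "hunter2"))
```

The check that matters for a test rig is the pairing: the hidden token must be submitted with the cookies from the same GET, so in SoapUI "Maintain HTTP session" (or forwarding the Set-Cookie value by hand) is as essential as the scrape itself. Reusing a token across test cases, or loading the page in one step and logging in with a different cookie jar, fails in the same way it would against the real site.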