loadrunner Reading Malcolm Isaacs 2013 article on using JavaScript in a LR...

Scott Moore

Guest
Reading Malcolm Isaacs' 2013 article on using JavaScript in a LR web/http script. It's great, but I would like to see some other examples. Anyone know a good source? I have a CSRF request being generated by the OWASP CSRFGuard project and I can see the JS code making the token request, but I am not familiar with how to call it from VuGen to be able to get this value and use it in the script as a dynamic correlation. It appears they are calling a JavaScript servlet and the JS is: xhr.setRequestHeader("FETCH-CSRF-TOKEN", "1"); I believe that is what is getting the token, although I may be wrong. How could I run the function to get the token information manually?
 
I also tried Richard Bishop's article on adding an extra .js file and calling the function with web_js_run() but I get errors trying to use them. Is there someone in the LR who is a JS Guru I could talk with?
 
I have a better idea for you. Take LoadRunner 12.50. It has full JavaScript support in Web HTTP protocol. You can generate the script in JS and have the whole script in JS instead of C.
 
That isn't a realistic solution for this specific problem. I don't have time to learn the JavaScript as well as I know C to fix this specific problem, which has a deadline. I was able to get the CSRF token by simply mimicking the same JavaScript Servlet and capturing the response with web_reg_save_param_ex, and this did allow me to get the value. BUT - the CSRF is actually working because it knows the token response is not coming from the right place so it doesn't allow real pages to come through. The answer is going to be to TURN OFF CSRF for testing and then turn it on before going to production. Sometimes the answer isn't a scripting one. Now that I think about it, if I figure out a way to work around this issue, I have defeated the CSRF mechanism and have then hacked their solution to prevent the same activity that LoadRunner mimics which is very much like a hacker.
 
I've been meaning to give JavaScript scripting a go and maybe this is an extra reason why I should give it a go.
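
A simplified model of a per-session synchronizer token check of the kind discussed in this thread, added here as an example; it is not part of any post and is not CSRFGuard's code. The class, method and field names are hypothetical, the sessions are constructed, and FETCH-CSRF-TOKEN is the fetch header the first post refers to. It shows that a captured token validates only on the session it was issued to.

```javascript
// Simplified model of a per-session synchronizer token (not CSRFGuard's code).
// Class, method and field names are hypothetical.
const crypto = require("node:crypto");

class TokenGuard {
  constructor() {
    this.sessions = new Map(); // session id -> token issued to that session
  }

  // Create a session, as a login or first page visit would.
  newSession() {
    const sid = crypto.randomBytes(16).toString("hex");
    this.sessions.set(sid, crypto.randomBytes(32).toString("hex"));
    return sid;
  }

  // Token endpoint: answers only when the request carries the fetch header
  // and a known session id.
  fetchToken(sid, headers) {
    if (headers["FETCH-CSRF-TOKEN"] !== "1") return null;
    return this.sessions.get(sid) ?? null;
  }

  // State-changing request: the submitted token must equal the token stored
  // for the session the request arrives on.
  validate(sid, submitted) {
    const expected = this.sessions.get(sid);
    if (!expected || typeof submitted !== "string") return false;
    const a = Buffer.from(expected);
    const b = Buffer.from(submitted);
    return a.length === b.length && crypto.timingSafeEqual(a, b);
  }
}

// Constructed scenario: two virtual users, each with its own session.
function demo() {
  const guard = new TokenGuard();
  const userA = guard.newSession();
  const userB = guard.newSession();
  const tokenA = guard.fetchToken(userA, { "FETCH-CSRF-TOKEN": "1" });
  return {
    noHeader: guard.fetchToken(userA, {}),       // fetch without the header
    sameSession: guard.validate(userA, tokenA),  // token used on its own session
    otherSession: guard.validate(userB, tokenA), // token used on another session
    missing: guard.validate(userA, undefined),   // request with no token
  };
}

console.log(demo());
```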