Looking into XSRF/CSRF Prevention in ASP.NET MVC and Web Pages it appears that you‘re either sending an incorrect __RequestVerificationToken
parameter value or completely miss the step.
If the current HTTP request already contains an anti-XSRF session token (the anti-XSRF cookie __RequestVerificationToken), the security token is extracted from it. If the HTTP request does not contain an anti-XSRF session token or if extraction of the security token fails, a new random anti-XSRF token will be generated.
So your test should look like:
-
Open Login Page (HTTP Get Request)
-
Extract
__RequestVerificationToken
dynamic parameter value using suitable JMeter PostProcessor, I would recommend going for CSS Selector Extractor, the configuration would be something like:
-
-
Once done you can refer the extracted value as
${token}
in the next request
Check out ASP.NET Login Testing with JMeter article for more detailed information and step-by-step instructions if needed