Capturing Form Variables and Injecting into Subsequent Requests

In certain application scenarios like ASP.NET Forms you may need to capture values on one page and provide that value on a POST back page. In ASP.NET this is the __RequestVerificationToken that is captured the GET page, and then has to be provided as part of the POST request for validation of the request.

There may be other scenarios such as validation algorithms or some login routines that require you to capture form variables and provide them in subsequent requests for submission.

You can do this in WebSurge as follows. I'll use Request Validation in ASP.NET as an example.

Variable Injection Requires Users

In order for form variable capture to work, you need to configure User Sessions for at least one User Session. You can find out more about how to set up User Sessions here.

This is done so the captured form variables can be scoped to a specific user as it's possible for multiple users to use separate sessions during a load test. Ideally you'll want to match your number of users to the number of threads you're running in a load test.

Capturing Request Validation Requests

ASP.NET Request validation works by creating a unique token on the initial forms page when accessing via a GET operation. A __RequestVerificationToken is created and embedded into the initial page request (token truncated for readability):

<input name="__RequestVerificationToken" type="hidden" 
       value="CfDJ8MEIzOTexpVHiU3PqQ5v04rX7IXhWWOG" />

You can capture this value in an HTTP request in WebSurge like this:

User-Agent: Mozilla/5.0...
Accept: text/html
WebSurge-Request-CaptureFormVariable: __RequestVerificationToken

You specify a form variable by name to be captures via the WebSurge-Request-CaptureFormVariable

  • WebSurge-Request-CaptureFormVariable
    This WebSurge specific header allows you to specify a name of a form variable to be captured and stored with a specific user session.

WebSurge-Request-CaptureFormVariable captures the form variable and stores it in the active session user record.

Sessions execute in sequential order and as subsequent requests are accessed they have access to this variable.

Injecting the Form Variable

To inject a previously captured form variable you can use the WebSurge-Request-InjectFormVariable header with the name of the variable. For ASP.NET Request validation that value is __RequestVerificationToken.

Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0...
Accept: text/html
WebSurge-Request-InjectFormVariable: __RequestVerificationToken

By doing this WebSurge does the following:

  • Checks if a Users are configured for the session
  • Looks up the session specific user
  • Checks it's Captured Form Variables list
  • If it finds a match, adds the variable to the request form variables

The request POST content with the updated token then looks like this:


© West Wind Technologies, 2014-2022 • Updated: 12/29/21
Comment or report problem with topic