Getting values from hidden form fields

Hi,
Some authentication forms are protected with a hidden token (Drupal, WordPress…) to avoid brute force.
How can I get the value of this field and pass it to a param of the .post, after the GET of the form page?

thx

ex:

.exec(http("Page SignIN")
  .get("/user-signin/")
  .headers(headers_2)
  .check(regex("Welcome").exists)
)

.exec(http("Authentification")
  .post("/teq-api.php")
  .headers(headers_6)
  .param("""login""", """alogin""")
  .param("""pass""", """apassword""")
  .param("""remember""", """1""")
  .param("""_wp_nonce""", """ax9b32ea72""") // <<<<< one time token associated with the form
)

<div

class=“label” for=“signup-login”>Registration ID

</form

Hi,

You can either use a regex or a css-selector. I tend to prefer css selectors as they don’t take into account the HTML formatting.
So, in your case, it would look like this:

.exec(http("Page SignIN")
  .get("/user-signin/")
  .headers(headers_2)
  .check(
    regex("Welcome").exists,
    css("#_wp_nonce", "value").saveAs("signin_token")
  ))

.exec(http("Authentification")
  .post("/teq-api.php")
  .headers(headers_6)
  .param("""login""", """alogin""")
  .param("""pass""", """apassword""")
  .param("""remember""", """1""")
  .param("""_wp_nonce""", """${signin_token}""")
)

Does it answer your question?
Cheers
Nicolas

Hi,

You have to capture the value of _wp_nonce into the session.

To do so, you have to use another check on the “Page SignIn” request.

It could be either XPath, if your HTML is XHTML (meaning that your HTML is well-formed XML), or a regular expression:

.check(regex("""name="_wp_nonce" value="([a-z0-9]+)"""").saveAs("wp_nonce"))

Then you can use this value in your second request:

.param("_wp_nonce", "${wp_nonce}")

Hope this helps !

If you need more info, you can read the documentation: https://github.com/excilys/gatling/wiki - it contains examples and a complete reference :)

Cheers,

Romain

PS: Didn't try the regex, but it should be something like this :)

Thx, works well.
So easy compared to some other solutions.
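
The difference between the two checks suggested above (a CSS selector versus a regular expression), as an added example that is not part of the original thread and is plain Python rather than Gatling code: the regex from the second answer is run beside an attribute-aware HTML parser on three formattings of the hidden `_wp_nonce` field. The sample markup and the helper names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Regex from the thread's second answer: assumes name comes right before value,
# double quotes, a single space between them and a lowercase alphanumeric token.
NONCE_RE = re.compile(r'name="_wp_nonce" value="([a-z0-9]+)"')


class HiddenFieldParser(HTMLParser):
    """Collects name -> value for every <input type="hidden"> in a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names arrive lowercased, values unquoted
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def nonce_by_regex(html):
    """Return the token captured by the thread's regex, or None."""
    m = NONCE_RE.search(html)
    return m.group(1) if m else None


def nonce_by_parser(html, field="_wp_nonce"):
    """Return the hidden field's value regardless of attribute order or quoting."""
    p = HiddenFieldParser()
    p.feed(html)
    p.close()
    return p.fields.get(field)


# Constructed sample pages: the same hidden field, formatted three ways.
SAMPLES = {
    "as the regex expects": '<form><input type="hidden" name="_wp_nonce" value="ax9b32ea72"></form>',
    "attributes reordered": '<form><input value="ax9b32ea72" type="hidden" name="_wp_nonce"/></form>',
    "single quotes, newline": "<form><input type='hidden'\n name='_wp_nonce'\n value='ax9b32ea72'></form>",
}

if __name__ == "__main__":
    for label, page in SAMPLES.items():
        print(f"{label:24} regex={nonce_by_regex(page)!r:14} parser={nonce_by_parser(page)!r}")
```

In a test script, a capture that returns nothing should fail the request check rather than let the following POST go out with an empty token.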