Design & execute Postman script, for web pages having CSFR tokens to Login

3 min readApr 10, 2020

In this article we will learn how to login to legacy systems which are using a form-bases / session-based / cookie-based authentication which involve CSRF tokens.

Application Under Test: https://gitlab.com

We are going to use Chrome browser for accessing the application. Launch developer tools to know what exactly is happening when accessing this URL. Open Network Tab, and make sure you are preserving the log before navigating to this URL.

As you see login page has got an Authenticity Token to safeguard from security attacks.

This token is dynamic and is passed together with userid and password information during login to the server. We will see how to handle this token.

For now, enter credentials(If you do’t have an account, register for it) and login to gitlab.

Now, goto “Other” tab, most of the time this tab contains login information in Form Data that we need. Sometimes it may also be present in “Doc” tab.

Copy as cURL, to get all the request information.

Goto Postman, and Import it as Raw Text.

So, Postman will be able to figure out what needs to be done, it will generate Body and Headers for us. Also, as you see it has got Authentication token.

In Postman, we can also manually create this request with above body and headers. But, that will be error prone and time consuming process.

Now, we need to have two requests, one get request to render login page and retrieve the token value, and other request to pass this value together with username and password to login to the website.

Now, to capture dynamic token value from first response we need to use Cherrio Java Script library .

Create a get request and add below lines of code in Tests section of the first request.

//Parse HTML and get the CSRF token
var responseHTML = cheerio(pm.response.text());
var auth_token=responseHTML.find('[name="authenticity_token"]').val();
console.log(auth_token);
pm.globals.set("authenticity_token", auth_token);