Cross Site Request Forgery Postman Web API Web Application Security

How To Read Cookie Value In POSTMAN For Request Chaining

Written by Ishan Girdhar

How To Read Cookie Value (CSRF token in our case) In POSTMAN For Request Chaining

In postman, writing and executing automated tests are possible with the launch of Jetpacks, you can write your basic API tests in JavaScript. Use of JavaScript gives you the power and freedom of writing any test scenario for automation testing.

However, there is a limitation where you can not read the Cookie value from response headers but here is a good news – POSTMAN has recently released a new version, which allows you to read cookies from within your Test Editor programmatically.

You can now write test scripts to read the cookie value and set them as Environment (or Global) Variable to use them in subsequent API calls (or Request Chaining).

Read Cookie Value In POSTMAN

1. We need to send a request to ‘UserInfo‘ Web API to receive user details but we can not send request directly.

2. We need to send a ‘login’ request (with valid credentials) to receive a token as a cookie value and then set it as an ‘environment variable’.

3. Finally, we will use the ‘environment variable’  in ‘request’ header to send an authorized request to ‘Userinfo’ Web API.

Let’s Begin

1. Send the ‘login request’ with the valid credentials, to receive the token in cookie  as shown in the snapshot below:

2.  As you can see in screenshot above, highlighted text is XID cookie we have received, this is our token which we need to read programmatically (using JavaScript) from test editor and set it as Environment variable, as shown in the snapshot below:

Postman does not handle cookies as part of response headers, instead postman receives cookies from chrome (using interceptor plugin), to read the cookies received from response, postman has provided us the following method: postman.getResponseCookie(“Cookie-name”).value

Reading CSRF Token in POSTMAN

Line 1:  token1 is declared as a new variable which is used to save value from ‘getResponseCookie(“cookie name”).value’ method to read the ‘xid’ cookie value.

Line 2: As you can see it in screenshot 1, value of ‘xid’ cookie is received in two lines which adds a new line character “<br/>” in our cookie value, we need to get rid of this to receive the correct cookie value, therefore we are using the JavaScript replace function to find the new line character from the string and replace it with empty character “”.

Setting CSRF Token in POSTMAN

Line 3: We are using the method provided by the postman, to set the token2 variable which now contains the correct cookie value and set it as “EnvironmentVariable” with the name, X-CSRF-TOKEN, we can use this as our variable {{X-CSRF-TOKEN}} in other requests.

3. After writing that script in test editor, don’t forget to save it.

4. Now go to POSTMAN -> Manage Environment -> Pentest Environment -> Edit and add X-CSRF-TOKEN as variable & {{X-CSRF-TOKEN}} as value, as shown below:

5. Go to ‘userinfo’ web api -> click on headers -> open and add X-CSRF-TOKEN as variable & {{X-CSRF-TOKEN}} as value, as shown below:

6. Go to ‘login’ web API, send the request and you will get the response, script will be executed and you will have X-CSRF-TOKEN set as ‘environment’ variable, to confirm run the ‘userinfo’ web API and you will get the response just like an authenticated request would get, as shown in the snapshot below:

You can use this for request chaining and running a suite of Web API’s to test a specific scenario.

About the author

Ishan Girdhar

OSCP Certified, Infosec Consultant/Penetration Tester/Adrenaline Junkie/Influential Speaker/Pythoneer/traveler/Blogger/Social Engineer/Science Lover & husband.

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.