Since some of the requests failed, I made another web test for the failures; browse to the login page, enter script tags in the username and password, and click the Login button. The test was failing because it returned a 500. There is a way to validate the HTTP status code returned by a Web Performance Test request. There is a property on the request called Expected HTTP Status Code. When it is 0 a return code in the 200 – 300 range is success. I set the Expected HTTP Status Code to 500 to verify error page is returned when script tags are input to username/password and also checked for this text: "System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (userNameTextBox="")."
I ended up with two data driven tests for the login page. One to check for the normal error message when login information is incorrect and another to check that page validation is working when script tags are submitted.
This is the error page when request validation is enabled:
Server Error in '/WebPARCS' Application.
A potentially dangerous Request.Form value was detected from the client (userNameTextBox="").Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (userNameTextBox="").
[No relevant source lines]
Source File: c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\webparcs\b39bbbab\1a2d57ab\App_Web_gjejbkkx.0.cs Line: 0