Hello all,
I'm trying to set up automatic login and scanning of my application, but currently I have an issue with the Anti CSRF token - ZAP doesn't read it on any request, so all my requests are marked as unauthorized.
I'm using Laravel for the application, and Laravel generates a CSRF token with the name "_token" in each page. I have set and enabled _token at Options -> Anti CSRF tokens, but it doesn't help.
Also I have set a Context for my application and flagged the login request (also updated all needed info and set how ZAP should recognise if login is successful).
If I disable CSRF protection in my app, ZAP is able to authenticate and scan the application.
Does anyone have an idea what the problem is?
P.S. My flagged login request has username, password and _token as form parameters, but when ZAP starts scanning, it always sets different values for the _token - like it is fuzzing different values.
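As an added illustration (not code from the original post, nor from ZAP or Laravel), here is a small Python model of the per-request token handling a scanner has to perform against a Laravel login form: the token is a hidden `<input name="_token">`, a new value is issued with each page, and a replayed old value is rejected. The field names `email`/`password`, the sample pages and the token values are all constructed for the example.

```python
# Added example: models what a scanner such as ZAP must do with Laravel's
# hidden "_token" field. The token must be re-read from every fetched page;
# replaying the value captured once at login time does not work.
import hmac
from html.parser import HTMLParser

class HiddenInputCollector(HTMLParser):
    """Collect hidden <input name=... value=...> fields from an HTML page."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("type", "text").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

def extract_csrf_token(html, token_name="_token"):
    """Return the value of the hidden form field named token_name, or None."""
    p = HiddenInputCollector()
    p.feed(html)
    return p.fields.get(token_name)

def build_login_body(html, email, password, token_name="_token"):
    """Build the login POST body using the token carried by *this* page."""
    token = extract_csrf_token(html, token_name)
    if token is None:
        # A token present only in a <meta> tag or a cookie is not a form
        # parameter, so matching by hidden-input name finds nothing here.
        raise ValueError(f"no hidden input named {token_name!r} on the page")
    return {"email": email, "password": password, token_name: token}

def server_accepts(session_token, submitted_body, token_name="_token"):
    """Laravel-style check: submitted token must equal the session's token."""
    return hmac.compare_digest(session_token, submitted_body.get(token_name, ""))

# Constructed sample pages with hypothetical token values.
LOGIN_PAGE_1 = ('<form method="POST" action="/login">'
                '<input type="hidden" name="_token" value="tok-A1">'
                '<input name="email"><input type="password" name="password">'
                '</form>')
LOGIN_PAGE_2 = LOGIN_PAGE_1.replace("tok-A1", "tok-B2")   # next page load
META_ONLY_PAGE = ('<meta name="csrf-token" content="tok-C3">'
                  '<form method="POST" action="/login"><input name="email"></form>')

if __name__ == "__main__":
    body = build_login_body(LOGIN_PAGE_1, "user@example.com", "secret")
    print("fresh token accepted:", server_accepts("tok-A1", body))   # True
    print("stale token replayed:", server_accepts("tok-B2", body))   # False
```

Run against a real login page the same way: fetch the page, extract `_token`, and only then post the credentials; a token value that differs on every request is what a correctly refreshed form submission looks like.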