Anti CSRF token


Mirza Oglecevac

Sep 6, 2021, 2:58:45 PM9/6/21
to OWASP ZAP Developer Group
Hello all,

I'm trying to set up automatic login and scanning of my application, but currently I have an issue with the Anti CSRF token: ZAP doesn't read it on any request, so all my requests are marked as unauthorized.

I'm using Laravel for the application, and Laravel generates a CSRF token with the name "_token" in each page. I have set and enabled _token at Options -> Anti CSRF tokens, but it doesn't help.

Also I have set a Context for my application and flagged the login request (also updated all needed info and set how ZAP should recognise if login is successful).

If I disable CSRF protection in my app, ZAP is able to authenticate and scan the application.

Does anyone have an idea what the problem is?

P.S. My flagged login request has username, password and _token as form parameters, but when ZAP starts scanning, it always sets different values for the _token, as if it is fuzzing different values.

psiinon

Sep 13, 2021, 4:09:51 AM9/13/21
to OWASP ZAP Developer Group
First of all, if you can easily disable CSRF protection in your app then why not do so, just when you are scanning it with ZAP in a safe environment, of course.
However, ZAP should be able to handle it.
Did you enable the Anti CSRF token support before exploring your app?
Does the token get shown as an Anti CSRF token in the Params tab?

Cheers,

Simon
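To illustrate the lookup the two posts are discussing, here is an added example (not ZAP's or Laravel's own code) modelled on how an anti-CSRF-aware scanner replays a Laravel `_token`: it reads the hidden `_token` input from an earlier form response and carries it into the login request. The sample pages, token values and credentials are constructed; it also covers the case where the token appears only in a `<meta name="csrf-token">` tag, which is not a form parameter and so cannot be replayed as one.

```python
from html.parser import HTMLParser

# Constructed Laravel-style login page: the token is emitted both as a
# <meta> tag (used by JavaScript clients via a request header) and as a
# hidden "_token" form input, which is the copy a scanner can replay.
SAMPLE_LOGIN_PAGE = """
<html><head><meta name="csrf-token" content="meta-abc123"></head>
<body><form method="POST" action="/login">
  <input type="hidden" name="_token" value="form-xyz789">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Log in</button>
</form></body></html>
"""

class TokenFinder(HTMLParser):
    """Collect hidden inputs whose name matches a configured token name,
    plus any csrf-token meta tag, from one HTML response."""
    def __init__(self, token_names):
        super().__init__()
        self.token_names = {n.lower() for n in token_names}
        self.form_tokens = {}   # name -> value of matching hidden inputs
        self.meta_tokens = {}   # "csrf-token" -> content of the meta tag

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden":
            name = a.get("name", "").lower()
            if name in self.token_names:
                self.form_tokens[name] = a.get("value", "")
        elif tag == "meta" and a.get("name", "").lower() == "csrf-token":
            self.meta_tokens["csrf-token"] = a.get("content", "")

def find_tokens(html, token_names=("_token",)):
    """Return (form_tokens, meta_tokens) found in the page."""
    parser = TokenFinder(token_names)
    parser.feed(html)
    return parser.form_tokens, parser.meta_tokens

def build_login_body(html, username, password, token_name="_token"):
    """Build the login form body with the replayed token, or None when the
    page exposes no hidden field of that name (meta-only case)."""
    form_tokens, _ = find_tokens(html, (token_name,))
    if token_name not in form_tokens:
        return None
    return {"username": username, "password": password,
            token_name: form_tokens[token_name]}
```

If the scanner's Params view never lists `_token` as an Anti CSRF token, check that the page it explored actually contains the hidden input and not only the meta tag.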