How to get CSRF token on authorization request with OWASP ZAP in bruteforce mode


dmitrij.sh...@privatbank.ua

Jan 31, 2017, 7:01:58 AM1/31/17
to OWASP ZAP User Group

Hi all.


I am new to OWASP ZAP, so I need your help.


I have a vulnerable site - DVWA. I am trying to work with the token (CSRF) in bruteforce.

When the page loads I have an HTML form with login, password and user-token. The third field is filled with a dynamic token (CSRF).


I need to use bruteforce with CSRF token.

1) Receive user_token from loaded page

2) Send form through Fuzzer


As I understand, I need to create a script for receiving user_token from the loaded page and then run Attack -> Fuzz on the authorization link, then select the user_token value and add a payload script that will fill it on each request.

But I can't find any information on the Internet on how to create this script, please help me.

kingthorin+owaspzap

Jan 31, 2017, 8:26:59 AM1/31/17
to OWASP ZAP User Group

Simon Bennetts

Jan 31, 2017, 8:53:37 AM1/31/17
to OWASP ZAP User Group
As long as ZAP has detected the CSRF token correctly then the fuzzer should automatically regenerate it correctly, you shouldn't have to do anything.

We should mention that in the help :/

thc...@gmail.com

Jan 31, 2017, 9:19:50 AM1/31/17
to zaprox...@googlegroups.com
The help page mentions something:
https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsFuzzHttpmessageprocessors#anti-csrf-token-refresher

Once the user_token is added to ZAP (Options > Anti-CSRF Tokens) and the
form accessed, the fuzzer should allow adding the "Anti-CSRF Token
Refresher" processor ("Refresh anti-CSRF token: user_token").

Best regards.

On 31/01/17 13:53, Simon Bennetts wrote:
> As long as ZAP has detected the CSRF token correctly then the fuzzer should
> automatically regenerate it correctly, you shouldnt have to do anything.
>
> We should mention that in the help :/
>
> On Tuesday, 31 January 2017 12:01:58 UTC,
> dmitrij.sh...@privatbank.ua wrote:
>>
>> *Hi all.*
>>
>>
>> I am a new in OWASP ZAP, so I need your help.
>>
>>
>> I have vulnerability site - DVWA. *I am trying to work on token (CSRF) in
>> bruteforce.*
>>
>> When page load I have HTML form with login, password and user-token. Third
>> field are filled by dynamic token (CSRF).
>>
>>
>> I need to use bruteforce with CSRF token.
>>
>> 1) Receive user_token from loaded page
>>
>> 2) Send form through Fuzzer
>>
>>
>> *As I understand, I need to create script for receiving user_token from
>> loaded page and then run Attak -> Fuzz on authorization link, then select
>> user_token value and add playload script that will fill it on each request.*

dmitrij.sh...@privatbank.ua

Jan 31, 2017, 9:44:16 AM1/31/17
to OWASP ZAP User Group
>> Once the user_token is added to ZAP (Options > Anti-CSRF Tokens) and the 
>> form accessed, the fuzzer should allow to add the "Anti-CSRF Token 
>> Refresher" processor ("Refresh anti-CSRF token: user_token"). 


This is what I have:
[image]

And this is the request with the token (user_token) in the Fuzzer:
[image]

dmitrij.sh...@privatbank.ua

Jan 31, 2017, 9:47:27 AM1/31/17
to OWASP ZAP User Group

thc...@gmail.com

Jan 31, 2017, 10:06:40 AM1/31/17
to zaprox...@googlegroups.com
ZAP does not support anti-CSRF tokens in the URL (yet [1]), you would
have to POST instead.

If you do, you should be able to add the processor in the Messages
Processor tab (as in the attached image).


[1] https://github.com/zaproxy/zaproxy/issues/1133

Best regards.
processors_tab.png

dmitrij.sh...@privatbank.ua

Jan 31, 2017, 10:23:06 AM1/31/17
to OWASP ZAP User Group
Thanks, but I need to use GET request.

As I understand, only a script can help me?

thc...@gmail.com

Jan 31, 2017, 10:30:56 AM1/31/17
to zaprox...@googlegroups.com
Yes, at the moment only using a script.

Do you need guidance doing that? It's similar to what was linked by
kingthorin but with a Fuzzer HTTP Processor script.

Best regards.

dmitrij.sh...@privatbank.ua

Jan 31, 2017, 10:42:36 AM1/31/17
to OWASP ZAP User Group
With POST everything is fine. But with GET requests, I am still trying to understand.

I have some problems with this:
>> 3. Verify authentication is working, create seed for the spider and configure DVWA:

I can't understand where I can do this, and why the spider, why not the Fuzzer?


On Tuesday, 31 January 2017, 17:30:56 UTC+2, thc202 wrote:

dmitrij.sh...@privatbank.ua

Jan 31, 2017, 3:31:12 PM1/31/17
to OWASP ZAP User Group
This is my context (Anti CSRF):
[image: Inline image 1]

These are the context properties:
[image: Inline image 6]


User created:
[image: Inline image 4]

As I understand, I need to create and configure a scope for Authentication with the script.

And if I run Attack -> Fuzz, I need to configure the Message Processor with my context (Anti CSRF) and the user Administrator

[image: Inline image 5]

And start the Fuzzer.

But user_token is always the same.

As I understand, the script is not started:
[image: Inline image 7]

What's wrong? Thanks!

dmitrij.sh...@privatbank.ua

Jan 31, 2017, 3:35:27 PM1/31/17
to OWASP ZAP User Group
Sorry, images lost.

Дмитрий Сергеевич Шкарбатов

Jan 31, 2017, 3:36:58 PM1/31/17
to zaprox...@googlegroups.com
Images lost sorry :(

thc...@gmail.com

Jan 31, 2017, 4:37:13 PM1/31/17
to zaprox...@googlegroups.com
Those steps are for authentication/spider, in this case you just need to
create the Fuzzer HTTP Processor script and add it when fuzzing.

The attached script should do what you want.

Notes:
- The script works with Nashorn script engine (Java 8), if you are
using Java 7 it needs some changes (the changes are mentioned in the
original script).
- The constants defined in the beginning of the file might need to be
changed (e.g. SOURCE_URL to match the target server/webapp).
- The script assumes that the message being fuzzed has a valid DVWA
session.

Any questions, just let us know.

Best regards.

On 31/01/17 20:35, dmitrij.shkarbatov.01 via OWASP ZAP User Group wrote:
> Sorry, images lost.
>
> *This is my context (Anti CSRF):*
> [image: Inline image 1]
>
> *This is context properties:*
> [image: Inline image 6]
>
>
> *User created:*
csrf_token_fuzzer_processor.js
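As an added illustration (this is not the csrf_token_fuzzer_processor.js attached above, nor any ZAP project code), the plain JavaScript below shows the core of what a Fuzzer HTTP Processor script has to do when the token travels in a GET query string: pull the current user_token out of a freshly fetched login page, then substitute it into the query string of the message about to be sent, leaving the fuzzed field alone. The login-page HTML and the token value are constructed samples, the host dvwa.local and the names extractUserToken, setQueryParam and refreshTokenInUri are my own, and the ZAP-side wiring (fetching the page with the fuzzed message's session cookie and calling these helpers from the script's processMessage function) is assumed rather than shown. It is written for a current Node.js, not for the Nashorn engine the thread mentions, so it would need ES5 syntax before being dropped into ZAP.

```javascript
// Constructed sample of a DVWA-style login page body (not captured from a
// real server). The hidden user_token is what the fuzzer must refresh on
// every request.
const SAMPLE_LOGIN_PAGE = `
<html><body>
<form action="login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login" name="Login">
  <input type='hidden' name='user_token' value='d41d8cd98f00b204e9800998ecf8427e' />
</form>
</body></html>`;

// Escape a parameter name so it can be embedded in a RegExp literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Extract the hidden token value from a login page. Accepts single- or
// double-quoted attributes and either attribute order; returns null when
// the page carries no such input (e.g. the session is no longer valid).
function extractUserToken(html, tokenName) {
  const name = escapeRegExp(tokenName || "user_token");
  // name before value
  let re = new RegExp(`<input[^>]*\\bname=["']${name}["'][^>]*\\bvalue=["']([^"']*)["']`, "i");
  let m = html.match(re);
  if (!m) {
    // value before name
    re = new RegExp(`<input[^>]*\\bvalue=["']([^"']*)["'][^>]*\\bname=["']${name}["']`, "i");
    m = html.match(re);
  }
  return m ? m[1] : null;
}

// Replace (or append) one query-string parameter in a request URI while
// leaving every other parameter, including the fuzzed one, untouched.
function setQueryParam(uri, name, value) {
  const qIndex = uri.indexOf("?");
  const base = qIndex === -1 ? uri : uri.slice(0, qIndex);
  const query = qIndex === -1 ? "" : uri.slice(qIndex + 1);
  const pairs = query === "" ? [] : query.split("&");
  const encoded = `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
  let replaced = false;
  const out = pairs.map((p) => {
    const eq = p.indexOf("=");
    const k = eq === -1 ? p : p.slice(0, eq);
    if (decodeURIComponent(k) === name) {
      replaced = true;
      return encoded;
    }
    return p;
  });
  if (!replaced) out.push(encoded);
  return `${base}?${out.join("&")}`;
}

// One refresh step, as a processor script would run it per fuzz iteration:
// take the login page body just fetched and return the fuzzed GET URI with
// the fresh token in place of the stale one. Throwing instead of sending a
// stale token makes the "user_token always the same" failure visible.
function refreshTokenInUri(loginPageHtml, fuzzedUri, tokenName) {
  const name = tokenName || "user_token";
  const token = extractUserToken(loginPageHtml, name);
  if (token === null) {
    throw new Error(`no ${name} found in login page; session may be invalid`);
  }
  return setQueryParam(fuzzedUri, name, token);
}

// Stand-alone demo on the constructed sample; "FUZZ" marks where the
// fuzzer places its payload and must survive the rewrite unchanged.
function demo() {
  const fuzzed =
    "http://dvwa.local/login.php?username=admin&password=FUZZ&Login=Login&user_token=STALE";
  return refreshTokenInUri(SAMPLE_LOGIN_PAGE, fuzzed);
}

console.log(demo());
```

The lookup is the same one ZAP's built-in "Anti-CSRF Token Refresher" processor performs for tokens in a POST body; the script route only exists because this token is sent in the URL (issue 1133 above). In the real script the page fetch must reuse the fuzzed message's session cookie, otherwise the server hands out a token bound to a different session and every login attempt fails for the wrong reason.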

dmitrij.sh...@privatbank.ua

Feb 1, 2017, 6:15:01 AM2/1/17
to OWASP ZAP User Group
Thanks a lot! It works :)

Also I have a question: I know that the request timeout is set in seconds, but how can I make it 0.5 sec or less?
And can I use different connection timeouts for getting the CSRF token (until I receive it) and for the authorized request, 1 sec or less?

dmitrij.sh...@privatbank.ua

Feb 1, 2017, 7:02:09 AM2/1/17
to OWASP ZAP User Group
And how can I filter the response?
For example, using the word "Welcome" or something else.

On Wednesday, 1 February 2017, 13:15:01 UTC+2, dmitrij.sh...@privatbank.ua wrote:

kingthorin+owaspzap

Feb 1, 2017, 12:33:36 PM2/1/17
to OWASP ZAP User Group
The timeout is the maximum time ZAP waits for a response. If one comes faster it's processed.

There is no way to enforce different timeouts for different requests.

kingthorin+owaspzap

Feb 1, 2017, 12:36:42 PM2/1/17
to OWASP ZAP User Group
It depends what you're trying to filter.

The history table has search functionality.

You could also follow a script like: https://github.com/zaproxy/community-scripts/blob/master/standalone/historySourceTagger.js to iterate through the history table and add a custom tag.

In the fuzzer you could add a processor script that looks for a particular response element and adds a custom state. Though there is currently an open issue related to that: https://github.com/zaproxy/zaproxy/issues/3166

You could use an HTTP Sender script to parse responses from a particular initiator and log something to the script console.

etc...