Form based authentication in combination with CSRF fails


TeeWeTee

Nov 12, 2020, 6:07:29 AM11/12/20
to OWASP ZAP User Group
I want to test an application which uses a form-based application. I followed the tutorial (https://www.alldaydevops.com/zap-in-ten) and set everything up accordingly. However, the login does not work. I analyzed the requests and the app has the CSRF set. It is using '_csrf', which is already in the Anti-CSRF Tokens list. However, I don't see it in the actual authentication POST request.
Since the CSRF token is generated dynamically, it needs to be extracted on the fly. In a request before the actual authentication it is passed in a hidden input field, e.g.:

<input type="hidden" name="_csrf" value="d8c23bke-6432-1234-91ba-bb5ea1op55zc"/>

When the actual POST login request is fired it needs to be passed to the POST data:
(Taken from session properties \ authentication \ Form-based authentication\Login Request POST Data (if any))
username={%username%}&password={%password%}&_csrf={CSRF-2-Go-In-Here}

Now I did a bit of research and it seems that support for this was added a while ago:

So how can I reference the CSRF token which has been detected before inside the authentication mechanism? I tried _csrf={%_csrf%}, but the variable is not replaced.
Or do I need to set up a ZEST script for that? (Which I wanted to avoid, but if it's the only way then so be it.)

Thanks!

thc...@gmail.com

Nov 12, 2020, 6:12:28 AM11/12/20
to zaprox...@googlegroups.com
Hi.

ZAP will automatically replace the anti-CSRF tokens it finds by name;
the POST data should look like, e.g.:
username={%username%}&password={%password%}&_csrf=d8c23bke-6432-1234-91ba-bb5ea1op55zc

If the login page is not the same as the one where the login form is
submitted, you need to indicate that; ZAP uses that page to obtain the token.

Best regards.

TeeWeTee

Nov 12, 2020, 12:02:05 PM11/12/20
to OWASP ZAP User Group
But the CSRF token is not sent / the invalid (static) one is sent.
What I meant above with "taken from session properties" is the following:

If I put the CSRF token in there, it is then static. I also tried to remove it; however, then it is not appended to the POST body...

CSRF.png

POST Body:
j_username=user&j_password=password&_csrf=d8c23bke-6432-1234-91ba-bb5ea1op55zc

but should be (e.g.)
j_username=user&j_password=password%21&_csrf=32a44444-58f6-4890-9080-44fjjzjgdggh

Tikali

Mar 18, 2021, 8:15:09 AM3/18/21
to OWASP ZAP User Group
I'm also facing this problem.

Is there any way to automatically add the CSRF token to a form-based login request? Maybe something like {%csrf%}?

thc...@gmail.com

Mar 18, 2021, 9:04:11 AM3/18/21
to zaprox...@googlegroups.com
The anti-CSRF tokens are automatically refreshed if ZAP knows about them:
https://www.zaproxy.org/docs/desktop/start/features/authmethods/#formBased

You just need to leave the field as is (name and value) and ZAP will
request the login page and replace the value of the token.

Best regards.
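The replace-by-name behaviour described in this answer, as an added example that is not ZAP's own code: the stale token value left in the "Login Request POST Data" template is swapped for the value of the hidden input found on the login page, while a token name that is absent from the template is not added. The login page HTML and the token values are constructed from this thread.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Constructed sample of the login page ZAP requests before authenticating;
# the hidden field carries the freshly generated token.
LOGIN_PAGE_HTML = """
<form method="post" action="/login">
  <input type="text" name="j_username"/>
  <input type="password" name="j_password"/>
  <input type="hidden" name="_csrf" value="32a44444-58f6-4890-9080-44fjjzjgdggh"/>
</form>
"""

# The POST data template as configured in ZAP: the token parameter is left in
# place (name and value) even though the value itself is stale.
POST_DATA_TEMPLATE = (
    "j_username={%username%}&j_password={%password%}"
    "&_csrf=d8c23bke-6432-1234-91ba-bb5ea1op55zc"
)


class HiddenInputParser(HTMLParser):
    """Collects name -> value for every <input type="hidden"> on the page."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def extract_hidden_inputs(html):
    parser = HiddenInputParser()
    parser.feed(html)
    return parser.hidden


def build_login_body(template, username, password, login_page_html, token_names=("_csrf",)):
    """Fill in credentials and refresh any known anti-CSRF token by parameter name."""
    creds = {"{%username%}": username, "{%password%}": password}
    fresh = extract_hidden_inputs(login_page_html)
    out = []
    for name, value in parse_qsl(template, keep_blank_values=True):
        if name in token_names and name in fresh:
            value = fresh[name]            # stale token replaced by name, not by old value
        else:
            value = creds.get(value, value)  # substitute credential placeholders
        out.append((name, value))
    return urlencode(out)  # percent-encodes values, e.g. "password!" -> "password%21"
```

If the `_csrf` parameter is removed from the template, no hidden-input value is ever looked up for it, which matches the "completely missing from the request" behaviour reported later in this thread.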

TeeWeTee

Mar 18, 2021, 10:11:14 AM3/18/21
to OWASP ZAP User Group
Yeah, but actually it is not (at least not in my case...).
I gave up on this and chose manual browsing / crawling using the HUD.

thc...@gmail.com

Mar 18, 2021, 10:28:18 AM3/18/21
to zaprox...@googlegroups.com
You'd have to provide more details on the steps/data you are using.

Did you set the correct login page? (The one that contains the
form/anti-csrf token.)

Best regards.

Tikali

Mar 18, 2021, 1:40:03 PM3/18/21
to OWASP ZAP User Group
This is what I'm seeing as well.
The login page is correctly set to the one where the form and the CSRF token are located.

In the Parameters tab, however, the CSRF token is correctly detected.
And on other POST requests during the active scan, the content of this parameter is correctly entered for the "_csrf" parameter that is used here.

csrf_param.PNG

With the form-based login, however, I tried two options which did not work.
1. I can leave the _csrf parameter in the field "Login Request POST data (if any)" (as shown in the screenshot from TeeWeTee above). Then ZAP just sends the request with the exact value I entered there.

authentication_config.PNG
wrong_csrf_token.PNG

2. Or I can remove the "_csrf=..." part from the login request. In this case the parameter is also not added, but is completely missing from the request.