Missing Anti-CSRF token alert for Anti-CSRF token added to form using JavaScript


Mathew Joseph

Mar 14, 2023, 3:56:42 AM
to OWASP ZAP User Group
Hello everyone

I have a web page to which an Anti-CSRF token is added dynamically using JavaScript in an external script file.

But ZAP proxy still complains, when I scan it using the Manual Scan option, that the page does not contain an Anti-CSRF token.

If the hidden field is added to the HTML page directly, the scan goes smoothly.

To make this work, do I need to change any settings in ZAP?

Thanks in advance for any help.

Regards
Mathew

Simon Bennetts

Mar 14, 2023, 5:08:45 AM
to OWASP ZAP User Group
Hi Mathew,

The Absence of Anti-CSRF Tokens scan rule is a passive one which parses the HTML. It does not handle JavaScript and so will give you a false positive in these cases.
The Anti-CSRF Tokens Check scan rule is an active one which should be more reliable in this case.

Cheers,

Simon
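An added illustration of the behaviour Simon describes (example code written for this thread, not ZAP's own rule): a purely static check that looks for a hidden token input in the served HTML finds the token on the page that embeds it directly, but not on the page that appends it with script, because the script is never executed. The token-name list is an assumed, illustrative subset, and both pages are constructed samples.

```javascript
// Added illustration (not ZAP's code): why an HTML-only passive check
// flags a form whose anti-CSRF token is injected by JavaScript.

// Assumed, illustrative subset of hidden-input names treated as tokens.
const TOKEN_NAMES = ['csrf', 'anticsrf', 'csrftoken', '_csrf', '_token',
  'csrfmiddlewaretoken', 'authenticity_token', '__requestverificationtoken'];

// Pull each <form ...>...</form> block out of the raw HTML. No JS is run.
function extractForms(html) {
  const forms = [];
  const re = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const idMatch = /\bid\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    forms.push({ id: idMatch ? idMatch[1] : '(anonymous)', body: m[2] });
  }
  return forms;
}

// Does the form body, exactly as served, contain an input named like a token?
function hasStaticToken(body) {
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(body)) !== null) {
    const nameMatch = /\bname\s*=\s*["']([^"']+)["']/i.exec(m[0]);
    if (nameMatch && TOKEN_NAMES.includes(nameMatch[1].toLowerCase())) return true;
  }
  return false;
}

// Mimics the passive rule: ids of forms whose served HTML lacks a token.
function formsMissingToken(html) {
  return extractForms(html).filter(f => !hasStaticToken(f.body)).map(f => f.id);
}

// Constructed page 1: the token is present in the HTML itself.
const STATIC_PAGE = `<form id="login" method="post" action="/login">
  <input type="hidden" name="_csrf" value="abc123">
  <input name="user"><input type="submit"></form>`;

// Constructed page 2: same form, but the token is appended by script at load.
const JS_PAGE = `<form id="login" method="post" action="/login">
  <input name="user"><input type="submit"></form>
<script>
  const t = document.createElement('input');
  t.type = 'hidden'; t.name = '_csrf'; t.value = 'abc123';
  document.getElementById('login').appendChild(t);
</script>`;

console.log(formsMissingToken(STATIC_PAGE)); // []
console.log(formsMissingToken(JS_PAGE));     // ['login']  (the false positive)
```

In a real browser the second form does carry the token at submit time, which is why an active check that actually submits the form is the more reliable test here.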

Mathew Joseph

Mar 14, 2023, 5:15:22 AM
to OWASP ZAP User Group
Thanks a lot for your response.
I am quite new to ZAP, so could you guide me on how I should proceed in this case so that the scan completes successfully?