Unable to login with Zest script (csrf tokens)


Ben Pick

Feb 18, 2016, 5:03:12 PM
to OWASP ZAP User Group
Hello, 

I have a question similar to Jason Notovny's January 5th post. 

The problem I am facing is that I need a way to run a scan for authenticated users when a csrf token is passed within Post requests on login as "_token". This value can be found within the header as a "csrf-token" variable. 
I have been unable to use ZAP's functionality to write such a custom script and have opted to use Zest. 

What I have ended up with is a custom Script-based Authentication login. This works when run alone, in that it successfully grants a given user entry into the application through login. However, no scans or spidering takes place. When I attempted to apply this Zest script to the ZAP scans, it did not work. This has resulted in spidering that is not performed while authenticated and many Internal 500 errors when running an active scan. 

The latter shows that the Zest script appears to be ignored. The applied _token value appears to be a static value from an earlier scan and is no longer valid. Does anyone know the best method of overcoming this obstacle or a better method of simply including the csrf token?

Please note that I have created csrf tokens and enabled them within ZAP's options menu. My assumption is that this has thus far failed due to the fact that the value sent in the response is "csrf-token" and the value I need to include in the post is "_token".

Any ideas are greatly appreciated.

Thanks.

- Ben 
screenshot_sessionpropAuth.PNG
csrf_enabled.PNG
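A ZAP script-based authentication script in JavaScript that does what this post asks for: fetch a fresh csrf-token response header on every authentication and submit it as _token in the login POST. This is an added example, not code from the thread or from ZAP itself; the parameter names ("Login URL", "Username", "Password") and the username/password form field names are assumptions.

```javascript
// ZAP script-based authentication in JavaScript (added example, not from the thread).
// Assumptions: the login page answers with a "csrf-token" response header and the
// login form expects that value in a "_token" field, as the first post describes;
// the parameter names and the username/password field names are chosen here.

// Pure helper, kept free of ZAP objects so it can be tested outside ZAP: find the
// csrf-token header (header names are case-insensitive) and build the form body.
function buildLoginBody(headers, username, password) {
  var token = null;
  for (var name in headers) {
    if (name.toLowerCase() === 'csrf-token') { token = headers[name]; }
  }
  if (!token) { throw new Error('login page response carried no csrf-token header'); }
  return '_token=' + encodeURIComponent(token) +
         '&username=' + encodeURIComponent(username) +
         '&password=' + encodeURIComponent(password);
}

// ZAP calls this for every authentication, so a fresh token is fetched each time
// instead of reusing a value captured by an earlier run.
function authenticate(helper, paramsValues, credentialParams) {
  var HttpRequestHeader = Java.type('org.parosproxy.paros.network.HttpRequestHeader');
  var HttpHeader = Java.type('org.parosproxy.paros.network.HttpHeader');
  var URI = Java.type('org.apache.commons.httpclient.URI');
  var loginUrl = paramsValues.get('Login URL');

  // Step 1: GET the login page and read the current token from its response header.
  var page = helper.prepareMessage();
  page.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.GET, new URI(loginUrl, false), HttpHeader.HTTP11));
  helper.sendAndReceive(page);
  var headers = {};
  var tokenHeader = page.getResponseHeader().getHeader('csrf-token');
  if (tokenHeader !== null) { headers['csrf-token'] = String(tokenHeader); }

  // Step 2: POST the credentials with the token as "_token".
  var body = buildLoginBody(headers, credentialParams.get('Username'), credentialParams.get('Password'));
  var login = helper.prepareMessage();
  login.setRequestHeader(new HttpRequestHeader(HttpRequestHeader.POST, new URI(loginUrl, false), HttpHeader.HTTP11));
  login.getRequestHeader().setHeader(HttpHeader.CONTENT_TYPE, 'application/x-www-form-urlencoded');
  login.setRequestBody(body);
  login.getRequestHeader().setContentLength(login.getRequestBody().length());
  helper.sendAndReceive(login);
  return login; // ZAP checks this response against the context's logged-in/out indicators
}

// Parameter names ZAP shows in the Context authentication panel (chosen for this example).
function getRequiredParamsNames() { return ['Login URL']; }
function getOptionalParamsNames() { return []; }
function getCredentialsParamsNames() { return ['Username', 'Password']; }
```

Because ZAP invokes authenticate() itself whenever it decides to (re)authenticate, the token can never be the stale value from an earlier manual run, which is the failure described in this post.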

Ben Pick

Feb 19, 2016, 10:28:02 AM
to OWASP ZAP User Group
As a point of clarification, the _token value sent with the login request (while running the spider and scan functions) is the same value pulled from the previous Zest scan. Except it is not updating the csrf-token.

Put another way, when manually running the Zest script it can login successfully and obtains a csrf-token. However, when running the spider or active scanning function with this script, the Zest script is not rerun. The csrf token value used is outdated and rejected. How can I force Zap to rerun the Zest script and renew the values? 

I have the working script setup to run as the authentication method through the Context. I just need a new instance of the Zest script to run for every authentication.

Thanks. 

- Ben 

Simon Bennetts

Feb 19, 2016, 10:34:29 AM
to OWASP ZAP User Group
Hi Ben,

Does the Zest script request and use a new token when it's run?
Does it work correctly when you use forced user mode, even after a suitable period of time has elapsed for the original token to be invalidated?
I'm working on the same sort of thing right now and I am getting new tokens generated.
It might be worth having a look at the latest ZAP Newsletter re Contexts: http://zaproxy.blogspot.co.uk/2016/02/zap-newsletter-2016-february.html

Cheers,

Simon

Ben Pick

Feb 19, 2016, 2:49:50 PM
to OWASP ZAP User Group
Hello Simon,

Thank you for your support. The issue has been resolved and the scans are running without issue. 
To answer your question, the Zest script would obtain a new token correctly every time it was run from the Script Console tab. 

The solution was 1 of 2 things. As I performed both steps at the same time, I am not sure which resolved this. First of all, I disabled Forced User Mode. Then I changed the loginURL value within the Context from https://website/auth/login to https://website/. The homepage included the needed csrf-token in the response, which may have been skipped when the custom script was initiated on the /auth/login page. 

Also, I am not sure how this fits in, but I needed to run a spider of the website before running an active scan. Otherwise the login authentication did not update the csrf token. 

Thanks again for getting back to me so quickly.

- Ben 