Generating Anti CSRF Test Form


MC

Mar 4, 2013, 7:31:03 AM3/4/13
to zaprox...@googlegroups.com
First off, thank you so much for always answering my seemingly unending questions about ZAP 2.0!

Is there a link or tutorial on testing for CSRF with ZAP anywhere? I tried to google but didn't find much. I wanted to test this feature, and took a POST request from a few logins and tried to right click and select the "Generate Anti CSRF Test Form". It is always grayed out.

Could you point me in the right direction as to why? Thanks again for all of your time and support on ZAP. I really appreciate this, and have been telling as many people I can about the project. 

-Michael

Simon Bennetts

Mar 4, 2013, 7:48:37 AM3/4/13
to zaprox...@googlegroups.com
That's OK - I take any questions as an indication that either the UI is not intuitive enough or the documentation is not complete / easily discoverable :)
And publicising ZAP is a great way to pay us back :D

In this case we do have some documentation, both in the ZAP help guide and in the wiki (the bit that is generated from the help file):
http://code.google.com/p/zaproxy/wiki/HelpUiTabsSites
http://code.google.com/p/zaproxy/wiki/HelpUiTabsHistory

Both have a section which says:

Generate anti CSRF test form

This will open a URL which will give you a generated form for testing for CSRF issues.
It will only be enabled for POST requests, if the API is enabled and if Java supports the opening of URLs in a browser on your platform.

Does that make more sense now?
The latter is (I think) just a problem on Linux (but it's still annoying) - if anyone knows how to fix this let me know!
If you're not using Linux then hopefully you just need to enable the API (via the options).

And yes, this (and many other features) needs to have tutorials. Unfortunately that takes time :(
You could always write something up yourself - eg in a blog post or on the ZAP wiki ;)

Cheers,

Simon

MC

Mar 5, 2013, 9:15:53 AM3/5/13
to zaprox...@googlegroups.com

Yikes, embarrassing, it was a simple mistake, I did not have the API enabled. Thank you for the reminder on the wiki/docs and again for all of your support.

Frank Vickers

Mar 13, 2014, 11:43:58 AM3/13/14
to zaprox...@googlegroups.com
I'm having this same problem. I'm running ZAP on Ubuntu but unfortunately I'm unable to generate the CSRF form, it's greyed out. Is that only with ZAP running on Linux?

thc...@gmail.com

May 4, 2014, 10:06:12 PM5/4/14
to zaprox...@googlegroups.com
Hi.

No, it should work on any OS.

Which ZAP version are you using?

Do you have the API enabled?

In which tab are you invoking the context menu? ("Sites", "History", ...)
Is the selected request a POST? Does the request body contain any data?

Best regards.
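To make the documentation quoted by Simon and the checklist in the reply above concrete, here is an added example (not ZAP's own code) that builds a CSRF test form from a captured POST request the way the menu item does, and applies the same enablement rule: the request must be a POST with a non-empty body. The captured request and the host `target.example` are constructed for the example.

```python
"""Build an anti-CSRF test form from a captured POST request.

Added example, not ZAP's code. The generated page, when loaded from a
different origin and submitted, shows whether the endpoint accepts the
replayed parameters without a per-session token. A protected endpoint
rejects the submission; that is the expected result for your own app.
"""
from html import escape
from urllib.parse import parse_qsl

# Constructed capture for the example; not taken from the thread.
SAMPLE_REQUEST = (
    "POST http://target.example/account/update HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 34\r\n"
    "\r\n"
    "email=alice%40example.com&notify=1"
)


def parse_request(raw):
    """Split a raw HTTP request into (method, url, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, url, _version = head.split("\r\n")[0].split(" ", 2)
    return method, url, body


def can_generate(method, body):
    """Mirror of the menu's enablement rule: POST with body data only.

    (ZAP additionally requires the API to be enabled, which is a
    setting rather than a property of the request.)"""
    return method.upper() == "POST" and body.strip() != ""


def build_test_form(raw):
    """Return an HTML form that resubmits the captured parameters."""
    method, url, body = parse_request(raw)
    if not can_generate(method, body):
        raise ValueError("only POST requests with a body can be turned into a test form")
    # Escape names and values so a captured parameter cannot break out
    # of the attribute and inject markup into the generated page.
    fields = [
        '<input type="hidden" name="%s" value="%s">'
        % (escape(name, quote=True), escape(value, quote=True))
        for name, value in parse_qsl(body, keep_blank_values=True)
    ]
    return '<form method="post" action="%s">\n%s\n<input type="submit" value="Submit test">\n</form>' % (
        escape(url, quote=True), "\n".join(fields))
```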