My Message Processors doesn't show Anti-CSRF Token Refresher


intheside

May 25, 2021, 9:18:38 PM
to OWASP ZAP User Group
ZAP version : 2.10.0
Fuzzer version : 13.1.0
Why can't I use the Anti-CSRF Token Refresher message processor?
[Attachments: Capture.PNG, 圖片1.png]

thc...@gmail.com

May 26, 2021, 1:47:11 AM
to zaprox...@googlegroups.com
Hi.

If the processor is not shown it's because the request does not have an
anti-csrf token.

You seem to be showing the HTML page that contains the anti-csrf token
(response).

Best regards.

intheside

May 26, 2021, 2:23:09 AM
to OWASP ZAP User Group
Hi,
The request has an anti-CSRF token.
ZAP also detects it (AntiCSRF in tags).
Why doesn't the message processor show it?
[Attachment: 圖片2.png]
On Wednesday, May 26, 2021 at 1:47:11 PM UTC+8, thc202 wrote:

Simon Bennetts

May 26, 2021, 4:16:24 AM
to OWASP ZAP User Group
The token is in a URL parameter on a GET request.
It's possible that the code is just looking for them in POST bodies.

intheside

May 26, 2021, 4:43:35 AM
to OWASP ZAP User Group
Hi,
If it is a POST and the token is in the POST body, it still does not show the Anti-CSRF Token Refresher option!!
HELP :(
[Attachments: 圖片4.png, 圖片3.png]

On Wednesday, May 26, 2021 at 4:16:24 PM UTC+8, psi...@gmail.com wrote:

kingthorin+owaspzap

May 26, 2021, 9:54:49 AM
to OWASP ZAP User Group
You need to add "user_token" as a recognized Anti-CSRF Token.
[Attachment: acsrf.png]
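The two points made in the replies above (the refresher is only offered when a request parameter carries a configured anti-CSRF token name, and a name such as "user_token" must be added before it is recognized) as an added, stand-alone Python sketch. This is not ZAP's code: the token-name list, the form page and the request body are constructed for illustration, and it treats query-string and body parameters alike.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Illustrative list of recognized token names (an assumption: ZAP ships its own
# defaults, configured under Options > Anti-CSRF Tokens). "user_token" is the
# name the thread above had to add before the parameter was tagged AntiCSRF.
TOKEN_NAMES = frozenset({"csrf_token", "_csrf", "csrfmiddlewaretoken", "user_token"})


class _HiddenInputs(HTMLParser):
    """Collect name=value pairs from <input type="hidden"> fields in a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def recognized_tokens(encoded_params, token_names=TOKEN_NAMES):
    """Names of parameters (query string or form body) that match a recognized
    anti-CSRF token name. An empty list means no token, so no refresher is offered."""
    return [n for n, _ in parse_qsl(encoded_params, keep_blank_values=True) if n in token_names]


def refresh_tokens(encoded_params, fresh_page_html, token_names=TOKEN_NAMES):
    """Replace each recognized token in the request with the value found in a
    freshly fetched copy of the form, leaving every other parameter untouched."""
    parser = _HiddenInputs()
    parser.feed(fresh_page_html)
    refreshed = []
    for name, value in parse_qsl(encoded_params, keep_blank_values=True):
        if name in token_names and name in parser.fields:
            value = parser.fields[name]
        refreshed.append((name, value))
    return urlencode(refreshed)


# Constructed sample data: a stale login POST body and the form page the
# refresher would re-fetch to obtain the server's current token.
STALE_BODY = "username=alice&password=secret&user_token=aaaa1111"
FRESH_FORM = ('<form method="post" action="login.php">'
              '<input type="hidden" name="user_token" value="bbbb2222">'
              '<input type="text" name="username"></form>')
```

With "user_token" absent from the name list, `recognized_tokens` returns an empty list for the same body, which is the situation the thread started from.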

intheside

May 26, 2021, 8:05:22 PM
to OWASP ZAP User Group
Hi,
Sure, I added the token name "user_token" there.
Otherwise, it will not be tagged as AntiCSRF.
[Attachment: 圖片5.png]

On Wednesday, May 26, 2021 at 9:54:49 PM UTC+8, kingthorin+owaspzap wrote: