How does Anti CSRF Token Scanner work?


Umesh Salian

Feb 15, 2017, 6:43:16 PM
to OWASP ZAP User Group
Hello,

I would like to know how Anti CSRF token scanner is supposed to be used.

I was hoping that this scanner would identify if a form submission does not have protection against CSRF attack. But I have not been able to prove one or the other using ZAP.

Here are the 4 tests I did using a test application that had a form submission.

1) Submitted the form without any CSRF token.
2) Submitted the form WITH a hidden variable "csrfToken" but it was not populated with any value.
3) Submitted the form with a proper csrfToken (populated on the server side during page load) but did not have any validation on the server side while processing the posted form.
4) Submitted the form with a proper csrfToken and validated the token on server side.

So only test #4 had CSRF protection implemented and my hope was that Anti CSRF token scanner of ZAP would report CSRF vulnerability with tests 1-3 and would pass the check with test #4,
but when I ran the active scan, all 4 tests reported that there was NO CSRF protection.

So I am not sure I understand how the scanner is supposed to be used. Any help would be much appreciated.


Simon Bennetts

Feb 17, 2017, 7:56:52 AM
to OWASP ZAP User Group
How are you at reading code?

The source code for the active rule is here: Csrftokenscan.java
Note that there's also a passive scan rule: CSRFCountermeasures.java

There are some comments but feel free to ask if the code doesn't make any sense to you.

Cheers,

Simon

Umesh Salian

Feb 21, 2017, 2:45:05 PM
to OWASP ZAP User Group
Thanks Simon. I took a quick look at active rule source code and also ran ZAP in debug mode to look at the logs.

It appears to me that the logic in the active rule scanner is to look for a hidden variable in a form whose name and value stay the same in a form in another page, and if it finds one such variable then it reports that as the presence of a csrf token. I see a couple of issues here unless I am completely mistaken:

1) The scanner will fail and give a false negative when the scope of scan has only one form and the form has a proper csrf token in it.
2) The scanner will fail and give false negatives if the token is reset with a new value on every page visit.
3) I am not sure how the scanner works if there are multiple forms on a page with different csrf tokens.

My test application has the situation of #2 above, so I thought that was the reason why it failed. Then I hard coded the same value for csrf token on two successive pages but even then ZAP reported csrf vulnerability on both pages. From the logs I saw that my hidden variable is identified as a csrf candidate but I did not understand why the matching across two pages failed.
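The four test variants and the two kinds of check discussed in this thread, as an added example that is neither ZAP's rule code nor the poster's test application: a name-based check (the passive style) sees tests 3 and 4 alike as "has a token", while only a behavioural replay with the token stripped, which needs a live session, separates test 3 from test 4. The candidate field names in `TOKEN_FIELD_NAMES` and the in-process toy session are assumptions.

```python
import hmac
import secrets

# Constructed in-process stand-ins for the four test forms in the thread; added
# illustration, not ZAP's own rule. The candidate field names below are assumed.
TOKEN_FIELD_NAMES = {"csrftoken", "csrf_token", "anticsrf"}


def make_app(variant):
    """Return (render_form, handle_post) callables for test variant 1..4."""
    session = {}

    def render_form():
        if variant == 1:
            return {}                                   # test 1: no token field at all
        if variant == 2:
            return {"csrfToken": ""}                    # test 2: field present but empty
        session["csrfToken"] = secrets.token_urlsafe(32)  # tests 3/4: new token per page load
        return {"csrfToken": session["csrfToken"]}

    def handle_post(fields):
        if variant == 4:                                # only test 4 validates server-side
            sent = fields.get("csrfToken", "")
            expected = session.get("csrfToken", "")
            if not expected or not hmac.compare_digest(sent, expected):
                return 403
        return 200

    return render_form, handle_post


def has_token_field(fields):
    """Name-based (passive) check: is there a non-empty field with a CSRF-looking name?"""
    return any(name.lower() in TOKEN_FIELD_NAMES and value for name, value in fields.items())


def server_validates_token(render_form, handle_post):
    """Behavioural (active) check: the real submit succeeds, a token-less replay is refused."""
    fields = render_form()
    if handle_post(dict(fields)) != 200:
        return False
    replay = {k: v for k, v in fields.items() if k.lower() not in TOKEN_FIELD_NAMES}
    return handle_post(replay) != 200


def run_all():
    """Map test variant -> (token field present, token actually validated by the server)."""
    return {v: (has_token_field(make_app(v)[0]()), server_validates_token(*make_app(v)))
            for v in (1, 2, 3, 4)}
```

Only variant 4 comes back `(True, True)`; variant 3 shows why a field-name heuristic alone cannot tell an unvalidated token from a validated one.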

