How to get anti csrf token and something variable from response manually


Asker

Oct 2, 2023, 6:12:37 AM10/2/23
to ZAP User Group
Hello!

Can you help me with getting the anti-CSRF token from a response?
I'm using a Zest script, and in my case the anti-CSRF token in the response looks like:

<!doctype html>
...
<meta name="_csrf" content="xxxxx-xxx-xxx">

...

How can I get it and use it in following requests?
The default anti-CSRF settings don't work.

And a more general question: how can I use some variable from a response in certain following requests?

Thank you.

Simon Bennetts

Oct 2, 2023, 8:53:08 AM10/2/23
to ZAP User Group
Hiya,

The default anti-CSRF settings will only work with "standard" anti-CSRF tokens, i.e. ones supported by HTML.
I'm pretty sure the meta tag is not a "standard" - I think your app will be using JavaScript to access it.

In Zest you can assign response values to variables.
So if 'name="_csrf" content="' only appears once in your doc then you can use "Assign variable via string delimiters" and use that string as the start and a single double quote as the end.

Is this for manual testing or for automation?
If it's for automation (inc. spidering and active scanning) then things might get a bit more complicated.

Cheers,

Simon
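The delimiter approach described in this answer, as an added example that is not from the thread or from ZAP/Zest itself: a plain-Python model of what "Assign variable via string delimiters" does, run on a constructed page shaped like the asker's, with checks for a missing or non-unique delimiter. The header name X-CSRF-TOKEN and the _csrf_header meta tag are assumptions, not from the thread.

```python
from typing import Dict, Optional

# Constructed sample response body, modelled on the asker's snippet.
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta charset="utf-8">
<meta name="_csrf" content="a1b2c3d4-ee55-4f66-8899-aabbccddeeff">
<meta name="_csrf_header" content="X-CSRF-TOKEN">
</head><body>login form ...</body></html>
"""

# Delimiters from the answer above: the text just before the token and
# the closing double quote just after it.
CSRF_PREFIX = 'name="_csrf" content="'
CSRF_POSTFIX = '"'


def extract_between(text: str, prefix: str, postfix: str) -> Optional[str]:
    """Value between the first `prefix` and the next `postfix`, or None if
    a delimiter is missing, so a failed extraction is visible instead of
    an empty string being sent silently in the next request."""
    start = text.find(prefix)
    if start == -1:
        return None
    start += len(prefix)
    end = text.find(postfix, start)
    if end == -1:
        return None
    return text[start:end]


def prefix_is_unique(text: str, prefix: str) -> bool:
    """Precondition from the answer: the prefix should occur exactly once,
    otherwise a first-match rule may pick up the wrong element."""
    return text.count(prefix) == 1


def followup_headers(html: str, cookie: str) -> Dict[str, str]:
    """Headers for the next request: the session cookie plus the token.
    The header name comes from the _csrf_header meta tag when present;
    the fallback name X-CSRF-TOKEN is an assumption, not from the thread."""
    if not prefix_is_unique(html, CSRF_PREFIX):
        raise ValueError("CSRF prefix is not unique; choose a longer delimiter")
    token = extract_between(html, CSRF_PREFIX, CSRF_POSTFIX)
    if token is None:
        raise ValueError("CSRF token not found in response")
    name = extract_between(html, 'name="_csrf_header" content="', '"') or "X-CSRF-TOKEN"
    return {"Cookie": cookie, name: token}
```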

Test Testov

Oct 3, 2023, 9:28:47 AM10/3/23
to zaprox...@googlegroups.com
Thank you, it works.

Yes, it's for automation, and this way works for getting the auth header too, but only if I mark the headers in every following request like {{var_auth_header}} and {{var_anti_csrf}}. But that is impossible for scanning.

How do I automatically replace these headers? Can I set a global variable or another parameter to use for replacing a specific header or parameter in scan requests?

Thanks a lot.

Mon, 2 Oct 2023 at 15:53, Simon Bennetts <psi...@gmail.com>:

Simon Bennetts

Oct 3, 2023, 9:51:09 AM10/3/23
to ZAP User Group
OK, so ZAP can successfully authenticate and detect the session handling?
But you still need to add additional headers in order to explore and attack your app?
Where are the values needed for these headers created?

Cheers,

Simon

Test Testov

Oct 3, 2023, 10:24:03 AM10/3/23
to zaprox...@googlegroups.com
In my case, most requests have two authentication headers: "Cookie" and the token header "auth_ID". I can get both of them with the authentication script using "assign variable via regex delimiters". But I don't know how to use them with scanning. Maybe I should use them in Session Management in the Context? Or should I set up the Replacer with (global) variables?


Tue, 3 Oct 2023 at 16:51, Simon Bennetts <psi...@gmail.com>:

Simon Bennetts

Oct 3, 2023, 10:30:39 AM10/3/23
to ZAP User Group
Can you try Authentication Autodetection?
If that works then it might solve some or all of your problems :)

If not we do have a set of options for replacing headers, but detecting and extracting the right values to use later will be key.

Cheers,

Simon

Test Testov

Oct 4, 2023, 7:59:00 AM10/4/23
to zaprox...@googlegroups.com
Hello!

No, auth auto-detection doesn't work with the custom header authid. It doesn't change. Maybe this header needs to be replaced automatically and cookies used too.
Is it possible if I choose cookie-based auth and turn on the Replacer? How do I put the auth token from the authentication script into the Replacer?

Thanks.

Tue, 3 Oct 2023 at 17:30, Simon Bennetts <psi...@gmail.com>:

Simon Bennetts

Oct 9, 2023, 11:05:19 AM10/9/23
to ZAP User Group