Absence of Anti-CSRF Tokens when CSRFToken is in HTML head script before body.


Yong Park
Apr 29, 2026, 4:14:11 AM
to ZAP User Group
Hello!
Absence of Anti-CSRF Tokens alert when the CSRFToken is in an HTML head script before the body.
ZAP doesn't detect the CSRFToken. Could it be a false positive?
The code is as follows.

<script>
.....
window.addEventListener('load', function() {
// Find all form elements on the page
const forms = document.getElementsByTagName('form');

// Define the prefix to add and the path to match.
const elementName = 'CSRFToken';
const elementValue = 'gdommjf84j7amhnn';
.....
</script>
<script language="javascript">
.....
<body>
.....

Simon Bennetts
May 6, 2026, 9:52:44 AM
to ZAP User Group
Hiya,

Yes, this will be a false positive.
The passive scan rule which checks for anti-CSRF tokens just looks at the HTML so cannot see that a token has been set up in a script.

Cheers,

Simon
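To make the distinction in Simon's answer concrete, here is an added example (not code from the thread, and not ZAP's own rule implementation) that mimics what a passive, HTML-only check sees. It scans the raw response body for forms that lack a hidden input with a known token name, then applies the same kind of load-time injection as the original post to show that the token only exists after script execution. The token name list, both page variants, the token value and the helper names are constructed for the example.

```javascript
// Added example: why a passive HTML-only anti-CSRF check cannot see a token
// that a script adds to forms at load time. Not the ZAP rule's real code.

// Token parameter names the check recognises (constructed list; 'CSRFToken'
// is the name used in the original post). Compared case-insensitively.
const TOKEN_NAMES = ['csrftoken', 'anticsrf', '_csrf', 'authenticity_token'];

// Extract the name attribute of a single <input ...> tag, or null.
function inputName(tag) {
  const m = tag.match(/\bname\s*=\s*["']?([^"'\s>]+)/i);
  return m ? m[1] : null;
}

// HTML-only scan over the raw response body, the way a passive scanner works:
// no script is executed, so only markup that the server actually sent counts.
// Returns the indexes of <form> blocks that contain no recognised token input.
function formsWithoutToken(html) {
  const forms = html.match(/<form\b[^>]*>[\s\S]*?<\/form>/gi) || [];
  const missing = [];
  forms.forEach((form, i) => {
    const inputs = form.match(/<input\b[^>]*>/gi) || [];
    const hasToken = inputs.some(tag => {
      const name = inputName(tag);
      return name !== null && TOKEN_NAMES.includes(name.toLowerCase());
    });
    if (!hasToken) missing.push(i);
  });
  return missing;
}

// Approximates what the page's own load handler does in the browser: append a
// hidden token input to every form. Applied to the markup string here only so
// the "after script ran" state can be compared with the raw response.
function injectTokenAtLoad(html, name, value) {
  const hidden = `<input type="hidden" name="${name}" value="${value}">`;
  return html.replace(/<\/form>/gi, hidden + '</form>');
}

// Variant 1 (constructed): token is added by a script in <head>, as in the post.
const SCRIPT_INJECTED = `
<html><head>
<script>
window.addEventListener('load', function () {
  const forms = document.getElementsByTagName('form');
  const elementName = 'CSRFToken';
  const elementValue = 'EXAMPLE_TOKEN_VALUE'; // placeholder, not a real token
  for (const form of forms) {
    const input = document.createElement('input');
    input.type = 'hidden';
    input.name = elementName;
    input.value = elementValue;
    form.appendChild(input);
  }
});
</script>
</head><body>
<form method="post" action="/transfer">
  <input name="amount">
  <button type="submit">Send</button>
</form>
</body></html>`;

// Variant 2 (constructed): the same token rendered by the server into the form.
const SERVER_RENDERED = `
<html><body>
<form method="post" action="/transfer">
  <input type="hidden" name="CSRFToken" value="EXAMPLE_TOKEN_VALUE">
  <input name="amount">
  <button type="submit">Send</button>
</form>
</body></html>`;

// Raw response as the scanner sees it: the script-injected page looks token-less.
console.log('script-injected, raw HTML:', formsWithoutToken(SCRIPT_INJECTED));   // [0]
console.log('server-rendered, raw HTML:', formsWithoutToken(SERVER_RENDERED));   // []
// After the load handler has run in a browser, the form would carry the token,
// but a passive rule never sees this state.
console.log('script-injected, post-load DOM:',
  formsWithoutToken(injectTokenAtLoad(SCRIPT_INJECTED, 'CSRFToken', 'EXAMPLE_TOKEN_VALUE'))); // []
```

The first call reports the form as missing a token even though the page will have one once the script has run, which is exactly the false positive described above; the second shows that a server-rendered hidden input is visible in the raw response and would not trigger the alert. If the alert is unwanted, rendering the hidden input server-side (or telling ZAP the token name through its Anti-CSRF Tokens options) addresses the root cause rather than just the report.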