How to do CSRF testing with ZAP?


skzaproxy
Apr 28, 2016, 6:26:58 AM
to OWASP ZAP User Group
Please let me know how to perform CSRF testing with ZAP API?

Regards

Simon Bennetts
Apr 28, 2016, 6:53:49 AM
to OWASP ZAP User Group
If you want to use the API then I'm assuming you want to do automated testing rather than manual.
In that case it's just like testing for any other vulnerabilities, but just focusing on CSRFs.

I think it's always easier to start by using the ZAP UI, even if you want to use the API in the end.
The first thing you need to do is explore your app.
Do you have regression tests you can proxy through ZAP?
If not you'll need to use the spider and/or ajax spider.
Does your app use authentication?
If so you'll need to handle that one way or another.

Having explored your app, the passive scan rule "Absence of Anti-CSRF Tokens" will have been used - has this reported any problems?
That might be all you need.

However we also have a beta active scan rule which does more testing: "Anti CSRF Tokens Scanner"
You can run an active scan with just this rule enabled.

Cheers,

Simon
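The sequence Simon outlines (explore with the spider, let the passive rule "Absence of Anti-CSRF Tokens" run, then active-scan with only the "Anti CSRF Tokens Scanner" enabled, and read back the alerts) can be driven through ZAP's JSON REST API. The script below is an added example and is not code from the ZAP project or from anyone in this thread. It assumes a ZAP instance listening on http://127.0.0.1:8080 with an API key, a placeholder target URL, and the scan rule ids 10202 (passive "Absence of Anti-CSRF Tokens") and 20012 (active "Anti-CSRF Tokens Scanner"); check those ids against `/JSON/pscan/view/scanners/` and `/JSON/ascan/view/scanners/` in your own version, and handle authentication through a ZAP context as Simon suggests.

```python
"""Drive the CSRF checks described above through the ZAP REST API.

Added example, not code from the ZAP project or this thread. Assumptions:
  * ZAP is running with its API on http://127.0.0.1:8080 (ZAP_BASE),
  * TARGET is a placeholder for the in-scope application under test,
  * rule ids 10202 ("Absence of Anti-CSRF Tokens", passive) and
    20012 ("Anti-CSRF Tokens Scanner", active) match your ZAP version;
    confirm via /JSON/pscan/view/scanners/ and /JSON/ascan/view/scanners/.
Authentication is left to a ZAP context and not configured here.
"""
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8080"   # assumed ZAP API address
API_KEY = "change-me"                # assumed; set to your ZAP API key
TARGET = "http://target.example/"    # placeholder application under test

PASSIVE_CSRF_RULE = "10202"  # Absence of Anti-CSRF Tokens (passive rule)
ACTIVE_CSRF_RULE = "20012"   # Anti-CSRF Tokens Scanner (beta active rule)
CSRF_RULES = {PASSIVE_CSRF_RULE, ACTIVE_CSRF_RULE}


def api_url(base, component, kind, name, params=None):
    """Build a ZAP JSON API URL: <base>/JSON/<component>/<action|view>/<name>/?..."""
    query = urllib.parse.urlencode(params or {})
    url = f"{base.rstrip('/')}/JSON/{component}/{kind}/{name}/"
    return f"{url}?{query}" if query else url


def zap(component, kind, name, **params):
    """Call one API endpoint, authenticating with the X-ZAP-API-Key header."""
    url = api_url(ZAP_BASE, component, kind, name, params)
    req = urllib.request.Request(url, headers={"X-ZAP-API-Key": API_KEY})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def csrf_alerts(alerts_response):
    """Keep only alerts raised by the two CSRF rules, as (ruleId, url, param)."""
    return sorted(
        (a["pluginId"], a["url"], a.get("param", ""))
        for a in alerts_response.get("alerts", [])
        if a.get("pluginId") in CSRF_RULES
    )


def wait_for(poll, done, every=2):
    """Poll an API view until the done() predicate accepts its response."""
    while not done(poll()):
        time.sleep(every)


def run():
    # 1. Explore: spider the target so the passive scanner sees every form.
    scan_id = zap("spider", "action", "scan", url=TARGET, recurse="true")["scan"]
    wait_for(lambda: zap("spider", "view", "status", scanId=scan_id),
             lambda r: r["status"] == "100")
    # 2. Let passive scanning drain; rule 10202 fires on forms lacking a token.
    wait_for(lambda: zap("pscan", "view", "recordsToScan"),
             lambda r: r["recordsToScan"] == "0")
    # 3. Active scan with only the Anti-CSRF Tokens Scanner enabled.
    zap("ascan", "action", "disableAllScanners")
    zap("ascan", "action", "enableScanners", ids=ACTIVE_CSRF_RULE)
    ascan_id = zap("ascan", "action", "scan", url=TARGET, recurse="true")["scan"]
    wait_for(lambda: zap("ascan", "view", "status", scanId=ascan_id),
             lambda r: r["status"] == "100")
    # 4. Collect and report the CSRF findings.
    findings = csrf_alerts(zap("core", "view", "alerts", baseurl=TARGET))
    for rule, url, param in findings:
        print(f"rule {rule}: {url} param={param!r}")
    return findings


# Constructed sample of a core/view/alerts response, for offline checking.
SAMPLE_ALERTS = {"alerts": [
    {"pluginId": "10202", "alert": "Absence of Anti-CSRF Tokens",
     "risk": "Low", "url": "http://target.example/profile", "param": ""},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "url": "http://target.example/", "param": "X-Content-Type-Options"},
    {"pluginId": "20012", "alert": "Anti-CSRF Tokens Scanner",
     "risk": "High", "url": "http://target.example/profile", "param": "csrf_token"},
]}

if __name__ == "__main__":
    run()
```

Running `run()` against a live ZAP performs the whole workflow and returns the CSRF findings; `csrf_alerts` is kept separate so the alert filtering can be checked offline against the constructed sample. Disabling all active rules and re-enabling only 20012 is the API equivalent of Simon's "run an active scan with just this rule enabled".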

Dulanja Liyanage
May 22, 2016, 3:27:26 AM
to OWASP ZAP User Group

Hi Simon,

I'm using ZAP 2.4.3 (on Windows 7 64-bit) and trying to scan an application for CSRF from the UI. I still couldn't find out how to get it done.

There's no "Absence of Anti-CSRF Tokens" rule in Passive Scan Rules, and there's no "Anti CSRF Tokens Scanner" in Active Scan Rules. I have attached a couple of screenshots of the rules I have - all came by default, nothing changed by me.

I'm probably looking at the wrong place. Appreciate your help on this!

Cheers,
Dulanja
Attachments: passive-scan-rules.JPG, active-scan-rules.JPG

kingthorin+owaspzap
May 22, 2016, 5:54:45 AM
to OWASP ZAP User Group
Visit the Marketplace:
https://github.com/zaproxy/zap-extensions/wiki/images/zap-screenshot-browse-addons.png

Install the alpha and beta, active and passive scan add-ons.

Dulanja Liyanage
May 22, 2016, 9:10:30 AM
to OWASP ZAP User Group
Hey, thanks a lot! Now I have those options :) Will try with them and see.

laksh
Nov 15, 2018, 1:17:00 PM
to OWASP ZAP User Group
Hi

I am trying to test CSRF using ZAP's latest version. As suggested, I installed the alpha and beta active and passive scan add-ons. However, I am unable to see the CSRF option under the passive scanner rules. Attached the file.

Please suggest.


Attachment: csrfrule.png

kingthorin+owaspzap
Nov 15, 2018, 2:49:31 PM
to OWASP ZAP User Group
I bet you installed the alpha and beta active scan rules, not the passive ones :)

laksh
Nov 16, 2018, 12:10:06 AM
to OWASP ZAP User Group
Thank you for guiding me. Yes, the passive scan rules add-on installation was missing. After installing the add-on, I am able to see it.