Anti CSRF Tokens Scanner


Demetri

Nov 9, 2017, 8:40:44 AM11/9/17
to OWASP ZAP User Group
Hi,

We are using ZAP 2.6 to scan our application and receiving some high alerts from the Anti CSRF Tokens Scanner for pages on which the token is already set. They appear to be false positives.
I have added our token in ZAP at Tools-->Options-->Anti CSRF Tokens.
Also, Handle Anti-CSRF Tokens is enabled in Tools-->Options-->Active Scan.
Subsequent scans are still showing these alerts. I would like to have them removed or ignored, but I am not sure how to do this.

I've also tried setting Tools-->Options-->Rule Configurations and added rules.csrf.ignorelist, but I am still getting the same alerts reported. In the list, I added the URLs for which the alert is being reported, so I would expect those URLs to be ignored in the results.
I haven't used this "ignore" feature before. Perhaps I'm missing something?
Is there a better way to ignore false positives, or just have them removed from the generated report?

thanks,
Demetri 




Simon Bennetts

Nov 10, 2017, 12:42:38 PM11/10/17
to OWASP ZAP User Group
Can you show a sanitized HTML snippet showing the forms that contain the tokens ZAP is complaining about?
Putting the token you're using in the options should do the trick, so something strange is going on.

Cheers,

Simon

kingthorin+owaspzap

Nov 10, 2017, 1:10:48 PM11/10/17
to OWASP ZAP User Group
Were the tokens added to the options before the alerts were raised?

Demetri

Nov 10, 2017, 2:15:35 PM11/10/17
to OWASP ZAP User Group
Hi Simon,

Thanks for your response. Please check the following in case I have something wrong or missing.

Here is an example of such an alert in ZAP:


Going to that page and viewing the source, the token is highlighted:


The same token has been added in the ZAP UI:


I have enabled the Handle anti-CSRF tokens option in Active Scan.

Here is the HTML snippet containing the token:

<form action="/app/DoAction?returnUrl=https%3A%2F%2FsommeUrl%2F%3FreloadSession%3DTrue"
      method="post">

    ...

    <div class="clearfix">
    </div>
    <br />

    <input name="__RequestVerificationToken" type="hidden" value="Cwbi7hsjjF5_oyfexnm56GVTEOXuK-Kl1hDVOwp-1Q_zLGOEmnRzazOe8O857k0LstfkwpU0waFuBC7_OLLwFuwwE4nxNRmwG7U8MqYWvOG8QUJSKeKBJS5yJpc2rIh2MGss3Eg3dKFypl5_UPWdMtXEVvAGo_XHoxNZ_nJLus81" />

    <input class="xxx" type="submit" value="Ok" name="Submit" />
    <input class="yyy" type="button" value="Cancel"
           onclick="window.location.href='https://someUrl/?reloadSession=True'" />
</form>
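To make the behaviour being discussed concrete, here is an added example (not ZAP's own code and not part of the thread) of the check an anti-CSRF token scanner performs: for every POST form, look for a hidden input whose name is in the configured list of token names, and raise an alert when none is found. The sample HTML, the token names in TOKEN_NAMES, and the MyCustomToken form are all constructed for this example; ZAP's real configuration lives under Tools-->Options-->Anti CSRF Tokens, as the thread says. The point it illustrates is the one kingthorin makes: the token name must be in the configured list before the scan, otherwise a form that does carry a token is still reported.

```python
"""Minimal anti-CSRF token check over HTML forms (added example, not ZAP code)."""
from html.parser import HTMLParser

# Assumed configured token names, modelled on the thread; ZAP keeps its own
# list in Tools-->Options-->Anti CSRF Tokens. Names not in this set are unknown
# to the scanner, so forms that only carry them still produce an alert.
TOKEN_NAMES = {"__RequestVerificationToken", "csrf_token", "anticsrf"}


class FormCollector(HTMLParser):
    """Collects <form> elements and the <input> elements nested in them."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are already lower-cased by HTMLParser
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "name": a.get("name") or "",
                "type": (a.get("type") or "text").lower(),
            })

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def find_token(form, token_names):
    """Return the name of the first hidden input recognised as a token, else None."""
    for inp in form["inputs"]:
        if inp["type"] == "hidden" and inp["name"] in token_names:
            return inp["name"]
    return None


def scan_forms(html, token_names=TOKEN_NAMES):
    """Scan every POST form; GET forms are skipped because they should not mutate state."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    results = []
    for form in parser.forms:
        if form["method"] != "post":
            continue
        token = find_token(form, token_names)
        results.append({"action": form["action"], "token": token, "alert": token is None})
    return results


# Constructed sample page: the first form mirrors the thread's snippet, the second
# uses a token name that is not configured, the third is a harmless GET form.
SAMPLE_HTML = """
<form action="/app/DoAction" method="post">
  <input name="__RequestVerificationToken" type="hidden" value="constructed-token-value" />
  <input type="submit" value="Ok" name="Submit" />
</form>
<form action="/app/Other" method="POST">
  <input name="MyCustomToken" type="hidden" value="another-constructed-value" />
  <input type="submit" value="Save" />
</form>
<form action="/search" method="get">
  <input name="q" type="text" />
</form>
"""

if __name__ == "__main__":
    # Before the custom name is configured: the second form is reported.
    for r in scan_forms(SAMPLE_HTML):
        print("ALERT " if r["alert"] else "ok    ", r["action"], r["token"])
    # After adding MyCustomToken to the configured names the alert goes away;
    # that is why the name has to be in place before the scan, not after.
    for r in scan_forms(SAMPLE_HTML, TOKEN_NAMES | {"MyCustomToken"}):
        print("ALERT " if r["alert"] else "ok    ", r["action"], r["token"])
```

Running it prints an alert only for /app/Other in the first pass and none in the second, which is the difference between scanning with and without the token name configured.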

Demetri

Nov 10, 2017, 2:22:35 PM11/10/17
to OWASP ZAP User Group
Hello,

I think the tokens were added in the ZAP options before the alerts were raised, though I'm not 100% sure.
I'm assuming that is the correct order?
I can try adding them again and repeating the scan to see if it changes something.

Thanks!
Demetri

kingthorin+owaspzap

Nov 10, 2017, 4:13:58 PM11/10/17
to OWASP ZAP User Group
Yes, they need to be added first. I just wanted to ensure you weren't thinking that setting them would retroactively alter the alerts.