how to configure ZAP to bypass csrf tokens in spider attack


Neena

Nov 18, 2015, 5:03:55 PM
to OWASP ZAP User Group
Hi,
I'm testing a Django app on localhost using ZAP as a proxy. I have added authentication in the context as form-based. The problem is that Django generates CSRF tokens for the login form and ZAP puts this info into the Login Request POST data field.

When I run the spider I get these alerts:


So how can I have ZAP bypass the CSRF tokens or take the newly generated one?

Thanks..

ryerson...@gmail.com

Nov 19, 2015, 11:36:35 AM
to OWASP ZAP User Group
I got the same issue :)

Simon Bennetts

Nov 20, 2015, 8:19:57 AM
to OWASP ZAP User Group
OK, so it's not a 'simple' form-based authentication then.
I'd try recording a Zest authentication script.
Make sure that the anti-CSRF token is configured in ZAP, then start recording the script and make sure you go to the page that generates the token first.
You can run Zest auth scripts on their own - try that and see if the authentication actually works.
Then we can look into using it for the spider and scanning :)

Cheers,

Simon

Neena

Nov 20, 2015, 12:07:50 PM
to OWASP ZAP User Group
Ok I'll give it a shot. Thanks!

Xavi

Sep 1, 2018, 3:00:56 AM
to OWASP ZAP User Group
Neena, did Simon's suggestion work? I am facing the same issue :(

Zabee

Sep 4, 2018, 2:05:29 AM
to OWASP ZAP User Group

The recorded Zest script is not working. It is throwing errors.

[Attachment: ZEST Script login recording output.png]



Zabee

Sep 4, 2018, 2:18:56 AM
to OWASP ZAP User Group
The target web application is a single page app. Also, only one session service to handle login and logout.

Simon Bennetts

Sep 4, 2018, 3:15:05 AM
to OWASP ZAP User Group
Right click on the first failing line and compare the request and response with the original.
Where is the anti-CSRF token used?
If it's in the first POST request then you'll have started recording the script too late; the script needs to know where to get the CSRF token from, which is often the result of a GET request.

Zabee

Sep 4, 2018, 5:25:21 AM
to OWASP ZAP User Group
Thanks for the information.
This time I started recording before opening the browser itself and stopped as soon as I logged in to the target application.

The headers below are extra in comparison to the original request:
Host: <host>
Cookie: <cookie name and value>

The response comparison shows that the original response has "OK" followed by the proper response contents, and the response from the Zest script run has something like this: //EX[x,x,["com.google.gwt.user.client.rpc.RpcTokenException/xxxxxxxxxxxx","Invalid RPC token (Invalid XSRF token)"],x,x]


hauschu...@gmail.com

Sep 6, 2018, 7:15:25 AM
to OWASP ZAP User Group
Hello!

Could you post a screenshot of the Zest script responses/errors you are seeing?

One thing to know is that the Zest recording will at first hardcode any unique session identifiers and tokens, so you will have to manually edit the Zest script in order to set the proper elements as variables.  

Zabee

Sep 7, 2018, 6:34:57 AM
to zaprox...@googlegroups.com
Thanks for the reply. I got this sorted out. Assigned the values as a regex and used them in the subsequent request.

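A worked illustration of the fix hauschu and Zabee describe (editing the recording so the token comes from a variable filled by a regex assignment instead of the hard-coded value the recorder captured), added here and not taken from the thread or from ZAP's own code: a Python rewrite of a constructed, trimmed recording of a Django login. The Zest JSON field names (ZestAssignRegexDelimiters with variableName, location, prefix and postfix) are as I recall the Zest schema and should be checked against a script ZAP actually records; the URL, token value and credentials are made up.

```python
import json
import re

# Constructed stand-in for a recorded Zest authentication script, trimmed to the
# two statements that matter: the GET that serves the Django login form and the
# POST that submits it with the token value the recorder captured as a literal.
RECORDED_SCRIPT = {
    "title": "django-login",
    "type": "Authentication",
    "statements": [
        {"elementType": "ZestRequest", "index": 1, "method": "GET",
         "url": "http://localhost:8000/accounts/login/", "data": ""},
        {"elementType": "ZestRequest", "index": 2, "method": "POST",
         "url": "http://localhost:8000/accounts/login/",
         "data": "csrfmiddlewaretoken=STALE1234&username=neena&password=secret"},
    ],
}

TOKEN_FIELD = "csrfmiddlewaretoken"   # Django's form field name
VAR_NAME = "csrftoken"                # Zest variable, referenced as {{csrftoken}}


def parameterise_csrf(script: dict) -> dict:
    """Return a copy of the script where the first POST carrying the CSRF field
    reads its value from a variable that a regex assignment fills from the
    response to the preceding request, instead of the hard-coded recorded value."""
    out = json.loads(json.dumps(script))   # deep copy; the recording is untouched
    stmts = out["statements"]
    for pos, stmt in enumerate(stmts):
        if stmt.get("elementType") != "ZestRequest" or stmt.get("method") != "POST":
            continue
        m = re.search(TOKEN_FIELD + r"=([^&]*)", stmt.get("data", ""))
        if not m or pos == 0:   # no token, or nothing before it to extract from
            continue
        # 1. The POST now references the variable rather than the stale literal.
        stmt["data"] = stmt["data"].replace(m.group(0), TOKEN_FIELD + "={{" + VAR_NAME + "}}")
        # 2. An assignment placed just before the POST (so it sees the GET's response)
        #    pulls the token out of the HTML between the two delimiters.
        #    Field names follow the Zest JSON schema as I recall it (assumed).
        assign = {
            "elementType": "ZestAssignRegexDelimiters",
            "variableName": VAR_NAME,
            "location": "BODY",
            "prefix": 'name="' + TOKEN_FIELD + '" value="',
            "postfix": '"',
        }
        stmts.insert(pos, assign)
        break
    for i, s in enumerate(stmts, start=1):   # renumber so the statement order stays valid
        s["index"] = i
    return out
```

Load the rewritten dict back into ZAP (or compare it against a script you edited by hand in the Zest editor) and run it on its own first, as Simon suggests, before attaching it to the context for the spider and scanner.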

hauschu...@gmail.com

Sep 7, 2018, 7:40:35 AM
to OWASP ZAP User Group
Great!