Anti-CSRF token not detected in Authentication


Hector Uriostegui

Oct 18, 2021, 12:39:26 PM
to OWASP ZAP User Group
I'm attempting Form Based authentication on https://wmx.staging.benchprep.com/login using ZAP 2.11.0

I've set up my Authentication Session Properties properly including the Login Request POST data, set the username and password parameters and also the Regex for logged out identifier. I've also set up a Forced User with the correct credentials. 
Authentication.jpeg

When I attempt to access https://wmx.staging.benchprep.com/login with the forced user enabled, I see an attempted authentication in the History log of ZAP. I see a GET and then a POST followed by another GET for the login page which seems unusual. The request for the POST appears to be passing in the correct username and password credentials. The forced user does not actually get logged in on screen.

ZAP-History.jpeg

I paired with a developer within my organization to attempt to troubleshoot this issue. After troubleshooting for a bit and checking the logs in the backend we believe that ZAP is failing to detect our authenticity_token that is also passed in on the POST data. ZAP should be able to detect this anti-CSRF token and sub in the current one for the forced user to use. Instead, it appears that ZAP continues to pass in the same authenticity_token that was used to set up Form Based Auth Login Request. Thus, our site is failing to log in. 

staging-log.jpeg

We attempted to do some troubleshooting with the Fuzz tool, but we were not able to find any changes to make that weren't already applied. So we ultimately believe we may have found a bug here with Anti-CSRF tokens. 

Thanks,
Hector
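The failure described above comes down to a sequencing rule: a form-based login on a site that uses a per-session anti-CSRF token only succeeds if the scanner first fetches the login page, reads the current `authenticity_token` out of the hidden form field, and posts that value with the credentials; replaying the token captured while the login request was being configured will be rejected. The following is an added example written for this thread, not ZAP's code and not the site in question. It uses a constructed stand-in server (the field names `user[email]` and `user[password]`, the test account, and the rule that the token is bound to the session cookie are all assumptions) to contrast the correct refresh-then-post flow with the replay-the-recorded-POST flow.

```python
import secrets
from html.parser import HTMLParser


class LoginServer:
    """Constructed stand-in for a form-based login that binds an anti-CSRF
    token to the session cookie. Not ZAP and not the site from the thread."""

    def __init__(self, users):
        self.users = users   # username -> password (constructed test accounts)
        self.tokens = {}     # session cookie -> authenticity_token the server expects

    def get_login_page(self, cookie=None):
        """GET /login: start a session if needed and render the form with a fresh token."""
        if cookie is None or cookie not in self.tokens:
            cookie = secrets.token_hex(8)
        token = secrets.token_urlsafe(16)
        self.tokens[cookie] = token
        html = (
            '<form method="post" action="/login">'
            f'<input type="hidden" name="authenticity_token" value="{token}"/>'
            '<input type="text" name="user[email]"/>'
            '<input type="password" name="user[password]"/>'
            '</form>'
        )
        return cookie, html

    def post_login(self, cookie, form):
        """POST /login: reject unless the submitted token matches this session's token,
        then check the credentials. Returns (redirect_target, reason)."""
        expected = self.tokens.get(cookie)
        submitted = form.get("authenticity_token", "")
        if expected is None or not secrets.compare_digest(submitted, expected):
            return ("/login", "invalid authenticity token")
        if self.users.get(form.get("user[email]")) != form.get("user[password]"):
            return ("/login", "bad credentials")
        return ("/dashboard", "logged in")


class HiddenInputParser(HTMLParser):
    """Collect <input type="hidden"> name/value pairs, which is what a scanner
    must do before it can re-post a form with the server's current token."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_hidden_fields(html):
    parser = HiddenInputParser()
    parser.feed(html)
    parser.close()
    return parser.fields


def record_setup_post(server, username, password):
    """Simulate the login request captured while configuring form-based auth:
    one GET for the page, then the POST body including that page's token."""
    _cookie, page = server.get_login_page()
    form = extract_hidden_fields(page)
    form["user[email]"] = username
    form["user[password]"] = password
    return form


def login_refreshing_token(server, username, password):
    """Correct flow: fetch the login page, read the current token, post it."""
    cookie, page = server.get_login_page()
    form = extract_hidden_fields(page)
    form["user[email]"] = username
    form["user[password]"] = password
    return server.post_login(cookie, form)


def login_replaying_recorded_post(server, recorded_form):
    """The sequence seen in the thread: a fresh GET (new session, new token)
    followed by a POST that still carries the token recorded at setup time."""
    cookie, _page = server.get_login_page()
    return server.post_login(cookie, dict(recorded_form))


if __name__ == "__main__":
    srv = LoginServer({"tester@example.com": "s3cret"})
    recorded = record_setup_post(srv, "tester@example.com", "s3cret")
    print(login_replaying_recorded_post(srv, recorded))          # ('/login', 'invalid authenticity token')
    print(login_refreshing_token(srv, "tester@example.com", "s3cret"))  # ('/dashboard', 'logged in')
```

The replay case fails even with correct credentials because the token check runs first and the recorded token belongs to a session the server no longer associates with the new cookie. When debugging this in a proxy, compare the `authenticity_token` in the GET response body with the one in the following POST: if they differ, the scanner is not substituting the current token, which is the same comparison the original poster made against the backend logs.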

kingthorin+owaspzap

Oct 18, 2021, 2:12:23 PM
to OWASP ZAP User Group
You probably need to add "authenticity_token" as a known anti-csrf token in the options panel.

Also to use Forced User mode in troubleshooting you want to try to access a page that requires auth, while proxying through ZAP, and you should be automatically logged in.

Hector Uriostegui

Oct 18, 2021, 2:50:11 PM
to OWASP ZAP User Group
Thanks for following up so quickly. "authenticity_token" is already listed as a known anti-csrf token. I've also removed and re-added this just to make sure. Also, I am accessing the login page which requires auth. As you can see in my screenshot on my last message, an auth attempt is made.

authenticity_token.jpeg

Hector Uriostegui

Nov 4, 2021, 10:45:30 AM
to OWASP ZAP User Group
I'm following up to see if there are any updates on this. I'm still experiencing the same issue. I've attempted to log in with a forced user on the latest ZAP Weekly 11/01. I continue to see the same Authenticity Token being used in POST data for every login attempt. Looks like ZAP is not grabbing the current one for the login attempt and instead continues to use the same one used when setting up the Form Based Auth Login Request.

Appreciate any help on this. 