psiinon edited this page Jun 3, 2015 · 1 revision

Anti CSRF Tokens

Anti CSRF tokens are (pseudo) random parameters used to protect against Cross Site Request Forgery (CSRF) attacks. However, they also make a penetration tester's job harder, especially if the tokens are regenerated every time a form is requested.

ZAP detects anti CSRF tokens purely by attribute (parameter) names - the list of attribute names considered to be anti CSRF tokens is configured using the Options Anti CSRF screen. When ZAP detects one of these tokens it records the token value and the URL that generated it. Other ZAP components, such as the active scanner, have options that cause ZAP to regenerate the tokens automatically when required.
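As an added illustration (not ZAP's own code), the following Python sketch mirrors the behaviour described above: detect tokens by a configurable list of attribute names, record the value together with the generating URL, and substitute the freshly recorded value into a stale request body. The token-name list, URL and HTML below are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Constructed list in the spirit of the names held on ZAP's Options Anti CSRF
# screen; it is an assumption for this example, not ZAP's shipped defaults.
ANTI_CSRF_NAMES = {"anticsrf", "csrftoken", "__requestverificationtoken",
                   "csrfmiddlewaretoken", "authenticity_token", "_csrf"}


class _FormInputParser(HTMLParser):
    """Collect <input> name/value pairs from a page."""
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)
        if a.get("name") and a.get("value") is not None:
            self.inputs.append((a["name"], a["value"]))


def detect_tokens(url, html, names=ANTI_CSRF_NAMES):
    """Return [(source_url, name, value)] for inputs whose name is on the
    token-name list. Matching is by name only (case-insensitive here)."""
    p = _FormInputParser()
    p.feed(html)
    return [(url, n, v) for n, v in p.inputs if n.lower() in names]


def regenerate_body(body, fresh_tokens):
    """Replace stale token values in a form-encoded request body with the
    values most recently recorded from the generating page."""
    latest = {n.lower(): v for _, n, v in fresh_tokens}
    params = [(k, latest.get(k.lower(), v))
              for k, v in parse_qsl(body, keep_blank_values=True)]
    return urlencode(params)


# Constructed sample page: one anti-CSRF token among ordinary fields.
SAMPLE_URL = "https://example.test/transfer"
SAMPLE_HTML = """<form method="post" action="/transfer">
  <input type="hidden" name="CSRFToken" value="a1b2c3">
  <input type="text" name="amount" value="10">
  <input type="hidden" name="session_hint" value="x">
</form>"""

if __name__ == "__main__":
    toks = detect_tokens(SAMPLE_URL, SAMPLE_HTML)
    print(toks)
    print(regenerate_body("CSRFToken=stale&amount=10", toks))
```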

See also

     UI Overview for an overview of the user interface
     Features provided by ZAP