Provide a button on the resend screen to inject a CSRF token #111

Closed
zapbot opened this issue Jun 4, 2015 · 11 comments · Fixed by #5828
Labels: Component-UI, enhancement, good first issue, IdealFirstBug, Usability

Comments

@zapbot
Contributor

zapbot commented Jun 4, 2015

It would be useful to have a button/check box that injects the CSRF token when re-sending
requests.

What is the expected output? What do you see instead?
1) A button or checkbox on the resend screen which would switch on injection of a token.
2) CSRF Token inserted into the request.

What version of the product are you using? On what operating system?
Zap version 1.3, Linux Fedora 14.

Original issue reported on code.google.com by darrengarsden on 2011-06-13 12:04:38

@zapbot
Contributor Author

zapbot commented Jun 4, 2015

Yep, this should be added in :)

Original issue reported on code.google.com by psiinon on 2011-06-13 12:06:05

  • Labels added: Type-Enhancement
  • Labels removed: Type-Defect

@zapbot
Contributor Author

zapbot commented Jun 4, 2015

1.4 candidate

Original issue reported on code.google.com by psiinon on 2011-09-17 16:30:59

  • Labels added: Priority-High
  • Labels removed: Priority-Medium

@zapbot
Contributor Author

zapbot commented Jun 4, 2015

I believe this functionality has already been addressed, has it not?

Original issue reported on code.google.com by kingthorin on 2014-06-05 00:18:52

@zapbot
Contributor Author

zapbot commented Jun 4, 2015

No.

Original issue reported on code.google.com by THC202 on 2014-06-05 01:36:53

@kingthorin added the Component-UI and IdealFirstBug labels Jun 3, 2017
@kingthorin added the good first issue label Oct 16, 2017
@kingthorin added the HacktoberFest label Oct 3, 2019
@kingthorin removed the HacktoberFest label Nov 4, 2019
@madanalogy
Contributor

Hello, I would like to work on this issue, thanks!

@psiinon
Member

psiinon commented Jan 19, 2020

@madanalogy great - go for it! What can we do to help you?

@madanalogy
Contributor

madanalogy commented Jan 19, 2020

> @madanalogy great - go for it! What can we do to help you?

I have some questions actually if you happen to have the time!

I managed to set up my dev environment on IntelliJ (Mac OS) and use gradle to run the dev build. I can see that it's different from the distributed build (e.g. no quick start or HUD). I'm new to ZAP so I guess my main problem right now is that I don't really know where to start. More specifically, I would like to clarify the original issue/request if possible:

  1. Where are requests resent? I'm assuming it's sent through the Fuzzer but this is not available in the dev build. I thought it would be in the Manual Request Editor window but I'm not sure if that's where you would go to "resend" a request.

  2. How are CSRF tokens injected normally? From what I can gather reading the user guide, ZAP just records detected anti-CSRF tokens that it encounters. I was under the impression from the original issue filed that token injection was already an available feature, and all I would have to do was find some way to make this option available from the "resend request" screen.

I want to help contribute to this project primarily because I want to learn more about web application security while honing my software engineering skills. I'm committed to seeing this through, just need to be pointed in the right direction haha

If you feel these questions would be better served via a post in the ZAP Developer Group do let me know and I'll post there! :)

@psiinon
Member

psiinon commented Jan 20, 2020

A significant part of the ZAP functionality is implemented as add-ons - the non-core ones are in the https://github.com/zaproxy/zap-extensions repo - import that and install whichever ones you need.

This issue is specifically for the Manual Request dialog - the fuzzer already supports anti CSRF tokens.
That dialog is defined in the old Paros code: https://github.com/zaproxy/zaproxy/tree/develop/zap/src/main/java/org/parosproxy/paros/extension/manualrequest
The ZAP code that handles anti CSRF tokens is: https://github.com/zaproxy/zaproxy/tree/develop/zap/src/main/java/org/zaproxy/zap/extension/anticsrf

Have a look at those classes and then ask more questions here - I'm sure you'll have some :)

@madanalogy
Contributor

I've tried to look at the code and I also read up extensively on CSRF attacks and anti-CSRF tokens. It seems this request isn't as straightforward as it seems.

I'm a bit stuck right now and I would like to share what I already know just in case I'm acting on false assumptions. From what I understand, ZAP will store any Anti-CSRF tokens it encounters with its passive scanner. This is an automated feature turned on by default.

In order to inject a token manually however, we would first need to search the list of tokens for one that matches the target URL in the HTTP message to be sent. Since the URL is manually typed in the editor box, would I need to have the button parse the message first to ensure that the site is valid and that there is already a token in ZAP's list from that site?

I couldn't see a way of doing this from within HttpSender. I tried to look at how the fuzzer implements the injection of anti-CSRF tokens but I just got even more confused. I'd appreciate any insight you have, thanks a lot for helping me so far :)

@thc202
Member

thc202 commented Jan 26, 2020

IMO the first implementation can just replace/inject the token before sending the message, like done in AbstractPlugin#sendAndReceive(HttpMessage, boolean, boolean).
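
The approach sketched in the last two comments (look up the recorded token for the site the request targets, then replace the token field in the body just before sending) as an added example; this is not ZAP code, the `RecordedToken` store is a hypothetical stand-in for what ZAP's anti-CSRF extension records, and all hosts, parameter names and token values are constructed:

```python
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit

@dataclass(frozen=True)
class RecordedToken:            # hypothetical stand-in for a recorded anti-CSRF token
    source_url: str             # page the form carrying the token was served from
    name: str                   # token parameter name
    value: str                  # most recent value seen

# Constructed sample store; names and values are invented for this example.
RECORDED = [
    RecordedToken("http://shop.example/account", "csrf_token", "fresh-token-123"),
    RecordedToken("http://other.example/login", "_csrf", "unrelated-456"),
]

def split_request(raw):
    """Split a raw HTTP/1.1 request into request line, (name, value) headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (line.partition(":") for line in header_lines)]
    return request_line, headers, body

def token_for_site(host, tokens):
    """Pick the recorded token whose source page is on the request's host."""
    for tok in tokens:
        if urlsplit(tok.source_url).netloc.lower() == host.lower():
            return tok
    return None

def inject_token(raw, tokens=RECORDED):
    """Return (request, injected). Only the form field named like the recorded token is
    replaced; requests for unknown sites or without that field pass through unchanged."""
    request_line, headers, body = split_request(raw)
    host = next((v for n, v in headers if n.lower() == "host"), "")
    tok = token_for_site(host, tokens)
    params = parse_qsl(body, keep_blank_values=True)
    if tok is None or not any(n == tok.name for n, _ in params):
        return raw, False
    new_body = urlencode([(n, tok.value if n == tok.name else v) for n, v in params])
    # Keep Content-Length consistent with the rewritten body.
    headers = [(n, str(len(new_body)) if n.lower() == "content-length" else v) for n, v in headers]
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return head + "\r\n\r\n" + new_body, True

# Constructed request as typed into a manual request editor, still carrying a stale token.
SAMPLE = ("POST /account/update HTTP/1.1\r\nHost: shop.example\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 33\r\n\r\n"
          "email=a%40b.test&csrf_token=stale")
```

The `injected` flag is what a UI button or checkbox would need in order to tell the user that no recorded token matched and the request was sent as typed.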

@thc202 thc202 added this to the 2.10.0 milestone Feb 21, 2020
@thc202 thc202 changed the title Enhancement : Provide a button on the resend screen to inject a CSRF token Provide a button on the resend screen to inject a CSRF token Feb 21, 2020
@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Jul 12, 2021

5 participants