Provide a button on the resend screen to inject a CSRF token #111
Comments
Hello, I would like to work on this issue, thanks!

@madanalogy great - go for it! What can we do to help you?
I have some questions actually if you happen to have the time! I managed to set up my dev environment on IntelliJ (Mac OS) and use Gradle to run the dev build. I can see that it's different from the distributed build (e.g. no quick start or HUD). I'm new to ZAP so I guess my main problem right now is that I don't really know where to start. More specifically, I would like to clarify the original issue/request if possible:

I want to help contribute to this project primarily because I want to learn more about web application security while honing my software engineering skills. I'm committed to seeing this through, just need to be pointed in the right direction haha. If you feel these questions would be better served via a post in the ZAP Developer Group do let me know and I'll post there! :)
A significant part of the ZAP functionality is implemented as add-ons - the non-core ones are in the https://github.com/zaproxy/zap-extensions repo - import that and install whichever ones you need. This issue is specifically for the Manual Request dialog - the fuzzer already supports anti-CSRF tokens. Have a look at those classes and then ask more questions here - I'm sure you'll have some :)
I've tried to look at the code and I also read up extensively on CSRF attacks and anti-CSRF tokens. It seems this request isn't as straightforward as it seems. I'm a bit stuck right now and I would like to share what I already know just in case I'm acting on false assumptions. From what I understand, ZAP will store any anti-CSRF tokens it encounters with its passive scanner. This is an automated feature turned on by default. In order to inject a token manually, however, we would first need to search the list of tokens for one that matches the target URL in the HTTP message to be sent. Since the URL is manually typed in the editor box, would I need to have the button parse the message first to ensure that the site is valid and that there is already a token in ZAP's list from that site? I couldn't see a way of doing this from within
IMO the first implementation can just replace/inject the token before sending the message, like done in
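A sketch of the lookup-then-replace flow the two comments above describe, added here as an illustration in Python rather than ZAP's own Java. The token store, the same-origin match, the raw-request parsing and the sample data are all constructed for this example and are not ZAP's classes or API.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl, urlencode

@dataclass
class AntiCsrfToken:  # constructed model of a recorded token, not ZAP's own class
    name: str        # form field name the site uses, e.g. "csrf_token"
    value: str       # value seen in the response
    source_url: str  # URL of the response the token came from

def same_origin(a: str, b: str) -> bool:
    # A token is only good for the site that issued it: match scheme, host and port
    # (explicit default ports such as ":443" are not normalized here).
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)

def target_url(request: str, scheme: str = "https") -> str:
    # Rebuild the absolute target URL from the request line and Host header of a raw request.
    head = request.partition("\r\n\r\n")[0].split("\r\n")
    _method, path, _version = head[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in head[1:])}
    return f"{scheme}://{headers.get('host', '')}{path}"

def find_token(target: str, tokens: list):
    # Most recently recorded token from the same origin, or None if none has been seen for it.
    for tok in reversed(tokens):
        if same_origin(tok.source_url, target):
            return tok
    return None

def inject_token(request: str, tokens: list, scheme: str = "https"):
    # Replace a stale anti-CSRF field (or add a missing one) in a urlencoded body before sending.
    # Returns (request_to_send, token_used); token_used is None when no stored token matches.
    head, sep, body = request.partition("\r\n\r\n")
    tok = find_token(target_url(request, scheme), tokens)
    if tok is None:
        return request, None  # nothing recorded for this site: send unchanged, let the UI say so
    params = dict(parse_qsl(body, keep_blank_values=True))
    params[tok.name] = tok.value  # overwrite a stale value or inject the field if absent
    new_body = urlencode(params)
    head = re.sub(r"(?im)^content-length:[^\r\n]*", f"Content-Length: {len(new_body)}", head)
    return head + sep + new_body, tok  # Content-Length now matches the rewritten body

# Constructed sample: two tokens recorded for shop.example (the later one is current)
# and a hand-typed POST to that site carrying a stale token value.
STORED_TOKENS = [
    AntiCsrfToken("csrf_token", "old111", "https://shop.example/account"),
    AntiCsrfToken("csrf_token", "fresh222", "https://shop.example/account"),
]
MANUAL_REQUEST = ("POST /account/email HTTP/1.1\r\nHost: shop.example\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 39\r\n\r\n"
                  "email=me%40example.com&csrf_token=stale")
```

Running `inject_token(MANUAL_REQUEST, STORED_TOKENS)` swaps in the most recent token for the site; a request to a host with no recorded token comes back unchanged with `None`, which is the "no token known for this site" case the comment above asks about.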
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Original issue reported on code.google.com by darrengarsden on 2011-06-13 12:04:38