OWASP ZAP not performing authentication during active scan using “Form-Based-Authentication” on Python project

I am facing a roadblock with OWASP ZAP form-based authentication. I set up the ZAP properties as per the guidance. When I run an active scan, when it attempts to login it gives a FORBIDDEN error: CSRF token not available.

Here is my ZAP screen.

My target URL is:

    http://example.com:84/admin/login/?next=/admin/
    

Post data:

    csrfmiddlewaretoken=IjYwHHavnCYgcWYMy2oL3L9Z0ldUH95s&username={%username%}&password={%password%}&next=%2Fadmin%2F
    

Here is the HTML response I got:

    <div id="summary">
      <h1>Forbidden <span>(403)</span></h1>
      <p>CSRF verification failed. Request aborted.</p>
    
    
    </div>
    
    <div id="info">
      <h2>Help</h2>
    
        <p>Reason given for failure:</p>
        <pre>
        CSRF token missing or incorrect.
        </pre>
    
    
      <p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when
      <a
      href="https://docs.djangoproject.com/en/1.8/ref/csrf/">Django's
      CSRF mechanism</a> has not been used correctly.  For POST forms, you need to
      ensure:</p>
    
      <ul>
        <li>Your browser is accepting cookies.</li>
    
        <li>The view function passes a <code>request</code> to the template's <a
        href="https://docs.djangoproject.com/en/dev/topics/templates/#django.template.backends.base.Template.render"><code>render</code></a>
        method.</li>
    
        <li>In the template, there is a <code>{% csrf_token
        %}</code> template tag inside each POST form that
        targets an internal URL.</li>
    
        <li>If you are not using <code>CsrfViewMiddleware</code>, then you must use
        <code>csrf_protect</code> on any views that use the <code>csrf_token</code>
        template tag, as well as those that accept the POST data.</li>
    
      </ul>
    
      <p>You're seeing the help section of this page because you have <code>DEBUG =
      True</code> in your Django settings file. Change that to <code>False</code>,
      and only the initial error message will be displayed.  </p>
    
      <p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p>
    </div>
    

Answer:

Unfortunately ZAP doesn't currently support the automatic regeneration of CSRF tokens when authenticating.

A way around this is to record a Zest authentication script – make sure that you start by requesting the page that generates that token.

Recording Zest scripts is covered in this FAQ (which is otherwise unrelated): https://github.com/zaproxy/zaproxy/wiki/FAQreportFN

Feel free to hassle us about supporting CSRF tokens when authenticating on https://groups.google.com/group/zaproxy-users 🙂
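The workaround the answer describes (request the page that issues the token first, then submit the form with that token and the matching cookie) as an added example in plain Python, not a Zest script and not code from the thread. The login page HTML and the token value are constructed samples; `login()` assumes a Django-style login URL like the one in the question and is not exercised offline.

```python
import http.cookiejar
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample of a Django admin login page; the token value is made up.
SAMPLE_LOGIN_PAGE = """
<form action="/admin/login/?next=/admin/" method="post">
  <input type="hidden" name="csrfmiddlewaretoken" value="constructedtoken0123">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="next" value="/admin/">
</form>
"""

class _HiddenInputs(HTMLParser):
    # Collects name/value pairs of hidden <input> elements on the page.
    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""

def extract_csrf_token(html):
    """Return the csrfmiddlewaretoken from a login page, or None if absent."""
    parser = _HiddenInputs()
    parser.feed(html)
    return parser.hidden.get("csrfmiddlewaretoken")

def build_login_body(html, username, password, next_url="/admin/"):
    """Build the POST body in the shape ZAP sends, but with the token from this page."""
    token = extract_csrf_token(html)
    if token is None:
        raise ValueError("login page has no csrfmiddlewaretoken; refusing to POST")
    return urlencode({"csrfmiddlewaretoken": token, "username": username,
                      "password": password, "next": next_url})

def login(login_url, username, password):
    """GET the login page first (sets the csrftoken cookie and yields the matching
    form token), then POST the credentials through the same cookie jar."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    page = opener.open(login_url).read().decode()
    body = build_login_body(page, username, password).encode()
    req = urllib.request.Request(login_url, data=body, headers={"Referer": login_url})
    return opener.open(req)
```

Django rejects a POST whose form token does not match the `csrftoken` cookie of the same session, which is why a static token pasted into ZAP's POST data produces the 403 shown in the question.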