Owasp ZAP在使用“Form-Based-Authentication”进行主动扫描期间不执行身份validationON python项目
我正在面对基于owasp zap表单的authentication上的障碍。 我按照指导安装zap属性。 当我运行主动扫描然后“当试图login它给FORBIDDEN错误。CSRF令牌不可用。
Owasp ZAP在使用“Form-Based-Authentication”进行主动扫描期间不执行身份validationON python项目。
[ 
我的目标url是:
http://example.com:84/admin/login/?next=/admin/ 发布数据 ;
csrfmiddlewaretoken=IjYwHHavnCYgcWYMy2oL3L9Z0ldUH95s&username={%username%}&password={%password%}&next=%2Fadmin%2F
这里是我得到的HTML响应:
<div id="summary"> <h1>Forbidden <span>(403)</span></h1> <p>CSRF verification failed. Request aborted.</p> </div> <div id="info"> <h2>Help</h2> <p>Reason given for failure:</p> <pre> CSRF token missing or incorrect. </pre> <p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when <a href="https://docs.djangoproject.com/en/1.8/ref/csrf/">Django's CSRF mechanism</a> has not been used correctly. For POST forms, you need to ensure:</p> <ul> <li>Your browser is accepting cookies.</li> <li>The view function passes a <code>request</code> to the template's <a href="https://docs.djangoproject.com/en/dev/topics/templates/#django.template.backends.base.Template.render"><code>render</code></a> method.</li> <li>In the template, there is a <code>{% csrf_token %}</code> template tag inside each POST form that targets an internal URL.</li> <li>If you are not using <code>CsrfViewMiddleware</code>, then you must use <code>csrf_protect</code> on any views that use the <code>csrf_token</code> template tag, as well as those that accept the POST data.</li> </ul> <p>You're seeing the help section of this page because you have <code>DEBUG = True</code> in your Django settings file. Change that to <code>False</code>, and only the initial error message will be displayed. </p> <p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p> </div>
Unfortunatley ZAP当前不支持在身份validation时自动重新生成CSRF令牌。
解决这个问题的方法是logging一个Zest身份validation脚本 – 确保您首先请求生成该令牌的页面标记。
loggingZest脚本包含在这个常见问题(这是不相关的): https : //github.com/zaproxy/zaproxy/wiki/FAQreportFN
在https://groups.google.com/group/zaproxy-users上进行身份validation时, 请随时咨询我们是否支持ACSR toeksn