1
votes

We have a Grails application and we are currently doing some OWASP ZAP security scans. There have been some Anti CSRF Tokens Scanner alerts that have come up, which is weird considering that some of the URLs already have the token, as seen in the parameters. We have already used CSRF Guard (csrfguard-3.1.0) to remedy these, but it seems that these are still appearing after the scan. Are there some configurations that need to be done in order for them to go away? The current version of OWASP ZAP is 2.4.1.

1 Answer

3
votes

ZAP includes a list of 'standard' anti-CSRF token names. It's quite possible that the one you are using is not in that list.

Open the ZAP Options dialog and select the 'Anti CSRF Tokens' screen, then add your token name to the list.

If you still get those alerts and you think it might be a ZAP problem then try asking on the ZAP User Group: http://groups.google.com/group/zaproxy-users

Simon (ZAP Project Lead)
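To make the answer concrete, here is an added example (not code from ZAP or from the question's Grails application) that mimics the scanner's basic heuristic: it parses the forms in a page, checks whether each form carries a hidden input whose name is in a configured list of known anti-CSRF token names, and reports the forms that do not. The default token list and the sample HTML below are constructed for this example and are not ZAP's real defaults; the point is that a form protected by a custom token name (such as `OWASP_CSRFTOKEN`) is still reported until that name is added to the list, which is exactly what the answer suggests doing in the ZAP options.

```python
"""Toy model of an anti-CSRF token check (added example; not ZAP code).

A form counts as protected when one of its input names, compared
case-insensitively, matches a name in the configured token list.
"""
from html.parser import HTMLParser

# Constructed list of 'standard' token names; ZAP ships its own, longer list.
DEFAULT_TOKEN_NAMES = frozenset({
    "anticsrf",
    "csrftoken",
    "__requestverificationtoken",
    "csrfmiddlewaretoken",
    "authenticity_token",
    "_csrf",
    "_token",
})


class FormCollector(HTMLParser):
    """Collects every <form> together with the names of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "form":
            self._current = {"action": attributes.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(attributes.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_unprotected_forms(html, token_names=DEFAULT_TOKEN_NAMES):
    """Return the action URLs of forms with no recognised anti-CSRF token field."""
    known = {name.lower() for name in token_names}
    parser = FormCollector()
    parser.feed(html)
    return [
        form["action"]
        for form in parser.forms
        if not any(field.lower() in known for field in form["inputs"])
    ]


# Constructed sample page: one form uses a custom token name (OWASP_CSRFTOKEN,
# as CSRF Guard might emit), one uses a name on the default list, one has none.
SAMPLE_HTML = """
<html><body>
<form action="/transfer" method="post">
  <input type="hidden" name="OWASP_CSRFTOKEN" value="constructed-token-1"/>
  <input type="text" name="amount"/>
</form>
<form action="/profile" method="post">
  <input type="hidden" name="csrfmiddlewaretoken" value="constructed-token-2"/>
  <input type="text" name="displayName"/>
</form>
<form action="/comment" method="post">
  <input type="text" name="body"/>
</form>
</body></html>
"""


def demo():
    """Run the check before and after registering the custom token name."""
    before = find_unprotected_forms(SAMPLE_HTML)
    after = find_unprotected_forms(SAMPLE_HTML, DEFAULT_TOKEN_NAMES | {"OWASP_CSRFTOKEN"})
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("Flagged with default list:", before)
    print("Flagged after adding OWASP_CSRFTOKEN:", after)
```

With the default list, `/transfer` is reported even though it is protected, because its token name is unknown to the checker; once the custom name is registered only the genuinely unprotected `/comment` form remains. The same reasoning applies to the ZAP alerts in the question: verify that the token name CSRF Guard emits appears in ZAP's Anti CSRF Tokens list, and treat any alert that survives that change as a real finding to investigate.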