
I am new to OWASP ZAP, so I need your help.

I have a vulnerable site, DVWA. I am trying to work with the CSRF token in brute force.

When the page loads I have an HTML form with login, password and user-token. The third field is filled with a dynamic token (CSRF).

I need to use brute force with the CSRF token:

  1. Receive user_token from loaded page
  2. Send form through Fuzzer

As I understand it, I need to create a script for receiving user_token from the loaded page and then run Attack -> Fuzz on the authorization link, then select the user_token value and add a payload script that will fill it in on each request.

But I can't find any information on the Internet about how to create this script. Can anyone please help me?

Anders
user2264941

2 Answers

There's actually an easier option when using the fuzzer. Add the 'Anti-CSRF Token Refresher' Message Processor - that will automatically regenerate the token for you :) If it's not available then you should just need to tell ZAP about the token name.

It's worth noting that currently we only support CSRF tokens in the body, not in the URL.

Oh, and FYI, in the next version of the fuzzer add-on this Message Processor will be added by default if we detect a CSRF token in the message being fuzzed :)

Simon Bennetts

This FAQ might help you; it covers DVWA and fuzzing while handling tokens via script: https://github.com/zaproxy/zaproxy/wiki/FAQvulnappdvwa

```javascript
// ZAP fuzzer HTTP Processor script (Nashorn JavaScript). Before each fuzzed
// request is sent, it fetches the brute-force page, reads the current
// user_token from the hidden form field and writes it into the request's
// URL parameters, so every fuzzed request carries a valid CSRF token.
var SOURCE_URL = "http://localhost/DVWA/vulnerabilities/brute/";
var CSRF_TOKEN_NAME = "user_token";
var REQUEST_URI = new org.apache.commons.httpclient.URI(SOURCE_URL, true);

// Called by the fuzzer for every message about to be sent.
function processMessage(utils, message) {
    // Clone the request (keeps the session cookies) and point it at the form page.
    var msg = message.cloneRequest();
    msg.getRequestHeader().setURI(REQUEST_URI);
    var csrfTokenValue = extractInputFieldValue(getPageContent(utils, msg), CSRF_TOKEN_NAME);

    // Overwrite the stale token in the query string; the fuzzed parameters are left untouched.
    var params = message.getUrlParams();
    replace(params, CSRF_TOKEN_NAME, encodeURIComponent(csrfTokenValue));
    message.getRequestHeader().setGetParams(params);
}

// Called by the fuzzer for every result; returning true keeps the result in the list.
function processResult(utils, fuzzResult) {
    return true;
}

// Sends the page request through ZAP and returns the response body as a string.
function getPageContent(utils, msg) {
    utils.sendMessage(msg);
    utils.addMessageToResults("Refresh " + CSRF_TOKEN_NAME, msg);
    return msg.getResponseBody().toString();
}

// Parses the HTML with Jericho (bundled with ZAP) and returns the value of the
// <input> element whose name matches fieldName, or '' if there is none.
function extractInputFieldValue(page, fieldName) {
    var Source = Java.type("net.htmlparser.jericho.Source");
    var src = new Source(page);

    var it = src.getAllElements('input').iterator();

    while (it.hasNext()) {
        var element = it.next();
        if (element.getAttributeValue('name') == fieldName) {
            return element.getAttributeValue('value');
        }
    }
    return '';
}

// Sets the value of the named parameter in place; does nothing if it is absent.
function replace(params, name, value) {
    var it = params.iterator();

    while (it.hasNext()) {
        var param = it.next();
        if (param.getName() == name) {
            param.setValue(value);
            return;
        }
    }
}
```
kingthorin
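The two steps the ZAP script above performs (read the hidden `user_token` from the returned page, then rewrite that one query parameter) reproduced as a stand-alone Node.js example so the logic can be checked outside ZAP. This is an added example, not the project's own code; the HTML page and token value are constructed, and the name `refreshToken` is my own.

```javascript
// Added example: stand-alone version of the token-refresh logic in the ZAP
// fuzzer script. Runs under Node.js with no dependencies.
const CSRF_TOKEN_NAME = "user_token";

// Constructed sample of the DVWA brute-force form; the token value is made up.
const SAMPLE_PAGE = `
<form action="#" method="GET">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login" name="Login">
  <input type='hidden' name='user_token' value='0f3a7c2e9b1d4a6f8e5c7d9b2a4f6e8c' />
</form>`;

// Mirrors extractInputFieldValue(): return the value of the <input> whose name
// matches. Attribute order and quote style vary, so each tag is parsed into a map.
function extractInputFieldValue(page, fieldName) {
  const inputTags = page.match(/<input\b[^>]*>/gi) || [];
  for (const tag of inputTags) {
    const attrs = {};
    for (const m of tag.matchAll(/([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g)) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
    }
    if (attrs.name === fieldName) return attrs.value ?? "";
  }
  return "";
}

// Mirrors replace() + setGetParams(): rewrite one query parameter in place,
// leaving the fuzzed parameters untouched. URLSearchParams handles the encoding
// that the ZAP script does with encodeURIComponent().
function replaceQueryParam(query, name, value) {
  const params = new URLSearchParams(query);
  if (!params.has(name)) return query;
  params.set(name, value);
  return params.toString();
}

// Mirrors processMessage(): refresh the token in the request about to be sent.
// Unlike the ZAP script, a missing token field is treated as an error rather
// than silently sending an empty token.
function refreshToken(page, query) {
  const token = extractInputFieldValue(page, CSRF_TOKEN_NAME);
  if (token === "") throw new Error(`no ${CSRF_TOKEN_NAME} field found in page`);
  return replaceQueryParam(query, CSRF_TOKEN_NAME, token);
}

// Constructed stale request, as the fuzzer would hold it before the refresh.
const STALE_QUERY = "username=admin&password=candidate&Login=Login&user_token=stale";
console.log(refreshToken(SAMPLE_PAGE, STALE_QUERY));
```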
  • [Please](https://security.stackexchange.com/a/154538/86652) [don't](https://security.stackexchange.com/a/154539/86652) [spam](https://security.stackexchange.com/a/154541/86652) – techraf Mar 22 '17 at 00:19
  • @techraf I think he doesn't advertise a product, although he posts without real answers. I think it is multiple comment-answer, but not spam. – peterh Mar 22 '17 at 00:57
  • Posting the same answer under multiple questions is spamming. – techraf Mar 22 '17 at 01:00
  • @peterh All answers by this user advertise the same GitHub repository. – S.L. Barth Mar 22 '17 at 07:37
  • @S.L.Barth That is not a reason to delete. The reason to delete is that it is link-only. Spamming would also warrant harder measures (i.e. network-wide ban/deletion, maybe IP-level blocking); I think these circumstances don't apply to the current case. – peterh Mar 22 '17 at 09:02
  • Yup they do, because they're all about the same software, and our help docs contain the answers. I'll make the rounds and quote the content along with linking it.... – kingthorin Mar 22 '17 at 16:15
  • @S.L.Barth that's because these questions are *about that repository*, that's the official documentation for ZAP. And he happens to be one of the popular committers to that project. – AviD Mar 22 '17 at 17:01
  • That said @kingthorin as mentioned, link-only answers are not good answers on StackExchange, for reasons. I'd appreciate if you start fleshing out your posts with the actual answers to the asked questions, instead of just linking... Thanks! :-) – AviD Mar 22 '17 at 17:03
  • Understood, on it :-) – kingthorin Mar 22 '17 at 17:06