DEVHIDE
Login Or Sign up

How to By Pass CSRF token validation in ZAP Jenkins job

355 Views Asked by At

I am new to OWASP ZAP, I have a login based authenticated web application. Login expects Username, Password and csrf token gets generated dynamically when I debugged in OWASP. Now to allow the ZAP jenkins job to be successful how can I pass CSRF token in ZAP jenkins job?

I believe because of that I am getting below error -

[ZAP Jenkins Plugin] SPIDER SCAN STATUS [ 0% ]
[ZAP Jenkins Plugin] ALERTS COUNT [ 0 ]

9117 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Starting spider...
9117 [ZAP-SpiderInitThread-0] INFO org.zaproxy.zap.spider.Spider  - Scan will be performed from the point of view of User: fred
9134 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User  - Authenticating user: USER
9266 [ZAP-SpiderThreadPool-0-thread-1] ERROR org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType  - Unable to prepare authentication message: Index: 0, Size: 0
java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
    at java.util.ArrayList.rangeCheck(Unknown Source)
    at java.util.ArrayList.get(Unknown Source)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.extractParametersFromPostData(PostBasedAuthenticationMethodType.java:458)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.replaceAntiCsrfTokenValueIfRequired(PostBasedAuthenticationMethodType.java:420)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.authenticate(PostBasedAuthenticationMethodType.java:339)
    at org.zaproxy.zap.users.User.authenticate(User.java:265)
    at org.zaproxy.zap.users.User.processMessageToMatchUser(User.java:175)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:581)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:573)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:478)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:448)
    at org.zaproxy.zap.spider.SpiderTask.fetchResource(SpiderTask.java:445)
    at org.zaproxy.zap.spider.SpiderTask.runImpl(SpiderTask.java:218)
    at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:190)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
9270 [ZAP-SpiderThreadPool-0-thread-1] INFO org.zaproxy.zap.users.User  - Authentication failed for user: USER
9326 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.users.User  - Authenticating user: USER
9389 [ZAP-SpiderThreadPool-0-thread-2] ERROR org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType  - Unable to prepare authentication message: Index: 0, Size: 0
java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
    at java.util.ArrayList.rangeCheck(Unknown Source)
    at java.util.ArrayList.get(Unknown Source)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.extractParametersFromPostData(PostBasedAuthenticationMethodType.java:458)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.replaceAntiCsrfTokenValueIfRequired(PostBasedAuthenticationMethodType.java:420)
    at org.zaproxy.zap.authentication.PostBasedAuthenticationMethodType$PostBasedAuthenticationMethod.authenticate(PostBasedAuthenticationMethodType.java:339)
    at org.zaproxy.zap.users.User.authenticate(User.java:265)
    at org.zaproxy.zap.users.User.processMessageToMatchUser(User.java:175)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:581)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:573)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:478)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:448)
    at org.zaproxy.zap.spider.SpiderTask.fetchResource(SpiderTask.java:445)
    at org.zaproxy.zap.spider.SpiderTask.runImpl(SpiderTask.java:218)
    at org.zaproxy.zap.spider.SpiderTask.run(SpiderTask.java:190)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
9391 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.users.User  - Authentication failed for user: USER
9438 [ZAP-SpiderThreadPool-0-thread-2] INFO org.zaproxy.zap.spider.Spider  - Spidering process is complete. Shutting down...
9441 [ZAP-SpiderShutdownThread-0] INFO org.zaproxy.zap.extension.spider.SpiderThread  - Spider scanning complete: true
jenkins owasp zap
Original Q&A
1

There are 1 best solutions below

0
On

You can (temporarily) disable CSRF with below groovy script. Go to Manage Jenkins >> Script Console, then execute the below groovy script.

import jenkins.model.Jenkins

def instance = Jenkins.instance
instance.setCrumbIssuer(null)

Related Questions in JENKINS

Related Questions in OWASP

Related Questions in ZAP

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.