Анти-CSRF токены

Anti CSRF tokens are (pseudo) random parameters used to protect against Cross Site Request Forgery (CSRF) attacks.
However they also make a penetration testers job harder, especially if the tokens are regenerated every time a form is requested.

ZAP detects anti CSRF tokens purely by attribute names - the list of attribute names considered to be anti CSRF tokens is configured using the Options Anti CSRF screen.
When ZAP detects these tokens it records the token value and which URL generated the token.
The active scanner and fuzzer both have options which cause ZAP to automatically regenerate the tokens when required.

See also

     UI Overviewfor an overview of the user interface
     Featuresprovided by ZAP