Anti CSRF tokens are (pseudo) random parameters used to protect against Cross Site Request Forgery (CSRF) attacks.
However they also make a penetration testers job harder, especially if the tokens are regenerated every time a form is requested.
ZAP detects anti CSRF tokens purely by attribute names - the list of attribute names considered to be anti CSRF tokens
is configured using the Options Anti CSRF screen.
When ZAP detects these tokens it records the token value and which URL generated the token.
Other tools, like the active scanner, have options which cause ZAP to automatically regenerate the tokens when required.
|for an overview of the user interface
|provided by ZAP