CSRF Tokens

urand0m

23 Apr, 2016 05:30 AM

Hello,

Just a quick question about how Arachni manages CSRF tokens.
I have three scenarios at the top of my mind:

1) Anti-CSRF token assigned and does not change throughout the session (I know it is not the best implementation);
2) Anti-CSRF token changes on every form submission;
3) Anti-CSRF token is not validated properly by the application, so it can be omitted and the session would still work (I know it is an issue);

Thanks a lot for any information provided
Regards,

  1. Support Staff 1 Posted by Tasos Laskos on 23 Apr, 2016 07:03 AM

    If the token doesn't change with each page refresh then it won't be marked as a nonce and the form is going to be submitted as usual.
    If it changes, then the form is going to be refreshed by fetching its parent page prior to each submission.

    In the case of #3 this is suboptimal but it's hard to optimize for it.

    Cheers
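The two behaviours described in this answer (a token that stays the same is not a nonce and the form is submitted as captured; a token that changes is refreshed by re-fetching the parent page before each submission), plus the scenario #3 check from the question, as an added illustration. This is not Arachni's own code: FakeApp is a constructed stand-in for the scanned application, and the field names, token format and the `enforce` flag are assumptions made for this example.

```python
"""Added example (not Arachni's code): telling a per-request anti-CSRF nonce from a
per-session token, and refreshing the form before submission only when needed."""
import secrets
from html.parser import HTMLParser


class HiddenInputParser(HTMLParser):
    """Collect name=value pairs of <input type="hidden"> elements in a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def hidden_inputs(html):
    parser = HiddenInputParser()
    parser.feed(html)
    return parser.fields


class FakeApp:
    """Constructed stand-in for the scanned application (assumption, not a real target).

    per_request=True  -> fresh token on every page fetch, earlier tokens rejected (scenario 2)
    per_request=False -> one token for the whole session (scenario 1)
    enforce=False     -> the token is never validated (scenario 3)
    """

    def __init__(self, per_request, enforce=True):
        self.per_request = per_request
        self.enforce = enforce
        self.session_token = secrets.token_hex(8)
        self.valid_tokens = set()

    def get_form(self):
        token = secrets.token_hex(8) if self.per_request else self.session_token
        self.valid_tokens = {token}          # a per-request token invalidates the previous one
        return (
            '<form method="post" action="/profile">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="hidden" name="form_id" value="profile">'
            '<input type="text" name="display_name">'
            "</form>"
        )

    def submit(self, data):
        """True when the application accepts the submission."""
        if not self.enforce:
            return True
        return data.get("csrf_token") in self.valid_tokens


def find_nonces(fetch):
    """Hidden fields whose value differs between two fetches of the same page are nonces."""
    first, second = hidden_inputs(fetch()), hidden_inputs(fetch())
    return {name for name in first if name in second and first[name] != second[name]}


def submit_form(app, captured, nonces, user_values):
    """Submit the captured form; re-fetch the parent page first only if it carries a nonce."""
    data = dict(captured)
    if nonces:
        fresh = hidden_inputs(app.get_form())   # refresh the form right before submitting
        for name in nonces:
            data[name] = fresh[name]
    data.update(user_values)
    return app.submit(data)


def token_is_enforced(app):
    """Scenario 3 check: a submission with the token stripped must be rejected."""
    data = hidden_inputs(app.get_form())
    data.pop("csrf_token", None)
    return not app.submit(data)


def demo(per_request, enforce=True):
    """Returns (detected nonce names, submission accepted?, token enforced?)."""
    app = FakeApp(per_request, enforce)
    captured = hidden_inputs(app.get_form())    # the form as first seen during the crawl
    nonces = find_nonces(app.get_form)
    accepted = submit_form(app, captured, nonces, {"display_name": "alice"})
    return sorted(nonces), accepted, token_is_enforced(app)


if __name__ == "__main__":
    print("session token :", demo(per_request=False))
    print("per-request   :", demo(per_request=True))
    print("not validated :", demo(per_request=True, enforce=False))
```

With a session-wide token no nonce is detected and the captured form is submitted as is; with a per-request token the `csrf_token` field is marked as a nonce and the form is re-fetched before every submission, which is what makes the submission succeed (submitting the stale captured copy would be rejected). The `token_is_enforced` check returns False only for the third scenario, where the application accepts a submission with the token removed.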

  2. 2 Posted by urand0m on 23 Apr, 2016 07:14 AM

    Hello,

    OK, for the #3 case I understand.
    So basically Arachni gives some sort of assurance that it will handle anti-CSRF tokens automatically?
    Could you suggest how to debug Arachni's behaviour, in order to obtain complete confidence in this? Using the session check?
    I am initially passing all Arachni requests through Burp to observe its behaviour.

    Thanks for any additional suggestion
    Regards,

  3. Support Staff 3 Posted by Tasos Laskos on 23 Apr, 2016 07:16 AM

    Yeah, you got the right idea. About debugging, you can use the --output-debug option; values range from 1 to 5.
    The bigger the value, the deeper you'll be able to see into the system.

    Cheers

  4. Tasos Laskos closed this discussion on 04 May, 2016 05:42 PM.
