CSRF Tokens
Hello,
Just a quick question about how Arachni manages CSRF tokens.
I have three scenarios at the top of my mind:
1) Anti-CSRF token is assigned and does not change throughout the session (I know it is not the best implementation);
2) Anti-CSRF token changes on every form submission;
3) Anti-CSRF token is not validated properly by the application, so it can be omitted and the session would still work (I know it is an issue);
Thanks a lot for any information provided
Regards,
Support Staff 1 Posted by Tasos Laskos on 23 Apr, 2016 07:03 AM
If the token doesn't change with each page refresh then it won't be marked as a nonce and the form is going to be submitted as usual.
If it changes, then the form is going to be refreshed by fetching its parent page prior to each submission.
In the case of #3 this is suboptimal but it's hard to optimize for it.
Cheers
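The behaviour described in the reply above, sketched as an added example that is not part of the original thread and is not Arachni's own code: fetch the page twice, treat any input whose value differs as a nonce, and refresh the form before submitting only when a nonce is present. The helper names, the regex-based parsing and the sample form are assumptions made for illustration.

```ruby
# Added illustration, not Arachni's implementation. Parsing is a simplified
# regex scan of <input> tags; a real crawler would use an HTML parser.

# Returns { name => value } for every named <input> in the HTML.
def input_values(html)
  html.scan(/<input\b[^>]*>/i).each_with_object({}) do |tag, fields|
    name  = tag[/\bname=["']([^"']*)["']/i, 1]
    value = tag[/\bvalue=["']([^"']*)["']/i, 1]
    fields[name] = value.to_s if name
  end
end

# Names of inputs whose value differs between two fetches of the same page.
# A token that stays fixed for the session (scenario 1) is not reported.
def nonce_fields(first_fetch, second_fetch)
  a = input_values(first_fetch)
  b = input_values(second_fetch)
  (a.keys & b.keys).select { |name| a[name] != b[name] }
end

# Builds the parameters to submit. If the form carries a nonce (scenario 2),
# the block, a stand-in for re-fetching the parent page, supplies fresh
# values; otherwise the values already seen are reused as usual.
def submission_params(first_fetch, second_fetch, overrides)
  nonces = nonce_fields(first_fetch, second_fetch)
  base   = nonces.empty? ? input_values(second_fetch) : input_values(yield)
  base.merge(overrides)
end

# Constructed sample page with a hidden token field.
def page(csrf)
  %(<form action="/transfer" method="post">
      <input type="hidden" name="csrf_token" value="#{csrf}">
      <input type="text" name="amount" value="">
    </form>)
end
```

Scenario 3 cannot be told apart by this comparison: a token that rotates but is never validated still looks like a nonce, so the extra fetch happens anyway.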
2 Posted by urand0m on 23 Apr, 2016 07:14 AM
Hello,
OK, for case #3 I understand.
So basically Arachni gives some sort of assurance that it will automatically deal with anti-CSRF tokens?
Could you suggest how to debug Arachni's behaviour, in order to obtain complete confidence in this? Using the session check?
I am initially passing all Arachni requests through Burp to observe its behaviour.
Thanks for any additional suggestion
Regards,
Support Staff 3 Posted by Tasos Laskos on 23 Apr, 2016 07:16 AM
Yeah you got the right idea, about debugging, you can use the --output-debug option, values range from 1 to 5. The bigger the value the deeper you'll be able to see into the system.
Cheers
Tasos Laskos closed this discussion on 04 May, 2016 05:42 PM.