Arachni: Discussion (2016-05-04T17:42:46Z)
CSRF Tokens

2016-04-23T07:03:53Z
<div><p>If the token doesn't change with each page refresh then it won't
be marked as a nonce and the form is going to be submitted as
usual.<br>
If it changes, then the form is going to be refreshed by fetching
its parent page prior to each submission.</p>
<p>In the case of #3 this is suboptimal but it's hard to optimize
for it.</p>
<p>Cheers</p></div>
Tasos Laskos

2016-04-23T07:14:42Z
<div><p>Hello,</p>
<p>OK, for case #3 I understand.<br>
So basically Arachni gives some sort of assurance that it will
automatically handle anti-CSRF tokens?<br>
Could you suggest how to debug Arachni's behaviour, in order to
gain complete confidence in this? Using the session check?<br>
I am initially passing all Arachni requests through Burp to observe its
behaviour.</p>
<p>Thanks for any additional suggestion<br>
Regards,</p></div>
urand0m

2016-04-23T07:16:56Z
<div><p>Yeah, you got the right idea. About debugging, you can use the
<code>--output-debug</code> option; values range from 1 to 5.<br>
The bigger the value the deeper you'll be able to see into the
system.</p>
<p>Cheers</p></div>
Tasos Laskos
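
The nonce handling described in the first reply, as an added Ruby illustration that is not Arachni's own code: a field whose value differs between two fetches of the same page is treated as a nonce, and a form carrying nonces is re-fetched from its parent page before each submission. The sample page, field names and helper names are constructed for this example.

```ruby
require 'securerandom'

# Constructed stand-in for the target: every fetch of the parent page renders
# the form with a fresh csrf_token, while form_id stays constant.
FETCH_PAGE = lambda do
  <<~HTML
    <form action="/transfer" method="post">
      <input type="hidden" name="form_id" value="transfer-v1">
      <input type="hidden" name="csrf_token" value="#{SecureRandom.hex(16)}">
      <input type="text" name="amount" value="">
    </form>
  HTML
end

# Extract input name => value pairs (regex parsing is enough for the sample markup).
def form_inputs(html)
  html.scan(/<input\b[^>]*>/i).each_with_object({}) do |tag, inputs|
    name = tag[/\bname="([^"]*)"/i, 1]
    inputs[name] = tag[/\bvalue="([^"]*)"/i, 1].to_s if name
  end
end

# In this sketch a field is a nonce when its value differs between two fetches.
def nonce_fields(first_html, second_html)
  first, second = form_inputs(first_html), form_inputs(second_html)
  first.keys.select { |name| second.key?(name) && first[name] != second[name] }
end

# No nonces: submit the cached form as usual. Nonces present: refresh the
# form by fetching its parent page again, then apply the audited values.
def prepare_submission(fetch, cached_inputs, nonces, overrides)
  base = nonces.empty? ? cached_inputs : form_inputs(fetch.call)
  base.merge(overrides)
end

if __FILE__ == $PROGRAM_NAME
  first = FETCH_PAGE.call
  nonces = nonce_fields(first, FETCH_PAGE.call)
  puts "nonce fields: #{nonces.inspect}"
  puts prepare_submission(FETCH_PAGE, form_inputs(first), nonces, 'amount' => '10').inspect
end
```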