
CSRF TOKEN GENERATOR

Open pwneddesal opened this issue 5 years ago • 2 comments

Hi, is there a way to generate a CSRF token for every user, or grab a CSRF token from another request and then use it for the URL endpoint that you want to test for IDOR, since every user has a different CSRF token?

pwneddesal avatar Jun 19 '19 00:06 pwneddesal

Currently, this feature is not supported. The implementation should be a URL defined under the configuration tab, which will have a regex to fetch a value from the response. This URL needs to be fetched before each request and be added into a placeholder that will be injected into requests. I don't have enough time to write it now; you or anyone else reading this will be able to develop it :)

Quitten avatar Jun 19 '19 09:06 Quitten
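
The design described in the reply above (a token URL, a regex over its response, a placeholder filled in before each request), as an added example that is not Autorize code. The `{{CSRF}}` placeholder, the function names, the `fetch` callable and the sample page and request are all assumptions made for illustration.

```python
import re

PLACEHOLDER = "{{CSRF}}"  # assumed placeholder name, not an Autorize setting

class TokenError(Exception):
    """The token could not be extracted or is unsafe to inject."""

def extract_token(response_body, pattern):
    """Return capture group 1 of `pattern` found in the token page."""
    match = re.search(pattern, response_body)
    if match is None or not match.group(1):
        raise TokenError("token pattern did not match the response")
    token = match.group(1)
    # The value comes from a response: refuse anything that could split headers.
    if re.search(r"[\r\n]", token):
        raise TokenError("token contains CR/LF")
    return token

def inject_token(raw_request, token, placeholder=PLACEHOLDER):
    """Fill the placeholder in headers and body, then fix Content-Length."""
    if placeholder not in raw_request:
        return raw_request
    head, sep, body = raw_request.partition("\r\n\r\n")
    head = head.replace(placeholder, token)
    body = body.replace(placeholder, token)
    if body:
        # The body length changed, so the old Content-Length is now wrong.
        new_len = "\\g<1> %d" % len(body.encode("utf-8"))
        head = re.sub(r"(?im)^(Content-Length:)[ \t]*\d+", new_len, head)
    return head + sep + body

def prepare(raw_request, fetch, token_url, pattern):
    """`fetch(url)` returns a response body; call it before every request."""
    return inject_token(raw_request, extract_token(fetch(token_url), pattern))

# Constructed sample data: a token page and a low-privilege request template.
SAMPLE_PAGE = '<input type="hidden" name="_token" value="tok-lowpriv-123">'
SAMPLE_PATTERN = r'name="_token" value="([^"]+)"'
SAMPLE_REQUEST = (
    "POST /account/42 HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Cookie: SESSIONID=lowpriv\r\n"
    "Content-Length: 22\r\n"
    "\r\n"
    "_token={{CSRF}}&name=x"
)

if __name__ == "__main__":
    print(prepare(SAMPLE_REQUEST, lambda url: SAMPLE_PAGE,
                  "https://app.example/form", SAMPLE_PATTERN))
```

If the regex fails to match, `TokenError` is raised instead of sending the request with an empty or stale token, which would otherwise show up as a misleading "enforced" result.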

I have a somewhat related issue: each user has a per-session CSRF token that is submitted in a POST request. Did I understand the configuration correctly, that you cannot specify BOTH a cookie header AND a POST parameter you wish to send in the low-priv request?

That is: I cannot configure Autorize to set SESSIONID=xxxxx and also replace the _token parameter in the request with that for my low-priv user?

er4z0r avatar Nov 17 '21 13:11 er4z0r