Can't it detect and grab the token automatically after giving it an example? As you know, tokens aren't static, because if they were, that would make them totally useless and kill the purpose that they were made for!
No, it can't detect CSRF tokens automatically, at the moment.
But when you provide the CSRF token name(s), it'll automatically grab the unique value relevant to that token(s) and send it with the next request that is made. This process will continue for each word in the rest of the word list. This script was made when I was playing CTFs. I have a few ideas to modify the tool. I'll update the tool soon. Thanks for your feedback. :)
Thanks for the clarification.
Also, you should get it to support multiple tokens, not just one.
And maybe perform some processing on the password, like MD5 hashing it...
Or merging it with the token, then hashing it with SHA-256... as some login pages do this.
An argument for what to do with the token and passwords before sending.
Thank you very much for your suggestions! Really this feedback motivated me a lot. I'll update the tool soon. :)
You are welcome mate...
> Really this feedback motivated me a lot
It's my pleasure :).