0ang3el / easycsrf Goto Github PK

Hi @0ang3el,

Thanks for making burp extension for this, I just installed and tried this, and as you said, it will update the request on the fly while browsing which is good way to do it indeed, but as we know, if application doesn't support the manipulation extension did then web application will be stuck and then we need to disable the ext for the further browsing which is not very practical I think, and I guess this can be done in better way if ext can replicate/clone the request in history tab and do needed manipulation on the duplicate request no the original and highlight that one, in this way we can obsever the all the manuplation in history tab and applicaiton will not be stuck while browsing as well.

let me know what you think about this.

@0ang3el , Good day, Please i actually need your help regarding your tools, EasyCsrf, i use the tool, i detect like two cases of CSRF in the Web application i was testing, but i can't figure out , how to construct a PoC for the succeeded cases , it was actually a "PUT" Request , application/json request , just like the one you show in the last Part of your Presentation at Zero Night" , but i can't figure out how to Construct the POC, if you don't mind i can send you the request so that you can take a look at it., am waiting for your response . Thanking you.

Здравствуйте, Михаил! У меня скрипт удаляет только последний добавленный csrf-токен. Возможно, это поведение скрипта только на ОС Windows. Я добавил вывод переменных (в цикле, 470-ая строка кода) self.text_area_to_list(self.csrf_params_text_area) и csrf_params_names и получил следующий вывод:[u'csrf\r', u'xsrf\r', u'token\r', u'auth\r', u'secret\r', u'csrf_token\r', u'csrf1']
['csrf', 'xsrf', 'token', 'auth', 'secret', 'csrf_token', 'csrf1'].
Видимо, проблема в '\r'.