Make the anti-CSRF Token option more detailed #95376
Replies: 1 comment
-
From reviewing the code from 3 years back, the token is added everywhere, to header, to query string and to request body (brutal I reckon). And it's the only use case covered by integration test, I didn't have the CSRF URL in mind when it was implemented, so thanks for the proposal and for the reference. The tooltip is not really clear when hovering the Preferences options, I confirm it should be clearer.
The token is fetched both from the HTML body and from the cookies of ongoing URL, a CSRF URL feature has to be implemented for the URL use case. First I'll verify that Spring API provides a way to define a CSRF URL, because I need to make it work on the integration platform prior to start implementing. If Spring provides the use case then I'll add the integration test to validate and implement the feature. Though from Spring documentation I don't see any reference to the CSRF URL use case, it seems weird but I'll have a look.
jSQL exists because I found other tools too slow, or using the wrong strategy, etc, also other tools with complex GUI and terminal were not for me. I'm not sure if you're comparing speed to other tools, but your feedback seems aligned with my initial goal, the speed :) |
Beta Was this translation helpful? Give feedback.
-
The current anti-CSRF options are still lacking in detail, such as where will the token be placed: header, cookie or body? Then there is no option which page the token is fetched from. --csrf-url, --csrf-token --csrf-retries from SQLMap would be a good reference. I am really amazed by the speed with which jSQL gets the data and visualizes it. I hope jSQL in the future will be even more dynamic
Beta Was this translation helpful? Give feedback.
All reactions