From 01f4b76817f83dd89557fdd2141ba9c826052e5f Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Thu, 23 Oct 2014 14:03:44 +0200
Subject: [PATCH] Minor update for the Issue #2
---
 lib/core/settings.py | 4 ++--
 lib/core/target.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/core/settings.py b/lib/core/settings.py
index d6c739501..26f83d04c 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -603,8 +603,8 @@ METASPLOIT_SESSION_TIMEOUT = 300
 # Reference: http://www.cookiecentral.com/faq/#3.5
 NETSCAPE_FORMAT_HEADER_COOKIES = "# Netscape HTTP Cookie File."
-# Prefixes used for automatic recognition of parameters carrying CSRF protection tokens
-CSRF_TOKEN_PARAMETER_PREFIXES = ("csrf", "xsrf")
+# Infixes used for automatic recognition of parameters carrying CSRF protection tokens
+CSRF_TOKEN_PARAMETER_INFIXES = ("csrf", "xsrf")
 # Prefixes used in brute force search for web server document root
 BRUTE_DOC_ROOT_PREFIXES = {
diff --git a/lib/core/target.py b/lib/core/target.py
index f1d284b96..50a4d0d74 100644
--- a/lib/core/target.py
+++ b/lib/core/target.py
@@ -43,7 +43,7 @@ from lib.core.option import _setDBMS
 from lib.core.option import _setKnowledgeBaseAttributes
 from lib.core.option import _setAuthCred
 from lib.core.settings import ASTERISK_MARKER
-from lib.core.settings import CSRF_TOKEN_PARAMETER_PREFIXES
+from lib.core.settings import CSRF_TOKEN_PARAMETER_INFIXES
 from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
 from lib.core.settings import DEFAULT_GET_POST_DELIMITER
 from lib.core.settings import HOST_ALIASES
@@ -353,7 +353,7 @@ def _setRequestParams():
 else:
 for place in (PLACE.GET, PLACE.POST):
 for parameter in conf.paramDict.get(place, {}):
- if any(parameter.lower().startswith(_) for _ in CSRF_TOKEN_PARAMETER_PREFIXES):
+ if any(parameter.lower().count(_) for _ in CSRF_TOKEN_PARAMETER_INFIXES):
 message = "%s parameter '%s' appears to hold CSRF protection token. " % (place, parameter)
 message += "Do you want sqlmap to automatically update it in further requests? [y/N] "
 test = readInput(message, default="N")
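Review bot: The added `if` line tests `parameter.lower().count(_)` for truth, which tallies every occurrence of the infix across the whole name only to collapse the tally to a boolean, and re-lowercases the parameter once per infix; the intent reads more directly as a membership test, `if any(_ in parameter.lower() for _ in CSRF_TOKEN_PARAMETER_INFIXES):`. Moving from prefix to infix matching widens which parameter names trigger the prompt (any name containing "csrf" or "xsrf" anywhere, not only at its start), which is presumably the point of the issue, but it also means more candidate parameters will be offered to the user; the `default="N"` on the readInput call is what keeps a false match from being acted on without confirmation, so it is worth a short comment on that line saying so. _setRequestParams starts and ends outside this hunk.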