skipping csrf parameter injection try

This commit is contained in:
Marcel Gregoriadis 2018-12-09 17:52:18 +01:00
parent f745a0b1d0
commit faedc45399
2 changed files with 12 additions and 6 deletions


@ -470,7 +470,19 @@ def start():
paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place
csrfTokenPattern = r""
strings = conf.csrfToken.split("*")
for index, string in enumerate(strings):
csrfTokenPattern += re.escape(string)
if index < len(strings) - 1:
csrfTokenPattern += ".*"
for parameter, value in paramDict.items(): for parameter, value in paramDict.items():
if (re.match(csrfTokenPattern, parameter)):
infoMsg = "skipping csrf parameter '%s'" % parameter
logger.info(infoMsg)
continue
if not proceed: if not proceed:
break break
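Review bot: The new `re.match(csrfTokenPattern, parameter)` test is anchored only at the start of the name, so any parameter whose name merely begins with the configured token name (or with one of its `*`-separated pieces) is also excluded from testing, which silently widens the skip beyond the one parameter the user named. Anchoring the pattern fixes that: `if re.match(r"^%s$" % csrfTokenPattern, parameter):`. The six-line pattern-building loop can also collapse to the equivalent `csrfTokenPattern = ".*".join(re.escape(_) for _ in conf.csrfToken.split("*"))`. If this block is not already inside an `if conf.csrfToken:` guard (none is visible in the hunk), `conf.csrfToken.split("*")` raises `AttributeError` whenever no token was configured, which would break every run that does not use the option. `start()` begins and ends outside the hunk.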


@ -249,7 +249,6 @@ class Connect(object):
url = kwargs.get("url", None) or conf.url url = kwargs.get("url", None) or conf.url
get = kwargs.get("get", None) get = kwargs.get("get", None)
print get
post = kwargs.get("post", None) post = kwargs.get("post", None)
method = kwargs.get("method", None) method = kwargs.get("method", None)
cookie = kwargs.get("cookie", None) cookie = kwargs.get("cookie", None)
@ -773,11 +772,6 @@ class Connect(object):
if not multipart: if not multipart:
logger.log(CUSTOM_LOGGING.TRAFFIC_IN, responseMsg) logger.log(CUSTOM_LOGGING.TRAFFIC_IN, responseMsg)
#if "Invalid csrf token." in page:
# print "Invalid CSRF Token!"
#else:
# print "Valid CSRF Token!"
return page, responseHeaders, code return page, responseHeaders, code
@staticmethod @staticmethod