skipping csrf parameter injection try

2025-07-28 09:00:08 +03:00 · 2018-12-09 17:52:18 +01:00 · 2018-12-09 17:52:18 +01:00 · faedc45399
commit faedc45399
parent f745a0b1d0
2 changed files with 12 additions and 6 deletions
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@ -470,7 +470,19 @@ def start():

                    paramType = conf.method if conf.method not in (None, HTTPMETHOD.GET, HTTPMETHOD.POST) else place

+                    csrfTokenPattern = r""
+                    strings = conf.csrfToken.split("*")
+                    for index, string in enumerate(strings):
+                        csrfTokenPattern += re.escape(string)
+                        if index < len(strings) - 1:
+                            csrfTokenPattern += ".*"
+
                    for parameter, value in paramDict.items():
+                        if (re.match(csrfTokenPattern, parameter)):
+                            infoMsg = "skipping csrf parameter '%s'" % parameter
+                            logger.info(infoMsg)
+                            continue
+
                        if not proceed:
                            break

--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@ -249,7 +249,6 @@ class Connect(object):

        url = kwargs.get("url", None) or conf.url
        get = kwargs.get("get", None)
-        print get
        post = kwargs.get("post", None)
        method = kwargs.get("method", None)
        cookie = kwargs.get("cookie", None)
@ -773,11 +772,6 @@ class Connect(object):
        if not multipart:
            logger.log(CUSTOM_LOGGING.TRAFFIC_IN, responseMsg)

-        #if "Invalid csrf token." in page:
-        #    print "Invalid CSRF Token!"
-        #else:
-        #    print "Valid CSRF Token!"
-
        return page, responseHeaders, code

    @staticmethod