I’m wondering how you guys go about this:
Say you want to test a form, but the form carries csrf-tokens, so you can send that form-request only once.
I’d be interested in how you handle that yourself, but if anyone happens to know how tools like sqlmap handle that internally when you define a csrf-token, I’d be all ears.
The best I can come up with today is to send a get request before each post request, but I’m wondering if there are better ways to do it.
Most methods I see seem to rely on manually defining the csrf token: Burp suggests running a macro to capture the csrf-token, but I’m looking for ways to automate that.
Would anyone argue against the fact of turning the post into a get, send that, flip it back to a post and send that? I’m not sure if this will hold up in all scenarios and I’d love to hear your thoughts on this.
Thanks in advance
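
The GET-before-each-POST approach from the question, as an added example that is not part of the original post: it parses the fresh token out of the form's HTML and submits it with the test fields. `FakeApp`, the field name `csrf_token` and the helper names are assumptions; `FakeApp` is a constructed in-memory stand-in for a form with single-use tokens, where a real test would make two HTTP requests sharing one cookie session.

```python
import secrets
from html.parser import HTMLParser


class TokenParser(HTMLParser):
    """Collects the value of the input element named `field`."""
    def __init__(self, field):
        super().__init__()
        self.field, self.token = field, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == self.field:
            self.token = a.get("value")


def extract_token(html, field="csrf_token"):
    p = TokenParser(field)
    p.feed(html)
    if p.token is None:
        raise ValueError(f"no input named {field!r} in response")
    return p.token


class FakeApp:
    """Constructed stand-in for the form under test (hypothetical)."""
    def __init__(self):
        self.valid = set()

    def get(self):
        t = secrets.token_hex(8)          # new token on every page load
        self.valid.add(t)
        return ('<form method="post"><input type="hidden" '
                f'name="csrf_token" value="{t}"><input name="q"></form>')

    def post(self, data):
        t = data.get("csrf_token")
        if t not in self.valid:
            return 403                    # missing, unknown or already used
        self.valid.discard(t)             # token is consumed by the first POST
        return 200


def submit(app, fields, field="csrf_token"):
    """GET the form, lift the fresh token, then POST it with the test fields."""
    token = extract_token(app.get(), field)
    return app.post({**fields, field: token})
```

Raising when the token field is missing makes a changed form or an expired session show up as an error instead of a silent run of 403 responses.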