Quitten / Autorize

Automatic authorization enforcement detection extension for Burp Suite, written in Jython and developed by Barak Tawily, to ease application security testers' work and allow them to perform automatic authorization tests

CSRF TOKEN GENERATOR #33

Open pwnedDesal opened 5 years ago

pwnedDesal commented 5 years ago

Hi, is there a way to generate a CSRF token for every user, or to grab a CSRF token from another request and then use it for the URL endpoint that you want to test for IDOR, since every user has a different CSRF token?

Quitten commented 5 years ago

Currently, this feature is not supported; the implementation should be a URL defined under the configuration tab, with a regex to fetch a value from the response. This URL needs to be fetched before each request, and the value added into a placeholder that will be injected into requests. I don't have enough time to write it now; you or anyone else reading this will be able to develop it :)
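The per-request token fetch and placeholder injection sketched in the comment above, as an added example (not code from Autorize or from anyone in this thread): it assumes a hypothetical `__CSRF_TOKEN__` placeholder in the low-privileged request template and a regex whose first capture group is the token; the token response and the request are constructed samples, and the actual fetch of the configured URL is left to the caller.

```python
import re

# Constructed sample: body returned by the configured token URL when fetched
# as the low-privileged user; the regex captures the token value.
SAMPLE_TOKEN_RESPONSE = (
    '<form method="post">'
    '<input type="hidden" name="_token" value="tok-lowpriv-7f3a9c">'
    '</form>'
)
TOKEN_REGEX = r'name="_token"\s+value="([^"]+)"'

# Hypothetical placeholder the tester writes into the low-privileged request.
PLACEHOLDER = "__CSRF_TOKEN__"

# Constructed sample: raw request template carrying the placeholder in its body.
SAMPLE_REQUEST = (
    "POST /account/update HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Cookie: SESSIONID=lowpriv-session\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "_token=__CSRF_TOKEN__&email=x%40example"
)

def extract_token(body, pattern):
    """Return the regex's first capture group from body, or None when absent."""
    match = re.search(pattern, body)
    if match is None or match.lastindex is None:
        return None
    return match.group(1)

def inject_token(raw_request, token, placeholder=PLACEHOLDER):
    """Substitute the placeholder in headers and body, then recompute
    Content-Length so the server does not truncate or reject the body."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    head = head.replace(placeholder, token)
    body = body.replace(placeholder, token)
    head = re.sub(r"(?im)^Content-Length:\s*\d+",
                  "Content-Length: {}".format(len(body.encode("utf-8"))), head)
    return head + sep + body

def build_low_priv_request(raw_request, token_response, pattern):
    """Fetching the token URL itself is the caller's job (in Burp, via the
    extender HTTP API); this fails closed when no token can be extracted."""
    token = extract_token(token_response, pattern)
    if token is None:
        raise ValueError("CSRF token not found; not sending request without it")
    return inject_token(raw_request, token)
```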

er4z0r commented 2 years ago

I have a somewhat related issue: each user has a per-session CSRF token that is submitted in a POST request. Did I understand the configuration correctly, that you cannot specify BOTH a cookie header AND a POST parameter you wish to send in the low-priv request?

That is: I cannot configure Autorize to set SESSIONID=xxxxx and also replace the _token parameter in the request with that of my low-priv user?