Adapting requests to include Anti-CSRF tokens


#1

Hi,

I was wondering what the best approach (using mitmproxy/mitmdump) would be for interacting with a site that uses Anti-CSRF tokens. Basically, I need to do the following:

  1. GET a login page, parse the body looking for a token, and extract its value (using a regex or markers)
  2. Submit the page again along with a username and password, this time with an updated header of the value from (1)
  3. Repeat until login succeeds

I have done this previously using Burp macros + Intruder, however I am keen to use mitmproxy for future testing.

Any advice on how to approach this would be really appreciated.

Anton.


#2

@mhils any advice for the above?


#3

Hi,

Not really - maybe @cortesi has some good suggestions. I would probably hack something together similar to the stickycookie addon - it’s a tricky problem though as it will remain manual to some extent.