Implement anti-CSRF protection bypass

[bdamele]

I think that this can be done taking advantage of the object that handles --forms (forms parsing) switch.

[bdamele]

Sometimes applications implement CSRF protection in a stronger way: the token is renewed upon a refresh and invalidated server-side once used.

sqlmap could handle this case as follows:

1. user provides --form (or a --data with inside some param named like nonce or token).
2. sqlmap recognizes possible CSRF token(s).
3. sqlmap asks user "are these X parameters, tokens?"
4. user says Yes.
5. sqlmap automatically performs a request to the original page.
6. sqlmap extracts from the response body the token value.
7. sqlmap performs the request to the target page (form in case of --forms, same page in case of --data) with the extracted value of token.

[tennessee]

Good day!

sqlmap does not recognize the CSRF token. The parameter name token is not quite standard, I tried to change it to mean 'token' or 'nonce' but that, unfortunately, had no effect! Can I somehow explicitly in sqlmap option to define a token. Thank you!

[stamparm]

Either user explicitly states the anti-CSRF token name (e.g. --csrf-token) or sqlmap automatically recognizes it (and asks user if it's correct in recognition) (e.g. csrf_token or csrf_nonce). If everything goes well, anti-CSRF token would be extracted after the dummy request/response and stored for usage in the following SQLI request.

p.s. case where this all would be problematic is the multi-threaded data retrieval