CSRF Token Help



  • I'm working on a config that needs to send the CSRF via POST. Here's the code for the config....

    REQUEST GET "https://site.com/esn"
      HEADER "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
      HEADER "Pragma: no-cache"
      HEADER "Accept: */*"

    PARSE "<SOURCE>" LR "type='hidden' name='csrfmiddlewaretoken' value='" "' />" -> VAR "TOKEN"

    REQUEST POST "https://site.com/esn/status"
      CONTENT "csrfmiddlewaretoken=<TOKEN>&esn=<USER>"
      CONTENTTYPE "application/x-www-form-urlencoded"
      HEADER "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"
      HEADER "Pragma: no-cache"
      HEADER "Accept: */*"
    

    The config captures the CSRF token and puts it in the POST correctly, but I still keep getting this error:

    Forbidden (403)
    CSRF verification failed. Request aborted.
    
    You are seeing this message because this HTTPS site requires a 'Referer header' to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.
    
    If you have configured your browser to disable 'Referer' headers, please re-enable them, at least for this site, or for HTTPS connections, or for 'same-origin' requests.
    

    Thank you for any help!



  • The answer is in the error; I think you only need to set the correct headers for it to work...



  • @tiolxpe it has all the headers applied. I thought the same, however no custom header fixes the issue 😞 I've tried applying all the headers not applied by default, and still got the same error



  • I figured it out. Weirdly enough, it was a hidden cookie missing.

    Thank you @tiolxpe and anyone else who may have viewed the thread in an attempt to help!


  • Mod

    Hey @TrillyReign
    I'm not available at the moment if you haven't received any help send me a discord message here GrossZouille#5887



  • How to get the token and the page is wrong XD



  • @xomx12 already solved it. It was a missing hidden cookie. Please read before commenting, thank you for helping!
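The 403 quoted in the first post is Django's CSRF middleware: on HTTPS it insists on a Referer from the site's own origin, and the csrfmiddlewaretoken form field is only accepted when it agrees with the csrftoken cookie, which is the "hidden cookie" found later in the thread. The simplified verifier below is an added example for readers who run such a site, not the site's or Django's code; SITE_HOST, the request shape and the token values are constructed assumptions, and Django's real token masking is left out.

```python
"""Simplified Django-style CSRF check, run over constructed sample requests.

Rules modelled (the ones behind the 403 text in the thread):
  1. On HTTPS a Referer header is required and must be the site's own origin.
  2. The csrftoken cookie must be present.
  3. The csrfmiddlewaretoken form field must equal the cookie value.
Django additionally masks the form token; that step is omitted here.
"""
import hmac
from dataclasses import dataclass
from urllib.parse import urlsplit

SITE_HOST = "site.com"  # assumption: the origin that serves the form


@dataclass
class Request:
    headers: dict
    cookies: dict
    form: dict
    secure: bool = True  # request arrived over HTTPS


def check_csrf(req: Request) -> str:
    """Return 'ok' or the reason the POST would be rejected."""
    if req.secure:
        referer = req.headers.get("Referer")
        if not referer:
            return "Referer header missing"
        parts = urlsplit(referer)
        if parts.scheme != "https" or parts.hostname != SITE_HOST:
            return "Referer origin mismatch"
    cookie_token = req.cookies.get("csrftoken")
    if not cookie_token:
        return "csrftoken cookie missing"
    form_token = req.form.get("csrfmiddlewaretoken", "")
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(form_token, cookie_token):
        return "token mismatch"
    return "ok"


def thread_request(**overrides) -> Request:
    """Constructed sample shaped like the thread's POST: token in the body only."""
    req = Request(
        headers={"User-Agent": "Mozilla/5.0", "Accept": "*/*"},
        cookies={},
        form={"csrfmiddlewaretoken": "abc123", "esn": "example"},
    )
    for name, value in overrides.items():
        setattr(req, name, value)
    return req
```

Running `check_csrf(thread_request())` reproduces the first rejection from the thread; supplying the Referer alone moves the failure to the missing cookie, and only Referer plus a matching cookie passes.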

