Active checks handle AntiCSRF tokens
Purpose
It is best practice to include some kind of AntiCSRF token with a form submit. These tokens are generated every time the form is viewed, and the token is checked server side on submit to ensure that it is valid and has been used only once.
AntiCSRF tokens will break active checks because the active check replays a recorded request, so it submits a stale AntiCSRF token that the server-side check rejects.
Proposal
Prior to submitting a form as part of an active check attack, determine whether or not the HTTP request is submitting an AntiCSRF token. This could be based on known token names:
anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken,
authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret,
__csrf_magic, CSRF, _token, _csrf_token
Or it could be based on the randomness of any of the form query values.
If an AntiCSRF token is found, the page that renders the form should be loaded first (or, potentially, the entire path leading to it) before the active check runs. The fresh AntiCSRF token should be extracted from that response and used in the attack request (alternatively, the new HTTP request containing the fresh token could be used as the basis for a new attack request).
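The detect-then-refresh flow described above, as a Python example added here (it is not code from this tracker or from the scanner the proposal targets). Detection uses the known-name list from the proposal and, as the fallback, a randomness heuristic; the thresholds (16 characters, 3.5 bits per character, token-like character set) and the injected `fetch_form_page` callable are assumptions of this example. The form-server stand-in is constructed so the code runs offline; in a scanner the callable would wrap its own HTTP client.

```python
import math
import re
from html.parser import HTMLParser
from typing import Callable, Dict, Optional, Tuple

# Known token names from the proposal; matched case-insensitively.
KNOWN_CSRF_NAMES = {n.lower() for n in (
    "anticsrf", "CSRFToken", "__RequestVerificationToken", "csrfmiddlewaretoken",
    "authenticity_token", "OWASP_CSRFTOKEN", "anoncsrf", "csrf_token", "_csrf",
    "_csrfSecret", "__csrf_magic", "CSRF", "_token", "_csrf_token",
)}

# Assumed shape of an opaque token: characters common in hex/base64/urlsafe values.
_TOKEN_CHARS = re.compile(r"^[A-Za-z0-9_\-+/=]+$")


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for the empty string)."""
    if not value:
        return 0.0
    n = len(value)
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(value: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """The proposal's 'randomness of form values' fallback; thresholds are assumptions."""
    return (len(value) >= min_len
            and bool(_TOKEN_CHARS.match(value))
            and shannon_entropy(value) >= min_entropy)


def find_csrf_param(params: Dict[str, str]) -> Optional[str]:
    """Name of the parameter that looks like an anti-CSRF token, or None.
    A known name wins outright; otherwise fall back to the randomness heuristic."""
    for name in params:
        if name.lower() in KNOWN_CSRF_NAMES:
            return name
    for name, value in params.items():
        if looks_random(value):
            return name
    return None


class _HiddenInputs(HTMLParser):
    """Collects name -> value for every <input type="hidden"> in a page."""
    def __init__(self) -> None:
        super().__init__()
        self.fields: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = {k: (v or "") for k, v in attrs}  # attrs is a list of (name, value|None)
        if a.get("type", "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def extract_hidden_fields(html: str) -> Dict[str, str]:
    parser = _HiddenInputs()
    parser.feed(html)
    return parser.fields


def refresh_csrf_token(params: Dict[str, str], fetch_form_page: Callable[[str], str],
                       form_url: str) -> Tuple[Dict[str, str], Optional[str]]:
    """If `params` carries an anti-CSRF token, reload the page that renders the form,
    pull the fresh token out of it and substitute it. The recorded params are left
    untouched; returns (new_params, token_name_or_None)."""
    token_name = find_csrf_param(params)
    if token_name is None:
        return dict(params), None
    fresh = extract_hidden_fields(fetch_form_page(form_url)).get(token_name)
    if fresh is None:
        # The form page no longer exposes the token under that name: never fire the
        # check with the stale value; let the caller re-crawl the path or skip.
        raise LookupError(f"no fresh value for {token_name!r} at {form_url}")
    new_params = dict(params)
    new_params[token_name] = fresh
    return new_params, token_name


def make_constructed_form_server() -> Callable[[str], str]:
    """Constructed stand-in for the target site: every fetch of the form page issues
    a new token value, mimicking a server that generates one token per page view."""
    counter = {"n": 0}

    def fetch(url: str) -> str:
        counter["n"] += 1
        return (f'<html><body><form method="post" action="{url}">'
                f'<input type="hidden" name="csrfmiddlewaretoken" value="tok-{counter["n"]}">'
                f'<input type="hidden" name="tkn" value="rnd-{counter["n"]}">'
                '<input type="text" name="comment"><input type="submit"></form></body></html>')
    return fetch


if __name__ == "__main__":
    fetch = make_constructed_form_server()
    recorded = {"username": "alice", "csrfmiddlewaretoken": "stale-0", "comment": "probe"}
    fresh_params, name = refresh_csrf_token(recorded, fetch, "/comment")
    print(name, fresh_params["csrfmiddlewaretoken"])  # csrfmiddlewaretoken tok-1
```

Because the refresh is a separate request per check, a scanner that runs thousands of checks against one form will double its request count; the path-replay variant mentioned above costs more still, so it is worth gating on the known-name match first and only falling back to the entropy heuristic when nothing matches.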