Moodle Penetration Testing
From MoodleDocs
This is information for people who want to performing a penetration test of their Moodle instance as well as information for pen testers.
sesskey param is a CSRF token
Many pentests highlight the use of the ?sesskey=xxx http param as an issue because it leaks to session id. The moodle session is stored in a cookie, and the sesskey is actually instead a somewhat poorly named CSRF token param.
https://docs.moodle.org/dev/Security:Cross-site_request_forgery#Session_key