Moodle Penetration Testing

From MoodleDocs
Revision as of 13:48, 18 April 2020 by Brendan Heywood

This is information for people who want to perform a penetration test of their Moodle instance, as well as information for pen testers.


sesskey param is a CSRF token

Many pentests flag the use of the ?sesskey=xxx HTTP parameter as an issue because it appears to leak the session id. It does not: the Moodle session is identified by a cookie, and sesskey is a somewhat poorly named CSRF token that is sent as a parameter.

https://docs.moodle.org/dev/Security:Cross-site_request_forgery#Session_key
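The distinction above is easiest to see in a small model of the two values side by side. The following is an added example, not Moodle's own code (Moodle's real checks are sesskey() and require_sesskey(), described in the linked page): it models a session identified only by a cookie, a separate per-session CSRF token that plays the role of sesskey, and a state-changing endpoint that requires both. The session store, user name and response strings are all constructed for the example.

```python
"""Constructed model of the Moodle sesskey/cookie split (example only, not Moodle code)."""
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumption: in-memory session store keyed by the cookie value.
SESSIONS: Dict[str, Dict[str, str]] = {}


def start_session(user: str) -> Tuple[str, str]:
    """Create a session. Returns (cookie value, sesskey).

    The cookie value is what authenticates the browser. The sesskey is an
    independent random per-session value, as Moodle's sesskey is: it is
    derived from nothing secret and cannot be turned into the cookie.
    """
    session_id = secrets.token_urlsafe(32)
    sesskey = secrets.token_urlsafe(10)
    SESSIONS[session_id] = {"user": user, "sesskey": sesskey}
    return session_id, sesskey


def handle_request(cookie: Optional[str], params: Dict[str, str]) -> str:
    """Model a state-changing URL such as ?action=delete&id=3&sesskey=xxx.

    Authentication comes only from the cookie. The sesskey parameter only
    proves the request was built from a page the server rendered for this
    session, which is what blocks a cross-site forged request.
    """
    session = SESSIONS.get(cookie or "")
    if session is None:
        return "401 not logged in"
    supplied = params.get("sesskey", "")
    # Constant-time compare; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(supplied.encode(), session["sesskey"].encode()):
        return "403 invalid sesskey"
    return "200 action performed for " + session["user"]


def demo() -> Dict[str, str]:
    """Run the four cases a pentester should distinguish and return the outcomes."""
    cookie, sesskey = start_session("alice")
    return {
        # Normal request: the browser sends the cookie and the page-supplied sesskey.
        "legit": handle_request(cookie, {"sesskey": sesskey}),
        # CSRF attempt: the victim's browser attaches the cookie, but a third-party
        # page cannot know the sesskey, so the parameter is missing.
        "csrf_no_key": handle_request(cookie, {}),
        # Someone who saw the sesskey in a URL or log but holds no session cookie:
        # the "leaked" value authenticates nothing on its own.
        "leaked_key_only": handle_request(None, {"sesskey": sesskey}),
        # Cookie present but a sesskey from a different session.
        "wrong_key": handle_request(cookie, {"sesskey": "not-this-session"}),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16s} -> {outcome}")
```

The finding a report should make, if any, is therefore about where the sesskey travels (referrer headers, proxy logs, browser history) and whether it is rotated on login, not that it is a session identifier.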