Moodle Penetration Testing
This page contains information for people who want to perform a penetration test of their own Moodle instance, as well as information for pen testers.
sesskey param is a CSRF token
Many pentests flag the use of the ?sesskey=xxx HTTP parameter as an issue on the assumption that it leaks the session id. The Moodle session id is stored in a cookie; the sesskey is actually a somewhat poorly named CSRF token parameter.
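As an added illustration (not code from Moodle Docs or Moodle core), the following plugin-style page shows how a state-changing action ties the sesskey parameter to the server-side session rather than treating it as a credential; the plugin path, table name and language strings are assumptions.

```php
<?php
// Added example, not part of Moodle core. Assumed location: local/example/delete.php
require_once(__DIR__ . '/../../config.php');

// Authentication comes from the MoodleSession cookie, never from sesskey.
// A request that carries a sesskey but no session cookie stops here.
require_login();
$context = context_system::instance();
require_capability('moodle/site:config', $context);

$id = required_param('id', PARAM_INT);
$confirm = optional_param('confirm', 0, PARAM_BOOL);

$PAGE->set_url(new moodle_url('/local/example/delete.php', ['id' => $id]));
$PAGE->set_context($context);

if ($confirm) {
    // Compare the submitted sesskey against the token stored in this user's
    // session. A cross-site request can carry the victim's cookie but cannot
    // read the token, so it fails here; a leaked token alone is useless
    // without the session it belongs to.
    require_sesskey();
    $DB->delete_records('local_example', ['id' => $id]);  // assumed table
    redirect(new moodle_url('/local/example/index.php'),
             get_string('deleted', 'local_example'));       // assumed string
}

echo $OUTPUT->header();
// The confirm button embeds sesskey() so the follow-up request is recognised
// as originating from this site. $OUTPUT->confirm() renders it as a POST form,
// keeping the token out of the query string and server logs.
$yesurl = new moodle_url('/local/example/delete.php',
                         ['id' => $id, 'confirm' => 1, 'sesskey' => sesskey()]);
$nourl = new moodle_url('/local/example/index.php');
echo $OUTPUT->confirm(get_string('confirmdelete', 'local_example'), $yesurl, $nourl);
echo $OUTPUT->footer();
```

When reviewing a finding about sesskey exposure, the useful check is whether the value is ever accepted without a matching session cookie; with require_sesskey() in place it is not.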