Moodle Penetration Testing: Difference between revisions
From MoodleDocs
Revision as of 13:48, 18 April 2020
This is information for people who want to perform a penetration test of their Moodle instance, as well as information for pen testers.
sesskey param is a CSRF token
Many pentests flag the use of the ?sesskey=xxx HTTP parameter as an issue because it appears to leak the session id. The Moodle session is actually stored in a cookie; the sesskey is a somewhat poorly named CSRF token parameter.
https://docs.moodle.org/dev/Security:Cross-site_request_forgery#Session_key
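The following is an added illustrative model of the two checks described above, not Moodle's own code: authentication comes from the session cookie, and the sesskey parameter is only a CSRF token bound to that session (in Moodle itself this is what require_sesskey() / confirm_sesskey() enforce). The cookie name MoodleSession mirrors a default install; the store, handler and token lengths are assumptions made for the example.

```python
import hmac
import secrets


class SessionStore:
    """Server-side session table: session id -> {user, sesskey} (example model)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        # The session id is the real authentication secret and travels only in the cookie.
        session_id = secrets.token_urlsafe(32)
        # The sesskey is a separate per-session CSRF token; it may appear in URLs.
        self._sessions[session_id] = {"user": user, "sesskey": secrets.token_urlsafe(16)}
        return session_id

    def lookup(self, session_id):
        return self._sessions.get(session_id)


def handle_state_changing_request(store, cookies, params):
    """Return (status, message) for a request carrying cookies and query/form params."""
    # Step 1: authenticate from the cookie. A sesskey on its own proves nothing here.
    session = store.lookup(cookies.get("MoodleSession", ""))
    if session is None:
        return 401, "not logged in"
    # Step 2: CSRF check. The supplied sesskey must equal the token bound to *this* session.
    # Constant-time comparison avoids leaking the token through timing.
    supplied = params.get("sesskey", "")
    if not hmac.compare_digest(supplied, session["sesskey"]):
        return 403, "invalid sesskey"
    return 200, f"action performed for {session['user']}"


def demo():
    """Exercise the three cases a pentester usually asks about; returns status codes."""
    store = SessionStore()
    sid = store.login("alice")
    sesskey = store.lookup(sid)["sesskey"]
    return {
        # Browser with cookie + page-embedded sesskey: the normal case.
        "legitimate": handle_state_changing_request(
            store, {"MoodleSession": sid}, {"sesskey": sesskey})[0],
        # Cross-site request: the browser sends the cookie, but a third-party page
        # cannot read the sesskey, so the request is refused.
        "cross_site_without_sesskey": handle_state_changing_request(
            store, {"MoodleSession": sid}, {})[0],
        # A sesskey seen in a URL, log or referrer without the cookie: no session at all.
        "leaked_sesskey_without_cookie": handle_state_changing_request(
            store, {}, {"sesskey": sesskey})[0],
        # Correct cookie but a sesskey copied from a different session is also refused.
        "cookie_with_foreign_sesskey": handle_state_changing_request(
            store, {"MoodleSession": sid}, {"sesskey": secrets.token_urlsafe(16)})[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The "leaked_sesskey_without_cookie" case is the one that matters when triaging the finding: a sesskey observed in a URL yields 401, not a logged-in session, because the authenticating secret never leaves the cookie.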