I am working in a software company. I am testing a web application for security issues.
The web application has the following characteristics:
4. Anti-CSRF token checking is implemented in GET/POST requests to prevent CSRF. These anti-CSRF tokens are included in parameters of GET/POST requests.
I am looking for a web security scanner. The scanner should handle the following:
1. The scanner supports <FORM> and non-<FORM> authentication for scanning web pages requiring user authentication.
2. The scanner can scan the whole web application in a few steps (specifying the URL of the login page of the web application, user authentication information, the URL of the user logout link for exclusion).
5. The scanner can scan each GET/POST request to find missing anti-CSRF tokens.
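
The check described in item 5, sketched as an added example that is not part of the original post and is not taken from any particular scanner: it walks a list of captured GET/POST requests and reports those whose parameters lack the anti-CSRF token. The parameter name `csrf_token`, the excluded paths, and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

TOKEN_PARAM = "csrf_token"               # assumed token parameter name
EXCLUDED_PATHS = {"/login", "/logout"}   # assumed pages exempt from the check


def request_params(method, url, body=""):
    """Merge query-string parameters with urlencoded body parameters (POST only)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if method.upper() == "POST":
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return params


def find_missing_tokens(requests):
    """Return (method, path, reason) for each request without a usable token."""
    findings = []
    for method, url, body in requests:
        path = urlsplit(url).path
        if method.upper() not in ("GET", "POST") or path in EXCLUDED_PATHS:
            continue
        values = request_params(method, url, body).get(TOKEN_PARAM)
        if values is None:
            findings.append((method, path, "token parameter absent"))
        elif any(v == "" for v in values):
            findings.append((method, path, "token parameter empty"))
    return findings


# Constructed sample traffic: (method, URL, urlencoded body)
SAMPLE_REQUESTS = [
    ("GET", "https://app.example/login", ""),
    ("GET", "https://app.example/account?id=7&csrf_token=ab12cd34", ""),
    ("GET", "https://app.example/account/delete?id=7", ""),
    ("POST", "https://app.example/profile", "name=alice&csrf_token=ab12cd34"),
    ("POST", "https://app.example/transfer", "to=bob&amount=10"),
    ("POST", "https://app.example/email", "email=a%40example.com&csrf_token="),
]

if __name__ == "__main__":
    for method, path, reason in find_missing_tokens(SAMPLE_REQUESTS):
        print(method, path, reason)
```

A token being present in a request does not show that the server validates it; this only covers the "missing token" half of the check.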