Two-Stage CSRF Token Bypass Generator (GET-based) 

This generator is mainly dedicated to WebGoat lessons. But who knows you can apply it in real-world applications?

First URL to be loaded: 

Anti-CSRF token input name in First URL (e.g. <input name='CSRFToken' .....>): 

Second URL to be loaded with Anti-CSRF token: 

Hidden Frames:



Suggest/Request new test pages to pentest @ yehg dot net.