
What is the .NET __RequestVerificationToken based on?

Çağlar Arlı      -    27 Views


I am doing some security research on an application and I am wondering what it is based on.

It appears to change with each request (so it is not bound to a user session). Is it just a random value that should exist within the system, or is it even tied to a user?

Or is it based on the GUI/input elements rendered in the page, and thus invalid when supplied with requests that relate to other functionality (for example, the call expects some input params that should match a hash of the params + random value, and/or some step in a sequence of requests is consolidated in its value)? Trying to use a __RequestVerificationToken value of a regular user on a call that stems from another form, or even using it for calls that are for privileged users only, should not work then.

My purpose is to detect broken access control (for privileged functionality) and for that a valid anti-CSRF token should be given.
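As an added illustration (not from the question or any answer, and not the framework's own code), here is a simplified Python model of the scheme ASP.NET's anti-forgery system is built on: a random security token in a cookie, and a form token that binds that same token to the authenticated user under server-held key material, so the form token changes on every render without being tied to any particular form. It uses an HMAC where ASP.NET encrypts the token with its data-protection keys; the key, user names and cookie values are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed server-side secret for this demo; a real deployment keeps it in
# its key store (ASP.NET uses its data-protection keys for this role).
SERVER_KEY = os.urandom(32)

def issue_cookie_token() -> str:
    """Random security token, set once per browser in the anti-forgery cookie."""
    return os.urandom(16).hex()

def issue_form_token(cookie_token: str, username: str, extra: str = "") -> str:
    """Form token: the cookie's security token bound to the authenticated user
    (plus optional extra data) under a MAC. A fresh salt makes every rendered
    copy look different although it binds the same cookie and user."""
    salt = os.urandom(8).hex()
    msg = f"{salt}|{cookie_token}|{username}|{extra}".encode()
    return salt + "." + hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def validate(cookie_token: str, form_token: str, username: str, extra: str = "") -> bool:
    """Server-side check: recompute the MAC from the submitted cookie, the
    currently authenticated user and the extra data; any mismatch fails."""
    salt, sep, tag = form_token.partition(".")
    if not sep:
        return False
    msg = f"{salt}|{cookie_token}|{username}|{extra}".encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag.encode(), expected.encode())

def demo() -> dict:
    """Scenarios a tester would probe; records which ones the check accepts."""
    alice_cookie, bob_cookie = issue_cookie_token(), issue_cookie_token()
    t1 = issue_form_token(alice_cookie, "alice")
    t2 = issue_form_token(alice_cookie, "alice")
    return {
        "looks_different_each_render": t1 != t2,
        # Not bound to a form: Alice's token from one page validates on any action.
        "same_user_other_action": validate(alice_cookie, t1, "alice"),
        "other_users_cookie": validate(bob_cookie, t1, "bob"),
        "same_cookie_other_identity": validate(alice_cookie, t1, "admin"),
        "cookie_missing": validate("", t1, "alice"),
    }
```

A token that validates proves only that the request came from the browser holding the matching cookie, acting as that user; whether that user is allowed to call a privileged action is a separate authorization decision that the anti-forgery check never makes.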