Support Center

Burp Community

See what our users are saying about Burp Suite:

How do I?

New Post View All

Feature Requests

New Post View All

Burp Extensions

New Post View All

Bug Reports

New Post View All

Burp Suite Documentation

Take a look at our Documentation section for full details about every Burp Suite tool, function and configuration option.

Full Documentation Contents Burp Projects
Suite Functions Burp Tools
Options Using Burp Suite

Burp Extender

Burp Extender lets you extend the functionality of Burp Suite in numerous ways.

Extensions can be written in Java, Python or Ruby.

API documentation Writing your first Burp Suite extension
Sample extensions View community discussions about Extensibility

Using Burp's Session Handling Rules with anti-CSRF Tokens

Anti-CSRF tokens are randomly generated "challenge" tokens that are associated with the user’s current session. They are inserted within HTML forms and links associated with sensitive server-side operations. When users perform the sensitive operation (e.g. a banking transfer) the anti-CSRF token should be included in the request. The server should then verify the existence and authenticity of this token before processing the request. If the token is missing or incorrect, the request is rejected.

Using Burp Suite against a target application that has developed a strong defence against CSRF attacks can be cause issues, due to the fact that the application should not allow a request to be repeated without updating the anti-CSRF token.

In this article we demonstrate how to use Burp's session handling rules and a macro to automatically retrieve a response, extract the anti-CSRF token, and insert the token within the appropriate request.

This tutorial uses the login function from the "DVWA".


Identifying the Token

The first step is to identify the anti-CSRF token.

In this example, when we submit our credentials to the application during the login process, the request includes a user_token. This token is the anti-CSRF token.

If the value of this token does not match the value expected by the web server then this request will be deemed invalid.


The token is sent to the browser in the previous server response.

In this example as a hidden fieldset in a web form.




Creating a Macro

A macro is a predefined sequence of one or more requests. You can use macros within session handling rules to perform various tasks.

We can use a macro to fetch the token.

Go to Project options > Sessions > Add to record a new macro.


The Burp Macro Recorder and Macro Editor windows will pop up.

In our example we want the macro to fetch the token from the response of the initial GET request.

We select the appropriate item from the proxy history and click "OK".



In the Macro Editor we can change the description, configure, re-record, re-analyze or test the macro.


Configuring The Session Handling Rule

Burp lets you define a list of session handling rules, giving you very fine-grained control over how Burp deals with an application's session handling mechanism and related functionality.

Go to Project options > Sessions > Session Handling Rules > Add to create a new rule.




Add an appropriate rule description.

Then click the ‘Add’ button, under the ‘Rule Actions’ section.

Click the ‘Run a macro’ in the drop down menu.


In the Session handling action editor pop-up window, select the macro you want to run.


Click the ‘Scope’ tab.

Select the tools you want the rule to be applied to.


Testing The Rule

We can use Burp Intruder to test our configuration.

Intruder allows us to evaluate each request to determine if the POST parameter that possesses the anti-CSRF token is being updated.

The anti-CSRF token parameter should be updated within each request.