Burp Suite User Forum


Best manage CSRF in Alfresco

Simon | Last updated: Dec 02, 2016 05:53PM UTC

Scanning Alfresco, and I wanted to do automated scans of the "create-site" function (for example). A GET of the "create-site" URL (or any URL) seems to refresh the CSRF token sometimes (Alfresco-CSRFToken), I think on the first GET after one or more POSTs. The POST to "create-site" has both the HTTP header "Alfresco-CSRFToken: HEX" and the cookie "Alfresco-CSRFToken=HEX;". There seem to be various ways to make Intruder do what I want, so I tried adding a specific Project Option session handling rule; this fetches the page and records a new CSRF token in the Cookie Jar, but doesn't seem to update the requests as expected, and I'm not clear how to apply this rule to the header. I see CSurfer, but I'm not sure how it should handle two replacements in the regex?! I see lots of grep functionality in Intruder, but again it isn't clear to me how to use it immediately. I see the PortSwigger guys have been over Alfresco; which of the approaches did you use and why?!

PortSwigger Agent | Last updated: Dec 05, 2016 02:52PM UTC

Burp's native macros and session handling aren't currently able to handle session tokens that are submitted in HTTP headers, only those in conventional parameter locations. You could possibly create an extension to do the processing that you need, and then create a session handling rule that invokes your extension after running the relevant macro to fetch a token.
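The extension route the reply describes, written out as an added example (this is not PortSwigger's or Alfresco's code). It assumes the legacy Burp Extender API (`burp` package: `IBurpExtender`, `ISessionHandlingAction`, `IExtensionHelpers`), the `Alfresco-CSRFToken` cookie and header names from the question above, and a session handling rule whose first action runs a macro that GETs a page so Alfresco issues a fresh token. The action takes the token from the macro's `Set-Cookie`, falls back to Burp's cookie jar (an assumption about how the rule is configured), and rewrites both the `Alfresco-CSRFToken` header and the cookie of the same name in the outgoing request so the two always match:

```java
package burp;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example, not the project's own code: a session handling action that
// copies the Alfresco-CSRFToken value obtained by a macro into both the
// Cookie header and the Alfresco-CSRFToken request header.
public class BurpExtender implements IBurpExtender, ISessionHandlingAction {
    private static final String TOKEN_NAME = "Alfresco-CSRFToken";
    private IBurpExtenderCallbacks callbacks;
    private IExtensionHelpers helpers;

    @Override
    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
        this.callbacks = callbacks;
        this.helpers = callbacks.getHelpers();
        callbacks.setExtensionName("Alfresco CSRF header sync");
        callbacks.registerSessionHandlingAction(this);
    }

    @Override
    public String getActionName() {
        return "Copy Alfresco-CSRFToken cookie into header";
    }

    @Override
    public void performAction(IHttpRequestResponse currentRequest, IHttpRequestResponse[] macroItems) {
        String token = tokenFromMacro(macroItems);
        if (token == null) {
            token = tokenFromCookieJar(); // assumption: jar was updated by an earlier rule action
        }
        if (token == null) {
            callbacks.printError("No " + TOKEN_NAME + " available; request left unchanged");
            return;
        }
        IRequestInfo info = helpers.analyzeRequest(currentRequest);
        List<String> headers = rewriteHeaders(info.getHeaders(), token);
        byte[] request = currentRequest.getRequest();
        byte[] body = Arrays.copyOfRange(request, info.getBodyOffset(), request.length);
        currentRequest.setRequest(helpers.buildHttpMessage(headers, body));
    }

    // Walk the macro responses from last to first so the newest Set-Cookie wins.
    private String tokenFromMacro(IHttpRequestResponse[] macroItems) {
        if (macroItems == null) return null;
        for (int i = macroItems.length - 1; i >= 0; i--) {
            byte[] response = macroItems[i].getResponse();
            if (response == null) continue;
            for (ICookie c : helpers.analyzeResponse(response).getCookies()) {
                if (TOKEN_NAME.equals(c.getName())) return c.getValue();
            }
        }
        return null;
    }

    private String tokenFromCookieJar() {
        for (ICookie c : callbacks.getCookieJarContents()) {
            if (TOKEN_NAME.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    // Replace (or add) the Alfresco-CSRFToken header and update the cookie of the
    // same name inside the Cookie header; the request line (first entry) is kept.
    static List<String> rewriteHeaders(List<String> original, String token) {
        List<String> out = new ArrayList<String>();
        boolean headerSeen = false;
        for (String h : original) {
            String lower = h.toLowerCase();
            if (lower.startsWith(TOKEN_NAME.toLowerCase() + ":")) {
                out.add(TOKEN_NAME + ": " + token);
                headerSeen = true;
            } else if (lower.startsWith("cookie:")) {
                if (h.contains(TOKEN_NAME + "=")) {
                    out.add(h.replaceAll(TOKEN_NAME + "=[^;]*", TOKEN_NAME + "=" + token));
                } else {
                    out.add(h + "; " + TOKEN_NAME + "=" + token);
                }
            } else {
                out.add(h);
            }
        }
        if (!headerSeen) out.add(TOKEN_NAME + ": " + token);
        return out;
    }
}
```

Load it as a Java extension, then in the session handling rule add two actions in order: "Run a macro" (a GET of, for instance, the create-site page) followed by "Invoke a Burp extension" pointing at this action, and restrict the rule's scope to the Intruder tool and the Alfresco host. Because the token is only refreshed on some GETs, the macro runs on every request; if the macro response carries no new cookie the action falls back to the jar rather than sending a blank header.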
