Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

CSRF test using CSRF PoC Generator

Garry | Last updated: Feb 22, 2017 05:11AM UTC

Hi, Received "{"message": "Unsupported Media Type"} message is displayed on the browser. I am testing CSRF PoC Generator from Burp Its a JSON message . This browser message is not conclusive w.r.t anti CSRF test Appreciate quick response on this

Liam, PortSwigger Agent | Last updated: Feb 22, 2017 09:20AM UTC

Hi Garry Thanks for your message. Could you explain what the problem you are experiencing with the CSRF PoC generator? Did you expect expect to get a different message from the server?

Burp User | Last updated: Feb 24, 2017 03:31PM UTC

Yes, I am not sure if my test was successful. My guess is attack is not reaching the server instead its been blocked by some load balancer which is set between client and server ideally, what should be error message? Appreciate help on this!

Liam, PortSwigger Agent | Last updated: Feb 24, 2017 03:33PM UTC

Ideally, there shouldn't be an error message. The key with this attack is whether or not the PoC is able to change the state of the application. E.g. altering a user's account details. Have you checked out our Methodology Article for using Burp to test for CSRF? - https://support.portswigger.net/customer/portal/articles/1965674-using-burp-to-test-for-cross-site-request-forgery-csrf-

Burp User | Last updated: Feb 27, 2017 12:28PM UTC

Hi Liam, I did follow the steps mentioned in the link: https://support.portswigger.net/customer/portal/articles/1965674-using-burp-to-test-for-cross-site-request-forgery-csrf My target server is hosted on AWS cloud and there is an elastic load balancer eg. CLOUDFRONT that is acting between my client and server. My doubt is whether my attack is reaching the server or not? I feel load balance is stopping the request and throwing error on the browser and attack is not reaching the server. So, I am not able to conclude. Do I need to request the client to allow access to their server directly WITHOUT the load balancer to test? Hope the question is clear

Liam, PortSwigger Agent | Last updated: Feb 27, 2017 01:27PM UTC

Hi Garry If you're unable to successfully perform a CSRF attack, is it not the case that the application isn't vulnerable. Whether or not you contact your client and ask them to alter their network configuration for additional testing would be dependant on your knowledge of the clients security posture and the application.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.