Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Burp Suite Anti-CSRF POST

Rey | Last updated: Oct 22, 2018 05:22AM UTC

I am trying to run intruder on an app that employs anti-CSRF tokens within forms. Each form has a unique token that must be submitted with a POST request otherwise the session is invalidated. The process is as follows: 1. A GET request is made for a form. 2. The server responds with a token in the body: <meta name="csrf-token" content="bSw4lWeAV" /> 3. A POST request is made to the form, including the token in the body with a different parameter name: authenticity_token=bSw4lWeAV 4. The app performs the request. As sending a response to intruder includes a static authenticity_token value, the tokens are not updating and thus invalidating the request and session. Can I get a pointer to a detailed or step-by-step instructions on how to do this? There are a few different ways (recursive grep, macros, extender) but have not been able to get these to work from the documentation on line, including the portswigger site. Thanks in advance.

PortSwigger Agent | Last updated: Oct 22, 2018 02:29PM UTC

You can do this using macros and session handling rules. As a general introduction to this, please consult this tutorial: - https://support.portswigger.net/customer/portal/articles/2906338-using-burp-s-session-handling-rules-with-anti-csrf-tokens The difficulty in your situation is that the token comes in a meta tag. To cope with this: 1) Go through the form in your browser, so the GET request is in your proxy history. 2) Create a macro with the GET request. Click configure item and add a custom parameter location. 3) Set the location to extract the CSRF token value and set the parameter name to "authenticity_token" 4) Create a session handling rule that runs this macro when the POST request is encountered I suggest you test this using Repeater and the session tracer. When that's working, you should be able to scan the form successfully. You may want to use the Logger++ extension to monitor what Scanner is doing.

Burp User | Last updated: Jun 08, 2019 07:19AM UTC

I have kind of similar problem. I am getting this in response body. Reqest1->token 1: <input type="hidden" name="8c8c" id="8c8c" value="ansnnasnansfjbfqwbashfha"/> Request2->token 2: <input type="hidden" name="ile5" id="ile5" value="ewiryiqiriqriansfjbfqwbashfdha"/> So in my case the parameter name also changes for each token. While configuring macro for this, i experienced that you can only choose the position for the parameter value, not for the parameter name. Configuring macro window is assuming that I have a specific parameter name. Kindly help with solution for this problem

PortSwigger Agent | Last updated: Jun 10, 2019 09:38AM UTC

You're quite right, Burp macros are not able to handle this scenario. There's two ways you can try to handle this: 1) Use Burp 2 and the crawler. The intention is that the crawler will automatically cope with situations like this. If it doesn't work, we'd be interested to work with you to diagnose why. 2) Code an extension to cope with this specific scenario. It's unlikely that macros are going to be improved in the short term, as the plan is for the crawler to cope with more scenarios automatically.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.