CSRF Tokens using macros in Burp suite (III)

In our last two posts we looked at the problem of getting good DAST results from applications that are protected with CSRF tokens.

Now it is time to get hands-on and solve the problem. We need some way to retrieve a fresh token each time a new request is about to be sent to the server. You don't need the Professional version for this PoC, but you will if you want to run the scan with Burp.

The initial scenario assumes you have proxied the browser through Burp Suite. Make sure Intercept is off. Let's start with the following test:

Figure: Repeating a request previously used for CSRF checking.
  • We are going to send this request to Repeater and then go to the Repeater tab.

  • We need to invalidate the token to see what happens server side. Just delete the last character of the crsf_token value in the body of the request. Then click Go.
Figure: Internal Server Error caused by an invalid CSRF token.
  • As you can see in the previous screenshot, you will get an Internal Server Error.
  • Now we go to Project options > Sessions and add a new Session Handling Rule by clicking Add. We give the rule a name and click Add to create a new rule action, selecting macro in the menu.
Screen Shot 2016-11-07 at 20.41.00.png
Adding a new Session Handling Rule using Burp Suite.
  • In the Select macro part of the window we click Add. At this point we need to highlight the GET request, because it is the one that retrieves the CSRF token, and that token is the parameter we want to update.
Figure: Selecting the request that retrieves the CSRF token.
  • We can add a macro description and then configure the item. We need to tell Burp Suite where it can find the parameter. Once we click Configure item, we highlight the value of the parameter in the response body. In the parameter name field just copy the name of the parameter :).
Figure: Telling Burp Suite where to find the token value in the response.
  • Click OK in the next window. If you want, you can test the macro, even though it is just one request. If you run the test you will see that a new request is sent to the server and we get a new token as part of the response, as expected.
  • Back in the Session handling action editor of our CSRF rule (click OK to get there), we change the radio button to Update only the following parameters, click Edit, and add the name of the parameter we want to update, again "crsf_token".
Figure: Allowing Burp Suite to track the parameter.
  • We are almost ready. Click OK and go to the Scope tab of the Session handling rule editor. We tick Target, Scanner and Repeater and change the URL scope to "Use suite scope", which tells Burp Suite that we will define what is in scope in the Target tab and that we want this rule applied to that specific scope.
Figure: Defining the scope of the rule and setting it to the suite scope.
  • Now we open the Session Tracer, which is at the bottom of the Session Handling Rules section.
Figure: Opening the Session Tracer.
  • Now go to the Target tab, right-click the URL and choose Add to scope. After this we go to the Proxy tab and send to Repeater the search we did earlier (the POST request). If you want, you can reuse the one you already have in the Repeater tab.
Figure: Including the URL in the scope.

Figure: Our request in Repeater, used to check that everything is working.

What is the idea at this point? We want to test our macro properly. We invalidate the token by deleting some characters from it and then send the request, monitoring everything in the Session Tracer. This is the sequence we expect to see after our configuration:

  1. A request containing an invalid token is sent from Repeater.
  2. The CSRF rule triggers because the request is in scope.
  3. As part of the rule, the macro issues its GET request to the server.
  4. When the response comes back, Burp Suite updates the crsf_token parameter with the value found in that response.
  5. Burp Suite issues the new request with the updated value, and in Repeater you will see the 200 OK response from the server.
Figure: Tracking the requests with the Session Tracer. CSRF rule and macro in action.
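The five-step sequence above, modelled in Python as an added example that is not part of the original post or of Burp itself: a constructed in-memory server hands out a token on GET and rejects a POST whose token is stale, and a small "rule" reproduces what the macro does (extract the token from the GET response, update only the crsf_token parameter, resend) for in-scope hosts only. The hostnames, HTML snippet and token format are assumptions for the demo.

```python
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlparse

TOKEN_PARAM = "crsf_token"  # parameter name exactly as used on the page


class FakeTokenServer:
    """Constructed stand-in for the target application: a GET hands out a fresh
    hidden-field token, and a POST is accepted (200) only when it carries the
    last token issued; otherwise it fails (500), like the Internal Server Error
    seen in Repeater."""

    def __init__(self):
        self.current = None

    def get_form(self):
        self.current = secrets.token_hex(8)
        return (f'<form><input type="hidden" name="{TOKEN_PARAM}" '
                f'value="{self.current}"></form>')

    def post(self, body):
        params = dict(parse_qsl(body))
        return 200 if params.get(TOKEN_PARAM) == self.current else 500


def extract_token(html, name=TOKEN_PARAM):
    """Equivalent of the macro's Configure item step: pull the token value out
    of the response body by its parameter name."""
    m = re.search(rf'name="{re.escape(name)}"\s+value="([^"]+)"', html)
    if not m:
        raise ValueError(f"{name} not found in response")
    return m.group(1)


def update_param(body, name, value):
    """'Update only the following parameters': rewrite one field of the
    URL-encoded body and leave every other field untouched."""
    params = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, value if k == name else v) for k, v in params])


def in_scope(url, scope_hosts):
    """Suite scope check: the rule only fires for hosts added to the Target scope."""
    return urlparse(url).hostname in scope_hosts


def send_with_rule(server, url, body, scope_hosts):
    """Session handling rule: if the URL is in scope, run the macro (GET), refresh
    the token in the body and send; otherwise send the request unchanged."""
    if in_scope(url, scope_hosts):
        body = update_param(body, TOKEN_PARAM, extract_token(server.get_form()))
    return server.post(body), body
```

Running `send_with_rule` against the fake server with a stale token returns 200 for an in-scope URL and 500 for an out-of-scope one, which is exactly the difference the Session Tracer shows between a rule that fires and one that does not.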
  • Since we kept Scanner in the scope of our rule, we can run it directly and the rule will be executed automatically. Go to the Target tab, right-click the site URL and you will find the option Active Scan this host (if you have a licensed version; if not, I will tell you how to scan using macros in Burp Suite without the license. Nothing illegal, I promise you, but not in this post).
Figure: XSS detected by the scanner using macros in Burp Suite.

See you in the next (and last) post, with some troubleshooting that may help if you run into problems with this example or in the future. I also want to share my conclusions on the use of this feature as a whole, so do not miss it!

++Security
