- CSRF Tokens using macros in Burp suite I
- CSRF Tokens using macros in Burp suite II
- CSRF Tokens using macros in Burp suite III
- CSRF Tokens using macros in Burp suite IV
In our last two posts we have seen the problem of getting a good DAST on some CSRF-protected applications.
Now it is time to get hands on and solve the problem. We need some way to retrieve a fresh token each time a new request is going to be sent to the server. You don't need the professional version for this PoC, but if you want to perform the scan with Burp you will.
The initial scenario assumes you have proxied the browser through Burp Suite. Ensure intercept is off. Let's start with the following test:
- Open our test web app in the browser: http://sleepy-tor-8086.herokuapp.com/
- Perform a search
- Go to the HTTP history tab in Burp Suite, where you will find your previous POST request
We are going to send this request to Repeater and go to the Repeater tab.
- We need to invalidate the token to see what happens server side. Just delete the last character of the crsf_token value in the body of the request. Then click Go.
- As you can see in the previous screenshot, you get an Internal Server Error.
- Now go to Project options > Sessions and add a new Session Handling Rule by clicking Add. Give the rule a name and add a new rule action, selecting the macro option in the menu.
- In the "Select macro" part of the window click Add. At this point we need to highlight the GET request, because it is the one that retrieves the CSRF token, and that is the parameter we are interested in updating.
- We can add a macro description and then configure the item. We need to tell Burp Suite where it can find the parameter. Once we click Configure item, we highlight the value of the parameter in the response body. In the parameter name field just copy the name of the parameter :).
- Click OK in the next window and, if you want, you can test the macro, even though it is just one request. If you run the test you will see that a new request is sent to the server and we get a new token as part of the response, as expected.
- Coming back to the Session handling action editor of our CSRF rule by clicking OK, change the radio button to "Update only the following parameters", click Edit and add there the name of the parameter we want to update, again "crsf_token".
- We are almost ready. Click OK and go to the Scope tab in the Session handling rule editor. Tick Target, Scanner and Repeater and change the URL scope to "Use suite scope", telling Burp Suite that we will define in the Target tab what is in scope and that we want this rule applied to that specific scope.
- Now open the Session Tracer, which is at the bottom of the Session Handling Rules section.
- Now go to the Target tab, right click on the URL > Add to scope. After this, go to the Proxy tab and send the search we previously did (the POST request) to Repeater. If you want, you can use the one you already have in the Repeater tab.
What is the idea at this point? We want to test our macro properly. We are going to invalidate the token by deleting some characters and then send the request, monitoring everything in the Session handling tracer. This is the sequence we expect after our configuration:
- A request containing an invalid token is sent from Repeater.
- The CSRF rule triggers because the request is in scope.
- As part of the rule, the macro issues the GET request to the server.
- When the response comes back, Burp Suite updates the crsf_token parameter with the one in the response.
- Burp Suite issues the new request with the updated value and you will see in Repeater the 200 OK response from the server.
- As we kept Scanner in the scope of our rule, we can run it directly and the rule will be executed automatically. Go to the Target tab, right click the site URL and you will find the option Active Scan this place (if you have a licensed version; if not, I will tell you how to scan using macros in Burp Suite without the license. Nothing illegal, I promise you, but not in this post).
See you in the next (and last) post, with some troubleshooting that could help if you run into problems with the example or in the future. I also want to offer my conclusions on the use of this feature as a whole, so do not miss it!
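To make the expected sequence concrete, here is a small Python simulation of what the rule does (added example code written for this post, not Burp's own code and not the test site's): a constructed fake app that hands out one-time tokens on GET and answers 500 to a POST with an invalid token, plus the three macro steps, extract the token from the GET response, update only the crsf_token parameter, and resend. The FakeApp class and its token format are assumptions for the simulation.

```python
import re
import secrets
from urllib.parse import parse_qs, urlencode

TOKEN_PARAM = "crsf_token"  # parameter name exactly as used in the post


class FakeApp:
    """Constructed stand-in for the test web app (hypothetical, not the real site):
    GET hands out a one-time token in a hidden field, POST rejects anything it did not issue."""

    def __init__(self):
        self.valid = set()

    def get_form(self):
        tok = secrets.token_hex(8)
        self.valid.add(tok)
        return 200, f'<form><input type="hidden" name="{TOKEN_PARAM}" value="{tok}"></form>'

    def post_search(self, body):
        tok = parse_qs(body).get(TOKEN_PARAM, [""])[0]
        if tok not in self.valid:
            return 500, "Internal Server Error"  # what Repeater showed us with a broken token
        self.valid.discard(tok)  # token is single use, so every request needs a fresh one
        return 200, "OK"


def extract_token(html):
    """The 'Configure item' step: pull the token value out of the GET response body."""
    m = re.search(rf'name="{TOKEN_PARAM}" value="([0-9a-f]+)"', html)
    return m.group(1) if m else None


def update_param(body, name, value):
    """'Update only the following parameters': replace one field, leave the rest untouched."""
    params = parse_qs(body, keep_blank_values=True)
    params[name] = [value]
    return urlencode(params, doseq=True)


def send_with_rule(app, body):
    """The session handling rule: run the macro (GET), update the token, then send the real request."""
    status, html = app.get_form()
    token = extract_token(html)
    if token is None:
        raise RuntimeError(f"macro could not find {TOKEN_PARAM} in the response")
    return app.post_search(update_param(body, TOKEN_PARAM, token))
```

Sending the same stale body twice through send_with_rule succeeds both times, which is exactly why the rule has to run before every scanner request rather than once per session.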