CSRF Tokens using macros in Burp suite (and… IV)

Across the past three posts we have seen what CSRF is, what its impact is, what a sound fix looks like and, most importantly, how to get past anti-CSRF tokens with Burp Suite macros so that every request the scanner sends carries a valid token and the DAST produces accurate results ;).

Nevertheless, this is a toy example. In the real world you will run into problems, so check the following points if this example, or any target you test, does not behave as expected:

  1. Mind the interception: it is easy to forget to switch off intercept in Proxy, which holds every request passing through the proxy, so nothing moves. Check this first.
  2. Ensure the delimiters in the macro are long enough to guarantee that Burp can locate the parameter value to be updated without ambiguity. This is really important: when you highlight the value in the response, Burp sets the delimiters for you, but the ones it picks may be too short and match an earlier occurrence on the page (a generic value=" matches every input, not just the token).
  3. Ensure the tools in the scope of the session handling rule are the right ones. If a tool is missing from the scope, nothing works and you get the 500 error the example application returns for a bad token when you check the macro from Repeater.
  4. Consider the other services running on the same machine as the proxy. If the local proxy port collides with one of them, Burp Suite does not make it obvious; the listener just does not start. Check the listener status in the Proxy options (and the alerts) before blaming the macro.
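Point 2 is the one that bites most often, so here is an added example (not code from the original post) that mimics what a start/end delimiter pair in a Burp custom parameter location does, run over a constructed HTML response in which the anti-CSRF token is not the first value="..." on the page. The field names, the token value and the delimiter strings are assumptions made for the demonstration.

```python
from typing import Optional, Tuple

# Constructed sample response standing in for the page the macro fetches
# (not the original post's application). The anti-CSRF token is deliberately
# NOT the first value="..." on the page.
SAMPLE_RESPONSE = """\
<form method="post" action="/transfer">
  <input type="hidden" name="lang" value="en">
  <input type="hidden" name="csrf_token" value="a1b2c3d4e5f6a7b8">
  <input type="text" name="amount" value="">
</form>
"""


def extract_between(body: str, start_after: str, end_at: str) -> Optional[str]:
    """Pull the text that sits after the first occurrence of start_after and
    before the next occurrence of end_at, the way a start/end delimiter pair
    in a Burp custom parameter location works. Returns None when either
    delimiter cannot be found, so a failed extraction is visible rather than
    silently becoming an empty token."""
    start = body.find(start_after)
    if start == -1:
        return None
    start += len(start_after)
    end = body.find(end_at, start)
    if end == -1:
        return None
    return body[start:end]


def extract_token(body: str, start_after: str, end_at: str) -> Tuple[Optional[str], bool]:
    """Return (value, ambiguous). ambiguous is True when start_after occurs more
    than once in the body: the first hit wins, which may not be the token."""
    ambiguous = body.count(start_after) > 1
    return extract_between(body, start_after, end_at), ambiguous


if __name__ == "__main__":
    short = 'value="'                       # what a quick highlight tends to give you
    precise = 'name="csrf_token" value="'   # anchored on the parameter name
    print(extract_token(SAMPLE_RESPONSE, short, '"'))    # ('en', True)  -> wrong value
    print(extract_token(SAMPLE_RESPONSE, precise, '"'))  # ('a1b2c3d4e5f6a7b8', False)
```

With the short delimiter the macro would happily stuff "en" into the csrf_token parameter and every scanner request would fail token validation; anchoring the start delimiter on the parameter name removes the ambiguity. The same check (does the start delimiter occur more than once in the response?) is worth doing by hand on the real response before trusting the delimiters Burp picked.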

To finish, I want to point out that the example implementation is not the strongest protection against CSRF. If the token were a true nonce, replaying any previous request from Repeater (send it there and click Go) should be rejected, which in this example means a 500 (a 403 would be the cleaner response, but the point is that the request is refused). The same token should never be valid for two requests.
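To make that last point concrete, here is an added example of a server-side single-use token store (my own illustration, not the code of the application used in this series). It issues a token bound to a session, accepts it exactly once and refuses replays, cross-session use and expired tokens; the session identifier strings and the 600 second TTL are assumptions of the example.

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


class SingleUseCsrfTokens:
    """Server-side store of anti-CSRF nonces, one bucket per session.
    A token is accepted exactly once, only for the session it was issued to,
    and only before its TTL expires. The session id and TTL are assumptions
    of this example, not details of the original post's application."""

    def __init__(self, ttl_seconds: int = 600) -> None:
        self._ttl = ttl_seconds
        # session id -> {token: expiry timestamp}
        self._tokens: Dict[str, Dict[str, float]] = {}

    def issue(self, session_id: str, now: Optional[float] = None) -> str:
        """Mint a fresh unpredictable token and bind it to the session."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(session_id, {})[token] = now + self._ttl
        return token

    def consume(self, session_id: str, presented: Optional[str],
                now: Optional[float] = None) -> bool:
        """Validate and burn a token. Returns False for a missing, unknown,
        expired, cross-session or already-used token; the caller should answer
        such a request with 403 and must not process it."""
        now = time.time() if now is None else now
        if not presented:
            return False
        bucket = self._tokens.get(session_id, {})
        # Purge expired tokens first so a stale one can never be accepted.
        for stale in [t for t, exp in bucket.items() if exp <= now]:
            del bucket[stale]
        # Constant-time comparison against every live token, then delete the match.
        wanted = presented.encode("utf-8")
        for token in list(bucket):
            if hmac.compare_digest(token.encode("ascii"), wanted):
                del bucket[token]
                return True
        return False


def simulate_replay() -> Tuple[bool, bool]:
    """The Repeater experiment from the post: submit once, then click Go again."""
    store = SingleUseCsrfTokens()
    token = store.issue("session-A")
    first = store.consume("session-A", token)    # original submission
    second = store.consume("session-A", token)   # replay of the same request
    return first, second


if __name__ == "__main__":
    print(simulate_replay())  # (True, False)
```

Against a store like this the Repeater trick in the post fails on the second click, which is exactly the behaviour a tester should expect from a proper nonce; and it is also why the macro must fetch a fresh token before every scanner request rather than reuse one it captured earlier.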

That is all from my side. I hope you have enjoyed this post series. See you in the next post, where I will explain how I beat the TOP KEK challenge in the Hack the Vote CTF ;).

++Security
