NamHB's Blog
Use marco to Anti-CSRF token in Burpsuite

Use marco to Anti-CSRF token in Burpsuite

Nam Ha Bach's photo
Nam Ha Bach
·

3 min read

When i am reading one paper about Burpsuite trick, this talk about: Burpsuite marco, and we can use it to anti-csrf token.
I tried it with this demo: http://www.businessinfo.co.uk/labs/csrf_defend/form_token_demo_stage2.php
First request to get token in htlm (formtoken), and post request (request 2) use it to check.
Now, we need use marco to automatic get token, add to post data.
Make sure 2 request and response in http proxy, and intercept is off

Go to project options (version > 1.7) or options (<=1.6, i not sure). I used pro version. Chose Session tab. In session handing rules, add new rule:

Type your rule name, like Anti CSRF Rule for xx.com. In rule action, choose Add, with "run post-request marco" type. You can see Action handing editor.

Add new marcos by click add, new marco editor and marco recorder windows open

Now, in marco recorder you must choose 2 request. request 1 is request get token, and request 2 is action request use token (choose by select it).

Click OK, 2 request will be send to Marco Editor:

You can re-order 2 request, before request is top (number 1), and after request is bottom (number 2). In many case, burpsuite can auto analyze to extract parameter. We can manual extract by use: Configure item.

Click request 1, and click Configure item. In config marco item for.... click add. Now we can instructor for burpsuite extract exactly value in html code. And we can assign name for it (form_token):

Click ok, and go to, we can see form_token in custom parameter. Click Ok to return Marco editor.

Select request 2, and click configure item. In parameter handling, formtoken select Deriver from pior response, and select response 1

Ok to return Marco editor. You can test marco. Ok to return Session handling editor. you can select: Update only following parameter, and choose your parameter.

Make sure click on the final request in marco. Click OK to return Session handling rule editor

Click to scope tab, make sure click on Tool scope you need (Extender, Intruder, Repeater ...). In url scope you can click on all url, or enter specific url

Ok to return Project option, we can see new Session handling rule and maro

Now you can use this macro in your tool. To monitor, debug it you can open session trace.

You can use it for intruder (run your payload), or repeater.

But it is marco only, so you can only select in prior response. If need extract, and need calculate bla bla, this trick can not used. I think we need program new extender to solve it

Note: If you need run marco before run main request (like login), you must choose "Run marco" when add rule action.

----------------------------------------------------------

Thanks for reading

--------------------------------------------------------------------------

Security Research

SecurityLab - Linux Lab -- Window and Cisco Lab

to be continued - I will update more.

Nam Habach