Automating Burp Suite -1 | Capturing CSRF Token Via Macro

3 years ago 193
BOOK THIS SPACE FOR AD
ARTICLE AD

Divyanshu Shukla

Burp suite allows pentesters to set session-management rules. It is possible to set up session-management rule via Macro. Here we will try to create a Macro for automating the process of capturing CSRF tokens. Then we will try to validate it via repeater and browser tab.

Anti-CSRF tokens are randomly generated tokens that are associated with the user’s current session. They are contained within HTML forms and links associated with sensitive server-side operations. An anti-CSRF token should be included in the request when users perform sensitive operations (e.g. banking transfer). The server should verify the existence and authenticity of this token before processing the request. If the token is missing or incorrect, the request will be denied.

We will use this method to automate login authentication in DVWA which uses CSRF token in the POST login request.

Reference Image

How To Do It:

Default DVWA login page on localhost, setup is done via:

docker run — — rm -it -p 80:80 vulnerable/web-dvwa

2. Add localhost in the Burp suite scope.

DVWA default login

3. After login out when the application redirected to http://localhost/login.php , the token is present in the response body.

Page after logging out

4. Switch to the proxy history tab and identify the request which is having a CSRF token in the response.

Login page after logout with user_token

5. Visit the Project Options tab > then the Sessions tab.

6. In the session handling rule, click on Add (Ignore pre-created rules.)

Project Options in Burp Suite

7. Then change the Rule Description and In the rule action. Select Run a macro.

Session handling via Macro

8. The Macro Recorder opens up, Select the http://localhost/login.php request with length 1860 bytes. Click ok.

This page comes after the user logs out. On clicking the logout button, user is redirected to login.php with CSRF token in the body. This is described in step 3.

User_token In Macro Recorder

9. In the Macro editor, enter the Macro Description and click on Configure Item .

Macro Editor

10. In the Configure Macro item, Click on add.

Configure Macro Item

11. We know that parameter used in the user_token for CSRF. Let’s quickly validate via proxy history.

Validate user_token parameter

12. From step 10, Select the parameter value for user_token which is automatically selected in the Burp Suite.

Define custom parameter

13. Now click ok and save it. The Macro Editor window will open up.

Capture value of user_token

14. In the Macro Editor, add the Macro Descriptionthen select ok.

Macro Editor

15. Then in the Session handling rule editor, change the tab to Scope. Select the scope and URL scope accordingly.

Scope

17. Macro for CSRF handling has been created. Save ok, let’s test this macro.

Macro description

18. Send the login.php request to the repeater and check the user token value.

User_token in repeater

19. Now resend the request and compare the value from the previous request. Both values are different.

User_token

This validates that the Macro is working fine and we can use it in the next tutorial.

How it Works:

Here, the Anti-csrf token is changed to a different value by replaying the request in the repeater. This allows to bypass the CSRF token mechanism automatically and provides flexibility while automated scanning via Burp suite.

It works by capturing the user_token value and then running the Macro by replacing old CSRF token with the new value captured .

Reference:

https://www.youtube.com/watch?v=LsMZnpUIFZI&list=PLDlltT2o4UZCrWiWx4cEzk8D7YhCAFX4T&index=10https://portswigger.net/support/using-burp-suites-session-handling-rules-with-anti-csrf-tokenshttps://www.packtpub.com/product/burp-suite-cookbook/9781789531732

The next Burp Suite macro tutorial will guide you through automating the login process.

Read Entire Article