Ctrlk
Page cover
For the complete documentation index, see llms.txt. This page is also available as Markdown.

Week 2 - CSRF Token Bypass

CSRF Token Bypass Using BurpSuite

Continuing the Web App Hacking Tips & Tricks series, this week’s tip focuses on bypassing CSRF tokens.

Have you ever found a web endpoint that’s vulnerable to SQL injection, but uses a CSRF token that makes SQLMap automation difficult?

Boy, have we got a show for you!

It turns out you can set a macro in BurpSuite to retrieve a valid CSRF token, and instantly add it to the request being intercepted through the proxy. To do so, follow the below steps:

  1.  Launch Burp and Intercept the HTTP Request of the page containing the CSRF token.
  2.  Go to Project Options -> Sessions -> Macros and click the Add button
  3.  Select the Intercepted HTTP Request and press OK
  4.  Select ‘Configure item’ and press Add
  5.  Scroll through the HTTP Response and select the CSRF token (see below screenshot). Don’t forget to name the Parameter based upon where the CSRF token is being used (GET or POST).
  6.  Press Ok to create the macro
  7.  Scroll up to ‘Session Handling Rules’ and press Add
  8.  In ‘Rule Actions’ press Add and ‘Run a macro’. Select your macro.
  9.  Move over to the Scope tab and add the target domain in the URL Scope. Don’t Forget to Check the ‘Proxy (use with caution)’ box at the top.

  10. Press OK and you’re done!

Now to put your Macro to work, use the following SQLMap syntax to proxy traffic through Burp:

sqlmap -u --proxy=”http://localhost:8080”

That’s it!! Now CSRF tokens will no longer prevent you from dumping a DB.

PreviousWeek 1 - XSS Filter EvasionNextWeek 3 - CORS Exploitation