Posts

Showing posts from July, 2016

Use marco to Anti-CSRF token in Burpsuite

Image
When i am reading one paper about Burpsuite trick, this talk about: Burpsuite marco, and we can use it to anti-csrf token.
I tried it with this demo: http://www.businessinfo.co.uk/labs/csrf_defend/form_token_demo_stage2.php
First request to get token in htlm (formtoken), and post request (request 2) use it to check.
Now, we need use marco to automatic get token, add to post data.
Make sure 2 request and response in http proxy, and intercept is off
Go to project options (version > 1.7) or options (<=1.6, i not sure). I used pro version. Chose Session tab. In session handing rules, add new rule:
Type your rule name, like Anti CSRF Rule for xx.com. In rule action, choose Add, with "run post-request marco" type. You can see Action handing editor.
Add new marcos by click add, new marco editor and marco recorder windows open
Now, in marco recorder you must choose 2 request. request 1 is request get token, and request 2 is action request use token (choose by select it). 
Clic…