Generate CSRF PoC
[Pro version] This function can be used
to generate a proof-of-concept (PoC) cross-site request forgery (CSRF)
attack for a given request.
To access this function, select a URL or HTTP request anywhere within
Burp, and choose "Generate CSRF PoC"
within "Engagement tools" in the context menu.
When you execute this function, Burp shows the full request you selected
in the top panel, and the generated CSRF HTML in the lower panel. The HTML
uses a form with a suitable action URL, encoding type and parameters, to
generate the required request when the browser submits the form.
You can edit the request manually, and click the "Regenerate" button to
regenerate the CSRF HTML based on the updated request.
You can test the effectiveness of the generated PoC in your browser,
using the "Test in browser" button. When you select this option, Burp gives
you a unique URL that you can paste into your browser (configured to use the
current instance of Burp as its proxy). The resulting browser request is
served by Burp with the currently displayed HTML, and you can then determine
whether the PoC is effective by monitoring the resulting request(s) that are
made through the Proxy.
Some points should be noted regarding form encoding:
- Some requests (e.g. those containing raw XML or JSON) have bodies
that can only be generated using a form with plain text encoding. With
each type of form submission using the POST method, the browser will
include a Content-Type header indicating the encoding type of the form
that generated the request. In some cases, although the message body
exactly matches that required for the attack request, the application
may reject the request due to an unexpected Content-Type header. Such
CSRF-like conditions might not be practically exploitable. Burp will
display a warning in the CSRF PoC generator if this is liable to occur.
- If you manually select a form encoding type
that cannot be used to produce the required request, Burp will generate
a best effort at a PoC and will display a warning.
- If the CSRF PoC generator is using plain text encoding, then the
request body must contain an equals character in order for Burp to
generate an HTML form which results in that exact body. If the original
request does not contain an equals character, then you may be able to
introduce one into a suitable position in the request, without affecting
the server's processing of it.
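The two encoding points above (a browser's text/plain form can only reproduce a body that contains an equals character, and an endpoint may reject the resulting request on the Content-Type header alone) can be shown concretely. The following is an added example, not Burp's code: it simulates how a browser serialises a text/plain form, shows the split at the first "=" that the generator relies on, and gives a defender-side check for a JSON endpoint that rejects any Content-Type a plain HTML form can produce. The request body and header values are constructed for illustration.

```python
import json

# Media types a browser can send from a plain HTML <form>; none of them is
# application/json, which is why a strict Content-Type check defeats such PoCs.
FORM_MEDIA_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def text_plain_form_body(fields):
    """Simulate the body a browser builds for <form enctype="text/plain">:
    every field becomes 'name=value' followed by CRLF, with no escaping."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)


def split_for_text_plain(body):
    """Return the single (name, value) field whose text/plain encoding
    reproduces `body` (plus the trailing CRLF the browser always adds).
    Returns None when the body has no '=', since the browser must emit one
    between name and value; that is the limitation described above."""
    if "=" not in body:
        return None
    name, value = body.split("=", 1)
    return name, value


def accept_json_request(headers, body):
    """Server-side check for a JSON endpoint: accept only when the media type
    is exactly application/json (parameters such as charset ignored) and the
    body parses as JSON. A text/plain form whose body happens to match the
    expected JSON byte-for-byte is still rejected here on the header alone."""
    content_type = headers.get("Content-Type", "")
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json" or media_type in FORM_MEDIA_TYPES:
        return False
    try:
        json.loads(body)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed JSON body with a padding member that supplies the '='.
    body = '{"amount":1000,"pad":"="}'
    name, value = split_for_text_plain(body)
    print(repr(text_plain_form_body([(name, value)])))
    print(accept_json_request({"Content-Type": "text/plain"}, body))
```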
Options
The following options are available:
- Include auto-submit script - Using this option
causes Burp to include a small script in the HTML that causes a
JavaScript-enabled browser to automatically submit the form (causing the
CSRF request) when the page is loaded.
- Form encoding - This option lets you specify the
type of encoding to use in the form that generates the CSRF request. The
"Auto" option is generally preferred, and causes Burp to select the most
appropriate encoding capable of generating the required request.