Description: Here we use Burp with Macros and Session Handling to get around tokens Synchronizer Token Pattern Anti-CSRF (Cross-Site Request Forgery )
* this is 2-3 times more traffic then Recursive Grep Method
* this is 'easy' and maco can be applied on all attacks not just intruder
* be sure to check out other Burp Extentions JSON JS decoders are a great help!
help me get
http://blog.spiderlabs.com/2012/09/adding-anti-csrf-support-to-burp-suite-intruder.html working !!! -rmccurdy.com
Try to use Makros at: Options -> Sessions -> Session Handling -> Add -> Rule Actions and enable the Sequencer at the Scope Tab within the Session handling rule editor. Looks like you have to define Makros to "visit the Link" aka call the URL the link points to with the given Token. Look around the Sessions-Tab for the appropiate way to accomplish the task.
http://sleepy-tor-8086.herokuapp.com/
http://blog.nvisium.com/2014/02/using-burp-intruder-to-test-csrf.html
http://blog.securenet.de/2013/06/07/automated-scanning-with-burp-despite-anti-csrf-token/
https://www.google.com/search?q=burp+macros+xsrf
https://www.netspi.com/blog/entryid/121/fuzzing-parameters-in-csrf-resistant-applications-with-burp-proxy
https://www.notsosecure.com/blog/2014/07/02/pentesting-web-service-with-csrf-token-with-burp-pro/
Tags:
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.