Burp Suite User Forum

Login to post

Anti CSRF Token

Justin | Last updated: Feb 25, 2022 06:49PM UTC

I keep spending hours on something so simple that should be part of this product... I can't bypass a simple setup like below to perform a scan. GET /comment provide anti csrf value in body let's call it {tokencode} any post request for example POST /comment requires a header called X-CSRF-TOKEN: {tokencode} I tried several plugins, I think I'm not the only person that would struggle with this and don't feel like this is revolutionary. Your product supports passing this into a parameter, why not the request header!

Hannah, PortSwigger Agent | Last updated: Feb 28, 2022 11:30AM UTC

Hi We have an ongoing feature request for this functionality, to which I have added your +1. In the meantime, there are extensions that can provide this functionality. For example, "Add custom header" may be useful. You may also like "TokenJar" or "Authentication Token Obtain and Replace". There are also other extensions to specifically help with CSRF tokens, but it sounds like you may have looked at these already.

Ben, PortSwigger Agent | Last updated: Jun 21, 2022 11:19AM UTC

Hi Justin, We just wanted to let you know that the recent 2022.5 release contains the functionality to add headers and values using session handling rules.

You need to Log in to post a reply. Or register here, for free.