Burp Suite User Forum


Anti-CSRF Token Question

AA | Last updated: Sep 12, 2023 09:07AM UTC

In order to brute force the main login page of DVWA, I followed the guide given here: https://portswigger.net/support/using-burp-suites-session-handling-rules-with-anti-csrf-tokens It did work, but I have a few questions as to how and why it works. When I make the macro, I tell it what the custom parameter locations in the file are, which it extracts based on some regex (as far as I understand). Let's say I extract user_token from some hidden input field based on some regex. But how does Burp automatically know to insert it into the POST parameter user_token? In the Session Handling Action Editor, I see an option, "Update current requests with parameters matched from final macro response", and unchecking it stops it from working. But how does it know which field to populate with what?

Michelle, PortSwigger Agent | Last updated: Sep 12, 2023 01:10PM UTC

Hi,

When using macros and the option "Update current requests with parameters matched from final macro response", Burp will automatically try to find relationships between parameters based on the parameter name and the URL. You can read more about parameter handling with macros here: https://portswigger.net/burp/documentation/desktop/settings/sessions/macros

I hope this helps.
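To make the name-based matching concrete, here is an added Python sketch that is not Burp's own code and is simplified: it matches on parameter name only and ignores the URL-based relationship mentioned in the reply. It pulls every hidden input out of a constructed login page (standing in for the macro's final response) and updates only those parameters in a constructed request body whose names match; a request parameter with a different name (for example a form field called csrf_token while the request uses user_token) is left untouched, which is exactly the case where the option appears to "stop working".

```python
import re
from html import unescape
from urllib.parse import parse_qsl, urlencode

# Constructed sample: the final response of a macro that fetched the login page.
LOGIN_PAGE_HTML = """
<form action="login.php" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="user_token" value="a1b2c3d4e5f6">
  <input type="submit" name="Login" value="Login">
</form>
"""

# Constructed sample: the body of the request the tool is about to send,
# still carrying a token from an earlier page load.
CURRENT_BODY = "username=admin&password=letmein&Login=Login&user_token=STALE_TOKEN"

INPUT_TAG_RE = re.compile(r"<input\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")


def extract_hidden_parameters(html: str) -> dict:
    """Stand-in for a macro's custom parameter location: collect every
    hidden input's name and value from the final macro response."""
    found = {}
    for attrs in INPUT_TAG_RE.findall(html):
        attr = {k.lower(): unescape(v) for k, v in ATTR_RE.findall(attrs)}
        if attr.get("type", "").lower() == "hidden" and "name" in attr:
            found[attr["name"]] = attr.get("value", "")
    return found


def update_request_parameters(body: str, extracted: dict) -> tuple:
    """Stand-in for 'Update current requests with parameters matched from
    final macro response': a request parameter is replaced only when its
    name equals the name of an extracted parameter. Returns the new body
    and the list of parameter names that were actually updated."""
    new_params, updated = [], []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in extracted and extracted[name] != value:
            new_params.append((name, extracted[name]))
            updated.append(name)
        else:
            new_params.append((name, value))
    return urlencode(new_params), updated


if __name__ == "__main__":
    tokens = extract_hidden_parameters(LOGIN_PAGE_HTML)
    print(update_request_parameters(CURRENT_BODY, tokens))
```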
