Burp Suite User Forum

Burp Extension CSRF Token

Casey | Last updated: Jan 09, 2017 05:01PM UTC

Hello, I'm working on an extension where it will automatically grab the last response CSRF token and insert it into the HTML header parameter for the POST request. I was able to parse out the CSRF token received from the server in the response; however, for the request, how do I access the header parameters? I was able to print the HTTP headers; however, it doesn't include the CSRF portion:

    def createRequest(self, messageInfo):
        # analyzeRequest() returns an IRequestInfo; getHeaders() yields only the
        # header lines, so the form body carrying _csrf_form_param is not among them
        requestInfo = self._helpers.analyzeRequest(messageInfo)
        headers = requestInfo.getHeaders()
        self._stdout.println("Printing headers")
        self._stdout.println(headers)

Here is a sample request:

    POST /SomePage HTTP/1.1
    Host: someserver.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Cookie: Some cookie values are set here
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 127

    _csrf_form_param=be961302-cdf5-476a-90a7-de222fadffbc&com.blahstuff.morestuff.DO_LOGIN=true&redirectURL=

Burp User | Last updated: Jan 09, 2017 05:13PM UTC

Disregard, I figured out that I was able to access the parameter by analyzing the request.

Burp User | Last updated: Jan 13, 2017 08:47PM UTC

Here is a JRuby extension that will do the job with some minimal run-time configuration options:

    require 'java'

    java_import 'javax.swing.JButton'
    java_import 'javax.swing.JOptionPane'

    # Thin Swing wrappers so the UI code below stays short.
    class BButton < JButton
      def initialize(parent, caption, &onClick)
        super caption
        parent.add self
        self.add_action_listener onClick
      end
    end

    java_import 'javax.swing.JTextField'

    class BTextField < JTextField
      def initialize(parent, text, sz, &block)
        super(text, sz)
        parent.add self
        self.add_action_listener block
        self
      end
    end

    java_import 'javax.swing.JLabel'

    class BLabel
      # Apparently there are issues calling super when Java classes have a varargs constructor :-(
      def initialize(parent, caption)
        @lbl = JLabel.new caption
        parent.add @lbl
      end

      def method_missing(method, *args, &block)
        @lbl.send(method, *args)
      end
    end

    java_import 'burp.ITab'
    java_import 'javax.swing.JPanel'

    # Base class for a Burp suite tab: the panel itself is the ITab component.
    class AbstractExtensionUI < JPanel
      include ITab
      attr_accessor :extensionName
      alias_method :getTabCaption, :extensionName

      def initialize(name=nil, extension)
        @extensionName = name
        @extension = extension
        super()
        buildUI
      end

      def buildUI
      end

      def getUiComponent
        self
      end
    end

    ################################

    # Tab with two text fields: the header name to rewrite and the value that
    # marks a request as one to leave alone.
    class MyExtensionUI < AbstractExtensionUI
      def buildUI
        BLabel.new self, 'Header:'
        @headerTxt = BTextField.new(self, @extension.header, 50) {|v| onEvtHeader }
        BLabel.new self, 'Exclude Value:'
        @excludeTxt = BTextField.new(self, @extension.exclude, 20) {|v| onEvtExclude }
      end

      def onEvtHeader
        @extension.header = @headerTxt.getText.to_s
      end

      def onEvtExclude
        @extension.exclude = @excludeTxt.getText.to_s
      end
    end

    java_import 'burp.ISessionHandlingAction'
    java_import 'burp.IExtensionHelpers'
    java_import 'burp.IHttpRequestResponse'
    java_import 'burp.IRequestInfo'

    # The session handling action: take the token from the macro's response
    # header and write it into the same header of the outgoing request.
    class MyExtension
      attr_accessor :header
      attr_accessor :exclude
      attr_reader :getActionName
      attr_accessor :helpers
      include ISessionHandlingAction

      def initialize(name)
        @header = 'X-CSRF-Token'
        @exclude = 'Fetch'
        @getActionName = name
      end

      def performAction(req, macro_results)
        puts "#{Time.new.to_s} Session Handler Called!"
        # A macro that did not run hands over nil; one that ran but matched
        # nothing hands over an empty array, so check both.
        if macro_results.nil? || macro_results.empty?
          puts "#{Time.new.to_s} Empty macro response"
          return
        end
        return unless (token = getToken(macro_results[0].getResponse))
        str_req = @helpers.bytesToString(req.getRequest)
        if str_req.match(/^#{@header}:\s#{@exclude}/)
          puts "#{Time.new.to_s} header value matched fetch pattern"
          return
        end
        # Requests use CRLF line endings; keep them intact when rewriting the header.
        str_req.gsub!(/^#{@header}:\s.*\r?\n/, "#{header}: #{token}\r\n")
        req.setRequest(@helpers.stringToBytes(str_req))
        puts "#{Time.new.to_s} Request Modification Complete"
      rescue => e
        puts e.message
        puts e.backtrace
      end

      def getToken(rsp)
        headers = @helpers.analyzeResponse(rsp).getHeaders
        headers.each do |header|
          if header.match(/^#{@header}:/)
            # Split on the first colon only, so a token containing ':' survives.
            token = (header.split(':', 2)[1]).strip
            puts "#{Time.new.to_s} Obtained #{token}"
            return token
          end
        end
        puts "#{Time.new.to_s} Could not locate token in macro response"
        nil
      rescue => e
        puts e.message
        puts e.backtrace
      end
    end

    java_import 'burp.IBurpExtender'

    class BurpExtender
      include IBurpExtender
      ExtensionName = 'Session-Header'

      def initialize
        @extension = MyExtension.new ExtensionName
        @extensionInterface = MyExtensionUI.new(ExtensionName, @extension)
      end

      def registerExtenderCallbacks(callbacks)
        callbacks.setExtensionName ExtensionName
        # callbacks.registerIntruderPayloadProcessor @payloadProcessor
        callbacks.registerSessionHandlingAction @extension
        @extension.helpers = callbacks.getHelpers
        callbacks.addSuiteTab @extensionInterface
      end
    end
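The logic both posts in this thread circle around (pull the token out of the macro's last response, write it into the next request's header and form body, skip requests flagged with the exclude value), as an added example that is not part of either post and not Burp's own API: it is plain Python working on raw HTTP message text, so it runs outside Burp without IExtensionHelpers. The header name X-CSRF-Token, the parameter name _csrf_form_param and the exclude value "Fetch" come from the thread; the sample response, the hidden-input form and all token values are constructed.

```python
"""Pure-Python stand-in for the Burp session-handling logic discussed above.

Burp's helpers are only available inside Burp, so this works on raw message
text instead of IHttpRequestResponse objects. All sample messages at the
bottom are constructed for illustration, not captured traffic.
"""
import re
from urllib.parse import parse_qsl, urlencode


def split_message(raw):
    """Split a raw HTTP message into (start line, [header lines], body)."""
    # Accept CRLF or bare LF, since Burp's text views show both.
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    head = parts[0]
    body = parts[1] if len(parts) > 1 else ""
    lines = head.splitlines()
    return lines[0], lines[1:], body


def extract_token(response, header_name="X-CSRF-Token", body_param="_csrf_form_param"):
    """Return the CSRF token carried by a response, or None if there is none.

    Looks first for a response header (what the JRuby extension does), then
    for a hidden form input of the same name (what a login page tends to use).
    """
    _, headers, body = split_message(response)
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == header_name.lower():
            return value.strip()
    pattern = r'name=["\']%s["\'][^>]*value=["\']([^"\']+)["\']' % re.escape(body_param)
    match = re.search(pattern, body)
    return match.group(1) if match else None


def update_request(request, token, header_name="X-CSRF-Token",
                   body_param="_csrf_form_param", exclude="Fetch"):
    """Return the request with `token` written into the header and body param.

    A request whose header already carries the `exclude` marker is returned
    unchanged, mirroring the run-time "Exclude Value" option of the JRuby code.
    Content-Length is recomputed so the rewritten body is not truncated.
    """
    start, headers, body = split_message(request)
    new_headers = []
    header_seen = False
    had_length = False
    for line in headers:
        name, _, value = line.partition(":")
        lname = name.strip().lower()
        if lname == header_name.lower():
            if value.strip() == exclude:
                return request  # flagged by the caller: leave it alone
            line = "%s: %s" % (header_name, token)
            header_seen = True
        elif lname == "content-length":
            had_length = True
            continue  # re-added below with the correct value
        new_headers.append(line)
    if not header_seen:
        new_headers.append("%s: %s" % (header_name, token))
    if body:
        params = parse_qsl(body, keep_blank_values=True)
        params = [(k, token if k == body_param else v) for k, v in params]
        body = urlencode(params)
    if body or had_length:
        new_headers.append("Content-Length: %d" % len(body.encode()))
    return "\r\n".join([start] + new_headers) + "\r\n\r\n" + body


# Constructed sample messages (token values and form are illustrative).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-CSRF-Token: 8f1c0d2e-constructed-token\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)
SAMPLE_FORM_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<form><input type="hidden" name="_csrf_form_param" value="aaaa-bbbb"></form>'
)
SAMPLE_REQUEST = (
    "POST /SomePage HTTP/1.1\r\n"
    "Host: someserver.com\r\n"
    "Cookie: session=placeholder\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 80\r\n"
    "\r\n"
    "_csrf_form_param=be961302-cdf5-476a-90a7-de222fadffbc"
    "&com.blahstuff.morestuff.DO_LOGIN=true&redirectURL="
)

if __name__ == "__main__":
    token = extract_token(SAMPLE_RESPONSE)
    print(update_request(SAMPLE_REQUEST, token))
```

Inside Burp the same two functions would be fed `helpers.bytesToString(macroItems[0].getResponse())` and `helpers.bytesToString(currentRequest.getRequest())`, and the result handed back through `setRequest`; the Content-Length recomputation is the step the regex-only rewrite in the JRuby code does not need for headers but would need as soon as the body parameter is touched.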
