The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


CSRF generator XHR payload

adad | Last updated: Oct 23, 2022 04:22PM UTC

Hey, how is the payload for the body generated when using the XHR CSRF generator from Burp? It seems like hex encoding, but it is not decoded successfully. How do I replicate the same encoding on the body of my request? Thanks.

Hannah, PortSwigger Agent | Last updated: Oct 24, 2022 10:31AM UTC

Hi,

Do you have an example of the payload/encoding that you can provide?

adad | Last updated: Nov 09, 2022 05:08PM UTC

Hi! Yes, of course:

```
var body = "PK\x03\x04\x14\x00\x00\x00\x08\x00\xc0\x98iU\x7fA\xd0H\t\x00\x00\x00\t\x00\x00\x00\t\x00\x00\x00adasd.txtK,N\x01\xa2\x94\xe2D\x00PK\x01\x02\x1f\x00\x14\x00\x00\x00\x08\x00\xc0\x98iU\x7fA\xd0H\t\x00\x00\x00\t\x00\x00\x00\t\x00$\x00\x00\x00\x00\x00\x00\x00 \x00\x00\x00\x00\x00\x00\x00adasd.txt\n" +
  "\x00 \x00\x00\x00\x00\x00\x01\x00\x18\x00\xf7\xb3\xa0\x8b]\xf4\xd8\x01\xf7\xb3\xa0\x8b]\xf4\xd8\x01%2\xb2\x88]\xf4\xd8\x01PK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00[\x00\x00\x000\x00\x00\x00\x00\x00\r\n";
```

Thanks.

Hannah, PortSwigger Agent | Last updated: Nov 11, 2022 02:47PM UTC

Hi,

The CSRF generator is simply encoding the data already present into a JavaScript-safe string. If you show non-printable characters on your request ("\n" button), do you have some data contained that is not printable?
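
The escaping described in the reply above, as an added example that is not part of the original thread and is not Burp's own code. The rules (printable ASCII kept, `\t`/`\n`/`\r` as short escapes, `\xNN` for every other byte) are inferred from the sample posted earlier; the escaping of `"` and `\` is an assumption, and the function names are hypothetical.

```javascript
// Added example: encode raw request-body bytes as a JavaScript-safe string
// literal, following the escaping visible in the posted sample.
// Assumed rules, not taken from Burp's source code.
const SHORT_ESCAPES = { 0x09: "\\t", 0x0a: "\\n", 0x0d: "\\r", 0x22: '\\"', 0x5c: "\\\\" };

// bytes: Uint8Array (or any iterable of byte values) holding the raw body.
function toJsStringLiteral(bytes) {
  let out = "";
  for (const b of bytes) {
    if (b in SHORT_ESCAPES) {
      out += SHORT_ESCAPES[b];                 // short escapes and quoting
    } else if (b >= 0x20 && b <= 0x7e) {
      out += String.fromCharCode(b);           // printable ASCII stays readable
    } else {
      out += "\\x" + b.toString(16).padStart(2, "0"); // any other byte: \xNN
    }
  }
  return '"' + out + '"';
}

// Reverse direction: once the literal is evaluated, each character code of the
// resulting string is one byte of the original body.
function binaryStringToBytes(str) {
  const bytes = new Uint8Array(str.length);
  for (let i = 0; i < str.length; i++) {
    const code = str.charCodeAt(i);
    if (code > 0xff) throw new RangeError("not a byte string at index " + i);
    bytes[i] = code;
  }
  return bytes;
}

// Constructed sample: the first 14 bytes of the body posted in the thread.
const sample = Uint8Array.from([
  0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00, 0x08, 0x00, 0xc0, 0x98, 0x69, 0x55,
]);
const literal = toJsStringLiteral(sample);
console.log(literal);
```

The output is a byte-per-character string rather than hex-encoded text, so a hex or text decoder will not recover it. The posted sample starts with `PK\x03\x04`, the ZIP local file header signature, which is why the body contains non-printable bytes.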

adad | Last updated: Nov 13, 2022 12:42PM UTC

My question is, how does it encode it?

Hannah, PortSwigger Agent | Last updated: Nov 14, 2022 10:12AM UTC