Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

CSRF PoC

olek | Last updated: Jul 05, 2021 08:47PM UTC

Hi Team sorry for to many question but I have to ask about CSRF Poc in burp.this is standard form: <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="https://website/" method="POST"> <input type="submit" value="Submit request" /> </form> </body> My question is how it works. If I'm able for example change my name or something in website Form but using this POC this is CSRF vulnerability.?? Step... Burp intercept I put this for repeater for example delete my name and last name.But I do not allow this doing burp only create CSRF PoC then I insert this in file.html and click.!! And I'm able delete my name and last name . This is CSRF vulnerability? or not ?? ============================================= alos your website see I want sen file Error 404 occurred when trying to upload your file.

Ben, PortSwigger Agent | Last updated: Jul 06, 2021 05:43PM UTC

Hi Olek, Have you read our documentation around the CSRF PoC functionality, how to test for CSRF vulnerabilities and CSRF vulnerabilities themselves? The information below might aid you in determining whether you have discovered a vulnerability or not: https://portswigger.net/burp/documentation/desktop/functions/generate-csrf-poc https://portswigger.net/web-security/csrf https://portswigger.net/support/using-burp-to-test-for-cross-site-request-forgery

olek | Last updated: Jul 06, 2021 08:58PM UTC

Now I'm much more clever but still need answered .Team few fast question. ----------------------------------------------------------------------- 1.I log in my account on website.Change for example: email ,name all setting generate POC file.html but only on my profile this is Csrf Vulnerability.? YES or NOT 2.Adding comment on Forum for example here.Using POC file.html Only my profile here is Csrf Vulnerability.? YES or NOT 3.Why when I comment on forum using Poc.html works by click file but Poc generate test in Browser do not works.? 4.When somebody test website before me check all website and do not see any Csrf vulnerability this means next person who will be check website do not find nothing or he can find some Csrf problem.? 5.The self-Csrf is treat as Csft Vulnerability in bug bounty program.? thank Team

olek | Last updated: Jul 08, 2021 03:03PM UTC

Any Help?

olek | Last updated: Jul 09, 2021 03:31PM UTC

This is really simple question .This is importer for my to know .Please.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.