Burp Suite User Forum

Login to post

CSRF Token

Tengri | Last updated: Jun 11, 2016 03:27PM UTC

Hello, Custom parameter location in response but csrf not writing in response. Why not in the request? Because csrf parameter (_csrf_token=MXnHkkFn_GDk96WoRucoS26JJb4zAQA76jOhdeLG-Uc) in only request. Is it possible to anti csrf? Image: http://s33.postimg.org/oh7x026e7/burp.png Thanks.

PortSwigger Agent | Last updated: Jun 13, 2016 01:46PM UTC

Where does the _csrf_token request parameter come from when you interact with the application in the normal way using your browser? If it is a hidden form field, then Burp's handling of parameters in macros should deal with it automatically if you include a step to fetch the form containing the field? If it is elsewhere, then you can maybe configure a custom parameter location in the prior response to tell Burp where to derive the parameter from.

You need to Log in to post a reply. Or register here, for free.