Burp Suite User Forum

Login to post

CSRF Token Bypass

Franky | Last updated: Jun 26, 2017 12:43AM UTC

I really need to bypass CSRF token. in my case every time i request, the CSRF will generate new token in the header. so the next request in repeater i need to put the new csrf. i tried to use macro but support said its for token in the body only. so i cant use it for my case. please make a feature to able repeat with the new csrf token

PortSwigger Agent | Last updated: Jun 26, 2017 06:54AM UTC

At present this is only possible by coding an extension. I have written you a quick extension to do this: - https://gist.github.com/pajswigger/a6a1950b3e90ee1fdffe24b30f9aef0b You'll need to record a macro that fetches a new token, then create a rule that runs the macro, and set the "After running the macro, invoke a Burp extension action handler" option. The header name Csrf-Token is hardcoded; you'll need to edit the script to change that. Creating a built-in feature to do this is on our backlog. However, it will probably only be implemented when we look at a refactor of the session handling rules. Do let me know how you get on.

Liam, PortSwigger Agent | Last updated: Jun 26, 2017 01:44PM UTC

Thanks for the update Stevie.

Burp User | Last updated: Aug 21, 2018 08:04PM UTC

I know I've been searching for an answer to this issue for a while and I came back to let everyone know I've found a solution.. https://citadelo.com/en/blog/extendedmacro-burpsuite-plugin/ Hope this helps!

Ben, PortSwigger Agent | Last updated: Jun 21, 2022 12:33PM UTC

Hi all, It has been awhile but we just wanted to update this forum thread and let people know that the recent 2022.5 release now contains functionality to add headers and values using session handling rules.

You need to Log in to post a reply. Or register here, for free.