Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

CSRF value = null when Request sent thru Burpsuite

Chim | Last updated: Oct 22, 2023 04:29AM UTC

When I send a request in the Repeater or Intruder, the CSRF Token in the Response show value = Null? However, within the History Tab of the Proxy, the CSRF value show the actual value. But in the Repeater, Macros, and Intruder, it show a null value? Does the Target website have the mechanism to disable the CSRF value from displaying when running Burp Suite? Please see below the script in the Response within the Proxy History Tab which show the CSRF value: $(function(){ var token = 'd3c78b8bd46cb14bf5ca6031c8c8d5e10c28380b'; $('a[href]').each(function(i){ var currHref = $(this).attr("href"); var isAfunction = currHref.substring(0,10); if(isAfunction == "javascript"){ $(this).attr("href",currHref); }else{ if (currHref.charAt(currHref.length - 1) === '?') $(this).attr("href",currHref); else if (currHref.indexOf('?') > 0) $(this).attr("href",currHref+"&token="+token); else $(this).attr("href",currHref+"?token="+token); } }); }); This is what is show thru out the Repeater, Intruder, and Macros when a request is sent within Burp Suite: $(function(){ var token = 'null'; $('a[href]').each(function(i){

Hannah, PortSwigger Agent | Last updated: Oct 23, 2023 04:10PM UTC

Hi To clarify, are you having issues retrieving the CSRF token when using a macro to retrieve the current CSRF value? Have you checked out any extensions available on the BApp Store to help keep track of your CSRF token, or are you performing this all with macros?

Chim | Last updated: Oct 24, 2023 03:07AM UTC

I am performing this with macros. In the Proxy Tab I can see that the CSRF token display, but when running thru Macros and and Repeater tab, CSRF token return null

Hannah, PortSwigger Agent | Last updated: Oct 24, 2023 04:55PM UTC

Does the JavaScript function run separately in the browser to generate the CSRF token, is the token retrieved from a specific endpoint, or is it directly retrieved form the response? There are a couple of extensions available in the BApp Store specifically designed to help manage CSRF tokens in Burp. These include: - CSRF Token Tracker - Token Extractor - TokenJar

Chim | Last updated: Oct 24, 2023 10:10PM UTC

The Token is retrieved from the response. I did try to use all the extension you mentioned above, since the value is null, it extracted only the null value.

Hannah, PortSwigger Agent | Last updated: Oct 25, 2023 04:45PM UTC

Hi Can you provide some more information on how the token is generated in the response when you use the browser?

Chim | Last updated: Oct 25, 2023 08:46PM UTC

When visit the main domain home page, the token automatically generated. Every time I refresh the website, it would generated the new token. However, when I run a Macros at the main domain Home page, the toke value is equal null

Hannah, PortSwigger Agent | Last updated: Oct 26, 2023 03:48PM UTC