Burp Suite User Forum


fuzzing - Burp suite - csrf macro

NazarMedeiros | Last updated: Oct 11, 2016 05:41PM UTC

Hello, I implemented a website using the vaadin-framework. When I send a request to my server, there is some data in my POST-Request which looks like:

{"csrfToken":"3df2f528-15c7-434c-8505-539be1c44157","rpc":[["13","v","v",["text",["s","Nazar Medeiros"]]],["13","v","v",["c",["i",4]]],["15","com.vaadin.shared.ui.button.ButtonServerRpc","click",[{"altKey":false,"button":"LEFT","clientX":82,"clientY":286,"ctrlKey":false,"metaKey":false,"relativeX":45,"relativeY":18,"shiftKey":false,"type":1}]]],"syncId":3,"clientId":3}

Now the interesting part for me are three parameters: Nazar Medeiros, "syncId":3 and "clientId":3. The content (Response) I receive from the server looks like:

for(;;);[{"syncId": 4, "clientId": 4, "changes" : [["change",{"pid":"13"},["1",{"id":"13"}]]], "state":{"13":{"text":"Nazar Medeiros"}}, "types":{"13":"1","25":"19","26":"21","6":"20"}, "hierarchy":{"25":[],"26":[],"6":["7","10","11","12","25","26"]}, "rpc" : [["25","com.vaadin.shared.data.DataProviderRpc","resetDataAndSize",[0]],["25","com.vaadin.shared.data.DataProviderRpc","setRowData",[0,[]]]], "meta" : {}, "resources" : {}, "timings":[3306, 1]}]

I want to use Burp Suite and a macro for an automatic fuzzing process. When I use another value instead of Nazar Medeiros I have to increase clientId and syncId by 1 for each request. What I have done so far is to configure a macro with the two parameters. But the problem is that using the macro does not give me the result I want:

for(;;);[{"syncId": 26, "resynchronize": true, "clientId:4"...

The syncId is increased by 2 instead of 1, whereas the clientId remains at the same value. To give you more background information:

1.) I used a post-request macro
2.) I selected the request I wanted to add
3.) I configured the items (clientId and syncId manually, because they haven't been recognized)
4.) I clicked on "Update the first macro request matched from the response to the current request"
5.) Clicked on "Update only the following parameters (syncId, clientId)"
6.) URL Scope - Include all URLs
7.) I tested the configuration with the Repeater...

One solution I used (without macros) was to send the three parameters to the Intruder, set the payload option to Pitchfork and give each of them a payload. The payload for syncId and clientId is the same and contains numbers for increasing the values at each request. To use this approach you have to be sure that clientId and syncId start at 0 (refresh the page). Otherwise the numbers do not fit the requests.

I am currently working on my own extension to solve this problem, but if there is another, simpler solution, I would be very happy to hear it.

Best regards,
Nazar Medeiros
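The sync bookkeeping the post describes, as an added example (not code from the poster or from PortSwigger): it parses a Vaadin UIDL response, strips the for(;;); prefix, and derives the next request from the previous one by carrying over the csrfToken, swapping in the new text value and taking syncId/clientId from the latest response (in the post's exchange, request 3/3 is answered with 4/4). The csrfToken, connector id "13" and the sample response are constructed; a "resynchronize" response, the failure the poster hit, is treated as a stop condition rather than silently continued.

```python
import copy
import json
from typing import Any, Dict

# Vaadin prepends this prefix to every UIDL response to defeat JSON hijacking.
UIDL_PREFIX = "for(;;);"

# Constructed sample exchange in the shape shown in the post (token and ids invented).
SAMPLE_REQUEST = {
    "csrfToken": "00000000-0000-0000-0000-000000000000",
    "rpc": [["13", "v", "v", ["text", ["s", "Nazar Medeiros"]]],
            ["13", "v", "v", ["c", ["i", 4]]]],
    "syncId": 3,
    "clientId": 3,
}
SAMPLE_RESPONSE = (
    'for(;;);[{"syncId": 4, "clientId": 4, "changes": [], "state": {}, '
    '"rpc": [], "meta": {}, "resources": {}, "timings": [3306, 1]}]'
)


def parse_uidl(body: str) -> Dict[str, Any]:
    """Strip the for(;;); prefix and return the first UIDL object."""
    if not body.startswith(UIDL_PREFIX):
        raise ValueError("not a Vaadin UIDL response")
    payload = json.loads(body[len(UIDL_PREFIX):])
    if not isinstance(payload, list) or not payload or not isinstance(payload[0], dict):
        raise ValueError("unexpected UIDL payload shape")
    return payload[0]


def next_request(prev: Dict[str, Any], response_body: str,
                 connector_id: str, new_text: str) -> Dict[str, Any]:
    """Derive the next request: same csrfToken, new text value, and the
    syncId/clientId the server reported in its most recent response."""
    uidl = parse_uidl(response_body)
    if uidl.get("resynchronize"):
        # The server has lost sync with the client (the symptom in the post);
        # the counters cannot be trusted again until the page is reloaded.
        raise RuntimeError("server requested resynchronize; reload the page and restart")
    req = copy.deepcopy(prev)  # never mutate the caller's copy of the last request
    req["syncId"] = uidl["syncId"]
    req["clientId"] = uidl["clientId"]
    for call in req["rpc"]:
        # Variable-change calls look like [connector, "v", "v", [name, [type, value]]]
        if call[0] == connector_id and call[1] == "v" and call[3][0] == "text":
            call[3][1] = ["s", new_text]
    return req
```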
