The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


How are certain vulnerabilities listed in the labs meant to be found

Jaak | Last updated: Jun 17, 2022 11:50AM UTC

Hi, while doing the labs and thinking about taking the Burp Suite Practitioner exam, I was wondering how some of these vulnerabilities are meant to be found. As an example, let's look at the CSRF labs. The following labs are listed:

- CSRF where token validation depends on request method
- CSRF where token validation depends on token being present
- CSRF where token is not tied to user session
- CSRF where token is tied to non-session cookie
- CSRF where token is duplicated in cookie
- CSRF where Referer validation depends on header being present
- CSRF with broken Referer validation

Now, while I understand that these are vulnerabilities and also how they work, I am unsure about how vulnerabilities like "CSRF where token validation depends on request method" or "CSRF where token is tied to non-session cookie" (where you can basically use the CSRF tokens of user A for the requests of user B) are meant to be found in the exam but also in the wild? Does the exam require manually checking for each of the vulnerabilities? I know that in real-world pentests, scanners like Nessus and Acunetix are often used, but do such scanners really test for stuff like that? Like sending the request with a different request method and checking whether the request is accepted despite not having the correct CSRF token?

Thanks :)
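Added illustration, not part of the original post and not PortSwigger's lab code: three of the flaws listed above, modelled as server-side validators next to a strict one, with a constructed request matrix run through each to show which forged request each flaw lets through. The key, session ids, token scheme and all function names are assumptions made for this example.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed value, for illustration only

def issue_token(session_id):
    """Token bound to one session: HMAC of the session id (an assumed design)."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

# Every token the server has handed out, regardless of owner.
ISSUED = {issue_token("sess-A"), issue_token("sess-B")}

def strict(req):
    """Require a token on every method and bind it to the caller's session."""
    token = req.get("token")
    if token is None:
        return False
    return hmac.compare_digest(token, issue_token(req["session"]))

def flawed_method(req):
    """Flaw: validation depends on request method (only POST is checked)."""
    return strict(req) if req["method"] == "POST" else True

def flawed_presence(req):
    """Flaw: validation depends on the token being present."""
    return True if req.get("token") is None else strict(req)

def flawed_pool(req):
    """Flaw: token is not tied to the user session (any issued token passes)."""
    return req.get("token") in ISSUED

# Constructed requests to a state-changing endpoint, all in session sess-A.
FORGED = {
    "method-switched": {"method": "GET", "session": "sess-A", "token": "invalid"},
    "token-omitted": {"method": "POST", "session": "sess-A", "token": None},
    "foreign-token": {"method": "POST", "session": "sess-A", "token": issue_token("sess-B")},
}
LEGIT = {"method": "POST", "session": "sess-A", "token": issue_token("sess-A")}

def audit(validator):
    """Return the forged cases a validator wrongly accepts."""
    assert validator(LEGIT), "validator must accept the legitimate request"
    return [name for name, req in FORGED.items() if validator(req)]

if __name__ == "__main__":
    for v in (flawed_method, flawed_presence, flawed_pool, strict):
        print(f"{v.__name__:16} accepts forged: {audit(v) or 'none'}")
```

Each flawed validator fails exactly one row of the matrix, which is why such checks are written per case and kept as regression tests for the validation code.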

Liam, PortSwigger Agent | Last updated: Jun 17, 2022 01:25PM UTC