Burp Suite User Forum


How does Burp check for Anti-CSRF tokens?

Steven | Last updated: Feb 11, 2016 08:22PM UTC

How does Burp usually scan or validate anti-CSRF tokens? In other words, if the web application uses a form ID that does not contain one of the keywords which identify CSRF, does Burp use other methods? If so, how does it distinguish between anti-CSRF tokens and other similar tokens such as authentication tokens, or other non-related tokens? Thanks

PortSwigger Agent | Last updated: Feb 12, 2016 09:28AM UTC

In the context of the Scanner reporting a vulnerability to CSRF, Burp looks at the value of a parameter to see if the value looks like it might be a CSRF token (based on length and characters). It also sends requests without each possible token to see if the missing token causes a different response. If not, then most likely it isn't being used as a CSRF token.

Burp User | Last updated: Feb 12, 2016 08:20PM UTC

Thank you for the answer. This makes sense; however, Burp seems to report these findings as "Tentative", and for good reason. The question becomes: how can we manually confirm if there is indeed an anti-CSRF token used in a form, if those tokens do not use any field names related to CSRF? In other words, are there any criteria which all anti-CSRF tokens have to follow (for example a certain length or attribute), which will distinguish them from authentication tokens?

PortSwigger Agent | Last updated: Feb 15, 2016 08:59AM UTC

If you are testing manually, then to establish whether a request is vulnerable to CSRF you need to establish whether all of the (non-cookie) parameters that are needed for the request's server-side action to be performed can be determined in advance by the attacker. Regardless of the parameter names or what you label any token-like parameters, what matters is whether the attacker can generate a cross-domain request that will perform the desired action.
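The two PortSwigger replies above describe one combined check: first a value-shape heuristic for "looks like a token", then a differential test that drops each candidate parameter and compares the response, and finally the manual question of whether every non-cookie parameter is predictable. The script below is an added illustration of that procedure and is not Burp's code or PortSwigger's; `mock_app`, `unprotected_app`, the session store, the sample request and the cookie values are all constructed here, and the length, character-class and entropy thresholds in `looks_like_token` are my own assumptions about the kind of heuristic described, not Burp's actual rules.

```python
import math
import re
from collections import Counter

# --- Constructed mock application (hypothetical; not Burp's or anyone's real code) ---
# Cookie session id -> per-session anti-CSRF token. Cookies are kept separate from
# body/query parameters because the browser attaches them automatically, so they do
# not count as something the attacker has to know in advance.
SESSIONS = {"s1": "a3f9c2e7b1d04c8e9f6a5b7c3d2e1f00"}


def mock_app(params, cookies):
    """Hypothetical money-transfer endpoint that enforces a per-session token."""
    token = SESSIONS.get(cookies.get("session"))
    if token is None:
        return (401, "not logged in")
    if params.get("formtoken") != token:
        return (403, "invalid request token")
    if "amount" not in params or "to" not in params:
        return (400, "missing parameter")
    return (200, f"transferred {params['amount']} to {params['to']}")


def unprotected_app(params, cookies):
    """Same endpoint, but the token is carried in the form and never checked."""
    if cookies.get("session") not in SESSIONS:
        return (401, "not logged in")
    if "amount" not in params or "to" not in params:
        return (400, "missing parameter")
    return (200, f"transferred {params['amount']} to {params['to']}")


# --- Step 1: does the value look like a token? (assumed thresholds) ---
TOKEN_CHARS = re.compile(r"^[A-Za-z0-9+/=_-]+$")  # hex / base64 / url-safe alphabets


def shannon_entropy(s):
    """Bits per character; a random hex string scores near 4, 'aaaa...' scores 0."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_token(value, min_len=16, min_entropy=3.0):
    """Assumed heuristic: long enough, token-ish alphabet, not a repetitive value."""
    return (
        len(value) >= min_len
        and bool(TOKEN_CHARS.match(value))
        and shannon_entropy(value) >= min_entropy
    )


# --- Step 2: drop each candidate and see whether the response changes ---
def probe_tokens(app, params, cookies):
    """Return {param_name: True if removing it changed the response}."""
    baseline = app(params, cookies)
    results = {}
    for name, value in params.items():
        if not looks_like_token(value):
            continue
        stripped = {k: v for k, v in params.items() if k != name}
        results[name] = app(stripped, cookies) != baseline
    return results


# --- Step 3: the manual question from the second reply ---
def csrf_exposure(app, params, cookies):
    """CSRF is likely when no non-cookie parameter both looks unpredictable and is enforced."""
    enforced = [n for n, changed in probe_tokens(app, params, cookies).items() if changed]
    return {"enforced_tokens": enforced, "csrf_likely": not enforced}


# Constructed sample request: a real token plus a random-looking but unused trace id.
SAMPLE_PARAMS = {
    "to": "acct-1234",
    "amount": "100",
    "formtoken": "a3f9c2e7b1d04c8e9f6a5b7c3d2e1f00",
    "trace_id": "7c1e4b9a0d3f2e6b8a5c4d1e9f0b2a3c",
}
SAMPLE_COOKIES = {"session": "s1"}

if __name__ == "__main__":
    print("protected  :", csrf_exposure(mock_app, SAMPLE_PARAMS, SAMPLE_COOKIES))
    print("unprotected:", csrf_exposure(unprotected_app, SAMPLE_PARAMS, SAMPLE_COOKIES))
```

Both `formtoken` and `trace_id` pass the shape heuristic, which is exactly why a value-only check can only ever be "tentative"; only the differential step separates them, because removing `trace_id` leaves the response unchanged while removing `formtoken` turns a 200 into a 403. Against `unprotected_app` the same token-looking value is present but ignored, so no parameter is enforced and the request is flagged as likely CSRF-able, matching the manual criterion in the last reply.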
