The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

How does Burp check for Anti-CSRF tokens?

Steven | Last updated: Feb 11, 2016 08:22PM UTC

How does Burp usually scan or validate anti-CSRF tokens? In other words, if the web application uses a form ID that does not contain one of the keywords which identify CSRF, does Burp use other methods? If so, how does it distinguish between Anti-CSRF tokens and other similar tokens such as authentication tokens, or other non-related tokens..? Thanks

PortSwigger Agent | Last updated: Feb 12, 2016 09:28AM UTC

In the context of the Scanner reporting a vulnerability to CSRF, Burp looks at the value of a parameter to see if the value looks like it might be a CSRF token (based on length and characters). It also sends requests without each possible token to see if the missing token causes a different response. If not, then most likely it isn't being used as a CSRF token.
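
As an added illustration of the two checks described in the reply above (constructed example code, not PortSwigger's or Burp's own logic; the parameter names, the character-set heuristic and the `mock_app` stand-in for the target application are assumptions):

```python
import string
from typing import Callable, Dict, List, Tuple

Params = Dict[str, str]
Responder = Callable[[Params], Tuple[int, str]]

# Constructed sample: parameters of one captured form submission to a hypothetical app.
SAMPLE_PARAMS: Params = {
    "username": "alice",
    "action": "update_email",
    "new_email": "alice@example.com",
    "sessionid": "8f3c1b0e7d4a4e9fb1c2d3e4f5a6b7c8",
    "__rv": "Zk9xT3BqV2xyNGs2cUZtM3hQ",
}

TOKEN_CHARS = set(string.ascii_letters + string.digits + "-_=+/")


def looks_like_token(value: str, min_len: int = 16) -> bool:
    """First check: does the value look random? Long enough, drawn only from
    typical token characters, and containing both letters and digits (assumed heuristic)."""
    if len(value) < min_len or not set(value) <= TOKEN_CHARS:
        return False
    return any(c.isdigit() for c in value) and any(c.isalpha() for c in value)


def changes_response_when_removed(params: Params, name: str, send: Responder) -> bool:
    """Second check: resend the request without this parameter and compare
    with the baseline response; a token that is actually enforced changes it."""
    baseline = send(params)
    without = send({k: v for k, v in params.items() if k != name})
    return without != baseline


def csrf_token_candidates(params: Params, send: Responder) -> List[str]:
    """Names passing both checks. Note that an authentication token sent as a
    parameter also passes (removing it changes the response), so the result
    is only a candidate list and still needs manual review."""
    return [n for n, v in params.items()
            if looks_like_token(v) and changes_response_when_removed(params, n, send)]


def mock_app(params: Params) -> Tuple[int, str]:
    """Constructed stand-in for the target application, used instead of a live
    HTTP request so the example runs offline."""
    if params.get("sessionid") != SAMPLE_PARAMS["sessionid"]:
        return 302, "redirect to /login"
    if params.get("__rv") != SAMPLE_PARAMS["__rv"]:
        return 403, "invalid request verification token"
    return 200, "email updated"


if __name__ == "__main__":
    print(csrf_token_candidates(SAMPLE_PARAMS, mock_app))  # ['sessionid', '__rv']
```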

Burp User | Last updated: Feb 12, 2016 08:20PM UTC

Thank you for the answer. This makes sense; however, Burp seems to report these findings as "Tentative", and for good reason. The question becomes, how can we manually confirm if there is indeed an anti-CSRF token used in a form, if those tokens do not use any field names related to CSRF? In other words, are there any criteria which all anti-CSRF tokens have to follow (for example a certain length or attribute), which will distinguish them from authentication tokens?

PortSwigger Agent | Last updated: Feb 15, 2016 08:59AM UTC