The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

"Invalid CSRF token" after Receiving 400 Bad Request

Andrea | Last updated: Oct 01, 2020 10:55AM UTC

Hello, I've been trying to do the lab: 2FA Broken Logic. I have managed to brute-force the 4-digit security code for the username "carlos". However, whenever I enter the code in the security prompt, it gives me an "Invalid CSRF token (session does not contain a CSRF token)" error. This error shows up whenever I reach the 400 Bad Request after receiving the 302 response. Any help will be appreciated!

Uthman, PortSwigger Agent | Last updated: Oct 01, 2020 11:16AM UTC

Hi Andrea, you may have lost an active session. Are you using Burp Community? If so, the Intruder attack is time-throttled, so this will also have an impact. Can you wait 15 minutes for the lab to reset and try again? Do you see a CSRF token in the body of the request that generates a 302 response?

Andrea | Last updated: Oct 02, 2020 02:23AM UTC

Thanks for your answer! Yes, I see a CSRF token in the body of the request when I get the 302 response. When I reload my browser to that response, however, it gives me the CSRF token error. I did wait for the lab to reset, and also tried doing it again the next day. No luck, the error still appears whenever I enter the 4-digit code that should generate a 302 response. Is there any other workaround for this?

Uthman, PortSwigger Agent | Last updated: Oct 02, 2020 10:43AM UTC

It appears to be working as expected for me. Can you attempt the lab a few more times? Are you using the official solution? Or a video solution from YouTube?

Andrea | Last updated: Oct 05, 2020 08:09AM UTC

I used Burp Community, but it is slow when I do an Intruder attack, so I tried another software. However, the error is still there. Here is a gif of the error: https://drive.google.com/file/d/10cYVDO2f9ZD1OGzOY_cM3XLaQxNlgO0a/view?usp=sharing

Uthman, PortSwigger Agent | Last updated: Oct 05, 2020 11:22AM UTC