Burp Suite User Forum

"Invalid CSRF token" after Receiving 400 Bad Request

Andrea | Last updated: Oct 01, 2020 10:55AM UTC

Hello, I've been trying the lab "2FA Broken Logic". I have managed to brute force the 4-digit security code for the username "carlos". However, whenever I enter the code in the security prompt, it gives me an "Invalid CSRF token (session does not contain a CSRF token)" error. This error shows up whenever I reach the 400 Bad Request after receiving the 302 response. Any help will be appreciated!

Uthman, PortSwigger Agent | Last updated: Oct 01, 2020 11:16AM UTC

Hi Andrea, you may have lost an active session. Are you using Burp Community? If so, the Intruder attack is time-throttled, so this will also have an impact. Can you wait 15 minutes for the lab to reset and try again? Do you see a CSRF token in the body of the request that generates a 302 response?

Andrea | Last updated: Oct 02, 2020 02:23AM UTC

Thanks for your answer! Yes, I see a CSRF token in the body of the request when I get the 302 response. When I reload my browser to that response, however, it gives me the CSRF token error. I did wait for the lab to reset, and also tried doing it again the next day. No luck, the error still appears whenever I enter the 4-digit code that should generate a 302 response. Is there any other workaround for this?

Uthman, PortSwigger Agent | Last updated: Oct 02, 2020 10:43AM UTC

It appears to be working as expected for me. Can you attempt the lab a few more times? Are you using the official solution? Or a video solution from YouTube?

Andrea | Last updated: Oct 05, 2020 08:09AM UTC

I used Burp Community, but it is slow when I do an Intruder attack, so I tried another piece of software. However, the error is still there. Here is a gif of the error: https://drive.google.com/file/d/10cYVDO2f9ZD1OGzOY_cM3XLaQxNlgO0a/view?usp=sharing

Uthman, PortSwigger Agent | Last updated: Oct 05, 2020 11:22AM UTC

Thanks a lot. Have you tried right-clicking the 302 response in Burp > Show response in browser?