Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Login to post

Invalid CSRF Token in Lab: 2FA bypass using a brute-force attack

Mike | Last updated: May 09, 2023 08:49AM UTC

As the subject above states, I am trying to solve this lab and I have followed the solutions and videos. The only difference is I am using turbo intruder as I am using the community version. When I try to brute force the mfa code every single attempt returns the 400 status with the message "Invalid CSRF token (session does not contain a CSRF token)". How do i solve this, am I doing anything wrong? I found a video of another user using the turbo intruder to solve this lab and i followed his steps exactly but i still encountered the same result.

Dominyque, PortSwigger Agent | Last updated: May 10, 2023 02:04PM UTC

Hi We were not able to replicate the issue, the lab seems to be functioning as it should. Have you tried following this solution: https://www.youtube.com/watch?v=uJMIV8oM0u0 or reading this article: https://hackmag.com/security/burp-stepper-intruder/ If you are unable to solve the lab and can provide us with some more details of the steps that you are taking to try so that we have a better idea of what you are doing (if it is easier, please feel free to provide us with some screenshots - you can send these via email at support@portswigger.net)?

Hyok | Last updated: Jul 04, 2023 09:31AM UTC

I am facing the same issue.

Dominyque, PortSwigger Agent | Last updated: Jul 04, 2023 10:02AM UTC

Hi Hyok I can confirm that the lab is working as it should. Have you followed along with any video tutorials? It should be noted that this attack may take several attempts before the lab gets solved due to the verification code.

Hyok | Last updated: Jul 04, 2023 04:39PM UTC

I already followed several video tutorials, like the one present in the academy community solution and the one from "web security guides and tutorials" to solve the lab. I tried this lab from normal intruder as well as burp turbo intruder extension but I still get 400 status .

Hyok | Last updated: Jul 04, 2023 04:41PM UTC

I'm trying to solve this lab from 3-4 days and now I came to know that portswigger web security academy also have user forum.

Dominyque, PortSwigger Agent | Last updated: Jul 05, 2023 06:47AM UTC

Hi Hyok Sorry that you are experiencing difficulty in completing the lab. This video tutorial is also a good one to follow: https://www.youtube.com/watch?v=oPBkhAqy214.

werthergotguns | Last updated: Aug 30, 2023 11:10AM UTC

you have to set the CSRF token parameter as "derived from previous response" while editing the macro, or else it will use the default one and will go code 400.

BonnY | Last updated: Sep 08, 2023 03:50PM UTC

You have to set in session handling rules - your rule - scope and click on the box next to extensions, and you wont be getting 400 invalid CSRF token, but I am getting missing parameter mfa-code in response in turbo intruder and it is in fact sending the req with mfa codes, I am getting a lot of 200 status codes and some 400 (CSRF) in normal intruder but its so slow

BonnY | Last updated: Sep 09, 2023 07:01AM UTC

I fixed the error, add mfa-code to macro - update all parameters and headers except for: mfa-code

You need to Log in to post a reply. Or register here, for free.