Burp Suite User Forum

Lab: Broken brute-force protection, multiple credentials per request CSRF Token issue

Darin | Last updated: Sep 21, 2020 07:18PM UTC

When trying to do this lab whenever I send any credentials I get the following error. "Invalid CSRF token (session does not contain a CSRF token)" Even when I just send one credential as a test to see the format. Is the csrf token something that we need to figure out how to bypass?

Michelle, PortSwigger Agent | Last updated: Sep 22, 2020 09:26AM UTC

Hi, If you test logging in to the site via the web page, find that POST request in the HTTP history, and send it to Repeater for the subsequent steps, you should get a bit further. Good luck and let us know how you get on!

Darin | Last updated: Sep 25, 2020 05:31AM UTC

Hello Michelle, Thank you for your reply. I just wanted to be sure I explained my situation correctly. When I use the actual lab web page, using carlos/badpass for credentials, I get the following: "Invalid CSRF token (session does not contain a CSRF token)". I can find that in Burp and send it to Repeater but it gives me the same error. I see the CSRF token in the JSON being sent on the POST. Is part of the challenge figuring out how to get a legit CSRF token? Again, thank you for your help and support.

Michelle, PortSwigger Agent | Last updated: Sep 25, 2020 10:15AM UTC

Hi, Thanks for getting in touch. Would you be able to send a screenshot or screen recording to support@portswigger.net to show where you're seeing the message about the invalid CSRF token, please? If I launch the lab 'Broken brute-force protection, multiple credentials per request', go to the login page and enter the credentials you used, I'm not seeing any messages about CSRF tokens; I'm just seeing the login page showing a message saying 'Invalid username or password', so I must be doing something slightly different. Working out the CSRF token isn't part of the solution.

Anurubha | Last updated: Nov 07, 2020 09:39AM UTC

I am facing the same issue.

Michelle, PortSwigger Agent | Last updated: Nov 09, 2020 12:07PM UTC

Thanks for your message. We've checked the lab and there are no current issues with the lab itself. Keep trying, the steps in the suggested solution might help.

Albert | Last updated: Nov 11, 2020 10:24AM UTC

Same problem here

Michelle, PortSwigger Agent | Last updated: Nov 11, 2020 03:17PM UTC

Hi, Thanks for getting in touch. There aren't any current issues with the lab itself; it might help to take a look at this video recorded by one of our users (https://www.youtube.com/watch?v=1Cg0lLGZXBA) as well as going through the suggested solution. Have another go and good luck!

Praful | Last updated: Dec 27, 2020 02:26PM UTC

Same issue, throws "Invalid CSRF token (session does not contain a CSRF token)" even if we try logging in through the website without any modification in request.

Michelle, PortSwigger Agent | Last updated: Jan 04, 2021 01:00PM UTC

We've checked the lab 'Broken brute-force protection, multiple credentials per request' and are not seeing any issues with invalid CSRF tokens. Could you confirm the steps you're taking when you see this? When we tested here we were using the steps described in the solution.

Joshua | Last updated: Oct 27, 2021 04:05PM UTC

I'm getting the same issues. Whether I execute it as an intercept or as a repeater.

Ben, PortSwigger Agent | Last updated: Oct 28, 2021 07:13AM UTC

Hi Joshua, I have just run through a quick test on this lab and was able to solve it using the solution provided without seeing this particular issue. Are you able to email us at support@portswigger.net and include some screenshots of the steps that you are carrying out and what you are seeing so that we can take a better look at this for you?

Mahpara | Last updated: Feb 08, 2022 06:21AM UTC

Hi, I am facing the same issue: "Invalid CSRF token (session does not contain a CSRF token)". Kindly help me with how I can solve this issue.

Ben, PortSwigger Agent | Last updated: Feb 08, 2022 12:06PM UTC

Hi, I have just run through this lab and was able to solve it using the solution provided, so it is currently working as expected. Are you able to provide us with any details of the steps that you are taking to try and solve the lab (some information/screenshots of the request that you are sending in Repeater would be useful)? If sending screenshots would be easier for you then please feel free to send us an email at support@portswigger.net and include them via the email.

Bionicx | Last updated: Dec 24, 2022 06:37PM UTC

I'm doing HTTP request smuggling to capture other users' requests and get "Invalid CSRF token (session does not contain a CSRF token)". I'm facing the same issue. I followed everything but failed to solve it.

Ben, PortSwigger Agent | Last updated: Jan 03, 2023 08:53AM UTC

Hi, Are you able to provide us with some specific details of how you are attempting to solve this lab so that we can take a look for you (if it is easier to do this using screenshots then please feel free to email us at support@portswigger.net). I think it is fair to say that this is one of the trickier labs to solve due to the reliance on timing but it would be good to see exactly what you are doing.

Gonçalo | Last updated: Apr 28, 2023 11:26AM UTC

Hello, I had the same issue. Saw the video and read other forums. Let me try to add more info here:
- The macro with 3 steps contains 2 parameters that we will need in the Intruder: session and csrf.
- The video has a different Burp version than I have. For example, in the Intruder I don't have the same tabs, e.g., "Target".
- If I replicate the steps in the video then 2 problems occur in the Intruder: both the session and the csrf are always static in all the Intruder history. If the combination of these 2 is not right then we receive the "Invalid CSRF token (session does not contain a CSRF token)" response.
- To solve the static csrf I went back to the macro editor and in the third macro item I clicked "Configure Item" and manually added the csrf as a Custom parameter. The name of the custom parameter cannot be csrf2, for example. It must have the exact name "csrf".
- After this configuration change the csrf is now changing in each Intruder request.
- The session, however, continues to be static. Something is happening in the background because the session ID is different from the one I have in the Intruder Positions tab. So the macro is changing the session but it's not providing a different session ID for each Intruder request.
- If the session ID that Burp is replacing is coming from the macro, I also don't think it's providing the session ID from the 3rd macro step, or at least the 1st Intruder request would be good.
- I went back to the configurations and checked "Open cookie jar". I found out that 2 sessions were there instead of one. Why? Because no one doing this is fast enough and the lab goes down and we trigger a new lab a couple of times. Triggering a new lab and keeping the macro that was created based on the HTTP history of another lab is messing up the macro host. In the macro editor the host column was XYZ and the host in the raw request I had changed to ABC (new lab created meanwhile). Going back to the cookie jar, I had session cookies from host ABC and XYZ.
- I then shut it all down and restarted from scratch, making sure I was fast enough to keep the lab alive, and voilà, in the Intruder I now see both session and csrf dynamically changing in each Intruder request.
In summary: make sure to add "csrf" as a custom parameter and don't let the lab go down. I can't seem to get the HTTP 302 though. Intruder gets too slow. Just the normal HTTP 200 saying "Incorrect security code". And I'm not sure how to do all this using Turbo Intruder as suggested in the hint. With the current Turbo documentation I don't understand how to do 2 different requests and pass info from the 1st to the 2nd one. More Intruder code examples would be helpful...

Md.Imdadul | Last updated: Jun 22, 2023 04:22PM UTC

Hello, I am still facing the same problem. Many of them have said they faced the same, so I am sending an email and hope that it will get solved in detail and soon. Thank you

Ben, PortSwigger Agent | Last updated: Jun 23, 2023 08:01AM UTC

Hi, If you are struggling with this lab it would be useful to email us at support@portswigger.net and include some screenshots of what you are doing at each stage so that we can see the process that you are carrying out in more detail.

Will | Last updated: Jun 21, 2024 07:52PM UTC

Had this same problem. Found Chrome was not sending the session cookie. Used Chrome Inspect, then went to Network, then View Cookies, and you will see a warning that it did not send the session cookie because of the third-party cookie phase-out. Found I could overcome the issue by intercepting and including the session cookie in the request for the account page.
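An added illustration, not the lab's code or anything from PortSwigger, of why a CSRF token kept in the server-side session produces the message quoted throughout this thread: a small Python model where the token is stored in the session, so a POST whose session cookie the browser dropped (Will's finding), or whose cookie and token were issued to two different sessions (the static macro values described earlier), is rejected before the credentials are even looked at. Class and function names are hypothetical; the error strings are the ones quoted in the thread.

```python
import secrets


class SessionBoundCsrf:
    """Toy model of a login endpoint whose CSRF token lives in the server-side
    session. Constructed for illustration; not the lab's real implementation.
    The error strings mirror the message quoted in this thread."""

    NO_TOKEN = "Invalid CSRF token (session does not contain a CSRF token)"
    BAD_TOKEN = "Invalid CSRF token"

    def __init__(self):
        self.sessions = {}  # session cookie value -> {"csrf": token}

    def get_login(self, cookie=None):
        """GET /login: reuse a known session or mint a new one, and return
        (session_cookie, csrf_token), i.e. the Set-Cookie plus the hidden field."""
        if cookie not in self.sessions:
            cookie = secrets.token_hex(16)
            self.sessions[cookie] = {"csrf": secrets.token_hex(16)}
        return cookie, self.sessions[cookie]["csrf"]

    def post_login(self, cookie, csrf):
        """POST /login: the token is only meaningful for the session it was
        issued to, so a missing or unknown cookie fails before any comparison."""
        session = self.sessions.get(cookie)
        if session is None or "csrf" not in session:
            return 400, self.NO_TOKEN
        if not secrets.compare_digest(session["csrf"], csrf or ""):
            return 400, self.BAD_TOKEN
        return 200, "credentials checked"


def walk_through():
    """Three submissions: cookie dropped by the browser (Will's case), a token
    reused with a session it was not issued to (the static macro values
    described above), and the correctly paired cookie and token."""
    app = SessionBoundCsrf()
    cookie_a, csrf_a = app.get_login()
    cookie_b, _csrf_b = app.get_login()
    return {
        "cookie_not_sent": app.post_login(None, csrf_a),
        "token_from_other_session": app.post_login(cookie_b, csrf_a),
        "matched_pair": app.post_login(cookie_a, csrf_a),
    }


if __name__ == "__main__":
    for case, (status, message) in walk_through().items():
        print(f"{case}: {status} {message}")
```

The "session does not contain a CSRF token" wording therefore points at the cookie, not the token value: check that the request in Repeater or Intruder carries the same session cookie the token was fetched with.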