The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Proposal to Combine CSRF Token Validation Labs Due to Overlapping Objectives

MANDEEP | Last updated: May 26, 2024 10:22AM UTC

Upon reviewing the CSRF labs titled "Validation of CSRF token depends on request method" and "Validation of CSRF token depends on token being present," it has been observed that both labs share similar objectives. Specifically, both scenarios can be exploited using a payload generated by Burp's CSRF PoC generator, highlighting that some applications correctly validate the CSRF token when it is present but skip the validation if the token is omitted.

Proof of Concept:

Lab: Validation of CSRF token depends on request method
Lab: Validation of CSRF token depends on token being present

In the first lab, the POST request is replaced with GET with the CSRF token being present; we can use Burp's CSRF PoC generator to generate a payload and solve the lab. In the second lab, if the CSRF token parameter is removed from the POST request, we can use Burp's CSRF PoC generator to generate a payload and solve the lab.

My point of view here is that while solving the first lab (Validation of CSRF token depends on request method), if the CSRF token parameter is removed after changing the request method, we can still solve the lab with the same payload generated with Burp's CSRF PoC generator.

Recommendation: It is recommended to merge these two labs into one comprehensive lab. In the theory section, include the note: "Some applications correctly validate the token when it is present but skip the validation if the token is omitted. This behavior applies to any allowed request method."

Outcome: This consolidation will streamline the learning process and avoid redundancy.
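To make the two validation flaws the post describes concrete for defenders, here is an added example (not part of the original post or of PortSwigger's lab code) that models each flawed server-side check beside a strict one and reports which request shapes each check accepts; the session token value and the request objects are constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample value: in a real application the expected token lives in the
# user's server-side session and is compared against the submitted parameter.
SESSION_TOKEN = "a3f9c2e1d4b8"   # constructed, not a value from the labs

@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)

def validate_depends_on_method(req: Request) -> bool:
    """Flawed pattern from the first lab: only POST is checked, so a request
    whose method is switched to GET skips the token comparison entirely."""
    if req.method != "POST":
        return True
    return hmac.compare_digest(req.params.get("csrf", ""), SESSION_TOKEN)

def validate_depends_on_presence(req: Request) -> bool:
    """Flawed pattern from the second lab: the token is compared only when the
    parameter is supplied, so omitting the parameter skips validation."""
    if "csrf" not in req.params:
        return True
    return hmac.compare_digest(req.params["csrf"], SESSION_TOKEN)

def validate_strict(req: Request) -> bool:
    """Hardened check: the state-changing action must be a POST and must carry
    a token matching the session, regardless of whether one was supplied."""
    if req.method != "POST":
        return False
    token = req.params.get("csrf")
    return token is not None and hmac.compare_digest(token, SESSION_TOKEN)

# The request shapes discussed in the post (constructed inputs).
SCENARIOS = {
    "post_valid_token": Request("POST", {"csrf": SESSION_TOKEN}),
    "post_wrong_token": Request("POST", {"csrf": "bogus"}),
    "post_no_token":    Request("POST", {}),
    "get_no_token":     Request("GET", {}),
}

def accepted(validator) -> set:
    """Names of the scenarios a given validator lets through."""
    return {name for name, req in SCENARIOS.items() if validator(req)}

if __name__ == "__main__":
    for v in (validate_depends_on_method, validate_depends_on_presence, validate_strict):
        print(f"{v.__name__:30} accepts {sorted(accepted(v))}")
```

Both flawed checks accept the "get_no_token" shape, which is the poster's observation that one request works against either lab; only the strict check rejects everything except a POST with a matching token.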

Ben, PortSwigger Agent | Last updated: May 27, 2024 09:27AM UTC

Hi Mandeep, Thank you for this. We can certainly pass this information onto the team for you.

MANDEEP | Last updated: May 27, 2024 01:27PM UTC