Burp Suite User Forum

Report on CSRF Vulnerabilities

Dave | Last updated: May 05, 2015 06:12PM UTC

Hello. I am trying to learn Burp Pro after one of my colleagues left without leaving much information around the Burp testing he had done. I have an application with a known CSRF vulnerability AND an older Burp report indicating the CSRF vulnerability. I am trying to reconfigure the Burp environment and regenerate the report, but without any luck. I can replicate the other vulnerabilities, but I cannot get the same CSRF item to list out again. I have included the CSRF Scanner extension and tried using the CSRF PoC, but neither shows up in the scan report. I am trying to figure out if this is a wording change or if I am missing something. My current reports cover vulnerability 2098944 "Cross-site request forgery", but the old report indicated type "Request vulnerable to Cross-site Request Forgery" and "Form does not contain an anti-CSRF token." If these can only be identified manually, is there something beyond the CSRF PoC that I need to be using to capture them within the report? Thanks.

PortSwigger Agent | Last updated: May 06, 2015 10:20AM UTC

The "Cross-site request forgery" vulnerability is reported by Burp's native scan check for CSRF. The other two issues you mentioned are generated by extensions. We added the native CSRF check to Burp earlier this year, and we believe it is more reliable than any extension-provided checks that were previously available. If Burp is reporting the "Cross-site request forgery" issue for you, then you can use that in place of the issues that some extensions reported earlier.
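To make the distinction in the reply concrete, here is an added example (not code from Burp Suite, from PortSwigger, or from any Burp extension) of the kind of form-level heuristic that an issue like "Form does not contain an anti-CSRF token" rests on: parse each form on a page, skip GET forms, and flag any non-GET form that has no hidden field whose name looks token-like and whose value is long enough to be unpredictable. The field-name hints and the sample HTML are constructed for the example.

```python
"""Heuristic check for HTML forms that carry no anti-CSRF token.

Added example, not code from Burp Suite or from any Burp extension. It
mimics the kind of form-level heuristic behind an issue such as "Form does
not contain an anti-CSRF token" so the limits of that approach are visible.
"""
from html.parser import HTMLParser

# Substrings that commonly appear in anti-CSRF field names.
# Assumption: an illustrative list, not any tool's actual list.
TOKEN_NAME_HINTS = ("csrf", "xsrf", "token", "nonce",
                    "authenticity", "__requestverificationtoken")


class FormCollector(HTMLParser):
    """Collects each <form> with its action, method and named fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").lower(),
                "inputs": [],
            }
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name")
            if name:
                self._current["inputs"].append(
                    (name, (attrs.get("type") or "text").lower(), attrs.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def looks_like_token(name, value):
    """True when the field name hints at a token and the value is long enough
    to plausibly be unpredictable (16 chars is an arbitrary threshold)."""
    lowered = name.lower()
    return any(hint in lowered for hint in TOKEN_NAME_HINTS) and len(value) >= 16


def forms_without_token(html):
    """Return (action, method) for each non-GET form with no token-like hidden field."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if form["method"] == "get":
            continue  # treated as non-state-changing; itself a limit of the heuristic
        has_token = any(ftype == "hidden" and looks_like_token(name, value)
                        for name, ftype, value in form["inputs"])
        if not has_token:
            findings.append((form["action"], form["method"]))
    return findings


# Constructed sample page: a POST form with a token, a POST form without
# one, and a GET search form that the check deliberately ignores.
SAMPLE_HTML = """
<form action="/account/email" method="post">
  <input type="hidden" name="csrf_token" value="3f9a1c7e5b2d4a6f8e0c1b2a3d4e5f60">
  <input type="text" name="email">
  <input type="submit" value="Save">
</form>
<form action="/account/password" method="POST">
  <input type="password" name="new_password">
  <input type="submit" value="Change">
</form>
<form action="/search" method="get">
  <input type="text" name="q">
</form>
"""

if __name__ == "__main__":
    for action, method in forms_without_token(SAMPLE_HTML):
        print(f"{method.upper()} {action}: no anti-CSRF token field found")
```

Run against the sample, the check reports only the password form. Note what it cannot see: a token carried in a custom request header rather than a form field, a cookie-to-header scheme, or a session cookie marked SameSite, all of which would make such a form safe while still being flagged. That blindness is why a form-only check produces findings that a request-level check (such as Burp's native one described above) can decline to report, and why the two reports on the page list different items.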