Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Request vulnerable to Cross-site Request Forgery (CSRF)

Srikanth | Last updated: Jun 08, 2021 12:56PM UTC

Hi Team, I have a couple of .net MVC application and one application loads into other using IFrames. The two applications neither have user related nor application related data stored in the Cookie except for ASP.NET_SessionId. When I run a Burp Suite scan on the requests, it flags the requests vulnerable to CSRF with the message "The request does not appear to contain an anti-CSRF token". I wanted to know how burp suite checks for CSRF vulnerability and is it because of the ASP.NET_SessionID that I am getting the vulnerability. Adding CSRF tokens to the requests might be a case of over engineering just for ASP.NET_SessionID (correct me if I am wrong). Thank you, Srikanth V

Uthman, PortSwigger Agent | Last updated: Jun 08, 2021 01:43PM UTC

Hi Srikanth, Is the issue being reported natively by the scanner on the Dashboard in the Issue Activity? Or is it being reported by a Burp extension? The documentation below describes some of the checks the scanner performs in relation to CSRF: - https://portswigger.net/support/using-burp-to-test-for-cross-site-request-forgery

Srikanth | Last updated: Jun 08, 2021 02:25PM UTC

Hi Uthman, This issue was generated by the Burp extension: CSRF Scanner.

Uthman, PortSwigger Agent | Last updated: Jun 08, 2021 02:35PM UTC

Hi Srikanth, Thanks for confirming. We do not manage the logic behind third-party extensions, unfortunately so you will need to look at the code or ask the original developer for further information. I have found the passive scanning functionality logic below but I would suggest having a look at the entire repo: - doPassiveScan = https://github.com/PortSwigger/csrf-scanner/blob/e79ab6e94e61d36ddde1a5e4e6f778158a113ccd/BurpExtender.java#L1067 - https://github.com/PortSwigger/csrf-scanner

Srikanth | Last updated: Jun 08, 2021 03:15PM UTC

Thank you Uthman for the links. Wanted to know if there are any recommended extensions similar to CSRF Scanner, which are not third-party and are supported by PortSwigger.

Uthman, PortSwigger Agent | Last updated: Jun 09, 2021 06:43AM UTC