Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Session Handling with 2 CSRF Tokens

Karan | Last updated: Jun 13, 2019 10:51AM UTC

Hi I am trying to create a session handling rule for the request having 2 CSRF Tokens. My GET Request has 2 parameters of CSRF Tokens in the response. I am extracting those while creating my macro. but it is still now working as only one CSRF token gets updated in POST request. I have seen below post but it is of no help https://support.portswigger.net/customer/portal/articles/2906338-using-burp-s-session-handling-rules-with-anti-csrf-tokens Can someone please help on this with the detailed steps

PortSwigger Agent | Last updated: Jun 13, 2019 12:49PM UTC

Ok, it sounds like you're headed in the right direction. Please use the session tracer to see what's going on. What you will probably need to do to fix this is define a custom parameter location. You do this on the macro; within macro editor, click configure item, then add a custom parameter location. You need to make sure the parameter name matches the parameter you want to replace on the POST request.

Burp User | Last updated: Jun 14, 2019 07:23AM UTC

I have done the exact same thing but in my POST request only 1 CSRF token is getting updated whereas my GET request response has both the tokens updated See below CSRF Tokens of my POST request _csrf=45d2dd2a-6273-400b-a475-0aa45f75f56a&j_username=xxxxx&j_password=xxxxx&saveuser=on&_csrf=543086ca-44ab-4e3c-a7a4-6fe06af3e92a Can someone please help me on this

PortSwigger Agent | Last updated: Jun 17, 2019 08:17AM UTC