The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

Testing The Rule

| Last updated: Feb 21, 2022 09:10AM UTC

I read this tutorial: https://portswigger.net/support/using-burp-suites-session-handling-rules-with-anti-csrf-tokens But I have a problem doing this: "Testing The Rule. We can use Burp Intruder to test our configuration. Intruder allows us to evaluate each request to determine if the POST parameter that possesses the anti-CSRF token is being updated. The anti-CSRF token parameter should be updated within each request." How can I test my rule with Burp Intruder? (Intruder needs positions, and I just have a rule and I don't know how to run my rule with Intruder.)

Ben, PortSwigger Agent | Last updated: Feb 21, 2022 10:48AM UTC

Hi Dan, You could use Repeater to test that your session handling rule is working as expected - assuming that you have configured the scope of your session handling rule to include Repeater, issuing the request using this method should also update the token being used. Intruder could be used if you wanted to test this automatically over a number of requests, in order to make sure that the anti-CSRF token is being updated in all of the requests (you could simply add a payload position somewhere non-intrusive within the base request and perform the Intruder attack in that manner).
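The check Ben describes (send several requests and confirm the anti-CSRF parameter carries a fresh token in each one) can be reproduced outside Burp to see what the session handling rule and macro are actually doing. The Python below is an added example, not code from the forum post or from PortSwigger: TokenServer is a constructed stand-in for a web application that issues one-time anti-CSRF tokens, submit_with_fresh_token is the macro-like step (fetch the form, extract the hidden token, set the parameter, submit), and check_rule is the Intruder-style verification over N requests. The parameter name csrf_token and the /login form are assumptions; there is no network I/O.

```python
"""
Constructed simulation of a session handling rule with an anti-CSRF macro:
fetch the form, extract the token, submit it, and verify that every request
carries a distinct, accepted token and that a replayed token is rejected.
This is example code, not Burp Suite's own implementation.
"""
import secrets
from html.parser import HTMLParser


class TokenServer:
    """Constructed stand-in for a web app that issues one-time anti-CSRF tokens."""

    def __init__(self):
        self._valid_tokens = set()
        self.accepted = []

    def get_form(self):
        # Each GET of the form issues a new token and remembers it as valid.
        token = secrets.token_hex(16)
        self._valid_tokens.add(token)
        return (
            '<html><body><form method="post" action="/login">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="username"><input name="password" type="password">'
            "</form></body></html>"
        )

    def post_login(self, fields):
        # One-time token: accept it once, then invalidate it so replays fail.
        token = fields.get("csrf_token")
        if token not in self._valid_tokens:
            return 403, "invalid or reused CSRF token"
        self._valid_tokens.discard(token)
        self.accepted.append(token)
        return 200, "ok"


class HiddenInputParser(HTMLParser):
    """Collect hidden <input> name/value pairs from an HTML form body."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("type") == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def extract_token(html, param="csrf_token"):
    """The macro's 'custom parameter' step: pull the token out of the response."""
    parser = HiddenInputParser()
    parser.feed(html)
    return parser.hidden[param]


def submit_with_fresh_token(server, fields):
    """Macro-like request: fetch form, extract token, update the parameter, send."""
    token = extract_token(server.get_form())
    request = {**fields, "csrf_token": token}
    status, _ = server.post_login(request)
    return status, token


def check_rule(server, n=5):
    """Intruder-style check: n requests must each carry a distinct token and be
    accepted; replaying an already-used token must be rejected."""
    tokens = []
    for i in range(n):
        status, token = submit_with_fresh_token(
            server, {"username": f"user{i}", "password": "constructed"}
        )
        if status != 200:
            return False
        tokens.append(token)
    all_distinct = len(set(tokens)) == n
    replay_status, _ = server.post_login(
        {"username": "user0", "password": "constructed", "csrf_token": tokens[0]}
    )
    return all_distinct and replay_status == 403


if __name__ == "__main__":
    print("rule OK" if check_rule(TokenServer()) else "rule BROKEN")
```

If the real application behaves like TokenServer, an Intruder run whose session handling rule is working shows a different csrf_token value and a 200 in every result row; a rule that is not firing shows the same stale token repeated and 403s (or whatever the application returns for a bad token) after the first request.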

| Last updated: Feb 21, 2022 11:45AM UTC

I have a question about macros in Burp Suite: Imagine I have a web application on my localhost and I'm entering wrong information to log in, and the web application uses CSRF tokens. Now my question is, can a macro help me to log in with the wrong username and password?

Ben, PortSwigger Agent | Last updated: Feb 21, 2022 06:09PM UTC

Hi Dan, Just to clarify, you want to be able to log in to a web application with the wrong credentials, or you want to be able to brute force the login mechanism so that you can log in successfully without having prior knowledge of the correct credentials?

| Last updated: Feb 22, 2022 02:48AM UTC

"You want to be able to log in to a web application with the wrong credentials?" Yes. In fact, my question is whether a macro can help or not in this way.

Ben, PortSwigger Agent | Last updated: Feb 22, 2022 11:04AM UTC