Saturday, July 23, 2016

Use a macro for anti-CSRF tokens in Burp Suite

While reading a paper on Burp Suite tricks, I came across Burp Suite macros, which can be used to handle anti-CSRF tokens.
I tried it with this demo: http://www.businessinfo.co.uk/labs/csrf_defend/form_token_demo_stage2.php
The first request fetches the token from the HTML (formtoken), and the POST request (request 2) submits it so the server can check it.
Now we need a macro to fetch the token automatically and add it to the POST data.
Make sure both requests and their responses are in the HTTP proxy history, and that intercept is off.
Go to Project options (version > 1.7) or Options (<= 1.6, I am not sure). I used the Pro version. Choose the Sessions tab. Under Session handling rules, add a new rule:
Type a rule name, like "Anti CSRF Rule for xx.com". Under Rule actions, choose Add with the type "Run a post-request macro". You will see the action handling editor.

Add a new macro by clicking Add; the Macro Editor and Macro Recorder windows open.

In the Macro Recorder you must choose the two requests: request 1 is the request that gets the token, and request 2 is the action request that uses the token (select each one by clicking it).

Click OK, and the two requests are sent to the Macro Editor:

You can re-order the two requests: the earlier request goes on top (number 1) and the later request at the bottom (number 2). In many cases Burp Suite can analyse the responses automatically and extract the parameter. We can also extract it manually with Configure item.
Click request 1, then click Configure item. In "Configure macro item for...", click Add. Now we can instruct Burp Suite to extract the exact value from the HTML code, and assign a name to it (form_token):

Click OK and go back; form_token now appears under Custom parameters. Click OK to return to the Macro Editor.
Select request 2 and click Configure item. Under Parameter handling, for formtoken select "Derive from prior response" and choose response 1.
Click OK to return to the Macro Editor. You can test the macro here. Click OK to return to the session handling action editor, where you can select "Update only the following parameters" and choose your parameter.
Make sure the final request in the macro is selected. Click OK to return to the Session handling rule editor.
Click the Scope tab and make sure the tools you need are ticked under Tools scope (Extender, Intruder, Repeater ...). Under URL scope you can choose all URLs or enter specific URLs.

Click OK to return to Project options; the new session handling rule and macro are now listed.
Now you can use this macro from your tools. To monitor and debug it, open the session tracer.

You can use it with Intruder (to run your payloads) or with Repeater.
But it is only a macro, so you can only select values from a prior response. If you need to extract a value and then compute something from it, this trick cannot be used. I think we need to write a new extension to solve that.
Note: if you need to run the macro before the main request (e.g. to log in), you must choose "Run a macro" when adding the rule action.
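For the case the macro alone cannot handle, here is an added example (not code from the post) of the kind of extension meant above: a session handling action for Burp's legacy Jython Extender API that takes the `formtoken` value from the macro's final response and writes it into the body of the current request, with a place to transform the token first. The interface and helper method names are the Extender API's own; `extract_form_token`, `set_body_param` and `TOKEN_FIELD` are names chosen for this example, and the ImportError fallback only exists so the helpers can run outside Burp.

```python
import re

# Added example, not the post's code: a Burp session-handling action for the legacy
# Jython Extender API. Outside Burp the `burp` package is missing, so fall back to
# plain classes and keep the pure-Python helpers importable and testable.
try:
    from burp import IBurpExtender, ISessionHandlingAction
except ImportError:
    class IBurpExtender(object): pass
    class ISessionHandlingAction(object): pass

TOKEN_FIELD = "formtoken"  # hidden input name used by the demo form in the post

def extract_form_token(html, field=TOKEN_FIELD):
    # Return the value of the hidden <input name=field> in html, or None.
    name_re = r'name=["\']?%s\b["\']?' % re.escape(field)
    value_re = r'value=["\']([^"\']*)["\']'
    for first, second in ((name_re, value_re), (value_re, name_re)):  # either attribute order
        m = re.search(r'<input[^>]*%s[^>]*%s' % (first, second), html, re.IGNORECASE)
        if m: return m.group(1)
    return None

def set_body_param(body, name, value):
    # Replace a urlencoded body parameter, appending it if absent.
    parts = [p for p in body.split("&") if p]
    for i, p in enumerate(parts):
        if p.split("=", 1)[0] == name:
            parts[i] = "%s=%s" % (name, value)
            break
    else:
        parts.append("%s=%s" % (name, value))
    return "&".join(parts)

class BurpExtender(IBurpExtender, ISessionHandlingAction):
    def registerExtenderCallbacks(self, callbacks):
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Anti-CSRF token from macro (example)")
        callbacks.registerSessionHandlingAction(self)
    def getActionName(self):
        return "Copy formtoken from macro response"
    def performAction(self, currentRequest, macroItems):
        # Runs after the macro; macroItems[-1] is the macro's final request/response.
        if not macroItems or macroItems[-1].getResponse() is None:
            return
        token = extract_form_token(self._helpers.bytesToString(macroItems[-1].getResponse()))
        if token is None: return
        # Any transformation of `token` that a plain macro cannot express goes here.
        req = currentRequest.getRequest()
        info = self._helpers.analyzeRequest(req)
        body = self._helpers.bytesToString(req)[info.getBodyOffset():]
        currentRequest.setRequest(self._helpers.buildHttpMessage(
            info.getHeaders(), self._helpers.stringToBytes(set_body_param(body, TOKEN_FIELD, token))))
```

Load it from the Extender tab, then pick the action under Rule actions as "Invoke a Burp extension" instead of "Run a post-request macro", with the token-fetching macro still selected in the rule.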


----------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
Security Research
SecurityLab - Linux Lab -- Window and Cisco Lab
to be continued - I will update more.




2 comments:

Melbourne Mobile Developer said...

Your blog has given me that thing which I never expect to get from all over the websites. Nice post guys!

thesis writing service said...

I read this article. I think You put a lot of effort to create this article. I appreciate your work.
thesis Writing Service
