Today we have a lot of tools to automate web application testing. Burp suite happens to be one of the top tools for web application testing. However, often controls such as CSRF tokens fail these automated tools. For example, we cannot brute-force a phpMyAdmin login page or even DVWA login page directly using the burp intruder as they have something called an Anti CSRF token and it keeps changing.
In this article, we will see how we can bypass these controls so that we can easily perform tests like brute force on these kinds of login forms.
Using Burp macro to update anti CSRF token in DVWA
For this demo, we will use DVWA.
This is the login page of DVWA and if we see the request in burp suite we can see that it adds an anti-CSRF token called user_token in the request so if we send it to the intruder and try to brute force, it will fail as the token is not getting updated.
We can use a macro to solve this issue. Here is how we can use a macro to update the user_token
1. Click on project options and then click on Sessions.
2. Under session handling rules click on add. A new popup window will appear now in the popup window under the Rule actions click on the add button and then click on Run a macro.
4. Clicking on the add button opens up the Macro recorder window which shows us the request.
In this case, we will select the GET request just before the login POST request and click ok. This is because we get the Anti CSRF token in the response to the GET request.
5. After clicking ok another window called Macro editor will open up. Now we need to configure the macro and instruct it on what it exactly needs to do. For this click on the Configure Item button
6. After clicking on Configure Item a new window opens up where we need to define custom parameter locations in response. To do that click on the add button
7. Now we need to select the user_token by giving the parameter name, start after expression, and end.
Make sure that you enter the details correctly. If the details are entered correctly then it will automatically highlight the value. And click ok. If it automatically highlights the value then it means that everything is correct so far.
8. After doing the 7th step you will get the session handling editor window again. Now click on the Scope tab and define your scope
You can edit the URL scope, select the tool where this rule will be applied, etc.
Now send the request to the repeater or intruder to test for brute force or other vulnerabilities. In this example, I’ll send it to the repeater.
After sending it to the repeater we can see that the user_token will magically keep changing on every request. Here in this request, the value of user_token is ada33e61c8ae4a525ffeb15b57c29065 and after the send button is clicked the value changed to 7ff1ac8d69daa9d3d0c4f64fcca1a57f
This will help in performing attacks like brute force or testing for any other vulnerability without the application showing any error.
Using BurpSuite to update anti CSRF tokens in phpMyAdmin
PhpMyAdmin is an interesting dashboard that if we get access can help us get full access to the website. Bruteforcing phpMyAdmin is not a straightforward process as it has anti-CSRF tokens in many parameters which stop brute-forcing it directly.
We will use the burp suite to configure brute force.
1. Go to phpMyAdmin and enter a random login id and password
2. Intercept the request and send it to the intruder and add payload market in the following parameters. Don’t forget to change the attack type to pitchfork
3. Now click on options and go to Grep-Extract and click on add. A new pop-up window will come up. Click on the fetch response there.
4. Select the value as highlighted. And click on ok
5. Now once again click on add from the Grep-Extract option. When selected the value is highlighted.
6. Now go to Payloads and select payload 1 and change the payload type to recursive grep. Now select the first option from the payload options as shown in the screenshot.
7. Repeat step 6 for payload 2.
8. Now for the payload set 3 which is the password field. Select simple list as payload type and add list of passwords in the payload options box
9. Now for the payload set 4 once again select recursive grep and this time select the 2nd option in the payload options box.
10. Now click on the attack button
Clicking on the attack button will give us an error popup which will stop the attack
We get this error because recursive grep payloads cannot be used with multiple request threads.
11. To solve this issue to go the resource pool option. Select create new resource pool and set the maximum concurrent requests to 1 and click on the attack.
12. Once we start the attack we can see that CSRF tokens get generated automatically which allows us to brute force the login page
The shortcoming of this technique
The only shortcoming of this method is that we need to keep the username static. We can’t give a list of usernames to brute force.
If you want to brute force phpMyAdmin with both username wordlist and password wordlist then you should try out tools like: https://github.com/plzdonotsay/phpmyadmin-authentication-bruteforce
Numen Cyber Labs is committed to facilitating the safe development of Web 3.0. We are dedicated to the security of the blockchain ecosystem, as well as operating systems & browser/mobile security. We regularly disseminate analyses on topics such as these, please stay tuned for more!
This blog was originally published on our Medium Account.