Using Burp Suite to Bruteforce Anti CSRF Token-based Forms

Today we have a lot of tools to automate web application testing, and Burp Suite is one of the top tools for the job. However, controls such as CSRF tokens often defeat these automated tools. For example, we cannot brute-force a phpMyAdmin login page, or even the DVWA login page, directly with Burp Intruder, because these pages use an anti-CSRF token that keeps changing.

In this article, we will see how we can bypass these controls so that we can easily perform tests like brute force on these kinds of login forms.

Using Burp macro to update anti CSRF token in DVWA

For this demo, we will use DVWA.

If we look at the DVWA login request in Burp Suite, we can see that it includes an anti-CSRF token called user_token. If we send this request to Intruder and try to brute force it, the attack will fail because the token is not being updated.

We can use a macro to solve this issue. Here is how we can use a macro to update the user_token:

1. Click on project options and then click on Sessions.

2. Under Session handling rules, click on Add. A new popup window will appear. In that window, under Rule actions, click on the Add button and then click on Run a macro.

3. After clicking on the Run a macro option, another new window, “Session handling action editor”, opens up. Click on the Add button.

4. Clicking on the add button opens up the Macro recorder window which shows us the request.

In this case, we will select the GET request just before the login POST request and click ok. This is because we get the Anti CSRF token in the response to the GET request.

5. After clicking OK, another window called Macro editor will open up. Now we need to configure the macro and tell it exactly what it needs to do. For this, click on the Configure item button.

6. After clicking on Configure item, a new window opens up where we need to define custom parameter locations in the response. To do that, click on the Add button.

7. Now we need to select the user_token by giving the parameter name, the start-after expression, and the end delimiter.

Make sure that you enter the details correctly. If they are correct, Burp automatically highlights the value, which means that everything is correct so far. Then click OK.

8. After completing step 7, you will get the session handling editor window again. Now click on the Scope tab and define your scope.

You can edit the URL scope, select the tool where this rule will be applied, etc.

Now send the request to the repeater or intruder to test for brute force or other vulnerabilities. In this example, I’ll send it to the repeater.

After sending it to the repeater, we can see that the user_token magically changes on every request. Here in this request, the value of user_token is ada33e61c8ae4a525ffeb15b57c29065, and after the send button is clicked the value changes to 7ff1ac8d69daa9d3d0c4f64fcca1a57f.

This will help in performing attacks like brute force or testing for any other vulnerability without the application showing any error.

Using BurpSuite to update anti CSRF tokens in phpMyAdmin

phpMyAdmin is an interesting dashboard: if we get access to it, it can help us get full access to the website. Brute-forcing phpMyAdmin is not a straightforward process, as it has anti-CSRF tokens in many parameters, which stop us from brute-forcing it directly.

We will use Burp Suite to configure the brute force.

1. Go to phpMyAdmin and enter a random login id and password

2. Intercept the request, send it to the intruder, and add payload markers in the following parameters. Don’t forget to change the attack type to Pitchfork.

3. Now click on options and go to Grep-Extract and click on add. A new pop-up window will come up. Click on the fetch response there.

4. Select the value as highlighted and click OK.

5. Now once again click on add from the Grep-Extract option. When selected the value is highlighted.

6. Now go to Payloads and select payload 1 and change the payload type to recursive grep. Now select the first option from the payload options as shown in the screenshot.

7. Repeat step 6 for payload 2.

8. Now for payload set 3, which is the password field, select Simple list as the payload type and add a list of passwords in the payload options box.

9. Now for payload set 4, once again select Recursive grep, and this time select the 2nd option in the payload options box.

10. Now click on the attack button

Clicking on the attack button will give us an error popup, which will stop the attack.

We get this error because recursive grep payloads cannot be used with multiple request threads.

11. To solve this issue, go to the resource pool option. Select Create new resource pool, set the maximum concurrent requests to 1, and click on the attack button.

12. Once we start the attack, we can see that the CSRF tokens get generated automatically, which allows us to brute force the login page.

The shortcoming of this technique

The only shortcoming of this method is that we need to keep the username static. We can’t give a list of usernames to brute force.

If you want to brute force phpMyAdmin with both username wordlist and password wordlist then you should try out tools like: https://github.com/plzdonotsay/phpmyadmin-authentication-bruteforce
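
From the defending side, both workflows above leave the same trace: every attempt carries a valid token, so no CSRF validation errors show up, and the failed logins arrive one at a time from one client against one username. The following is an added example, not part of the original post, that flags this pattern in application logs; the log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). Assumed line format:
#   <timestamp> <client_ip> <username> csrf=<valid|invalid> auth=<ok|fail>
SAMPLE_LOG = "\n".join(sorted(
    [f"2024-01-01T10:00:{2 * i:02d} 203.0.113.7 root csrf=valid auth=fail"
     for i in range(6)]
    + ["2024-01-01T10:00:12 203.0.113.7 root csrf=valid auth=ok",
       "2024-01-01T10:00:03 198.51.100.4 alice csrf=invalid auth=fail",
       "2024-01-01T10:00:05 198.51.100.4 alice csrf=valid auth=fail",
       "2024-01-01T10:00:09 198.51.100.4 alice csrf=valid auth=ok"]))


def parse(line):
    ts, ip, user, csrf, auth = line.split()
    return datetime.fromisoformat(ts), ip, user, csrf == "csrf=valid", auth == "auth=ok"


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag (client, username) pairs with `threshold` failed logins inside
    `window` where every attempt presented a valid anti-CSRF token."""
    recent = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    alerts = {}
    for line in log_text.strip().splitlines():
        ts, ip, user, csrf_ok, auth_ok = parse(line)
        key = (ip, user)
        if not csrf_ok:
            continue              # rejected before the password was checked
        if auth_ok:
            if key in alerts:     # a success right after a burst deserves review
                alerts[key]["then_succeeded"] = True
            recent[key].clear()
            continue
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {"first_alert": ts, "then_succeeded": False}
    return alerts


if __name__ == "__main__":
    for (ip, user), info in detect(SAMPLE_LOG).items():
        print(ip, user, info["first_alert"].isoformat(), info["then_succeeded"])
```

Counting per (client, username) pair matches the static-username case described above; a tool that rotates usernames would need the same counter keyed on the client alone.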

Numen Cyber Labs is committed to facilitating the safe development of Web 3.0. We are dedicated to the security of the blockchain ecosystem, as well as operating systems & browser/mobile security. We regularly disseminate analyses on topics such as these, please stay tuned for more!

This blog was originally published on our Medium Account.
