Dynamic Security Scanning With Anti-CSRF Tokens

IBM PTC Security
6 min read · Sep 1, 2022


Penetration testers often perform dynamic scanning of target applications using interception proxy tools such as Burp Suite. A Burp Suite scan is far more relevant and meaningful when the scan runs authenticated. Most modern applications implement an Anti-CSRF token as protection against Cross-Site Request Forgery. These tokens may be passed as POST body parameters or as request headers. In such cases, simply running a Burp Suite scan with updated session cookies is not sufficient, because every request is rejected as invalid unless a valid Anti-CSRF token accompanies it, and the token may change with each login. This post explains how to run an automated Burp scan with valid session cookies, using a macro configuration in combination with a Burp extension to capture a valid Anti-CSRF token and pass it both in the request headers and in the POST body.

A macro in Burp Suite is a series of requests that Burp sends to the server before a request it has already proxied. Once the macro requests have been issued, parameters taken from the response to the final macro request can be passed on to the request that triggered the macro.

Configuring Burp Suite to Pass the Anti-CSRF Token While Scanning

Crawl the target web application to prepare for the Burp scan. Take a single request from the crawled list and send it to Repeater. The request shown below is the comment-saving request, sent without a valid session.

In the above case, for an invalid session, the application returns a 302 redirect to /auth/doLogout. This behaviour is what we will use to detect an invalid session.

Let us first set up a macro that obtains a valid session. Click Project Options -> Sessions and create a new session handling rule.

Name the rule as you wish and, under Rule Actions, choose Add -> Check session is valid.

Configure the session handling action with the rules shown below.

The above rule issues the current request and checks whether the session is valid. It recognises an invalid session by looking for the redirect to /auth/doLogout.

You can specify any location, depending on how your target application responds to an invalid session.

Add a new macro

Check the box: If session is invalid, run a macro.

Add a macro by selecting the required login requests and one in-session request.

Test the captured macro.

Now issue the /saveComment request. The cookies are updated with the values captured from the latest macro login, but the response is still not valid: it returns an error message mentioning security_token. Looking at the request, there is a request header Security_token, and this header behaves as an Anti-CSRF token. So, for any request to return a valid response, a valid Security_token tied to the current user session must be passed in each request as a header.

Using Burp Extender

Let's use the Add Custom Header Burp extension to do this. Add Custom Header must be combined with the macro rule to get this done.

The Add Custom Header extension lets you specify a header name and accepts two types of value for the header. A hard-coded value is not of much use here, because the scan would not be fully automated: we would have to keep updating the header value whenever the Burp scan starts using new session cookies. To update the Security_token header value automatically, we must specify a regex pattern instead.

Now use Burp's search option to find the server response that issued the Security_token. In most applications the Anti-CSRF token is issued by the server side, so it can be found in one of the server responses. In this case, it was observed that, following the login request, the /getDesktop request shown below returns the Security_token in its response.

Macro Reconfiguration

Now we must reconfigure the macro by adding this request to the list.

After adding the /getDesktop request to the macro, click on that request and select Configure item.

Capturing the Regex pattern

Now add a new custom parameter location.

Select only the token value and tick Extract from regex group; Burp derives the regex for you. This Define custom parameter option can also update the Anti-CSRF token when it is passed as a request parameter, but it updates only parameter values, not headers.

Now copy this regex pattern into a notepad and go to the session handling macro rule.

Scroll to the very bottom, select "After running the macro invoke a Burp extension session handler" and choose Add Custom Header from the drop-down.

Before doing this, ensure that the Add Custom Header Burp extension is already installed.

Define the scope and click OK.

Configuring the Burp extension with the captured regex

Now open the Add Custom Header extension tab and provide the header name that is passed in the requests. Set the header value type to Regular Expression and paste the regex pattern captured from the Define custom parameter tab. Update the preview and verify that the extracted value is the token.

Now issue the /saveComment request and observe the success message "Comment was saved". Setting the scope of the session handling rule to Scanner enables the rule automatically, so the Security_token header is updated whenever the Burp scan runs.
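To make the chain of actions concrete, here is an added Python example that mirrors, outside Burp, what the session handling rule, the macro, the Define custom parameter option and the Add Custom Header extension do together: probe the session, detect the redirect to /auth/doLogout, pull the token out of the final macro response with a regex and inject it into both the Security_token header and a form body parameter. It is illustration code written for this article, not Burp's code or the extension's code. The endpoint paths come from the post; the HTTP messages, the JSON shape of the /getDesktop response, the body parameter name and the token value are constructed assumptions.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qsl, urlencode

# Constructed sample messages (assumptions for this example, not captured
# from any real application; the token value is a made-up placeholder).
INVALID_SESSION_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /auth/doLogout\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Response to the final macro request (/getDesktop) that carries the token.
GETDESKTOP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"user":"alice","Security_token":"9f2c1e7ab3d44c0e"}'
)

# Regex of the shape Burp derives when you highlight the token value and tick
# "Extract from regex group": the token is capture group 1.
TOKEN_REGEX = re.compile(r'"Security_token":"([^"]+)"')

# The proxied request that triggers the rule, still carrying stale values.
SAVE_COMMENT_REQUEST = (
    "POST /saveComment HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Cookie: JSESSIONID=stale\r\n"
    "Security_token: stale\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 34\r\n"
    "\r\n"
    "comment=hello&security_token=stale"
)


def split_message(message: str):
    """Split a raw HTTP message into (head lines, body)."""
    head, _, body = message.partition("\r\n\r\n")
    return head.split("\r\n"), body


def session_is_valid(response: str) -> bool:
    """Mirror 'Check session is valid': a 3xx to the logout URL means dead."""
    lines, _ = split_message(response)
    parts = lines[0].split()
    status = parts[1] if len(parts) > 1 else ""
    location = next((line.split(":", 1)[1].strip() for line in lines[1:]
                     if line.lower().startswith("location:")), "")
    return not (status.startswith("3") and "/auth/doLogout" in location)


def extract_token(response: str, regex=TOKEN_REGEX) -> Optional[str]:
    """Pull the token out of the final macro response with the captured regex."""
    match = regex.search(response)
    return match.group(1) if match else None


def _with_header(headers: List[str], name: str, value: str) -> List[str]:
    """Replace a header case-insensitively (dropping duplicates) or append it."""
    prefix = name.lower() + ":"
    out, replaced = [], False
    for line in headers:
        if line.lower().startswith(prefix):
            if not replaced:
                out.append(f"{name}: {value}")
                replaced = True
            continue
        out.append(line)
    if not replaced:
        out.append(f"{name}: {value}")
    return out


def set_header(request: str, name: str, value: str) -> str:
    """What Add Custom Header does: rewrite the token header on the request."""
    lines, body = split_message(request)
    return "\r\n".join([lines[0]] + _with_header(lines[1:], name, value)) + "\r\n\r\n" + body


def set_body_param(request: str, name: str, value: str) -> str:
    """What Define custom parameter does for a body token: update the form
    field and keep Content-Length consistent with the new body."""
    lines, body = split_message(request)
    params = dict(parse_qsl(body, keep_blank_values=True))
    params[name] = value
    new_body = urlencode(params)
    headers = _with_header(lines[1:], "Content-Length", str(len(new_body.encode())))
    return "\r\n".join([lines[0]] + headers) + "\r\n\r\n" + new_body


def apply_session_rule(request: str, check_response: str,
                       macro_responses: List[str]) -> str:
    """One pass of the rule: if the probe shows an invalid session, take the
    token from the final macro response and inject it into header and body.
    Refreshing the cookie jar from the macro is left to Burp itself."""
    if session_is_valid(check_response):
        return request
    token = extract_token(macro_responses[-1])
    if token is None:
        raise ValueError("token regex did not match the final macro response")
    request = set_header(request, "Security_token", token)
    return set_body_param(request, "security_token", token)
```

Running `apply_session_rule(SAVE_COMMENT_REQUEST, INVALID_SESSION_RESPONSE, [GETDESKTOP_RESPONSE])` returns the /saveComment request with the fresh token in both the header and the body and a corrected Content-Length; with a 200 probe response the request is returned untouched, which is exactly why the rule only costs a macro run when the session has actually expired. The `ValueError` branch is the case to watch for in practice: if the regex stops matching because the response format changed, the tracer will show the macro running but the header staying stale.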

Behind the scenes

Below is a screenshot of the session handling tracer, which shows the series of session handling actions happening in the background.

With the above steps, we can use Burp's session handling rules and a macro to automatically retrieve a response, extract the Anti-CSRF token and insert it into the appropriate request, enabling authenticated security scans of your application with Burp Suite.

Article By

Shruthi Shunmugom M

https://www.linkedin.com/in/shruthi-s-b4420916a

Penetration Tester

IBM PTC Penetration Testing and Security Services

Arun S

https://www.linkedin.com/in/-aruns/

Lead Penetration Tester

IBM PTC Penetration Testing and Security Services


Written by IBM PTC Security

IBM PTC is a proficient internal Security Test Team responsible for vulnerability assessment & ethical hacking of web, mobile applications & infrastructure.
