TL;DR
This guide shows you how to create a Burp Suite macro to automatically handle CSRF tokens when testing web applications. This saves time and effort by automating the process of extracting and injecting these tokens into your requests.
Prerequisites
- Burp Suite Professional
- A web application with CSRF protection
Steps
- Identify the CSRF Token
First, you need to find where the CSRF token is located. This usually involves:
- Inspecting the HTML source code of a form. Look for hidden input fields with names like `csrf_token`, `XSRF-TOKEN` or similar.
- Checking cookies – some applications store CSRF tokens in cookies.
- Using Burp Suite’s intercept feature to observe the token being sent during a legitimate POST request.
Use Burp Suite’s Intercept feature to capture a valid POST request that *includes* the CSRF token. This will be your base request for creating the macro.
Right-click on the captured request in Burp Suite and select “Send to Repeater”.
In Repeater, click the “Macro” button. Then click “New macro”. Give your macro a descriptive name (e.g., ‘CSRF Token’).
Burp Suite will now record your actions. You need to simulate the process of extracting the CSRF token from its source and injecting it into the request.
- Step 1: Extract Token Value – Use Burp’s search functionality within Repeater (Ctrl+F) to locate the CSRF token in the response. Highlight the entire token value, including any surrounding tags or attributes if necessary.
- Step 2: Inject Token into Request – Position your cursor where the CSRF token should be inserted in the request body. Use Burp’s “Paste” action (Ctrl+V) to paste the copied token value. If the token needs to be added as a new parameter, you may need to manually type out the parameter name and equals sign before pasting.
Click “Save” to save your macro.
In Repeater, click the “Macro” button again. Select your newly created macro from the list and click “Run”. Burp Suite will automatically extract the token from the response of a new request and inject it into the current request.
You can now use this macro within Burp Suite’s Intruder to automate CSRF attacks. Configure your Intruder payload positions as needed, ensuring that the macro is applied before each request is sent.
Example Macro Steps (Illustrative)
Let’s assume the token is in a hidden input field like this:
`<input type="hidden" name="csrf_token" value="YOUR_TOKEN_HERE">`
- Step 1: Search for Token – Search for `value="` within the response.
- Step 2: Copy Token Value – Highlight from the opening quote after `value="` to the closing quote before the closing angle bracket (e.g., `"YOUR_TOKEN_HERE"`).
- Step 3: Inject into Request – Position the cursor in the request body where the token should go, and paste the copied value.
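The extract-and-inject work the macro performs, written out as an added Python example (not part of this guide and not Burp Suite code) so the steps can be checked against a constructed response offline. It also covers a token stored in a cookie and appends the parameter when the request body does not yet carry it; the token names, sample HTML and sample body are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Token field names the guide mentions, matched case-insensitively (assumed list).
TOKEN_NAMES = {"csrf_token", "xsrf-token"}


class _HiddenInputScanner(HTMLParser):
    """Collect name/value of hidden <input> fields, whatever the attribute order."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)  # bare attributes arrive as None, hence the "or ''" guards
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def extract_csrf_token(html, cookies=None):
    """Return (name, value) of the CSRF token: first from hidden inputs in the
    response body, then from the cookies (the Troubleshooting case); None if absent."""
    scanner = _HiddenInputScanner()
    scanner.feed(html)
    for name, value in scanner.hidden.items():
        if name.lower() in TOKEN_NAMES:
            return name, value
    for name, value in (cookies or {}).items():
        if name.lower() in TOKEN_NAMES:
            return name, value
    return None


def inject_token(body, name, value):
    """Replace the token parameter in a form-encoded body, or append it if missing."""
    out, replaced = [], False
    for k, v in parse_qsl(body, keep_blank_values=True):
        if k == name:
            out.append((k, value))
            replaced = True
        else:
            out.append((k, v))
    if not replaced:
        out.append((name, value))
    return urlencode(out)


# Constructed sample response and request body (not captured from a real application).
SAMPLE_RESPONSE = ('<form method="post" action="/transfer">'
                   '<input name="csrf_token" type="hidden" value="c0nstructed-t0k3n-123">'
                   '<input type="text" name="amount"></form>')
SAMPLE_BODY = "amount=100&csrf_token=STALE"
```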
Troubleshooting
- Token Not Found – Double-check the location of the CSRF token. It may be dynamically generated or stored in a cookie.
- Incorrect Injection Point – Ensure you are injecting the token into the correct parameter name and format within the request body.
- Macro Fails to Run – Review the recorded macro steps carefully. Make sure each step is accurate and complete.