Burp Suite Enterprise Edition is now available in our secure Cloud  –  Learn more

Professional

Generating a CSRF proof-of-concept with Burp Suite

  • Last updated: June 18, 2024

  • Read time: 2 Minutes

Cross-site request forgery (CSRF) attacks force a victim user to perform unintended actions on a website. If a website is vulnerable to CSRF, an attacker can bypass the same-origin policy, which usually prevents websites from interfering with each other. This means the attacker can create a web page that causes the victim user's browser to submit a request directly to the vulnerable website.

You can use Burp Suite Professional to automatically generate HTML for a proof-of-concept (PoC) CSRF attack. This is much quicker and easier than manually creating the HTML, which can be particularly cumbersome when the request contains a larger number of parameters.

Steps

You can follow along with the process below using our lab: CSRF vulnerability with no defenses.

To generate a CSRF proof-of-concept:

  1. Identify a request that you think may be vulnerable to CSRF. You can use Burp Scanner to identify requests that are potentially vulnerable.

    Identify a potentially vulnerable request
  2. Right-click the request and select Engagement tools > Generate CSRF PoC. A dialog opens with HTML based on the selected request.
  3. In the HTML, edit the value in the fields you want to change in the PoC attack. For example, the email value in the change email request.

    Edit the email field
  4. Click Copy HTML to copy the HTML to your clipboard.
  5. Paste the HTML into a web page. If you're using the lab, paste the HTML into the exploit server instead.
  6. View the web page in a browser that is logged into the vulnerable website.
  7. Review the response in your browser and Burp's HTTP history to see whether the desired action occurred. In this example, the user's email address is successfully updated.

    Review the response
  8. To verify the vulnerability, log into the application with a different account. Repeat the attack with the same HTML. A successful attack confirms that the application is vulnerable to CSRF.

Was this article helpful?