Generate CSRF PoC
Last updated: March 17, 2023
Read time: 3 Minutes
You can use this function to generate a proof-of-concept (PoC) cross-site request forgery (CSRF) attack for a given request.
To access this function:
- Select a URL or HTTP request from anywhere in Burp.
- Right-click and select Engagement tools > Generate CSRF PoC.
You can edit the request manually. Click Regenerate to regenerate the CSRF HTML based on your edited request.
To test the effectiveness of the generated PoC in Burp's browser:
- Click Test in browser.
- Copy and paste the unique URL into Burp's browser. The browser request is served by Burp with the currently displayed HTML.
- To determine whether the PoC is effective, monitor the requests that are made through the Proxy.
Some points should be noted regarding CSRF techniques:
- Some requests have bodies (such as XML or JSON) that can only be generated using either a form with plain text encoding, or a cross-domain XHR. In the former case, the resulting request will include the header Content-Type: text/plain. In the latter case, the request can include any Content-Type header, but will only qualify as a simple cross-domain request if the Content-Type header has one of the standard values that may be specified for normal HTML forms. This avoids the need for a pre-flight request, which can break the attack. In some cases, although the message body exactly matches that required for the attack request, the application may reject the request due to an unexpected Content-Type header. Such CSRF-like conditions might not be practically exploitable. Burp will display a warning in the CSRF PoC generator if this is likely to occur.
- If you manually select a CSRF technique that cannot be used to produce the required request, Burp generates a best effort at a PoC and displays a warning.
- If the CSRF PoC generator uses plain text encoding, the request body must contain an equals character. This is necessary for Burp to generate an HTML form which results in that exact body. If the original request does not contain an equals character, you may be able to introduce one at a suitable position in the request, without affecting the server's processing of it.
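As an added example (not Burp's own code, and not how Burp builds its HTML), the following JavaScript models the two constraints listed above: the three Content-Type values that a browser sends cross-origin without a pre-flight, and the way a form with plain text encoding serialises its fields, which is why a body can only be reproduced exactly when it contains an equals character. The function names (isSimpleContentType, encodeTextPlainForm, assessRequest) are this example's own, and the sample bodies are constructed.

```javascript
// Added example, not Burp's code: checks a request against the CSRF-technique
// caveats described in the text before any PoC is generated.

// The three Content-Type values a browser may send cross-origin without a
// CORS pre-flight (the "simple request" rule).
const SIMPLE_CONTENT_TYPES = [
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
];

// Strips parameters such as charset and lower-cases the media type.
function mediaType(header) {
  return header.split(";")[0].trim().toLowerCase();
}

// True when the header value is one of the values that avoid a pre-flight.
function isSimpleContentType(header) {
  return SIMPLE_CONTENT_TYPES.includes(mediaType(header));
}

// Simulates how a browser serialises a form with enctype="text/plain":
// every field becomes name, "=", value, then CRLF. Nothing is percent-encoded,
// which is why this encoding can carry an arbitrary body, at the price of a
// mandatory "=" separator and a trailing CRLF after each field.
function encodeTextPlainForm(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join("");
}

// Splits a target body at its first "=" into the [name, value] pair a single
// plain-text form field would need. A trailing CRLF is dropped from the value
// because the encoder adds it back. Returns null when the body has no "=".
function splitAtFirstEquals(body) {
  const i = body.indexOf("=");
  if (i === -1) return null;
  let value = body.slice(i + 1);
  if (value.endsWith("\r\n")) value = value.slice(0, -2);
  return [body.slice(0, i), value];
}

// Reports which of the caveats apply to a request with the given
// Content-Type header value and body.
function assessRequest(contentType, body) {
  const result = {
    simpleContentType: isSimpleContentType(contentType),
    formField: null,
    producedBody: null,
    warnings: [],
  };

  if (!result.simpleContentType) {
    result.warnings.push(
      `"${contentType}" is not a simple Content-Type; a cross-domain XHR would trigger a pre-flight`
    );
  }

  result.formField = splitAtFirstEquals(body);
  if (result.formField === null) {
    result.warnings.push("body contains no '='; a plain-text form cannot produce it");
    return result;
  }
  if (result.formField[0] === "") {
    // Browsers omit form controls whose name is empty when building the entry list.
    result.warnings.push("field name would be empty; browsers drop unnamed controls");
  }

  result.producedBody = encodeTextPlainForm([result.formField]);
  if (result.producedBody !== body) {
    result.warnings.push("plain-text form appends CRLF; produced body is not an exact match");
  }
  if (mediaType(contentType) !== "text/plain") {
    result.warnings.push(
      `server would receive Content-Type: text/plain instead of ${mediaType(contentType)}; a strict parser may reject it`
    );
  }
  return result;
}

// Constructed sample: a JSON body that contains no "=" at all.
console.log(JSON.stringify(assessRequest("application/json", '{"theme":"dark"}'), null, 2));
// Constructed sample: a JSON body that happens to contain an "=".
console.log(JSON.stringify(assessRequest("application/json", '{"note":"a=b"}'), null, 2));
```

The producedBody field shows exactly what the browser would send for the chosen split, so it can be compared byte-for-byte with the target body; the warnings list mirrors the situations in which Burp's generator reports that a PoC may not be practically exploitable.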
CSRF PoC options
To access the options, click Options:
- CSRF technique - Specify the type of CSRF technique to use in the HTML that generates the CSRF request. The Auto option is generally preferred, and causes Burp to select the most appropriate technique capable of generating the required request.