EasyCSRF extension for Burp

EasyCSRF helps you find weak CSRF protection in web applications that can be bypassed easily. For example, content-type-based protection for APIs (REST API, GraphQL API, etc.) or CSRF protection that relies on an obscure data format (a binary format, etc.) is known to be weak. I presented some tricks for bypassing CSRF protection at the ZeroNights 2017 conference.

EasyCSRF is not a scanner, deal with it. A scanner implementation does not let you quickly check a large web application with a mixture of APIs and endpoints for CSRF vulnerabilities, and it produces more false positives/negatives. EasyCSRF is a trade-off between a manual and a fully automatic check.

The extension automatically modifies POST/PUT/DELETE/PATCH requests and highlights the modified requests in the Proxy HTTP history. The researcher triggers actions in the web application and judges from the application's UI which modified requests failed and which succeeded. Actions that still succeed after modification are potentially interesting and should be investigated further.

With EasyCSRF you can find APIs or endpoints whose CSRF protection relies on the content type, the Referer header, an obscure data format, etc.

EasyCSRF is written in Python (like every Python Burp extension it runs under Jython, which must be configured in Burp first) and works with both Burp Suite Community/Free and Professional. To install it, follow the standard instructions for loading a Python extension in Burp Suite. When the extension is loaded, an EasyCSRF tab with three inner tabs (Settings, CSRF params/headers to remove, Requests whitelist) is added.

Settings

The Settings inner tab allows you to configure the following options:

  • Enable/disable the EasyCSRF extension.
  • Modify all requests or only in-scope requests.
  • Remove HTTP headers that are used for CSRF protection.
  • Remove the CSRF token from parameters. URL-encoded, multipart and JSON parameters are supported.
  • Change the PUT/DELETE/PATCH method to POST.
  • Convert a URL-encoded body to JSON format.
  • Set the Content-Type header to text/plain.
  • Change a POST/PUT/DELETE/PATCH request with a URL-encoded body to a GET request.

The first four options are turned on by default.

The CSRF params/headers to remove inner tab allows you to configure the names of the parameters and headers that are used for CSRF protection. EasyCSRF removes these parameters and headers from requests.
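The options above are easier to reason about when you can see each rewrite applied to a concrete request. The following is an added, stand-alone illustration, not EasyCSRF's own code: it works on a raw HTTP/1.1 request string rather than on Burp's request objects, and the header and parameter names it strips are assumed defaults (in the extension they come from the CSRF params/headers to remove tab). The sample request in the usage lines is constructed.

```python
"""Added example: the Settings-tab rewrites applied to a raw HTTP request.
Not EasyCSRF's code; names in CSRF_HEADERS/CSRF_PARAMS are assumed defaults."""
import json
import re
from urllib.parse import parse_qsl, urlencode

CSRF_HEADERS = {"x-csrf-token", "x-xsrf-token", "x-requested-with", "origin", "referer"}
CSRF_PARAMS = {"csrf", "csrf_token", "_csrf", "authenticity_token", "__requestverificationtoken"}

# Mirrors the README: header/parameter removal is on by default, the rest is opt-in.
DEFAULT_SETTINGS = {"remove_headers": True, "remove_params": True, "method_to_post": False,
                    "urlencoded_to_json": False, "text_plain": False, "to_get": False}
MUTATED_METHODS = ("POST", "PUT", "DELETE", "PATCH")


def parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, path, version, headers, body


def get_header(headers, name):
    return next((v for n, v in headers if n.lower() == name.lower()), None)


def set_header(headers, name, value):
    """Replace a header case-insensitively; value=None drops it."""
    kept = [(n, v) for n, v in headers if n.lower() != name.lower()]
    return kept + ([(name, value)] if value is not None else [])


def strip_params(query):
    """Remove token parameters from a url-encoded string (body or query)."""
    return urlencode([(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
                      if k.lower() not in CSRF_PARAMS])


def strip_csrf_from_body(body, ctype):
    """Drop token parameters from url-encoded, JSON or multipart bodies."""
    if ctype.startswith("application/x-www-form-urlencoded"):
        return strip_params(body)
    if ctype.startswith("application/json"):
        try:
            obj = json.loads(body)
        except ValueError:
            return body
        if isinstance(obj, dict) and any(k.lower() in CSRF_PARAMS for k in obj):
            return json.dumps({k: v for k, v in obj.items() if k.lower() not in CSRF_PARAMS})
        return body
    if ctype.startswith("multipart/form-data"):
        m = re.search(r'boundary="?([^";]+)"?', ctype)
        if not m:
            return body
        delim = "--" + m.group(1)

        def is_token_part(part):  # part text begins with the part's own headers
            nm = re.search(r'\bname="([^"]*)"', part)
            return bool(nm) and nm.group(1).lower() in CSRF_PARAMS
        return delim.join(p for p in body.split(delim) if not is_token_part(p))
    return body


def mutate(raw, settings=None):
    """Return (request, changed) after applying the enabled rewrites in order."""
    s = dict(DEFAULT_SETTINGS, **(settings or {}))
    method, path, version, headers, body = parse_request(raw)
    if method not in MUTATED_METHODS:
        return raw, False
    ctype = get_header(headers, "Content-Type") or ""
    changed = False
    if s["remove_headers"]:
        new_headers = [(n, v) for n, v in headers if n.lower() not in CSRF_HEADERS]
        changed, headers = changed or new_headers != headers, new_headers
    if s["remove_params"]:
        if "?" in path:
            base, query = path.split("?", 1)
            new_query = strip_params(query)
            new_path = base + ("?" + new_query if new_query else "")
            changed, path = changed or new_path != path, new_path
        new_body = strip_csrf_from_body(body, ctype)
        changed, body = changed or new_body != body, new_body
    if s["method_to_post"] and method != "POST":
        method, changed = "POST", True
    if s["urlencoded_to_json"] and ctype.startswith("application/x-www-form-urlencoded"):
        body, ctype = json.dumps(dict(parse_qsl(body, keep_blank_values=True))), "application/json"
        headers, changed = set_header(headers, "Content-Type", ctype), True
    if s["text_plain"] and body:
        headers, changed = set_header(headers, "Content-Type", "text/plain"), True
    if s["to_get"] and ctype.startswith("application/x-www-form-urlencoded"):
        if body:  # move the url-encoded body into the query string
            path += ("&" if "?" in path else "?") + body
        method, body, changed = "GET", "", True
        headers = set_header(headers, "Content-Type", None)
    if not changed:
        return raw, False
    headers = set_header(headers, "Content-Length", str(len(body.encode())) if body else None)
    head = "\r\n".join([f"{method} {path} {version}"] + [f"{n}: {v}" for n, v in headers])
    return head + "\r\n\r\n" + body, True


if __name__ == "__main__":  # constructed sample request
    SAMPLE = ("POST /api/v1/profile HTTP/1.1\r\nHost: app.example\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\nX-CSRF-Token: abc\r\n"
              "Referer: https://app.example/\r\nContent-Length: 28\r\n\r\nname=bob&csrf_token=deadbeef")
    print(mutate(SAMPLE, {"urlencoded_to_json": True, "text_plain": True})[0])
```

Running the block prints the sample request with the token header, Referer and csrf_token parameter removed, the body re-encoded as JSON and the Content-Type switched to text/plain, which is the shape of request whose success in the target UI you are looking for. Note that the GET conversion only applies to url-encoded bodies and is skipped when the body has already been turned into JSON, so the last three options are best toggled one at a time.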


The Requests whitelist inner tab allows you to specify a whitelist of URLs. If a request's URL starts with a URL in the whitelist, EasyCSRF does not modify that request. Note that you must include the port number when adding a URL to the whitelist manually (this is also true for ports 80 and 443).


URLs can also be added to the whitelist via the context menu item >> Add to EasyCSRF whitelist <<: select the part of the path (starting with /) in the Request Viewer or Repeater and invoke the context menu.
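The port rule is the usual stumbling block when entries are typed in by hand, so here is an added illustration of the prefix match (not EasyCSRF's own code). It assumes the extension compares entries against the request URL with its port spelled out, which is why "https://app.example/login" never matches while "https://app.example:443/login" does; the normalise_entries switch is a convenience this example adds, not something the extension offers.

```python
"""Added example: whitelist prefix match with an explicit port.
Not EasyCSRF's code; assumes request URLs are compared with the port included."""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def with_explicit_port(url):
    """http://host/p -> http://host:80/p; URLs that already carry a port are unchanged."""
    parts = urlsplit(url)
    if parts.port is not None or parts.scheme.lower() not in DEFAULT_PORTS:
        return url
    netloc = f"{parts.hostname}:{DEFAULT_PORTS[parts.scheme.lower()]}"
    return urlunsplit(parts._replace(netloc=netloc))


def request_url(scheme, host_header, path):
    """URL a proxied request is matched under: scheme + Host header + path, port made explicit."""
    return with_explicit_port(f"{scheme}://{host_header}{path}")


def is_whitelisted(url, whitelist, normalise_entries=False):
    """Skip the request when its URL starts with any whitelist entry.
    normalise_entries=True adds the default port to entries that lack one."""
    entries = [with_explicit_port(e) if normalise_entries else e for e in whitelist]
    return any(url.startswith(e) for e in entries)


if __name__ == "__main__":  # constructed sample
    url = request_url("https", "app.example", "/login?next=/")
    print(url, is_whitelisted(url, ["https://app.example/login"]),
          is_whitelisted(url, ["https://app.example:443/login"]))
```

Running it prints the request URL followed by False and True: the entry without a port silently fails to match, so the login request would still be rewritten and the session you rely on for the rest of the test may never be established.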


Probable usage scenario

  1. Add the URLs you want to test to Burp's Target Scope.
  2. Add the URLs you want to skip (login URLs, etc.) to the EasyCSRF whitelist.
  3. In Burp's Proxy History, filter on Show only highlighted items for convenience.
  4. Browse the web application, perform actions and watch for actions that still succeed.
  5. Find the succeeded actions in Burp's Proxy History and investigate them further or construct a PoC.
