Burp, Web Penetration Testing

Using Burp Intruder to Test CSRF Protected Applications

1. Open Intruder Tab

2. Define Attack Target

3. Select Pitchfork as Attack type. Define your payload positions.

4. Define the grep rule. Open the Options tab -> click the Add button under the Grep - Extract section. A new window opens -> click the Fetch response button, select your CSRF token value in the response and press OK.

5. Select payload types. Open the Payloads tab -> select Recursive grep for Payload Set 1 (CSRF token). Choose payload types for the other sets as well.

6. Set payload options for every set. For set 1 (CSRF token) you should see the grep-extract regex. Set an initial payload for the first request (the token from a request you have already made), since there is no previous response to extract it from.

7. Set the number of threads to 1. Each request needs the token extracted from the previous response, so requests cannot run in parallel.

8. Start Attack
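The following is an added example (not part of the original page, and not Burp's own code) that reproduces the recursive-grep mechanic in plain Python so the reason for steps 5 to 7 is visible. It assumes a constructed stand-in application (`TokenRotatingApp`, with the hypothetical field name `csrf_token`) that issues a fresh single-use token in every response and accepts a POST only when it echoes the most recently issued token. `run_pitchfork` walks two payload sets in lockstep, pulling the token for request N+1 out of response N exactly as Intruder's Recursive grep does, and `reuse_token_twice` shows what happens when the chain is broken (the situation you get with more than one thread).

```python
import re
import secrets
from typing import Dict, List, Tuple

# Constructed stand-in for a CSRF-protected application (not a real server).
# Every response carries a fresh single-use token in a hidden form field; a POST
# is accepted only if it echoes the token issued by the immediately preceding
# response. This is the behaviour the Burp steps above are designed to cope with.
class TokenRotatingApp:
    def __init__(self) -> None:
        self.current_token = secrets.token_hex(8)

    def _render(self) -> str:
        # Hypothetical profile form; field names are assumptions for the example.
        return (
            '<form method="post" action="/profile">'
            f'<input type="hidden" name="csrf_token" value="{self.current_token}">'
            '<input name="display_name"><input name="timezone"></form>'
        )

    def get_form(self) -> str:
        # A GET issues a new token and renders the form carrying it.
        self.current_token = secrets.token_hex(8)
        return self._render()

    def post(self, fields: Dict[str, str]) -> Tuple[int, str]:
        # Validate the submitted token against the one issued last, then rotate.
        if fields.get("csrf_token") != self.current_token:
            self.current_token = secrets.token_hex(8)
            return 403, self._render()
        self.current_token = secrets.token_hex(8)
        return 200, self._render()


# Equivalent of the Grep - Extract rule from step 4: a regex anchored on the
# text around the token value in the response.
TOKEN_RE = re.compile(r'name="csrf_token" value="([0-9a-f]+)"')


def extract_token(body: str) -> str:
    """Pull the CSRF token out of a response body (the grep-extract step)."""
    match = TOKEN_RE.search(body)
    if match is None:
        raise ValueError("no CSRF token found in response")
    return match.group(1)


def run_pitchfork(app: TokenRotatingApp, names: List[str],
                  zones: List[str]) -> List[Tuple[str, str, int]]:
    """Pitchfork-style run: payload sets advance together, one request at a time.

    Set 1 (the token) is never supplied by the caller; it is recursively grepped
    from the previous response. The very first token comes from an initial fetch,
    which is what the 'initial payload' in step 6 stands in for.
    """
    token = extract_token(app.get_form())
    results = []
    for name, zone in zip(names, zones):
        status, body = app.post(
            {"csrf_token": token, "display_name": name, "timezone": zone}
        )
        results.append((name, zone, status))
        # Recursive grep: the payload for the next request is extracted from
        # this response, so requests must be strictly sequential (step 7).
        token = extract_token(body)
    return results


def reuse_token_twice(app: TokenRotatingApp) -> List[int]:
    """Break the chain by sending the same token twice.

    This is what happens when two threads share one extracted token: the first
    request consumes it and the second is rejected.
    """
    token = extract_token(app.get_form())
    fields = {"csrf_token": token, "display_name": "x", "timezone": "UTC"}
    first, _ = app.post(fields)
    second, _ = app.post(fields)
    return [first, second]


if __name__ == "__main__":
    app = TokenRotatingApp()
    for name, zone, status in run_pitchfork(app, ["alice", "bob"], ["UTC", "CET"]):
        print(f"{name:<6} {zone:<4} -> HTTP {status}")
    print("stale token replay ->", reuse_token_twice(TokenRotatingApp()))
```

Running the module prints an HTTP 200 for every sequential pitchfork request and `[200, 403]` for the replayed token, which is the same outcome you would see in Intruder's results table if the thread count were raised above 1.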