This Burp extension (a session handling action) syncs the _csrf body parameter with the value of the CSRF-TOKEN cookie in the same request.
from burp import IBurpExtender
from burp import IBurpExtenderCallbacks
from burp import IParameter
from burp import ISessionHandlingAction
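class BurpExtender(IBurpExtender, ISessionHandlingAction):
    """Session handling action that keeps the ``_csrf`` body parameter in
    step with the ``CSRF-TOKEN`` cookie carried by the same request.

    Burp calls ``performAction`` for every request that a session handling
    rule routes to this action.  When the body token differs from the cookie
    token, the body parameter is rewritten with the cookie's value; the
    request is otherwise left untouched.  Token values are deliberately never
    written to the extension output.
    """

    # Parameter names that are kept in sync.  Class attributes so that a
    # subclass can re-target the action without touching the method bodies.
    BODY_PARAM_NAME = '_csrf'
    COOKIE_PARAM_NAME = 'CSRF-TOKEN'
    EXTENSION_NAME = 'CSRF Body Syncro'

    def registerExtenderCallbacks(self, callbacks):
        """Store the Burp callbacks and helpers, then register this action.

        Args:
            callbacks: the IBurpExtenderCallbacks instance handed over by Burp.
        """
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        self._callbacks.setExtensionName(self.EXTENSION_NAME)
        self._callbacks.registerSessionHandlingAction(self)
        print('[*] ' + self.EXTENSION_NAME)

    def getActionName(self):
        """Return the name shown in Burp's session handling rule editor."""
        return self.EXTENSION_NAME

    def _find_parameter(self, request, name, param_type):
        """Return the first parameter of *request* called *name* whose kind is
        *param_type* (an ``IParameter.PARAM_*`` constant), or ``None``.

        ``getRequestParameter`` matches on name alone, so a URL or body
        parameter that happens to share the cookie's name would be mistaken
        for the cookie (and vice versa); filtering on the type closes that
        gap.
        """
        request_info = self._helpers.analyzeRequest(request)
        for parameter in request_info.getParameters():
            if parameter.getName() == name and parameter.getType() == param_type:
                return parameter
        return None

    def performAction(self, currentRequest, macroItems):
        """Copy the CSRF-TOKEN cookie value into the _csrf body parameter.

        Args:
            currentRequest: the IHttpRequestResponse about to be issued.
            macroItems: macro results supplied by Burp; unused here.
        """
        request = currentRequest.getRequest()
        body_parameter = self._find_parameter(
            request, self.BODY_PARAM_NAME, IParameter.PARAM_BODY)
        cookie_parameter = self._find_parameter(
            request, self.COOKIE_PARAM_NAME, IParameter.PARAM_COOKIE)

        if body_parameter is None or cookie_parameter is None:
            print('[-] Parameter missing')
            return

        cookie_value = cookie_parameter.getValue()
        if body_parameter.getValue() == cookie_value:
            print('[*] Parameters matching - nothing to do')
            return

        print('[+] Updating Body CSRF Token')
        # Rebuild the body parameter with the cookie's value, keeping its
        # original name and type so updateParameter replaces it in place.
        new_parameter = self._helpers.buildParameter(
            body_parameter.getName(), cookie_value, body_parameter.getType())
        currentRequest.setRequest(
            self._helpers.updateParameter(request, new_parameter))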