
My issue is that I am attempting to fuzz a 2 stage login for a custom webapp.

What I need to do is GET for the initial page which will provide me with an anti-csrf token and a sessionID.

From there I POST a username, whose response will provide me with another token.

That second token will be used in the final POST along with the anti-csrf token and sessionID to submit the password to the server. The username is only linked to the second POST through the second token which is tracked at each login attempt so a new one is required at each login attempt.

Ideally I would like to fuzz both POSTs in a chain using Intruder, but will settle for a macro chain that will allow parameters from the GET and first POST to be passed to Intruder, at which point the password field will be fuzzed and submitted to the server.

I've done some research on Burp macros and it seems like it should be possible, although unorthodox for their normal use. The issue I'm having is with the extraction and passing of the parameters to Intruder.

Any help would be greatly appreciated, thank you.

Desblock

1 Answer


This can normally be done by macros and session handling rules. As I understand it you have three requests:

  1. Fetch CSRF token
  2. Post user name
  3. Post password

The first step is to reproduce these in your browser, with Burp configured as a proxy.

Then create a Macro with requests 1 and 2. In the Macro Editor, select request 2, and click Configure Item. If the CSRF token is a hidden field, it should have automatically detected this, and in Parameter handling you will see something like "csrf_token - derive from prior response". If not - you may need to configure this manually. You may need to do Configure Item on request 1, and define a custom parameter location. You can then use Test Macro to confirm this is working.

Next, create a Session Handling Rule. Set the scope to cover the URL and path for request 3. Add an action that is Run a Macro, select your macro, and leave this option enabled: "Update current request with parameters matched from final macro response".

Then send request 3 to Repeater. When you click Go, the macro will run, and you should see your request be updated with new token values. If not - use session tracer to work out what is going wrong.

Once it's working in Repeater you can use other tools like Intruder, Scanner, etc.

Your idea about fuzzing both requests in a chain is interesting. I can't think of an easy way to do it, but that would be an interesting extension to write.

PortSwigger
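As an added illustration, and not part of the answer above or Burp's own code, here is the same three-request chain written as a standalone Python script. It plays the role of the macro (requests 1 and 2, token extraction from a Set-Cookie header and hidden form fields) followed by the fuzzed request 3, rerunning the whole chain once per password so every attempt carries fresh tokens. Because it has to run offline, it talks to a constructed in-memory stand-in for the two-stage login server rather than a real app; the parameter names `SESSIONID`, `csrf_token` and `login_token`, the credentials and the status codes are all assumptions for the example. The `replay_without_macro` function demonstrates the failure mode the question describes: submitting request 3 twice without rerunning the macro reuses a consumed login token and is rejected before the password is ever checked, which is exactly why the session handling rule must fire on every Intruder request.

```python
import re
import secrets


# Constructed stand-in for the asker's two-stage login app; it is not the real
# server. It enforces the token chain the question describes: a session cookie
# plus anti-CSRF token from the GET, and a single-use login token that the
# username POST issues and the password POST consumes.
class MockTwoStageServer:
    def __init__(self, username, password):
        self._user, self._pw = username, password
        self.sessions = {}   # SESSIONID -> per-session token state
        self.attempts = 0    # password POSTs seen, for the caller to inspect

    def get_login_page(self):
        sid, csrf = secrets.token_hex(8), secrets.token_hex(8)
        self.sessions[sid] = {"csrf": csrf, "login_token": None, "user": None}
        body = f'<input type="hidden" name="csrf_token" value="{csrf}">'
        return {"Set-Cookie": f"SESSIONID={sid}; HttpOnly"}, 200, body

    def post_username(self, cookies, form):
        s = self.sessions.get(cookies.get("SESSIONID"))
        if s is None or form.get("csrf_token") != s["csrf"]:
            return {}, 403, "bad csrf"
        tok = secrets.token_hex(8)
        s["login_token"], s["user"] = tok, form.get("username")
        return {}, 200, f'<input type="hidden" name="login_token" value="{tok}">'

    def post_password(self, cookies, form):
        self.attempts += 1
        s = self.sessions.get(cookies.get("SESSIONID"))
        if s is None or form.get("csrf_token") != s["csrf"]:
            return {}, 403, "bad csrf"
        # The login token is consumed on every attempt, right or wrong, which is
        # why request 3 cannot simply be replayed with a different password.
        expected, s["login_token"] = s["login_token"], None
        if expected is None or form.get("login_token") != expected:
            return {}, 403, "stale or missing login token"
        if s["user"] == self._user and form.get("password") == self._pw:
            return {}, 302, "Location: /home"
        return {}, 401, "bad password"


HIDDEN_INPUT = re.compile(r'name="([^"]+)"\s+value="([^"]+)"')


def session_cookie(headers):
    """Pull SESSIONID out of a Set-Cookie header (the cookie-jar part of the macro)."""
    m = re.search(r"SESSIONID=([^;]+)", headers.get("Set-Cookie", ""))
    return {"SESSIONID": m.group(1)} if m else {}


def hidden_fields(body):
    """Extract hidden-input name/value pairs, like Burp's 'derive from prior response'."""
    return dict(HIDDEN_INPUT.findall(body))


def login_attempt(server, username, password):
    """One full chain: GET -> POST username -> POST password.
    Steps 1 and 2 are what the macro replays; step 3 is the fuzzed request."""
    headers, _, body = server.get_login_page()
    cookies = session_cookie(headers)
    fields = hidden_fields(body)                       # csrf_token
    _, status, body = server.post_username(cookies, {**fields, "username": username})
    if status != 200:
        return status
    fields.update(hidden_fields(body))                 # adds login_token
    _, status, _ = server.post_password(cookies, {**fields, "password": password})
    return status


def fuzz_passwords(server, username, wordlist):
    """Run the chain once per candidate so every attempt carries fresh tokens,
    which is what the session handling rule does for each Intruder payload."""
    return {pw: login_attempt(server, username, pw) for pw in wordlist}


def replay_without_macro(server, username, first_pw, second_pw):
    """Failure mode of fuzzing request 3 alone: the second submission reuses the
    consumed login token and is rejected before the password is checked."""
    headers, _, body = server.get_login_page()
    cookies = session_cookie(headers)
    fields = hidden_fields(body)
    _, _, body = server.post_username(cookies, {**fields, "username": username})
    fields.update(hidden_fields(body))
    statuses = []
    for pw in (first_pw, second_pw):
        _, status, _ = server.post_password(cookies, {**fields, "password": pw})
        statuses.append(status)
    return tuple(statuses)


if __name__ == "__main__":
    srv = MockTwoStageServer("alice", "hunter2")      # constructed credentials
    print(fuzz_passwords(srv, "alice", ["password", "letmein", "hunter2"]))
    print(replay_without_macro(MockTwoStageServer("alice", "hunter2"), "alice", "a", "b"))
```

Against a real target, `MockTwoStageServer` would be replaced by an HTTP client (for example `requests.Session`, which handles the cookie jar for you) and the two regexes adjusted to the app's actual field names; the structure of `login_attempt` is what matters, since it is the same "run the macro, then send the fuzzed request" sequence the session handling rule automates inside Burp.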