The magic of macros in Burp Suite

Hello! If you think you already know everything about Burp Suite, I have a surprise for you! This powerful web application testing tool contains even more features that can significantly simplify and speed up your work. Today we will look at macros in practice and see how they can become a reliable assistant when testing and analyzing web applications.

A little introductory information

P.S. Available in the Pro version*

Just recently I was working through the “Bypassing 2FA with Brute Force” lab on PortSwigger, where the CSRF token had to be refreshed before each request. Of course, you could write a script that, before each iteration, makes a GET request to the required page and parses the token out of it, for example:

from bs4 import BeautifulSoup

def get_csrf_token(text):
    # Parse the HTML returned by GET /login or GET /login2 and return the value
    # of the hidden "csrf" input, which must be sent with the following POST
    soup = BeautifulSoup(text, 'html.parser')
    return soup.find('input', attrs={'name': 'csrf'})['value']

But another more elegant option is to use macros.

Let's look at it in practice

So let's look at the lab description:

The task is clear. Now let's look at how the login flow works.

GET /login -> POST /login -> GET /login2 -> POST /login2

It is worth noting that after two unsuccessful attempts to enter the verification code, we are redirected back to /login. It is also important that each POST request must carry a “one-time” CSRF token, which we receive in the server's response to GET /login and GET /login2:

Now we know that it is necessary to refresh the token regularly. Macros will help us with this task.

To do this, go to Project options -> Sessions -> Session Handling Rules -> Add

Let's set the scope right away:

Now let's create a new rule “Run a macro”

Let's create a macro by clicking on “Add”

In this window, select the required sequence of requests. In our case this is GET /login -> POST /login -> GET /login2

Just in case, it’s better to make sure that everything works by clicking on the “Test macro” button

As you can see, the macro was successfully created:

Now let's go to Intruder and configure it as needed

And let's run:

Bingo! We were able to automate a rather tedious process. Keep in mind that in this example the method costs “4 requests per 1 request”: the three macro requests (GET /login, POST /login, GET /login2) are replayed before every attack request, which significantly slows down the attack. Even so, this functionality is very convenient and useful for automating such processes. Good luck!
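To make that cost concrete, here is an added example (mine, not code from the post or from PortSwigger) that models the lab's flow in memory: one-time CSRF tokens, the 2FA step, and the reset to /login after two wrong codes. The username, password, code and token format are constructed placeholders; run_macro replays exactly the GET /login -> POST /login -> GET /login2 sequence the session handling rule performs, and the request counter shows why each attempt costs four requests.

```python
import re, secrets

class FakeApp:
    """Constructed stand-in for the lab server: one-time CSRF tokens, a 2FA step,
    and a reset to /login after two wrong verification codes."""
    def __init__(self, user="wiener", password="peter", code="1234"):
        self.creds, self.code = (user, password), code   # placeholder lab values
        self.tokens, self.stage, self.failures = {}, {}, {}   # keyed by session id
        self.requests = 0   # every request served, to show the macro's cost

    def get(self, path, session):
        self.requests += 1
        if path == "/login2" and self.stage.get(session) != "login2":
            return 302, "/login"                     # first step not passed
        token = secrets.token_hex(8)
        self.tokens[session] = token                  # replaces any earlier token
        return 200, f'<input name="csrf" value="{token}">'

    def post(self, path, session, form):
        self.requests += 1
        if form.get("csrf") != self.tokens.pop(session, None):
            return 400, "Invalid CSRF token"          # missing, stale or reused
        if path == "/login":
            ok = (form.get("username"), form.get("password")) == self.creds
            self.stage[session] = "login2" if ok else "login"
            return (302, "/login2") if ok else (401, "Invalid credentials")
        if self.stage.get(session) != "login2":
            return 302, "/login"
        if form.get("mfa-code") == self.code:
            self.stage[session] = "done"
            return 302, "/my-account"
        self.failures[session] = self.failures.get(session, 0) + 1
        if self.failures[session] >= 2:               # second miss: back to /login
            self.failures[session], self.stage[session] = 0, "login"
            return 302, "/login"
        return 401, "Incorrect security code"

CSRF = re.compile(r'name="csrf" value="([0-9a-f]+)"')

def run_macro(app, session, user="wiener", password="peter"):
    """The three requests the rule replays before each Intruder request:
    GET /login -> POST /login -> GET /login2. Returns the fresh token or None."""
    _, html = app.get("/login", session)
    form = {"csrf": CSRF.search(html)[1], "username": user, "password": password}
    app.post("/login", session, form)
    status, html = app.get("/login2", session)
    return CSRF.search(html)[1] if status == 200 else None

def submit_code(app, session, code, token):
    # The Intruder request itself: POST /login2 with the token the macro fetched
    return app.post("/login2", session, {"csrf": token, "mfa-code": code})
```

Sending the same token twice is rejected as a CSRF failure rather than a wrong code, which is exactly the situation the macro exists to avoid.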

P.S. When I found out that Burp could do this, I was very surprised and decided to share it with people. Maybe someone else didn't know either 🙂
