The magic of macros in Burp Suite
Hello! If you think you know everything about Burp Suite, I'll surprise you! This powerful tool for testing web applications contains even more features that can significantly simplify and speed up your work. Today we will study the functionality of macros in practice and see how they can become a reliable assistant in the process of testing and analyzing web applications.
A little introductory information
PS: Available in the Pro version*
Just recently I was working through the lab “Bypassing 2FA with Brute Force” on PortSwigger, where the CSRF token had to be refreshed before each request. Of course, you could write a script that, before each iteration, makes a GET request to the desired page and parses the token out of the response, for example:
from bs4 import BeautifulSoup

def get_csrf_token(text):
    # Parse the HTML response and return the value of the hidden "csrf" input
    soup = BeautifulSoup(text, 'html.parser')
    return soup.find('input', attrs={'name': 'csrf'})['value']
But another, more elegant option is to use macros.
Let's look at it in practice
So let's look at the task description:
Everything is clear here. Now let's look at how the authorization logic works:
GET /login -> POST /login -> GET /login2 -> POST /login2
It is worth noting that after two unsuccessful attempts to enter the verification code, we are redirected back to /login. It is also important that a “one-time” CSRF token is used for each POST request; we receive it in the server's response to GET /login and GET /login2:
Now we know that it is necessary to refresh the token regularly. Macros will help us with this task.
To do this, go to Project options -> Sessions -> Session Handling Rules -> Add.
Let's immediately select a scope:
Now let's create a new rule of the type “Run a macro”:
Let's create the macro by clicking on “Add”:
In this window, select the required sequence of requests. In our case, this is GET /login -> POST /login -> GET /login2.
Just in case, it's better to make sure everything works by clicking the “Test macro” button:
As you can see, the macro was successfully created:
Now let's go to Intruder and configure it as needed:
And let's run it:
Bingo! We were able to automate a rather tedious process. Keep in mind that in this example the method costs “4 requests per 1 request”, which noticeably slows down completing the task. In any case, this functionality is very convenient and useful for automating some processes. Good luck!
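To make the macro's job concrete, here is an added example (not code from the original post and not PortSwigger's lab) that simulates the whole chain in plain Python: a constructed stand-in server that hands out a one-time CSRF token on every GET, consumes it on POST, and sends the user back to /login after two wrong codes, plus a run_macro() function that replays GET /login -> POST /login -> GET /login2 exactly as the session handling rule does before each Intruder request. The credentials and code (wiener / peter / 1234), the FakeLabServer class and its return tuples are all assumptions made for the example; the CSRF extraction uses the standard-library HTMLParser instead of BeautifulSoup so the block runs without extra packages.

```python
"""Simulate a Burp session-handling macro that refreshes a one-time CSRF token.
FakeLabServer is a constructed stand-in for the lab, not the real application."""
from html.parser import HTMLParser
import secrets


class CsrfExtractor(HTMLParser):
    """Pull the value of <input name="csrf"> out of an HTML body (stdlib only)."""

    def __init__(self):
        super().__init__()
        self.token = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "csrf":
            self.token = a.get("value")


def get_csrf_token(html):
    parser = CsrfExtractor()
    parser.feed(html)
    if parser.token is None:
        raise ValueError("no csrf input in response")
    return parser.token


class FakeLabServer:
    """Constructed stand-in: each GET issues a fresh one-time CSRF token, each POST
    consumes it, and two wrong MFA codes reset the session back to /login.
    Every call returns (status, location, session_id, body)."""

    def __init__(self, username, password, mfa_code):
        self.creds = (username, password)
        self.mfa_code = mfa_code
        self.sessions = {}  # session id -> {"stage": ..., "token": ..., "fails": n}

    def _page(self, token):
        return f'<form><input type="hidden" name="csrf" value="{token}"></form>'

    def get(self, path, session=None):
        if session is None or session not in self.sessions:
            session = secrets.token_hex(8)
            self.sessions[session] = {"stage": "login", "token": None, "fails": 0}
        st = self.sessions[session]
        if path == "/login2" and st["stage"] != "login2":
            return 302, "/login", session, ""  # second factor not reachable yet
        st["token"] = secrets.token_hex(8)  # new one-time token on every GET
        return 200, path, session, self._page(st["token"])

    def post(self, path, session, form):
        st = self.sessions.get(session)
        if st is None or form.get("csrf") != st["token"]:
            return 400, path, session, "Invalid CSRF token"
        st["token"] = None  # token is consumed: reusing it must fail
        if path == "/login" and st["stage"] == "login":
            if (form.get("username"), form.get("password")) == self.creds:
                st["stage"] = "login2"
                return 302, "/login2", session, ""
            return 200, "/login", session, "Invalid credentials"
        if path == "/login2" and st["stage"] == "login2":
            if form.get("mfa-code") == self.mfa_code:
                st["stage"] = "done"
                return 302, "/my-account", session, ""
            st["fails"] += 1
            if st["fails"] >= 2:  # two misses: back to the start of the flow
                st["stage"], st["fails"] = "login", 0
                return 302, "/login", session, ""
            return 200, "/login2", session, "Incorrect security code"
        return 302, "/login", session, ""


def run_macro(server, username, password):
    """The macro chain GET /login -> POST /login -> GET /login2.
    Returns (session id, fresh CSRF token) ready for the final POST /login2."""
    _, _, session, body = server.get("/login")
    token = get_csrf_token(body)
    status, location, session, _ = server.post(
        "/login", session, {"csrf": token, "username": username, "password": password})
    if (status, location) != (302, "/login2"):
        raise RuntimeError("first-stage login failed")
    _, _, session, body = server.get("/login2", session)
    return session, get_csrf_token(body)


def submit_mfa_code(server, username, password, code):
    """What one Intruder request looks like once the session rule is active:
    run the macro first, then send the payload with the token it produced."""
    session, token = run_macro(server, username, password)
    status, location, _, _ = server.post(
        "/login2", session, {"csrf": token, "mfa-code": code})
    return status, location


if __name__ == "__main__":
    srv = FakeLabServer("wiener", "peter", "1234")
    s, t = run_macro(srv, "wiener", "peter")
    print(srv.post("/login2", s, {"csrf": t, "mfa-code": "0000"})[0])  # token accepted
    print(srv.post("/login2", s, {"csrf": t, "mfa-code": "0000"})[0])  # stale token rejected
    print(submit_mfa_code(srv, "wiener", "peter", "1234"))
```

The two consecutive posts in the `__main__` block are the whole point: the first is accepted, the second is rejected with 400 because the token was already consumed, which is exactly why Intruder needs the macro to run before every request rather than reusing one captured token.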
PS: When I found out that Burp could do this, I was very surprised and decided to share it with people. Maybe someone else didn't know either 🙂