Kali Linux

LazyCSRF : A More Useful CSRF PoC Generator

LazyCSRF is a more useful CSRF PoC generator that runs on Burp Suite.

Motivation

Burp Suite is an intercepting HTTP Proxy, and it is the defacto tool for performing web application security testing. The feature of Burp Suite that I like the most is Generate CSRF PoC. However, the function to automatically determine the content of request is broken, and it will try to generate PoC using form even for PoC that cannot be represented by form, such as cases using JSON for parameters or PUT requests. In addition, multibyte characters that can be displayed in Burp Suite itself are often garbled in the generated CSRF PoC. These were the motivations for creating LazyCSRF.

Features

  • Automatically switch to PoC using XMLHttpRequest
    • In case the parameter is JSON
    • In case the request is a PUT/PATCH/DELETE
  • Support displaying multibyte characters (like Japanese)
  • Generating CSRF PoC with Burp Suite Community Edition (of course, it also works in Professional Edition)

Difference in display of multibyte characters

The following image shows the difference in the display of multibyte characters between Burp’s CSRF PoC generator and LazyCSRF. LazyCSRF can generate PoC for CSRF without garbling multibyte characters. This is only the case if the characters are not garbled on Burp Suite.

Installation

Download the JAR from GitHub Releases. In Burp Suite, go to the Extensions tab in the Extender tab, and add a new extension. Select the extension type Java, and specify the location of the JAR.

Usage

You can generate a CSRF PoC by selecting Extensions->LazyCSRF->Generate CSRF PoC By LazyCSRF from the menu that opens by right-clicking on Burp Suite.

How To Build

intellij

If you use IntelliJ IDEA, you can build it by following Build -> Build Artifacts -> LazyCSRF:jar -> Build.

Command line

You can build it with maven.

R K

Recent Posts

Cybersecurity – Tools And Their Function

Cybersecurity tools play a critical role in safeguarding digital assets, systems, and networks from malicious…

11 hours ago

MODeflattener – Miasm’s OLLVM Deflattener

MODeflattener is a specialized tool designed to reverse OLLVM's control flow flattening obfuscation through static…

11 hours ago

My Awesome List : Tools And Their Functions

"My Awesome List" is a curated collection of tools, libraries, and resources spanning various domains…

11 hours ago

Chrome Browser Exploitation, Part 3 : Analyzing And Exploiting CVE-2018-17463

CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, allowed attackers to execute arbitrary…

11 hours ago

Chrome Browser Exploitation, Part 1 : Introduction To V8 And JavaScript Internals

The blog post "Chrome Browser Exploitation, Part 1: Introduction to V8 and JavaScript Internals" provides…

12 hours ago

Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463

The exploitation of CVE-2018-17463, a type confusion vulnerability in Chrome’s V8 JavaScript engine, relies on…

15 hours ago