Burp Intruder to brute-force login form with CSRF

Capture the POST request

Start Burp, go to the Proxy tab and click Open Browser. For now you can keep the Intercept option off.

In the browser, go to the target login page and enter some username and password. Before you submit the form, turn Intercept on. Click on Login and you’ll see something like this in Burp

Send it to Intruder and set the options

Click on the Action button and then Send to Intruder.

Move to the Intruder tab and verify the details in Target: Host, Port and Use HTTPS.

Next, go to the Positions tab. This is where we set the variables to be fuzzed. Burp will automatically populate all positions where a fuzz test can be run. You can customize this by using the options on the right side of the tab.

In our example, we’d like to fetch the csrf_token from the response to the previous request and rotate j_password. It will look like this – note the § symbol

Once the positions are set, confirm that the Attack type is Pitchfork.

Move to the Options tab and click on Add in the Grep-Extract menu. In the new pop-up window, click on the Refresh response button. Mark the anti-CSRF token with the mouse and Burp will populate the form. Click OK.

In the Payloads tab, select the payload type Recursive grep for Payload set: 1, which corresponds to the anti-CSRF token parameter identified in the Positions tab. It is important that you also insert the token that was sent in the last valid response, to be used as the initial token value for the first request.

For Payload set: 2 we will use Simple list. You can manually add passwords to the list or load them from a file – for example, in Kali Linux you can find wordlists inside /usr/share/wordlists

You may have to change Maximum concurrent requests to 1 and add some delay between the requests in the Resource Pool tab. With this we are now ready to launch our attack.


If everything is fine and you have the right password, you’ll get a slightly different response from the web application form – it can be a different status code or length, as in the example below
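The same signal (one response whose status code or length differs from the rest) is also visible in the server's access log. The following is an added example, not part of the original post: it flags a client that sends a burst of login POSTs and lists the responses that differ from that client's most common one. The /login path, the thresholds and the log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/login"  # assumed login endpoint, not taken from the post
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')
# Constructed sample lines (common log format, documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "POST /login HTTP/1.1" 200 1843
203.0.113.20 - - [10/Mar/2024:10:00:02 +0000] "GET /login HTTP/1.1" 200 1790
198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "POST /login HTTP/1.1" 200 1843
203.0.113.20 - - [10/Mar/2024:10:00:04 +0000] "POST /login HTTP/1.1" 200 1843
198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "POST /login HTTP/1.1" 200 1843
198.51.100.7 - - [10/Mar/2024:10:00:07 +0000] "POST /login HTTP/1.1" 200 1843
198.51.100.7 - - [10/Mar/2024:10:00:09 +0000] "POST /login HTTP/1.1" 200 1843
198.51.100.7 - - [10/Mar/2024:10:00:11 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.20 - - [10/Mar/2024:10:00:30 +0000] "POST /login HTTP/1.1" 302 0
""".splitlines()

def login_posts(lines):
    """Group (timestamp, status, size) of login POSTs by client IP."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == LOGIN_PATH:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            by_ip[m["ip"]].append((ts, int(m["status"]), int(m["size"])))
    return by_ip

def detect_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs with >= threshold login POSTs inside any sliding window."""
    findings = {}
    for ip, posts in login_posts(lines).items():
        posts.sort()
        start = burst = 0
        for end, (t, _, _) in enumerate(posts):
            while t - posts[start][0] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst < threshold:
            continue
        # The most common (status, size) pair is treated as the failed-login baseline.
        baseline = Counter((s, z) for _, s, z in posts).most_common(1)[0][0]
        outliers = [(t.isoformat(), s, z) for t, s, z in posts if (s, z) != baseline]
        findings[ip] = {"burst": burst, "baseline": baseline, "outliers": outliers}
    return findings

if __name__ == "__main__":
    print(detect_guessing(SAMPLE_LOG))
```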
