lazyCSRF v0.0.4 releases: useful CSRF PoC generator

by do son · Published September 27, 2021 · Updated October 14, 2021

LazyCSRF

LazyCSRF is a more useful CSRF PoC generator that runs on Burp Suite.

Motivation

Burp Suite is an intercepting HTTP Proxy, and it is the defacto tool for performing web application security testing. The feature of Burp Suite that I like the most is Generate CSRF PoC. However, it does not support JSON parameters. It also uses the <form>, so it cannot send PUT/DELETE requests. In addition, multibyte characters that can be displayed in Burp Suite itself are often garbled in the generated CSRF PoC. Those were the motivations for creating LazyCSRF.

Features

Support JSON parameter (like a request to the API)
Support PUT/DELETE (only work with CORS enabled with an unrestrictive policy)
Support displaying multibyte characters (like Japanese)
Generating CSRF PoC with Burp Suite Community Edition (of course, it also works in Professional Edition)

The difference in the display of multibyte characters

The following image shows the difference in the display of multibyte characters between Burp’s CSRF PoC generator and LazyCSRF. LazyCSRF can generate PoC for CSRF without garbling multibyte characters. This is only the case if the characters are not garbled on Burp Suite.

Usage

You can generate a CSRF PoC by selecting Extensions->Generate JSON CSRF PoC with Ajax or Generate POST PoC with Form from the menu that opens by right-clicking on Burp Suite.