LazyCSRF is a more useful CSRF PoC generator on Burp Suite extentions/plugins. It is more accurate and powerfull than regular CSRF PoC extentions on Burp Suite.
Burp Suite is an intercepting HTTP Proxy, and it is the defacto tool for performing web application security testing. The feature of Burp Suite that I like the most is
Generate CSRF PoC. However, the function to automatically determine the content of request is broken, and it will try to generate PoC using
form even for PoC that cannot be represented by
form, such as cases using JSON for parameters or PUT requests. In addition, multibyte characters that can be displayed in Burp Suite itself are often garbled in the generated CSRF PoC. These were the motivations for creating LazyCSRF.
- Automatically switch to PoC using XMLHttpRequest
- In case the parameter is JSON
- In case the request is a PUT/PATCH/DELETE
- Support displaying multibyte characters (like Japanese)
- Generating CSRF PoC with Burp Suite Community Edition (of course, it also works in Professional Edition)
The following image shows the difference in the display of multibyte characters between Burp’s CSRF PoC generator and LazyCSRF. LazyCSRF can generate PoC for CSRF without garbling multibyte characters. This is only the case if the characters are not garbled on Burp Suite.
Install JAR File on Burp Suite
Download the JAR from GitHub Releases. In Burp Suite, go to the Extensions tab in the Extender tab, and add a new extension. Select the extension type
Java, and specify the location of the JAR.
You can generate a CSRF PoC by selecting
Generate CSRF PoC By LazyCSRF from the menu that opens by right-clicking on Burp Suite.
How to Build
If you use IntelliJ IDEA, you can build it by following
Build Artifacts ->
You can build it with maven.