LazyCSRF - A More Useful CSRF PoC Generator#408
LazyCSRF is a more useful CSRF PoC generator that runs on Burp Suite.
Burp Suite is an intercepting HTTP Proxy, and it is the defacto tool for performing web application security testing.
The feature of Burp Suite that I like the most is
Generate CSRF PoC.
However, this does not support JSON parameters.
It also uses the
<form>, so it cannot send PUT/DELETE requests.
In addition, multibyte characters that can be displayed in the burp itself are often garbled in the generated CSRF PoC.
Those were the motivations for creating this extension.
- Generating CSRF PoC with Burp Suite Community Edition (of course, it also works in Professional Edition)
- Support JSON parameter (like GraphQL Request)
- Support PUT/DELETE (only work with CORS enabled with an unrestrictive policy)
- Support displaying multibyte characters (like Japanese)
Difference in display of multibyte characters
The following image shows the difference in the display of multibyte characters between Burp's CSRF PoC generator and LazyCSRF.
LazyCSRF can generate CSRF PoC without garbling multibyte characters that are not garbled on Burp.
Download the jar from GitHub Releases.
In Burp Suite, go to the Extensions tab in the Extender tab, and add a new extension.
Select the extension type
Java, and specify the location of the jar.
How to Build
If you use IntelliJ IDEA, you can build it by following
You can build it with maven.
$ mvn install
You can generate a CSRF PoC by selecting
Generate JSON CSRF PoC with Ajaxor
Generate POST PoC with Formfrom the menu that opens by right-clicking on Burp Suite.
Copyright (C) 2021 tkmru