Recently I wrote a quick HowTo about dealing with using Burp Suite against an application that invalidates your session whenever it spots a potential malicious payload. I wrote that a Burp Macro that can perform Automatic Reauthentication can overcome that issue. Another common issue that gets in the way of performing penetration tests against mobile applications is having to deal with anti cross-site request forgery tokens. These are tokens that an application embeds in a response and expects to see in the body of the subsequent request, if the token is ever missing or incorrect the request is ignored. This interferes terribly with Burp Suite tools such as repeater, intruder and scanner as by default these don’t handle the tokens and therefore the requests are all ignored. I get around this issue through the use of simple custom burp extensions and I wanted to share some notes about how surprisingly simple this is!
Continue reading: Burp Suite vs CSRF Tokens