LazyCSRF is a more useful CSRF PoC generator that runs on Burp Suite.
**Motivation**
Burp Suite is an intercepting HTTP proxy, and it is the de facto tool for performing web application security testing. The feature of Burp Suite that I like the most is `Generate CSRF PoC`. However, it does not support JSON parameters. It also uses `<form>`, so it cannot send PUT/DELETE requests. In addition, multibyte characters that display correctly in Burp itself are often garbled in the generated CSRF PoC. Those were the motivations for creating this extension.
**Features**
* Generating CSRF PoC with Burp Suite Community Edition (of course, it also works in Professional Edition)
* Support JSON parameters (like GraphQL requests)
* Support PUT/DELETE (only works with CORS enabled with an unrestrictive policy)
* Support displaying multibyte characters (like Japanese)
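The form limitation and the CORS condition in the list above both come from the browser's preflight rules. The following added example (not part of LazyCSRF or the original page) is a simplified model of that decision for a credentialed request, useful for checking whether an endpoint's CORS policy is the only thing standing between it and a cross-origin write. The function names, origins and header sets are hypothetical and constructed for illustration.

```javascript
// Added example: simplified model of the browser's CORS preflight decision.
// Function names and sample values are hypothetical, not taken from LazyCSRF.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Split a comma-separated header value into lower-cased tokens.
const tokens = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Media type without parameters, lower-cased ("" when absent).
const mediaType = (req) => (req.contentType || "").split(";")[0].trim().toLowerCase();

// A request skips the preflight only with a safelisted method and content type.
// That is all a <form> can produce, which is why JSON and PUT/DELETE need Ajax.
function needsPreflight(req) {
  const type = mediaType(req);
  return !SIMPLE_METHODS.has(req.method.toUpperCase()) || (type !== "" && !SIMPLE_TYPES.has(type));
}

// Decide whether a cookie-bearing cross-origin request from `origin` would be sent.
// `resp` holds the server's preflight response headers, keyed by lower-cased name.
function crossOriginWriteAllowed(req, origin, resp) {
  if (!needsPreflight(req)) return { sent: true, reason: "simple request, no preflight" };
  // With credentials the origin must be echoed exactly; "*" is not accepted.
  if (resp["access-control-allow-origin"] !== origin)
    return { sent: false, reason: "origin not allowed" };
  if (resp["access-control-allow-credentials"] !== "true")
    return { sent: false, reason: "credentials not allowed" };
  const method = req.method.toUpperCase();
  if (!SIMPLE_METHODS.has(method) &&
      !tokens(resp["access-control-allow-methods"]).includes(method.toLowerCase()))
    return { sent: false, reason: "method not allowed" };
  const type = mediaType(req);
  if (type && !SIMPLE_TYPES.has(type) &&
      !tokens(resp["access-control-allow-headers"]).includes("content-type"))
    return { sent: false, reason: "content-type header not allowed" };
  return { sent: true, reason: "preflight passed: CORS policy does not block this write" };
}
```

A result of `sent: true` means the browser will deliver the request, so the endpoint has to be protected by something other than CORS, such as an anti-CSRF token or `SameSite` cookies.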
**Difference in display of multibyte characters**
The following image shows the difference in the display of multibyte characters between Burp's CSRF PoC generator and LazyCSRF. LazyCSRF can generate CSRF PoC without garbling multibyte characters that are not garbled on Burp.
[](<https://blogger.googleusercontent.com/img/a/AVvXsEhJWRJapZuz9HeJ2mIvfS7E6auhNUuzFRpWbabN__ib2MKlW0zj1abgGwfSaHp5LgbdBfzqiZ6xAhQaiLxvhWuSXIYzBFi1dBkOOFMhFcxKDw7L_GyhjRgfUeKipWNg8W5E9x0YlqOTth2E7qxlG-LSCwolYfUzkMfJFSLczVN3mNmPMXtfPzeA7vKf8Q=s2048>)
**Installation**
Download the jar from [GitHub Releases](https://github.com/tkmru/lazyCSRF/releases/). In Burp Suite, go to the Extensions tab in the Extender tab, and add a new extension. Select the extension type `Java`, and specify the location of the jar.
**How to Build**
**IntelliJ**
If you use IntelliJ IDEA, you can build it by following `Build` -> `Build Artifacts` -> `LazyCSRF:jar` -> `Build`.
**Command line**
You can build it with Maven.

    $ mvn install
**Usage**
You can generate a CSRF PoC by selecting `Extensions`->`Generate JSON CSRF PoC with Ajax` or `Generate POST PoC with Form` from the menu that opens by right-clicking on Burp Suite.
**LICENSE**
MIT License
Copyright (C) 2021 tkmru
**[Download lazyCSRF](https://github.com/tkmru/lazyCSRF)**