Let's take another look at a CSRF vulnerability on webscantest.com. Here's the form we'll be testing:
![](https://static.packt-cdn.com/products/9781789344202/graphics/assets/68f5b43b-7d59-4fee-ac76-3d2682f3a18b.png)
Simple enough. Fire up the Burp proxy and make sure the Intercept feature is on, then fill in the form with a nice test value:
![](https://static.packt-cdn.com/products/9781789344202/graphics/assets/dcaafd6e-2165-4ec4-82e9-2d95682ec700.png)
As a side note, cyan is really cool – in the subtractive color system, cyan is a primary color and can be created by removing red from white light. Let's submit this form and then check back with Burp to see the intercepted request:
![](https://static.packt-cdn.com/products/9781789344202/graphics/assets/7bdcadc4-9b31-4fe3-b72b-69a2d889c00e.png)
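The details worth recording from an intercepted request like this one (method, form encoding, field data) can also be pulled out programmatically, along with a check for whether any anti-CSRF token accompanies the session cookie. This is an added example, not code from the book or the target site; the sample request, its host, path and field name, and the token-name heuristic are all constructed assumptions.

```python
from urllib.parse import parse_qsl

# Constructed sample of an intercepted request; host, path and field name are
# placeholders, not values taken from the page's screenshots.
SAMPLE_REQUEST = (
    "POST /form/submit HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: SESSIONID=constructed-session-value\r\n"
    "Content-Length: 19\r\n"
    "\r\n"
    "favorite_color=Cyan"
)

# Assumed heuristic: substrings commonly seen in anti-CSRF field/header names.
TOKEN_HINTS = ("csrf", "xsrf", "token", "authenticity", "nonce")


def summarize_request(raw: str) -> dict:
    """Extract method, form encoding and fields; flag a missing CSRF token."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Drop parameters such as "; charset=utf-8" from the media type.
    encoding = headers.get("content-type", "").split(";")[0].strip().lower()
    fields = {}
    if encoding == "application/x-www-form-urlencoded":
        fields = dict(parse_qsl(body, keep_blank_values=True))
    # A token may travel as a form field or as a custom header, never the cookie alone.
    names = list(fields) + [h for h in headers if h != "cookie"]
    token_names = [n for n in names if any(h in n.lower() for h in TOKEN_HINTS)]
    state_changing = method in {"POST", "PUT", "PATCH", "DELETE"}
    return {
        "method": method,
        "path": path,
        "encoding": encoding,
        "fields": fields,
        "sends_cookies": "cookie" in headers,
        "token_candidates": token_names,
        # State-changing + cookie-authenticated + no per-request token.
        "needs_csrf_review": state_changing and "cookie" in headers and not token_names,
    }
```

A `needs_csrf_review` result of `True` only means no token-like name was found; whether the server also enforces `SameSite` cookies or checks `Origin` still has to be confirmed separately.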
OK, noting the important information – the HTTP request method, the form encoding, the field data, and so on – let's take a look at what happens when we turn Intercept off and allow the POST request to resolve:
![](https://static.packt-cdn.com/products/9781789344202/graphics/assets/4bdd4353-82f1-497e-8c2b-8d862e3751ab.png)
Here's what a successful submission looks like. Critically for us, we can see what value the form submitted through the...