Home
Pinaki Mondal edited this page Oct 31, 2019
Welcome to the XSRFProbe Wiki!
Let's get started with the documentation!
Getting Started
Learning the basics and compatibility requirements, and setting XSRFProbe up.
Using XSRFProbe
Documentation about using XSRFProbe for a general as well as an advanced user.
- General Usage
  - XSRFProbe Arguments List
  - Testing a Single Endpoint
  - Crawling the Site
  - Adding Cookies for Requests
  - Using Custom User-Agent
  - HTTP Request Timeout
  - HTTP Request Delay
  - Using Custom HTTP Headers
  - Using Random User-Agents
  - Form Field Character Generation
  - Excluding Out of Scope Directories
  - Controlling Verbosity
  - Generating Malicious Forms
  - Skipping PoC Generation
  - Skipping Post-Scan Analysis
  - Specifying Output Directory
  - Updating XSRFProbe
  - XSRFProbe Version
- Advanced Usage
Some Common FAQs
Discussions and answers to questions on topics which a user should understand.
- Why should I supply cookies?
- Why is using random-user-agents not recommended?
- What if I want my own custom headers while making requests?
- What is the buzz about form field generation?
- I have some directories which I don't want to scan, is it possible?
- During scanning I received an HTTPError, what happened?
- I am getting VULNERABLE in various endpoints, but they're not. Why?
- How do I know if this tool actually works?
- Are there different color codes?
XSRFProbe Internals
Documentation on how XSRFProbe works, its test cases, checks and accuracy. Intended for developers exclusively.
- The Generalised Workflow
- Types of Checks
  - Origin Based Forgery Checks
  - Referer Based Forgery Checks
  - Anti-CSRF Token Detection
  - Token Strength Calculation
  - Token Randomness Calculation
  - Token Encoding Detection
  - Cookie Persistence
  - Cookie Flag Checks
  - POST-Based Request Forgery Checks
  - Request Tampering and Forging
  - Generating Custom PoCs
  - Post-Scan Analysis
Contributing
Documentation on tips and guidelines for how a developer should contribute to XSRFProbe.
Reporting Bugs
Guidelines on how you should submit bugs.
Last Updated — 31/10/2019 by @0xInfection