usage: python3 xsrfprobe.py [-h] [-u URL] [-c COOKIE] [-o OUTPUT] [-d DELAY] [-q] [-v]
                            [--user-agent USER_AGENT] [--headers HEADERS]
                            [--exclude EXCLUDE] [--timeout TIMEOUT]
                            [--max-chars MAXCHARS] [--crawl] [--no-analysis]
                            [--malicious] [--skip-poc] [--display] [--update]
                            [--random-agent] [--version]

Required Arguments:
  -u URL, --url URL     Main URL to test

Optional Arguments:
  -c COOKIE, --cookie COOKIE
                        Cookie value to be sent with each successive request.
                        If there are multiple cookies, separate them with
                        commas. For example: `-c PHPSESSID=i837c5n83u4, _gid=jdhfbuysf`.
  -o OUTPUT, --output OUTPUT
                        Output directory where files are to be stored. Default
                        is the `files` folder, where all generated files will
                        be stored.
  -d DELAY, --delay DELAY
                        Time delay between requests in seconds. Default is zero.
  -q, --quiet           Set the DEBUG mode to quiet. Report only when
                        vulnerabilities are found. Minimal output will be
                        printed on screen.
  -v, --verbose         Increase the verbosity of the output (e.g., -vv is
                        more than -v).
  --user-agent USER_AGENT
                        Custom user-agent to be used. Only one user-agent can
                        be specified.
  --headers HEADERS     Comma separated list of custom headers you'd want to
                        use. For example: `--headers "Accept=text/php, X-Requested-With=Dumb"`.
  --exclude EXCLUDE     Comma separated list of paths or directories to be
                        excluded which are not in scope. These paths/dirs
                        won't be scanned. For example:
                        `--exclude somepage/, sensitive-dir/, pleasedontscan/`
  --timeout TIMEOUT     HTTP request timeout value in seconds. The entered
                        value may be either a floating point decimal or an
                        integer. Example: `--timeout 10.0`
  --max-chars MAXCHARS  Maximum allowed character length for the custom token
                        value to be generated. For example: `--max-chars 5`.
                        Default value is 6.
  --crawl               Crawl the whole site and simultaneously test all
                        discovered endpoints for CSRF.
  --no-analysis         Skip the Post-Scan Analysis of Tokens which were
                        gathered during requests.
  --malicious           Generate a malicious CSRF Form which can be used in
                        real-world exploits.
  --skip-poc            Skip the PoC Form Generation of POST-Based Cross Site
                        Request Forgeries.
  --display             Print out response headers of requests while making
                        requests.
  --update              Update XSRFProbe to the latest version on GitHub via git.
  --random-agent        Use random user-agents for making requests.
  --version             Display the version of XSRFProbe and exit.
Testing A Single Endpoint
The main URL of the site you want to scan. This might be either a URL endpoint or the first level domain itself.
python xsrfprobe.py -u http://example.com/testcsrf.php
Crawling The Site
This option allows you to use XSRFProbe's built-in crawler to dynamically discover and simultaneously test all endpoints which are crawled.
python xsrfprobe.py -u http://example.com --crawl
WARNING: XSRFProbe generates a considerable amount of requests against the target, so be careful while using this option.
This option helps you to supply a comma separated list of external custom cookies which will be used during all requests. See advanced usage for more info on why you should supply cookies.
python3 xsrfprobe.py -u http://example.com/testcsrf.php -c "SESSION_ID=i837c5n83u4e84cry9e4, _gid=jdhfbuysfcefjbhiiwer"
This option (--user-agent) enables you to supply a custom user-agent value. For example, if you want XSRFProbe to make requests as the Googlebot crawler, you might use:
python xsrfprobe.py -u http://example.com/testcsrf.php --user-agent "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
--timeout | Default:
It is possible to specify a number of seconds to wait before considering the HTTP(S) request timed out. The value is an int (the usage text also accepts a floating point decimal); for instance, if you want to set the timeout value to 10 seconds, you might use
python xsrfprobe.py -u http://example.com/testcsrf.php --timeout 10
--delay | Default: 0
By using this option, it is possible to specify a number of seconds to hold between each request. The value specified should either be an integer or a floating point decimal.
python xsrfprobe.py -u http://example.com/testcsrf.php -d 2
Custom HTTP Headers
This option enables you to supply a comma separated list of custom headers which you might want XSRFProbe to use during all requests.
python xsrfprobe.py -u http://example.com/testcsrf.php --headers "Accept=text/php, DNT=1"
NOTE: The additional headers which you'll supply will be appended to a list of default headers. For more info on controlling headers, see advanced usage.
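The -c/--cookie and --headers options above both take the same "NAME=VALUE, NAME=VALUE" syntax. The parser below is an added example, not XSRFProbe's own code; it assumes the tool splits entries on commas and names from values on the first "=", which is what keeps cookie values that themselves contain "=" (base64 padding, JWT-style tokens) intact.

```python
"""Parse XSRFProbe-style comma separated cookie and header lists.

Added example, not XSRFProbe's own code. Assumption: each entry is
NAME=VALUE and entries are separated by commas, as in the usage text.
"""
from typing import Dict


def parse_pairs(raw: str, what: str) -> Dict[str, str]:
    """Turn "A=1, B=2" into {"A": "1", "B": "2"}.

    Only the first '=' separates name from value, so a cookie such as
    "jwt=abc.def==" keeps its trailing padding. Surrounding whitespace
    is stripped. Empty entries (e.g. a trailing comma) and entries
    without '=' raise instead of being dropped silently, so a typo in
    the session cookie does not turn into an unauthenticated scan.
    """
    pairs: Dict[str, str] = {}
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError(f"empty {what} entry in {raw!r}")
        if "=" not in entry:
            raise ValueError(f"{what} entry {entry!r} lacks '='")
        name, value = entry.split("=", 1)
        name = name.strip()
        if not name:
            raise ValueError(f"{what} entry {entry!r} has no name")
        pairs[name] = value.strip()
    return pairs


def parse_cookies(raw: str) -> Dict[str, str]:
    """Parse the value given to -c/--cookie."""
    return parse_pairs(raw, "cookie")


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the value given to --headers."""
    return parse_pairs(raw, "header")


def cookie_header(cookies: Dict[str, str]) -> str:
    """Render parsed cookies as a single Cookie: request header value."""
    return "; ".join(f"{name}={value}" for name, value in cookies.items())


if __name__ == "__main__":
    # Constructed sample values taken from the examples on this page.
    jar = parse_cookies("SESSION_ID=i837c5n83u4e84cry9e4, _gid=jdhfbuysfcefjbhiiwer")
    print(cookie_header(jar))
    print(parse_headers("Accept=text/php, DNT=1"))
```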
Using Random User-Agents
This option enables you to make requests using random user-agents for different requests.
python xsrfprobe.py -u http://example.com/testcsrf.php --random-agent
--max-chars | Default: 6
This option enables you to supply the character length of form submission string values which you might want XSRFProbe to submit whenever a form is found.
python xsrfprobe.py -u http://example.com/testcsrf.php --max-chars 10
NOTE: The length of the string being submitted in forms is crucial. For more info on controlling character generation, see advanced usage.
This option enables you to supply a comma separated list of directories which are out of scope and will not be scanned.
python3 xsrfprobe.py -u http://example.com --crawl --exclude "sensitive_dir/, dontscanme/"
The --crawl option must be supplied together with the --exclude argument. If you're testing a single endpoint, supplying this option is not valid.
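A scope check of the kind a crawler needs for --exclude, as an added example that is not XSRFProbe's own code. It assumes exclude entries are path prefixes relative to the target's root, as in the "sensitive_dir/, dontscanme/" example above, and compares them against the path of each discovered link on the same host.

```python
"""Crawl scope check for --exclude style path lists.

Added example, not XSRFProbe's own code. Assumption: an exclude entry
names a directory (or page) under the target root, and every link
whose path falls under it is out of scope.
"""
from typing import List
from urllib.parse import urlsplit


def parse_excludes(raw: str) -> List[str]:
    """"sensitive_dir/, dontscanme/" -> ["/sensitive_dir/", "/dontscanme/"].

    Every entry is normalised to a leading and trailing slash so that
    matching is done on whole path segments, not substrings.
    """
    prefixes: List[str] = []
    for entry in raw.split(","):
        entry = entry.strip()
        if entry:
            prefixes.append("/" + entry.strip("/") + "/")
    return prefixes


def in_scope(url: str, base: str, excludes: List[str]) -> bool:
    """True if url is on the same host as base and not under an excluded path.

    The URL path gets a trailing slash before comparison, so
    "/sensitive_dir" and "/sensitive_dir/index.php" are both excluded
    while "/sensitive_directory/" is not (segment boundary, not prefix).
    """
    target, root = urlsplit(url), urlsplit(base)
    if target.netloc.lower() != root.netloc.lower():
        return False
    path = target.path or "/"
    if not path.endswith("/"):
        path += "/"
    return not any(path.startswith(prefix) for prefix in excludes)


if __name__ == "__main__":
    # Constructed sample links for the example target on this page.
    excluded = parse_excludes("sensitive_dir/, dontscanme/")
    for link in ("http://example.com/sensitive_dir/index.php",
                 "http://example.com/sensitive_directory/",
                 "http://other.example.net/"):
        print(link, "in scope" if in_scope(link, "http://example.com", excluded) else "skipped")
```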
It is possible to control XSRFProbe's verbose output using the -q/--quiet option as follows:
python xsrfprobe.py -u http://example.com/testcsrf.php --quiet
Using this option is NOT RECOMMENDED as it significantly decreases the output: XSRFProbe will report to the terminal only if some significant vulnerability is found. This option was originally developed for development purposes, where one needs to avoid heavy logs in CI. However, you also might want to supply this option if you do not want to know what's going on under the hood. This option is turned off by default, so you'll have to explicitly set it for quiet output.
Generating Malicious PoC Forms
This option enables you to instruct XSRFProbe to craft malicious CSRF forms which can be used in real world exploitations.
python xsrfprobe.py -u http://example.com/testcsrf.php --malicious
The --skip-poc argument should not be supplied with this switch, or the form itself will never be generated.
Skipping Proof of Concept Generation
This option enables you to skip the Proof of Concept form generation of POST-Based CSRF vulnerable forms.
python xsrfprobe.py -u http://example.com/testcsrf.php --skip-poc
Specifying Output Directory
--output | Default: files
This option enables you to specify the output directory where all logs and generated files will be stored. After a successful scan completion, mainly 6 logs are generated:
vulnerabilities.log - Log file where all vulnerabilities will be stored.
strengths.log - Log file where all strengths of the web-app are stored.
errored.log - Log file where all errors encountered will be stored.
internal-links.log - Log file where all links found and crawled will be stored.
forms-tested.log - Log file where all forms tested will be stored.
tokens.log - Log file where all Anti-CSRF tokens are stored (if any).
Apart from these, if XSRFProbe finds any form vulnerable to POST-Based CSRF, it will generate a PoC form which will be stored there too (unless the --skip-poc argument is supplied).
Skip Post-Scan Analysis
This option enables you to skip the post-scan analysis of tokens which were gathered during various requests.
python xsrfprobe.py -u http://example.com/testcsrf.php --no-analysis
Often you might want to view the response header sent from an application during requests. This option empowers you to view headers sent by the web-application during all requests.
python xsrfprobe.py -u http://example.com/testcsrf.php --display
If this option is supplied, XSRFProbe will check for updates. If a newer version is available, XSRFProbe will download and merge the updates into the current directory via its seamless update system without losing any of your files.
python xsrfprobe.py --update
This option displays the current version of XSRFProbe which you're using, read from files/VersionNum.
python xsrfprobe.py --version