Skip to content

General Usage

Infected Drake edited this page Jan 17, 2019 · 21 revisions

Arguments List:

usage: python3 xsrfprobe.py [-h] [-u URL] [-c COOKIE] [-o OUTPUT] [-d DELAY]
                            [-q] [-v] [--user-agent USER_AGENT]
                            [--headers HEADERS] [--exclude EXCLUDE]
                            [--timeout TIMEOUT] [--max-chars MAXCHARS]
                            [--crawl] [--no-analysis] [--malicious]
                            [--skip-poc] [--display] [--update]
                            [--random-agent] [--version]
Required Arguments:
  -u URL, --url URL     Main URL to test
Optional Arguments:
  -c COOKIE, --cookie COOKIE
                        Cookie value to be requested with each successive
                        request. If there are multiple cookies, separate them
                        with commas. For example: `-c PHPSESSID=i837c5n83u4,
                        _gid=jdhfbuysf`.
  -o OUTPUT, --output OUTPUT
                        Output directory where files to be stored. Default is
                        the`files` folder where all files generated will be
                        stored.
  -d DELAY, --delay DELAY
                        Time delay between requests in seconds. Default is
                        zero.
  -q, --quiet           Set the DEBUG mode to quiet. Report only when
                        vulnerabilities are found. Minimal output will be
                        printed on screen.
  -v, --verbose         Increase the verbosity of the output (e.g., -vv is
                        more than -v).
  --user-agent USER_AGENT
                        Custom user-agent to be used. Only one user-agent can
                        be specified.
  --headers HEADERS     Comma separated list of custom headers you'd want to
                        use. For example: ``--headers "Accept=text/php,
                        X-Requested-With=Dumb"``.
  --exclude EXCLUDE     Comma separated list of paths or directories to be
                        excluded which are not in scope. These paths/dirs
                        won't be scanned. For example: `--exclude somepage/,
                        sensitive-dir/, pleasedontscan/`
  --timeout TIMEOUT     HTTP request timeout value in seconds. The entered
                        value may be either in floating point decimal or an
                        integer. Example: ``--timeout 10.0``
  --max-chars MAXCHARS  Maximum allowed character length for the custom token
                        value to be generated. For example: `--max-chars 5`.
                        Default value is 6.
  --crawl               Crawl the whole site and simultaneously test all
                        discovered endpoints for CSRF.
  --no-analysis         Skip the Post-Scan Analysis of Tokens which were
                        gathered during requests
  --malicious           Generate a malicious CSRF Form which can be used in
                        real-world exploits.
  --skip-poc            Skip the PoC Form Generation of POST-Based Cross Site
                        Request Forgeries.
  --display             Print out response headers of requests while making
                        requests.
  --update              Update XSRFProbe to latest version on GitHub via git.
  --random-agent        Use random user-agents for making requests.
  --version             Display the version of XSRFProbe and exit.

Testing A Single Endpoint

Option: -u or --url

The main URL of the site you want to scan. This might be either a URL endpoint or the first level domain itself.

python xsrfprobe.py -u http://example.com/testcsrf.php

Crawling The Site

Option: --crawl

This option allows you to use XSRFProbe's built-in crawler to dynamically discover and simultaneously test all endpoints which are crawled.

python xsrfprobe.py -u http://example.com --crawl

WARNING: XSRFProbe generates considerable amout of requests against the target so be careful while using this option.

Adding Cookies

Option: -c or --cookies

This option helps you to supply a comma separated list of external custom cookies which will be used during all requests. See advanced usage for more info on why you should supply cookies.

python3 xsrfprobe.py -u http://example.com/testcsrf.php -c "SESSION_ID=i837c5n83u4e84cry9e4, _gid=jdhfbuysfcefjbhiiwer"

Custom User-Agent

Option: --user-agent

This option (--user-agent) enables you to supply custom user-agent value. For example, if you want XSRFProbe to make requests as Googlebot crawler, you might use:

python xsrfprobe.py -u http://example.com/testcsrf.php --user-agent "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Request Timeout

Option: --timeout | Default: 7 seconds

It is possible to specify a number of seconds to wait before considering the HTTP(S) request timed out. The valid value is an int, for instance if you want to set the timeout value to 10 seconds, you might use

python xsrfprobe.py -u http://example.com/testcsrf.php --timeout 10

Request Delay

Option: -d or --delay | Default: 0 seconds

By using this option, it is possible to specify a number of seconds to hold between each request. The value specified should either be an integer or a floating point decimal.

python xsrfprobe.py -u http://example.com/testcsrf.php -d 2

Custom HTTP Headers

Option: --headers

This option enables you to supply a comma separated list of custom headers which you might want XSRFProbe to use during all requests.

python xsrfprobe.py -u http://example.com/testcsrf.php --headers "Accept=text/php, DNT=1"

NOTE: The additional headers which you'll supply will be appended to a list of default headers. For more info on controlling headers, see advanced usage.

Using Random User-Agents

Option: --random-agent

This option enables you to make requests using random user-agents for different requests.

python xsrfprobe.py -u http://example.com/testcsrf.php --random-agent

NOTE: Using this argument is NOT RECOMMENDED if you're supplying a cookie using the --cookie argument. For more info on when you should and when and why you shouldn't use, see advanced usage.

Character Generation

Option: --max-chars | Default: 6

This option enables you to supply the character length of form submission string values which you might want XSRFProbe to submit whenever a form is found.

python xsrfprobe.py -u http://example.com/testcsrf.php --max-chars 10

NOTE: The length of the string being submitted in forms are crucial. For more info on controlling charter generation, see advanced usage.

Excluding Directories

Option: --exclude

This option enables you to supply a comma separated list of directories which are out of scope and will not be scanned.

python3 xsrfprobe.py -u http://example.com --crawl --exclude "sensitive_dir/, dontscanme/"

NOTE: The --crawl option is a must to supply with --exclude argument. If you're testing a single endpoint then supplying this option doesn't hold valid.

Controlling Verbosity

Option: -q or --quiet

It is possible to control XSRFProbe's verbose output using -q/--quiet option as follows:

python xsrfprobe.py -u http://example.com/testcsrf.php --quiet

NOTE:

Using this option is NOT RECOMMENDED as it significantly decreases the output, and XSRFProbe will only report to the terminal only if some significant vulnerability is found. This option was originally developed for development purposes where one needs to avoid heavy logs when it comes to CIs. However you also might want to supply this option if you do not want to know what's going on under the hood. This option is turned off by default, so you'll have to explicitly set this option for a quiet output.

Generating Malicious PoC Forms

Option: --malicious

This option enables you to instruct XSRFProbe to craft malicious CSRF forms which can be used in real world exploitations.

python xsrfprobe.py -u http://example.com/testcsrf.php --malicious

NOTE: The --skip-poc argument should not supplied with this switch, or the form itself will never be generated.

Skipping Proof of Concept Generation

Option: --skip-poc

This option enables you to skip the Proof of Concept form generation of POST-Based CSRF vulnerable forms.

python xsrfprobe.py -u http://example.com/testcsrf.php --skip-poc

Specifying Output Directory

Option: -o or --output | Default: output/ Directory

This option enables you to specify the output directory where all logs and stuff will be stored. After a successful scan completion, mainly 6 logs are generated:

  • vulnerabilities.log - Log file where all vulnerabilities will be stored.
  • strengths.log - Log file where all strengths of the web-app are stored.
  • errored.log - Log file where all errors encountered will be stored.
  • internal-links.log - Log file where all links found and crawled will be stored.
  • forms-tested.log - Log file where all forms tested will be stored.
  • tokens.log - Log file where all Anti-CSRF tokens are stored (if any). Apart from these, if XSRFProbe finds any form vulnerable to POST-Based CSRF, it will generate a PoC form which will be stored there too (unless the --skip-poc argument is not supplied).

Skip Post-Scan Analysis

Option: --no-analysis

This option enables you to skip the post-scan analysis of tokens which were gathered during various requests.

python xsrfprobe.py -u http://example.com/testcsrf.php --no-analysis

Displaying Headers

Option: --display

Often you might want to view the response header sent from an application during requests. This option empowers you to view headers sent by the web-application during all requests.

python xsrfprobe.py -u http://example.com/testcsrf.php --display

Updating XSRFProbe

Option: --update

If this option is supplied, XSRFProbe will check for updates. If a newer version will available, XSRFProbe will download and merge the updates into the current directory via its seamless update system without losing any of your files.

python xsrfprobe.py --update

XSRFProbe Version

Option: --version

This option displays the current version of XSRFProbe from files/VersionNum which you're using.

python xsrfprobe.py --version

XSRFProbe Wiki Index

Clone this wiki locally
You can’t perform that action at this time.