Skip to content
/ CSRFProbe Public

CSRFProbe is an advanced scanner for hunting down Cross Site Request Forgery bugs in web applications.

code.teamcodesploit.gq/
1 star 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

teamcodesploit/CSRFProbe

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
core
core
 
 
modules
modules
 
 
README.md
README.md
 
 
csrfprobe.py
csrfprobe.py
 
 
requirements
requirements
 
 

Repository files navigation

CSRF Probe

CSRF Probe is a advanced scanner for hunting down Cross Site Request Forgery bugs in web applications.

Working:

The typical flow of this scanner is :-

  • Spiders the target website to find all pages.
  • Finds all types of forms present on the each page.
  • Hunts out hidden as well as visible parameter values.
  • Submits each form with normal tokens & parameter values.
  • Generates random token strings and sets parameter values.
  • Submits each form with the crafted tokens.
  • Finds out if the tokens are sufficiently protected.
  • Generates custom proof of concepts after each successful bug hunt.

Features:

  • Features continuous crawling and scanning.
  • Support for both GET and POST requests.
  • Support for custom cookie values and generic headers.
  • Generates special crafted tokens for different parameters.
  • Submits forms in the normal way as well as with crafted token.
  • Rare chances of false positives occuring during scan.
  • Follows redirects when there is a 302 response.
  • Generates PoCs for both exploitable and not exploitable CSRFs.
  • Has a user-friendly interaction environment.
  • Everything is automated on demand.

Warnings:

Do not use this tool on a live site!

It is because this tool is designed to perform all kinds of form submissions automatically which can be dangerous to he site. Sometimes you may screw up your database and most probably perform a DoS on the site as well.

Use on a disposable test site!

Drawbacks:

The scanner has the following drawbacks presently:

  • Normally the scanner assumes that every form has a hidden/visible parameter and token field.
  • Changing or removing that token field usually causes a 403 Forbidden response.
  • Spidering is restricted to domains of startpages (so doesn't work with all domains). :(

Requirements:

  • mechanize
  • urllib
  • urllib2
  • requests
  • bs4
  • lxml
  • logging

Usage:

➲ Clone the script and launch it.

git clone https://github.com/the-Infected-Drake/CSRFProbe.git
cd CSRFProbe

➲ Install the dependencies.

pip install -r requirements

➲ Launch the script.

python csrfprobe.py

➲ Enter the website target.

https://examplesite.com

➲ Let the scanner load up.

➲ Keep track of PoCs which may appear (if bug exists).

➲ Report if any bugs found... ; )

Version:

  • v1.1.0

To Do's:

  • Associate multithreading for the better.

Thank you...

✎ @_tID (Team CodeSploit)

About

CSRFProbe is an advanced scanner for hunting down Cross Site Request Forgery bugs in web applications.

code.teamcodesploit.gq/

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages