
XSRF (CSRF) Vulnerability Scanner and POC generator for Bug hunter: XSRF (CSRF) Probe

XSRF Probe
Written by Mubassir patel

XSRF (CSRF) Probe is an advanced Cross Site Request Forgery Audit Toolkit equipped with Powerful Crawling and Intelligent Token Generation Capabilities.

An XSRF (CSRF) Scanner Equipped with Powerful Crawling Engine and Intelligent Token Generator.

Some Features Of XSRF (CSRF) Probe:

  • Has a powerful crawler which features continuous crawling and scanning.
  • XSRFProbe has absolute support for both GET and POST requests.
  • Out of the box support for custom cookie values and generic headers.
  • Can intelligently generate crafted tokens for different types of parameters.
  • Can effectively crawl and hunt out hidden parameters (without bruteforce).
  • Submits forms with normal values as well as with crafted tokens.
  • Rare chances of false positives occurring during a scan.
  • Follows a redirect when there is a 302 response.
  • Generates PoCs for both exploitable and non-exploitable CSRFs.
  • Has a user-friendly interaction environment.
  • Everything is automated on demand.


The Workflow:

The typical workflow of this scanner is:

  • Spiders the target website to find all pages.
  • Finds all types of forms present on each page.
  • Hunts out hidden as well as visible parameter values.
  • Submits each form with normal tokens & parameter values.
  • Generates random token strings and sets parameter values.
  • Submits each form with the crafted tokens.
  • Finds out if the tokens are sufficiently protected.
  • Generates custom proof of concepts after each successful bug hunt.
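
The form-level part of this workflow can be turned around and run by a site owner against their own rendered pages. The following is an added example, not XSRFProbe's code: it parses HTML with the standard library, finds every POST form, and reports whether a token field is missing, present but weak, or present and reasonably long and varied. The list of token name hints, the 64-bit threshold and the sample HTML are assumptions made for this illustration.

```python
import math
from collections import Counter
from html.parser import HTMLParser

# Assumed name fragments that commonly mark anti-CSRF fields (not XSRFProbe's list).
TOKEN_HINTS = ("csrf", "xsrf", "token", "authenticity", "nonce")

def entropy_bits(value):
    """Heuristic strength estimate: per-character Shannon entropy times length (0 if empty)."""
    return -sum(c * math.log2(c / len(value)) for c in Counter(value).values())

class FormCollector(HTMLParser):
    """Records each <form> with its action, method and (name, value) inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["fields"].append((a.get("name") or "", a.get("value") or ""))

    def handle_endtag(self, tag):
        self._open = None if tag == "form" else self._open

def audit(html, min_bits=64):
    """Return (action, verdict) per POST form: 'missing', 'weak' or 'ok'."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if form["method"] != "post":
            continue  # GET forms are skipped; they should not change state at all
        tokens = [v for n, v in form["fields"] if any(h in n.lower() for h in TOKEN_HINTS)]
        best = max((entropy_bits(v) for v in tokens), default=None)
        verdict = "missing" if best is None else "weak" if best < min_bits else "ok"
        findings.append((form["action"], verdict))
    return findings

# Constructed sample page with one form per outcome (values are made up).
SAMPLE = """
<form action="/search" method="get"><input name="q"></form>
<form action="/profile" method="post"><input name="email"></form>
<form action="/password" method="post"><input type="hidden" name="csrf_token" value="1234"></form>
<form action="/transfer" method="post"><input type="hidden" name="csrf_token" value="9f3b7c1e5a2d4f60b8c7e1a39d5f2b46"></form>"""
```

The entropy of one observed value is only a rough proxy for token quality; whether the server actually rejects a changed or absent token still has to be verified on the server side.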



Do not use this tool on a live site!

This is because the tool is designed to perform all kinds of form submissions automatically, which can sabotage the site. Sometimes you may screw up the database, and you will most probably perform a DoS on the site as well.

Test on a disposable test site!


The scanner has the following drawbacks presently:

  • Normally the scanner assumes that every form has a hidden/visible parameter and token field.
  • Changing or removing that token field usually causes a 403 Forbidden response.
  • Spidering is restricted to domains of startpages (so doesn’t work with all domains). 🙁


Requirements:

  • urllib2
  • requests
  • bs4
  • lxml


➲ Clone the script and launch it.

git clone
cd XSRFProbe

➲ Install the dependencies.

pip install -r requirements

➲ Launch the script.


➲ Enter the website target.

➲ Let the scanner load up.

➲ Keep track of PoCs which may appear (if a bug exists).
