XSRF (CSRF) Probe is an advanced Cross Site Request Forgery Audit Toolkit equipped with Powerful Crawling and Intelligent Token Generation Capabilities.
An XSRF (CSRF) Scanner Equipped with Powerful Crawling Engine and Intelligent Token Generator.
Some Features Of XSRF (CSRF) Probe:
- Has a powerful crawler which features continuous crawling and scanning.
- XSRFProbe has absolute support for both GET and POST requests.
- Out of the box support for custom cookie values and generic headers.
- Can intelligently generate crafted tokens for different types of parameters.
- Can effectively crawl and hunt out hidden parameters
- Submits forms in the normal values as well as with crafted token.
- Rare chances of false positives occuring during scan.
- Follows a redirect when there is a 302 response.
- Generates PoCs for both exploitable and non-exploitable CSRFs.
- Has a user-friendly interaction environment.
- Everything is automated on demand.
The typical workflow of this scanner is :-
- Spiders the target website to find all pages.
- Finds all types of forms present on the each page.
- Hunts out hidden as well as visible parameter values.
- Submits each form with normal tokens & parameter values.
- Generates random token strings and sets parameter values.
- Submits each form with the crafted tokens.
- Finds out if the tokens are sufficiently protected.
- Generates custom proof of concepts after each successful bug hunt.
Do not use this tool on a live site!
It is because this tool is designed to perform all kinds of form submissions automatically which can sabotage the site. Sometimes you may screw up the database and most probably perform a DoS on the site as well.
Test on a disposable test site!
The scanner has the following drawbacks presently:
- Normally the scanner assumes that every form has a hidden/visible parameter and token field.
- Changing or removing that token field usually causes a 403 Forbidden response.
- Spidering is restricted to domains of startpages (so doesn’t work with all domains). 🙁
➲ Clone the script and launch it.
git clone https://github.com/theInfectedDrake/XSRFProbe.git cd XSRFProbe
➲ Install the dependencies.
pip install -r requirements
➲ Launch the script.
➲ Enter the website target.
➲ Let the scanner load up.
➲ Keep track of PoCs which may appear (if a bug exists).