XSRFProbe: Prime CSRF Audit and Exploitation Toolkit
Introduction
XSRFProbe is an advanced CSRF (Cross Site Request Forgery) Audit and Exploitation Toolkit. This tool, written in Python and equipped with a powerful crawling engine, it’s able to detect most cases of CSRF vulnerabilities and their related bypasses. In addition, it’s capable to generate exploitable PoCs (proof of concepts) with each found vulnerability.
XSRFProbe: Cross-site Request Forgery [CSRF/XSRF] Audit & Exploitation Toolkit
XSRFProbe is a very flexible and customizable CSRF Audit tool that has numerous systematic checks. Furthermore, you can make your own configuration if you don’t want to enter parameters everytime. To make config changes, you just need to edit config.py
file as you wish, and the next time you run the tool, it will run according to your configuration.
Features:
- Performs several types of checks before declaring an endpoint as vulnerable.
- Can detect several types of Anti-CSRF tokens in POST requests.
- Features a powerful crawler which features continuous crawling and scanning.
- Out of the box support for custom cookie values and generic headers.
- Accurate Token-Strength Detection and Analysis using various algorithms.
- Can generate both normal as well as maliciously exploitable CSRF PoCs.
- Follows a redirect when there is a 30x response.
- Well documented code and highly generalised automated workflow.
- The user is in control of everything whatever the scanner does.
- Has a user-friendly interaction environment with full verbose support.
- Detailed logging system of errors, vulnerabilities, tokens and other stuffs.
Requirements:
Python 3.x
- Dependencies from
requirements.txt
Supported Platforms:
- Linux (Ubuntu, Debian, Arch), Mac OS X, Windows
Install
Clone the repo and navigate to the working directory:
$ git clone https://github.com/0xinfection/XSRFProbe.git
$ cd XSRFProbe/
Then install the dependencies via pip3
(requirements.txt
):
$ pip3 install -r requirements.txt
Basic Usage
To start using it, launch the script (you’ll see the list of arguments):
$ python3 xsrfprobe.py
usage: python3 xsrfprobe.py [-h] [-u URL] [-c COOKIE] [-o OUTPUT] [-d DELAY]
[-q] [-v] [--user-agent USER_AGENT]
[--headers HEADERS] [--exclude EXCLUDE]
[--timeout TIMEOUT] [--max-chars MAXCHARS]
[--crawl] [--no-analysis] [--malicious]
[--skip-poc] [--display] [--update]
[--random-agent] [--version]
Required Arguments:
-u URL, --url URL Main URL to test
Optional Arguments:
-c COOKIE, --cookie COOKIE
Cookie value to be requested with each successive
request. If there are multiple cookies, separate them
with commas. For example: -c PHPSESSID=i837c5n83u4,
_gid=jdhfbuysf.
-o OUTPUT, --output OUTPUT
Output directory where files to be stored. Default is
thefiles folder where all files generated will be
stored.
-d DELAY, --delay DELAY
Time delay between requests in seconds. Default is
zero.
-q, --quiet Set the DEBUG mode to quiet. Report only when
vulnerabilities are found. Minimal output will be
printed on screen.
-v, --verbose Increase the verbosity of the output (e.g., -vv is
more than -v).
--user-agent USER_AGENT
Custom user-agent to be used. Only one user-agent can
be specified.
...
Example: Testing A Single Endpoint
-u
or--url:
Just enter the website to scan (end point URL or first level of domain):
$ python3 xsrfprobe.py -u http://www.example.com/
[!] Testing site example.com status…
[+] Site seems to be up!
[!] Testing endpoint status…
[+] Endpoint seems to be up!
[*] Processing the GET Request…
[!] Trying to parse response…
[!] Checking endpoint request validation via Referer Checks…
+--------------------------------------+
| Referer Based Request Validation |
+--------------------------------------+
[!] Making request on normal basis…
[*] Processing the GET Request…
[*] Setting generic headers…
[!] Making request with Tampered Referer Header…
[*] Processing the GET Request…
[-] Endpoint Referer Validation Not Present!
[-] Heuristics reveal endpoint might be VULNERABLE to Origin Based CSRFs…
[+] Possible CSRF Vulnerability Detected : http://www.example.com/!
[+] Possible Vulnerability Type: No Referer Based Request Validation
[!] Confirming the vulnerability…
[!] Confirming endpoint request validation via Origin Checks…
...
List of XSRFProbe checks:
- Origin & Referer Based Request Validation Check
- Anti-CSRF Token Detection in POST Queries, Strength Detection, Randomness Calculation, Encoding Detection
- Session Cookie Persistence Checks
- Cross-Site Cookie Validation Checks
- POST-Based Request Forgery Detection on Forms
- Tampering Requests for Detection Back-End Validation
- CSRF Proof of Concept Generation and Testing
- POST-Scan Token Analysis of all Anti-CSRF Tokens Gathered