XSRFProbe – Advanced Cross Site Request Forgery (CSRF/XSRF) Audit and Exploitation Toolkit

XSRFProbe - Advanced CSRF or XSRF Audit and Exploitation Toolkit xploitlab

What is XSRF (Cross Site Request Forgery). XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript XMLHttpRequests, for example, can all work without the user’s interaction or even knowledge.

If you a bug hunter or pentester you have to know how you can exploit this vulnerability. XSRFProbe is a toolkit that help you to do that, this tool will able to detect most cases of CSRF vulnerabilities and also equipped with powerful crawling engine.

About

XSRFProbe is an advanced Cross Site Request Forgery (CSRF/XSRF) Audit and Exploitation Toolkit. Equipped with a Powerful Crawling Engine and Numerous Systematic Checks, it is now able to detect most cases of CSRF vulnerabilities, their related bypasses and futher generate (maliciously) exploitable proof of concepts with each found vulnerability. For more info on how XSRFProbe works, see XSRFProbe Internals on wiki.

Some Features:

  •  Performs several types of checks before declaring an endpoint as vulnerable.
  •  Can detect several types of Anti-CSRF tokens in POST requests.
  •  Features a powerful crawler which features continuous crawling and scanning.
  •  Out of the box support for custom cookie values and generic headers.
  •  Accurate Token-Strength Detection and Analysis using various algorithms.
  •  Can generate both normal as well as maliciously exploitable CSRF PoCs.
  •  Follows a redirect when there is a 30x response.
  •  Well documented code and highly generalised automated workflow.
  •  The user is in control of everything whatever the scanner does.
  •  Has a user-friendly interaction environment with full verbose support.
  •  Detailed logging system of errors, vulnerabilities, tokens and other stuffs.

Gallery:

Lets see some real-world scenarios of XSRFProbe in action:

XSRFProbe - Advanced CSRF or XSRF Audit and Exploitation Toolkit
XSRFProbe - anti CSRF token check xploitlab
XSRFProbe - Advanced Cross Site Request Forgery Audit and Exploitation Toolkit
XSRFProbe - XSRF CSRF exploit
XSRFProbe - CSRF or XSRF analysis

Version and License:

XSRFProbe v2.0 release is now a stable release and the work is licensed under the GPL v3 License.

Warnings:

Do not use this tool on a live site!

It is because this tool is designed to perform all kinds of form submissions automatically which can sabotage the site. Sometimes you may screw up the database and most probably perform a DoS on the site as well.

Test on a disposable/dummy setup/site!

Disclaimer:

Usage of XSRFProbe for testing websites without prior mutual consistency can be considered as an illegal activity. It is the final user’s responsibility to obey all applicable local, state and federal laws. The author assumes no liability and is not exclusively responsible for any misuse or damage caused by this program.

Author’s Words:

This project is based entirely upon my own research and my own experience with web applications on Cross-Site Request Forgery attacks. You can try going through the source code which is highly documented to help you understand how this toolkit was built. Useful pull requestsideas and issues are highly welcome. If you wish to see what how XSRFProbe is being developed, check out the Development Board.

Copyright © Infected Drake


You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

15 + 10 =