Git Product home page Git Product logo

xsrfprobe's Introduction


xsrfprobe

XSRFProbe

The Prime Cross Site Request Forgery Audit & Exploitation Toolkit.

About:

XSRFProbe is an advanced Cross Site Request Forgery (CSRF/XSRF) Audit and Exploitation Toolkit. Equipped with a powerful crawling engine and numerous systematic checks, it is able to detect most cases of CSRF vulnerabilities, their related bypasses and futher generate (maliciously) exploitable proof of concepts with each found vulnerability. For more info on how XSRFProbe works, see XSRFProbe Internals on wiki.

xsrf-logo

XSRFProbe WikiGetting StartedGeneral UsageAdvanced UsageXSRFProbe InternalsGallery

Some Features:

  • Performs several types of checks before declaring an endpoint as vulnerable.
  • Can detect several types of Anti-CSRF tokens in POST requests.
  • Works with a powerful crawler which features continuous crawling and scanning.
  • Out of the box support for custom cookie values and generic headers.
  • Accurate Token-Strength Detection and Analysis using various algorithms.
  • Can generate both normal as well as maliciously exploitable CSRF proof of concepts.
  • Well documented code and highly generalised automated workflow.
  • The user is in control of everything whatever the scanner does.
  • Has a user-friendly interaction environment with full verbose support.
  • Detailed logging system of errors, vulnerabilities, tokens and other stuffs.

Gallery:

Lets see some real-world scenarios of XSRFProbe in action:

Usage:

For the full usage info, please take a look at the wiki's — General Usage and Advanced Usage.

Installing via Pypi:

XSRFProbe can be easily installed via a single command:

pip install xsrfprobe

Installing manually:

  • For the basics, the first step is to install the tool:
python3 setup.py install
  • Now, the tool can be fired up via:
xsrfprobe --help
  • After testing XSRFProbe on a site, an output folder is created in your present working directory as xsrfprobe-output. Under this folder you can view the detailed logs and information collected during the scans.

Version and License:

XSRFProbe v2.3 release is a Stage 5 Production-Ready (Stable) release and the work is licensed under the GNU General Public License (GPLv3).

Warnings:

Do not use this tool on a live site!

It is because this tool is designed to perform all kinds of form submissions automatically which can sabotage the site. Sometimes you may screw up the database and most probably perform a DoS on the site as well.

Test on a disposable/dummy setup/site!

Disclaimer:

Usage of XSRFProbe for testing websites without prior mutual consistency can be considered as an illegal activity. It is the final user's responsibility to obey all applicable local, state and federal laws. The author assumes no liability and is not exclusively responsible for any misuse or damage caused by this program.

Author's Words:

This project is based entirely upon my own research and my own experience with web applications on Cross-Site Request Forgery attacks. You can try going through the source code which is highly documented to help you understand how this toolkit was built. Useful pull requests, ideas and issues are highly welcome. If you wish to see what how XSRFProbe is being developed, check out the Development Board.

Copyright © @0xInfection

xsrfprobe's People

Contributors

0xinfection avatar iduronto avatar

Watchers

James Cloos avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.