XSRFProbe is an advanced Cross Site Request Forgery Audit and Exploitation Toolkit. Equipped with a Powerful Crawling Engine and Numerous Systematic Checks, it is now able to detect most cases of CSRF vulnerabilities, their related bypasses and futher generate (maliciously) exploitable proof of concepts with each found vulnerability. For more info on how XSRFProbe works, see XSRFProbe Internals on wiki.

NOTE:

This tool is still in beta phase and might bug out. A stable release will be pushed once every feature has been added. If you're interested, have a look at this pull request.

XSRFProbe Wiki • Getting Started • General Usage • Advanced Usage • XSRFProbe Internals • Gallery

• Has a powerful crawler which features continuous crawling and scanning.
• The user is in control of everything that the scanner does.
• Can detect several types of Anti-CSRF tokens in requests.
• Out of the box support for custom cookie values and generic headers.
• Accurate Token-Strength Detection and Post-Scan Analysis using various algorithms.
• Submits forms in the normal values as well as with crafted token.
• Follows a redirect when there is a 30x response.
• Highly documented code and highly generalised workflow.
• Has a user-friendly interaction environment.
• Everything is automated on demand.

Do not use this tool on a live site!

It is because this tool is designed to perform all kinds of form submissions automatically which can sabotage the site. Sometimes you may screw up the database and most probably perform a DoS on the site as well.

Test on a disposable/dummy setup/site!

The scanner has the following drawbacks presently:

• Normally the scanner assumes that every form has a hidden/visible parameter and token field.
• Changing or removing that token field usually causes a 403 Forbidden response.
• There are chances of false positives during scanning for POST-Based Request Forgeries.

Lets see some real-world scenarios of XSRFProbe in action:

XSRFProbe v2 is in beta phase and has been released for public testing. It is licensed under the GPLv3 license.

Usage of XSRFProbe for testing websites without prior mutual consistency can be considered as an illegal activity. It is the final user's responsibility to obey all applicable local, state and federal laws. The author assumes no liability and is not exclusively responsible for any misuse or damage caused by this program.

• Include detailed logging system.
• Associate multithreading for the better.
• Include methods for detecting blind CSRF.

This project is based entirely upon my own research and my own experience with Cross-Site Request Forgery attacks. Useful pull requests, ideas and issues are highly welcome. If you wish to see what how XSRFProbe is being developed, check out the Development Board.

Thats it folks. Thank you...

Copyright © Infected Drake