XSRFProbe is an advanced Cross Site Request Forgery (CSRF/XSRF) Audit and Exploitation Toolkit. Equipped with a powerful crawling engine and numerous systematic checks, it is able to detect most cases of CSRF vulnerabilities, their related bypasses and futher generate (maliciously) exploitable proof of concepts with each found vulnerability. For more info on how XSRFProbe works, see XSRFProbe Internals on wiki.
Lets see some real-world scenarios of XSRFProbe in action:
XSRFProbe can be easily installed via a single command:
pip install xsrfprobe
python3 setup.py install
xsrfprobe-output. Under this folder you can view the detailed logs and information collected during the scans.
v2.3 release is a
Stage 5 Production-Ready (Stable) release and the work is licensed under the GNU General Public License (GPLv3).
Do not use this tool on a live site!
It is because this tool is designed to perform all kinds of form submissions automatically which can sabotage the site. Sometimes you may screw up the database and most probably perform a DoS on the site as well.
Test on a disposable/dummy setup/site!
Usage of XSRFProbe for testing websites without prior mutual consistency can be considered as an illegal activity. It is the final user's responsibility to obey all applicable local, state and federal laws. The author assumes no liability and is not exclusively responsible for any misuse or damage caused by this program.
This project is based entirely upon my own research and my own experience with web applications on Cross-Site Request Forgery attacks. You can try going through the source code which is highly documented to help you understand how this toolkit was built. Useful pull requests, ideas and issues are highly welcome. If you wish to see what how XSRFProbe is being developed, check out the Development Board.
Copyright © @0xInfection