Packages and Binaries:

xsrfprobe

XSRFProbe is an advanced Cross Site Request Forgery (CSRF/XSRF) audit and exploitation toolkit. Equipped with a powerful crawling engine and numerous systematic checks, it is able to detect most cases of CSRF vulnerabilities and their related bypasses, and it generates an exploitable proof of concept for each vulnerability it finds.

Installed size: 190 KB
How to install: sudo apt install xsrfprobe

Dependencies:
  • python3
  • python3-bs4
  • python3-requests
  • python3-stringdist
  • python3-tld
  • python3-yattag

xsrfprobe
root@kali:~# xsrfprobe -h

    XSRFProbe, A Cross Site Request Forgery Audit Toolkit

usage: xsrfprobe -u <url> <args>

Required Arguments:
  -u URL, --url URL     Main URL to test

Optional Arguments:
  -c COOKIE, --cookie COOKIE
                        Cookie value to be requested with each successive
                        request. If there are multiple cookies, separate them
                        with commas. For example: `-c PHPSESSID=i837c5n83u4,
                        _gid=jdhfbuysf`.
  -o OUTPUT, --output OUTPUT
                        Output directory where files to be stored. Default is
                        the output/ folder where all files generated will be
                        stored.
  -d DELAY, --delay DELAY
                        Time delay between requests in seconds. Default is
                        zero.
  -q, --quiet           Set the DEBUG mode to quiet. Report only when
                        vulnerabilities are found. Minimal output will be
                        printed on screen.
  -H HEADERS, --headers HEADERS
                        Comma separated list of custom headers you'd want to
                        use. For example: ``--headers "Accept=text/php,
                        X-Requested-With=Dumb"``.
  -v, --verbose         Increase the verbosity of the output (e.g., -vv is
                        more than -v).
  -t TIMEOUT, --timeout TIMEOUT
                        HTTP request timeout value in seconds. The entered
                        value may be either in floating point decimal or an
                        integer. Example: ``--timeout 10.0``
  -E EXCLUDE, --exclude EXCLUDE
                        Comma separated list of paths or directories to be
                        excluded which are not in scope. These paths/dirs
                        won't be scanned. For example: `--exclude somepage/,
                        sensitive-dir/, pleasedontscan/`
  --user-agent USER_AGENT
                        Custom user-agent to be used. Only one user-agent can
                        be specified.
  --max-chars MAXCHARS  Maximum allowed character length for the custom token
                        value to be generated. For example: `--max-chars 5`.
                        Default value is 6.
  --crawl               Crawl the whole site and simultaneously test all
                        discovered endpoints for CSRF.
  --no-analysis         Skip the Post-Scan Analysis of Tokens which were
                        gathered during requests
  --malicious           Generate a malicious CSRF Form which can be used in
                        real-world exploits.
  --skip-poc            Skip the PoC Form Generation of POST-Based Cross Site
                        Request Forgeries.
  --no-verify           Do not verify SSL certificates with requests.
  --display             Print out response headers of requests while making
                        requests.
  --update              Update XSRFProbe to latest version on GitHub via git.
  --random-agent        Use random user-agents for making requests.
  --version             Display the version of XSRFProbe and exit.
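The checks the help text describes (finding state-changing forms, looking for an anti-CSRF token, and analysing the gathered tokens, which `--max-chars` and `--no-analysis` refer to) can be illustrated with a small stand-alone form audit. The following is an added example and not part of xsrfprobe's own code: it parses a constructed HTML page with the standard library, flags POST forms that carry no token-like hidden field, and sanity-checks the tokens it does find against an assumed minimum length (16 characters) and an assumed Shannon-entropy floor (3.0 bits per character). Both thresholds and the sample page are assumptions chosen for the demonstration.

```python
"""Audit HTML forms for missing or weak anti-CSRF tokens (added example, not xsrfprobe code)."""
import math
import re
from collections import Counter
from html.parser import HTMLParser

# Field names that commonly carry an anti-CSRF token (assumed, not exhaustive).
TOKEN_NAME_RE = re.compile(r"(csrf|xsrf|_token|authenticity_token|anti.?forgery|nonce)", re.I)
MIN_TOKEN_CHARS = 16      # assumed threshold for a token that is not trivially guessable
MIN_ENTROPY_BITS = 3.0    # assumed per-character Shannon entropy floor


class FormCollector(HTMLParser):
    """Collect every <form> with its method, action and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").upper(),
                "inputs": [],
            }
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "type": (a.get("type") or "text").lower(),
                "name": a.get("name") or "",
                "value": a.get("value") or "",
            })

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def audit_forms(html):
    """Return (action, verdict, token_name) tuples for every POST form on the page.

    Verdicts: "missing" (no token-like hidden field), "short", "low-entropy" or "ok".
    GET forms are skipped: they should not change state, so they are out of scope.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if form["method"] != "POST":
            continue
        tokens = [i for i in form["inputs"]
                  if i["type"] == "hidden" and TOKEN_NAME_RE.search(i["name"])]
        if not tokens:
            findings.append((form["action"], "missing", None))
            continue
        for tok in tokens:
            value = tok["value"]
            if len(value) < MIN_TOKEN_CHARS:
                verdict = "short"
            elif shannon_entropy(value) < MIN_ENTROPY_BITS:
                verdict = "low-entropy"
            else:
                verdict = "ok"
            findings.append((form["action"], verdict, tok["name"]))
    return findings


# Constructed sample page: one GET form (ignored) and four POST forms of varying quality.
SAMPLE_HTML = """
<html><body>
<form action="/search" method="get"><input name="q"></form>
<form action="/account/delete" method="post"><input type="submit" value="Delete"></form>
<form action="/profile" method="POST"><input type="hidden" name="csrf_token" value="12345"><input name="bio"></form>
<form action="/settings" method="post"><input type="hidden" name="_token" value="aaaaaaaaaaaaaaaaaaaa"></form>
<form action="/transfer" method="post"><input type="hidden" name="authenticity_token" value="Zq7vT2mLx9Kd4Rb8Wn1Ye5Hs0Jc3Pa6F"><input name="amount"></form>
</body></html>
"""


def run_demo():
    """Audit the constructed sample page."""
    return audit_forms(SAMPLE_HTML)


if __name__ == "__main__":
    for action, verdict, name in run_demo():
        print(f"{action:<20} {verdict:<12} {name or '-'}")
```

Running the block prints one line per POST form: the delete form is reported as missing a token, the five-character token as short, the repeated-character token as low-entropy, and the transfer form as ok. The check is deliberately static (it reads one page); it does not replay requests with the token removed or altered, which is the part of a CSRF audit that requires a live target and the kind of request handling the tool's options configure.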

Updated on: 2024-Nov-17