Offensive Security Tool: XSRFProbe

by | Jan 10, 2025 | Tools

Post Views: 65

Join our Patreon Channel and Gain access to 70+ Exclusive Walkthrough Videos.

Patreon

Reading Time: 2 Minutes

XSRFProbe

XSRFProbe, developed by 0xInfection, is an advanced Cross Site Request Forgery (CSRF/XSRF) Audit and Exploitation Toolkit. Equipped with a powerful crawling engine and numerous systematic checks, it is able to detect most cases of CSRF vulnerabilities, their related bypasses and further generate (maliciously) exploitable proof of concepts with each found vulnerability. For more info on how XSRFProbe works, see XSRFProbe Internals on wiki.

See Also: So you want to be a hacker?
Offensive Security and Ethical Hacking Course

Some Features:

  •  Performs several types of checks before declaring an endpoint as vulnerable.
  •  Can detect several types of Anti-CSRF tokens in POST requests.
  •  Works with a powerful crawler which features continuous crawling and scanning.
  •  Out of the box support for custom cookie values and generic headers.
  •  Accurate Token-Strength Detection and Analysis using various algorithms.
  •  Can generate both normal as well as maliciously exploitable CSRF proof of concepts.
  •  Well documented code and highly generalised automated workflow.
  •  The user is in control of everything whatever the scanner does.
  •  Has a user-friendly interaction environment with full verbose support.
  •  Detailed logging system of errors, vulnerabilities, tokens and other stuffs.

See Also: Offensive Security Techniques Repo: RustRedOps

See Also: How to Exploit “improper error handling” in Web Applications

Usage

For the full usage info, please take a look at the wiki’s — General Usage and Advanced Usage.

Installing via Pypi:

XSRFProbe can be easily installed via a single command:

pip install xsrfprobe

Installing manually:

  • For the basics, the first step is to install the tool:

python3 setup.py install

  • Now, the tool can be fired up via:

xsrfprobe --help

  • After testing XSRFProbe on a site, an output folder is created in your present working directory as xsrfprobe-output. Under this folder you can view the detailed logs and information collected during the scans.

 

Warnings:

Do not use this tool on a live site!

It is because this tool is designed to perform all kinds of form submissions automatically which can sabotage the site. Sometimes you may screw up the database and most probably perform a DoS on the site as well.

Test on a disposable/dummy setup/site!

Disclaimer:

Usage of XSRFProbe for testing websites without prior mutual consistency can be considered as an illegal activity. It is the final user’s responsibility to obey all applicable local, state and federal laws. The author assumes no liability and is not exclusively responsible for any misuse or damage caused by this program.

 

Clone the repo from here: GitHub Link

See Also: Post-Exploitation Techniques: Maintaining Access, Escalating Privileges, Gathering Credentials, Covering Tracks

Merch

Recent Tools

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This