diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 1c90491..a9a9ffe 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -55,7 +55,7 @@ further defined and clarified by project maintainers. ## Enforcement Instances of abusive, harassing, or otherwise unacceptable behavior may be -reported by contacting the project team at code@enablesecurity.com. All +reported by contacting the project lead at theinfecteddrake@gmail.com. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. diff --git a/LICENSE b/LICENSE index 8215fe0..e72bfdd 100644 --- a/LICENSE +++ b/LICENSE @@ -1,7 +1,7 @@ GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 - Copyright (C) 2007 Free Software Foundation, Inc. + Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. @@ -631,8 +631,8 @@ to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. - XSRFProbe, A Cross Site Request Forgery Audit Toolkit - Copyright (C) 2018 @_tID + + Copyright (C) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -645,14 +645,14 @@ the "copyright" line and a pointer to where the full notice is found. GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program. If not, see . + along with this program. If not, see . Also add information on how to contact you by electronic and paper mail. If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode: - XSRFProbe Copyright (C) 2018 @_tID + Copyright (C) This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. @@ -664,11 +664,11 @@ might be different; for a GUI interface, you would use an "about box". You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see -. +. The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read -. +. \ No newline at end of file diff --git a/README.md b/README.md index 47a474a..2d4ab33 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@


- wafw00f + xsrfprobe

XSRFProbe @@ -22,7 +22,7 @@

### About: -__XSRFProbe__ is an advanced [Cross Site Request Forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)) (CSRF/XSRF) Audit and Exploitation Toolkit. Equipped with a Powerful Crawling Engine and Numerous Systematic Checks, it is now able to detect most cases of CSRF vulnerabilities, their related bypasses and futher generate (maliciously) exploitable proof of concepts with each found vulnerability. For more info on how XSRFProbe works, see [XSRFProbe Internals](https://github.com/0xInfection/XSRFProbe/wiki#xsrfprobe-internals) on [wiki](https://github.com/0xInfection/XSRFProbe/wiki/). +__XSRFProbe__ is an advanced [Cross Site Request Forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)) (CSRF/XSRF) Audit and Exploitation Toolkit. Equipped with a powerful crawling engine and numerous systematic checks, it is able to detect most cases of CSRF vulnerabilities, their related bypasses and futher generate (maliciously) exploitable proof of concepts with each found vulnerability. For more info on how XSRFProbe works, see [XSRFProbe Internals](https://github.com/0xInfection/XSRFProbe/wiki#xsrfprobe-internals) on [wiki](https://github.com/0xInfection/XSRFProbe/wiki/). xsrf-logo

@@ -91,4 +91,4 @@ Usage of XSRFProbe for testing websites without prior mutual consistency can be ### Author's Words: This project is based __entirely upon my own research and my own experience with web applications__ on Cross-Site Request Forgery attacks. You can try going through the source code which is highly documented to help you understand how this toolkit was built. Useful [pull requests](https://github.com/0xInfection/XSRFProbe/wiki/Contributing), [ideas and issues](https://github.com/0xInfection/XSRFProbe/wiki/Reporting-Bugs#before-submitting) are highly welcome. If you wish to see what how XSRFProbe is being developed, check out the [Development Board](https://github.com/0xInfection/XSRFProbe/projects/1). -> Copyright (C) [0xInfection](https://www.twitter.com/0xInfection) +> Copyright © [@0xInfection](https://www.twitter.com/0xInfection) diff --git a/setup.py b/setup.py index 0367d44..fc3663d 100644 --- a/setup.py +++ b/setup.py @@ -10,13 +10,14 @@ setup( name='xsrfprobe', version=__import__('xsrfprobe').__version__, + description='The Prime Cross Site Request Forgery (CSRF) Audit & Exploitation Toolkit', long_description=desc, long_description_content_type='text/markdown', author='Pinaki Mondal', author_email='theinfecteddrake@gmail.com', license='GPLv3', url='https://github.com/0xInfection/XSRFProbe', - download_url='https://github.com/0xInfection/XSRFProbe/archive/v2.1.zip', + download_url='https://github.com/0xInfection/XSRFProbe/archive/v2.1.1.zip', packages=find_packages(), scripts=['xsrfprobe/bin/xsrfprobe'], install_requires=[ @@ -31,12 +32,11 @@ 'Intended Audience :: System Administrators', 'Intended Audience :: Developers', 'Intended Audience :: Information Technology', - 'Intended Audience :: Developers', 'Operating System :: OS Independent', 'Topic :: Internet', 'Topic :: Security', 'License :: OSI Approved :: GNU General Public License v3 (GPLv3)', 'Programming Language :: Python :: 3', ], - keywords=['csrf', 'xsrf', 'appsec', 'vulnerability scanner', 'webapps'], + keywords=['csrf', 'xsrf', 'appsec', 'vulnerability scanner', 'webapps', 'hacking'], ) diff --git a/xsrfprobe/__init__.py b/xsrfprobe/__init__.py index ac5dab3..a538791 100644 --- a/xsrfprobe/__init__.py +++ b/xsrfprobe/__init__.py @@ -1,4 +1,4 @@ #!/usr/bin/env python3 -__version__ = '2.1.0' +__version__ = '2.1.1' __license__ = 'GNU General Public License v3 (GPLv3)' \ No newline at end of file diff --git a/xsrfprobe/bin/xsrfprobe b/xsrfprobe/bin/xsrfprobe index 8a94e7e..9b6ee78 100644 --- a/xsrfprobe/bin/xsrfprobe +++ b/xsrfprobe/bin/xsrfprobe @@ -1,5 +1,13 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +#-:-:-:-:-:-:-::-:-:# +# XSRF Probe # +#-:-:-:-:-:-:-::-:-:# + +# Author: 0xInfection +# This module requires XSRFProbe +# https://github.com/0xInfection/XSRFProbe from xsrfprobe import xsrfprobe diff --git a/xsrfprobe/core/main.py b/xsrfprobe/core/main.py index aaefa23..7badc10 100644 --- a/xsrfprobe/core/main.py +++ b/xsrfprobe/core/main.py @@ -292,7 +292,7 @@ def Engine(): # lets begin it! GetLogger() # The scanning has interrupted, so now we can log out all the links ;) sys.exit(1) except Exception as e: + print('\n'+R+'Encountered an error. \n'+R+'Please view the error log files to view what went wrong.') verbout(R, e.__str__()) ErrorLogger(url, e) GetLogger() - sys.exit(1) diff --git a/xsrfprobe/core/options.py b/xsrfprobe/core/options.py index 3c2a7f2..c0ab389 100644 --- a/xsrfprobe/core/options.py +++ b/xsrfprobe/core/options.py @@ -67,7 +67,7 @@ # Print out XSRFProbe version if args.version: - print('\033[1;96m [+] \033[1;91mXSRFProbe Version\033[0m : '+__version__) + print('\033[1;96m [+] \033[1;91mXSRFProbe Version\033[0m : v'+__version__) print('\033[1;96m [+] \033[1;91mXSRFProbe License\033[0m : '+__license__+'\n') quit() @@ -111,7 +111,7 @@ # Assigning Cookie if ',' in args.cookie: for cook in args.cookie.split(','): - config.COOKIE_VALUE[cook.split('=')[0].strip()] = cook.strip('=')[1].strip() + config.COOKIE_VALUE[cook.split('=')[0].strip()] = cook.split('=')[1].strip() # This is necessary when a cookie value is supplied # Since if the user-agent used to make the request changes # from time to time, the remote site might trigger up diff --git a/xsrfprobe/files/VersionNum b/xsrfprobe/files/VersionNum index 7ec1d6d..7c32728 100644 --- a/xsrfprobe/files/VersionNum +++ b/xsrfprobe/files/VersionNum @@ -1 +1 @@ -2.1.0 +2.1.1 \ No newline at end of file diff --git a/xsrfprobe/files/config.py b/xsrfprobe/files/config.py index 7768b98..399f532 100644 --- a/xsrfprobe/files/config.py +++ b/xsrfprobe/files/config.py @@ -40,7 +40,7 @@ # NOTE: This is a precaution in case the cookie value is supplied, # if the user-agent gets changed from time to time, the remote # application might trigger up some protection agents -USER_AGENT = 'Mozilla/5.0 (Windows; U; Windows NT 10.0; en-US) AppleWebKit/604.1.38 (KHTML, like Gecko) Chrome/68.0.3325.162' +USER_AGENT = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36' # Cookie value to be sent alongwith the requests. This option is particularly # needed for a wholesome check on CSRFs. Since for a basic successful CSRF attack @@ -60,9 +60,10 @@ # Header values to be used (Modify it as per your need) HEADER_VALUES = { - 'Accept' : 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', - 'Accept-Language' : 'en-US,en;q=0.5', - 'Accept-Encoding' : 'gzip', + 'Accept' : 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3', + 'Accept-Language' : 'en-US,en;q=0.9', + 'Accept-Encoding' : 'gzip, deflate, br', + 'Sec-Fetch-Mode' : 'navigate', 'DNT' : '1', # Do Not Track Request Header :D 'Connection' : 'close' }