
Advanced Usage

Infected Drake edited this page Nov 17, 2018 · 18 revisions

XSRFProbe is a toolkit intended to be highly flexible and customisable. Everything the scanner does can be controlled via the config.py configuration file.

Understanding the Workflow

XSRFProbe has various checks for detecting whether an endpoint is vulnerable to CSRF attacks.

Types of Checks:

The following are the checks XSRFProbe executes before declaring an endpoint vulnerable.

  • Origin Based Checks - Checks whether the site validates cross-origin requests.
  • Referer Based Checks - Checks whether the site validates requests based on the Referer header.
  • Anti-CSRF Token Detection - Checks whether the site validates requests with Anti-CSRF tokens. XSRFProbe has a list of token names against which it compares every parameter of all requests (both GET and POST; POST parameters take precedence over GET parameters).
  • Token Strength Calculation - If an Anti-CSRF token is discovered, XSRFProbe next performs a basic strength check on it. By default the minimum token length is set to 5 bytes and the maximum to 256 bytes.
  • Token Randomness Calculation - XSRFProbe then checks the token's randomness by calculating its Shannon entropy. As a base standard, an entropy above 2.4 is considered strong and unforgeable; an entropy below 2.4 means the token is not random enough and could be forged by guessing or brute-forcing.
  • Cookie Persistence - XSRFProbe also has checks for testing cookie validation and persistence. This is a crucial step: XSRFProbe can detect a persistent cookie by observing how the Set-Cookie header varies under different user-agents.

This module will work only if you supply a cookie with the -c/--cookie argument.
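The token detection, length and entropy steps above can be illustrated with a small worked example. The code below is added here and is not XSRFProbe's own implementation: it uses the page's default limits (5 to 256 bytes, entropy threshold 2.4), a constructed sample list of common token parameter names (not XSRFProbe's list), and function names (`find_anti_csrf_token`, `assess_token`) that are assumptions for the sake of the example.

```python
import math
from collections import Counter

# Defaults as described on the wiki page.
MIN_TOKEN_LENGTH = 5
MAX_TOKEN_LENGTH = 256
MIN_ENTROPY = 2.4

# Constructed sample of parameter names commonly used for Anti-CSRF tokens.
# This is NOT XSRFProbe's list; it only illustrates the name-matching step.
TOKEN_NAMES = ("csrf_token", "csrfmiddlewaretoken", "authenticity_token",
               "_token", "xsrf_token")


def find_anti_csrf_token(get_params: dict, post_params: dict):
    """Scan request parameters for an Anti-CSRF token by name.

    POST parameters are scanned first so they take precedence over GET,
    matching the precedence described on the page. Matching is
    case-insensitive. Returns (source, name, value) or None.
    """
    for source, params in (("POST", post_params), ("GET", get_params)):
        for name, value in params.items():
            if name.lower() in TOKEN_NAMES:
                return source, name, value
    return None


def shannon_entropy(token: str) -> float:
    """Shannon entropy in bits per character over the token's symbols."""
    if not token:
        return 0.0
    counts = Counter(token)
    length = len(token)
    return -sum((c / length) * math.log2(c / length) for c in counts.values())


def assess_token(token: str) -> dict:
    """Apply the length check and the entropy check to a discovered token."""
    entropy = shannon_entropy(token)
    length_ok = MIN_TOKEN_LENGTH <= len(token) <= MAX_TOKEN_LENGTH
    random_ok = entropy > MIN_ENTROPY  # "above 2.4 is considered strong"
    return {
        "length": len(token),
        "entropy": round(entropy, 3),
        "length_ok": length_ok,
        "random_ok": random_ok,
        "strong": length_ok and random_ok,
    }


if __name__ == "__main__":
    # Constructed sample request: a token appears in both GET and POST.
    get_params = {"page": "2", "csrf_token": "abcd"}
    post_params = {"username": "alice", "_token": "0123456789abcdef"}
    found = find_anti_csrf_token(get_params, post_params)
    print("found:", found)  # POST wins over GET
    if found:
        print("assessment:", assess_token(found[2]))
    # A repeated-character token has zero entropy and fails the randomness check.
    print("weak:", assess_token("aaaaaaaa"))
```

The entropy here is measured per character of the token string, which is what makes "aaaaaaaa" score 0 and a token drawing evenly from 16 hex symbols score 4.0; a token can pass the length check and still fail the randomness check, and vice versa, so both results are reported separately.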

NOTE:

For a successful CSRF attack, an attacker has to get access to the victim's cookies or has to trick the user into clicking something that executes the CSRF attack. However, this is only possible when the site provides long-term session cookies.
