Create twitterxsrf.py

debasishm89 · Sep 26, 2013 · 7591f44 · 7591f44
1 parent ed2de10
commit 7591f44
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/modules/twitterxsrf.py b/modules/twitterxsrf.py
@@ -0,0 +1,26 @@
+from rawweb import *
+def main(raw_stream,ssl):
+	'''
+	This Burpy module is specially written to find CSRF vulnerability in Twitter Application.
+	It has already found few minor and one major CSRF vulnerability in Twitter.
+	It simply checks whether CSRF token validation is present in Server Side or not by removing token from request and replaying it.
+	Twitter application always shows a generic error message for CSRF error which is "Your account may not be allowed to perform this action."
+	If this error is not present in response after removing the token it returns +ve.
+	'''
+	title = [
+		 "Possible XSRF",		#Please don't add <script>/ html tags here and report XSS :P
+		"CSRF Token Removed from Request"
+		]
+	csrf_error = "Your account may not be allowed to perform this action."	# 
+	raw = RawWeb(raw_stream)
+	if "authenticity_token" in raw_stream:		# Check if request contains any CSRF token or not
+		raw.removeparameter("authenticity_token")	# Use rawweb api to remove the parameter from request
+	else:
+		return "FALSE"			#CSRF token not present in request
+	result = raw.fire(ssl)
+	if csrf_error in result[3]:		# If the CSRF error presnt in response body, Everythng is fine, return false
+		# validation there
+		return "FALSE"
+	else:
+		# If false only send False
+		return title,final,result[0],result[1],result[2],result[3]	# Else return the crafted request