Home

Welcome to the XSRFProbe Wiki!

Lets get started with the documentation!

Getting Started

• Compatibility
  • Python Versions
  • Operating Systems
  • Colors
  • Dependencies
• Installation

Using XSRFProbe

• General Usage
  • XSRFProbe Arguments List
  • Testing a Single Endpoint
  • Crawling the Site
  • Adding Cookies for Requests
  • Using Custom User-Agent
  • HTTP Request Timeout
  • HTTP Request Delay
  • Using Custom HTTP Headers
  • Using Random User-Agents
  • Form Field Character Generation
  • Excluding Out of Scope Directories
  • Controlling Verbosity
  • Skipping PoC Generation
  • Skipping Post-Scan Analysis
  • Specifying Output Directory
  • Updating XSRFProbe
  • XSRFProbe Version
• Advanced Usage
  • Environment Configuration Variables

Some Common FAQs

• Why should I supply cookies?
• Why is using random-user-agents not recommended?
• What if I want my own custom headers while making requests?
• What is the buzz about form field generation?
• I have some directories which I don't want to scan, is it possible?
• During scanning I received a HTTPError, what happened?
• I am getting VULNERABLE in various endpoints, but they're not. Why?

XSRFProbe Internals

• The Generalised Workflow
  • Types of Checks
    • Origin Based Forgery Checks
    • Referer Based Forgery Checks
    • Anti-CSRF Token Detection
    • Token Strength Calculation
    • Token Randomness Calculation
    • Token Encoding Detection
    • Cookie Persistence
    • Cookie Flag Checks
    • POST-Based Request Forgery Checks
    • Request Tampering and Forging
    • Post-Scan Analysis

Contributing

• Contributing to XSRFProbe
  • Conditions
  • New Pull Requests
  • Coding Style Tips

Reporting Bugs

• Before Submission
• How to Submit
  • Avoiding Duplicates
  • Full Description
  • Runtime Environment
  • Reproduction Steps
  • Potential Cause/Fix