*However, there’s a tool in Python in utils folder that you can use to automate CSRF exploitation. *
This project allows you to perform PoC (Proof Of Concepts) really easily. Let’s see how to get/use it.
First, clone it :
$ git clone git@github.com:PaulSec/CSRFT.git
To make this project work, get the latest Node.js version here.
Go in the directory and install all the dependencies:
npm install
Then, launch the server.js :
$ node server.js
Usage will be displayed :
Usage : node server.js <file.json> <port : default 8080>
Based on the templates which are available, you can easily create
your own.
If you have any trouble creating it, feel free to contact me and I’ll
try to help you as much as I can but it shoudn’t be this complicated.
Steps to succeed :
1) Create your configuration file, see samples in conf/ folder
2) Add your .html files in the exploits/ folder with the different payloads if the CSRF is POST vulnerable
3) If you want to do Dictionnary attack, add your dictionnary file to the dicos/ folder,
4) Replace the value of the field you want to perform this attack with the token <%value%>
=> either in your urls if GET exploitation, or in the HTML files if POST exploitation.
5) Launch the application : node server.js conf/test.json
To do so, I developed a Python script csrft_utils.py in utils folder that will do this for you.
Here are some basic use cases :
*GET parameter with Dictionnary attack : *
$ python csrft_utils.py –url=”http://www.vulnerable.com/changePassword.php?newPassword=csvulnerableParameter” –param=newPassword –dico_file=”../dicos/passwords.txt”
*POST parameter with Special value attack : *
$ python csrft_utils.py –form=http://website.com/user.php –id=changePassword –param=password password=newPassword –special_value
Industrial Cybersecurity
September 28, 2023
Want always be up to date?
By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.
Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings
Have you heard about the term “test automation” but don’t really know what it is? Well, you’ve come to the right page! Get all your
This article explores the idea of discovering the victim’s location. Previously, we have used several tools for OSINT purposes, so, today let us try this
Can random characters in your code get you in trouble? They certainly can! Today, we are going to discuss CRLF injections and improper neutralization of
Want always be up to date?
By subscribing to our mailing list, you will be enrolled to receive our new trainings, latest blog posts, product news, and more.
Transform your cybersecurity skills with CIP Cyber’s comprehensive training & course offerings
