CSRFT – Cross Site Request Forgeries (Exploitation) Toolkit

This project has been developed to exploit CSRF Web vulnerabilities
and provide you a quick and easy exploitation toolkit.
In few words, this is a simple HTTP Server in NodeJS that will
communicate with the clients (victims) and send them payload that will
be executed using JavaScript.
This has been developed entirely in NodeJS, and configuration files are in JSON format.

*However, there’s a tool in Python in utils folder that you can use to automate CSRF exploitation. *

This project allows you to perform PoC (Proof Of Concepts) really easily. Let’s see how to get/use it.

How to get/use the tool

First, clone it :

$ git clone [email protected]:PaulSec/CSRFT.git

To make this project work, get the latest Node.js version here.
Go in the directory and install all the dependencies: 
npm install

Then, launch the server.js :

$ node server.js

Usage will be displayed :

Usage : node server.js <file.json> <port : default 8080> 


A) I want to write my specific JSON configuration file and launch it by hand

Based on the templates which are available, you can easily create
your own.
If you have any trouble creating it, feel free to contact me and I’ll
try to help you as much as I can but it shoudn’t be this complicated.

Steps to succeed :

1) Create your configuration file, see samples in conf/ folder
2) Add your .html files in the exploits/ folder with the different payloads if the CSRF is POST vulnerable
3) If you want to do Dictionnary attack, add your dictionnary file to the dicos/ folder,
4) Replace the value of the field you want to perform this attack with the token <%value%>
=> either in your urls if GET exploitation, or in the HTML files if POST exploitation.
5) Launch the application : node server.js conf/test.json

B) I want to automate attacks really easily

To do so, I developed a Python script csrft_utils.py in utils folder that will do this for you.

Here are some basic use cases :

*GET parameter with Dictionnary attack : *
$ python csrft_utils.py –url=”http://www.vulnerable.com/changePassword.php?newPassword=csvulnerableParameter” –param=newPassword –dico_file=”../dicos/passwords.txt” 

*POST parameter with Special value attack : *

$ python csrft_utils.py –form=http://website.com/user.php –id=changePassword –param=password password=newPassword –special_value 

Download and Read more

Ehacking Staff
With more than 50 global partners, we are proud to count the world’s leading cybersecurity training provider. EH Academy is the brainchild of Ehacking, which has been involved in the field of training since the past Five years and continues to help in creating professional IT experts.

Most Popular

What Makes ICS/OT Infrastructure Vulnerable?

Infrastructure security for operational technologies (OT) and industrial control systems (ICS) varies from IT security in several ways, with the inverse confidentiality, integrity, and...

Everything You Must Know About IT/OT Convergence

What is an Operational Technology (OT)? Operational technology (OT) is a technology that primarily monitors and controls physical operations. It can automate and control machines,...

Understand the OT Security and Its Importance

This article discusses OT security and why it is essential for protecting industrial systems from cyberattacks. We will also discuss common control objectives that can...

What is Deepfake, and how does it Affect Cybersecurity?

Producing deepfake is easy. It is hard to detect. They operate with a description of reality rather than reality itself (e.g., a video). Any...