Script http-csrf
Script types: portrule
Categories: intrusive, exploit, vuln
Download: https://svn.nmap.org/nmap/scripts/http-csrf.nse
Script Summary
This script detects Cross Site Request Forgeries (CSRF) vulnerabilities.
It tries to detect them by checking whether each form contains a token that is unpredictable for each user. Without one, an attacker may forge malicious requests.
To recognize a token in a form, the script iterates through the form's attributes and searches for common patterns in their names. If that fails, it also calculates the entropy of each attribute's value; high entropy indicates a possible token.
A common use case for this script is to combine it with a cookie that gives access to pages requiring authentication, because that is where the privileged forms exist. See the http library's documentation to set your own cookie.
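The detection approach described above (match field names against common token patterns first, then fall back to the entropy of each field's value, which is what the http-csrf.checkentropy argument toggles), written out as an added Python example. This is not the NSE script's own Lua code: the name patterns, the entropy threshold and the minimum value length are assumptions chosen for the example, and the sample HTML is constructed.

```python
import math
import re
from html.parser import HTMLParser

# Substrings commonly found in anti-CSRF field names. Assumed list for this
# example; the NSE script maintains its own patterns.
TOKEN_NAME_PATTERN = re.compile(r"csrf|xsrf|token|nonce|authenticity", re.IGNORECASE)


def shannon_entropy(value):
    """Bits of entropy per character of `value` (0.0 for an empty string)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


class FormCollector(HTMLParser):
    """Collects every <form> and the (name, value) pairs of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {
                "id": a.get("id") or a.get("name", ""),
                "action": a.get("action", ""),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name", ""), a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def has_token(fields, check_entropy=True, min_length=12, min_entropy=3.0):
    """True if any field looks like a per-user token, by name or by value entropy.

    min_length and min_entropy are thresholds assumed for this example, not the
    script's own values.
    """
    for name, value in fields:
        if TOKEN_NAME_PATTERN.search(name):
            return True
        if check_entropy and len(value) >= min_length and shannon_entropy(value) >= min_entropy:
            return True
    return False


def find_unprotected_forms(html, path, check_entropy=True):
    """Return (path, form id, action) for each form with no recognisable token."""
    parser = FormCollector()
    parser.feed(html)
    return [(path, f["id"], f["action"]) for f in parser.forms
            if not has_token(f["fields"], check_entropy)]


# Constructed sample page: one unprotected form, one form with a conventionally
# named token, and one whose token sits under a non-descriptive name so only the
# entropy check can recognise it.
SAMPLE_HTML = """
<form id="search_bar_input" action="/search">
  <input name="q">
</form>
<form id="change_email" action="/account/email" method="post">
  <input type="hidden" name="csrf_token" value="d41d8cd98f00b204e9800998ecf8427e">
  <input name="email">
</form>
<form id="transfer" action="/transfer" method="post">
  <input type="hidden" name="s" value="f1Z9qT7xKpL2wRb8Nv0H">
  <input name="amount">
</form>
"""

if __name__ == "__main__":
    for path, form_id, action in find_unprotected_forms(SAMPLE_HTML, "http://www.example.com/"):
        print("Path: %s\n  Form id: %s\n  Form action: %s" % (path, form_id, action))
```

Run stand-alone, it reports only the search form, in the same Path / Form id / Form action layout the script output uses; with check_entropy=False the transfer form is reported too, because its token name does not match any pattern. As with the script's own findings, the list needs triage: a GET search form changes no state and is a false positive, whereas a POST form that performs an action without a per-user token is the finding worth fixing (a synchronizer token, or SameSite session cookies as a defence in depth).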
Script Arguments
- http-csrf.singlepages
The pages that contain the forms to check. For example, {/upload.php, /login.php}. Default: nil (crawler mode on)
- http-csrf.checkentropy
If this is set the script will also calculate the entropy of the field's value to determine if it is a token, rather than just checking its name. Default: true
- slaxml.debug
See the documentation for the slaxml library.
- httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost
See the documentation for the httpspider library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap -p80 --script http-csrf.nse <target>
Script Output
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=some-very-random-page.com
|   Found the following CSRF vulnerabilities:
|
|     Path: http://www.example.com/
|     Form id: search_bar_input
|     Form action: /search
|
|     Path: http://www.example.com/c/334/watches.html
|     Form id: custom_price_filters
|     Form action: /search
|
|     Path: http://www.example.com/c/334/watches.html
|     Form id: custom_price_filters
|_    Form action: /c/334/rologia-xeiros-watches.html
Requires
Author:
- George Chatzisofroniou
License: Same as Nmap -- See https://nmap.org/book/man-legal.html
