Script http-csrf
Script types: portrule
Categories: intrusive, exploit, vuln
  
Download: https://svn.nmap.org/nmap/scripts/http-csrf.nse
Script Summary
This script detects Cross-Site Request Forgery (CSRF) vulnerabilities.
It tries to detect them by checking whether each form contains an unpredictable token that is unique to each user. Without one, an attacker may forge malicious requests.
To recognize a token in a form, the script iterates through the form's attributes and searches for common patterns in their names. If that fails, it also calculates the entropy of each attribute's value. High entropy indicates a possible token.
A common use case for this script is to supply a cookie that gives access to pages that require authentication, because that is where the privileged operations are. See the http library's documentation to set your own cookie.
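The token-recognition heuristic described above (name patterns first, value entropy as a fallback), written as an added Python example for auditing your own pages; it is not the code of http-csrf.nse. The name patterns, the entropy threshold, the minimum value length and the sample HTML are all assumptions chosen for illustration.

```python
import math
import re
from collections import Counter
from html.parser import HTMLParser

# Assumed values for illustration; not taken from http-csrf.nse.
TOKEN_NAME_RE = re.compile(r"csrf|xsrf|token|nonce|authenticity", re.I)
ENTROPY_THRESHOLD = 3.5  # bits per character
MIN_VALUE_LEN = 16       # shorter values are not treated as candidate tokens

def shannon_entropy(value):
    """Shannon entropy of a string, in bits per character."""
    total = len(value)
    return -sum(n / total * math.log2(n / total) for n in Counter(value).values())

class FormCollector(HTMLParser):
    """Collects every <form> with the (name, value) pairs of its <input> fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"id": a.get("id"), "action": a.get("action"), "fields": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["fields"].append((a.get("name") or "", a.get("value") or ""))
    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def has_token(form, check_entropy=True):
    # A field counts as a token if its name matches, or (optionally) its value looks random.
    for name, value in form["fields"]:
        high = len(value) >= MIN_VALUE_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD
        if TOKEN_NAME_RE.search(name) or (check_entropy and high):
            return True
    return False

def forms_without_token(html, check_entropy=True):
    """Return (form id, form action) for each form that has no token-like field."""
    parser = FormCollector()
    parser.feed(html)
    return [(f["id"], f["action"]) for f in parser.forms if not has_token(f, check_entropy)]

# Constructed sample page: no token, token found by name, token found only by entropy.
SAMPLE = """<form id="search_bar_input" action="/search"><input name="q" value=""></form>
<form id="profile" action="/profile"><input name="csrf_token" value="x"></form>
<form id="transfer" action="/transfer"><input name="k" value="9f3a7c1e5b2d8406af17c3e9d05b6a24"></form>"""
```

With the entropy check disabled, the `transfer` form is also reported, because its token field has a name that matches no pattern. The heuristic only shows that a token-like field is present; whether the server actually validates it has to be confirmed separately.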
Script Arguments
- http-csrf.singlepages
  - The pages that contain the forms to check. For example, {/upload.php, /login.php}. Default: nil (crawler mode on)
- http-csrf.checkentropy
  - If this is set the script will also calculate the entropy of the field's value to determine if it is a token, rather than just checking its name. Default: true
- slaxml.debug
  - See the documentation for the slaxml library.
- httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost
  - See the documentation for the httpspider library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
  - See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
  - See the documentation for the smbauth library.
Example Usage
nmap -p80 --script http-csrf.nse <target>
Script Output
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=some-very-random-page.com
|   Found the following CSRF vulnerabilities:
|
|     Path: http://www.example.com/
|     Form id: search_bar_input
|     Form action: /search
|
|     Path: http://www.example.com/c/334/watches.html
|     Form id: custom_price_filters
|     Form action: /search
|
|     Path: http://www.example.com/c/334/watches.html
|     Form id: custom_price_filters
|_    Form action: /c/334/rologia-xeiros-watches.html
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html
