Script http-csrf
Script types:
portrule
Categories:
intrusive, exploit, vuln
Download: https://svn.nmap.org/nmap/scripts/http-csrf.nse
Script Summary
This script detects Cross-Site Request Forgery (CSRF) vulnerabilities.
It tries to detect them by checking whether each form contains a token that is unpredictable and unique to each user. Without one, an attacker may forge malicious requests.
To recognize a token in a form, the script iterates through the form's attributes and searches for common patterns in their names. If that fails, it also calculates the entropy of each attribute's value; a high entropy suggests a possible token.
A common use case for this script is to run it with a cookie that grants access to pages that require authentication, because that is where the privileged actions exist. See the http library's documentation to set your own cookie.
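The two-stage heuristic described above, as an added Python illustration that is not the script's own Lua code: each form field is first matched against an assumed list of common token-name patterns, and otherwise the Shannon entropy of its value is compared against an assumed threshold; the sample HTML is constructed for the example.

```python
import math
import re
from html.parser import HTMLParser

# Assumed list of common anti-CSRF field-name patterns (not the script's own table).
TOKEN_NAME_RE = re.compile(r"csrf|xsrf|token|nonce|authenticity", re.I)
# Assumed Shannon-entropy threshold, in bits per character, above which a value looks like a token.
ENTROPY_THRESHOLD = 3.5

def shannon_entropy(value):
    """Shannon entropy of `value` in bits per character (0.0 for an empty string)."""
    probs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in probs)

class FormCollector(HTMLParser):
    """Collects every <form> with its id, action and the (name, value) of each <input>."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"id": a.get("id", ""), "action": a.get("action", ""), "inputs": []}
        elif tag == "input" and self._cur is not None:
            self._cur["inputs"].append((a.get("name", ""), a.get("value", "")))
    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def has_csrf_token(form, check_entropy=True):
    """Stage 1: a field whose name matches a known pattern. Stage 2: a high-entropy value."""
    return any(TOKEN_NAME_RE.search(name) or
               (check_entropy and shannon_entropy(value) >= ENTROPY_THRESHOLD)
               for name, value in form["inputs"])

def find_csrf_candidates(html, check_entropy=True):
    """Return (form id, action) for each form that carries no recognisable token."""
    parser = FormCollector()
    parser.feed(html)
    return [(f["id"], f["action"]) for f in parser.forms if not has_csrf_token(f, check_entropy)]

# Constructed sample page: a named token, an unnamed but random-looking token, and no token.
SAMPLE_HTML = """
<form id="login" action="/login"><input type="hidden" name="csrf_token" value="abc">
  <input name="user"><input type="password" name="pass"></form>
<form id="transfer" action="/transfer"><input type="hidden" name="state" value="q8Zk2pL0vX3nR7tW1bY">
  <input name="amount"></form>
<form id="search_bar_input" action="/search"><input name="q" value="watches"></form>
"""
```

Calling find_csrf_candidates(SAMPLE_HTML) flags only the search form; with check_entropy=False the transfer form is flagged too, since its token field has no recognisable name, which is the trade-off the checkentropy argument controls.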
Script Arguments
- http-csrf.singlepages
The pages that contain the forms to check. For example, {/upload.php, /login.php}. Default: nil (crawler mode on)
- http-csrf.checkentropy
If this is set, the script will also calculate the entropy of each field's value to determine whether it is a token, rather than only checking its name. Default: true
- slaxml.debug
See the documentation for the slaxml library.
- httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost
See the documentation for the httpspider library.
- http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap -p80 --script http-csrf.nse <target>
Script Output
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=some-very-random-page.com
|   Found the following CSRF vulnerabilities:
|
|     Path: http://www.example.com/
|     Form id: search_bar_input
|     Form action: /search
|
|     Path: http://www.example.com/c/334/watches.html
|     Form id: custom_price_filters
|     Form action: /search
|
|     Path: http://www.example.com/c/334/watches.html
|     Form id: custom_price_filters
|_    Form action: /c/334/rologia-xeiros-watches.html
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html