Home page logo

nmap-dev logo Nmap Development mailing list archives

[NSE] http-csrf.nse
From: George Chatzisofroniou <sophron () latthi com>
Date: Sat, 17 Aug 2013 01:57:01 +0300

The attached script detects Cross Site Request Forgeries (CSRF) vulnerabilities
that exist in HTML forms. A CSRF attack tricks the victim into loading a page
that contains a malicious request. You can read more about them here [1].

The most secure way to prevent them is by adding a user-specific token in all 
form submissions.  So, this script spiders through the website and looks for any 
special unpredictable tokens. It identifies them, using some patterns or also
by calculating the entropy of the value.

A common use case of this script would be along with a cookie that gives access
in an administration panel because that's where the priviledged actions exist.

For example,

./nmap -p80 -n -Pn --script http-csrf random-forum.com --script-args 'http.cookies = { randomcookiethatgivesadminaccess 
}, httpspider.url = /admin/' -d1 

The above command will search for CSRF vulnerabilities within the administration
panel of random-forum.com. This is where the most critical CSRF may exist, hence
unpredictable tokens are essential there. This would be done by an administrator
looking for vulnerabilities in their forum.

The output looks like this:

 80/tcp open  http    syn-ack
 | http-csrf: 
 | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=skroutz.gr
 |   Found the following CSRF vulnerabilities: 
 |     Path: http://www.some-very-random-page.com/
 |     Form id: search_bar_input
 |     Form action: /search
 |     Path: http://www.some-very-random-page.com/c/334/watches.html
 |     Form id: custom_price_filters
 |     Form action: /search
 |     Path: http://www.some-very-radom-page.com/c/334/watches.html
 |     Form id: custom_price_filters
 |_    Form action: /c/334/rologia-xeiros-watches.html

You may use the 'singlepages' option to limit the forms you want to check or the 
'checkentropy' option to enable entropy calculation of a value (this will
handle some false-positives but may bring others).

To test it make sure you are on the latest SVN trunk. I made a commit as
revision 31878 earlier that updates parse_form function to support double quotes
and return more attributes. This change is essential for http-csrf.

Also, make sure that you have included formulas.nse library in nselib. This is a
newly proposed library that is not currently commited to the trunk. See the
relevant thread [1].

[1]: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
[2]: http://seclists.org/nmap-dev/2013/q3/381

George Chatzisofroniou

Attachment: http-csrf.nse

Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]