Tool to brute-force CSRF-protected login forms

Hey guys, I wrote a small Python script that lets you brute-force CSRF-protected login forms. Feel free to give it a try, would appreciate it if you do. Do let me know your feedback. Demo videos included in the README.md file. Thanks.

(Why would there be CSRF protection on the login form, you might ask. Well, recently I encountered an issue while performing a security assessment of a web app. There was a hidden random token in the login POST request that changed every time, but apparently its purpose was not to mitigate CSRF but to stop password brute-forcing automation. It was their workaround for not having a temporary account lockout / CAPTCHA.)

Good work bro, I will try it. Thanks.

@ixxelles said:

Good work bro, I will try it. Thanks.

Thanks, bro. Appreciate it. :smile:

Very nice readme on the GitHub page by the way. Clean and informative.
So basically you use a headless browser to simulate the user ‘really’ visiting the page, right?

@gnothiseauton said:

Very nice readme on the GitHub page by the way. Clean and informative.
So basically you use a headless browser to simulate the user ‘really’ visiting the page, right?

Yup, that’s the idea. That way, any additional random tokens that might get generated upon visiting the login page (anti-CSRF token, browser window identifier, timestamp, etc.) will automatically be passed along in the subsequent login POST request. And the password brute-forcing automation can be accomplished.

P.S. Thanks for the kind words. :smile:

(Quote)
Yup, that’s the idea. That way, any additional random tokens that might get generated upon visiting the login page (anti-CSRF token, browser window identifier, timestamp, etc.) will automatically be passed along in the subsequent login POST request. And the password brute-forcing automation can be accomplished.

P.S. Thanks for the kind words. :smile:

Clever thinking man. Clear vision and clean code. Love it!

@gnothiseauton said:

Clever thinking man. Clear vision and clean code. Love it!

Thank you :smiley:
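
The point raised in the first post, that a rotating hidden token is no substitute for temporary account lockout, seen from the server side. This is an added example, not part of the thread or of the tool's code; `LoginGuard`, the thresholds and the sample account are assumptions made for illustration.

```python
import secrets
import time

# Hypothetical names throughout; the thresholds are illustrative, not recommendations.
MAX_FAILURES = 5          # failed attempts allowed per account within the window
LOCKOUT_SECONDS = 300     # length of the temporary lockout window


class LoginGuard:
    """Single-use form token plus per-account temporary lockout."""

    def __init__(self, users, clock=time.monotonic):
        self.users = users        # username -> password (plaintext only for this demo)
        self.clock = clock
        self.tokens = set()       # issued, not yet used form tokens
        self.failures = {}        # username -> (failure count, time of first failure)

    def issue_token(self):
        # Served with every GET of the login page, so any client can obtain one.
        token = secrets.token_urlsafe(16)
        self.tokens.add(token)
        return token

    def login(self, username, password, token):
        if token not in self.tokens:
            return "bad_token"
        self.tokens.discard(token)            # tokens are single use
        now = self.clock()
        count, since = self.failures.get(username, (0, now))
        if now - since >= LOCKOUT_SECONDS:
            count, since = 0, now             # window expired, start over
        if count >= MAX_FAILURES:
            return "locked"                   # decided before the password is compared
        expected = self.users.get(username, "")
        if expected and secrets.compare_digest(password.encode(), expected.encode()):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = (count + 1, since)
        return "denied"


def attempts_with_fresh_tokens(guard, username, guesses):
    """Model a client that loads the login page before every attempt."""
    return [guard.login(username, g, guard.issue_token()) for g in guesses]
```

Every attempt in `attempts_with_fresh_tokens` carries a valid token, so the token check never rejects it; only the per-account failure counter changes the outcome.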