Hey guys, I wrote a small Python script that lets you brute-force CSRF-protected login forms. Feel free to give it a try, would appreciate it if you do. Do let me know your feedback. Demo videos included in the README.md file. Thanks.
(Why would there be CSRF protection on the login form, you might ask. Well, recently I encountered an issue while performing a security assessment of a web app. There was a hidden random token in the login POST request that changed every time, but apparently its purpose was not to mitigate CSRF but to stop password brute-forcing automation. It was their workaround for not having a temporary account lockout / CAPTCHA.)
Very nice readme on the GitHub page by the way. Clean and informative.
So basically you use a headless browser to simulate the user ‘really’ visiting the page, right?
Yup, that’s the idea. That way, any additional random tokens that might get generated upon visiting the login page (anti-CSRF token, browser window identifier, timestamp, etc.) will automatically be passed along in the subsequent login POST request. And the password brute-forcing automation can be accomplished.
P.S. Thanks for the kind words.
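The temporary account lockout the thread says the application lacked, as an added example (not code from the posted tool): a per-account sliding-window failure throttle, replayed over a constructed login log. The class, function names and the log format are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class LoginThrottle:
    """Temporary account lockout after max_failures failed attempts in a sliding window.
    Keyed by account, not source IP: a headless-browser client sends valid tokens."""
    def __init__(self, max_failures=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=15)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = defaultdict(deque)  # account -> failure timestamps
        self._locked_until = {}              # account -> lock expiry
    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until
    def record(self, account, success, now):
        """Record one attempt; return True if the account is locked afterwards."""
        if self.is_locked(account, now):
            return True  # attempts during lockout are rejected, not counted
        q = self._failures[account]
        if success:
            q.clear()
            return False
        q.append(now)
        while now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            q.clear()
            return True
        return False
# Constructed sample log: "<ISO timestamp> <account> <OK|FAIL>", one attempt per line.
SAMPLE_LOG = """\
2024-01-01T10:00:00 alice FAIL
2024-01-01T10:00:02 alice FAIL
2024-01-01T10:00:04 alice FAIL
2024-01-01T10:00:06 alice FAIL
2024-01-01T10:00:08 alice FAIL
2024-01-01T10:00:10 bob FAIL
2024-01-01T10:00:12 bob OK
"""
def replay(log_text, throttle=None):
    """Replay attempts through the throttle; return the accounts that got locked."""
    throttle = throttle or LoginThrottle()
    locked = set()
    for line in log_text.splitlines():
        ts, account, result = line.split()
        if throttle.record(account, result == "OK", datetime.fromisoformat(ts)):
            locked.add(account)
    return sorted(locked)
```

Because the tool submits genuine tokens, nothing in a single request distinguishes it from a real browser; only the rate of failures per account does, which is what this throttle keys on.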
Clever thinking man. Clear vision and clean code. Love it!