Search the Community

LazyCSRF LazyCSRF is a more useful CSRF PoC generator that runs on Burp Suite. Motivation Burp Suite is an intercepting HTTP Proxy, and it is the defacto tool for performing web application security testing. The feature of Burp Suite that I like the most is Generate CSRF PoC. However, it does not support JSON parameters. It also uses the <form>, so it cannot send PUT/DELETE requests. In addition, multibyte characters that can be displayed in Burp Suite itself are often garbled in the generated CSRF PoC. Those were the motivations for creating LazyCSRF. Features Support JSON parameter (like a request to the API) Support PUT/DELETE (only work with CORS enabled with an unrestrictive policy) Support displaying multibyte characters (like Japanese) Generating CSRF PoC with Burp Suite Community Edition (of course, it also works in Professional Edition) The difference in the display of multibyte characters The following image shows the difference in the display of multibyte characters between Burp’s CSRF PoC generator and LazyCSRF. LazyCSRF can generate PoC for CSRF without garbling multibyte characters. This is only the case if the characters are not garbled on Burp Suite. [hide][Hidden Content]]

OWASP Nettacker project is created to automate information gathering, vulnerability scanning, and eventually generating a report for networks, including services, bugs, vulnerabilities, misconfigurations, and other information. This software will utilize TCP SYN, ACK, ICMP, and many other protocols in order to detect and bypass Firewall/IDS/IPS devices. By leveraging a unique method in OWASP Nettacker for discovering protected services and devices such as SCADA. It would make a competitive edge compared to other scanners making it one of the bests. Changelog v0.0.2 Many bugs fixed in this release and we are aiming to stop supporting Python 2.7 after this release and restructure our framework to be faster and better. [hide][Hidden Content]]

A fast tool to fetch URLs from HTML attributes by crawl-in. Inspired by the @omespino Tweet, which is possible to extract src, href, URL, and action values by evaluating JavaScript through the Chrome DevTools Protocol. [hide][Hidden Content]]