A verification-driven CSRF exploitation assistant for VAPT teams
Project description
Sentinel-CSRF
███████╗███████╗███╗ ██╗████████╗██╗███╗ ██╗███████╗██╗
██╔════╝██╔════╝████╗ ██║╚══██╔══╝██║████╗ ██║██╔════╝██║
███████╗█████╗ ██╔██╗ ██║ ██║ ██║██╔██╗ ██║█████╗ ██║
╚════██║██╔══╝ ██║╚██╗██║ ██║ ██║██║╚██╗██║██╔══╝ ██║
███████║███████╗██║ ╚████║ ██║ ██║██║ ╚████║███████╗███████╗
╚══════╝╚══════╝╚═╝ ╚═══╝ ╚═╝ ╚═╝╚═╝ ╚═══╝╚══════╝╚══════╝
CSRF Exploit Verification Tool | Author: N15H
A verification-driven CSRF exploitation assistant for VAPT teams and bug bounty hunters. Reports only what it can prove exploitable.
📦 Installation
pip install sentinel-csrf
Or with pipx:
pipx install sentinel-csrf
🚀 Quick Start
Scan for CSRF
# Paste request & cookies directly (Ctrl+D to end each)
sentinel-csrf scan -R -C
# Or use files
sentinel-csrf scan -r request.txt -c cookies.txt
Generate PoC
sentinel-csrf poc generate -R -o poc.html
Reuse Last Scan
sentinel-csrf scan -L
📖 Command Reference
scan - CSRF Scanner
| Short | Long | Description |
|---|---|---|
-R |
--request-stdin |
Read request from STDIN |
-C |
--cookies-stdin |
Read cookies from STDIN |
-L |
--reuse-last |
Reuse cached inputs |
-r |
--request FILE |
Request file path |
-c |
--cookies FILE |
Cookies file path |
-o |
--output-dir DIR |
Output directory |
Examples:
sentinel-csrf scan -R -C # Paste both
sentinel-csrf scan -r req.txt -C # File + STDIN
sentinel-csrf scan -L # Reuse last
poc generate - Create Exploit HTML
| Short | Long | Description |
|---|---|---|
-R |
--request-stdin |
Read request from STDIN |
-r |
--request FILE |
Request file path |
-o |
--output FILE |
Output HTML file |
-v |
--vector |
Attack vector |
Attack Vectors:
| Vector | Use Case |
|---|---|
form_post |
POST requests (default) |
form_get |
GET via form |
img_tag |
Silent GET via image |
iframe |
Hidden iframe |
fetch |
JavaScript fetch |
Examples:
sentinel-csrf poc generate -R -o poc.html
sentinel-csrf poc generate -R -o poc.html -v img_tag
sentinel-csrf poc generate -r req.txt -o poc.html -v iframe
poc serve - Local Test Server
sentinel-csrf poc serve -d ./pocs -p 8080
import - Format Conversion
# Burp XML to raw requests
sentinel-csrf import burp -i export.xml -o ./requests/
# Cookie string to Netscape format
sentinel-csrf import cookies -i "session=abc" -d example.com -o cookies.txt
🔍 CSRF Types Detected
| Type | Detection |
|---|---|
| Form-based POST | ✅ |
| GET-based | ✅ |
| Login CSRF | ✅ |
| JSON API | ⚠️ Partial |
🛡️ Trusted Framework Tokens
Automatically recognized as protected:
sesskey(Moodle)authenticity_token(Rails)csrfmiddlewaretoken(Django)__RequestVerificationToken(ASP.NET)_token(Laravel)
🔗 Links
- PyPI: https://pypi.org/project/sentinel-csrf/
- GitHub: https://github.com/NI54NTH/sentinel-csrf
- Author: N15H
📄 License
MIT License
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
sentinel_csrf-1.0.8.tar.gz
(44.4 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sentinel_csrf-1.0.8.tar.gz.
File metadata
- Download URL: sentinel_csrf-1.0.8.tar.gz
- Upload date:
- Size: 44.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6e0e7390eae178076c8c420847f676aaac2746f52997ad2b4ef309181a50e92a
|
|
| MD5 |
e96f09557f3b4b4a059e46901db51a0c
|
|
| BLAKE2b-256 |
0906422d9c04949c0e69e1547dac182ded0f0e265eb62e0f67aad8d96a46c2c1
|
File details
Details for the file sentinel_csrf-1.0.8-py3-none-any.whl.
File metadata
- Download URL: sentinel_csrf-1.0.8-py3-none-any.whl
- Upload date:
- Size: 46.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f78a0da4bd4eb0a0a9baac7246ac5e9490b0f23af86bdc396c16b2816c9d9a87
|
|
| MD5 |
603cf70e2339232fe8e9fe7800187224
|
|
| BLAKE2b-256 |
2048049b6ec06a0a6cae2e1b36f639f89eb273e67b11c68d090c61c27d92bba8
|
