A verification-driven CSRF exploitation assistant for VAPT teams
Sentinel-CSRF
CSRF Exploit Verification Tool | Author: N15H
A verification-driven CSRF exploitation assistant for VAPT teams and bug bounty hunters. Reports only what it can prove exploitable.
📦 Installation
pip install sentinel-csrf
Or with pipx:
pipx install sentinel-csrf
🚀 Quick Start
Scan for CSRF
# Paste request & cookies directly (Ctrl+D to end each)
sentinel-csrf scan -R -C
# Or use files
sentinel-csrf scan -r request.txt -c cookies.txt
Generate PoC
sentinel-csrf poc generate -R -o poc.html
Reuse Last Scan
sentinel-csrf scan -L
📖 Command Reference
scan - CSRF Scanner
| Short | Long | Description |
|---|---|---|
| `-R` | `--request-stdin` | Read request from STDIN |
| `-C` | `--cookies-stdin` | Read cookies from STDIN |
| `-L` | `--reuse-last` | Reuse cached inputs |
| `-r` | `--request FILE` | Request file path |
| `-c` | `--cookies FILE` | Cookies file path |
| `-o` | `--output-dir DIR` | Output directory |
Examples:
sentinel-csrf scan -R -C # Paste both
sentinel-csrf scan -r req.txt -C # File + STDIN
sentinel-csrf scan -L # Reuse last
poc generate - Create Exploit HTML
| Short | Long | Description |
|---|---|---|
| `-R` | `--request-stdin` | Read request from STDIN |
| `-r` | `--request FILE` | Request file path |
| `-o` | `--output FILE` | Output HTML file |
| `-v` | `--vector` | Attack vector |
Attack Vectors:
| Vector | Use Case |
|---|---|
| `form_post` | POST requests (default) |
| `form_get` | GET via form |
| `img_tag` | Silent GET via image |
| `iframe` | Hidden iframe |
| `fetch` | JavaScript fetch |
Examples:
sentinel-csrf poc generate -R -o poc.html
sentinel-csrf poc generate -R -o poc.html -v img_tag
sentinel-csrf poc generate -r req.txt -o poc.html -v iframe
poc serve - Local Test Server
sentinel-csrf poc serve -d ./pocs -p 8080
import - Format Conversion
# Burp XML to raw requests
sentinel-csrf import burp -i export.xml -o ./requests/
# Cookie string to Netscape format
sentinel-csrf import cookies -i "session=abc" -d example.com -o cookies.txt
🔍 CSRF Types Detected
| Type | Detection |
|---|---|
| Form-based POST | ✅ |
| GET-based | ✅ |
| Login CSRF | ✅ |
| JSON API | ⚠️ Partial |
🛡️ Trusted Framework Tokens
Automatically recognized as protected:
- `sesskey` (Moodle)
- `authenticity_token` (Rails)
- `csrfmiddlewaretoken` (Django)
- `__RequestVerificationToken` (ASP.NET)
- `_token` (Laravel)
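A defender-side sketch of the check this section describes, added here as an example and not taken from Sentinel-CSRF's source: it parses a raw request like the `request.txt` input and reports whether a non-empty token with one of the names above is present. The function names, the sample requests and the choice to look in the query string, form body and top-level JSON keys are assumptions.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Token parameter names listed on this page, mapped to their frameworks.
FRAMEWORK_TOKENS = {
    "sesskey": "Moodle",
    "authenticity_token": "Rails",
    "csrfmiddlewaretoken": "Django",
    "__RequestVerificationToken": "ASP.NET",
    "_token": "Laravel",
}

def request_params(raw):
    """Collect parameters from the query string and a form or JSON body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    target = parts[1] if len(parts) > 1 else ""
    ctype = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            ctype = value.strip().lower()
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    if "application/x-www-form-urlencoded" in ctype:
        params.update(parse_qsl(body.strip(), keep_blank_values=True))
    elif "application/json" in ctype:
        try:
            data = json.loads(body)
        except ValueError:
            data = None  # unparseable body: no parameters recovered from it
        if isinstance(data, dict):
            params.update(data)
    return params

def find_framework_token(raw):
    """Return (param, framework) for the first non-empty known token, else None."""
    params = request_params(raw)
    for name, framework in FRAMEWORK_TOKENS.items():
        if params.get(name):  # an empty or null token counts as absent
            return name, framework
    return None

# Constructed sample requests (hypothetical host and values, not captured traffic).
_HEAD = "POST /account/email HTTP/1.1\r\nHost: app.example.test\r\nContent-Type: "
NO_TOKEN = _HEAD + "application/x-www-form-urlencoded\r\n\r\nemail=a%40example.test"
WITH_TOKEN = NO_TOKEN + "&csrfmiddlewaretoken=constructed-value"
EMPTY_TOKEN = NO_TOKEN + "&_token="
JSON_TOKEN = _HEAD + 'application/json\r\n\r\n{"authenticity_token": "constructed-value"}'
```

A token name appearing in a request does not show that the server validates it, so a match here is a reason to confirm validation server-side rather than proof of protection.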
🔗 Links
- PyPI: https://pypi.org/project/sentinel-csrf/
- GitHub: https://github.com/NI54NTH/sentinel-csrf
- Author: N15H
📄 License
MIT License
File details
Details for the file sentinel_csrf-1.0.7.tar.gz.
File metadata
- Download URL: sentinel_csrf-1.0.7.tar.gz
- Upload date:
- Size: 44.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 41197e2f356b49cadfa9b72260def68be620b4b10d5d08d72cacf6ccf36ccd71 |
| MD5 | 623815ab465805fd025d8dd6c5de2d55 |
| BLAKE2b-256 | a12f76d52f9bef4a5bb05dd3be73bd6589f211d728b9b5597e60b38838e75e3b |
File details
Details for the file sentinel_csrf-1.0.7-py3-none-any.whl.
File metadata
- Download URL: sentinel_csrf-1.0.7-py3-none-any.whl
- Upload date:
- Size: 46.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | b91c7f9751187bb6efb60a6831f52e7a90fed4ab48ff2a89c3a06d7d927f6f13 |
| MD5 | 13dd32dd433904276bb3b2d3219ddd94 |
| BLAKE2b-256 | cecbe65f4c0c7e32b3d4a43a668d2531e27924df3dc3d5f4fc465026e91dcd1b |