I am a cyber security researcher and programmer.
Do you want to be one too? Check out my advice for learning hacking and programming.
You can support my work with a few bucks, here.
CSRF Scanner
License: GNU General Public License v3.0
Target: http://donki.xyz
Cmd: python bolt.py -u http://donki.xyz/ -l 2
Output:
⚡ BOLT ⚡
⚡ Phase: Crawling [1/6]
[!] Crawled 23 URL(s) and found 18 form(s).
⚡ Phase: Evaluating [2/6]
⚡ Phase: Comparing [3/6]
[!] Token matches the pattern of following hash type(s):
> MD2
> MD5
> MD4
> Double MD5
> LM
> RIPEMD-128
> Haval-128
> Tiger-128
> Skein-256(128)
> Skein-512(128)
> Lotus Notes/Domino 5
> Skype
> ZipMonster
> PrestaShop
> md5(md5(md5($pass)))
> md5(strtoupper(md5($pass)))
> md5(sha1($pass))
> md5($pass.$salt)
> md5($salt.$pass)
> md5(unicode($pass).$salt)
> md5($salt.unicode($pass))
> HMAC-MD5 (key = $pass)
> HMAC-MD5 (key = $salt)
> md5(md5($salt).$pass)
> md5($salt.md5($pass))
> md5($pass.md5($salt))
> md5($salt.$pass.$salt)
> md5(md5($pass).md5($salt))
> md5($salt.md5($salt.$pass))
> md5($salt.md5($pass.$salt))
> md5($username.0.$pass)
> Snefru-128
> NTLM
> Domain Cached Credentials
> Domain Cached Credentials 2
> DNSSEC(NSEC3)
> RAdmin v2.x
> Cisco Type 7
> BigCrypt
[!] Tokens are 36% similar to each other on an average
[!] Common substring found
{
"add": [
"a737ef9f5734dbbfa36082a9b42badd7",
"55f874770b4faddc6cd64159bdcb908e"
],
"1fb": [
"f4006f01e6edf1fb53ddf0cf285619da",
"94957ab8cb5f00295fc92e031fbaa3c8"
],
"f01": [
"f4006f01e6edf1fb53ddf0cf285619da",
"e2d3b0df014ff1a2e50212bb6530d533"
],
"9f0": [
"9f0429920ca6637ade2c4e21fabe00ff",
"e49f917acf5dc8e0e1a8c9293d39f053"
],
"2c4e": [
"9f0429920ca6637ade2c4e21fabe00ff",
"e8500d5a12c4e86aa4252831ac49a22c"
],
"c92": [
"e49f917acf5dc8e0e1a8c9293d39f053",
"94957ab8cb5f00295fc92e031fbaa3c8"
],
"0d5": [
"e2d3b0df014ff1a2e50212bb6530d533",
"e8500d5a12c4e86aa4252831ac49a22c"
]
}
⚡ Phase: Observing [4/6]
[!] 100 simultaneous requests are being made, please wait.
[!] Different tokens were issued for simultaneous requests.
⚡ Phase: Testing [5/6]
[~] Finding a suitable form for further testing. It may take a while.
Traceback (most recent call last):
File "bolt.py", line 248, in <module>
parsed = datanize(candidate, headers, tolerate=True)
TypeError: datanize() got multiple values for argument 'tolerate'
path -> core/datanize.py
7: def datanize(forms, tolerate=False):
path -> bolt.py
248: parsed = datanize(candidate, headers, tolerate=True)
└──╼ $sudo python3 bolt.py -u https://github.com -l 2
[sudo] password for punk:
⚡ BOLT ⚡
Traceback (most recent call last):
File "bolt.py", line 33, in <module>
from core.entropy import isRandom
File "/home/punk/Music/Bolt/core/entropy.py", line 1, in <module>
import numpy as np
ModuleNotFoundError: No module named 'numpy'
Is there any solution for this issue?
Very good project, it helped me a lot and gave me ideas for doing CSRF checks, but I found some minor problems while reading. When token processing is performed, localTokens are a set, which cannot have duplicate values. Then localTokens are assigned to allTokens by traversing them. All this takes place in the Evaluate function. The problem is that in earlier Bolt.py token comparisons, allTokens were first rebranded with set tokens. Of course, we know that allTokens have already been rebranded with localTokens, so the size of the uniqueTokens that will be rebranded will be consistent with allTokens no matter what. So it's never typed into the logic that determines token duplication.
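The effect described in the comment above, as an added example (not Bolt's code and not the commenter's): when a page's tokens pass through a set before the size comparison, a token repeated across that page's forms is never reported, while recording every occurrence reports it. The data layout, function names and token values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed crawl result (not Bolt output): page URL -> the anti-CSRF token
# value found in each form on that page, in document order.
SAMPLE_PAGES = {
    "/profile": ["3f9c1e7a5b2d4c68", "3f9c1e7a5b2d4c68"],  # two forms, one token
    "/settings": ["a1b2c3d4e5f60718"],
    "/logout": ["0f1e2d3c4b5a6978"],
}


def reuse_after_dedup(pages):
    """Hypothetical reading of the pattern in the comment: tokens are put in a
    per-page set, appended to one list, and the list is compared with its set."""
    all_tokens = []
    for tokens in pages.values():
        local_tokens = set(tokens)      # a token repeated on this page collapses
        all_tokens.extend(local_tokens)
    return len(set(all_tokens)) < len(all_tokens)


def reuse_by_occurrence(pages):
    """Record every occurrence first; report each token seen more than once
    together with the (url, form index) positions where it appeared."""
    seen = defaultdict(list)
    for url, tokens in pages.items():
        for form_index, token in enumerate(tokens):
            seen[token].append((url, form_index))
    return {tok: where for tok, where in seen.items() if len(where) > 1}


if __name__ == "__main__":
    print("dedup-first check flags reuse:", reuse_after_dedup(SAMPLE_PAGES))
    for tok, where in reuse_by_occurrence(SAMPLE_PAGES).items():
        print("reused token", tok, "at", where)
```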
It is a good programming practice to specify versions of the library used in requirements.txt.
This ensures that the project doesn't break if unforeseen changes are made in the latest version of the library. Also, it avoids dependency hell.
Currently, all the latest versions are getting installed.
python3 bolt.py -h
⚡ BOLT ⚡
/usr/local/lib/python3.7/dist-packages/fuzzywuzzy/fuzz.py:11: UserWarning: Using slow pure-python SequenceMatcher. Install python-Levenshtein to remove this warning
warnings.warn('Using slow pure-python SequenceMatcher. Install python-Levenshtein to remove this warning')
I have installed python-Levenshtein,
but the warning exists, too.
datanize function doesn't have headers argument.
Line 249 in de2a95c
in photon.py
url = getUrl(url, '', True)
params = getParams(url, '', True)
params will never get the right value
⚡ Phase: Comparing [3/6]
[+] Potential Replay Attack condition found
[~] Verifying and looking for the cause
Traceback (most recent call last):
File "bolt.py", line 113, in <module>
for url, token in tokenDatabase:
ValueError: not enough values to unpack (expected 2, got 1)
Hello, and in what format are the headers and cookies inserted? I need the tool to pass authorization and check forms there. Thank you.
Finding a suitable form for further testing. It may take a while.
Traceback (most recent call last):
File "/root/webtesting/Bolt/bolt.py", line 249, in <module>
parsed = datanize(candidate, tolerate=True)
File "/root/webtesting/Bolt/core/datanize.py", line 8, in datanize
parsedForms = list(forms.values())
AttributeError: 'str' object has no attribute 'values'
kali@kali:/projects/Bolt$ python3 --version
Python 3.8.2
kali@kali:/projects/Bolt$ python3 bolt.py -u https://github.com -l 2
Traceback (most recent call last):
File "bolt.py", line 1, in <module>
from core.colors import green, yellow, end, run, good, info, bad, white, red
ModuleNotFoundError: No module named 'core.colors'
Hi bro!
I use your tools but get [attribute error] for this value:
python3 bolt.py -u https://github.com -l 2
text error:
⚡ Phase: Observing [4/6]
[!] 100 simultaneous requests are being made, please wait.
[+] Same tokens were issued for simultaneous requests.
⚡ Phase: Testing [5/6]
[~] Finding a suitable form for further testing. It may take a while.
Traceback (most recent call last):
File "bolt.py", line 249, in <module>
parsed = datanize(candidate, tolerate=True)
File "/home/f.sarmali/test_tools/csrf_scanner/Bolt/core/datanize.py", line 8, in datanize
parsedForms = list(forms.values())
AttributeError: 'str' object has no attribute 'values'