Bolt is presented as an open-source, lightweight Cross-Site Request Forgery (CSRF) scan tool designed to help security professionals and developers identify potential CSRF vulnerabilities in web applications. While currently in its beta development phase, Bolt offers a practical approach to automating the detection of weak CSRF protection mechanisms. It is important to note that due to its beta status, using Bolt in production environments is discouraged, and users are encouraged to contribute to its development through pull requests and issue reporting.
Bolt Workflow: A Deep Dive into CSRF Vulnerability Scanning
Bolt’s process for identifying CSRF vulnerabilities is structured into distinct phases, each focusing on a different aspect of CSRF protection analysis.
Crawling Phase
Initially, Bolt acts as a crawler, exploring the target website to a user-defined depth. This crawling process is crucial for discovering all HTML forms present within the web application. The discovered forms are then stored in a database, creating a comprehensive inventory for subsequent analysis.
Evaluating Token Strength
The evaluation phase is where Bolt begins to analyze the security of the discovered forms. This stage focuses on identifying tokens associated with these forms that may not be cryptographically strong enough. Weak tokens are a common vulnerability and can be a significant indicator of potential CSRF issues.
Comparative Token Analysis
Following the initial evaluation, Bolt performs a comparative analysis of the tokens. This involves detecting replay attack scenarios by checking if any token has been issued more than once. Furthermore, Bolt calculates the Levenshtein distance between tokens to assess their similarity. High similarity can suggest predictable token generation. Tokens are also checked against a database of over 250 hash patterns to identify potentially weak or known hash algorithms.
Real-time Token Observation
To further assess token randomness and predictability, Bolt initiates an observation phase. During this phase, 100 simultaneous requests are sent to a single webpage, and the tool observes whether identical tokens are generated across these concurrent requests. Identical tokens in this scenario indicate that tokens are not being freshly generated per request, which can point to inadequate CSRF protection.
Active CSRF Protection Testing
Bolt moves into active testing to rigorously examine the CSRF protection mechanisms in place. This testing phase is multifaceted and includes checks such as verifying protection on mobile browsers, testing the application’s response to self-generated tokens, and confirming if token length validation is properly implemented. These tests are crucial for uncovering various bypass techniques and weaknesses in CSRF defenses.
Statistical Token Analysis
The final phase of Bolt’s workflow involves in-depth statistical analysis of the tokens. This phase aims to determine the true randomness of the tokens, using a suite of statistical tests. These tests include:
- Monobit frequency test
- Block frequency test
- Runs test
- Spectral test
- Non-overlapping template matching test
- Overlapping template matching test
- Serial test
- Cumulative sums test
- Approximate entropy test
- Random excursions variant test
- Linear complexity test
- Longest runs test
- Maurer’s universal statistic test
- Random excursions test
These comprehensive statistical tests provide a robust assessment of token randomness, which is a critical factor in effective CSRF protection.
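The following is an added example (not Bolt's own code) showing, in a few dozen lines, three of the checks described above: the replay check for reissued tokens, the Levenshtein distance between tokens from the comparative analysis, and the NIST SP 800-22 monobit frequency test from the statistical phase. The token lists are constructed sample data, not values harvested from a real site, and the seeded PRNG is a stand-in for a 128-bit random token generator.

```python
import math
import random
from itertools import combinations

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def hex_to_bits(token: str) -> str:
    """Expand a hex-encoded token into its bit string, keeping leading zeros."""
    return bin(int(token, 16))[2:].zfill(len(token) * 4)

def monobit_pvalue(bits: str) -> float:
    """NIST SP 800-22 frequency (monobit) test; p < 0.01 means the bits fail."""
    s = sum(1 if b == "1" else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(len(bits)) / math.sqrt(2))

def assess_tokens(tokens: list[str]) -> dict:
    """Replay check, nearest-neighbour Levenshtein distance and monobit p-value."""
    distinct = sorted(set(tokens))
    min_dist = min((levenshtein(a, b) for a, b in combinations(distinct, 2)), default=0)
    p = monobit_pvalue("".join(hex_to_bits(t) for t in tokens))
    return {
        "duplicates": len(tokens) - len(distinct),   # >0: a token was issued twice
        "min_levenshtein": min_dist,                  # small: tokens barely differ
        "monobit_p": p,
        "monobit_random": p >= 0.01,                  # NIST decision threshold
    }

# Constructed sample data (not harvested from a real site): a counter-based
# token scheme with one reissued token, and a seeded PRNG standing in for a
# 128-bit random token generator.
WEAK_TOKENS = ["00000001", "00000002", "00000002", "00000003", "00000004"]
rng = random.Random(1234)
STRONG_TOKENS = [f"{rng.getrandbits(128):032x}" for _ in range(16)]

if __name__ == "__main__":
    for name, toks in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        print(name, assess_tokens(toks))
```

The monobit test alone is a weak filter (a counter-based scheme fails it only because its bits are mostly zero); the other tests in the list above are needed to catch patterned but balanced generators.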
Getting Started with Bolt CSRF Scan Tool
Utilizing Bolt to scan a website for CSRF vulnerabilities is designed to be straightforward. The basic command structure is as follows:
python3 bolt.py -u <target_url> -l <crawl_depth>
In this command:
- -u specifies the target URL you wish to scan.
- -l defines the depth to which Bolt should crawl the website.
For example, to scan https://github.com with a crawl depth of 2, you would use:
python3 bolt.py -u https://github.com -l 2
Bolt also provides several optional parameters to customize your scans:
- -t <number_of_threads>: Adjust the number of threads used for crawling and scanning.
- --delay <delay_in_seconds>: Introduce a delay between requests to avoid overwhelming the server.
- --timeout <timeout_in_seconds>: Set a timeout for HTTP requests.
- --headers <headers_json>: Supply custom HTTP headers in JSON format.
Acknowledging Contributions
Bolt’s development acknowledges and incorporates resources from other open-source projects. The regular expressions used for hash detection are derived from the hashID project. Additionally, the bit-level entropy tests are based on highfestiva’s Python implementation of statistical tests. These credits recognize the valuable contributions of the open-source community to Bolt’s functionality.