{"id":17922582,"url":"https://github.com/s0md3v/bolt","last_synced_at":"2025-04-04T09:08:51.733Z","repository":{"id":37432543,"uuid":"163542563","full_name":"s0md3v/Bolt","owner":"s0md3v","description":"CSRF Scanner","archived":false,"fork":false,"pushed_at":"2024-06-28T06:36:05.000Z","size":88,"stargazers_count":561,"open_issues_count":5,"forks_count":124,"subscribers_count":26,"default_branch":"master","last_synced_at":"2025-03-28T08:07:35.933Z","etag":null,"topics":["csrf","csrf-scanner","xsrf"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/s0md3v.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"s0md3v","custom":"https://paypal.me/s0md3v"}},"created_at":"2018-12-29T21:35:36.000Z","updated_at":"2025-03-22T19:49:11.000Z","dependencies_parsed_at":"2024-10-28T20:39:55.136Z","dependency_job_id":null,"html_url":"https://github.com/s0md3v/Bolt","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0md3v%2FBolt","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0md3v%2FBolt/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0md3v%2FBolt/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/s0md3v%2FBolt/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/s0md3v","download_url":"https://codeload.github.com/s0md3v/Bolt/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247149501,"owners_count":20891954,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["csrf","csrf-scanner","xsrf"],"created_at":"2024-10-28T20:39:51.480Z","updated_at":"2025-04-04T09:08:51.712Z","avatar_url":"https://github.com/s0md3v.png","language":"Python","readme":"\u003ch1 align=\"center\"\u003e\n  \u003cbr\u003e\n  \u003ca href=\"https://github.com/s0md3v/Bolt\"\u003e\u003cimg src=\"https://i.ibb.co/2tnkLvt/bolt.png\" alt=\"Bolt\"\u003e\u003c/a\u003e\n  \u003cbr\u003e\n  Bolt\n  \u003cbr\u003e\n\u003c/h1\u003e\n\n\u003ch4 align=\"center\"\u003eA dumb CSRF scanner\u003c/h4\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/s0md3v/Bolt/releases\"\u003e\n    \u003cimg src=\"https://img.shields.io/github/release/s0md3v/Bolt.svg\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://travis-ci.com/s0md3v/Bolt\"\u003e\n    \u003cimg src=\"https://img.shields.io/travis/com/s0md3v/Bolt.svg\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://github.com/s0md3v/Bolt/issues?q=is%3Aissue+is%3Aclosed\"\u003e\n      \u003cimg src=\"https://img.shields.io/github/issues-closed-raw/s0md3v/Bolt.svg\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n![demo](https://i.ibb.co/mTtHTGP/Screenshot-2018-12-30-03-42-26.png)\n\n### Important\nBolt is in the beta phase of development, which means there can be bugs. Any production use of this tool is discouraged.\nPull requests and issues are welcome. I also suggest putting this repo on watch if you are interested in it.\n\n### Workflow\n\n#### Crawling\nBolt crawls the target website to the specified depth and stores all the HTML forms found in a database for further processing.\n\n#### Evaluating\nIn this phase, Bolt finds the tokens which aren't strong enough and the forms which aren't protected.\n\n##### Comparing\nThis phase focuses on detecting replay attack scenarios and hence checks whether a token has been issued more than once.\nIt also calculates the average [Levenshtein distance](https://en.wikipedia.org/wiki/Levenshtein_distance) between all the tokens to see if they are similar.\\\nTokens are also compared against a database of 250+ hash patterns.\n\n##### Observing\nIn this phase, 100 simultaneous requests are made to a single webpage to see if the same tokens are generated for the requests.\n\n##### Testing\nThis phase is dedicated to active testing of the CSRF protection mechanism. It includes, but is not limited to, checking whether protection exists for mobile browsers, submitting requests with a self-generated token and testing whether the token is only checked up to a certain length.\n\n##### Analysing\nVarious statistical checks are performed in this phase to see if the token is really random.\nThe following tests are performed during this phase:\n- Monobit frequency test\n- Block frequency test\n- Runs test\n- Spectral test\n- Non-overlapping template matching test\n- Overlapping template matching test\n- Serial test\n- Cumulative sums test\n- Approximate entropy test\n- Random excursions variant test\n- Linear complexity test\n- Longest runs test\n- Maurer's universal statistic test\n- Random excursions test\n\n### Usage\n\nScanning a website for CSRF using Bolt is as easy as doing\n```\npython3 bolt.py -u https://github.com -l 2\n```\nwhere `-u` is used to supply the URL and `-l` is used to specify the depth of crawling.\n\nOther options and switches:\n\n- `-t` number of threads\n- `--delay` delay between requests\n- `--timeout` http request timeout\n- `--headers` supply http headers\n\n#### Credits\nRegular expressions for detecting hashes are taken from [hashID](https://github.com/psypanda/hashID).\\\nBit level entropy tests are taken from [highfestiva](https://github.com/highfestiva)'s Python implementation of statistical tests.\n","funding_links":["https://github.com/sponsors/s0md3v","https://paypal.me/s0md3v"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fs0md3v%2Fbolt","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fs0md3v%2Fbolt","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fs0md3v%2Fbolt/lists"}