CSRF-Request-Builder Beta Released
CSRF-Request-Builder is a tool for testing CSRF against web services. Such as RESTful JSON or even SOAP web services.
This is a tool for testing CSRF against web services. This is a complete test in that it can be used to create PoC exploits to exploit real victims and real systems in a real world scenario. After all if it didn’t work in the real world it wouldn’t be a useful test.
Why is is this tool needed?
It is posible to use HTML/JS to perform a valid JSON request using parameter padding (http://blog.opensecurityresearch.com/2012/02/json-csrf-with-parameter-padding.html), however while on a recent pentest the application I was testing was checking that incoming requests had a content-type of application/json. Well as far as I know only Flash can do this. Flash has the unique ability to set arbitrary headers, including setting the content-type to an arbitrary value. Flash can also set the body of the HTTP request to an arbitrary value.
More Information: here
Download CSRF-Request-Builder Beta