Riskemy

5 CSRF Scanner to Detect Vulnerability on Your Site

Find Cross-site Request Forgery (CSRF) problems on the site with these advanced scanning tools.

OWASP Top 10 is usually the first guide that online businesses follow to build a secure application. Although CSRF was recently dropped from the list, most security experts still understand the severity of the issue.

What is a CSRF Vulnerability?

A successful exploit of this vulnerability can be devastating for your visitors and your business. An attacker tricks an end user's browser into executing unwanted, state-changing actions on a site, account or application in which the user is already logged in.

Attackers often use malicious email links and social media posts to reach their targets, and then abuse the victim's existing authenticated session to carry out the attack.


Since this kind of attack uses social engineering, all companies should take serious preventive measures to block it. In the most severe cases, companies can lose money, data, and reputation.

The OWASP Project's CSRF Cheat Sheet is a good place to start, but you also need capable scanning tools that can detect the issue in your own applications.

1. Detectify

Scan your web applications for more than 1000 vulnerabilities with the Detectify tool. It is a fully automated scanner that tests for common vulnerabilities including XSS, CSRF, and SQL Injection. Their ethical hacking community includes some of the most experienced experts in the industry.

  • Automated security research
  • 1000+ security tests
  • OWASP Top 10 coverage
  • Get regular alerts

The basic plan for this CSRF scanner starts at $50.

2. Qualys Scanner

Qualys web application scanning helps businesses of all sizes find and fix application weaknesses both inside and outside the development cycle. It offers advanced checks for cross-site request forgery issues. With simple dashboard views and categorization, you get a quick view of the severity of every vulnerability found on the site.

Apart from CSRF, this tool is fully capable of detecting other OWASP problems, unvalidated redirections, defacement attempts, and more.

  • OWASP Top 10 detection
  • Advanced CSRF scan
  • Detailed risk reports
  • Web, app, API, and IoT scans

The prices are not openly disclosed. You can take a free trial though.

3. Acunetix

When it comes to scanning for cross-site request forgery, few tools do it better than Acunetix. They have tons of intel on the vulnerability collected through years of research. While most of the scanners on the list can detect basic CSRF issues, Acunetix goes further, with advanced checks for CSRF variations based on highly tuned heuristics.

Additionally, this tool also detects a wide range of other vulnerabilities like Cross-site Scripting and SQL Injection.

  • OWASP Top 10 detection
  • Advanced CSRF tests
  • Support for SPAs

Acunetix is an expensive option, with the Standard plan starting at $4,495.

4. Tenable

Tenable is another automated scanning tool for CSRF vulnerabilities. It uses deep scanning to understand the application infrastructure and to find issues that attackers might try to exploit. With single-pane visibility into all security weaknesses in the application, Tenable is a popular option for companies of all sizes. You might want to start with the company's free trial, which offers every feature.

  • Advanced CSRF checks
  • Online reports on the dashboard
  • SPA support
  • OWASP Top 10 detection

Tenable scanner’s cost depends on the number of assets you choose to test.

5. Beyond Security

Designed to scan one or many websites at once, Beyond Security's CSRF scanner is fast and effective. It automatically tests your sites for common security weaknesses such as unvalidated redirects, XSS, CSRF, and SQLi.

You can scan up to ten sites for CSRF issues in one go with Beyond Security. Their detailed reports classify discovered security loopholes based on their severity and business risk.

  • OWASP Top 10 detection
  • CSRF reports
  • Directory Traversal
  • Detailed reports

There are no available details on the cost of this tool. However, it is likely to be on the higher side.

Prevent Cross-Site Request Forgery

Although I have already mentioned the OWASP Cheat Sheet for preventing CSRF exploits, here are a few pointers to help you out.

  1. Validate the Origin and Referer headers on state-changing requests
  2. Use the HttpOnly flag on session cookies
  3. Require a custom X-Requested-With header (for example, the one jQuery sends on AJAX requests)
  4. Use anti-CSRF tokens
  5. Use SameSite cookies
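To show how the pointers above fit together on the server side, here is an added example (not code from the original post or from any of the scanners listed) that issues a session-bound anti-CSRF token, emits a session cookie with the SameSite, HttpOnly and Secure attributes, and accepts a state-changing request only when the Origin/Referer, the X-Requested-With header and the token all check out. The secret, the origin `https://app.example` and the header/form names are assumptions for the demo.

```python
import hmac
import hashlib
import secrets
from http.cookies import SimpleCookie

SERVER_SECRET = secrets.token_bytes(32)  # constructed for the demo; load from config in practice
ALLOWED_ORIGIN = "https://app.example"   # hypothetical origin of the protected application


def issue_csrf_token(session_id: str) -> str:
    """Anti-CSRF token (pointer 4): random nonce plus an HMAC that binds it to the session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: str) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False  # malformed or missing token
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value with SameSite (pointer 5), HttpOnly (pointer 2) and Secure set."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    return cookie.output(header="").strip()


def source_is_allowed(headers: dict) -> bool:
    """Pointer 1: prefer Origin, fall back to Referer; reject when neither matches."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == ALLOWED_ORIGIN
    referer = headers.get("Referer", "")
    return referer.startswith(ALLOWED_ORIGIN + "/")


def accept_state_change(session_id: str, headers: dict, form: dict) -> bool:
    """A state-changing POST is accepted only if every layer of the defence passes."""
    return (
        source_is_allowed(headers)
        and headers.get("X-Requested-With") == "XMLHttpRequest"  # pointer 3
        and token_is_valid(session_id, form.get("csrf_token", ""))
    )
```

The token is not stored server-side: the HMAC over the session id is what ties it to the logged-in user, so a token stolen from another session fails verification.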

Preventing cross-site request forgery attacks is not a one-time event. Your applications should be scanned and tested regularly for any possible weaknesses.

Ishan Mathur

From stopping hackers to getting the fastest CDN, I'm helping big and small companies choose what's best for them by building a community here.
