skills/csrff/SKILL.md
Use when testing Cross-Site Request Forgery, CSRF, anti-CSRF token validation, SameSite bypasses, Origin or Referer enforcement, state-changing requests, or browser-driven unauthorized actions.
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf):

`npx skillsauth add ghostonbutterbread/bug-bounty-harness csrf`
Test for Cross-Site Request Forgery vulnerabilities on authenticated, state-changing functionality.
Read shared state in this order before testing:
- notes/summary.md
- notes/observations.md
- checklist.md (CSRF items only)
- todo.md (CSRF items only)

There is no dedicated agents/csrf_hunter.py in this repo yet. Run CSRF work manually with a browser, proxy, and reproducible PoC HTML. Use baseline_capture.py when you need to snapshot authenticated before-and-after state or inspect reflected anti-CSRF headers during a controlled replay.
If the token is generated per action or per request, use /single-request-grabber to capture the fresh owned-session request and perform a bounded intercept/modify test. Do not invent, brute force, or harvest CSRF tokens.
| Mode | Use When | What It Tests |
|------|----------|---------------|
| no-token | State-changing request succeeds without a token | Missing anti-CSRF protection |
| weak-token | Token exists but validation may be weak | Omission, replay, cross-session reuse, or cookie duplication |
| samesite | Cookies appear to be the main defense | Cross-site navigation and SameSite edge cases |
| origin | Headers appear to enforce cross-site policy | Weak, absent, or inconsistent Origin and Referer validation |
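The table describes what each mode probes from the outside; the following Python, added here as an example and not part of the harness, shows the server-side checks those probes are meant to find missing. The secret, the allowed-origin set and the lowercase header dict are assumptions.

```python
import hmac
import hashlib
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed demo values, not taken from the harness: the server's secret
# and the only origin allowed to submit state-changing requests.
SECRET = b"demo-secret-replace-in-production"
ALLOWED_ORIGINS = {"https://app.example"}

def issue_token(session_id: str) -> str:
    """Bind the anti-CSRF token to the session. A token copied from another
    session, or duplicated into an attacker-set cookie, then fails validation."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def validate(session_id: str, form_token: Optional[str],
             headers: dict) -> Tuple[bool, str]:
    """Decide whether a state-changing request is accepted.
    headers maps lowercase names ('origin', 'referer', 'sec-fetch-site') to values."""
    # no-token mode: a state change with no token at all is rejected.
    if not form_token:
        return False, "missing token"
    # weak-token mode: constant-time compare against the session-bound value,
    # so omission, replay from another session and cookie duplication all fail.
    if not hmac.compare_digest(form_token, issue_token(session_id)):
        return False, "token not bound to session"
    # origin mode: check Origin first, fall back to Referer, and treat the
    # absence of both as cross-site rather than as same-site.
    origin = headers.get("origin")
    referer = headers.get("referer")
    if origin:
        if origin not in ALLOWED_ORIGINS:
            return False, "origin not allowed"
    elif referer:
        if _origin_of(referer) not in ALLOWED_ORIGINS:
            return False, "referer not allowed"
    else:
        return False, "no origin or referer"
    # samesite mode: SameSite=Lax cookies still ride on top-level cross-site
    # navigations, so reject requests the browser itself labels cross-site.
    if headers.get("sec-fetch-site") == "cross-site":
        return False, "cross-site fetch"
    return True, "ok"
```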
References:

- $HARNESS_ROOT/prompts/csrf-playbook.md
- $HARNESS_ROOT/skills/headers/references/technique-packs/origin.md
- $HARNESS_ROOT/skills/single-request-grabber/references/technique-packs/csrf-token.md
- $HARNESS_SHARED_BASE/{program}/agent_shared/
- $HARNESS_SHARED_BASE/{program}/agent_shared/findings/csrf/findings.md
- $HARNESS_SHARED_BASE/{program}/agent_shared/findings/csrf/

Rules:

- Follow prompts/csrf-playbook.md.
- For Origin, Referer, or Sec-Fetch-* checks, load /headers origin instead of duplicating header checks here.
- Use /single-request-grabber before replaying.
- Use baseline_capture.py when you need before-and-after evidence or to inspect anti-CSRF headers during controlled replay.
- Record findings in agent_shared/findings/csrf/findings.md.
- Update checklist.md, todo.md, and relevant notes.