This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

CSRFTester Usage

Revision as of 16:48, 21 November 2007 by Esheridan (talk | contribs)

Jump to: navigation, search


The following article describes how to utilize the OWASP CSRFTester to generate test cases during an application security assessment. To download the tool, please visit the OWASP CSRFTester project page at

Launch OWASP CSRFTester

  • Update JAVA_HOME in run.bat to ensure appropriate access to the JVM.
  • Double-click run.bat to launch CSRFTester with the appropriate classpath configuration

The CSRFTester distribution contains three files: run.bat, OWASP-CSRFTester-1.0.jar, and concurrent.jar. The run.bat script configures the classpath to include the required jars and invokes the appropriate main class. Currently, the batch script assumes your JDK runtime exists under C:\AppSecWorkbench\jdk16\jre. Obviously, this will not be the correct location of your JVM. Make sure you update the JAVA_HOME environment variable in run.bat before attempting to execute the batch file. Assuming proper configuration, executing run.bat should launch CSRFTester. If an error occurs, evident when the command line interface quickly disappears, consider opening up a separate CLI and 'CD' directly to the folder of your run.bat file and execute it via command line. Any errors that may occur will display to stdout.

Record Execution of Business Functions

TBD: describe how to configure proxy TBD: describe how to start and stop recorded requests TBD: describe how to manipulate recorded requests (i.e. parameters, method, timing, etc.)

Generate HTML Reports

TBD: Describe the available report types TBD: Describe how to generate the report TBD: Describe how to test the newly generated report