The following article describes how to use the OWASP CSRFTester to generate test cases during an application security assessment. To download the tool, please visit the OWASP CSRFTester project page at https://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project
Launch OWASP CSRFTester
- Update JAVA_HOME in run.bat to ensure appropriate access to the JVM.
- Double-click run.bat to launch CSRFTester with the appropriate classpath configuration.
The CSRFTester distribution contains three files: run.bat, OWASP-CSRFTester-1.0.jar, and concurrent.jar. The run.bat script configures the classpath to include the required jars and invokes the appropriate main class. Currently, the batch script assumes your JDK runtime exists under C:\AppSecWorkbench\jdk16\jre. This will almost certainly not be the location of your JVM, so make sure you update the JAVA_HOME environment variable in run.bat before attempting to execute the batch file. Assuming proper configuration, executing run.bat should launch CSRFTester. If an error occurs (evident when the command-line window disappears almost immediately), open a separate command prompt, change directory to the folder containing run.bat, and run it from there. Any errors that occur will then remain visible on stdout.
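The same launcher written as a POSIX shell script, added here as an example (it is not the project's own run.bat): it checks JAVA_HOME and the two jars before starting the JVM, so a misconfiguration is reported on the terminal instead of the window simply closing. The file name csrftester.sh and the CSRF_MAIN placeholder are assumptions; the real main class is the one run.bat invokes.

```shell
#!/bin/sh
# Hypothetical POSIX launcher for OWASP CSRFTester (added example, not the
# project's own run.bat). It checks up front what run.bat silently assumes, so a
# wrong JAVA_HOME or a missing jar is reported instead of the window vanishing.

# Directory holding OWASP-CSRFTester-1.0.jar and concurrent.jar; defaults to the
# script's own directory, as run.bat assumes.
CSRF_HOME="${CSRF_HOME:-$(dirname "$0")}"

# Placeholder: the page does not name the main class; copy it from run.bat.
CSRF_MAIN="${CSRF_MAIN:-REPLACE_WITH_MAIN_CLASS_FROM_RUN_BAT}"

# Return 0 if JAVA_HOME points at a runtime with an executable java binary,
# otherwise describe the problem on stderr and return 1.
check_java_home() {
  if [ -z "${JAVA_HOME:-}" ]; then
    echo "JAVA_HOME is not set; export it or edit this script" >&2
    return 1
  fi
  if [ ! -x "$JAVA_HOME/bin/java" ]; then
    echo "no executable java at $JAVA_HOME/bin/java; fix JAVA_HOME" >&2
    return 1
  fi
  return 0
}

# Print the classpath made of the two jars CSRFTester ships with, given the
# directory they live in; return 1 (with a message) if either is missing.
build_classpath() {
  classpath=""
  for jar in OWASP-CSRFTester-1.0.jar concurrent.jar; do
    if [ ! -f "$1/$jar" ]; then
      echo "missing $jar in $1" >&2
      return 1
    fi
    classpath="${classpath:+$classpath:}$1/$jar"
  done
  printf '%s\n' "$classpath"
}

# Launch only after both checks pass; any message stays on the terminal.
main() {
  check_java_home || return 1
  classpath=$(build_classpath "$CSRF_HOME") || return 1
  exec "$JAVA_HOME/bin/java" -cp "$classpath" "$CSRF_MAIN" "$@"
}

# Run main only when invoked as csrftester.sh, not when sourced for testing.
case "$(basename "$0")" in csrftester.sh) main "$@" ;; esac
```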
Record Execution of Business Functions
- TBD: describe how to configure the proxy.
- TBD: describe how to start and stop recording requests.
- TBD: describe how to manipulate recorded requests (i.e. parameters, method, timing, etc.).
Generate HTML Reports
- TBD: describe the available report types.
- TBD: describe how to generate the report.
- TBD: describe how to test the newly generated report.