auth_csrf_extract

Extract CSRF tokens from HTML forms by searching hidden inputs, meta tags, and script blocks to identify security tokens for web application testing.

Instructions

Extract CSRF tokens from HTML forms.

Searches for the token in hidden input fields, meta tags, and script blocks.

Returns: {"tokens_found": [{"source": str, "value": str}], "cookies": [str]}.

Side effects: Single GET request.

Input Schema

| Name | Required | Description | Default |
|---|---|---|---|
| url | Yes | URL of the form page containing CSRF token | |
| token_name | No | CSRF token field name to search for | |

Implementation Reference

  • The handler function for the `auth_csrf_extract` tool, which fetches a URL and parses HTML content to find CSRF tokens and cookies.
```typescript
async ({ url, token_name = "csrf" }) => {
  requireTool("curl");

  // Fetch the page and save cookies.
  // -D - dumps the response headers to stdout and -c - writes the cookie jar
  // there as well, so `body` holds headers and HTML together; -k disables
  // TLS certificate verification for the request.
  const res = await runCmd("curl", ["-sk", "-D", "-", "-c", "-", url]);

  const body = res.stdout;
  const tokens: Array<{ source: string; value: string }> = [];

  // Escape the user-supplied field name so it is matched literally.
  const escapedName = token_name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

  // Hidden input fields (name before value)
  const inputPattern = new RegExp(
    `name=["']?${escapedName}["']?\\s+value=["']([^"']+)["']`,
    "gi"
  );
  for (const match of body.matchAll(inputPattern)) {
    tokens.push({ source: "hidden_input", value: match[1] });
  }

  // Value before name pattern
  const valueFirstPattern = new RegExp(
    `value=["']([^"']+)["']\\s+name=["']?${escapedName}["']?`,
    "gi"
  );
  for (const match of body.matchAll(valueFirstPattern)) {
    tokens.push({ source: "hidden_input_v2", value: match[1] });
  }

  // Meta tag (name attribute before content attribute)
  const metaPattern = new RegExp(
    `<meta\\s+name=["']?${escapedName}["']?\\s+content=["']([^"']+)["']`,
    "gi"
  );
  for (const match of body.matchAll(metaPattern)) {
    tokens.push({ source: "meta_tag", value: match[1] });
  }

  // URL parameter in form action. The pattern is unanchored, so it also
  // reports `<name>=...` occurrences elsewhere in the output (headers,
  // inline scripts); there is no dedicated script-block pass in this handler.
  const actionPattern = new RegExp(
    `${escapedName}=([^&"'>\\s]+)`,
    "g"
  );
  for (const match of body.matchAll(actionPattern)) {
    tokens.push({ source: "url_param", value: match[1] });
  }

  // Extract cookies from the Set-Cookie lines of the -D header dump
  const cookieLines = body
    .split("\n")
    .filter(
      (line) =>
        line.startsWith("Set-Cookie:") ||
        line.startsWith("set-cookie:")
    );

  const result = {
    tokens_found: tokens,
    token_count: tokens.length, // returned in addition to the documented fields
    cookies: cookieLines.slice(0, 10),
  };

  return { content: [{ type: "text", text: JSON.stringify(result) }] };
}
```
  • Registration of the `auth_csrf_extract` tool within the McpServer, including its schema/input parameters.
```typescript
server.tool(
  "auth_csrf_extract",
  "Extract CSRF tokens from HTML forms.\n\nSearches for the token in hidden input fields, meta tags, and script blocks.\n\nReturns: {\"tokens_found\": [{\"source\": str, \"value\": str}], \"cookies\": [str]}.\n\nSide effects: Single GET request.",
  {
    url: z
      .string()
      .describe("URL of the form page containing CSRF token"),
    token_name: z
      .string()
      .describe("CSRF token field name to search for")
      .optional(),
  },
  // the handler function shown above is passed as the final argument
);
```
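The handler's four regex passes and Set-Cookie scan, re-implemented below as an added example that is not the operant-mcp project's own code, operate on an already-fetched response so the extraction can be run offline. The function names (`extractCsrfTokens`, `escapeRegex`, `captures`) and the sample response are assumptions constructed for this example; the sample places a token named `_csrf` in a cookie, a meta tag, a form action and two differently ordered hidden inputs, which shows both what each pass reports and that the unanchored `url_param` pass also picks up the cookie value from the header dump.

```typescript
// Added example (not the operant-mcp project's own code): the same four regex
// passes and Set-Cookie scan as the auth_csrf_extract handler, written as a
// pure function over curl's combined header+HTML output.

interface CsrfToken {
  source: string;
  value: string;
}

interface CsrfExtraction {
  tokens_found: CsrfToken[];
  token_count: number;
  cookies: string[];
}

// Escape a user-supplied field name so it is matched literally inside a RegExp.
function escapeRegex(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Collect capture group 1 of every match of `pattern` (which must carry /g).
function captures(body: string, pattern: RegExp): string[] {
  const out: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = pattern.exec(body)) !== null) {
    out.push(m[1]);
  }
  return out;
}

// `body` mirrors `curl -sk -D - -c - URL` output: headers, blank line, HTML.
function extractCsrfTokens(body: string, tokenName = "csrf"): CsrfExtraction {
  const name = escapeRegex(tokenName);
  const passes: Array<[string, RegExp]> = [
    // <input name="csrf" value="...">
    ["hidden_input", new RegExp(`name=["']?${name}["']?\\s+value=["']([^"']+)["']`, "gi")],
    // <input value="..." name="csrf">
    ["hidden_input_v2", new RegExp(`value=["']([^"']+)["']\\s+name=["']?${name}["']?`, "gi")],
    // <meta name="csrf" content="...">
    ["meta_tag", new RegExp(`<meta\\s+name=["']?${name}["']?\\s+content=["']([^"']+)["']`, "gi")],
    // csrf=... anywhere in the output: form actions, but also headers and inline scripts
    ["url_param", new RegExp(`${name}=([^&"'>\\s]+)`, "g")],
  ];
  const tokens: CsrfToken[] = [];
  for (const [source, pattern] of passes) {
    for (const value of captures(body, pattern)) {
      tokens.push({ source, value });
    }
  }
  // Set-Cookie lines come from the header dump that precedes the HTML.
  const cookies = body
    .split("\n")
    .filter((line) => /^set-cookie:/i.test(line))
    .slice(0, 10);
  return { tokens_found: tokens, token_count: tokens.length, cookies };
}

// Constructed sample response (not captured from any real site).
const SAMPLE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Set-Cookie: session=abc123; Path=/; HttpOnly",
  "Set-Cookie: _csrf=cookieval; Path=/; SameSite=Lax",
  "",
  "<html><head>",
  '<meta name="_csrf" content="meta-token-1">',
  "</head><body>",
  '<form action="/transfer?_csrf=url-token-1" method="post">',
  '  <input type="hidden" name="_csrf" value="form-token-1">',
  "  <input type='hidden' value='form-token-2' name='_csrf'>",
  "</form>",
  "</body></html>",
].join("\n");

// Stand-alone run: first with the page's field name, then with the tool's
// default "csrf", which only the substring-based url_param pass still matches.
console.log(JSON.stringify(extractCsrfTokens(SAMPLE_RESPONSE, "_csrf"), null, 2));
console.log(JSON.stringify(extractCsrfTokens(SAMPLE_RESPONSE), null, 2));
```

Two things worth reading off the output: `hidden_input_v2` exists because attribute order in the markup is not fixed, and `url_param` reports `cookieval;` (trailing semicolon included) from the Set-Cookie header, so a consumer should treat that source as a lead to confirm rather than a clean token value.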

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/operantlabs/operant-mcp'