Egor Homakov | Stuff: 4sq app Redmine JS leaking Clickjacking extractor Steal pass with XSS demo
CSRF Tool (How it works). Also check out Replay tool