OWASP CSRFGuard detection

technologies/csrfguard-detect.yaml

@@ -0,0 +1,71 @@
+id: csrf-guard-detect
+
+info:
+  name: OWASP CSRF Guard detection
+  author: forgedhallpass
+  severity: info
+  description: Detects OWASP CSRF Guard 3.x & 4.x versions and whether token-per-page support is enabled based on default configuration.
+  reference:
+    - https://github.com/OWASP/www-project-csrfguard
+
+requests:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /JavaScriptServlet HTTP/1.1
+        Host: {{Hostname}}
+        Referer: {{BaseURL}}
+
+      - |
+        POST /JavaScriptServlet HTTP/1.1
+        Host: {{Hostname}}
+        OWASP-CSRFTOKEN: {{masterToken}}
+
+    matchers-condition: or
+    matchers:
+      - type: word
+        name: "CSRFGuard version 3.x"
+        words:
+          - "FETCH-CSRF-TOKEN"
+
+      - type: word
+        name: "CSRFGuard version 4.x"
+        words:
+          - "masterTokenValue"
+
+      - type: dsl
+        name: "Token-per-page support is not enabled."
+        condition: and
+        dsl:
+          - 'status_code_3==400'
+          - 'contains(body, "Token-Per-Page functionality is disabled")'
+
+      - type: dsl
+        name: "Token-per-page support is enabled."
+        condition: and
+        dsl:
+          - 'status_code_3==200'
+          - 'contains(body, "{\"pageTokens")'
+
+    cookie-reuse: true
+    extractors:
+      - type: regex
+        name: masterToken
+        internal: true
+        group: 1
+        regex:
+          - "(?:masterTokenValue\\s*=\\s*')([^']+)';"
+
+      - type: regex
+        group: 1
+        name: "Master Token"
+        regex:
+          - "(?:masterTokenValue\\s*=\\s*')([^']+)';"
+
+      - type: json
+        name: Page tokens
+        json:
+          - '.pageTokens'