id: csrf-guard-detect info: name: OWASP CSRF Guard detection author: forgedhallpass severity: info description: Detects OWASP CSRF Guard 3.x & 4.x versions and whether token-per-page support is enabled based on default configuration. reference: - https://github.com/OWASP/www-project-csrfguard tags: tech,csrfguard,owasp requests: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} - | GET /JavaScriptServlet HTTP/1.1 Host: {{Hostname}} Referer: {{BaseURL}} - | POST /JavaScriptServlet HTTP/1.1 Host: {{Hostname}} OWASP-CSRFTOKEN: {{masterToken}} matchers-condition: or matchers: - type: word name: "CSRFGuard-v3.x" words: - "FETCH-CSRF-TOKEN" - type: word name: "CSRFGuard-v4.x" words: - "masterTokenValue" - type: dsl name: "Disabled-token-per-page" condition: and dsl: - 'status_code_3==400' - 'contains(body, "Token-Per-Page functionality is disabled")' - type: dsl name: "Enabled-token-per-page" condition: and dsl: - 'status_code_3==200' - 'contains(body, "{\"pageTokens")' cookie-reuse: true extractors: - type: regex name: masterToken internal: true group: 1 regex: - "(?:masterTokenValue\\s*=\\s*')([^']+)';" - type: regex group: 1 name: "master-token" regex: - "(?:masterTokenValue\\s*=\\s*')([^']+)';" - type: json name: "page-token" json: - '.pageTokens'