id: csrf-guard-detect

info:
  name: OWASP CSRF Guard detection
  author: forgedhallpass
  severity: info
  description: Detects OWASP CSRF Guard 3.x & 4.x versions and whether token-per-page support is enabled based on default configuration.
  reference:
    - https://github.com/OWASP/www-project-csrfguard
  tags: tech,csrfguard,owasp

requests:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /JavaScriptServlet HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}

      - |
        POST /JavaScriptServlet HTTP/1.1
        Host: {{Hostname}}
        OWASP-CSRFTOKEN: {{masterToken}}

    matchers-condition: or
    matchers:
      - type: word
        name: "CSRFGuard-v3.x"
        words:
          - "FETCH-CSRF-TOKEN"

      - type: word
        name: "CSRFGuard-v4.x"
        words:
          - "masterTokenValue"

      - type: dsl
        name: "Disabled-token-per-page"
        condition: and
        dsl:
          - 'status_code_3==400'
          - 'contains(body, "Token-Per-Page functionality is disabled")'

      - type: dsl
        name: "Enabled-token-per-page"
        condition: and
        dsl:
          - 'status_code_3==200'
          - 'contains(body, "{\"pageTokens")'

    cookie-reuse: true
    extractors:
      - type: regex
        name: masterToken
        internal: true
        group: 1
        regex:
          - "(?:masterTokenValue\\s*=\\s*')([^']+)';"

      - type: regex
        group: 1
        name: "master-token"
        regex:
          - "(?:masterTokenValue\\s*=\\s*')([^']+)';"

      - type: json
        name: "page-token"
        json:
          - '.pageTokens'