id: csrf-guard-detect info: name: OWASP CSRFGuard 3.x/4.x - Detect author: forgedhallpass severity: info description: OWASP CSRFGuard 3.x and 4.x were checked for whether token-per-page support is enabled based on default configuration. reference: - https://github.com/OWASP/www-project-csrfguard classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N cvss-score: 0.0 cwe-id: CWE-200 tags: tech,csrfguard,owasp requests: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} - | GET /JavaScriptServlet HTTP/1.1 Host: {{Hostname}} Referer: {{BaseURL}} - | POST /JavaScriptServlet HTTP/1.1 Host: {{Hostname}} OWASP-CSRFTOKEN: {{masterToken}} matchers-condition: or matchers: - type: word name: "CSRFGuard-v3.x" words: - "FETCH-CSRF-TOKEN" - type: word name: "CSRFGuard-v4.x" words: - "masterTokenValue" - type: dsl name: "Disabled-token-per-page" condition: and dsl: - 'status_code_3==400' - 'contains(body, "Token-Per-Page functionality is disabled")' - type: dsl name: "Enabled-token-per-page" condition: and dsl: - 'status_code_3==200' - 'contains(body, "{\"pageTokens")' cookie-reuse: true extractors: - type: regex name: masterToken internal: true group: 1 regex: - "(?:masterTokenValue\\s*=\\s*')([^']+)';" - type: regex group: 1 name: "master-token" regex: - "(?:masterTokenValue\\s*=\\s*')([^']+)';" - type: json name: "page-token" json: - '.pageTokens' # Enhanced by md on 2023/03/15