CSRF tokens can now be matched against literal strings or regular exp…

…ressions.

More CSRF tokens have been added by default (including some that match common frameworks).
The extension no longer matches GET requests by default (but this can be enabled in the settings).
The extension now uses Burp's built in Base64 encoding functionality rather than legacy Java library.
Global case sensitivity is replaced by per-token case sensitivity.
CSRF tokens are now detected in a number of new places, such as within JSON objects, Multipart requests, XML.

LiteralToken.java

@@ -0,0 +1,27 @@
+//    CSRF Scanner Extension for Burp Suite
+//    Copyright (C) 2017  Adrian Hayter
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation, either version 3 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package burp;
+
+import java.io.Serializable;
+
+public class LiteralToken extends Token implements Serializable
+{
+    public LiteralToken(String value, boolean caseSensitive)
+    {
+        super(value, caseSensitive);
+    }
+}

RegexToken.java

@@ -0,0 +1,67 @@
+//    CSRF Scanner Extension for Burp Suite
+//    Copyright (C) 2017  Adrian Hayter
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation, either version 3 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package burp;
+
+import java.io.IOException;
+import java.io.Serializable;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+public class RegexToken extends Token implements Serializable
+{
+    private Pattern pattern;
+    private transient Matcher matcher; // Matcher cannot be serialized.
+
+    public RegexToken(String value, boolean caseSensitive)
+    {
+        super(value, caseSensitive);
+
+        if (caseSensitive)
+        {
+            pattern = Pattern.compile(value);
+        }
+        else
+        {
+            pattern = Pattern.compile(value, Pattern.CASE_INSENSITIVE);
+        }
+
+        matcher = pattern.matcher("");
+    }
+
+    private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException
+    {
+        in.defaultReadObject();
+        this.matcher = this.pattern.matcher(""); // Create new instance of matcher when object is deserialized.
+    }
+
+    @Override public int getMatchType()
+    {
+        return 1;
+    }
+
+    public Matcher getMatcher()
+    {
+        return this.matcher;
+    }
+
+    @Override public boolean matches(String s)
+    {
+        matcher.reset(s);
+
+        return matcher.matches();
+    }
+}

Token.java

@@ -0,0 +1,58 @@
+//    CSRF Scanner Extension for Burp Suite
+//    Copyright (C) 2017  Adrian Hayter
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation, either version 3 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package burp;
+
+import java.io.Serializable;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+public class Token implements Serializable
+{
+    private String value;
+    private boolean caseSensitive = false;
+
+    public Token(String value, boolean caseSensitive)
+    {
+        this.value = value;
+        this.caseSensitive = caseSensitive;
+    }
+
+    public String getValue()
+    {
+        return this.value;
+    }
+
+    public int getMatchType()
+    {
+        return 0;
+    }
+
+    public boolean getCaseSensitive()
+    {
+        return this.caseSensitive;
+    }
+
+    public boolean matches(String s)
+    {
+        if (this.caseSensitive)
+        {
+            return this.value.equals(s);
+        }
+
+        return this.value.equalsIgnoreCase(s);
+    }
+}

TokenTableModel.java

@@ -0,0 +1,108 @@
+//    CSRF Scanner Extension for Burp Suite
+//    Copyright (C) 2017  Adrian Hayter
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation, either version 3 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package burp;
+
+import java.util.ArrayList;
+import javax.swing.table.AbstractTableModel;
+
+public class TokenTableModel extends AbstractTableModel
+{
+    public final String[] matchTypes = {"Literal", "Regex"};
+
+    private final String[] columnNames = {"Token Match", "Match Type", "Case Sensitive"};
+    private ArrayList<Token> data = new ArrayList<Token>();
+
+    @Override
+    public int getRowCount()
+    {
+        return data.size();
+    }
+
+    @Override
+    public int getColumnCount()
+    {
+        return columnNames.length;
+    }
+
+    @Override
+    public String getColumnName(int col)
+    {
+        return columnNames[col];
+    }
+
+    @Override
+    public Class getColumnClass(int col)
+    {
+        switch (col)
+        {
+            case 0:
+                return String.class;
+            case 1:
+                return String.class;
+            case 2:
+                return Boolean.class;
+            default:
+                return String.class;
+        }
+    }
+
+    @Override
+    public Object getValueAt(int rowIndex, int columnIndex)
+    {
+        switch (columnIndex)
+        {
+            case 0:
+                return data.get(rowIndex).getValue();
+            case 1:
+                return matchTypes[data.get(rowIndex).getMatchType()];
+            case 2:
+                return data.get(rowIndex).getCaseSensitive();
+            default:
+                return "";
+        }
+    }
+
+    public ArrayList<Token> getArray()
+    {
+        return data;
+    }
+
+    public void setArray(ArrayList<Token> data)
+    {
+        this.data = data;
+    }
+
+    public Token getToken(int index)
+    {
+        return data.get(index);
+    }
+
+    public void add(Token token)
+    {
+        data.add(token);
+    }
+
+    public void update(int index, Token token)
+    {
+        data.set(index, token);
+    }
+
+    public void remove(int index)
+    {
+        data.remove(index);
+    }
+}