CSRF tokens can now be matched against literal strings or regular expressions.
More CSRF tokens have been added by default (including some that match common frameworks). The extension no longer matches GET requests by default (but this can be enabled in the settings). The extension now uses Burp's built-in Base64 encoding functionality rather than a legacy Java library. Global case sensitivity is replaced by per-token case sensitivity. CSRF tokens are now detected in a number of new places, such as within JSON objects, multipart requests, and XML.
ah8r
committed
Aug 4, 2017
1 parent
e6e981f
commit 72c9a37
Showing
6 changed files
with
834 additions
and
269 deletions.
@@ -0,0 +1,27 @@ | ||
// CSRF Scanner Extension for Burp Suite | ||
// Copyright (C) 2017 Adrian Hayter | ||
// | ||
// This program is free software: you can redistribute it and/or modify | ||
// it under the terms of the GNU General Public License as published by | ||
// the Free Software Foundation, either version 3 of the License, or | ||
// (at your option) any later version. | ||
// | ||
// This program is distributed in the hope that it will be useful, | ||
// but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
// GNU General Public License for more details. | ||
// | ||
// You should have received a copy of the GNU General Public License | ||
// along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
|
||
package burp; | ||
|
||
import java.io.Serializable; | ||
|
||
public class LiteralToken extends Token implements Serializable | ||
{ | ||
public LiteralToken(String value, boolean caseSensitive) | ||
{ | ||
super(value, caseSensitive); | ||
} | ||
} |
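Review bot: LiteralToken implements Serializable but declares no serialVersionUID, and the same is true of its superclass Token and of RegexToken in this commit; add `private static final long serialVersionUID = 1L;` to each class. Without it the JVM derives the UID from the class shape, so if these objects are persisted through ObjectOutputStream (the description mentions Base64-encoded settings, but the serialization code is not in this page) any later change to a field or method signature makes previously saved tokens fail to load with InvalidClassException. A one-line class comment such as `// Match type 0: exact string comparison, inherited from Token.matches` would also make the link to TokenTableModel.matchTypes explicit.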
@@ -0,0 +1,67 @@ | ||
// CSRF Scanner Extension for Burp Suite | ||
// Copyright (C) 2017 Adrian Hayter | ||
// | ||
// This program is free software: you can redistribute it and/or modify | ||
// it under the terms of the GNU General Public License as published by | ||
// the Free Software Foundation, either version 3 of the License, or | ||
// (at your option) any later version. | ||
// | ||
// This program is distributed in the hope that it will be useful, | ||
// but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
// GNU General Public License for more details. | ||
// | ||
// You should have received a copy of the GNU General Public License | ||
// along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
|
||
package burp; | ||
|
||
import java.io.IOException; | ||
import java.io.Serializable; | ||
import java.util.regex.Matcher; | ||
import java.util.regex.Pattern; | ||
|
||
public class RegexToken extends Token implements Serializable | ||
{ | ||
private Pattern pattern; | ||
private transient Matcher matcher; // Matcher cannot be serialized. | ||
|
||
public RegexToken(String value, boolean caseSensitive) | ||
{ | ||
super(value, caseSensitive); | ||
|
||
if (caseSensitive) | ||
{ | ||
pattern = Pattern.compile(value); | ||
} | ||
else | ||
{ | ||
pattern = Pattern.compile(value, Pattern.CASE_INSENSITIVE); | ||
} | ||
|
||
matcher = pattern.matcher(""); | ||
} | ||
|
||
private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException | ||
{ | ||
in.defaultReadObject(); | ||
this.matcher = this.pattern.matcher(""); // Create new instance of matcher when object is deserialized. | ||
} | ||
|
||
@Override public int getMatchType() | ||
{ | ||
return 1; | ||
} | ||
|
||
public Matcher getMatcher() | ||
{ | ||
return this.matcher; | ||
} | ||
|
||
@Override public boolean matches(String s) | ||
{ | ||
matcher.reset(s); | ||
|
||
return matcher.matches(); | ||
} | ||
} |
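Review bot: `matches` reuses the single `matcher` field (`matcher.reset(s)` followed by `matcher.matches()`), and java.util.regex.Matcher is not thread-safe, so if Burp invokes this check from more than one scanner thread at once two calls can interleave and one of them reports the result for the other's input. A fresh matcher per call is cheap and removes the shared state: `return pattern.matcher(s).matches();`, after which the transient field, `readObject` and `getMatcher` are no longer needed (keep `getMatcher` only if a caller outside this commit relies on it). `Pattern.compile(value)` in the constructor also throws PatternSyntaxException for an invalid user-entered expression; the caller is not visible here, so confirm it is caught where tokens are added from the settings UI, and document it on the constructor with `@throws PatternSyntaxException if value is not a valid regular expression`.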
@@ -0,0 +1,58 @@ | ||
// CSRF Scanner Extension for Burp Suite | ||
// Copyright (C) 2017 Adrian Hayter | ||
// | ||
// This program is free software: you can redistribute it and/or modify | ||
// it under the terms of the GNU General Public License as published by | ||
// the Free Software Foundation, either version 3 of the License, or | ||
// (at your option) any later version. | ||
// | ||
// This program is distributed in the hope that it will be useful, | ||
// but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
// GNU General Public License for more details. | ||
// | ||
// You should have received a copy of the GNU General Public License | ||
// along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
|
||
package burp; | ||
|
||
import java.io.Serializable; | ||
import java.util.regex.Matcher; | ||
import java.util.regex.Pattern; | ||
|
||
public class Token implements Serializable | ||
{ | ||
private String value; | ||
private boolean caseSensitive = false; | ||
|
||
public Token(String value, boolean caseSensitive) | ||
{ | ||
this.value = value; | ||
this.caseSensitive = caseSensitive; | ||
} | ||
|
||
public String getValue() | ||
{ | ||
return this.value; | ||
} | ||
|
||
public int getMatchType() | ||
{ | ||
return 0; | ||
} | ||
|
||
public boolean getCaseSensitive() | ||
{ | ||
return this.caseSensitive; | ||
} | ||
|
||
public boolean matches(String s) | ||
{ | ||
if (this.caseSensitive) | ||
{ | ||
return this.value.equals(s); | ||
} | ||
|
||
return this.value.equalsIgnoreCase(s); | ||
} | ||
} |
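Review bot: `matches` dereferences `value` unconditionally (`return this.value.equals(s)`), so a Token constructed with a null value fails with NullPointerException on first use instead of at construction; validate in the constructor with `this.value = Objects.requireNonNull(value, "value");` (java.util.Objects). Both fields are assigned only in the constructor and can be `final`, which also drops the redundant `= false` initializer. The 0/1 returned by `getMatchType` is used as an index into TokenTableModel.matchTypes, so a short Javadoc on `getMatchType` stating `0 = literal, 1 = regex; indexes TokenTableModel.matchTypes` keeps the two in step until an enum replaces the int.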
@@ -0,0 +1,108 @@ | ||
// CSRF Scanner Extension for Burp Suite | ||
// Copyright (C) 2017 Adrian Hayter | ||
// | ||
// This program is free software: you can redistribute it and/or modify | ||
// it under the terms of the GNU General Public License as published by | ||
// the Free Software Foundation, either version 3 of the License, or | ||
// (at your option) any later version. | ||
// | ||
// This program is distributed in the hope that it will be useful, | ||
// but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
// GNU General Public License for more details. | ||
// | ||
// You should have received a copy of the GNU General Public License | ||
// along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
|
||
package burp; | ||
|
||
import java.util.ArrayList; | ||
import javax.swing.table.AbstractTableModel; | ||
|
||
public class TokenTableModel extends AbstractTableModel | ||
{ | ||
public final String[] matchTypes = {"Literal", "Regex"}; | ||
|
||
private final String[] columnNames = {"Token Match", "Match Type", "Case Sensitive"}; | ||
private ArrayList<Token> data = new ArrayList<Token>(); | ||
|
||
@Override | ||
public int getRowCount() | ||
{ | ||
return data.size(); | ||
} | ||
|
||
@Override | ||
public int getColumnCount() | ||
{ | ||
return columnNames.length; | ||
} | ||
|
||
@Override | ||
public String getColumnName(int col) | ||
{ | ||
return columnNames[col]; | ||
} | ||
|
||
@Override | ||
public Class getColumnClass(int col) | ||
{ | ||
switch (col) | ||
{ | ||
case 0: | ||
return String.class; | ||
case 1: | ||
return String.class; | ||
case 2: | ||
return Boolean.class; | ||
default: | ||
return String.class; | ||
} | ||
} | ||
|
||
@Override | ||
public Object getValueAt(int rowIndex, int columnIndex) | ||
{ | ||
switch (columnIndex) | ||
{ | ||
case 0: | ||
return data.get(rowIndex).getValue(); | ||
case 1: | ||
return matchTypes[data.get(rowIndex).getMatchType()]; | ||
case 2: | ||
return data.get(rowIndex).getCaseSensitive(); | ||
default: | ||
return ""; | ||
} | ||
} | ||
|
||
public ArrayList<Token> getArray() | ||
{ | ||
return data; | ||
} | ||
|
||
public void setArray(ArrayList<Token> data) | ||
{ | ||
this.data = data; | ||
} | ||
|
||
public Token getToken(int index) | ||
{ | ||
return data.get(index); | ||
} | ||
|
||
public void add(Token token) | ||
{ | ||
data.add(token); | ||
} | ||
|
||
public void update(int index, Token token) | ||
{ | ||
data.set(index, token); | ||
} | ||
|
||
public void remove(int index) | ||
{ | ||
data.remove(index); | ||
} | ||
} |
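Review bot: `add`, `update` and `remove` mutate `data` without firing a table-model event, so a JTable bound to this model only refreshes if every caller remembers to call fireTableDataChanged() itself (the callers are outside this page). Firing from the model is the usual contract for an AbstractTableModel: `fireTableRowsInserted(data.size() - 1, data.size() - 1);` at the end of add, `fireTableRowsUpdated(index, index);` in update and `fireTableRowsDeleted(index, index);` in remove. `getColumnClass` returns the raw type `Class`; `Class<?>` matches the AbstractTableModel signature and avoids the raw-type warning. `getArray` and `setArray` hand out and take ownership of the live list rather than a copy, which is worth a comment if that aliasing is intended.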