ah8r / csrf

CSRF Scanner Extension for Burp Suite Pro
GNU General Public License v3.0

Active scanning part #8

Open Hipapheralkus opened 7 years ago

Hipapheralkus commented 7 years ago

Hi,

First of all, this extender is amazing for passive scanning for the presence of CSRF tokens.

Would it be possible to include an active scanning component as well? Based on the Scanner Settings, it could try to find all the satisfying requests in the Burp History, and then try to re-issue them in 3 separate tests:

  1. with removal of the token(s)
  2. with an altered value of the token(s) (1 character should be sufficient to check if the token is being validated)
  3. transforming the request to GET without token(s)

Although the number of requests would be big, it would be a very complete scan of CSRF issues in my opinion.

ah8r commented 7 years ago

This is an interesting suggestion but I think it will be low on my list of priorities since I believe implementation would be difficult, especially with regards to verification of issues. I guess a simple comparison between an initial request and then a modified request might suffice, but there are likely inconsistencies which need to be accounted for. For instance, if the response contains a timestamp, then both responses will differ even if the server doesn't actually process the token correctly.

Transforming the request to GET without a token isn't really an issue with CSRF but something separate, and comes with its own set of problems, especially with REST apps. For example, GET /model/1 is a valid CSRF-less request for viewing a model, but PUT /model/1 used for updating said model requires a CSRF token.
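The following is an added example, not code from the ah8r/csrf extension or from either commenter. It sketches in plain Python what the three active tests proposed above would look like when applied to a captured request (token removed, token altered by one character, request rewritten as GET), plus the response-comparison step the reply flags as the hard part: a naive byte comparison fails when the server echoes a timestamp, so volatile fields are normalised before comparing. The sample request, sample responses and the list of token parameter names are constructed for the example; a real implementation would take the names from the Scanner Settings and issue the variants through Burp's own HTTP API. The GET variant is included because the issue proposes it; the reply's caveat that GET-without-token is a separate question (and breaks on REST routing) still stands.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Constructed sample request (not from the issue). A form POST carrying a CSRF token.
SAMPLE_REQUEST = (
    "POST /account/email HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 46\r\n"
    "\r\n"
    "csrf_token=9f8e7d6c5b4a&email=me%40example.com"
)

# Assumed token parameter names; the extension would take these from its settings.
TOKEN_NAMES = {"csrf_token", "csrf", "_csrf", "authenticity_token", "__RequestVerificationToken"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, path, version, headers, body


def build_request(method, path, version, headers, body):
    """Reassemble a request, recomputing Content-Length and dropping body headers when there is no body."""
    out = [(n, v) for n, v in headers if n.lower() != "content-length"]
    if body:
        out.append(("Content-Length", str(len(body.encode()))))
    else:
        out = [(n, v) for n, v in out if n.lower() != "content-type"]
    head = "\r\n".join([f"{method} {path} {version}"] + [f"{n}: {v}" for n, v in out])
    return head + "\r\n\r\n" + body


def alter_value(value):
    """Change exactly one character (the last) so a validated token no longer matches."""
    if not value:
        return "x"
    return value[:-1] + ("1" if value[-1] == "0" else "0")


def csrf_variants(raw, token_names=TOKEN_NAMES):
    """Produce the three mutated requests proposed in the issue. Empty dict if no token is present."""
    method, path, version, headers, body = parse_request(raw)
    params = parse_qsl(body, keep_blank_values=True)
    others = [(n, v) for n, v in params if n not in token_names]
    if len(others) == len(params):
        return {}  # no token to test; the passive check already reports its absence
    removed = build_request(method, path, version, headers, urlencode(others))
    altered = build_request(method, path, version, headers,
                            urlencode([(n, alter_value(v) if n in token_names else v) for n, v in params]))
    base, _, query = path.partition("?")
    merged = parse_qsl(query, keep_blank_values=True) + others
    get_path = base + "?" + urlencode(merged) if merged else base
    as_get = build_request("GET", get_path, version, headers, "")
    return {"removed": removed, "altered": altered, "as_get": as_get}


# Fields that legitimately differ between two otherwise identical responses.
VOLATILE = [
    (re.compile(r"^Date:[^\r\n]*", re.M), "Date: <VOLATILE>"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?\b"), "<TIMESTAMP>"),
    (re.compile(r"\b1\d{9}(?:\d{3})?\b"), "<EPOCH>"),  # 10- or 13-digit Unix time
]


def normalize_response(raw):
    for pattern, repl in VOLATILE:
        raw = pattern.sub(repl, raw)
    return raw


def judge(baseline, mutated):
    """'accepted' if the mutated request was handled like the baseline (token not enforced), else 'rejected'."""
    if baseline.split(" ", 2)[1] != mutated.split(" ", 2)[1]:
        return "rejected"
    return "accepted" if normalize_response(baseline) == normalize_response(mutated) else "rejected"


# Constructed sample responses: the same 200 with a later timestamp, and a 403 rejection.
BASELINE_RESPONSE = ("HTTP/1.1 200 OK\r\nDate: Tue, 03 Jan 2017 10:00:00 GMT\r\n"
                     "Content-Type: application/json\r\n\r\n"
                     '{"ok": true, "updated_at": "2017-01-03T10:00:00Z"}')
MUTATED_ACCEPTED = ("HTTP/1.1 200 OK\r\nDate: Tue, 03 Jan 2017 10:00:04 GMT\r\n"
                    "Content-Type: application/json\r\n\r\n"
                    '{"ok": true, "updated_at": "2017-01-03T10:00:04Z"}')
MUTATED_REJECTED = ("HTTP/1.1 403 Forbidden\r\nDate: Tue, 03 Jan 2017 10:00:05 GMT\r\n"
                    "Content-Type: application/json\r\n\r\n"
                    '{"error": "invalid csrf token"}')

if __name__ == "__main__":
    for name, req in csrf_variants(SAMPLE_REQUEST).items():
        print(f"--- {name} ---\n{req}\n")
    print("token-removed verdict:", judge(BASELINE_RESPONSE, MUTATED_ACCEPTED))
    print("token-altered verdict:", judge(BASELINE_RESPONSE, MUTATED_REJECTED))
```

Two verdicts of "accepted" (for the removed and altered variants) would be the signal that the token is not being validated; a single one is ambiguous, since a server that ignores a missing token but rejects a wrong one still has a finding. The normalisation list is deliberately short and would need extending per target (CSP nonces, request IDs, re-issued tokens in the body), which is exactly the inconsistency problem the reply describes.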