CSRFTokenScanIssue.java

package burp.zn.csrf;

import burp.*;
import org.apache.commons.lang3.StringEscapeUtils;

import java.net.URL;
import java.util.List;

public class CSRFTokenScanIssue implements IScanIssue {

    private final IExtensionHelpers helpers;
    private final IBurpExtenderCallbacks callbacks;
    private final IHttpRequestResponse requestResponse;

    public CSRFTokenScanIssue(IBurpExtenderCallbacks callbacks, IHttpRequestResponse requestResponse) {
        this.callbacks = callbacks;
        this.requestResponse = requestResponse;
        this.helpers = callbacks.getHelpers();
    }

    @Override
    public URL getUrl() {
        return helpers.analyzeRequest(requestResponse).getUrl();
    }

    @Override
    public String getIssueName() {
        return "CSRF token Not Found";
    }

    @Override
    public int getIssueType() {
        return 1337;
    }

    @Override
    public String getSeverity() {
        return "Medium";
    }

    @Override
    public String getConfidence() {
        return "Firm";
    }

    @Override
    public String getIssueBackground() {
        return "There is possible CSRF at current url";
    }

    @Override
    public String getRemediationBackground() {
        return "You should implement CSRF token for this form submission request";
    }

    @Override
    public String getIssueDetail() {
        StringBuilder details = new StringBuilder()
                .append("CSRF attack possible in this form. Please read more completely about this in OWASP TOP-10");

        String stringResponse = callbacks.getHelpers().bytesToString(requestResponse.getResponse());
        List<int[]> markers = ((IHttpRequestResponseWithMarkers) requestResponse).getResponseMarkers();
        markers.forEach(marker -> {
            details.append("<br/>");
            details.append(
                    StringEscapeUtils.escapeHtml4(stringResponse.substring(marker[0], marker[1]))
            );
        });
        details.append("<br/><img src=\"http://www.terrariaonline.com/attachments/small-trollface-jpg.9747/\">");

        return details.toString();
    }

    @Override
    public String getRemediationDetail() {
        return "Seriously, You should implement CSRF token for this form submission request!";
    }

    @Override
    public IHttpRequestResponse[] getHttpMessages() {
        return new IHttpRequestResponse[]{requestResponse};
    }

    @Override
    public IHttpService getHttpService() {
        return requestResponse.getHttpService();
    }
}