1 files changed, 187 insertions, 0 deletions
diff --git a/scripts/http-csrf.nse b/scripts/http-csrf.nse
new file mode 100644
index 0000000..9a8f879
--- /dev/null
+++ b/scripts/http-csrf.nse
@@ -0,0 +1,187 @@
+description = [[
+This script detects Cross Site Request Forgeries (CSRF) vulnerabilities.
+
+It will try to detect them by checking each form if it contains an unpredictable
+token for each user. Without one an attacker may forge malicious requests.
+
+To recognize a token in a form, the script will iterate through the form's
+attributes and will search for common patterns in their names. If that fails, it
+will also calculate the entropy of each attribute's value. A big entropy means a
+possible token.
+
+A common use case for this script comes along with a cookie that gives access
+in pages that require authentication, because that's where the privileged
+exist. See the http library's documentation to set your own cookie.
+]]
+
+---
+-- @usage nmap -p80 --script http-csrf.nse <target>
+--
+-- @args http-csrf.singlepages The pages that contain the forms to check.
+--       For example, {/upload.php,  /login.php}. Default: nil (crawler
+--       mode on)
+-- @args http-csrf.checkentropy If this is set the script will also calculate
+--       the entropy of the field's value to determine if it is a token,
+--       rather than just checking its name. Default: true
+--
+-- @output
+-- PORT   STATE SERVICE REASON
+-- 80/tcp open  http    syn-ack
+-- | http-csrf:
+-- | Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=some-very-random-page.com
+-- |   Found the following CSRF vulnerabilities:
+-- |
+-- |     Path: http://www.example.com/
+-- |     Form id: search_bar_input
+-- |     Form action: /search
+-- |
+-- |     Path: http://www.example.com/c/334/watches.html
+-- |     Form id: custom_price_filters
+-- |     Form action: /search
+-- |
+-- |     Path: http://www.example.com/c/334/watches.html
+-- |     Form id: custom_price_filters
+-- |_    Form action: /c/334/rologia-xeiros-watches.html
+--
+---
+
+categories = {"intrusive", "exploit", "vuln"}
+author = "George Chatzisofroniou"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+
+local http = require "http"
+local formulas = require "formulas"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local table = require "table"
+local string = require "string"
+local httpspider = require "httpspider"
+
+portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")
+
+-- Checks if this is really a token.
+isToken = function(value)
+
+  local minlength = 8
+  local minentropy = 72
+
+  -- If it has a reasonable length.
+  if #value > minlength then
+
+    local entropy = formulas.calcPwdEntropy(value)
+
+    -- Does it have a big entropy?
+    if entropy >= minentropy then
+      -- If it doesn't contain any spaces but contains at least one digit.
+      if not string.find(value, " ") and string.find(value, "%d") then
+        return 1
+      end
+    end
+  end
+
+  return 0
+
+end
+
+action = function(host, port)
+
+  local singlepages = stdnse.get_script_args("http-csrf.singlepages")
+  local checkentropy = stdnse.get_script_args("http-csrf.checkentropy") or false
+
+  local csrfvuln = {}
+  local crawler = httpspider.Crawler:new( host, port, '/', { scriptname = SCRIPT_NAME, withinhost = 1 } )
+
+  if (not(crawler)) then
+    return
+  end
+
+  crawler:set_timeout(10000)
+
+  local index, response, path
+  while (true) do
+
+    if singlepages then
+      local k, target,
+      k, target = next(singlepages, index)
+      if (k == nil) then
+        break
+      end
+      response = http.get(host, port, target)
+      path = target
+
+    else
+      local status, r = crawler:crawl()
+      -- if the crawler fails it can be due to a number of different reasons
+      -- most of them are "legitimate" and should not be reason to abort
+      if (not(status)) then
+        if (r.err) then
+          return stdnse.format_output(false, r.reason)
+        else
+          break
+        end
+      end
+
+      response = r.response
+      path = tostring(r.url)
+    end
+
+    if response.body then
+
+      local forms = http.grab_forms(response.body)
+
+      for i, form in ipairs(forms) do
+
+        form = http.parse_form(form)
+
+        local resistant = false
+        if form and form.action then
+          for _, field in ipairs(form['fields']) do
+
+            -- First we check the field's name.
+            if field['value'] then
+              resistant = string.find(field['name'], "[Tt][Oo][Kk][Ee][Nn]") or string.find(field['name'], "[cC][sS][Rr][Ff]")
+              -- Let's be sure, by calculating the entropy of the field's value.
+              if not resistant and checkentropy then
+                resistant = isToken(field['value'])
+              end
+
+              if resistant then
+                break
+              end
+            end
+
+          end
+
+          if not resistant then
+
+            -- Handle forms with no id or action attributes.
+            form['id'] = form['id'] or ""
+            form['action'] = form['action'] or "-"
+
+            local msg = "\nPath: " .. path .. "\nForm id: " .. form['id'] .. "\nForm action: " .. form['action']
+            table.insert(csrfvuln, { msg } )
+          end
+        end
+      end
+
+      if (index) then
+        index = index + 1
+      else
+        index = 1
+      end
+    end
+
+  end
+
+  -- If the table is empty.
+  if next(csrfvuln) == nil then
+    return "Couldn't find any CSRF vulnerabilities."
+  end
+
+  table.insert(csrfvuln, 1, "Found the following possible CSRF vulnerabilities: ")
+
+  csrfvuln.name = crawler:getLimitations()
+
+  return stdnse.format_output(true, csrfvuln)
+
+end