I have been working for a while on this extension and I implemented the following features:
On the other hand, I performed a set of tests in both demo apps and real-world apps; these are the results:
Facebook:
163155 [Thread-178] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - The page has parameters marked temporary vulnerable
163156 [Thread-178] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: lsd, AVpYQ7RX
163156 [Thread-178] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: default_persistent, 0
163156 [Thread-178] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: charset_test, €,´,€,´,水,Д,Є
163156 [Thread-178] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: timezone,
163156 [Thread-178] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: lgnrnd, 020036_NZ89
163156 [Thread-178] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: lgnjs, n
163156 [Thread-178] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: locale, es_ES
163156 [Thread-178] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: o, 2048
163156 [Thread-178] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: init, dir
200
163348 [Thread-177] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - the distance between "AVogYVkR" and "AVqTjOmD" is 6 and their ratio is: 0.75
163348 [Thread-177] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - The distance between "AVogYVkR" and "AVqTjOmD" is 6 and their ratio is: 0.75, random enough
163348 [Thread-177] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Found Anti-CSRF token: lsd, AVqTjOmD
163348 [Thread-177] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - the distance between "020038_ST8S" and "020208_v1NR" is 6 and their ratio is: 0.5454545454545454
163348 [Thread-177] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - The distance between "020038_ST8S" and "020208_v1NR" is 6 and their ratio is: 0.5454545454545454, random enough
163348 [Thread-177] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Found Anti-CSRF token: lgnrnd, 020208_v1NR
I could not find information on Google about the "lgnrnd" parameter, but it also looks like a random anti-CSRF token.
Gmail:
1640998 [Thread-437] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - The page has parameters marked temporary vulnerable
1640998 [Thread-437] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: service, mail
1640998 [Thread-437] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: dsh, 7965555468608615868
1640998 [Thread-437] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: ltmpl, default
1640998 [Thread-437] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: GALX, Ldh-U9oUXrc
1640998 [Thread-437] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: timeStmp,
1640998 [Thread-437] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: secTok,
1640998 [Thread-437] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: rmShown, 1
200
1641103 [Thread-437] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - the distance between "7965555468608615868" and "2970808815108171516" is 14 and their ratio is: 0.7368421052631579
1641103 [Thread-437] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - The distance between "7965555468608615868" and "2970808815108171516" is 14 and their ratio is: 0.7368421052631579, random enough
1641103 [Thread-437] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Found Anti-CSRF token: dsh, 2970808815108171516
1641103 [Thread-437] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - the distance between "Ldh-U9oUXrc" and "NywfjREgMcg" is 11 and their ratio is: 1.0
1641103 [Thread-437] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - The distance between "Ldh-U9oUXrc" and "NywfjREgMcg" is 11 and their ratio is: 1.0, random enough
1641103 [Thread-437] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Found Anti-CSRF token: GALX, NywfjREgMcg
0% of false positives (I cannot say anything about false negatives because I don't know about all their protections)
BodgeIt:
156931 [Thread-18] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://localhost:10001 | Csrftokenscan level HIGH
157018 [Thread-26] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - The page has parameters marked temporary vulnerable
157023 [Thread-26] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: null,
157023 [Thread-26] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: anticsrf, 0.02386741959595151
157160 [Thread-26] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - the distance between "0.02386741959595151" and "0.45802788970587016" is 14 and their ratio is: 0.7368421052631579
157160 [Thread-26] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - The distance between "0.02386741959595151" and "0.45802788970587016" is 14 and their ratio is: 0.7368421052631579, random enough
157160 [Thread-26] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Found Anti-CSRF token: anticsrf, 0.45802788970587016
"anticsrf" is a random anti-CSRF token
0% of false positives, 0% of false negatives
Another anti-csrf testing app I found:
18136 [Thread-19] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://aopcgr.uab.es:10001 | Csrftokenscan level HIGH
18171 [Thread-22] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - The page has parameters marked temporary vulnerable
18171 [Thread-22] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: a,
18171 [Thread-22] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: action,
18173 [Thread-24] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - The page has parameters marked temporary vulnerable
18175 [Thread-24] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: csrf_token, MTM0OTE5MTE3MEYyaXNMMjUxYmZYVDFUWW1NSjAxczVoVkY1cUMxemxO
18175 [Thread-24] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Input Tag: csrf_token, whateverkey
18179 [Thread-22] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - New alert pluginid=20012 None. Warning only. uri=http://aopcgr.uab.es:10001/hpp/
18180 [Thread-24] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - the distance between "whateverkey" and "MTM0OTE5MTE4MjFPQUJYNG9pWmxOTlB1N2d6R2J1YldGQlZNMTQ0Ukpu" is 55 and their ratio is: 0.9821428571428571
18180 [Thread-24] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - The distance between "whateverkey" and "MTM0OTE5MTE4MjFPQUJYNG9pWmxOTlB1N2d6R2J1YldGQlZNMTQ0Ukpu" is 55 and their ratio is: 0.9821428571428571, random enough
18181 [Thread-24] DEBUG org.zaproxy.zap.extension.csrftokenscan.Csrftokenscan - Found Anti-CSRF token: csrf_token, MTM0OTE5MTE4MjFPQUJYNG9pWmxOTlB1N2d6R2J1YldGQlZNMTQ0Ukpu
"csrf_token" is a random anti-CSRF token
0% of false positives, 0% of false negatives
I also carried out other tests with the same results. IMAHO, these initial results are quite promising; I will write more information about it ASAP. Should I make the jar file available on the downloads page?
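The log lines above show the heuristic at work: each form input is captured twice, the edit distance between the two values is divided by the longer value's length (6/8 = 0.75, 11/11 = 1.0, 55/56 = 0.982), and an input whose ratio is high enough is reported as an anti-CSRF token. The following is an added re-implementation of that comparison for readers, not the extension's own code; the threshold of 0.5 is an assumption (the logs only show that 0.545 still counted as "random enough"), and the two snapshots are constructed from values quoted in the log.

```python
# Added illustration of the comparison visible in the Csrftokenscan log lines.
# Not the extension's code: the 0.5 threshold is assumed, the snapshots are
# constructed from the Facebook values quoted in the post.

def levenshtein(a: str, b: str) -> int:
    """Edit distance where insert, delete and substitute each cost 1."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute or match
        prev = cur
    return prev[-1]


def change_ratio(old: str, new: str) -> float:
    """Distance normalised by the longer value; reproduces the logged ratios."""
    longest = max(len(old), len(new))
    if longest == 0:
        # Both values empty (timezone, secTok, timeStmp in the log): nothing to judge.
        return 0.0
    return levenshtein(old, new) / longest


RANDOM_RATIO = 0.5  # assumed cut-off for "random enough"; not stated in the post


def is_random_enough(old: str, new: str, threshold: float = RANDOM_RATIO) -> bool:
    return change_ratio(old, new) >= threshold


def find_token_candidates(first: dict, second: dict,
                          threshold: float = RANDOM_RATIO) -> list:
    """Names of inputs present in both fetches whose value changed enough."""
    return [name for name, old in first.items()
            if name in second and is_random_enough(old, second[name], threshold)]


# Constructed snapshots of the same form fetched twice, using logged values.
FIRST = {"lsd": "AVogYVkR", "lgnrnd": "020038_ST8S", "locale": "es_ES", "timezone": ""}
SECOND = {"lsd": "AVqTjOmD", "lgnrnd": "020208_v1NR", "locale": "es_ES", "timezone": ""}

if __name__ == "__main__":
    for name in find_token_candidates(FIRST, SECOND):
        print(f"Found Anti-CSRF token: {name}, {SECOND[name]}")
```

Static inputs such as locale give a ratio of 0.0 and are skipped, which is why they never appear as "Found Anti-CSRF token" lines in the log.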