Tags: java, security, web-applications, csrf, csrf-protection

CSRFTester not generating html file


I'm currently on my first co-op term and one of my tasks is to check part of our web application for CSRF vulnerabilities.

I've used CSRFTester recommended by OWASP and many other security sites. I've been able to capture the data and "Generate HTML" file with script for one of our web applications.

However, when performing the same tests on the other web application we have (where an anti-forgery token has been implemented), CSRFTester does not generate the HTML file.

The console output instead is what I've posted below.

My question is: am I unable to produce the HTML because the anti-forgery token is working, or is it due to something else that I'm missing?

Exception in thread "AWT-EventQueue-0" java.lang.ArrayIndexOutOfBoundsException: 1
        at org.owasp.csrftester.report.ReportAdapter.getParametersAsHtmlInput(ReportAdapter.java:74)
        at org.owasp.csrftester.report.ReportAdapter.getParametersAsHtmlInput(ReportAdapter.java:41)
        at org.owasp.csrftester.report.FormsReport.getFormHtml(FormsReport.java:55)
        at org.owasp.csrftester.report.FormsReport.generateHtml(FormsReport.java:31)
        at org.owasp.csrftester.CSRFTesterUI.testButtonActionPerformed(CSRFTesterUI.java:772)
        at org.owasp.csrftester.CSRFTesterUI.access$14(CSRFTesterUI.java:751)
        at org.owasp.csrftester.CSRFTesterUI$15.actionPerformed(CSRFTesterUI.java:319)
        at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
        at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
        at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
        at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
        at java.awt.Component.processMouseEvent(Unknown Source)
        at javax.swing.JComponent.processMouseEvent(Unknown Source)
        at java.awt.Component.processEvent(Unknown Source)
        at java.awt.Container.processEvent(Unknown Source)
        at java.awt.Component.dispatchEventImpl(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
        at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
        at java.awt.Container.dispatchEventImpl(Unknown Source)
        at java.awt.Window.dispatchEventImpl(Unknown Source)
        at java.awt.Component.dispatchEvent(Unknown Source)
        at java.awt.EventQueue.dispatchEventImpl(Unknown Source)
        at java.awt.EventQueue.access$500(Unknown Source)
        at java.awt.EventQueue$3.run(Unknown Source)

Solution

  • This looks to me like a bug in CSRFTester.

    I can't find the source .java files, but we can decompile the .class file (using JD for example) from the Google Code Archive of this project here.

    Unfortunately, the line numbers don't match up, but it's likely failing in one of the pair[0], parts[i].split("=")[1], or similar unchecked array index calls:

    protected String getParametersAsHtmlInput(CSRFTesterModel model, int row,
      boolean isString) {
      String s = model.getParameters(row);
      // Note: split() runs before the null check below, so a null s would throw NPE here
      String[] parts = s.split("&");
      StringBuffer sb = new StringBuffer();
      if ((s == null) || (s.length() == 0)) {
        if (isString) {
          sb.append("'<input type=\"hidden\" name=\"name\" value=\"value\"/>' \r\n");
        } else {
          sb.append("<input type=\"hidden\" name=\"name\" value=\"value\"/> \r\n");
        }
      }
      else if (parts.length == 1) {
        // Java's split() drops trailing empty strings, so "token=" (or "token")
        // yields a one-element array and pair[1] below is index 1, out of bounds
        String[] pair = parts[0].split("=");
        if (isString) {
          sb.append("'<input type=\"hidden\" name=\"" + pair[0] 
            + "\" value=\"" + pair[1] + "\"/>' \r\n");
        } else {
          sb.append("<input type=\"hidden\" name=\"" + pair[0] 
            + "\" value=\"" + pair[1] + "\"/> \r\n");
        }
      }
      else {
        for (int i = 0; i < parts.length; i++) {
          String name = parts[i].split("=")[0];
          String value = parts[i].split("=").length == 1 ? "" : parts[i].split("=")[1];
          if (isString) {
            sb.append("'<input type=\"hidden\" name=\"" + name 
              + "\" value=\"" + value + "\"/>'");
          } else {
            sb.append("<input type=\"hidden\" name=\"" + name 
              + "\" value=\"" + value + "\"/>");
          }
          if ((i + 1 < parts.length) && (isString)) {
            sb.append(" + \r\n");
          } else {
            sb.append("\r\n");
          }
        }
      }
      return sb.toString();
    }
    

    Honestly, this OWASP tool looks a little abandoned, considering that project page's wiki history shows the last update was in July 2014, and Google Code was on its way out in March 2015.

    I wish I could recommend a better CSRF tool, but I've never used CSRFTester or any other CSRF testing application.
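As an added illustration of the answer's diagnosis (this is example code written for this page, not CSRFTester's own source): in Java, `"token=".split("=")` drops the trailing empty string and returns a one-element array, so the `pair[1]` lookup in the single-parameter branch fails with index 1, which matches the `ArrayIndexOutOfBoundsException: 1` in the trace. The hypothetical `SafeParameterHtml` class below parses the same `name=value&name=value` format without ever indexing past an array, keeps `=` characters inside values (common in base64-padded tokens), URL-decodes each part, and escapes the result before placing it in an attribute. The sample bodies in `main` are constructed; the second one has the shape that trips the original code.

```java
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.List;

// Hypothetical, hardened replacement for the decompiled getParametersAsHtmlInput()
// discussed in the answer. Not part of CSRFTester.
public class SafeParameterHtml {

    /** One name/value pair from a query string or form body. */
    static final class Param {
        final String name;
        final String value;
        Param(String name, String value) { this.name = name; this.value = value; }
    }

    /** Split "a=1&b=&c" into pairs; never indexes past the split result. */
    static List<Param> parse(String body) {
        List<Param> out = new ArrayList<>();
        if (body == null || body.isEmpty()) {
            return out;                              // null check happens before any split()
        }
        for (String part : body.split("&")) {
            if (part.isEmpty()) continue;            // tolerate "a=1&&b=2"
            // limit=2: split on the first '=' only, so "tok=abc==" keeps its padding
            String[] kv = part.split("=", 2);
            String name = kv[0];
            String value = kv.length > 1 ? kv[1] : "";   // "tok=" and "tok" both yield ""
            out.add(new Param(decode(name), decode(value)));
        }
        return out;
    }

    /** URL-decode a component; fall back to the raw text on a malformed %-sequence. */
    private static String decode(String s) {
        try {
            return URLDecoder.decode(s, "UTF-8");
        } catch (java.io.UnsupportedEncodingException | IllegalArgumentException e) {
            return s;
        }
    }

    /** Escape the characters that could terminate an attribute or tag in the report. */
    static String escapeAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Render the pairs as hidden inputs, one per line, as the report does. */
    static String toHiddenInputs(String body) {
        StringBuilder sb = new StringBuilder();
        for (Param p : parse(body)) {
            sb.append("<input type=\"hidden\" name=\"").append(escapeAttr(p.name))
              .append("\" value=\"").append(escapeAttr(p.value)).append("\"/>\r\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample bodies. The second is a single parameter with an empty
        // value, the input shape on which the original pair[1] lookup throws.
        String[] samples = {
            "user=alice&__RequestVerificationToken=abc%2Bdef==",
            "__RequestVerificationToken=",
            "",
            "q=\"><b>x</b>"
        };
        for (String s : samples) {
            System.out.println("body: [" + s + "]");
            System.out.print(toHiddenInputs(s));
        }
    }
}
```

Two design notes. The values are URL-decoded before being written into the hidden inputs because a browser re-encodes form fields on submit; copying the still-encoded text, as the decompiled method does, would double-encode it. And because the exception is thrown inside report generation, before anything is sent to the server, it says nothing about whether the application's anti-forgery token is enforced; that question is only answered by observing how the application responds to a request that lacks a valid token.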