arachni 0.2.2.1

data/metamodules/autothrottle.rb

@@ -0,0 +1,74 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+module MetaModules
+
+#
+# Auto adjusts HTTP throughput for maximum network utilization.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class AutoThrottle < Base
+
+    HIGH_THRESHOLD    = 0.9
+    MIDDLE_THRESHOLD  = 0.34
+    LOW_THREASHOLD    = 0.05
+
+    # easy on the throttle
+    STEP_UP      = 1
+    # hard on the breaks
+    STEP_DOWN    = -3
+
+    MIN_CONCURRENCY = 2
+
+    def initialize( framework )
+        @framework = framework
+        @http      = framework.http
+    end
+
+    def prepare
+
+        # run for each response as it arrives
+        @http.on_complete {
+
+            # adjust only after finished bursts
+            next if @http.curr_res_cnt == 0 || @http.curr_res_cnt % @http.max_concurrency != 0
+
+            print_debug( "Max concurrency: " + @http.max_concurrency.to_s )
+            if( @http.max_concurrency > MIN_CONCURRENCY && @http.average_res_time > HIGH_THRESHOLD ) ||
+                @http.max_concurrency > @framework.opts.http_req_limit
+
+                # make sure that @http.max_concurrency >= MIN_CONCURRENCY
+                if @http.max_concurrency + STEP_DOWN < MIN_CONCURRENCY
+                    step = MIN_CONCURRENCY - @http.max_concurrency
+                else
+                    step = STEP_DOWN
+                end
+
+                print_debug( "Stepping down!: #{step}" )
+                @http.max_concurrency!( @http.max_concurrency + step )
+
+            elsif @http.average_res_time < HIGH_THRESHOLD && @http.average_res_time > LOW_THREASHOLD
+
+                print_debug( "Stepping up!: +#{STEP_UP}" )
+                @http.max_concurrency!( @http.max_concurrency + STEP_UP )
+            end
+        }
+
+    end
+
+end
+
+end
+end

data/metamodules/timeout_notice.rb

@@ -0,0 +1,118 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+module MetaModules
+
+#
+# Provides a notice for issues uncovered by timing attacks when the affected audited
+# pages returned unusually high response times to begin with.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class TimeoutNotice < Base
+
+    include Arachni::Module::Utilities
+
+    # look for issue by tag name
+    TAG            = 'timing'
+
+    # response times of a page must be greater or equal to this
+    # in order to be considered
+    TIME_THRESHOLD = 0.6
+
+    def initialize( framework )
+        @framework = framework
+        @http = framework.http
+
+        @times = {}
+        @counter = {}
+    end
+
+    def prepare
+        # run for each response as it arrives
+        @http.on_complete {
+            |res|
+
+            # we don't care about non OK responses
+            next if res.code != 200
+
+            path = URI( normalize_url( res.effective_url ) ).path
+            path = '/' if path.empty?
+            @counter[path] ||= @times[path] ||= 0
+
+            # add up all request times for a specific path
+            @times[path] += res.start_transfer_time
+
+            # add up all requests for each path
+            @counter[path] += 1
+        }
+    end
+
+    def run
+
+        avg = get_avg
+
+        # will hold the hash IDs of inconclusive issues
+        inconclusive = []
+        @framework.audit_store.issues.each_with_index {
+            |issue, idx|
+            if issue.tags && issue.tags.include?( TAG ) &&
+                avg[ URI( normalize_url( issue.url ) ).path ] >= TIME_THRESHOLD
+
+                inconclusive << {
+                    'hash'   => issue._hash,
+                    'index'  => idx + 1,
+                    'url'    => issue.url,
+                    'name'   => issue.name,
+                    'var'    => issue.var,
+                    'elem'   => issue.elem,
+                    'method' => issue.method
+                }
+            end
+        }
+
+        return inconclusive
+    end
+
+    def get_avg
+        avg ={}
+
+        # calculate average request time for each path
+        @times.each_pair {
+            |path, time|
+            avg[path] = time / @counter[path]
+        }
+
+        return avg
+    end
+
+    def self.info
+        super.merge( {
+            :description    => %q{These logged issues used timing attacks.
+                However, the affected web pages demonstrated an unusually high response time rendering
+                these results inconclusive or (possibly) false positives.
+
+                Pages with high response times usually include heavy-duty processing
+                which makes them prime targets for Denial-of-Service attacks.
+
+                Nomatter the case, please do look into the situation further.},
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+        } )
+    end
+
+end
+
+end
+end

data/metamodules/uniformity.rb

@@ -0,0 +1,98 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+module MetaModules
+
+#
+# Goes through all the issues and checks for signs of uniformity using
+# the following criteria:
+#   * Element type (link, form, cookie, header)
+#   * Variable/input name
+#   * The module that logged/discovered the issue -- issue type
+#
+# If the above are all the same for more than 1 page we have a hit.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class Uniformity < Base
+
+    include Arachni::Module::Utilities
+
+    SEVERITY = Issue::Severity::HIGH
+
+    ELEMENTS = [
+        Issue::Element::LINK,
+        Issue::Element::FORM,
+        Issue::Element::COOKIE,
+        Issue::Element::HEADER
+    ]
+
+    def initialize( framework )
+        @framework = framework
+    end
+
+    def run
+
+        # will hold the hash IDs of inconclusive issues
+        uniformals = {}
+        pages      = {}
+
+        @framework.audit_store.deep_clone.issues.each_with_index {
+            |issue, idx|
+
+            if issue.severity == SEVERITY && ELEMENTS.include?( issue.elem ) && issue.var
+
+                id = issue.elem + ':' + issue.var + ':' + issue.internal_modname
+
+                uniformals[id] ||= {
+                    'issue'  => {
+                        'name'   => issue.name,
+                        'var'    => issue.var,
+                        'elem'   => issue.elem,
+                        'method' => issue.method
+                    },
+                    'indices' => [],
+                    'hashes'  => []
+                }
+
+                pages[id]      ||= []
+
+                pages[id]      << issue.url
+                uniformals[id]['indices'] << idx + 1
+                uniformals[id]['hashes']  << issue._hash
+
+            end
+        }
+
+        uniformals.reject!{ |k, v| v['hashes'].empty? || v['hashes'].size == 1 }
+        pages.reject!{ |k, v| v.size == 1 }
+
+        return if pages.empty?
+        return { 'uniformals' => uniformals, 'pages' => pages }
+    end
+
+    def self.info
+        super.merge( {
+            :description    => %q{The same issue(s) persist(s) across different pages.
+                This is usually a sign for a lack of a central/single point of input
+                sanitization, a bad coding practise.},
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+        } )
+    end
+
+end
+
+end
+end

data/modules/audit/code_injection.rb

@@ -0,0 +1,136 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# It's designed to work with PHP, Perl, Python, Java, ASP and Ruby
+# but still needs some more testing.
+#
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1.4
+#
+# @see http://cwe.mitre.org/data/definitions/94.html
+# @see http://php.net/manual/en/function.eval.php
+# @see http://perldoc.perl.org/functions/eval.html
+# @see http://docs.python.org/py3k/library/functions.html#eval
+# @see http://www.aspdev.org/asp/asp-eval-execute/
+# @see http://en.wikipedia.org/wiki/Eval#Ruby
+#
+class CodeInjection < Arachni::Module::Base
+
+    def initialize( page )
+        super( page )
+
+        # code to inject
+        @__injection_strs = []
+
+        # digits from a sha1 hash
+        # the codes in @__injection_strs will tell the web app
+        # to sum them and echo the result
+        @__rand1 = '287630581954'
+        @__rand2 = '4196403186331128'
+
+        # our results array
+        @results = []
+    end
+
+    def prepare( )
+
+        @__opts = {}
+
+        # the sum of the 2 numbers as a string
+        @__opts[:substring] = ( @__rand1.to_i + @__rand2.to_i ).to_s
+        @__opts[:format]    = [ Format::APPEND ]
+
+        # code to be injected to the webapp
+        @__injection_strs = [
+            "echo " + @__rand1 + "+" + @__rand2 + ";", # PHP
+            "print " + @__rand1 + "+" + @__rand2 + ";", # Perl
+            "print " + @__rand1 + " + " + @__rand2, # Python
+            "Response.Write\x28" +  @__rand1  + '+' + @__rand2 + "\x29", # ASP
+            "puts " + @__rand1 + " + " + @__rand2 # Ruby
+        ]
+
+        @__variations = [
+            ';%s',
+            "\";%s#",
+            "';%s#"
+        ]
+    end
+
+    def run( )
+
+        # iterate through the injection codes
+        @__injection_strs.each {
+            |str|
+            __variations( str ).each {
+                |var|
+                audit( var, @__opts )
+            }
+        }
+
+    end
+
+    def __variations( str )
+        @__variations.map{ |var| var % str } | [str]
+    end
+
+
+    def self.info
+        {
+            :name           => 'Code injection',
+            :description    => %q{It tries to inject code snippets into the
+                web application and assess whether or not the injection
+                was successful.},
+            :elements       => [
+                Issue::Element::FORM,
+                Issue::Element::LINK,
+                Issue::Element::COOKIE,
+                Issue::Element::HEADER
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1.4',
+            :references     => {
+                'PHP'    => 'http://php.net/manual/en/function.eval.php',
+                'Perl'   => 'http://perldoc.perl.org/functions/eval.html',
+                'Python' => 'http://docs.python.org/py3k/library/functions.html#eval',
+                'ASP'    => 'http://www.aspdev.org/asp/asp-eval-execute/',
+                'Ruby'   => 'http://en.wikipedia.org/wiki/Eval#Ruby'
+             },
+            :targets        => { 'Generic' => 'all' },
+
+            :issue   => {
+                :name        => %q{Code injection},
+                :description => %q{Arbitrary code can be injected into the web application
+                    which is then executed as part of the system.},
+                :tags        => [ 'code', 'injection', 'regexp' ],
+                :cwe         => '94',
+                :severity    => Issue::Severity::HIGH,
+                :cvssv2       => '7.5',
+                :remedy_guidance    => %q{User inputs must be validated and filtered
+                    before being evaluated as executable code.
+                    Better yet, the web application should stop evaluating user
+                    inputs as any part of dynamic code altogether.},
+                :remedy_code => '',
+                :metasploitable => 'unix/webapp/arachni_php_eval'
+            }
+
+        }
+    end
+
+end
+end
+end

data/modules/audit/code_injection_timing.rb

@@ -0,0 +1,115 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# It's designed to work with PHP, Perl, Python, Java, ASP and Ruby
+# but still needs some more testing.
+#
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.2
+#
+# @see http://cwe.mitre.org/data/definitions/94.html
+# @see http://php.net/manual/en/function.eval.php
+# @see http://perldoc.perl.org/functions/eval.html
+# @see http://docs.python.org/py3k/library/functions.html#eval
+# @see http://www.aspdev.org/asp/asp-eval-execute/
+# @see http://en.wikipedia.org/wiki/Eval#Ruby
+#
+class CodeInjectionTiming < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    def initialize( page )
+        super( page )
+    end
+
+    def prepare( )
+
+        @@__injection_str ||= []
+
+        if @@__injection_str.empty?
+            read_file( 'payloads.txt' ) {
+                |str|
+
+                [ ' ', ' && ', ';' ].each {
+                    |sep|
+                    @@__injection_str << sep + " " + str
+                }
+
+            }
+        end
+
+        @__opts = {
+            :format  => [ Format::STRAIGHT ],
+            :timeout => 4000
+        }
+    end
+
+    def run
+        audit_timeout( @@__injection_str, @__opts )
+    end
+
+    def self.info
+        {
+            :name           => 'Code injection (timing)',
+            :description    => %q{It tries to inject code snippets into the
+                web application and assess whether or not the injection
+                was successful using timing attacks.},
+            :elements       => [
+                Issue::Element::FORM,
+                Issue::Element::LINK,
+                Issue::Element::COOKIE,
+                Issue::Element::HEADER
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1',
+            :references     => {
+                'PHP'    => 'http://php.net/manual/en/function.eval.php',
+                'Perl'   => 'http://perldoc.perl.org/functions/eval.html',
+                'Python' => 'http://docs.python.org/py3k/library/functions.html#eval',
+                'ASP'    => 'http://www.aspdev.org/asp/asp-eval-execute/',
+                'Ruby'   => 'http://en.wikipedia.org/wiki/Eval#Ruby'
+             },
+            :targets        => { 'Generic' => 'all' },
+
+            :issue   => {
+                :name        => %q{Code injection (timing attack)},
+                :description => %q{Arbitrary code can be injected into the web application
+                    which is then executed as part of the system.
+                    (This issue was discovered using a timing attack; timing attacks
+                    can result in false positives in cases where the server takes
+                    an abnormally long time to respond.
+                    Either case, these issues will require further investigation
+                    even if they are false positives.)},
+                :tags        => [ 'code', 'injection', 'timing', 'blind' ],
+                :cwe         => '94',
+                :severity    => Issue::Severity::HIGH,
+                :cvssv2       => '7.5',
+                :remedy_guidance    => %q{User inputs must be validated and filtered
+                    before being evaluated as executable code.
+                    Better yet, the web application should stop evaluating user
+                    inputs as any part of dynamic code altogether.},
+                :remedy_code => '',
+                :metasploitable => 'unix/webapp/arachni_php_eval'
+            }
+
+        }
+    end
+
+end
+end
+end