arachni 0.2.2.1

data/modules/audit/code_injection_timing/payloads.txt

@@ -0,0 +1,4 @@
+sleep(__TIME__);
+import time;time.sleep(__TIME__);
+Thread.sleep(__TIME__);
+Thread.Sleep(__TIME__);

data/modules/audit/csrf.rb

@@ -0,0 +1,301 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# Cross-Site Request Forgery audit module.
+#
+# It uses 4-pass reverse-diff analysis to determine which forms affect business logic
+# and audits them for CSRF.
+#
+# Using this technique noise/false-positives should be kept to a minimum,
+# however we do need to jump through some hoops.
+#
+# The technique used to identify which forms are CSRF worthy is described bellow.
+#
+# === 4-pass rDiff CSRF detection:
+#
+# * Request each page *without* cookies
+#   * Extract forms.
+# * Request each page *with* cookies
+#   * Extract forms.
+# * Check forms that appear *only* when logged-in for CSRF.
+#
+# In order for the module to give meaningful results a valid cookie-jar of a logged-in
+# user must be supplied to the framework.
+#
+# However, as Arachni goes through the system it will gather
+# cookies just like a user would, so if there are forms that only appear
+# after a guest has performed a previous event it will check these too.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.2
+#
+# @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
+# @see http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
+# @see http://www.cgisecurity.com/csrf-faq.html
+# @see http://cwe.mitre.org/data/definitions/352.html
+#
+class CSRF < Arachni::Module::Base
+
+    def initialize( page )
+        super( page )
+    end
+
+    def prepare( )
+
+        # the Trainer can provide modules access to the HTML parser
+        # and other cool stuff for element comparison
+        @__trainer = @http.trainer
+
+        # since we bypass the Auditor we must also do our own audit tracking
+        @@__audited ||= Set.new
+    end
+
+    def run( )
+
+        print_status( 'Looking for CSRF candidates...' )
+
+        print_status( 'Simulating logged-out user.' )
+
+        # setup opts with empty cookies
+        opts = {
+            :headers => {
+                'cookie'  => ''
+            },
+            :remove_id => true
+        }
+
+        # request page without cookies, simulating a logged-out user
+        @http.get( @page.url, opts ).on_complete {
+            |res|
+
+            # set-up the parser with the proper url so that it
+            # can fix broken 'action' attrs and the like
+            @parser = Arachni::Parser.new( Arachni::Options.instance, res )
+
+            # extract forms from the body of the response
+            forms_logged_out = @parser.forms( res.body ).reject {
+                |form|
+                form.auditable.empty?
+            }
+
+            print_status( "Found #{forms_logged_out.size.to_s} context irrelevant forms." )
+
+            # get forms that are worthy of testing for CSRF
+            # i.e. apper only when the user is logged-in
+            csrf_forms = logged_in_only( forms_logged_out )
+
+            print_status( "Found #{csrf_forms.size.to_s} CSRF candidates." )
+
+            csrf_forms.each {
+                |form|
+                __log( form ) if unsafe?( form )
+            }
+
+        }
+
+    end
+
+    #
+    # Tries to detect if a form is protected using an anti-CSRF token.
+    #
+    # @param  [Hash]  form
+    #
+    # @return   [Bool]  true if the form if vulnerable, false otherwise
+    #
+    def unsafe?( form )
+
+        found_token = false
+
+        # nobody says that tokens must be in a 'value' attribute,
+        # they can just as well be in 'name'.
+        # so we check them both...
+        form.simple['auditable'].to_a.flatten.each_with_index {
+            |str, i|
+            next if !str
+            next if !form.raw['auditable'][i]
+            next if !form.raw['auditable'][i]['type']
+            next if form.raw['auditable'][i]['type'].downcase != 'hidden'
+
+            found_token = true if( csrf_token?( str ) )
+        }
+
+        link_vars = @parser.link_vars( form.action )
+        if( !link_vars.empty? )
+            # and we also need to check for a token in the form action
+            link_vars.values.each {
+                |val|
+                next if !val
+                found_token = true  if( csrf_token?( val ) )
+            }
+        end
+
+        return !found_token
+    end
+
+    #
+    # Returns forms that only appear when the user is logged-in.
+    #
+    # These are the forms that will most likely affect business logic.
+    #
+    # @param  [Array]  forms_logged_out  forms that appear while logged-out
+    #                                      in order to eliminate them.
+    #
+    # @return  [Array]  forms to be checked for CSRF
+    #
+    def logged_in_only( logged_out )
+        csrf_forms = []
+
+        @page.forms.each {
+            |form|
+
+            next if form.auditable.size == 0
+
+            if !( forms_include?( logged_out, form ) )
+                csrf_forms << form
+            end
+
+        }
+
+        return csrf_forms
+    end
+
+    def forms_include?( forms, form )
+
+        forms.each {
+            |i_form|
+
+            if( form.id == i_form.id )
+                return true
+            end
+
+        }
+
+        return false
+    end
+
+    #
+    # Checks if the str is an anti-CSRF token of base10/16/32/64.
+    #
+    # @param  [String]  str
+    #
+    def csrf_token?( str )
+
+        # we could use regexps but i kinda like lcamtuf's (Michal's) way
+        base16_len_min    = 8
+        base16_len_max    = 45
+        base16_digit_num  = 2
+
+        base64_len_min    = 6
+        base64_len_max    = 32
+        base64_digit_num  = 1
+        base64_case       = 2
+        base64_digit_num2 = 3
+        base64_slash_cnt  = 2
+
+        len = str.size
+        digit_cnt = str.scan(/[0-9]+/).join( '' ).size
+
+        if( len >= base16_len_min &&
+            len <= base16_len_max &&
+            digit_cnt >= base16_digit_num
+          )
+            return true
+        end
+
+        upper_cnt = str.scan(/[A-Z]+/).join( '' ).size
+        slash_cnt = str.scan(/\/+/).join( '' ).size
+
+        if( len >= base64_len_min && len <= base64_len_max &&
+            ( ( digit_cnt >= base64_digit_num && upper_cnt >= base64_case ) ||
+              digit_cnt >= base64_digit_num2 ) &&
+            slash_cnt <= base64_slash_cnt
+          )
+
+            return true
+        end
+
+        return false
+
+    end
+
+
+    def __log( form )
+
+        url  = form.action
+        name = form.raw['attrs']['name'] || form.raw['attrs']['id']
+
+        if @@__audited.include?( "#{url}::#{name.to_s}" )
+            print_info( 'Skipping already audited form with name \'' +
+                name.to_s + '\' of url: ' + url )
+            return
+        end
+
+        @@__audited << "#{url}::#{name}"
+
+        # append the result to the results array
+        issue = Issue.new( {
+            :var          => name,
+            :url          => url,
+            :elem         => Issue::Element::FORM,
+            :response     => @page.html,
+        }.merge( self.class.info ) )
+
+        print_ok( "Found unprotected form with name '#{name}' at '#{url}'" )
+        register_results( [ issue ] )
+    end
+
+    def self.info
+        {
+            :name           => 'CSRF',
+            :description    => %q{It uses 2-pass rDiff analysis to determine
+                which forms affect business logic and audits them for CSRF.
+                It requires a logged-in user's cookie-jar.},
+            :elements       => [
+                Issue::Element::FORM
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.2',
+            :references     => {
+                'Wikipedia' => 'http://en.wikipedia.org/wiki/Cross-site_request_forgery',
+                'OWASP'     => 'http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)',
+                'CGI Security' => 'http://www.cgisecurity.com/csrf-faq.html'
+             },
+            :targets        => { 'Generic' => 'all' },
+
+            :issue   => {
+                :name        => %q{Cross-Site Request Forgery},
+                :description => %q{The web application does not, or can not,
+                     sufficiently verify whether a well-formed, valid, consistent
+                     request was intentionally provided by the user who submitted the request.
+                     This is due to a lack of secure anti-CSRF tokens to verify
+                     the freshness of the submitted data.},
+                :tags        => [ 'csrf', 'rdiff', 'form', 'token' ],
+                :cwe         => '352',
+                :severity    => Issue::Severity::HIGH,
+                :cvssv2       => '',
+                :remedy_guidance    => %q{A unique token that guaranties freshness of submitted
+                    data must be added to all web application elements that can affect
+                    business logic.},
+                :remedy_code => '',
+            }
+
+        }
+    end
+
+end
+end
+end

data/modules/audit/ldapi.rb

@@ -0,0 +1,103 @@
+=begin
+  $Id$
+
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# LDAP injection audit module.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+# @see http://cwe.mitre.org/data/definitions/90.html
+# @see http://projects.webappsec.org/w/page/13246947/LDAP-Injection
+# @see http://www.owasp.org/index.php/LDAP_injection
+#
+class LDAPInjection < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    def initialize( page )
+        super( page )
+    end
+
+    def prepare( )
+
+        #
+        # we make this a class variable and populate it only once
+        # to reduce file IO
+        #
+        @@__errors ||= []
+
+        if @@__errors.empty?
+            read_file( 'errors.txt' ) { |error| @@__errors << error }
+        end
+
+
+        # prepare the strings that will hopefully cause the webapp
+        # to output LDAP error messages
+        @__injection_str = "#^($!@$)(()))******"
+
+        @__opts = {
+            :format    => [ Format::APPEND ],
+            :substring => @@__errors
+        }
+
+    end
+
+    def run( )
+        audit( @__injection_str, @__opts )
+    end
+
+
+    def self.info
+        {
+            :name           => 'LDAPInjection',
+            :description    => %q{It tries to force the web application to
+                return LDAP error messages in order to discover failures
+                in user input validation.},
+            :elements       => [
+                Issue::Element::FORM,
+                Issue::Element::LINK,
+                Issue::Element::COOKIE,
+                Issue::Element::HEADER
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+            :references     => {
+                'WASC'      => 'http://projects.webappsec.org/w/page/13246947/LDAP-Injection',
+                'OWASP'     => 'http://www.owasp.org/index.php/LDAP_injection'
+            },
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{LDAP Injection},
+                :description => %q{LDAP queries can be injected into the web application
+                    which can be used to disclose sensitive data of affect the execution flow.},
+                :tags        => [ 'ldap', 'injection', 'regexp' ],
+                :cwe         => '90',
+                :severity    => Issue::Severity::HIGH,
+                :cvssv2       => '',
+                :remedy_guidance    => %q{User inputs must be validated and filtered
+                    before being used in an LDAP query.},
+                :remedy_code => ''
+            }
+
+        }
+    end
+
+end
+end
+end

data/modules/audit/ldapi/errors.txt

@@ -0,0 +1,26 @@
+supplied argument is not a valid ldap
+javax.naming.NameNotFoundException
+LDAPException
+com.sun.jndi.ldap
+Search: Bad search filter
+Protocol error occurred
+Size limit has exceeded
+An inappropriate matching occurred
+A constraint violation occurred
+The syntax is invalid
+Object does not exist
+The alias is invalid
+The distinguished name has an invalid syntax
+The server does not handle directory requests
+There was a naming violation
+There was an object class violation
+Results returned are too large
+Unknown error occurred
+Local error occurred
+The search filter is incorrect
+The search filter is invalid
+The search filter cannot be recognized
+Invalid DN syntax
+No Such Object
+IPWorksASP.LDAP
+Module Products.LDAPMultiPlugins

data/modules/audit/os_cmd_injection.rb

@@ -0,0 +1,103 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# Simple OS command injection module.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1.3
+#
+# @see http://cwe.mitre.org/data/definitions/78.html
+# @see http://www.owasp.org/index.php/OS_Command_Injection
+#
+class OSCmdInjection < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    def initialize( page )
+        super( page )
+    end
+
+    def prepare
+
+        @__opts = {}
+        @__opts[:regexp]   = [
+            /\w+:.+:[0-9]+:[0-9]+:.+:[0-9a-zA-Z\/]+/i,
+            /\[boot loader\](.*)\[operating systems\]/i
+        ]
+        @__opts[:format]   = [ Format::STRAIGHT ]
+
+        @@__injection_str ||= []
+
+        if @@__injection_str.empty?
+            read_file( 'payloads.txt' ) {
+                |str|
+
+                [ '', '&&', '|', ';' ].each {
+                    |sep|
+                    @@__injection_str << sep + " " + str
+                }
+
+                @@__injection_str << "`" + " " + str + "`"
+            }
+        end
+
+    end
+
+    def run( )
+        @@__injection_str.each {
+            |str|
+            audit( str, @__opts )
+        }
+    end
+
+
+    def self.info
+        {
+            :name           => 'OS command injection',
+            :description    => %q{Tries to find operating system command injections.},
+            :elements       => [
+                Issue::Element::FORM,
+                Issue::Element::LINK,
+                Issue::Element::COOKIE,
+                Issue::Element::HEADER
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1.3',
+            :references     => {
+                 'OWASP'         => 'http://www.owasp.org/index.php/OS_Command_Injection'
+            },
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{Operating system command injection},
+                :description => %q{The web application allows an attacker to
+                    execute arbitrary OS commands.},
+                :tags        => [ 'os', 'command', 'code', 'injection', 'regexp' ],
+                :cwe         => '78',
+                :severity    => Issue::Severity::HIGH,
+                :cvssv2       => '9.0',
+                :remedy_guidance    => %q{User inputs must be validated and filtered
+                    before being evaluated as OS level commands.},
+                :remedy_code => '',
+                :metasploitable => 'unix/webapp/arachni_exec'
+            }
+
+        }
+    end
+
+end
+end
+end