arachni 0.2.2.1

data/modules/audit/xss.rb

@@ -0,0 +1,99 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# XSS audit module.<br/>
+# It audits links, forms and cookies.
+#
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.2
+#
+# @see http://cwe.mitre.org/data/definitions/79.html
+# @see http://ha.ckers.org/xss.html
+# @see http://secunia.com/advisories/9716/
+#
+class XSS < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    def initialize( page )
+        super( page )
+
+        @results    = []
+    end
+
+    def prepare( )
+        @_injection_strs = [
+            '<arachni_xss_' + seed,
+            '<arachni_xss_\'";_' + seed,
+        ]
+        @_opts = {
+            :format => [ Format::APPEND | Format::NULL ],
+            :flip_param => true
+        }
+    end
+
+    def run( )
+        @_injection_strs.each {
+            |str|
+
+            opts = {
+                :match  => str,
+                :substring => str
+            }.merge( @_opts )
+
+            audit( str, opts )
+        }
+    end
+
+    def self.info
+        {
+            :name           => 'XSS',
+            :description    => %q{Cross-Site Scripting module},
+            :elements       => [
+                Issue::Element::FORM,
+                Issue::Element::LINK,
+                Issue::Element::COOKIE,
+                Issue::Element::HEADER
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.2',
+            :references     => {
+                'ha.ckers' => 'http://ha.ckers.org/xss.html',
+                'Secunia'  => 'http://secunia.com/advisories/9716/'
+            },
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{Cross-Site Scripting (XSS)},
+                :description => %q{Client-side code (like JavaScript) can
+                    be injected into the web application which is then returned to the user's browser.
+                    This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.},
+                :tags        => [ 'xss', 'regexp', 'injection', 'script' ],
+                :cwe         => '79',
+                :severity    => Issue::Severity::HIGH,
+                :cvssv2       => '9.0',
+                :remedy_guidance    => 'User inputs must be validated and filtered
+                    before being returned as part of the HTML code of a page.',
+                :remedy_code => '',
+            }
+
+        }
+    end
+
+end
+end
+end

data/modules/audit/xss_event.rb

@@ -0,0 +1,134 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# XSS in HTML element event attribute. <br/>
+# It injects a string and checks if it appears inside an event attribute of any HTML tag.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1.1
+#
+# @see http://cwe.mitre.org/data/definitions/79.html
+# @see http://ha.ckers.org/xss.html
+# @see http://secunia.com/advisories/9716/
+#
+class XSSEvent < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    EVENT_ATTRS = [
+        'onload',
+        'onunload',
+        'onblur',
+        'onchange',
+        'onfocus',
+        'onreset',
+        'onselect',
+        'onsubmit',
+        'onabort',
+        'onkeydown',
+        'onkeypress',
+        'onkeyup',
+        'onclick',
+        'ondblclick',
+        'onmousedown',
+        'onmousemove',
+        'onmouseout',
+        'onmouseover',
+        'onmouseup',
+        'src' # not an event but it fits the module structure
+    ]
+
+    def initialize( page )
+        super( page )
+    end
+
+    def prepare( )
+        @_injection_strs = [
+            ";arachni_xss_in_element_event=" + seed + '//',
+            "\";arachni_xss_in_element_event=" + seed + '//',
+            "';arachni_xss_in_element_event=" + seed + '//',
+        ]
+
+        @_opts = {
+            :format => [ Format::APPEND ],
+        }
+    end
+
+    def run( )
+        @_injection_strs.each {
+            |str|
+            audit( str, @_opts ) {
+                |res, opts|
+                log( opts, res ) if !( opts[:id] = _check( res, opts[:injected] ) ).empty?
+            }
+        }
+    end
+
+    def _check( res, injected_str )
+        return [] if !res.body || !res.body.substring?( injected_str )
+
+        doc = Nokogiri::HTML( res.body )
+        EVENT_ATTRS.each {
+            |attr|
+            doc.xpath("//*[@#{attr}]").each {
+                |elem|
+                if elem.attributes[attr].to_s.substring?( injected_str )
+                    return elem.to_s
+                end
+            }
+        }
+
+        return []
+    end
+
+    def self.info
+        {
+            :name           => 'XSS in HTML element event attribute',
+            :description    => %q{Cross-Site Scripting in event tag of HTML element.},
+            :elements       => [
+                Issue::Element::FORM,
+                Issue::Element::LINK,
+                Issue::Element::COOKIE,
+                Issue::Element::HEADER
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1.1',
+            :references     => {
+                'ha.ckers' => 'http://ha.ckers.org/xss.html',
+                'Secunia'  => 'http://secunia.com/advisories/9716/'
+            },
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{Cross-Site Scripting in event tag of HTML element.},
+                :description => %q{Unvalidated user input is being embedded inside an HMTL event element such as "onmouseover".
+                    This makes Cross-Site Scripting attacks much easier to mount since the user input
+                    lands in code waiting to be executed.},
+                :tags        => [ 'xss', 'event', 'injection', 'regexp', 'dom', 'attribute' ],
+                :cwe         => '79',
+                :severity    => Issue::Severity::HIGH,
+                :cvssv2       => '9.0',
+                :remedy_guidance    => 'User inputs must be validated and filtered
+                    before being included in executable code or not be included at all.',
+                :remedy_code => '',
+            }
+
+        }
+    end
+
+end
+end
+end

data/modules/audit/xss_path.rb

@@ -0,0 +1,125 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# XSS in path audit module.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1.2
+#
+# @see http://cwe.mitre.org/data/definitions/79.html
+# @see http://ha.ckers.org/xss.html
+# @see http://secunia.com/advisories/9716/
+#
+class XSSPath < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    def initialize( page )
+        super( page )
+
+        @results    = []
+    end
+
+    def prepare( )
+        @str = '/<arachni_xss_path_' + seed
+        @__injection_strs = [
+            @str,
+            '?>"\'>' + @str,
+            '?=>"\'>' + @str
+        ]
+    end
+
+    def run( )
+
+        path = get_path( @page.url )
+
+        @__injection_strs.each {
+            |str|
+
+            url  = path + str
+            req  = @http.get( url )
+
+            req.on_complete {
+                |res|
+                __log_results( res, str )
+            }
+        }
+
+    end
+
+
+    def self.info
+        {
+            :name           => 'XSSPath',
+            :description    => %q{Cross-Site Scripting module for path injection},
+            :elements       => [ ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1.2',
+            :references     => {
+                'ha.ckers' => 'http://ha.ckers.org/xss.html',
+                'Secunia'  => 'http://secunia.com/advisories/9716/'
+            },
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{Cross-Site Scripting (XSS) in path},
+                :description => %q{Client-side code, like JavaScript, can
+                    be injected into the web application.},
+                :tags        => [ 'xss', 'path', 'injection', 'regexp' ],
+                :cwe         => '79',
+                :severity    => Issue::Severity::HIGH,
+                :cvssv2       => '9.0',
+                :remedy_guidance    => '',
+                :remedy_code => '',
+            }
+
+        }
+    end
+
+    def __log_results( res, id )
+
+        if res.body.substring?( id )
+
+            url = res.effective_url
+            # append the result to the results hash
+            @results << Issue.new( {
+                :var          => 'n/a',
+                :url          => url,
+                :injected     => id,
+                :id           => id,
+                :regexp       => 'n/a',
+                :regexp_match => 'n/a',
+                :elem         => Issue::Element::LINK,
+                :response     => res.body,
+                :headers      => {
+                    :request    => res.request.headers,
+                    :response   => res.headers,
+                }
+            }.merge( self.class.info ) )
+
+            # inform the user that we have a match
+            print_ok( "Match at #{url}" )
+            print_verbose( "Inected string: #{id}" )
+
+            # register our results with the system
+            register_results( @results )
+        end
+    end
+
+
+end
+end
+end

data/modules/audit/xss_script_tag.rb

@@ -0,0 +1,112 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# XSS in HTML script tag. <br/>
+# It injects strings and checks if they appear inside HTML 'script' tags.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1.1
+#
+# @see http://cwe.mitre.org/data/definitions/79.html
+# @see http://ha.ckers.org/xss.html
+# @see http://secunia.com/advisories/9716/
+#
+class XSSScriptTag < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    def initialize( page )
+        super( page )
+    end
+
+    def prepare( )
+        @_injection_strs = [
+            "arachni_xss_in_script_tag_" + seed + "",
+            "\"arachni_xss_in_script_tag_" + seed + "\"",
+            "'arachni_xss_in_script_tag_" + seed + "'"
+        ]
+
+        @_opts = {
+            :format => [ Format::APPEND ],
+        }
+    end
+
+    def run( )
+        @_injection_strs.each {
+            |str|
+            audit( str, @_opts ) {
+                |res, opts|
+                _log( res, opts )
+            }
+        }
+    end
+
+    def _log( res, opts )
+        # if we have no body or it doesn't contain the injected string under any
+        # context there's no point in parsing the HMTL to verify the vulnerability
+        return if !res.body || !res.body.substring?( opts[:injected] )
+
+        begin
+            doc = Nokogiri::HTML( res.body )
+
+            # see if we managed to inject a working HTML attribute to any
+            # elements
+            if !(html_elem = doc.xpath("//script")).empty? &&
+                html_elem.to_s.substring?( opts[:injected] )
+                opts[:match] = html_elem.to_s
+                log( opts, res )
+            end
+        end
+    end
+
+    def self.info
+        {
+            :name           => 'XSS in HTML "script" tag',
+            :description    => %q{Injects strings and checks if they appear inside HTML 'script' tags.},
+            :elements       => [
+                Issue::Element::FORM,
+                Issue::Element::LINK,
+                Issue::Element::COOKIE,
+                Issue::Element::HEADER
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1.1',
+            :references     => {
+                'ha.ckers' => 'http://ha.ckers.org/xss.html',
+                'Secunia'  => 'http://secunia.com/advisories/9716/'
+            },
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{Cross-Site Scripting in HTML "script" tag.},
+                :description => %q{Unvalidated user input is being embedded inside a <script> element.
+                    This makes Cross-Site Scripting attacks much easier to mount since user input lands inside
+                    a trusted script.},
+                :tags        => [ 'xss', 'script', 'tag', 'regexp', 'dom', 'attribute', 'injection' ],
+                :cwe         => '79',
+                :severity    => Issue::Severity::HIGH,
+                :cvssv2       => '9.0',
+                :remedy_guidance    => 'User inputs must be validated and filtered
+                    before being included in executable code or not be included at all.',
+                :remedy_code => '',
+            }
+
+        }
+    end
+
+end
+end
+end