arachni 0.2.2.1

data/modules/audit/xss_tag.rb

@@ -0,0 +1,112 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# XSS in HTML tag. <br/>
+# It injects a string and checks if it appears inside any HTML tags.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1.1
+#
+# @see http://cwe.mitre.org/data/definitions/79.html
+# @see http://ha.ckers.org/xss.html
+# @see http://secunia.com/advisories/9716/
+#
+class XSSHTMLTag < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    TAG_NAME = 'arachni_xss_in_tag'
+
+    def initialize( page )
+        super( page )
+    end
+
+    def prepare( )
+        @_injection_strs = [
+            " #{TAG_NAME}=" + seed,
+            "\" #{TAG_NAME}=\"" + seed,
+            "' #{TAG_NAME}='" + seed,
+        ]
+
+        @_opts = {
+            :format => [ Format::APPEND ],
+        }
+    end
+
+    def run( )
+        @_injection_strs.each {
+            |str|
+            audit( str, @_opts ) {
+                |res, opts|
+                _log( res, opts )
+            }
+        }
+    end
+
+    def _log( res, opts )
+        # if we have no body or it doesn't contain the TAG_NAME under any
+        # context there's no point in parsing the HMTL to verify the vulnerability
+        return if !res.body || !res.body.substring?( TAG_NAME )
+
+        begin
+            doc = Nokogiri::HTML( res.body )
+
+            # see if we managed to inject a working HTML attribute to any
+            # elements
+            if !(html_elem = doc.xpath("//*[@#{TAG_NAME}]")).empty?
+                opts[:match] = html_elem.to_s
+                log( opts, res )
+            end
+        end
+    end
+
+    def self.info
+        {
+            :name           => 'XSS in HTML tag',
+            :description    => %q{Cross-Site Scripting in HTML tag.},
+            :elements       => [
+                Issue::Element::FORM,
+                Issue::Element::LINK,
+                Issue::Element::COOKIE,
+                Issue::Element::HEADER
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1.1',
+            :references     => {
+                'ha.ckers' => 'http://ha.ckers.org/xss.html',
+                'Secunia'  => 'http://secunia.com/advisories/9716/'
+            },
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{Cross-Site Scripting in HTML tag.},
+                :description => %q{Unvalidated user input is being embedded in a HTML element.
+                    This can lead to a Cross-Site Scripting vulnerability or a form of HTML manipulation.},
+                :tags        => [ 'xss', 'script', 'tag', 'regexp', 'dom', 'attribute', 'injection' ],
+                :cwe         => '79',
+                :severity    => Issue::Severity::HIGH,
+                :cvssv2       => '9.0',
+                :remedy_guidance    => 'User inputs must be validated and filtered
+                    before being returned as part of the HTML code of a page.',
+                :remedy_code => '',
+            }
+
+        }
+    end
+
+end
+end
+end

data/modules/audit/xss_uri.rb

@@ -0,0 +1,125 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# XSS in URI audit module.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1.3
+#
+# @see http://cwe.mitre.org/data/definitions/79.html
+# @see http://ha.ckers.org/xss.html
+# @see http://secunia.com/advisories/9716/
+#
+class XSSURI < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    def initialize( page )
+        super( page )
+
+        @results    = []
+
+        # since we'll bypass the Auditor we need to keep track of our audits
+        @@__audited  ||= Set.new
+    end
+
+    def prepare( )
+        @str = '/<arachni_xss_uri_' + seed
+    end
+
+    def run( )
+
+    uri  = URI( normalize_url( @page.url ) )
+    url  = uri.scheme + '://' + uri.host + uri.path  + @str
+
+    if @@__audited.include?( url )
+        print_info( 'Skipping already audited url: ' + url )
+        return
+    end
+
+    @@__audited << url
+
+    req  = @http.get( url )
+
+    req.on_complete {
+        |res|
+        __log_results( res )
+    }
+
+    end
+
+
+    def self.info
+        {
+            :name           => 'XSSURI',
+            :description    => %q{Cross-Site Scripting module for path injection},
+            :elements       => [ ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1.3',
+            :references     => {
+                'ha.ckers' => 'http://ha.ckers.org/xss.html',
+                'Secunia'  => 'http://secunia.com/advisories/9716/'
+            },
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{Cross-Site Scripting (XSS) in URI},
+                :description => %q{Client-side code, like JavaScript, can
+                    be injected into the web application.},
+                :tags        => [ 'xss', 'uri', 'path', 'regexp', 'injection', 'script' ],
+                :cwe         => '79',
+                :severity    => Issue::Severity::HIGH,
+                :cvssv2       => '9.0',
+                :remedy_guidance    => '',
+                :remedy_code => '',
+            }
+
+        }
+    end
+
+    def __log_results( res )
+
+        if res.body.substring?( @str )
+
+            url = res.effective_url
+            # append the result to the results hash
+            @results << Issue.new( {
+                :url          => url,
+                :injected     => @str,
+                :id           => @str,
+                :regexp       => @str,
+                :regexp_match => @str,
+                :elem         => Issue::Element::PATH,
+                :response     => res.body,
+                :headers      => {
+                    :request    => res.request.headers,
+                    :response   => res.headers,
+                }
+            }.merge( self.class.info ) )
+
+            # inform the user that we have a match
+            print_ok( "In #{@page.url} at " + url )
+
+            # register our results with the system
+            register_results( @results )
+
+        end
+    end
+
+
+end
+end
+end

data/modules/recon/allowed_methods.rb

@@ -0,0 +1,104 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# Allowed HTTP methods recon module.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+# @see http://en.wikipedia.org/wiki/WebDAV
+# @see http://www.webdav.org/specs/rfc4918.html
+#
+class AllowedMethods < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    def initialize( page )
+        super( page )
+    end
+
+    def prepare
+        @@__ran ||= false
+    end
+
+    def run( )
+
+        return if @@__ran
+
+        print_status( "Checking..." )
+
+        @http.request( URI( normalize_url( @page.url ) ).host, :method => :options ).on_complete {
+            |res|
+            __log_results( res )
+        }
+    end
+
+    def clean_up
+        @@__ran = true
+    end
+
+    def self.info
+        {
+            :name           => 'AllowedMethods',
+            :description    => %q{Checks for supported HTTP methods.},
+            :elements       => [ ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+            :references     => {
+            },
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{Allowed HTTP methods},
+                :description => %q{The webserver claims that it supports the logged methods.},
+                :tags        => [ 'http', 'methods', 'options' ],
+                :cwe         => '',
+                :severity    => Issue::Severity::INFORMATIONAL,
+                :cvssv2       => '',
+                :remedy_guidance    => '',
+                :remedy_code => '',
+            }
+        }
+    end
+
+    def __log_results( res )
+
+        methods = res.headers_hash['Allow']
+
+        return if !methods || methods.empty?
+
+        issue = Issue.new( {
+            :url          => res.effective_url,
+            :method       => res.request.method.to_s.upcase,
+            :regexp_match => methods,
+            :elem         => Issue::Element::SERVER,
+            :response     => res.body,
+            :headers      => {
+                :request    => res.request.headers,
+                :response   => res.headers,
+            }
+        }.merge( self.class.info ) )
+
+        # register our results with the system
+        register_results( [issue] )
+
+        # inform the user that we have a match
+        print_ok( methods )
+    end
+
+end
+end
+end

data/modules/recon/backdoors.rb

@@ -0,0 +1,131 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# Looks for common backdoors on the server.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+#
+class Backdoors < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    def initialize( page )
+        super( page )
+    end
+
+    def prepare
+        # to keep track of the requests and not repeat them
+        @@__audited ||= Set.new
+
+        # our results array
+        @results = []
+
+        @@__filenames ||=[]
+        return if !@@__filenames.empty?
+
+        read_file( 'filenames.txt' ) {
+            |file|
+            @@__filenames << file
+        }
+    end
+
+    def run( )
+
+        path = get_path( @page.url )
+        return if @@__audited.include?( path )
+
+        print_status( "Scanning..." )
+        @@__filenames.each {
+            |file|
+
+            url  = path + file
+
+            print_status( "Checking for #{url}" )
+
+            req  = @http.get( url, :train => true )
+
+            req.on_complete {
+                |res|
+                print_status( "Analyzing #{res.effective_url}" )
+                __log_results( res, file )
+            }
+        }
+
+        @@__audited << path
+    end
+
+
+    def self.info
+        {
+            :name           => 'Backdoors',
+            :description    => %q{Tries to find common backdoors on the server.},
+            :elements       => [ ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1',
+            :references     => {},
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{A backdoor file exists on the server.},
+                :description => %q{},
+                :tags        => [ 'path', 'backdoor', 'file' ],
+                :cwe         => '',
+                :severity    => Issue::Severity::HIGH,
+                :cvssv2       => '',
+                :remedy_guidance    => '',
+                :remedy_code => '',
+            }
+
+        }
+    end
+
+    #
+    # Adds an issue to the @results array<br/>
+    # and outputs an "OK" message with the filename and its url.
+    #
+    # @param  [Net::HTTPResponse]  res   the HTTP response
+    # @param  [String]  filename   the discovered filename
+    #
+    def __log_results( res, filename )
+
+        return if( res.code != 200 || @http.custom_404?( res ) )
+
+        url = res.effective_url
+        # append the result to the results array
+        @results << Issue.new( {
+            :url          => url,
+            :injected     => filename,
+            :id           => filename,
+            :elem         => Issue::Element::PATH,
+            :response     => res.body,
+            :headers      => {
+                :request    => res.request.headers,
+                :response   => res.headers,
+            }
+        }.merge( self.class.info ) )
+
+        # register our results with the system
+        register_results( @results )
+
+        # inform the user that we have a match
+        print_ok( "Found #{filename} at " + url )
+    end
+
+end
+end
+end