arachni 0.2.2.1

data/modules/recon/interesting_responses.rb

@@ -0,0 +1,118 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+require 'digest/md5'
+
+module Arachni
+
+module Modules
+
+#
+# Logs all non 200 (OK) and non 404 server responses.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+#
+class InterestingResponses < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    IGNORE_CODES = [
+        200,
+        404
+    ]
+
+    def initialize( page )
+        super( page )
+
+        # we need to run only once
+        @@__ran ||= false
+    end
+
+    def run( )
+        return if @@__ran
+
+        print_status( "Listening..." )
+
+        # tell the HTTP interface to cal this block every-time a request completes
+        @http.on_complete {
+            |res|
+            __log_results( res ) if !IGNORE_CODES.include?( res.code ) && !res.body.empty?
+        }
+
+    end
+
+    def clean_up
+        @@__ran = true
+    end
+
+    def self.info
+        {
+            :name           => 'Interesting responses',
+            :description    => %q{Logs all non 200 (OK) server responses.},
+            :elements       => [ ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{Interesting server response.},
+                :description => %q{The server responded with a non 200 (OK) code. },
+                :tags        => [ 'interesting', 'response', 'server' ],
+                :cwe         => '',
+                :severity    => Issue::Severity::INFORMATIONAL,
+                :cvssv2       => '',
+                :remedy_guidance    => '',
+                :remedy_code => '',
+            }
+
+        }
+    end
+
+    def __log_results( res )
+
+        @@_loged ||= {
+            :paths   => Set.new,
+            :digests => Set.new
+        }
+
+        digest = Digest::MD5.hexdigest( res.body )
+        path   = URI( res.effective_url ).path
+
+        return if @@_loged[:paths].include?( path ) ||
+            @@_loged[:digests].include?( digest )
+
+        @@_loged[:paths]   << path
+        @@_loged[:digests] << digest
+
+        issue = Issue.new( {
+            :url          => res.effective_url,
+            :method       => res.request.method.to_s.upcase,
+            :id           => "Code: #{res.code.to_s}",
+            :elem         => Issue::Element::SERVER,
+            :response     => res.body,
+            :headers      => {
+                :request    => res.request.headers,
+                :response   => res.headers,
+            }
+        }.merge( self.class.info ) )
+
+        # register our results with the system
+        register_results( [issue] )
+
+        # inform the user that we have a match
+        print_ok( "Found an interesting response (Code: #{res.code.to_s})." )
+    end
+
+end
+end
+end

data/modules/recon/unencrypted_password_forms.rb

@@ -0,0 +1,119 @@
+=begin
+  $Id$
+
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# Unencrypted password form
+#
+# Looks for password inputs that don't submit data over an encrypted channel (HTTPS).
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1.1
+#
+# @see http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection
+#
+class UnencryptedPasswordForms < Arachni::Module::Base
+
+    def initialize( page )
+        # in this case we don't need to call the parent
+        @page = page
+
+        @results    = []
+        @@__audited ||= Set.new
+    end
+
+    def run( )
+
+        @page.forms.each {
+            |form|
+            __check( form )
+        }
+
+        # register our results with the system
+        register_results( @results )
+    end
+
+    def __check( form )
+
+        scheme = URI( form.action ).scheme
+        return if( scheme.downcase == 'https' )
+
+        form.raw['auditable'].each {
+            |input|
+
+            next if !input['type']
+
+            if( input['type'].downcase == 'password' )
+                __log( form.url, input )
+            end
+        }
+    end
+
+    def __log( url, input )
+
+        if @@__audited.include?( input['name'] )
+            print_info( 'Skipping already audited field \'' +
+                input['name'] + '\' of url: ' + url )
+            return
+        end
+
+        name = input['name'] || input['id'] || 'n/a'
+        @@__audited << name
+
+        # append the result to the results array
+        @results << Issue.new( {
+            :var          => name,
+            :url          => url,
+            :elem         => Issue::Element::FORM,
+            :response     => @page.html,
+        }.merge( self.class.info ) )
+
+        print_ok( "Found unprotected password field '#{input['name']}' at #{url}" )
+
+    end
+
+    def self.info
+        {
+            :name           => 'UnencryptedPasswordForms',
+            :description    => %q{Looks for password inputs that don't submit data
+                over an encrypted channel (HTTPS).},
+            :elements       => [
+                Issue::Element::FORM
+            ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            :version        => '0.1',
+            :references     => {
+                'OWASP Top 10 2010' => 'http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection'
+            },
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{Unencrypted password form.},
+                :description => %q{Transmission of password does not use an encrypted channel.},
+                :tags        => [ 'unencrypted', 'password', 'form' ],
+                :cwe         => '319',
+                :severity    => Issue::Severity::MEDIUM,
+                :cvssv2       => '',
+                :remedy_guidance    => '',
+                :remedy_code => '',
+            }
+
+        }
+    end
+
+end
+end
+end

data/modules/recon/webdav.rb

@@ -0,0 +1,126 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# WebDAV detection recon module.
+#
+# It doesn't check for a functional DAV implementation but uses the
+# OPTIONS HTTP method to see if 'PROPFIND' is allowed.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+# @see http://en.wikipedia.org/wiki/WebDAV
+# @see http://www.webdav.org/specs/rfc4918.html
+#
+class WebDav < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    def initialize( page )
+        super( page )
+    end
+
+    def prepare
+        #
+        # Because Dav may be enabled on a per directory basis we will check
+        # all directories but only report the first one we find.
+        #
+        # If it is enabled for all dirs then we'll end up swimming in
+        # noise.
+        #
+        # Result aggregation will be implemented at some point though...
+        #
+        @@__found ||= false
+
+        @__check = 'PROPFIND'
+
+        @@__auditted ||= Set.new
+    end
+
+    def run( )
+
+        path = get_path( @page.url )
+
+        return if @@__found || @@__auditted.include?( path )
+
+        print_status( "Checking: #{path}" )
+
+        @http.request( path, :method => :options ).on_complete {
+            |res|
+            begin
+                allowed = res.headers_hash['Allow'].split( ',' ).map{ |method| method.strip }
+                __log_results( res ) if allowed.include?( @__check )
+            rescue
+            end
+        }
+
+        @@__auditted << path
+    end
+
+    def self.info
+        {
+            :name           => 'WebDav',
+            :description    => %q{Checks for WebDAV enabled directories.},
+            :elements       => [ ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+            :references     => {
+                'WebDAV.org'    => 'http://www.webdav.org/specs/rfc4918.html',
+                'Wikipedia'    => 'http://en.wikipedia.org/wiki/WebDAV',
+            },
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{WebDAV},
+                :description => %q{WebDAV is enabled on the server.
+                    Consider auditing further using a specialised tool.},
+                :tags        => [ 'webdav', 'options', 'methods', 'server' ],
+                :cwe         => '',
+                :severity    => Issue::Severity::INFORMATIONAL,
+                :cvssv2       => '',
+                :remedy_guidance    => '',
+                :remedy_code => '',
+            }
+
+        }
+    end
+
+    def __log_results( res )
+        return if @@__found
+
+        @@__found = true
+
+        issue = Issue.new( {
+            :url          => res.effective_url,
+            :method       => res.request.method.to_s.upcase,
+            :elem         => Issue::Element::SERVER,
+            :response     => res.body,
+            :headers      => {
+                :request    => res.request.headers,
+                :response   => res.headers,
+            }
+        }.merge( self.class.info ) )
+
+        # register our results with the system
+        register_results( [issue] )
+
+        # inform the user that we have a match
+        print_ok( "Enabled for: #{res.effective_url}" )
+    end
+
+end
+end
+end

data/modules/recon/xst.rb

@@ -0,0 +1,107 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Modules
+
+#
+# Cross-Site tracing recon module.
+#
+# But not really...it only checks if the TRACE HTTP method is enabled.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1.1
+#
+# @see http://cwe.mitre.org/data/definitions/693.html
+# @see http://capec.mitre.org/data/definitions/107.html
+# @see http://www.owasp.org/index.php/Cross_Site_Tracing
+#
+class XST < Arachni::Module::Base
+
+    include Arachni::Module::Utilities
+
+    def initialize( page )
+        super( page )
+
+        # we need to run only once
+        @@__ran ||= false
+    end
+
+    def run( )
+        return if @@__ran
+
+        print_status( "Checking..." )
+
+        @http.trace( URI( normalize_url( @page.url ) ).host ).on_complete {
+            |res|
+            # checking for a 200 code is not enought, there are some weird
+            # webservers out there that don't give a flying fuck about standards
+            __log_results( res ) if res.code == 200 && !res.body.empty?
+        }
+
+    end
+
+    def clean_up
+        @@__ran = true
+    end
+
+    def self.info
+        {
+            :name           => 'XST',
+            :description    => %q{Sends an HTTP TRACE request and checks if it succeeded.},
+            :elements       => [ ],
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1.1',
+            :references     => {
+                'CAPEC'     => 'http://capec.mitre.org/data/definitions/107.html',
+                'OWASP'     => 'http://www.owasp.org/index.php/Cross_Site_Tracing'
+            },
+            :targets        => { 'Generic' => 'all' },
+            :issue   => {
+                :name        => %q{The TRACE HTTP method is enabled.},
+                :description => %q{This type of attack can occur when the there
+                    is an XSS vulnerability and the server supports HTTP TRACE. },
+                :tags        => [ 'xst', 'methods', 'trace', 'server' ],
+                :cwe         => '693',
+                :severity    => Issue::Severity::MEDIUM,
+                :cvssv2       => '',
+                :remedy_guidance    => '',
+                :remedy_code => '',
+            }
+
+        }
+    end
+
+    def __log_results( res )
+
+        issue = Issue.new( {
+            :url          => res.effective_url,
+            :method       => res.request.method.to_s.upcase,
+            :elem         => Issue::Element::SERVER,
+            :response     => res.body,
+            :headers      => {
+                :request    => res.request.headers,
+                :response   => res.headers,
+            }
+        }.merge( self.class.info ) )
+
+        # register our results with the system
+        register_results( [issue] )
+
+        # inform the user that we have a match
+        print_ok( "TRACE is enabled." )
+    end
+
+end
+end
+end