arachni 0.2.2.1

data/plugins/metamodules.rb

@@ -0,0 +1,118 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+
+#
+# Namespace under which all meta modules will reside
+#
+module MetaModules
+    class Base
+        include Arachni::Module::Output
+
+        def initialize( framework )
+        end
+
+        def prepare
+        end
+
+        def run
+        end
+
+        def clean_up
+        end
+
+        def self.info
+            {
+                :name           => '[Meta] ' + self.name.to_s.gsub( 'Arachni::MetaModules::', '' ),
+                :description    => %q{Performs high-level meta-analysis on the results of the scan
+                    using abstract meta components.},
+                :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+                :version        => '0.1',
+            }
+        end
+
+    end
+end
+
+
+module Plugins
+
+#
+# Performs high-level meta-analysis on the results of the scan
+# using abstract meta-modules.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class MetaModules < Arachni::Plugin::Base
+
+    def initialize( framework, options )
+        @framework = framework
+
+        @metamanager = Arachni::ComponentManager.new( @framework.opts.dir['root'] + 'metamodules/', Arachni::MetaModules )
+
+        # load all meta-components
+        @metamanager.load( ['*'] )
+        @inited = {}
+        @metamanager.each {
+            |name, klass|
+            @inited[name] = klass.new( @framework )
+        }
+    end
+
+    def prepare
+        # prepare all meta modules here to give them a chance to set up their hooks
+        # and callbacks to other framework interfaces.
+        @inited.values.each { |meta| meta.prepare }
+
+        # we need to wait until the framework has finished running
+        # in order to work with the full report
+        while( @framework.running? )
+            ::IO.select( nil, nil, nil, 1 )
+        end
+
+    end
+
+    def run
+        results = { }
+        # run all meta-modules
+        @inited.each_pair {
+            |name, meta|
+            if (metaresult = meta.run) && !metaresult.empty?
+                results[name] = { :results => metaresult }.merge( meta.class.info )
+            end
+        }
+
+        register_results( results )
+    end
+
+    def clean_up
+        # let the meta-modules clean up after themselves
+        @inited.values.each { |meta| meta.clean_up }
+    end
+
+    def self.info
+        {
+            :name           => 'Metamodules',
+            :description    => %q{Performs high-level meta-analysis on the results of the scan using abstract meta-modules.
+                Before reviewing the scan results you are strongly encouraged to take full advantage of the data gathered via meta-analysis.
+                They will help you shed light into the inner workings of the web application and even caution you about possible false positives and/or inconclusive test results.},
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1'
+        }
+    end
+
+
+end
+end
+end

data/plugins/proxy.rb

@@ -0,0 +1,248 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+module Plugins
+
+#
+# Passive proxy.
+#
+# Will gather data based on user actions and exchanged HTTP traffic and push that
+# data to the {Framework#page_queue} to be audited.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class Proxy < Arachni::Plugin::Base
+
+    SHUTDOWN_URL = 'http://arachni.proxy.shutdown/'
+
+    MSG_SHUTDOWN = 'Shutting down the Arachni proxy plug-in...'
+
+    MSG_DISALOWED = "You can't access this resource via the Arachni " +
+                    "proxy plug-in for the following reasons:"
+
+    MSG_NOT_IN_DOMAIN = 'This resource is on a domain or subdomain' +
+        ' outside the scope of the audit.'
+
+    MSG_EXCLUDED = 'This resource is matched by an exclude rule.'
+
+    MSG_NOT_INCLUDED = 'This resource is disallowed based on an include rule.'
+
+    #
+    # @param    [Arachni::Framework]    framework
+    # @param    [Hash]        options    options passed to the plugin
+    #
+    def initialize( framework, options )
+        @framework = framework
+        @options   = options
+
+        # don't let the framework run just yet
+        @framework.pause!
+        print_info( "System paused." )
+    end
+
+    def prepare
+        require @framework.opts.dir['plugins'] + '/proxy/server.rb'
+
+        # foo initialization, we just need it to verify URLs
+        @parser = Arachni::Parser.new( @framework.opts,
+            Typhoeus::Response.new(
+                :effective_url => @framework.opts.url.to_s,
+                :body          => '',
+                :headers_hash  => {}
+            )
+        )
+
+        @server = Server.new(
+            :BindAddress    => @options['bind_address'],
+            :Port           => @options['port'],
+            :ProxyVia       => false,
+            :ProxyContentHandler => method( :handler ),
+            :ProxyURITest   => method( :allowed? ),
+            :AccessLog      => [],
+            :Logger         => WEBrick::Log::new( "/dev/null", 7 )
+        )
+    end
+
+    def run( )
+        print_status( "Listening on: " +
+            "http://#{@server[:BindAddress]}:#{@server[:Port]}" )
+
+        print_status( "Shutdown URL: #{SHUTDOWN_URL}" )
+        print_info( "The scan will resume once you visit the shutdown URL." )
+        @server.start
+    end
+
+    #
+    # Called by the proxy to process each page
+    #
+    def handler( req, res )
+
+        if( res.header['content-encoding'] == 'gzip' )
+            res.header.delete( 'content-encoding' )
+            res.body = Zlib::GzipReader.new( StringIO.new( res.body ) ).read
+        end
+
+        headers = {}
+        headers.merge( res.header.dup )     if res.header
+        headers['set-cookie'] = res.cookies if !res.cookies.empty?
+
+        # proper initialization in order to parse the response into a page
+        @parser = Arachni::Parser.new( @framework.opts,
+            Typhoeus::Response.new(
+                :effective_url => req.unparsed_uri,
+                :body          => res.body,
+                :headers_hash  => headers
+            )
+        )
+
+        page = @parser.run
+        page = update_forms( page, req ) if req.body
+        page.method = res.request_method
+        page.code   = res.status
+
+        print_info " *  #{page.forms.size} forms"
+        print_info " *  #{page.links.size} links"
+        print_info " *  #{page.cookies.size} cookies"
+
+        update_framework_cookies( page, req )
+        @framework.page_queue << page.dup
+
+        return res
+    end
+
+    def update_framework_cookies( page, req )
+
+        print_debug( 'Updating framework cookies...' )
+
+        cookies = {}
+
+        if req['Cookie']
+            req['Cookie'].split( ';' ).each{
+                |cookie|
+                k, v = cookie.split( '=', 2 )
+                cookies[k.strip] = v.strip
+            }
+        end
+
+        page.cookies.each {
+            |cookie|
+            cookies.merge!( cookie.simple )
+        }
+
+        if cookies.empty?
+            print_debug( 'Could not extract cookies...' )
+            return
+        else
+            print_debug( 'Extracted cookies:' )
+            cookies.each{
+                |k, v|
+                print_debug( "  * #{k} => #{v}" )
+            }
+        end
+
+        @framework.http.update_cookies( cookies )
+
+    end
+
+    def update_forms( page, req )
+        params = {}
+
+        URI.decode( req.body ).split( '&' ).each {
+            |param|
+            k,v = param.split( '=', 2 )
+            params[k] = v
+        }
+
+        raw = {
+            'attrs' => {
+                'action' => req.unparsed_uri,
+                'method' => req.request_method,
+            }
+        }
+
+        form = ::Arachni::Parser::Element::Form.new( req.unparsed_uri, raw )
+        form.auditable = params
+
+        page.forms << form
+
+        return page
+    end
+
+    #
+    # Checks if the URL is allowed.
+    #
+    # URLs outside the scope of the scan are not allowed.
+    #
+    def allowed?( uri )
+
+        url = URI( uri )
+
+        print_status( 'Requesting: ' + url.to_s )
+
+        # if !(url.to_s =~ /http(s):\/\//)
+        #     url = URI( @framework.opts.url.scheme + '://' + url.to_s )
+        # end
+
+        reasons = []
+
+        if shutdown?( url )
+            print_status( 'Shutting down...' )
+            @server.shutdown
+            reasons << MSG_SHUTDOWN
+            return reasons
+        end
+
+        @parser.url = @framework.opts.url
+
+        reasons << MSG_NOT_IN_DOMAIN if !@parser.in_domain?( url )
+        reasons << MSG_EXCLUDED      if @parser.exclude?( url )
+        reasons << MSG_NOT_INCLUDED  if !@parser.include?( url )
+
+        if !reasons.empty?
+            print_info( "#{MSG_DISALOWED}" )
+            reasons.each{ |msg| print_info " *  #{msg}" }
+            reasons << MSG_DISALOWED
+        end
+
+        return reasons
+    end
+
+    def shutdown?( url )
+        return url.to_s == SHUTDOWN_URL
+    end
+
+    def clean_up
+        @framework.resume!
+    end
+
+    def self.info
+        {
+            :name           => 'Proxy',
+            :description    => %q{Gathers data based on user actions and exchanged HTTP
+                traffic and pushes that data to the framework's page-queue to be audited.
+                It also updates the framework cookies with the cookies of the HTTP requests and
+                responses, thus it can also be used to login to a web application.},
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+            :options        => [
+                Arachni::OptPort.new( 'port', [ false, 'Port to bind to.', 8282 ] ),
+                Arachni::OptAddress.new( 'bind_address', [ false, 'IP address to bind to.', '0.0.0.0' ] )
+            ]
+        }
+    end
+
+end
+
+end
+end

data/plugins/proxy/server.rb

@@ -0,0 +1,66 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+require 'webrick/httpproxy'
+require 'stringio'
+require 'zlib'
+require 'open-uri'
+
+module Arachni
+module Plugins
+
+class Proxy
+    #
+    # We add our own type of WEBrick::HTTPProxyServer class that supports
+    # notifications when the user tries to access a resource irrelevant
+    # to the scan and does not restrict header exchange.
+    #
+    # @author: Tasos "Zapotek" Laskos
+    #                                      <tasos.laskos@gmail.com>
+    #                                      <zapotek@segfault.gr>
+    # @version: 0.1
+    #
+    class Server < WEBrick::HTTPProxyServer
+
+        def choose_header(src, dst)
+            connections = split_field(src['connection'])
+            src.each{|key, value|
+                key = key.downcase
+                if HopByHop.member?(key)          || # RFC2616: 13.5.1
+                   connections.member?(key)       || # RFC2616: 14.10
+                   # ShouldNotTransfer.member?(key)    # pragmatics
+                  @logger.debug("choose_header: `#{key}: #{value}'")
+                  next
+                end
+            dst[key] = value
+          }
+        end
+
+        def service( req, res )
+            exclude_reasons = @config[:ProxyURITest].call( req.unparsed_uri )
+
+            if( exclude_reasons.empty? )
+                super( req, res )
+            else
+                notify( exclude_reasons, req, res )
+            end
+        end
+
+        def notify( reasons, req, res )
+            res.header['content-type'] = 'text/plain'
+            res.header.delete( 'content-encoding' )
+
+            res.body << reasons.map{ |msg| " *  #{msg}" }.join( "\n" )
+        end
+    end
+end
+
+end
+end

data/plugins/waf_detector.rb

@@ -0,0 +1,184 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+module Arachni
+module Plugins
+
+#
+# Web Application Firewall detection plugin.
+#
+# This is a 4 stage process:
+#   1. Grab the original page as is
+#   2. Send a lot of innocent strings in non-existent inputs so as to profile normal behavior
+#   3. Send a lot of suspicious strings in non-existent inputs and check if behavior changes
+#   4. Make heads or tails of the gathered responses
+#
+# Steps 1 to 3 will be repeated _precision_ times and the responses will be averaged using rDiff analysis.
+#
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class WAFDetector < Arachni::Plugin::Base
+
+    MSG_INCONCLUSIVE = %q{Could not establish a baseline behavior for the website. Due to that fact analysis has been aborted.}
+
+    MSG_FOUND        = %q{Request parameters are being filtered, this is usually a sign of a WAF.}
+
+    MSG_NOT_FOUND    = %q{Could not detect any sign of filtering, a WAF doesn't seem to be present.}
+
+    #
+    # @param    [Arachni::Framework]    framework
+    # @param    [Hash]        options    options passed to the plugin
+    #
+    def initialize( framework, options )
+        @framework = framework
+        @options   = options
+    end
+
+    def prepare
+
+        @precision = @options['precision']
+
+        bad = [
+            '../../../../',
+            '<script>foo</script>',
+            '\'--;`',
+        ]
+
+        names = []
+        bad.size.times {
+            |i|
+            names << i.to_s + '_' + Digest::SHA2.hexdigest( rand( i*1000 ).to_s )
+        }
+
+        @safe   = { }
+        @unsafe = { }
+        names.each_with_index {
+            |name, i|
+            @safe[name]    = 'value_' + name
+            @unsafe[name]  = i.to_s + '_' + bad.join( '_' )
+        }
+
+        @url = @framework.opts.url
+
+        @responses = {
+            :original => nil,
+            :vanilla  => nil,
+            :spicy    => nil
+        }
+
+    end
+
+    def run( )
+
+        print_status( "Starting detection with a precision of #{@precision}." )
+
+        print_status( "Stage #1: Requesting original page." )
+        queue_original(  )
+
+        print_status( "Stage #2: Requesting with vanilla inputs." )
+        queue_vanilla( )
+
+        print_status( "Stage #3: Requesting with spicy inputs." )
+        queue_spicy( )
+
+        print_status( "Stage #4: Analyzing gathered responses." )
+
+        @framework.http.after_run {
+
+            if @responses[:original] == @responses[:vanilla]
+                if @responses[:vanilla] == @responses[:spicy]
+                    not_found!
+                else
+                    found!
+                end
+            else
+                inconclusive!
+            end
+        }
+
+    end
+
+    def found!
+        print_ok( MSG_FOUND )
+        register_results( { :code => 1, :msg => MSG_FOUND } )
+    end
+
+    def not_found!
+        print_ok( MSG_NOT_FOUND )
+        register_results( { :code => 0, :msg => MSG_NOT_FOUND } )
+    end
+
+    def inconclusive!
+        print_ok( MSG_INCONCLUSIVE )
+        register_results( { :code => -1, :msg => MSG_INCONCLUSIVE } )
+    end
+
+    def queue_original
+        @precision.times {
+            # grab the page containing the login form
+            @framework.http.get( @url.to_s ).on_complete {
+                |res|
+                @responses[:original] ||= res.body
+                @responses[:original] = @responses[:original].rdiff( res.body )
+            }
+        }
+    end
+
+    def queue_vanilla( )
+        @precision.times {
+            # grab the page containing the login form
+            @framework.http.get( @url.to_s, :params => @safe ).on_complete {
+                |res|
+                @responses[:vanilla] ||= res.body
+                @responses[:vanilla] = @responses[:vanilla].rdiff( res.body )
+            }
+        }
+    end
+
+    def queue_spicy( )
+        @precision.times {
+            # grab the page containing the login form
+            @framework.http.get( @url.to_s, :params => @unsafe ).on_complete {
+                |res|
+                @responses[:spicy] ||= res.body
+                @responses[:spicy] = @responses[:spicy].rdiff( res.body )
+            }
+        }
+    end
+
+    def self.info
+        {
+            :name           => 'WAF Detector',
+            :description    => %q{Performs basic profiling on the web application
+                in order to assess the existence of a Web Application Firewall.
+
+                This is a 4 stage process:
+                   1. Grab the original page as is
+                   2. Send a lot of innocent (vanilla) strings in non-existent inputs so as to profile normal behavior
+                   3. Send a lot of suspicious (spicy) strings in non-existent inputs and check if behavior changes
+                   4. Make heads or tails of the gathered responses
+
+                 Steps 1 to 3 will be repeated _precision_ times (default: 5) and the responses will be averaged using rDiff analysis.},
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+            :options        => [
+                Arachni::OptInt.new( 'precision', [ false, 'Stage precision (how many times to perform each detection stage).', 5 ] )
+            ]
+        }
+    end
+
+end
+
+end
+end