arachni 0.2.2.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (262) hide show
  1. data/ACKNOWLEDGMENTS.md +14 -0
  2. data/AUTHORS.md +6 -0
  3. data/CHANGELOG.md +162 -0
  4. data/CONTRIBUTORS.md +10 -0
  5. data/EXPLOITATION.md +429 -0
  6. data/HACKING.md +101 -0
  7. data/LICENSE.md +341 -0
  8. data/README.md +350 -0
  9. data/Rakefile +86 -0
  10. data/bin/arachni +22 -0
  11. data/bin/arachni_web +77 -0
  12. data/bin/arachni_xmlrpc +21 -0
  13. data/bin/arachni_xmlrpcd +82 -0
  14. data/bin/arachni_xmlrpcd_monitor +74 -0
  15. data/conf/README.webui.yaml.txt +44 -0
  16. data/conf/webui.yaml +11 -0
  17. data/external/metasploit/LICENSE +24 -0
  18. data/external/metasploit/modules/exploits/unix/webapp/arachni_exec.rb +142 -0
  19. data/external/metasploit/modules/exploits/unix/webapp/arachni_path_traversal.rb +113 -0
  20. data/external/metasploit/modules/exploits/unix/webapp/arachni_php_eval.rb +150 -0
  21. data/external/metasploit/modules/exploits/unix/webapp/arachni_php_include.rb +141 -0
  22. data/external/metasploit/modules/exploits/unix/webapp/arachni_sqlmap.rb +92 -0
  23. data/external/metasploit/plugins/arachni.rb +536 -0
  24. data/getoptslong.rb +241 -0
  25. data/lib/anemone.rb +2 -0
  26. data/lib/anemone/cookie_store.rb +35 -0
  27. data/lib/anemone/core.rb +371 -0
  28. data/lib/anemone/exceptions.rb +5 -0
  29. data/lib/anemone/http.rb +144 -0
  30. data/lib/anemone/page.rb +337 -0
  31. data/lib/anemone/page_store.rb +160 -0
  32. data/lib/anemone/storage.rb +34 -0
  33. data/lib/anemone/storage/base.rb +75 -0
  34. data/lib/anemone/storage/exceptions.rb +15 -0
  35. data/lib/anemone/storage/mongodb.rb +89 -0
  36. data/lib/anemone/storage/pstore.rb +50 -0
  37. data/lib/anemone/storage/redis.rb +90 -0
  38. data/lib/anemone/storage/tokyo_cabinet.rb +57 -0
  39. data/lib/anemone/tentacle.rb +40 -0
  40. data/lib/arachni.rb +16 -0
  41. data/lib/audit_store.rb +346 -0
  42. data/lib/component_manager.rb +293 -0
  43. data/lib/component_options.rb +395 -0
  44. data/lib/exceptions.rb +76 -0
  45. data/lib/framework.rb +637 -0
  46. data/lib/http.rb +809 -0
  47. data/lib/issue.rb +302 -0
  48. data/lib/module.rb +4 -0
  49. data/lib/module/auditor.rb +455 -0
  50. data/lib/module/base.rb +188 -0
  51. data/lib/module/element_db.rb +158 -0
  52. data/lib/module/key_filler.rb +87 -0
  53. data/lib/module/manager.rb +87 -0
  54. data/lib/module/output.rb +68 -0
  55. data/lib/module/trainer.rb +240 -0
  56. data/lib/module/utilities.rb +110 -0
  57. data/lib/options.rb +547 -0
  58. data/lib/parser.rb +2 -0
  59. data/lib/parser/auditable.rb +522 -0
  60. data/lib/parser/elements.rb +296 -0
  61. data/lib/parser/page.rb +149 -0
  62. data/lib/parser/parser.rb +717 -0
  63. data/lib/plugin.rb +4 -0
  64. data/lib/plugin/base.rb +110 -0
  65. data/lib/plugin/manager.rb +162 -0
  66. data/lib/report.rb +4 -0
  67. data/lib/report/base.rb +119 -0
  68. data/lib/report/manager.rb +92 -0
  69. data/lib/rpc/xml/client/base.rb +71 -0
  70. data/lib/rpc/xml/client/dispatcher.rb +49 -0
  71. data/lib/rpc/xml/client/instance.rb +88 -0
  72. data/lib/rpc/xml/server/base.rb +90 -0
  73. data/lib/rpc/xml/server/dispatcher.rb +357 -0
  74. data/lib/rpc/xml/server/framework.rb +206 -0
  75. data/lib/rpc/xml/server/instance.rb +191 -0
  76. data/lib/rpc/xml/server/module/manager.rb +46 -0
  77. data/lib/rpc/xml/server/options.rb +124 -0
  78. data/lib/rpc/xml/server/output.rb +299 -0
  79. data/lib/rpc/xml/server/plugin/manager.rb +58 -0
  80. data/lib/ruby.rb +5 -0
  81. data/lib/ruby/object.rb +32 -0
  82. data/lib/ruby/string.rb +74 -0
  83. data/lib/ruby/xmlrpc/server.rb +27 -0
  84. data/lib/spider.rb +200 -0
  85. data/lib/typhoeus/request.rb +91 -0
  86. data/lib/typhoeus/response.rb +34 -0
  87. data/lib/ui/cli/cli.rb +744 -0
  88. data/lib/ui/cli/output.rb +279 -0
  89. data/lib/ui/web/log.rb +82 -0
  90. data/lib/ui/web/output_stream.rb +94 -0
  91. data/lib/ui/web/report_manager.rb +222 -0
  92. data/lib/ui/web/server.rb +903 -0
  93. data/lib/ui/web/server/db/placeholder +0 -0
  94. data/lib/ui/web/server/public/banner.png +0 -0
  95. data/lib/ui/web/server/public/bodybg-small.png +0 -0
  96. data/lib/ui/web/server/public/bodybg.png +0 -0
  97. data/lib/ui/web/server/public/css/smoothness/images/pbar-ani.gif +0 -0
  98. data/lib/ui/web/server/public/css/smoothness/images/ui-bg_flat_0_aaaaaa_40x100.png +0 -0
  99. data/lib/ui/web/server/public/css/smoothness/images/ui-bg_flat_75_ffffff_40x100.png +0 -0
  100. data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_55_fbf9ee_1x400.png +0 -0
  101. data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_65_ffffff_1x400.png +0 -0
  102. data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_75_dadada_1x400.png +0 -0
  103. data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_75_e6e6e6_1x400.png +0 -0
  104. data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_95_fef1ec_1x400.png +0 -0
  105. data/lib/ui/web/server/public/css/smoothness/images/ui-bg_highlight-soft_75_cccccc_1x100.png +0 -0
  106. data/lib/ui/web/server/public/css/smoothness/images/ui-icons_222222_256x240.png +0 -0
  107. data/lib/ui/web/server/public/css/smoothness/images/ui-icons_2e83ff_256x240.png +0 -0
  108. data/lib/ui/web/server/public/css/smoothness/images/ui-icons_454545_256x240.png +0 -0
  109. data/lib/ui/web/server/public/css/smoothness/images/ui-icons_888888_256x240.png +0 -0
  110. data/lib/ui/web/server/public/css/smoothness/images/ui-icons_cd0a0a_256x240.png +0 -0
  111. data/lib/ui/web/server/public/css/smoothness/jquery-ui-1.8.9.custom.css +573 -0
  112. data/lib/ui/web/server/public/favicon.ico +0 -0
  113. data/lib/ui/web/server/public/footer.jpg +0 -0
  114. data/lib/ui/web/server/public/icons/error.png +0 -0
  115. data/lib/ui/web/server/public/icons/info.png +0 -0
  116. data/lib/ui/web/server/public/icons/ok.png +0 -0
  117. data/lib/ui/web/server/public/icons/status.png +0 -0
  118. data/lib/ui/web/server/public/js/jquery-1.4.4.min.js +167 -0
  119. data/lib/ui/web/server/public/js/jquery-ui-1.8.9.custom.min.js +781 -0
  120. data/lib/ui/web/server/public/logo.png +0 -0
  121. data/lib/ui/web/server/public/nav-left.jpg +0 -0
  122. data/lib/ui/web/server/public/nav-right.jpg +0 -0
  123. data/lib/ui/web/server/public/nav-selected-left.jpg +0 -0
  124. data/lib/ui/web/server/public/nav-selected-right.jpg +0 -0
  125. data/lib/ui/web/server/public/reports/placeholder +1 -0
  126. data/lib/ui/web/server/public/sidebar-bottom.jpg +0 -0
  127. data/lib/ui/web/server/public/sidebar-h4.jpg +0 -0
  128. data/lib/ui/web/server/public/sidebar-top.jpg +0 -0
  129. data/lib/ui/web/server/public/spider.png +0 -0
  130. data/lib/ui/web/server/public/style.css +604 -0
  131. data/lib/ui/web/server/tmp/placeholder +0 -0
  132. data/lib/ui/web/server/views/dispatcher.erb +85 -0
  133. data/lib/ui/web/server/views/dispatcher_error.erb +14 -0
  134. data/lib/ui/web/server/views/error.erb +1 -0
  135. data/lib/ui/web/server/views/flash.erb +18 -0
  136. data/lib/ui/web/server/views/home.erb +14 -0
  137. data/lib/ui/web/server/views/instance.erb +213 -0
  138. data/lib/ui/web/server/views/layout.erb +95 -0
  139. data/lib/ui/web/server/views/log.erb +40 -0
  140. data/lib/ui/web/server/views/modules.erb +71 -0
  141. data/lib/ui/web/server/views/options.erb +23 -0
  142. data/lib/ui/web/server/views/output_results.erb +51 -0
  143. data/lib/ui/web/server/views/plugins.erb +42 -0
  144. data/lib/ui/web/server/views/report_formats.erb +30 -0
  145. data/lib/ui/web/server/views/reports.erb +55 -0
  146. data/lib/ui/web/server/views/settings.erb +120 -0
  147. data/lib/ui/web/server/views/welcome.erb +38 -0
  148. data/lib/ui/xmlrpc/dispatcher_monitor.rb +204 -0
  149. data/lib/ui/xmlrpc/xmlrpc.rb +843 -0
  150. data/logs/placeholder +0 -0
  151. data/metamodules/autothrottle.rb +74 -0
  152. data/metamodules/timeout_notice.rb +118 -0
  153. data/metamodules/uniformity.rb +98 -0
  154. data/modules/audit/code_injection.rb +136 -0
  155. data/modules/audit/code_injection_timing.rb +115 -0
  156. data/modules/audit/code_injection_timing/payloads.txt +4 -0
  157. data/modules/audit/csrf.rb +301 -0
  158. data/modules/audit/ldapi.rb +103 -0
  159. data/modules/audit/ldapi/errors.txt +26 -0
  160. data/modules/audit/os_cmd_injection.rb +103 -0
  161. data/modules/audit/os_cmd_injection/payloads.txt +2 -0
  162. data/modules/audit/os_cmd_injection_timing.rb +104 -0
  163. data/modules/audit/os_cmd_injection_timing/payloads.txt +3 -0
  164. data/modules/audit/path_traversal.rb +141 -0
  165. data/modules/audit/response_splitting.rb +105 -0
  166. data/modules/audit/rfi.rb +193 -0
  167. data/modules/audit/sqli.rb +120 -0
  168. data/modules/audit/sqli/regexp_ids.txt +90 -0
  169. data/modules/audit/sqli_blind_rdiff.rb +321 -0
  170. data/modules/audit/sqli_blind_timing.rb +103 -0
  171. data/modules/audit/sqli_blind_timing/payloads.txt +51 -0
  172. data/modules/audit/trainer.rb +89 -0
  173. data/modules/audit/unvalidated_redirect.rb +90 -0
  174. data/modules/audit/xpath.rb +104 -0
  175. data/modules/audit/xpath/errors.txt +26 -0
  176. data/modules/audit/xss.rb +99 -0
  177. data/modules/audit/xss_event.rb +134 -0
  178. data/modules/audit/xss_path.rb +125 -0
  179. data/modules/audit/xss_script_tag.rb +112 -0
  180. data/modules/audit/xss_tag.rb +112 -0
  181. data/modules/audit/xss_uri.rb +125 -0
  182. data/modules/recon/allowed_methods.rb +104 -0
  183. data/modules/recon/backdoors.rb +131 -0
  184. data/modules/recon/backdoors/filenames.txt +16 -0
  185. data/modules/recon/backup_files.rb +177 -0
  186. data/modules/recon/backup_files/extensions.txt +28 -0
  187. data/modules/recon/common_directories.rb +138 -0
  188. data/modules/recon/common_directories/directories.txt +265 -0
  189. data/modules/recon/common_files.rb +138 -0
  190. data/modules/recon/common_files/filenames.txt +17 -0
  191. data/modules/recon/directory_listing.rb +171 -0
  192. data/modules/recon/grep/captcha.rb +62 -0
  193. data/modules/recon/grep/credit_card.rb +85 -0
  194. data/modules/recon/grep/cvs_svn_users.rb +73 -0
  195. data/modules/recon/grep/emails.rb +59 -0
  196. data/modules/recon/grep/html_objects.rb +53 -0
  197. data/modules/recon/grep/private_ip.rb +54 -0
  198. data/modules/recon/grep/ssn.rb +53 -0
  199. data/modules/recon/htaccess_limit.rb +82 -0
  200. data/modules/recon/http_put.rb +95 -0
  201. data/modules/recon/interesting_responses.rb +118 -0
  202. data/modules/recon/unencrypted_password_forms.rb +119 -0
  203. data/modules/recon/webdav.rb +126 -0
  204. data/modules/recon/xst.rb +107 -0
  205. data/path_extractors/anchors.rb +35 -0
  206. data/path_extractors/forms.rb +35 -0
  207. data/path_extractors/frames.rb +38 -0
  208. data/path_extractors/generic.rb +39 -0
  209. data/path_extractors/links.rb +35 -0
  210. data/path_extractors/meta_refresh.rb +39 -0
  211. data/path_extractors/scripts.rb +37 -0
  212. data/path_extractors/sitemap.rb +31 -0
  213. data/plugins/autologin.rb +137 -0
  214. data/plugins/content_types.rb +90 -0
  215. data/plugins/cookie_collector.rb +99 -0
  216. data/plugins/form_dicattack.rb +185 -0
  217. data/plugins/healthmap.rb +94 -0
  218. data/plugins/http_dicattack.rb +133 -0
  219. data/plugins/metamodules.rb +118 -0
  220. data/plugins/proxy.rb +248 -0
  221. data/plugins/proxy/server.rb +66 -0
  222. data/plugins/waf_detector.rb +184 -0
  223. data/profiles/comprehensive.afp +74 -0
  224. data/profiles/full.afp +75 -0
  225. data/reports/afr.rb +59 -0
  226. data/reports/ap.rb +55 -0
  227. data/reports/html.rb +179 -0
  228. data/reports/html/default.erb +967 -0
  229. data/reports/metareport.rb +139 -0
  230. data/reports/metareport/arachni_metareport.rb +174 -0
  231. data/reports/plugin_formatters/html/content_types.rb +82 -0
  232. data/reports/plugin_formatters/html/cookie_collector.rb +66 -0
  233. data/reports/plugin_formatters/html/form_dicattack.rb +54 -0
  234. data/reports/plugin_formatters/html/healthmap.rb +76 -0
  235. data/reports/plugin_formatters/html/http_dicattack.rb +54 -0
  236. data/reports/plugin_formatters/html/metaformatters/timeout_notice.rb +65 -0
  237. data/reports/plugin_formatters/html/metaformatters/uniformity.rb +71 -0
  238. data/reports/plugin_formatters/html/metamodules.rb +93 -0
  239. data/reports/plugin_formatters/html/waf_detector.rb +54 -0
  240. data/reports/plugin_formatters/stdout/content_types.rb +73 -0
  241. data/reports/plugin_formatters/stdout/cookie_collector.rb +61 -0
  242. data/reports/plugin_formatters/stdout/form_dicattack.rb +52 -0
  243. data/reports/plugin_formatters/stdout/healthmap.rb +72 -0
  244. data/reports/plugin_formatters/stdout/http_dicattack.rb +53 -0
  245. data/reports/plugin_formatters/stdout/metaformatters/timeout_notice.rb +55 -0
  246. data/reports/plugin_formatters/stdout/metaformatters/uniformity.rb +68 -0
  247. data/reports/plugin_formatters/stdout/metamodules.rb +89 -0
  248. data/reports/plugin_formatters/stdout/waf_detector.rb +48 -0
  249. data/reports/plugin_formatters/xml/content_types.rb +91 -0
  250. data/reports/plugin_formatters/xml/cookie_collector.rb +70 -0
  251. data/reports/plugin_formatters/xml/form_dicattack.rb +57 -0
  252. data/reports/plugin_formatters/xml/healthmap.rb +82 -0
  253. data/reports/plugin_formatters/xml/http_dicattack.rb +57 -0
  254. data/reports/plugin_formatters/xml/metaformatters/timeout_notice.rb +67 -0
  255. data/reports/plugin_formatters/xml/metaformatters/uniformity.rb +82 -0
  256. data/reports/plugin_formatters/xml/metamodules.rb +91 -0
  257. data/reports/plugin_formatters/xml/waf_detector.rb +58 -0
  258. data/reports/stdout.rb +182 -0
  259. data/reports/txt.rb +77 -0
  260. data/reports/xml.rb +231 -0
  261. data/reports/xml/buffer.rb +98 -0
  262. metadata +516 -0
@@ -0,0 +1,99 @@
1
+ =begin
2
+ Arachni
3
+ Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
4
+
5
+ This is free software; you can copy and distribute and modify
6
+ this program under the term of the GPL v2.0 License
7
+ (See LICENSE file for details)
8
+
9
+ =end
10
+
11
+ module Arachni
12
+
13
+ module Modules
14
+
15
+ #
16
+ # XSS audit module.<br/>
17
+ # It audits links, forms and cookies.
18
+ #
19
+ #
20
+ # @author: Tasos "Zapotek" Laskos
21
+ # <tasos.laskos@gmail.com>
22
+ # <zapotek@segfault.gr>
23
+ # @version: 0.2
24
+ #
25
+ # @see http://cwe.mitre.org/data/definitions/79.html
26
+ # @see http://ha.ckers.org/xss.html
27
+ # @see http://secunia.com/advisories/9716/
28
+ #
29
+ class XSS < Arachni::Module::Base
30
+
31
+ include Arachni::Module::Utilities
32
+
33
+ def initialize( page )
34
+ super( page )
35
+
36
+ @results = []
37
+ end
38
+
39
+ def prepare( )
40
+ @_injection_strs = [
41
+ '<arachni_xss_' + seed,
42
+ '<arachni_xss_\'";_' + seed,
43
+ ]
44
+ @_opts = {
45
+ :format => [ Format::APPEND | Format::NULL ],
46
+ :flip_param => true
47
+ }
48
+ end
49
+
50
+ def run( )
51
+ @_injection_strs.each {
52
+ |str|
53
+
54
+ opts = {
55
+ :match => str,
56
+ :substring => str
57
+ }.merge( @_opts )
58
+
59
+ audit( str, opts )
60
+ }
61
+ end
62
+
63
+ def self.info
64
+ {
65
+ :name => 'XSS',
66
+ :description => %q{Cross-Site Scripting module},
67
+ :elements => [
68
+ Issue::Element::FORM,
69
+ Issue::Element::LINK,
70
+ Issue::Element::COOKIE,
71
+ Issue::Element::HEADER
72
+ ],
73
+ :author => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
74
+ :version => '0.2',
75
+ :references => {
76
+ 'ha.ckers' => 'http://ha.ckers.org/xss.html',
77
+ 'Secunia' => 'http://secunia.com/advisories/9716/'
78
+ },
79
+ :targets => { 'Generic' => 'all' },
80
+ :issue => {
81
+ :name => %q{Cross-Site Scripting (XSS)},
82
+ :description => %q{Client-side code (like JavaScript) can
83
+ be injected into the web application which is then returned to the user's browser.
84
+ This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.},
85
+ :tags => [ 'xss', 'regexp', 'injection', 'script' ],
86
+ :cwe => '79',
87
+ :severity => Issue::Severity::HIGH,
88
+ :cvssv2 => '9.0',
89
+ :remedy_guidance => 'User inputs must be validated and filtered
90
+ before being returned as part of the HTML code of a page.',
91
+ :remedy_code => '',
92
+ }
93
+
94
+ }
95
+ end
96
+
97
+ end
98
+ end
99
+ end
@@ -0,0 +1,134 @@
1
+ =begin
2
+ Arachni
3
+ Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
4
+
5
+ This is free software; you can copy and distribute and modify
6
+ this program under the term of the GPL v2.0 License
7
+ (See LICENSE file for details)
8
+
9
+ =end
10
+
11
+ module Arachni
12
+
13
+ module Modules
14
+
15
+ #
16
+ # XSS in HTML element event attribute. <br/>
17
+ # It injects a string and checks if it appears inside an event attribute of any HTML tag.
18
+ #
19
+ # @author: Tasos "Zapotek" Laskos
20
+ # <tasos.laskos@gmail.com>
21
+ # <zapotek@segfault.gr>
22
+ # @version: 0.1.1
23
+ #
24
+ # @see http://cwe.mitre.org/data/definitions/79.html
25
+ # @see http://ha.ckers.org/xss.html
26
+ # @see http://secunia.com/advisories/9716/
27
+ #
28
+ class XSSEvent < Arachni::Module::Base
29
+
30
+ include Arachni::Module::Utilities
31
+
32
+ EVENT_ATTRS = [
33
+ 'onload',
34
+ 'onunload',
35
+ 'onblur',
36
+ 'onchange',
37
+ 'onfocus',
38
+ 'onreset',
39
+ 'onselect',
40
+ 'onsubmit',
41
+ 'onabort',
42
+ 'onkeydown',
43
+ 'onkeypress',
44
+ 'onkeyup',
45
+ 'onclick',
46
+ 'ondblclick',
47
+ 'onmousedown',
48
+ 'onmousemove',
49
+ 'onmouseout',
50
+ 'onmouseover',
51
+ 'onmouseup',
52
+ 'src' # not an event but it fits the module structure
53
+ ]
54
+
55
+ def initialize( page )
56
+ super( page )
57
+ end
58
+
59
+ def prepare( )
60
+ @_injection_strs = [
61
+ ";arachni_xss_in_element_event=" + seed + '//',
62
+ "\";arachni_xss_in_element_event=" + seed + '//',
63
+ "';arachni_xss_in_element_event=" + seed + '//',
64
+ ]
65
+
66
+ @_opts = {
67
+ :format => [ Format::APPEND ],
68
+ }
69
+ end
70
+
71
+ def run( )
72
+ @_injection_strs.each {
73
+ |str|
74
+ audit( str, @_opts ) {
75
+ |res, opts|
76
+ log( opts, res ) if !( opts[:id] = _check( res, opts[:injected] ) ).empty?
77
+ }
78
+ }
79
+ end
80
+
81
+ def _check( res, injected_str )
82
+ return [] if !res.body || !res.body.substring?( injected_str )
83
+
84
+ doc = Nokogiri::HTML( res.body )
85
+ EVENT_ATTRS.each {
86
+ |attr|
87
+ doc.xpath("//*[@#{attr}]").each {
88
+ |elem|
89
+ if elem.attributes[attr].to_s.substring?( injected_str )
90
+ return elem.to_s
91
+ end
92
+ }
93
+ }
94
+
95
+ return []
96
+ end
97
+
98
+ def self.info
99
+ {
100
+ :name => 'XSS in HTML element event attribute',
101
+ :description => %q{Cross-Site Scripting in event tag of HTML element.},
102
+ :elements => [
103
+ Issue::Element::FORM,
104
+ Issue::Element::LINK,
105
+ Issue::Element::COOKIE,
106
+ Issue::Element::HEADER
107
+ ],
108
+ :author => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
109
+ :version => '0.1.1',
110
+ :references => {
111
+ 'ha.ckers' => 'http://ha.ckers.org/xss.html',
112
+ 'Secunia' => 'http://secunia.com/advisories/9716/'
113
+ },
114
+ :targets => { 'Generic' => 'all' },
115
+ :issue => {
116
+ :name => %q{Cross-Site Scripting in event tag of HTML element.},
117
+ :description => %q{Unvalidated user input is being embedded inside an HMTL event element such as "onmouseover".
118
+ This makes Cross-Site Scripting attacks much easier to mount since the user input
119
+ lands in code waiting to be executed.},
120
+ :tags => [ 'xss', 'event', 'injection', 'regexp', 'dom', 'attribute' ],
121
+ :cwe => '79',
122
+ :severity => Issue::Severity::HIGH,
123
+ :cvssv2 => '9.0',
124
+ :remedy_guidance => 'User inputs must be validated and filtered
125
+ before being included in executable code or not be included at all.',
126
+ :remedy_code => '',
127
+ }
128
+
129
+ }
130
+ end
131
+
132
+ end
133
+ end
134
+ end
@@ -0,0 +1,125 @@
1
+ =begin
2
+ Arachni
3
+ Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
4
+
5
+ This is free software; you can copy and distribute and modify
6
+ this program under the term of the GPL v2.0 License
7
+ (See LICENSE file for details)
8
+
9
+ =end
10
+
11
+ module Arachni
12
+
13
+ module Modules
14
+
15
+ #
16
+ # XSS in path audit module.
17
+ #
18
+ # @author: Tasos "Zapotek" Laskos
19
+ # <tasos.laskos@gmail.com>
20
+ # <zapotek@segfault.gr>
21
+ # @version: 0.1.2
22
+ #
23
+ # @see http://cwe.mitre.org/data/definitions/79.html
24
+ # @see http://ha.ckers.org/xss.html
25
+ # @see http://secunia.com/advisories/9716/
26
+ #
27
+ class XSSPath < Arachni::Module::Base
28
+
29
+ include Arachni::Module::Utilities
30
+
31
+ def initialize( page )
32
+ super( page )
33
+
34
+ @results = []
35
+ end
36
+
37
+ def prepare( )
38
+ @str = '/<arachni_xss_path_' + seed
39
+ @__injection_strs = [
40
+ @str,
41
+ '?>"\'>' + @str,
42
+ '?=>"\'>' + @str
43
+ ]
44
+ end
45
+
46
+ def run( )
47
+
48
+ path = get_path( @page.url )
49
+
50
+ @__injection_strs.each {
51
+ |str|
52
+
53
+ url = path + str
54
+ req = @http.get( url )
55
+
56
+ req.on_complete {
57
+ |res|
58
+ __log_results( res, str )
59
+ }
60
+ }
61
+
62
+ end
63
+
64
+
65
+ def self.info
66
+ {
67
+ :name => 'XSSPath',
68
+ :description => %q{Cross-Site Scripting module for path injection},
69
+ :elements => [ ],
70
+ :author => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
71
+ :version => '0.1.2',
72
+ :references => {
73
+ 'ha.ckers' => 'http://ha.ckers.org/xss.html',
74
+ 'Secunia' => 'http://secunia.com/advisories/9716/'
75
+ },
76
+ :targets => { 'Generic' => 'all' },
77
+ :issue => {
78
+ :name => %q{Cross-Site Scripting (XSS) in path},
79
+ :description => %q{Client-side code, like JavaScript, can
80
+ be injected into the web application.},
81
+ :tags => [ 'xss', 'path', 'injection', 'regexp' ],
82
+ :cwe => '79',
83
+ :severity => Issue::Severity::HIGH,
84
+ :cvssv2 => '9.0',
85
+ :remedy_guidance => '',
86
+ :remedy_code => '',
87
+ }
88
+
89
+ }
90
+ end
91
+
92
+ def __log_results( res, id )
93
+
94
+ if res.body.substring?( id )
95
+
96
+ url = res.effective_url
97
+ # append the result to the results hash
98
+ @results << Issue.new( {
99
+ :var => 'n/a',
100
+ :url => url,
101
+ :injected => id,
102
+ :id => id,
103
+ :regexp => 'n/a',
104
+ :regexp_match => 'n/a',
105
+ :elem => Issue::Element::LINK,
106
+ :response => res.body,
107
+ :headers => {
108
+ :request => res.request.headers,
109
+ :response => res.headers,
110
+ }
111
+ }.merge( self.class.info ) )
112
+
113
+ # inform the user that we have a match
114
+ print_ok( "Match at #{url}" )
115
+ print_verbose( "Inected string: #{id}" )
116
+
117
+ # register our results with the system
118
+ register_results( @results )
119
+ end
120
+ end
121
+
122
+
123
+ end
124
+ end
125
+ end
@@ -0,0 +1,112 @@
1
+ =begin
2
+ Arachni
3
+ Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
4
+
5
+ This is free software; you can copy and distribute and modify
6
+ this program under the term of the GPL v2.0 License
7
+ (See LICENSE file for details)
8
+
9
+ =end
10
+
11
+ module Arachni
12
+
13
+ module Modules
14
+
15
+ #
16
+ # XSS in HTML script tag. <br/>
17
+ # It injects strings and checks if they appear inside HTML 'script' tags.
18
+ #
19
+ # @author: Tasos "Zapotek" Laskos
20
+ # <tasos.laskos@gmail.com>
21
+ # <zapotek@segfault.gr>
22
+ # @version: 0.1.1
23
+ #
24
+ # @see http://cwe.mitre.org/data/definitions/79.html
25
+ # @see http://ha.ckers.org/xss.html
26
+ # @see http://secunia.com/advisories/9716/
27
+ #
28
+ class XSSScriptTag < Arachni::Module::Base
29
+
30
+ include Arachni::Module::Utilities
31
+
32
+ def initialize( page )
33
+ super( page )
34
+ end
35
+
36
+ def prepare( )
37
+ @_injection_strs = [
38
+ "arachni_xss_in_script_tag_" + seed + "",
39
+ "\"arachni_xss_in_script_tag_" + seed + "\"",
40
+ "'arachni_xss_in_script_tag_" + seed + "'"
41
+ ]
42
+
43
+ @_opts = {
44
+ :format => [ Format::APPEND ],
45
+ }
46
+ end
47
+
48
+ def run( )
49
+ @_injection_strs.each {
50
+ |str|
51
+ audit( str, @_opts ) {
52
+ |res, opts|
53
+ _log( res, opts )
54
+ }
55
+ }
56
+ end
57
+
58
+ def _log( res, opts )
59
+ # if we have no body or it doesn't contain the injected string under any
60
+ # context there's no point in parsing the HMTL to verify the vulnerability
61
+ return if !res.body || !res.body.substring?( opts[:injected] )
62
+
63
+ begin
64
+ doc = Nokogiri::HTML( res.body )
65
+
66
+ # see if we managed to inject a working HTML attribute to any
67
+ # elements
68
+ if !(html_elem = doc.xpath("//script")).empty? &&
69
+ html_elem.to_s.substring?( opts[:injected] )
70
+ opts[:match] = html_elem.to_s
71
+ log( opts, res )
72
+ end
73
+ end
74
+ end
75
+
76
+ def self.info
77
+ {
78
+ :name => 'XSS in HTML "script" tag',
79
+ :description => %q{Injects strings and checks if they appear inside HTML 'script' tags.},
80
+ :elements => [
81
+ Issue::Element::FORM,
82
+ Issue::Element::LINK,
83
+ Issue::Element::COOKIE,
84
+ Issue::Element::HEADER
85
+ ],
86
+ :author => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
87
+ :version => '0.1.1',
88
+ :references => {
89
+ 'ha.ckers' => 'http://ha.ckers.org/xss.html',
90
+ 'Secunia' => 'http://secunia.com/advisories/9716/'
91
+ },
92
+ :targets => { 'Generic' => 'all' },
93
+ :issue => {
94
+ :name => %q{Cross-Site Scripting in HTML "script" tag.},
95
+ :description => %q{Unvalidated user input is being embedded inside a <script> element.
96
+ This makes Cross-Site Scripting attacks much easier to mount since user input lands inside
97
+ a trusted script.},
98
+ :tags => [ 'xss', 'script', 'tag', 'regexp', 'dom', 'attribute', 'injection' ],
99
+ :cwe => '79',
100
+ :severity => Issue::Severity::HIGH,
101
+ :cvssv2 => '9.0',
102
+ :remedy_guidance => 'User inputs must be validated and filtered
103
+ before being included in executable code or not be included at all.',
104
+ :remedy_code => '',
105
+ }
106
+
107
+ }
108
+ end
109
+
110
+ end
111
+ end
112
+ end