arachni 0.4.0.4 → 0.4.1
Sign up to get free protection for your applications and to get access to all the features.
- data/ACKNOWLEDGMENTS.md +2 -2
- data/AUTHORS.md +1 -4
- data/CHANGELOG.md +102 -3
- data/CONTRIBUTORS.md +4 -1
- data/EXPLOITATION.md +6 -6
- data/Gemfile +3 -0
- data/HACKING.md +29 -10
- data/LICENSE.md +176 -339
- data/NOTICE +12 -0
- data/README.md +160 -119
- data/Rakefile +83 -45
- data/arachni.gemspec +124 -0
- data/bin/arachni +14 -8
- data/bin/arachni_console +52 -0
- data/bin/arachni_rpc +14 -8
- data/bin/arachni_rpcd +15 -9
- data/bin/arachni_rpcd_monitor +14 -8
- data/bin/arachni_script +41 -0
- data/bin/arachni_web +18 -19
- data/bin/arachni_web_autostart +17 -18
- data/external/metasploit/plugins/arachni.rb +7 -9
- data/external/metasploit/{LICENSE → plugins/arachni/LICENSE} +0 -0
- data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_exec.rb +1 -1
- data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_path_traversal.rb +2 -2
- data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_php_eval.rb +1 -1
- data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_php_include.rb +1 -1
- data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_sqlmap.rb +2 -2
- data/external/scripts/LICENSE.tpl +174 -0
- data/external/scripts/README.md +95 -0
- data/external/scripts/README.tpl +30 -0
- data/external/scripts/build.sh +631 -0
- data/external/scripts/build_all.sh +29 -0
- data/external/scripts/build_and_package.sh +100 -0
- data/external/scripts/cross_build_and_package.sh +20 -0
- data/external/scripts/installer.sh.tpl +166 -0
- data/external/scripts/lib/readlink_f.sh +40 -0
- data/external/scripts/package.sh +134 -0
- data/external/scripts/push_nightlies.sh +125 -0
- data/extras/placeholder +0 -0
- data/gfx/README.md +18 -0
- data/gfx/compiled/banner.png +0 -0
- data/gfx/compiled/favicon.ico +0 -0
- data/gfx/compiled/icon.png +0 -0
- data/gfx/compiled/logo.png +0 -0
- data/gfx/compiled/spider.png +0 -0
- data/gfx/font/Beneath_the_Surface.ttf +0 -0
- data/gfx/font/bts_readme.txt +14 -0
- data/gfx/source/banner.svg +999 -0
- data/gfx/source/icon.svg +627 -0
- data/gfx/source/logo.svg +672 -0
- data/gfx/source/spider.png +0 -0
- data/gfx/source/spider.svg +277 -0
- data/lib/arachni.rb +30 -5
- data/lib/arachni/audit_store.rb +111 -143
- data/lib/arachni/banner.rb +37 -0
- data/lib/arachni/bloom_filter.rb +74 -0
- data/lib/arachni/cache.rb +21 -0
- data/lib/arachni/cache/base.rb +170 -0
- data/lib/arachni/cache/least_cost_replacement.rb +89 -0
- data/lib/arachni/cache/least_recently_used.rb +73 -0
- data/lib/arachni/cache/random_replacement.rb +52 -0
- data/lib/arachni/component/manager.rb +391 -0
- data/lib/arachni/component/options.rb +38 -0
- data/lib/arachni/component/options/address.rb +41 -0
- data/lib/arachni/component/options/base.rb +126 -0
- data/lib/arachni/component/options/bool.rb +55 -0
- data/lib/arachni/component/options/enum.rb +51 -0
- data/lib/arachni/component/options/float.rb +45 -0
- data/lib/arachni/component/options/int.rb +44 -0
- data/lib/arachni/component/options/path.rb +36 -0
- data/lib/arachni/component/options/port.rb +37 -0
- data/lib/arachni/component/options/string.rb +44 -0
- data/lib/arachni/component/options/url.rb +42 -0
- data/lib/arachni/crypto/rsa_aes_cbc.rb +14 -8
- data/lib/arachni/database.rb +4 -4
- data/lib/arachni/database/base.rb +14 -8
- data/lib/arachni/database/hash.rb +21 -12
- data/lib/arachni/database/queue.rb +15 -9
- data/lib/arachni/element/base.rb +147 -0
- data/lib/arachni/element/capabilities/auditable.rb +623 -0
- data/lib/arachni/element/capabilities/auditable/rdiff.rb +243 -0
- data/lib/arachni/element/capabilities/auditable/taint.rb +141 -0
- data/lib/arachni/element/capabilities/auditable/timeout.rb +330 -0
- data/lib/arachni/element/capabilities/body.rb +19 -0
- data/lib/arachni/element/capabilities/mutable.rb +286 -0
- data/lib/arachni/element/capabilities/path.rb +19 -0
- data/lib/arachni/element/capabilities/refreshable.rb +48 -0
- data/lib/arachni/element/capabilities/server.rb +19 -0
- data/lib/arachni/element/cookie.rb +1043 -0
- data/lib/arachni/element/form.rb +1364 -0
- data/lib/arachni/element/header.rb +87 -0
- data/lib/arachni/element/link.rb +227 -0
- data/lib/arachni/exceptions.rb +12 -34
- data/lib/arachni/framework.rb +345 -436
- data/lib/arachni/http.rb +445 -409
- data/lib/arachni/http/cookie_jar.rb +163 -0
- data/lib/arachni/issue.rb +102 -65
- data/lib/arachni/mixins/observable.rb +25 -28
- data/lib/arachni/mixins/progress_bar.rb +11 -5
- data/lib/arachni/mixins/terminal.rb +17 -11
- data/lib/arachni/module.rb +4 -4
- data/lib/arachni/module/auditor.rb +270 -793
- data/lib/arachni/module/base.rb +107 -101
- data/lib/arachni/module/element_db.rb +54 -59
- data/lib/arachni/module/key_filler.rb +35 -35
- data/lib/arachni/module/manager.rb +178 -68
- data/lib/arachni/module/output.rb +25 -30
- data/lib/arachni/module/trainer.rb +85 -156
- data/lib/arachni/module/utilities.rb +29 -138
- data/lib/arachni/options.rb +496 -162
- data/lib/arachni/page.rb +186 -0
- data/lib/arachni/parser.rb +392 -2
- data/lib/arachni/plugin.rb +4 -4
- data/lib/arachni/plugin/base.rb +113 -44
- data/lib/arachni/plugin/manager.rb +120 -54
- data/lib/arachni/report.rb +4 -4
- data/lib/arachni/report/base.rb +59 -44
- data/lib/arachni/report/manager.rb +33 -32
- data/lib/arachni/rpc/client.rb +2 -0
- data/lib/arachni/rpc/client/base.rb +31 -18
- data/lib/arachni/rpc/client/dispatcher.rb +24 -11
- data/lib/arachni/rpc/client/instance.rb +24 -11
- data/lib/arachni/rpc/server/base.rb +12 -9
- data/lib/arachni/rpc/server/dispatcher.rb +161 -164
- data/lib/arachni/rpc/server/dispatcher/handler.rb +164 -0
- data/lib/arachni/rpc/server/{node.rb → dispatcher/node.rb} +86 -104
- data/lib/arachni/rpc/server/distributor.rb +432 -0
- data/lib/arachni/rpc/server/framework.rb +266 -758
- data/lib/arachni/rpc/server/instance.rb +38 -53
- data/lib/arachni/rpc/server/module/manager.rb +17 -20
- data/lib/arachni/rpc/server/output.rb +73 -179
- data/lib/arachni/rpc/server/plugin/manager.rb +58 -24
- data/lib/arachni/ruby.rb +6 -4
- data/lib/arachni/ruby/array.rb +30 -9
- data/lib/arachni/ruby/enumerable.rb +29 -0
- data/lib/arachni/ruby/object.rb +47 -12
- data/lib/arachni/ruby/string.rb +69 -24
- data/lib/arachni/ruby/webrick.rb +31 -0
- data/lib/arachni/session.rb +279 -0
- data/lib/arachni/spider.rb +295 -149
- data/lib/arachni/typhoeus/hydra.rb +18 -4
- data/lib/arachni/typhoeus/request.rb +52 -65
- data/lib/arachni/typhoeus/response.rb +62 -22
- data/lib/arachni/typhoeus/utils.rb +25 -0
- data/lib/arachni/ui/cli/cli.rb +331 -298
- data/lib/arachni/ui/cli/output.rb +105 -77
- data/lib/arachni/ui/foo/output.rb +116 -0
- data/lib/arachni/ui/rpc/dispatcher_monitor.rb +5 -12
- data/lib/arachni/ui/rpc/rpc.rb +43 -48
- data/lib/arachni/ui/web/addon_manager.rb +18 -13
- data/lib/arachni/ui/web/addons/sample.rb +14 -8
- data/lib/arachni/ui/web/addons/scheduler.rb +14 -8
- data/lib/arachni/ui/web/addons/scheduler/views/index.erb +1 -1
- data/lib/arachni/ui/web/addons/scheduler/views/options.erb +0 -3
- data/lib/arachni/ui/web/dispatcher_manager.rb +14 -9
- data/lib/arachni/ui/web/instance_manager.rb +14 -8
- data/lib/arachni/ui/web/log.rb +14 -10
- data/lib/arachni/ui/web/output_stream.rb +11 -5
- data/lib/arachni/ui/web/report_manager.rb +14 -10
- data/lib/arachni/ui/web/scheduler.rb +16 -11
- data/lib/arachni/ui/web/server.rb +62 -56
- data/lib/arachni/ui/web/server/public/style.css +1 -1
- data/lib/arachni/ui/web/server/views/addon.erb +1 -1
- data/lib/arachni/ui/web/server/views/dispatchers.erb +3 -3
- data/lib/arachni/ui/web/server/views/dispatchers_edit.erb +2 -2
- data/lib/arachni/ui/web/server/views/error.erb +1 -1
- data/lib/arachni/ui/web/server/views/home.erb +2 -2
- data/lib/arachni/ui/web/server/views/instance.erb +6 -6
- data/lib/arachni/ui/web/server/views/layout.erb +4 -4
- data/lib/arachni/ui/web/server/views/settings.erb +13 -8
- data/lib/arachni/ui/web/server/views/welcome.erb +1 -1
- data/lib/arachni/ui/web/utilities.rb +24 -35
- data/lib/arachni/uri.rb +619 -0
- data/lib/arachni/utilities.rb +316 -0
- data/lib/arachni/version.rb +12 -6
- data/lib/version +1 -0
- data/modules/audit/code_injection.rb +64 -81
- data/modules/audit/code_injection_timing.rb +57 -75
- data/modules/audit/csrf.rb +87 -185
- data/modules/audit/ldapi.rb +42 -67
- data/modules/audit/os_cmd_injection.rb +53 -71
- data/modules/audit/os_cmd_injection/payloads.txt +1 -1
- data/modules/audit/os_cmd_injection_timing.rb +54 -75
- data/modules/audit/os_cmd_injection_timing/payloads.txt +1 -3
- data/modules/audit/path_traversal.rb +84 -110
- data/modules/audit/response_splitting.rb +41 -53
- data/modules/audit/rfi.rb +68 -76
- data/modules/audit/session_fixation.rb +86 -0
- data/modules/audit/sqli.rb +51 -77
- data/modules/audit/sqli/regexp_ids.txt +5 -19
- data/modules/audit/sqli/regexp_ignore.txt +2 -0
- data/modules/audit/sqli_blind_rdiff.rb +51 -62
- data/modules/audit/sqli_blind_timing.rb +53 -73
- data/modules/audit/trainer.rb +21 -58
- data/modules/audit/unvalidated_redirect.rb +41 -51
- data/modules/audit/xpath.rb +38 -69
- data/modules/audit/xpath/errors.txt +2 -3
- data/modules/audit/xss.rb +65 -69
- data/modules/audit/xss_event.rb +50 -69
- data/modules/audit/xss_path.rb +63 -89
- data/modules/audit/xss_script_tag.rb +53 -66
- data/modules/audit/xss_tag.rb +46 -65
- data/modules/audit/xss_uri.rb +22 -24
- data/modules/recon/allowed_methods.rb +46 -62
- data/modules/recon/backdoors.rb +39 -66
- data/modules/recon/backup_files.rb +49 -79
- data/modules/recon/common_directories.rb +39 -63
- data/modules/recon/common_directories/directories.txt +0 -5
- data/modules/recon/common_files.rb +34 -63
- data/modules/recon/directory_listing.rb +66 -116
- data/modules/recon/grep/captcha.rb +34 -41
- data/modules/recon/grep/credit_card.rb +57 -68
- data/modules/recon/grep/cvs_svn_users.rb +40 -50
- data/modules/recon/grep/emails.rb +34 -41
- data/modules/recon/grep/html_objects.rb +30 -33
- data/modules/recon/grep/http_only_cookies.rb +57 -0
- data/modules/recon/grep/insecure_cookies.rb +55 -0
- data/modules/recon/grep/mixed_resource.rb +93 -0
- data/modules/recon/grep/private_ip.rb +34 -32
- data/modules/recon/grep/ssn.rb +33 -31
- data/modules/recon/grep/unencrypted_password_forms.rb +84 -0
- data/modules/recon/htaccess_limit.rb +38 -54
- data/modules/recon/http_put.rb +48 -62
- data/modules/recon/interesting_responses.rb +77 -79
- data/modules/recon/webdav.rb +53 -79
- data/modules/recon/xst.rb +44 -63
- data/modules/test2.rb +46 -0
- data/path_extractors/anchors.rb +17 -15
- data/path_extractors/forms.rb +17 -15
- data/path_extractors/frames.rb +17 -18
- data/path_extractors/generic.rb +52 -55
- data/path_extractors/links.rb +16 -14
- data/path_extractors/meta_refresh.rb +33 -18
- data/path_extractors/scripts.rb +17 -15
- data/plugins/autologin.rb +60 -85
- data/plugins/beep_notify.rb +25 -27
- data/plugins/cookie_collector.rb +28 -45
- data/plugins/defaults/autothrottle.rb +43 -51
- data/plugins/defaults/content_types.rb +63 -52
- data/plugins/defaults/healthmap.rb +45 -62
- data/plugins/defaults/{metamodules → meta}/remedies/discovery.rb +34 -69
- data/plugins/defaults/meta/remedies/manual_verification.rb +61 -0
- data/plugins/defaults/meta/remedies/timing_attacks.rb +108 -0
- data/plugins/defaults/meta/uniformity.rb +81 -0
- data/plugins/defaults/profiler.rb +68 -115
- data/plugins/defaults/resolver.rb +33 -28
- data/plugins/email_notify.rb +60 -62
- data/plugins/form_dicattack.rb +67 -121
- data/plugins/http_dicattack.rb +51 -65
- data/plugins/libnotify.rb +37 -41
- data/plugins/proxy.rb +407 -152
- data/plugins/proxy/panel/403_forbidden.html.erb +11 -0
- data/plugins/proxy/panel/404_not_found.html.erb +6 -0
- data/plugins/proxy/panel/css/bootstrap.min.css +9 -0
- data/plugins/proxy/panel/css/panel.css +30 -0
- data/plugins/proxy/panel/help.html.erb +66 -0
- data/plugins/proxy/panel/img/glyphicons-halflings-white.png +0 -0
- data/plugins/proxy/panel/img/glyphicons-halflings.png +0 -0
- data/plugins/proxy/panel/img/record.png +0 -0
- data/plugins/proxy/panel/inspect.html.erb +7 -0
- data/plugins/proxy/panel/js/bootstrap.min.js +6 -0
- data/plugins/proxy/panel/js/jquery.min.js +2 -0
- data/plugins/proxy/panel/js/panel.js +39 -0
- data/plugins/proxy/panel/layout.html.erb +25 -0
- data/plugins/proxy/panel/page_accordion.html.erb +67 -0
- data/plugins/proxy/panel/page_twin_accordion.html.erb +18 -0
- data/plugins/proxy/panel/panel.html.erb +63 -0
- data/plugins/proxy/panel/shutdown_message.html.erb +7 -0
- data/plugins/proxy/panel/verify_login_check.html.erb +31 -0
- data/plugins/proxy/panel/verify_login_final.html.erb +26 -0
- data/plugins/proxy/panel/verify_login_sequence.html.erb +45 -0
- data/plugins/proxy/server.rb +175 -47
- data/plugins/proxy/ssl-interceptor-cert.pem +34 -0
- data/plugins/proxy/ssl-interceptor-pkey.pem +51 -0
- data/plugins/rescan.rb +27 -28
- data/plugins/script.rb +53 -0
- data/plugins/vector_feed.rb +226 -0
- data/plugins/waf_detector.rb +70 -73
- data/reports/afr.rb +23 -24
- data/reports/ap.rb +25 -36
- data/reports/html.rb +109 -163
- data/reports/html/default.erb +13 -12
- data/reports/html/default/configuration.erb +21 -21
- data/reports/html/default/css/main.css +350 -350
- data/reports/html/default/issues.erb +1 -1
- data/reports/html/default/js/charts.js +2 -2
- data/reports/html/default/js/helpers.js +0 -42
- data/reports/html/default/js/init.js +0 -1
- data/reports/html/default/sitemap.erb +2 -2
- data/reports/html/default/summary.erb +4 -4
- data/reports/html/default/summary_issue.erb +1 -1
- data/reports/json.rb +26 -28
- data/reports/marshal.rb +23 -25
- data/reports/metareport.rb +65 -98
- data/reports/plugin_formatters/html/autologin.rb +34 -41
- data/reports/plugin_formatters/html/content_types.rb +46 -52
- data/reports/plugin_formatters/html/cookie_collector.rb +41 -47
- data/reports/plugin_formatters/html/discovery.rb +36 -41
- data/reports/plugin_formatters/html/form_dicattack.rb +28 -34
- data/reports/plugin_formatters/html/healthmap.rb +48 -55
- data/reports/plugin_formatters/html/http_dicattack.rb +28 -34
- data/reports/plugin_formatters/html/profiler.rb +26 -30
- data/reports/plugin_formatters/html/profiler/template.erb +7 -7
- data/reports/plugin_formatters/html/resolver.rb +44 -52
- data/reports/plugin_formatters/html/timing_attacks.rb +42 -44
- data/reports/plugin_formatters/html/uniformity.rb +37 -42
- data/reports/plugin_formatters/html/waf_detector.rb +26 -34
- data/reports/plugin_formatters/stdout/autologin.rb +28 -40
- data/reports/plugin_formatters/stdout/content_types.rb +36 -53
- data/reports/plugin_formatters/stdout/cookie_collector.rb +28 -41
- data/reports/plugin_formatters/stdout/discovery.rb +27 -37
- data/reports/plugin_formatters/stdout/form_dicattack.rb +22 -35
- data/reports/plugin_formatters/stdout/healthmap.rb +40 -57
- data/reports/plugin_formatters/stdout/http_dicattack.rb +22 -36
- data/reports/plugin_formatters/stdout/profiler.rb +55 -74
- data/reports/plugin_formatters/stdout/resolver.rb +18 -34
- data/reports/plugin_formatters/stdout/timing_attacks.rb +27 -39
- data/reports/plugin_formatters/stdout/uniformity.rb +32 -44
- data/reports/plugin_formatters/stdout/waf_detector.rb +20 -32
- data/reports/plugin_formatters/xml/autologin.rb +27 -49
- data/reports/plugin_formatters/xml/content_types.rb +41 -66
- data/reports/plugin_formatters/xml/cookie_collector.rb +29 -49
- data/reports/plugin_formatters/xml/discovery.rb +23 -41
- data/reports/plugin_formatters/xml/form_dicattack.rb +22 -40
- data/reports/plugin_formatters/xml/healthmap.rb +44 -63
- data/reports/plugin_formatters/xml/http_dicattack.rb +22 -41
- data/reports/plugin_formatters/xml/profiler.rb +65 -89
- data/reports/plugin_formatters/xml/resolver.rb +21 -41
- data/reports/plugin_formatters/xml/timing_attacks.rb +27 -45
- data/reports/plugin_formatters/xml/uniformity.rb +36 -55
- data/reports/plugin_formatters/xml/waf_detector.rb +23 -42
- data/reports/stdout.rb +120 -121
- data/reports/txt.rb +29 -45
- data/reports/xml.rb +109 -148
- data/reports/xml/buffer.rb +66 -79
- data/reports/yaml.rb +26 -28
- data/rpcd_handlers/placeholder +0 -0
- data/spec/arachni/audit_store_spec.rb +223 -0
- data/spec/arachni/bloom_filter_spec.rb +76 -0
- data/spec/arachni/cache/base_spec.rb +275 -0
- data/spec/arachni/cache/least_cost_replacement_spec.rb +58 -0
- data/spec/arachni/cache/least_recently_used_spec.rb +91 -0
- data/spec/arachni/cache/random_replacement_spec.rb +43 -0
- data/spec/arachni/component/manager_spec.rb +448 -0
- data/spec/arachni/component/options/address_spec.rb +32 -0
- data/spec/arachni/component/options/base_spec.rb +105 -0
- data/spec/arachni/component/options/bool_spec.rb +67 -0
- data/spec/arachni/component/options/enum_spec.rb +51 -0
- data/spec/arachni/component/options/float_spec.rb +42 -0
- data/spec/arachni/component/options/int_spec.rb +46 -0
- data/spec/arachni/component/options/path_spec.rb +32 -0
- data/spec/arachni/component/options/port_spec.rb +38 -0
- data/spec/arachni/component/options/string_spec.rb +38 -0
- data/spec/arachni/component/options/url_spec.rb +36 -0
- data/spec/arachni/crypto/rsa_aes_cbc_spec.rb +31 -0
- data/spec/arachni/database/hash_spec.rb +217 -0
- data/spec/arachni/database/queue_spec.rb +52 -0
- data/spec/arachni/element/base_spec.rb +127 -0
- data/spec/arachni/element/body_spec.rb +9 -0
- data/spec/arachni/element/capabilities/auditable/rdiff_spec.rb +47 -0
- data/spec/arachni/element/capabilities/auditable/taint_spec.rb +110 -0
- data/spec/arachni/element/capabilities/auditable/timeout_spec.rb +107 -0
- data/spec/arachni/element/capabilities/mutable_spec.rb +261 -0
- data/spec/arachni/element/cookie_spec.rb +362 -0
- data/spec/arachni/element/form_spec.rb +668 -0
- data/spec/arachni/element/header_spec.rb +49 -0
- data/spec/arachni/element/link_spec.rb +220 -0
- data/spec/arachni/element/path_spec.rb +9 -0
- data/spec/arachni/element/server_spec.rb +9 -0
- data/spec/arachni/framework_spec.rb +860 -0
- data/spec/arachni/http/cookie_jar_spec.rb +267 -0
- data/spec/arachni/http_spec.rb +991 -0
- data/spec/arachni/issue_spec.rb +307 -0
- data/spec/arachni/mixins/observable_spec.rb +59 -0
- data/spec/arachni/mixins/progress_bar_spec.rb +41 -0
- data/spec/arachni/module/auditor_spec.rb +506 -0
- data/spec/arachni/module/element_db_spec.rb +131 -0
- data/spec/arachni/module/key_filler.rb +15 -0
- data/spec/arachni/module/manager_spec.rb +154 -0
- data/spec/arachni/module/trainer_spec.rb +102 -0
- data/spec/arachni/module/utilities_spec.rb +30 -0
- data/spec/arachni/module/utilities_spec/read_file.txt +3 -0
- data/spec/arachni/options_spec.rb +555 -0
- data/spec/arachni/page_spec.rb +290 -0
- data/spec/arachni/parser_spec.rb +508 -0
- data/spec/arachni/plugin/manager_spec.rb +174 -0
- data/spec/arachni/report/base_spec.rb +53 -0
- data/spec/arachni/report/manager_spec.rb +82 -0
- data/spec/arachni/rpc/client/base_spec.rb +157 -0
- data/spec/arachni/rpc/client/dispatcher_spec.rb +40 -0
- data/spec/arachni/rpc/client/instance_spec.rb +92 -0
- data/spec/arachni/rpc/server/base_spec.rb +40 -0
- data/spec/arachni/rpc/server/dispatcher/handler.rb +120 -0
- data/spec/arachni/rpc/server/dispatcher/node_spec.rb +220 -0
- data/spec/arachni/rpc/server/dispatcher_spec.rb +136 -0
- data/spec/arachni/rpc/server/distributor_spec.rb +628 -0
- data/spec/arachni/rpc/server/framework_hpg_spec.rb +321 -0
- data/spec/arachni/rpc/server/framework_simple_spec.rb +453 -0
- data/spec/arachni/rpc/server/instance_spec.rb +81 -0
- data/spec/arachni/rpc/server/modules/manager_spec.rb +79 -0
- data/spec/arachni/rpc/server/options_spec.rb +124 -0
- data/spec/arachni/rpc/server/output_spec.rb +238 -0
- data/spec/arachni/rpc/server/plugin/manager_spec.rb +86 -0
- data/spec/arachni/ruby/array_spec.rb +103 -0
- data/spec/arachni/ruby/enumerable_spec.rb +37 -0
- data/spec/arachni/ruby/object_spec.rb +38 -0
- data/spec/arachni/ruby/string_spec.rb +77 -0
- data/spec/arachni/ruby/webrick_spec.rb +15 -0
- data/spec/arachni/session_spec.rb +308 -0
- data/spec/arachni/spider_spec.rb +383 -0
- data/spec/arachni/typhoeus/hydra_spec.rb +14 -0
- data/spec/arachni/typhoeus/requrest_spec.rb +58 -0
- data/spec/arachni/typhoeus/response_spec.rb +78 -0
- data/spec/arachni/uri_spec.rb +462 -0
- data/spec/arachni/utilities_spec.rb +297 -0
- data/spec/fixtures/auditstore.afr +2959 -0
- data/spec/fixtures/cookies.txt +9 -0
- data/spec/fixtures/modules/test.rb +58 -0
- data/spec/fixtures/modules/test2.rb +46 -0
- data/spec/fixtures/modules/test3.rb +46 -0
- data/spec/fixtures/passwords.txt +17 -0
- data/spec/fixtures/plugins/bad.rb +46 -0
- data/spec/fixtures/plugins/defaults/default.rb +45 -0
- data/spec/fixtures/plugins/distributable.rb +42 -0
- data/spec/fixtures/plugins/loop.rb +32 -0
- data/spec/fixtures/plugins/wait.rb +34 -0
- data/spec/fixtures/plugins/with_options.rb +31 -0
- data/spec/fixtures/reports/base_spec/plugin_formatters/with_formatters/foobar.rb +21 -0
- data/spec/fixtures/reports/base_spec/with_formatters.rb +23 -0
- data/spec/fixtures/reports/base_spec/with_outfile.rb +24 -0
- data/spec/fixtures/reports/base_spec/without_outfile.rb +20 -0
- data/spec/fixtures/reports/manager_spec/afr.rb +21 -0
- data/spec/fixtures/reports/manager_spec/foo.rb +26 -0
- data/spec/fixtures/rescan.afr.tpl +145 -0
- data/spec/fixtures/rpcd_handlers/echo.rb +68 -0
- data/spec/fixtures/run_mod/body.rb +58 -0
- data/spec/fixtures/run_mod/cookies.rb +58 -0
- data/spec/fixtures/run_mod/empty.rb +58 -0
- data/spec/fixtures/run_mod/flch.rb +63 -0
- data/spec/fixtures/run_mod/forms.rb +58 -0
- data/spec/fixtures/run_mod/headers.rb +58 -0
- data/spec/fixtures/run_mod/links.rb +58 -0
- data/spec/fixtures/run_mod/nil.rb +57 -0
- data/spec/fixtures/run_mod/path.rb +58 -0
- data/spec/fixtures/run_mod/server.rb +58 -0
- data/spec/fixtures/script_plugin.rb +1 -0
- data/spec/fixtures/taint_module/taint.rb +48 -0
- data/spec/fixtures/usernames.txt +13 -0
- data/spec/fixtures/wait_module/wait.rb +48 -0
- data/spec/helpers/auditor.rb +9 -0
- data/spec/helpers/misc.rb +41 -0
- data/spec/helpers/processes.rb +112 -0
- data/spec/helpers/requires.rb +8 -0
- data/spec/helpers/server.rb +54 -0
- data/spec/logs/Dispatcher - 2752-13830.log +49 -0
- data/spec/logs/Dispatcher - 2766-8238.log +35 -0
- data/spec/logs/Dispatcher - 2808-9029.log +31 -0
- data/spec/logs/Dispatcher - 2854-8571.log +26 -0
- data/spec/logs/Dispatcher - 2888-10411.log +20 -0
- data/spec/logs/Dispatcher - 2922-14464.log +13 -0
- data/spec/logs/Dispatcher - 2957-15255.log +19 -0
- data/spec/logs/Dispatcher - 3216-14203.log +35 -0
- data/spec/logs/Dispatcher - 3305-8622.log +43 -0
- data/spec/logs/Dispatcher - 3340-15426.log +35 -0
- data/spec/logs/Dispatcher - 3399-12586.log +40 -0
- data/spec/logs/Dispatcher - 3433-14149.log +26 -0
- data/spec/logs/Dispatcher - 3582-6198.log +27 -0
- data/spec/logs/Dispatcher - 3616-11169.log +13 -0
- data/spec/logs/Dispatcher - 3849-9016.log +7 -0
- data/spec/logs/output_spec.log +4 -0
- data/spec/logs/placeholder +0 -0
- data/spec/modules/audit/code_injection_spec.rb +25 -0
- data/spec/modules/audit/code_injection_timing_spec.rb +24 -0
- data/spec/modules/audit/csrf_spec.rb +38 -0
- data/spec/modules/audit/ldapi_spec.rb +19 -0
- data/spec/modules/audit/os_cmd_injection_spec.rb +24 -0
- data/spec/modules/audit/os_cmd_injection_timing_spec.rb +24 -0
- data/spec/modules/audit/path_traversal_spec.rb +23 -0
- data/spec/modules/audit/response_splitting_spec.rb +19 -0
- data/spec/modules/audit/rfi_spec.rb +19 -0
- data/spec/modules/audit/session_fixation_spec.rb +23 -0
- data/spec/modules/audit/sqli_blind_rdiff_spec.rb +19 -0
- data/spec/modules/audit/sqli_blind_timing_spec.rb +23 -0
- data/spec/modules/audit/sqli_spec.rb +24 -0
- data/spec/modules/audit/trainer_spec.rb +25 -0
- data/spec/modules/audit/unvalidated_redirect_spec.rb +24 -0
- data/spec/modules/audit/xpath_spec.rb +25 -0
- data/spec/modules/audit/xss_event_spec.rb +19 -0
- data/spec/modules/audit/xss_path_spec.rb +19 -0
- data/spec/modules/audit/xss_script_tag_spec.rb +19 -0
- data/spec/modules/audit/xss_spec.rb +24 -0
- data/spec/modules/audit/xss_tag_spec.rb +19 -0
- data/spec/modules/recon/allowed_methods_spec.rb +19 -0
- data/spec/modules/recon/backdoors_spec.rb +19 -0
- data/spec/modules/recon/backup_files_spec.rb +19 -0
- data/spec/modules/recon/common_directories_spec.rb +19 -0
- data/spec/modules/recon/common_files_spec.rb +19 -0
- data/spec/modules/recon/directory_listing_spec.rb +19 -0
- data/spec/modules/recon/grep/captcha_spec.rb +19 -0
- data/spec/modules/recon/grep/credit_card_spec.rb +19 -0
- data/spec/modules/recon/grep/cvs_svn_users_spec.rb +19 -0
- data/spec/modules/recon/grep/emails_spec.rb +19 -0
- data/spec/modules/recon/grep/html_objects_spec.rb +19 -0
- data/spec/modules/recon/grep/http_only_cookies_spec.rb +19 -0
- data/spec/modules/recon/grep/insecure_cookies_spec.rb +19 -0
- data/spec/modules/recon/grep/mixed_resource_spec.rb +20 -0
- data/spec/modules/recon/grep/private_ip_spec.rb +26 -0
- data/spec/modules/recon/grep/ssn_spec.rb +19 -0
- data/spec/modules/recon/grep/unencrypted_password_forms_spec.rb +19 -0
- data/spec/modules/recon/htaccess_limit_spec.rb +19 -0
- data/spec/modules/recon/http_put_spec.rb +19 -0
- data/spec/modules/recon/interesting_responses_spec.rb +27 -0
- data/spec/modules/recon/webdav_spec.rb +19 -0
- data/spec/modules/recon/xst_spec.rb +19 -0
- data/spec/path_extractors/anchors_spec.rb +19 -0
- data/spec/path_extractors/forms_spec.rb +19 -0
- data/spec/path_extractors/frames_spec.rb +20 -0
- data/spec/path_extractors/generic_spec.rb +28 -0
- data/spec/path_extractors/links_spec.rb +19 -0
- data/spec/path_extractors/meta_refresh_spec.rb +24 -0
- data/spec/path_extractors/scripts_spec.rb +19 -0
- data/spec/pems/cacert.pem +39 -0
- data/spec/pems/client/cert.pem +39 -0
- data/spec/pems/client/foo-cert.pem +39 -0
- data/spec/pems/client/foo-key.pem +51 -0
- data/spec/pems/client/key.pem +51 -0
- data/spec/pems/server/cert.pem +39 -0
- data/spec/pems/server/key.pem +51 -0
- data/spec/plugins/autologin_spec.rb +76 -0
- data/spec/plugins/autothrottle_spec.rb +45 -0
- data/spec/plugins/content_types_spec.rb +93 -0
- data/spec/plugins/cookie_collector_spec.rb +32 -0
- data/spec/plugins/form_dicattack_spec.rb +60 -0
- data/spec/plugins/healthmap_spec.rb +40 -0
- data/spec/plugins/http_dicattack_spec.rb +40 -0
- data/spec/plugins/meta/remedies/discovery_spec.rb +15 -0
- data/spec/plugins/meta/remedies/manual_verification_spec.rb +28 -0
- data/spec/plugins/meta/remedies/timing_attacks_spec.rb +30 -0
- data/spec/plugins/meta/uniformity_spec.rb +83 -0
- data/spec/plugins/profiler_spec.rb +82 -0
- data/spec/plugins/rescan_spec.rb +26 -0
- data/spec/plugins/resolver_spec.rb +16 -0
- data/spec/plugins/script_spec.rb +12 -0
- data/spec/plugins/vector_feed_spec.rb +155 -0
- data/spec/plugins/waf_detector_spec.rb +41 -0
- data/spec/reports/afr_spec.rb +13 -0
- data/spec/reports/ap_spec.rb +9 -0
- data/spec/reports/html_spec.rb +13 -0
- data/spec/reports/json_spec.rb +17 -0
- data/spec/reports/marshal_spec.rb +13 -0
- data/spec/reports/stdout_spec.rb +9 -0
- data/spec/reports/txt_spec.rb +8 -0
- data/spec/reports/xml_spec.rb +13 -0
- data/spec/reports/yaml_spec.rb +13 -0
- data/spec/servers/arachni/element/capabilities/auditable/rdiff.rb +36 -0
- data/spec/servers/arachni/element/capabilities/auditable/taint.rb +10 -0
- data/spec/servers/arachni/element/capabilities/auditable/timeout.rb +30 -0
- data/spec/servers/arachni/element/cookie.rb +37 -0
- data/spec/servers/arachni/element/form.rb +93 -0
- data/spec/servers/arachni/element/header.rb +22 -0
- data/spec/servers/arachni/element/link.rb +26 -0
- data/spec/servers/arachni/framework.rb +54 -0
- data/spec/servers/arachni/http.rb +140 -0
- data/spec/servers/arachni/http_auth.rb +9 -0
- data/spec/servers/arachni/module/auditor.rb +135 -0
- data/spec/servers/arachni/module/trainer.rb +40 -0
- data/spec/servers/arachni/parser.rb +70 -0
- data/spec/servers/arachni/rpc/server/framework_hpg.rb +21 -0
- data/spec/servers/arachni/rpc/server/framework_simple.rb +30 -0
- data/spec/servers/arachni/session.rb +110 -0
- data/spec/servers/arachni/spider.rb +148 -0
- data/spec/servers/modules/audit/code_injection.rb +140 -0
- data/spec/servers/modules/audit/code_injection_timing.rb +110 -0
- data/spec/servers/modules/audit/csrf.rb +80 -0
- data/spec/servers/modules/audit/ldapi.rb +73 -0
- data/spec/servers/modules/audit/os_cmd_injection.rb +140 -0
- data/spec/servers/modules/audit/os_cmd_injection_timing.rb +111 -0
- data/spec/servers/modules/audit/path_traversal.rb +176 -0
- data/spec/servers/modules/audit/response_splitting.rb +114 -0
- data/spec/servers/modules/audit/rfi.rb +113 -0
- data/spec/servers/modules/audit/session_fixation.rb +87 -0
- data/spec/servers/modules/audit/sqli.rb +118 -0
- data/spec/servers/modules/audit/sqli/coldfusion +1 -0
- data/spec/servers/modules/audit/sqli/db2 +4 -0
- data/spec/servers/modules/audit/sqli/emc +2 -0
- data/spec/servers/modules/audit/sqli/informix +3 -0
- data/spec/servers/modules/audit/sqli/interbase +2 -0
- data/spec/servers/modules/audit/sqli/jdbc +0 -0
- data/spec/servers/modules/audit/sqli/mssql +26 -0
- data/spec/servers/modules/audit/sqli/mysql +13 -0
- data/spec/servers/modules/audit/sqli/oracle +6 -0
- data/spec/servers/modules/audit/sqli/postgresql +7 -0
- data/spec/servers/modules/audit/sqli/sqlite +4 -0
- data/spec/servers/modules/audit/sqli/sybase +0 -0
- data/spec/servers/modules/audit/sqli_blind_rdiff.rb +74 -0
- data/spec/servers/modules/audit/sqli_blind_timing.rb +121 -0
- data/spec/servers/modules/audit/trainer_module.rb +160 -0
- data/spec/servers/modules/audit/unvalidated_redirect.rb +115 -0
- data/spec/servers/modules/audit/xpath.rb +111 -0
- data/spec/servers/modules/audit/xpath/dotnet +5 -0
- data/spec/servers/modules/audit/xpath/general +13 -0
- data/spec/servers/modules/audit/xpath/java +3 -0
- data/spec/servers/modules/audit/xpath/libxml2 +2 -0
- data/spec/servers/modules/audit/xpath/php +2 -0
- data/spec/servers/modules/audit/xss.rb +152 -0
- data/spec/servers/modules/audit/xss_event.rb +80 -0
- data/spec/servers/modules/audit/xss_path.rb +44 -0
- data/spec/servers/modules/audit/xss_script_tag.rb +73 -0
- data/spec/servers/modules/audit/xss_tag.rb +139 -0
- data/spec/servers/modules/module_server.rb +14 -0
- data/spec/servers/modules/recon/allowed_methods.rb +5 -0
- data/spec/servers/modules/recon/backdoors.rb +4 -0
- data/spec/servers/modules/recon/backup_files.rb +28 -0
- data/spec/servers/modules/recon/common_directories.rb +6 -0
- data/spec/servers/modules/recon/common_files.rb +6 -0
- data/spec/servers/modules/recon/directory_listing.rb +30 -0
- data/spec/servers/modules/recon/grep/captcha.rb +27 -0
- data/spec/servers/modules/recon/grep/credit_card.rb +28 -0
- data/spec/servers/modules/recon/grep/cvs_svn_users.rb +23 -0
- data/spec/servers/modules/recon/grep/emails.rb +21 -0
- data/spec/servers/modules/recon/grep/html_objects.rb +7 -0
- data/spec/servers/modules/recon/grep/http_only_cookies.rb +21 -0
- data/spec/servers/modules/recon/grep/insecure_cookies.rb +21 -0
- data/spec/servers/modules/recon/grep/mixed_resource.rb +83 -0
- data/spec/servers/modules/recon/grep/private_ip.rb +18 -0
- data/spec/servers/modules/recon/grep/ssn.rb +5 -0
- data/spec/servers/modules/recon/grep/unencrypted_password_forms.rb +33 -0
- data/spec/servers/modules/recon/htaccess_limit.rb +8 -0
- data/spec/servers/modules/recon/http_put.rb +7 -0
- data/spec/servers/modules/recon/interesting_responses.rb +5 -0
- data/spec/servers/modules/recon/webdav.rb +25 -0
- data/spec/servers/modules/recon/xst.rb +6 -0
- data/spec/servers/plugins/autologin.rb +38 -0
- data/spec/servers/plugins/autothrottle.rb +8 -0
- data/spec/servers/plugins/content_types.rb +17 -0
- data/spec/servers/plugins/cookie_collector.rb +20 -0
- data/spec/servers/plugins/form_dicattack.rb +28 -0
- data/spec/servers/plugins/healthmap.rb +16 -0
- data/spec/servers/plugins/http_dicattack.rb +9 -0
- data/spec/servers/plugins/http_dicattack_secure.rb +9 -0
- data/spec/servers/plugins/http_dicattack_unprotected.rb +5 -0
- data/spec/servers/plugins/meta/remedies/discovery.rb +7 -0
- data/spec/servers/plugins/meta/remedies/timing_attacks.rb +29 -0
- data/spec/servers/plugins/profiler.rb +82 -0
- data/spec/servers/plugins/rescan.rb +31 -0
- data/spec/servers/plugins/waf_detector.rb +33 -0
- data/spec/shared/component.rb +43 -0
- data/spec/shared/element/capabilities/auditable.rb +729 -0
- data/spec/shared/element/capabilities/refreshable.rb +56 -0
- data/spec/shared/module.rb +162 -0
- data/spec/shared/path_extractor.rb +47 -0
- data/spec/shared/plugin.rb +50 -0
- data/spec/shared/reports.rb +47 -0
- data/spec/spec_helper.rb +53 -0
- metadata +870 -323
- data/extras/modules/recon/raft_dirs.rb +0 -108
- data/extras/modules/recon/raft_dirs/raft-large-directories.txt +0 -62290
- data/extras/modules/recon/raft_files.rb +0 -110
- data/extras/modules/recon/raft_files/raft-large-files.txt +0 -37037
- data/extras/modules/recon/svn_digger_dirs.rb +0 -108
- data/extras/modules/recon/svn_digger_dirs/Licence.txt +0 -674
- data/extras/modules/recon/svn_digger_dirs/ReadMe-Arachni.txt +0 -4
- data/extras/modules/recon/svn_digger_dirs/ReadMe.txt +0 -6
- data/extras/modules/recon/svn_digger_dirs/all-dirs.txt +0 -5960
- data/extras/modules/recon/svn_digger_files.rb +0 -114
- data/extras/modules/recon/svn_digger_files/Licence.txt +0 -674
- data/extras/modules/recon/svn_digger_files/ReadMe-Arachni.txt +0 -4
- data/extras/modules/recon/svn_digger_files/ReadMe.txt +0 -6
- data/extras/modules/recon/svn_digger_files/all-extensionless.txt +0 -25419
- data/extras/modules/recon/svn_digger_files/all.txt +0 -43135
- data/lib/arachni/component_manager.rb +0 -293
- data/lib/arachni/component_options.rb +0 -425
- data/lib/arachni/parser/auditable.rb +0 -606
- data/lib/arachni/parser/elements.rb +0 -315
- data/lib/arachni/parser/page.rb +0 -168
- data/lib/arachni/parser/parser.rb +0 -866
- data/lib/arachni/rpc/server/options.rb +0 -95
- data/lib/arachni/ui/web/addons/autodeploy.rb +0 -207
- data/lib/arachni/ui/web/addons/autodeploy/lib/manager.rb +0 -398
- data/lib/arachni/ui/web/addons/autodeploy/views/index.erb +0 -291
- data/modules/recon/mixed_resource.rb +0 -100
- data/modules/recon/unencrypted_password_forms.rb +0 -107
- data/path_extractors/sitemap.rb +0 -31
- data/plugins/defaults/metamodules/remedies/manual_verification.rb +0 -65
- data/plugins/defaults/metamodules/remedies/timing_attacks.rb +0 -134
- data/plugins/defaults/metamodules/uniformity.rb +0 -99
- data/reports/metareport/arachni_metareport.rb +0 -174
- data/reports/plugin_formatters/stdout/metamodules.rb +0 -82
@@ -0,0 +1,243 @@
|
|
1
|
+
=begin
|
2
|
+
Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
|
3
|
+
|
4
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
5
|
+
you may not use this file except in compliance with the License.
|
6
|
+
You may obtain a copy of the License at
|
7
|
+
|
8
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
9
|
+
|
10
|
+
Unless required by applicable law or agreed to in writing, software
|
11
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
12
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
13
|
+
See the License for the specific language governing permissions and
|
14
|
+
limitations under the License.
|
15
|
+
=end
|
16
|
+
|
17
|
+
module Arachni
|
18
|
+
|
19
|
+
require Options.dir['lib'] + 'bloom_filter'
|
20
|
+
|
21
|
+
module Element::Capabilities
|
22
|
+
|
23
|
+
#
|
24
|
+
# Performs boolean, fault injection and behavioral analysis (using the rDiff algorithm)
|
25
|
+
# in order to determine whether the web application is responding to the injected data and how.
|
26
|
+
#
|
27
|
+
# If the behavior can be manipulated by the injected data in ways that it's not supposed to
|
28
|
+
# (like when evaluating injected code) then the element is deemed vulnerable.
|
29
|
+
#
|
30
|
+
# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
31
|
+
#
|
32
|
+
module Auditable::RDiff
|
33
|
+
|
34
|
+
def self.included( mod )
|
35
|
+
# the rdiff attack performs it own redundancy checks so we need this to
|
36
|
+
# keep track of audited elements
|
37
|
+
@@rdiff_audited ||= BloomFilter.new
|
38
|
+
end
|
39
|
+
|
40
|
+
RDIFF_OPTIONS = {
|
41
|
+
# append our seeds to the default values
|
42
|
+
format: [Mutable::Format::APPEND],
|
43
|
+
|
44
|
+
# allow duplicate requests
|
45
|
+
redundant: true,
|
46
|
+
|
47
|
+
# amount of rdiff iterations
|
48
|
+
precision: 2,
|
49
|
+
|
50
|
+
respect_method: true
|
51
|
+
}
|
52
|
+
|
53
|
+
#
|
54
|
+
# Performs differential analysis and logs an issue should there be one.
|
55
|
+
#
|
56
|
+
# opts = {
|
57
|
+
# :precision => 3,
|
58
|
+
# :faults => [ 'fault injections' ],
|
59
|
+
# :bools => [ 'boolean injections' ]
|
60
|
+
# }
|
61
|
+
#
|
62
|
+
# element.rdiff_analysis( opts )
|
63
|
+
#
|
64
|
+
# Here's how it goes:
|
65
|
+
# * let _default_ be the default/original response
|
66
|
+
# * let _fault_ be the response of the fault injection
|
67
|
+
# * let _bool_ be the response of the boolean injection
|
68
|
+
#
|
69
|
+
# A vulnerability is logged if:
|
70
|
+
# default == bool AND bool.code == 200 AND fault != bool
|
71
|
+
#
|
72
|
+
# The "bool" response is also checked in order to determine if it's a custom 404, if it is it'll be skipped.
|
73
|
+
#
|
74
|
+
# If a block has been provided analysis and logging will be delegated to it.
|
75
|
+
#
|
76
|
+
# @param [Hash] opts available options:
|
77
|
+
# * :format -- as seen in {Arachni::Element::Mutable::MUTATION_OPTIONS}
|
78
|
+
# * :precision -- amount of rdiff iterations
|
79
|
+
# * :faults -- array of fault injection strings (these are supposed to force erroneous conditions when interpreted)
|
80
|
+
# * :bools -- array of boolean injection strings (these are supposed to not alter the webapp behavior when interpreted)
|
81
|
+
# @param [Block] block block to be used for custom analysis of responses; will be passed the following:
|
82
|
+
# * injected string
|
83
|
+
# * audited element
|
84
|
+
# * default response body
|
85
|
+
# * boolean response
|
86
|
+
# * fault injection response body
|
87
|
+
#
|
88
|
+
def rdiff_analysis( opts = {}, &block )
|
89
|
+
opts = self.class::MUTATION_OPTIONS.merge( RDIFF_OPTIONS.merge( opts ) )
|
90
|
+
|
91
|
+
# don't continue if there's a missing value
|
92
|
+
auditable.values.each { |val| return if !val || val.empty? }
|
93
|
+
|
94
|
+
return if rdiff_audited?
|
95
|
+
rdiff_audited
|
96
|
+
|
97
|
+
responses = {
|
98
|
+
# will hold the original, default, response that results from submitting
|
99
|
+
orig: nil,
|
100
|
+
|
101
|
+
# will hold responses of boolean injections
|
102
|
+
good: {},
|
103
|
+
|
104
|
+
# will hold responses of fault injections
|
105
|
+
bad: {}
|
106
|
+
}
|
107
|
+
|
108
|
+
# submit the element, as is, opts[:precision] amount of times and
|
109
|
+
# rdiff the responses in order to arrive to a refined response without
|
110
|
+
# any superfluous dynamic content
|
111
|
+
opts[:precision].times {
|
112
|
+
# get the default responses
|
113
|
+
audit( '', opts ) do |res|
|
114
|
+
responses[:orig] ||= res.body
|
115
|
+
# remove context-irrelevant dynamic content like banners and such
|
116
|
+
responses[:orig] = responses[:orig].rdiff( res.body )
|
117
|
+
end
|
118
|
+
}
|
119
|
+
|
120
|
+
# perform fault injection opts[:precision] amount of times and
|
121
|
+
# rdiff the responses in order to arrive to a refined response without
|
122
|
+
# any superfluous dynamic content
|
123
|
+
opts[:precision].times {
|
124
|
+
opts[:faults].each do |str|
|
125
|
+
# get mutations of self using the fault seed, which will
|
126
|
+
# cause an internal/silent error when evaluated
|
127
|
+
mutations( str, opts ).each do |elem|
|
128
|
+
print_status elem.status_string
|
129
|
+
|
130
|
+
# submit the mutation and store the response
|
131
|
+
elem.submit( opts ) do |res|
|
132
|
+
responses[:bad][elem.altered] ||= res.body.clone
|
133
|
+
# remove context-irrelevant dynamic content like banners and such
|
134
|
+
# from the error page
|
135
|
+
responses[:bad][elem.altered] =
|
136
|
+
responses[:bad][elem.altered].rdiff( res.body.clone )
|
137
|
+
end
|
138
|
+
end
|
139
|
+
end
|
140
|
+
}
|
141
|
+
|
142
|
+
# get injection variations that will not affect the outcome of the query
|
143
|
+
opts[:bools].each do |str|
|
144
|
+
|
145
|
+
# get mutations of self using the boolean seed, which will not
|
146
|
+
# alter the execution flow
|
147
|
+
mutations( str, opts ).each do |elem|
|
148
|
+
print_status elem.status_string
|
149
|
+
|
150
|
+
# submit the mutation and store the response
|
151
|
+
elem.submit( opts ) do |res|
|
152
|
+
responses[:good][elem.altered] ||= []
|
153
|
+
# save the response and some data for analysis
|
154
|
+
responses[:good][elem.altered] << {
|
155
|
+
'str' => str,
|
156
|
+
'res' => res,
|
157
|
+
'elem' => elem
|
158
|
+
}
|
159
|
+
end
|
160
|
+
end
|
161
|
+
end
|
162
|
+
|
163
|
+
# when this runs the "responses" hash will have been populated and we
|
164
|
+
# can continue with analysis
|
165
|
+
http.after_run {
|
166
|
+
|
167
|
+
responses[:good].keys.each do |key|
|
168
|
+
responses[:good][key].each do |res|
|
169
|
+
|
170
|
+
# if there's a block passed then delegate analysis to it
|
171
|
+
if block
|
172
|
+
exception_jail( false ){
|
173
|
+
block.call( res['str'], res['elem'], responses[:orig],
|
174
|
+
res['res'], responses[:bad][key] )
|
175
|
+
}
|
176
|
+
|
177
|
+
# if default_response_body == bool_response_body AND
|
178
|
+
# bool_response_code == 200 AND
|
179
|
+
# fault_response_body != bool_response_body
|
180
|
+
elsif responses[:orig] == res['res'].body &&
|
181
|
+
responses[:bad][key] != res['res'].body &&
|
182
|
+
res['res'].code == 200
|
183
|
+
|
184
|
+
# check to see if the current boolean response we're analyzing
|
185
|
+
# is a custom 404 page
|
186
|
+
http.custom_404?( res['res'] ) do |bool|
|
187
|
+
# if this is a custom 404 page bail out
|
188
|
+
next if bool
|
189
|
+
|
190
|
+
# if this isn't a custom 404 page then it means that
|
191
|
+
# the element is vulnerable, so go ahead and log the issue
|
192
|
+
|
193
|
+
url = res['res'].effective_url
|
194
|
+
|
195
|
+
# information for the Metareport report
|
196
|
+
opts = {
|
197
|
+
injected_orig: res['str'],
|
198
|
+
combo: res['elem'].auditable
|
199
|
+
}
|
200
|
+
|
201
|
+
@auditor.log_issue(
|
202
|
+
var: key,
|
203
|
+
url: url,
|
204
|
+
method: res['res'].request.method.to_s,
|
205
|
+
opts: opts,
|
206
|
+
injected: res['str'],
|
207
|
+
id: res['str'],
|
208
|
+
regexp: 'n/a',
|
209
|
+
regexp_match: 'n/a',
|
210
|
+
elem: res['elem'].type,
|
211
|
+
response: res['res'].body,
|
212
|
+
# :verification => true,
|
213
|
+
headers: {
|
214
|
+
request: res['res'].request.headers,
|
215
|
+
response: res['res'].headers,
|
216
|
+
}
|
217
|
+
)
|
218
|
+
|
219
|
+
print_ok "In #{res['elem'].type} var '#{key}' ( #{url} )"
|
220
|
+
end
|
221
|
+
end
|
222
|
+
|
223
|
+
end
|
224
|
+
end
|
225
|
+
}
|
226
|
+
end
|
227
|
+
|
228
|
+
private
|
229
|
+
def rdiff_audited
|
230
|
+
@@rdiff_audited << rdiff_audit_id
|
231
|
+
end
|
232
|
+
|
233
|
+
def rdiff_audited?
|
234
|
+
@@rdiff_audited.include?( rdiff_audit_id )
|
235
|
+
end
|
236
|
+
|
237
|
+
def rdiff_audit_id
|
238
|
+
@action + @auditable.keys.to_s
|
239
|
+
end
|
240
|
+
|
241
|
+
end
|
242
|
+
end
|
243
|
+
end
|
@@ -0,0 +1,141 @@
|
|
1
|
+
=begin
|
2
|
+
Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
|
3
|
+
|
4
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
5
|
+
you may not use this file except in compliance with the License.
|
6
|
+
You may obtain a copy of the License at
|
7
|
+
|
8
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
9
|
+
|
10
|
+
Unless required by applicable law or agreed to in writing, software
|
11
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
12
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
13
|
+
See the License for the specific language governing permissions and
|
14
|
+
limitations under the License.
|
15
|
+
=end
|
16
|
+
|
17
|
+
module Arachni::Element::Capabilities
|
18
|
+
|
19
|
+
#
|
20
|
+
# Looks for specific substrings or patterns in response bodies.
|
21
|
+
#
|
22
|
+
# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
23
|
+
#
|
24
|
+
module Auditable::Taint
|
25
|
+
|
26
|
+
TAINT_OPTIONS = {
|
27
|
+
#
|
28
|
+
# The regular expression to match against the response body.
|
29
|
+
#
|
30
|
+
# Alternatively, you can use the :substring option.
|
31
|
+
#
|
32
|
+
regexp: nil,
|
33
|
+
|
34
|
+
#
|
35
|
+
# Verify the matched string with this value when using a regexp.
|
36
|
+
#
|
37
|
+
match: nil,
|
38
|
+
|
39
|
+
#
|
40
|
+
# The substring to look for the response body.
|
41
|
+
#
|
42
|
+
# Alternatively, you can use the :regexp option.
|
43
|
+
#
|
44
|
+
substring: nil,
|
45
|
+
|
46
|
+
#
|
47
|
+
# Array of patterns to ignore.
|
48
|
+
#
|
49
|
+
# Useful when needing to narrow down what to log without
|
50
|
+
# having to construct overly complex match regexps.
|
51
|
+
#
|
52
|
+
ignore: nil
|
53
|
+
}
|
54
|
+
|
55
|
+
#
|
56
|
+
# Performs taint analysis and logs an issue should there be one.
|
57
|
+
#
|
58
|
+
# It logs an issue when:
|
59
|
+
# * _:match_ == nil AND _:regexp_ matches the response body
|
60
|
+
# * _:match_ == not nil AND _:regexp_ match == _:match_
|
61
|
+
# * _:substring_ exists in the response body
|
62
|
+
#
|
63
|
+
# @param [String] seed the string to be injected
|
64
|
+
# @param [Hash] opts options as described in {Arachni::Module::Auditor::OPTIONS} and {TAINT_OPTIONS}
|
65
|
+
#
|
66
|
+
def taint_analysis( seed, opts = { } )
|
67
|
+
opts = self.class::OPTIONS.merge( TAINT_OPTIONS.merge( opts ) )
|
68
|
+
opts[:substring] = seed if !opts[:regexp] && !opts[:substring]
|
69
|
+
audit( seed, opts ) { |res, c_opts| get_matches( res, c_opts ) }
|
70
|
+
end
|
71
|
+
|
72
|
+
private
|
73
|
+
|
74
|
+
#
|
75
|
+
# Tries to identify an issue through pattern matching.
|
76
|
+
#
|
77
|
+
# If a issue is found a message will be printed and the issue will be logged.
|
78
|
+
#
|
79
|
+
# @param [Typhoeus::Response] res
|
80
|
+
# @param [Hash] opts
|
81
|
+
#
|
82
|
+
def get_matches( res, opts )
|
83
|
+
[opts[:regexp]].flatten.compact.each { |regexp| match_regexp_and_log( regexp, res, opts ) }
|
84
|
+
[opts[:substring]].flatten.compact.each { |substring| match_substring_and_log( substring, res, opts ) }
|
85
|
+
end
|
86
|
+
|
87
|
+
def match_substring_and_log( substring, res, opts )
|
88
|
+
opts[:verification] = false
|
89
|
+
|
90
|
+
# an annoying encoding exception may be thrown by scan()
|
91
|
+
# the sob started occurring again....
|
92
|
+
begin
|
93
|
+
opts[:verification] = true if @auditor.page.body.substring?( substring )
|
94
|
+
rescue
|
95
|
+
end
|
96
|
+
|
97
|
+
if res.body.substring?( substring ) && !ignore?( res, opts )
|
98
|
+
opts[:regexp] = opts[:id] = opts[:match] = substring.clone
|
99
|
+
@auditor.log( opts, res )
|
100
|
+
end
|
101
|
+
end
|
102
|
+
|
103
|
+
def match_regexp_and_log( regexp, res, opts )
|
104
|
+
regexp = regexp.is_a?( Regexp ) ? regexp :
|
105
|
+
Regexp.new( regexp.to_s, Regexp::IGNORECASE )
|
106
|
+
|
107
|
+
match_data = res.body.scan( regexp )[0]
|
108
|
+
match_data = match_data.to_s
|
109
|
+
|
110
|
+
opts[:verification] = false
|
111
|
+
|
112
|
+
# an annoying encoding exception may be thrown by scan()
|
113
|
+
# the sob started occuring again....
|
114
|
+
begin
|
115
|
+
opts[:verification] = true if @auditor.page.body.scan( regexp )[0]
|
116
|
+
rescue
|
117
|
+
end
|
118
|
+
|
119
|
+
# fairly obscure condition...pardon me...
|
120
|
+
if ( opts[:match] && match_data == opts[:match] ) ||
|
121
|
+
( !opts[:match] && match_data && match_data.size > 0 )
|
122
|
+
|
123
|
+
return if ignore?( res, opts )
|
124
|
+
|
125
|
+
opts[:id] = opts[:match] = opts[:match] ? opts[:match] : match_data
|
126
|
+
opts[:regexp] = regexp
|
127
|
+
|
128
|
+
@auditor.log( opts, res )
|
129
|
+
end
|
130
|
+
end
|
131
|
+
|
132
|
+
def ignore?( res, opts )
|
133
|
+
[opts[:ignore]].flatten.compact.each do |r|
|
134
|
+
r = r.is_a?( Regexp ) ? r : Regexp.new( r.to_s, Regexp::IGNORECASE )
|
135
|
+
return true if res.body.scan( r ).flatten.first
|
136
|
+
end
|
137
|
+
false
|
138
|
+
end
|
139
|
+
|
140
|
+
end
|
141
|
+
end
|
@@ -0,0 +1,330 @@
|
|
1
|
+
=begin
|
2
|
+
Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
|
3
|
+
|
4
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
5
|
+
you may not use this file except in compliance with the License.
|
6
|
+
You may obtain a copy of the License at
|
7
|
+
|
8
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
9
|
+
|
10
|
+
Unless required by applicable law or agreed to in writing, software
|
11
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
12
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
13
|
+
See the License for the specific language governing permissions and
|
14
|
+
limitations under the License.
|
15
|
+
=end
|
16
|
+
|
17
|
+
require 'set'
|
18
|
+
|
19
|
+
module Arachni::Element::Capabilities
|
20
|
+
|
21
|
+
#
|
22
|
+
# Evaluates whether or not the injection of specific data affects the response
|
23
|
+
# time of the web application.
|
24
|
+
#
|
25
|
+
# It takes into account unstable network conditions and server-side failures and
|
26
|
+
# verifies the results before logging.
|
27
|
+
#
|
28
|
+
# == Methodology
|
29
|
+
#
|
30
|
+
# Here's how it works:
|
31
|
+
# * Loop 1 ({#timeout_analysis}) -- Populates the candidate queue. We're picking the low hanging
|
32
|
+
# fruit here so we can run this in larger concurrent bursts which cause *lots* of noise.
|
33
|
+
# - Initial probing for candidates -- If element times out it is added to a queue.
|
34
|
+
# - Stabilization ({#responsive?}) -- The element is submitted with its default values in
|
35
|
+
# order to wait until the effects of the timing attack have worn off.
|
36
|
+
# * Loop 2 ({timeout_analysis_phase_2}) -- Verifies the candidates. This is much more delicate so the
|
37
|
+
# concurrent requests are lowered to pairs.
|
38
|
+
# - Liveness test -- Ensures that the webapp is alive and not just timing-out by default
|
39
|
+
# - Verification using an increased timeout delay -- Any elements that time out again are logged.
|
40
|
+
# - Stabilization ({#responsive?})
|
41
|
+
#
|
42
|
+
# Ideally, all requests involved with timing attacks would be run in sync mode
|
43
|
+
# but the performance penalties are too high, thus we compromise and make the best of it
|
44
|
+
# by running as little an amount of concurrent requests as possible for any given phase.
|
45
|
+
#
|
46
|
+
# == Usage
|
47
|
+
#
|
48
|
+
# Call {#timeout_analysis} to schedule a timeout audit and execute {timeout_audit_run}
|
49
|
+
# to run the scheduled operations.
|
50
|
+
#
|
51
|
+
# This deviates from the normal framework structure because it is preferable
|
52
|
+
# to run timeout audits separately in order to avoid interference by other
|
53
|
+
# audit operations.
|
54
|
+
#
|
55
|
+
# If you want to be notified every time a timeout audit is performed you can pass
|
56
|
+
# callback block to {on_timing_attacks}.
|
57
|
+
#
|
58
|
+
# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
59
|
+
#
|
60
|
+
module Auditable::Timeout
|
61
|
+
|
62
|
+
def self.included( mod )
|
63
|
+
@@parent = mod
|
64
|
+
|
65
|
+
#
|
66
|
+
# Returns the names of all loaded modules that use timing attacks.
|
67
|
+
#
|
68
|
+
# @return [Set]
|
69
|
+
#
|
70
|
+
def @@parent.timeout_loaded_modules
|
71
|
+
@@timeout_loaded_modules
|
72
|
+
end
|
73
|
+
|
74
|
+
#
|
75
|
+
# Holds timing-attack performing Procs to be run after all
|
76
|
+
# non-timing-attack modules have finished.
|
77
|
+
#
|
78
|
+
# @return [Queue]
|
79
|
+
#
|
80
|
+
def @@parent.timeout_audit_blocks
|
81
|
+
@@timeout_audit_blocks
|
82
|
+
end
|
83
|
+
|
84
|
+
#
|
85
|
+
# @return [Integer] amount of timeout-audit related operations
|
86
|
+
# (audit blocks + candidate elements)
|
87
|
+
#
|
88
|
+
def @@parent.current_timeout_audit_operations_cnt
|
89
|
+
@@timeout_audit_blocks.size + @@timeout_candidates.size
|
90
|
+
end
|
91
|
+
|
92
|
+
def @@parent.add_timeout_audit_block( &block )
|
93
|
+
@@timeout_audit_operations_cnt += 1
|
94
|
+
@@timeout_audit_blocks << block
|
95
|
+
end
|
96
|
+
|
97
|
+
def @@parent.add_timeout_candidate( elem )
|
98
|
+
@@timeout_audit_operations_cnt += 1
|
99
|
+
@@timeout_candidates << elem
|
100
|
+
end
|
101
|
+
|
102
|
+
#
|
103
|
+
# @return [Bool] true if timeout attacks are currently running
|
104
|
+
#
|
105
|
+
def @@parent.running_timeout_attacks?
|
106
|
+
@@running_timeout_attacks
|
107
|
+
end
|
108
|
+
|
109
|
+
#
|
110
|
+
# Adds a block to be executed every time a timing attack is performed
|
111
|
+
#
|
112
|
+
def @@parent.on_timing_attacks( &block )
|
113
|
+
@@on_timing_attacks << block
|
114
|
+
end
|
115
|
+
|
116
|
+
#
|
117
|
+
# @return [Integer] amount of timeout-audit operations
|
118
|
+
#
|
119
|
+
def @@parent.timeout_audit_operations_cnt
|
120
|
+
@@timeout_audit_operations_cnt
|
121
|
+
end
|
122
|
+
|
123
|
+
def @@parent.call_on_timing_blocks( res, elem )
|
124
|
+
@@on_timing_attacks.each { |block| block.call( res, elem ) }
|
125
|
+
end
|
126
|
+
|
127
|
+
#
|
128
|
+
# Runs all blocks in {timeout_audit_blocks} and verifies
|
129
|
+
# and logs the candidate elements.
|
130
|
+
#
|
131
|
+
def @@parent.timeout_audit_run
|
132
|
+
@@running_timeout_attacks = true
|
133
|
+
|
134
|
+
while !@@timeout_audit_blocks.empty?
|
135
|
+
@@timeout_audit_blocks.pop.call
|
136
|
+
end
|
137
|
+
|
138
|
+
while !@@timeout_candidates.empty?
|
139
|
+
self.timeout_analysis_phase_2( @@timeout_candidates.pop )
|
140
|
+
end
|
141
|
+
end
|
142
|
+
|
143
|
+
#
|
144
|
+
# (Called by {timeout_audit_run}, do *NOT* call manually.)
|
145
|
+
#
|
146
|
+
# Runs phase 2 of the timing attack auditing an individual element
|
147
|
+
# (which passed phase 1) with a higher delay and timeout.
|
148
|
+
#
|
149
|
+
# * Liveness check: Element is submitted as is to make sure that the page is alive and responsive
|
150
|
+
# * If liveness check fails then phase 2 is aborted
|
151
|
+
# * If liveness check succeeds it progresses to verification
|
152
|
+
# * Verification: Element is submitted with an increased delay to verify the vulnerability
|
153
|
+
# * If verification fails it aborts
|
154
|
+
# * If verification succeeds the issue is logged
|
155
|
+
# * Stabilize responsiveness: Wait for the effects of the timing attack to wear off
|
156
|
+
#
|
157
|
+
def @@parent.timeout_analysis_phase_2( elem )
|
158
|
+
|
159
|
+
# reset the audited list since we're going to re-audit the elements
|
160
|
+
# @@timeout_audited = Set.new
|
161
|
+
|
162
|
+
opts = elem.opts
|
163
|
+
opts[:timeout] *= 2
|
164
|
+
# opts[:async] = false
|
165
|
+
# self.audit_timeout_debug_msg( 2, opts[:timeout] )
|
166
|
+
|
167
|
+
str = opts[:timing_string].gsub( '__TIME__',
|
168
|
+
( opts[:timeout] / opts[:timeout_divider] ).to_s )
|
169
|
+
|
170
|
+
opts[:timeout] *= 0.7
|
171
|
+
|
172
|
+
elem.auditable = elem.orig
|
173
|
+
|
174
|
+
# this is the control; request the URL of the element to make sure
|
175
|
+
# that the web page is alive i.e won't time-out by default
|
176
|
+
elem.submit do |res|
|
177
|
+
self.call_on_timing_blocks( res, elem )
|
178
|
+
|
179
|
+
if res.timed_out?
|
180
|
+
elem.print_info 'Liveness check failed, bailing out...'
|
181
|
+
next
|
182
|
+
end
|
183
|
+
|
184
|
+
elem.print_info 'Liveness check was successful, progressing to verification...'
|
185
|
+
elem.audit( str, opts ) do |c_res, c_opts|
|
186
|
+
if !c_res.timed_out?
|
187
|
+
elem.print_info 'Verification failed.'
|
188
|
+
next
|
189
|
+
end
|
190
|
+
|
191
|
+
# all issues logged by timing attacks need manual verification.
|
192
|
+
# end of story.
|
193
|
+
# c_opts[:verification] = true
|
194
|
+
elem.auditor.log( c_opts, c_res )
|
195
|
+
elem.responsive?
|
196
|
+
end
|
197
|
+
|
198
|
+
end
|
199
|
+
|
200
|
+
elem.http.run
|
201
|
+
end
|
202
|
+
|
203
|
+
def call_on_timing_blocks( res, elem )
|
204
|
+
@@parent.call_on_timing_blocks( res, elem )
|
205
|
+
end
|
206
|
+
|
207
|
+
# holds timing-attack performing Procs to be run after all
|
208
|
+
# non-timing-attack modules have finished.
|
209
|
+
@@timeout_audit_blocks ||= Queue.new
|
210
|
+
|
211
|
+
@@timeout_audit_operations_cnt ||= 0
|
212
|
+
|
213
|
+
# populated by timing attack phase 1 with
|
214
|
+
# candidate elements to be verified by phase 2
|
215
|
+
@@timeout_candidates ||= Queue.new
|
216
|
+
|
217
|
+
# modules which have called the timing attack audit method (audit_timeout)
|
218
|
+
# we're interested in the amount, not the names, and is used to
|
219
|
+
# determine scan progress
|
220
|
+
@@timeout_loaded_modules ||= Set.new
|
221
|
+
|
222
|
+
@@on_timing_attacks ||= []
|
223
|
+
|
224
|
+
@@running_timeout_attacks ||= false
|
225
|
+
end
|
226
|
+
|
227
|
+
#
|
228
|
+
# Performs timeout/time-delay analysis and logs an issue should there be one.
|
229
|
+
#
|
230
|
+
# @param [Array] strings injection strings
|
231
|
+
# __TIME__ will be substituted with (timeout / timeout_divider)
|
232
|
+
# @param [Hash] opts options as described in {Arachni::Element::Mutable::OPTIONS} with the following extra:
|
233
|
+
# * :timeout -- milliseconds to wait for the request to complete
|
234
|
+
# * :timeout_divider -- __TIME__ = timeout / timeout_divider
|
235
|
+
#
|
236
|
+
def timeout_analysis( strings, opts )
|
237
|
+
@@timeout_loaded_modules << @auditor.fancy_name
|
238
|
+
|
239
|
+
@@parent.add_timeout_audit_block {
|
240
|
+
delay = opts[:timeout]
|
241
|
+
|
242
|
+
audit_timeout_debug_msg( 1, delay )
|
243
|
+
timing_attack( strings, opts ) do |_, _, elem|
|
244
|
+
elem.auditor = @auditor
|
245
|
+
|
246
|
+
print_info "Found a candidate -- #{elem.type.capitalize} input '#{elem.altered}' at #{elem.action}"
|
247
|
+
|
248
|
+
@@parent.add_timeout_candidate( elem ) if elem.responsive?
|
249
|
+
end
|
250
|
+
}
|
251
|
+
end
|
252
|
+
|
253
|
+
#
|
254
|
+
# Submits self with a high timeout value and blocks until it gets a response.
|
255
|
+
#
|
256
|
+
# That is to make sure that responsiveness has been restored before progressing further.
|
257
|
+
#
|
258
|
+
# @param [Float] limit how much time to afford the server to respond
|
259
|
+
#
|
260
|
+
# @return [Bool] +true+ if server responds within the given time limit, +false+ otherwise
|
261
|
+
#
|
262
|
+
def responsive?( limit = 120.0 )
|
263
|
+
d_opts = {
|
264
|
+
skip_orig: true,
|
265
|
+
redundant: true,
|
266
|
+
timeout: limit * 1000,
|
267
|
+
silent: true,
|
268
|
+
async: false
|
269
|
+
}
|
270
|
+
|
271
|
+
orig_opts = opts
|
272
|
+
|
273
|
+
print_info 'Waiting for the effects of the timing attack to wear off.'
|
274
|
+
print_info "Max waiting time: #{limit} seconds."
|
275
|
+
|
276
|
+
@auditable = @orig
|
277
|
+
res = submit( d_opts ).response
|
278
|
+
|
279
|
+
@opts.merge!( orig_opts )
|
280
|
+
|
281
|
+
if !res.timed_out?
|
282
|
+
print_info 'Server seems responsive again.'
|
283
|
+
else
|
284
|
+
print_error 'Max waiting time exceeded, the server may be dead.'
|
285
|
+
return false
|
286
|
+
end
|
287
|
+
|
288
|
+
true
|
289
|
+
end
|
290
|
+
|
291
|
+
private
|
292
|
+
def audit_timeout_debug_msg( phase, delay )
|
293
|
+
print_debug '---------------------------------------------'
|
294
|
+
print_debug "Running phase #{phase.to_s} of timing attack."
|
295
|
+
print_debug "Delay set to: #{delay.to_s} milliseconds"
|
296
|
+
print_debug '---------------------------------------------'
|
297
|
+
end
|
298
|
+
|
299
|
+
#
|
300
|
+
# Audits elements using a timing attack.
|
301
|
+
#
|
302
|
+
# 'opts' needs to contain a :timeout value in milliseconds.</br>
|
303
|
+
# Optionally, you can add a :timeout_divider.
|
304
|
+
#
|
305
|
+
# @param [Array] strings injection strings
|
306
|
+
# '__TIME__' will be substituted with (timeout / timeout_divider)
|
307
|
+
# @param [Hash] opts options as described in {Arachni::Element::Mutable::OPTIONS}
|
308
|
+
# @param [Block] block block to call if a timeout occurs,
|
309
|
+
# it will be passed the response and opts
|
310
|
+
#
|
311
|
+
def timing_attack( strings, opts, &block )
|
312
|
+
opts[:timeout_divider] ||= 1
|
313
|
+
|
314
|
+
[strings].flatten.each do |str|
|
315
|
+
|
316
|
+
opts[:timing_string] = str
|
317
|
+
str = str.gsub( '__TIME__', ( opts[:timeout] / opts[:timeout_divider] ).to_s )
|
318
|
+
opts[:skip_orig] = true
|
319
|
+
|
320
|
+
audit( str, opts ) do |res, c_opts, elem|
|
321
|
+
call_on_timing_blocks( res, elem )
|
322
|
+
block.call( res, c_opts, elem ) if block && res.timed_out?
|
323
|
+
end
|
324
|
+
end
|
325
|
+
|
326
|
+
@auditor.http.run
|
327
|
+
end
|
328
|
+
|
329
|
+
end
|
330
|
+
end
|