arachni 0.4.0.4 → 0.4.1

data/modules/audit/code_injection_timing.rb

@@ -1,26 +1,29 @@
 =begin
-                  Arachni
-  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+    Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
 
-  This is free software; you can copy and distribute and modify
-  this program under the term of the GPL v2.0 License
-  (See LICENSE file for details)
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
 
-=end
-
-module Arachni
+        http://www.apache.org/licenses/LICENSE-2.0
 
-module Modules
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
 
 #
-# It's designed to work with PHP, Perl, Python, Java, ASP and Ruby
-# but still needs some more testing.
+# Tries to inject code strings which, if executed, would cause an identifiable
+# delay in execution.
+#
+# If that delay can be verified then the vector via which it was introduced is
+# flagged as vulnerable.
 #
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @author: Tasos "Zapotek" Laskos
-#                                      <tasos.laskos@gmail.com>
-#                                      <zapotek@segfault.gr>
-# @version: 0.2.1
+# @version 0.2.2
 #
 # @see http://cwe.mitre.org/data/definitions/94.html
 # @see http://php.net/manual/en/function.eval.php
@@ -29,87 +32,66 @@ module Modules
 # @see http://www.aspdev.org/asp/asp-eval-execute/
 # @see http://en.wikipedia.org/wiki/Eval#Ruby
 #
-class CodeInjectionTiming < Arachni::Module::Base
-
-    include Arachni::Module::Utilities
-
-    def prepare
-
-        @@__injection_str ||= []
+class Arachni::Modules::CodeInjectionTiming < Arachni::Module::Base
 
-        if @@__injection_str.empty?
-            read_file( 'payloads.txt' ) {
-                |str|
+    prefer :code_injection
 
-                [ ' ', ' && ', ';' ].each {
-                    |sep|
-                    @@__injection_str << sep + " " + str
-                }
+    def self.code_strings
+        @code_strings ||= []
 
-            }
+        if @code_strings.empty?
+            read_file( 'payloads.txt' ) do |str|
+                [ ' ', ' && ', ';' ].each { |sep| @code_strings << "#{sep} #{str}"}
+            end
         end
 
-        @__opts = {
-            :format  => [ Format::STRAIGHT ],
-            :timeout => 4000
-        }
+        @code_strings
     end
 
     def run
-        audit_timeout( @@__injection_str, @__opts )
-    end
-
-    def redundant
-        [ 'code_injection' ]
+        audit_timeout( self.class.code_strings, format: [Format::STRAIGHT], timeout: 4000 )
     end
 
     def self.info
         {
-            :name           => 'Code injection (timing)',
-            :description    => %q{It tries to inject code snippets into the
+            name:        'Code injection (timing)',
+            description: %q{It tries to inject code snippets into the
                 web application and assess whether or not the injection
-                was successful using timing attacks.},
-            :elements       => [
-                Issue::Element::FORM,
-                Issue::Element::LINK,
-                Issue::Element::COOKIE,
-                Issue::Element::HEADER
-            ],
-            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            :version        => '0.2.1',
-            :references     => {
+                was successful using a time delay.},
+            elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            version:     '0.2.2',
+            references:  {
                 'PHP'    => 'http://php.net/manual/en/function.eval.php',
                 'Perl'   => 'http://perldoc.perl.org/functions/eval.html',
                 'Python' => 'http://docs.python.org/py3k/library/functions.html#eval',
                 'ASP'    => 'http://www.aspdev.org/asp/asp-eval-execute/',
                 'Ruby'   => 'http://en.wikipedia.org/wiki/Eval#Ruby'
-             },
-            :targets        => { 'Generic' => 'all' },
-
-            :issue   => {
-                :name        => %q{Code injection (timing attack)},
-                :description => %q{Arbitrary code can be injected into the web application
-                    which is then executed as part of the system.
-                    (This issue was discovered using a timing attack; timing attacks
-                    can result in false positives in cases where the server takes
-                    an abnormally long time to respond.
-                    Either case, these issues will require further investigation
-                    even if they are false positives.)},
-                :tags        => [ 'code', 'injection', 'timing', 'blind' ],
-                :cwe         => '94',
-                :severity    => Issue::Severity::HIGH,
-                :cvssv2       => '7.5',
-                :remedy_guidance    => %q{User inputs must be validated and filtered
-                    before being evaluated as executable code.
-                    Better yet, the web application should stop evaluating user
-                    inputs as any part of dynamic code altogether.},
-                :remedy_code => '',
-                :metasploitable => 'unix/webapp/arachni_php_eval'
+            },
+            targets:     %w(Java ASP Python PHP Perl Ruby),
+
+            issue:       {
+                name:            %q{Code injection (timing attack)},
+                description:     %q{Arbitrary code can be injected into the web application
+    which is then executed as part of the system.
+    (This issue was discovered using a timing attack; timing attacks
+    can result in false positives in cases where the server takes
+    an abnormally long time to respond.
+    Either case, these issues will require further investigation
+    even if they are false positives.)},
+                tags:            %w(code injection timing blind),
+                cwe:             '94',
+                severity:        Severity::HIGH,
+                cvssv2:          '7.5',
+                remedy_guidance: %q{User inputs must be validated and filtered
+    before being evaluated as executable code.
+    Better yet, the web application should stop evaluating user
+    inputs as any part of dynamic code altogether.},
+                remedy_code:     '',
+                metasploitable:  'unix/webapp/arachni_php_eval'
             }
 
         }
     end
 
 end
-end
-end

data/modules/audit/csrf.rb

@@ -1,16 +1,18 @@
 =begin
-                  Arachni
-  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+    Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
 
-  This is free software; you can copy and distribute and modify
-  this program under the term of the GPL v2.0 License
-  (See LICENSE file for details)
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
 
-=end
-
-module Arachni
+        http://www.apache.org/licenses/LICENSE-2.0
 
-module Modules
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
 
 #
 # Cross-Site Request Forgery audit module.
@@ -31,154 +33,71 @@ module Modules
 #   * Extract forms.
 # * Check forms that appear *only* when logged-in for CSRF.
 #
-# In order for the module to give meaningful results a valid cookie-jar of a logged-in
+# In order for the module to give meaningful results, a valid cookie-jar of a logged-in
 # user must be supplied to the framework.
 #
 # However, as Arachni goes through the system it will gather
 # cookies just like a user would, so if there are forms that only appear
 # after a guest has performed a previous event it will check these too.
 #
-# @author: Tasos "Zapotek" Laskos
-#                                      <tasos.laskos@gmail.com>
-#                                      <zapotek@segfault.gr>
-# @version: 0.2.2
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+#
+# @version 0.3
 #
 # @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
 # @see http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
 # @see http://www.cgisecurity.com/csrf-faq.html
 # @see http://cwe.mitre.org/data/definitions/352.html
 #
-class CSRF < Arachni::Module::Base
-
-    def prepare
-
-        # the Trainer can provide modules access to the HTML parser
-        # and other cool stuff for element comparison
-        @__trainer = @http.trainer
-
-        # since we bypass the Auditor we must also do our own audit tracking
-        @@__audited ||= Set.new
-    end
+class Arachni::Modules::CSRF < Arachni::Module::Base
 
     def run
-
-        print_status( 'Looking for CSRF candidates...' )
-
-        print_status( 'Simulating logged-out user.' )
-
-        # setup opts with empty cookies
-        opts = {
-            :cookies => {},
-            :remove_id => true
-        }
+        print_status 'Looking for CSRF candidates...'
+        print_status 'Simulating logged-out user.'
 
         # request page without cookies, simulating a logged-out user
-        @http.get( @page.url, opts ).on_complete {
-            |res|
-
-            # set-up the parser with the proper url so that it
-            # can fix broken 'action' attrs and the like
-            @parser = Arachni::Parser.new( Arachni::Options.instance, res )
-
+        http.get( page.url, cookies: {}, no_cookiejar: true ) do |res|
             # extract forms from the body of the response
-            forms_logged_out = @parser.forms( res.body ).reject {
-                |form|
-                form.auditable.empty?
-            }
-
-            print_status( "Found #{forms_logged_out.size.to_s} context irrelevant forms." )
+            logged_out = forms_from_response( res ).reject { |f| f.auditable.empty? }
 
-            # get forms that are worthy of testing for CSRF
-            # i.e. apper only when the user is logged-in
-            csrf_forms = logged_in_only( forms_logged_out )
+            print_status "Found #{logged_out.size} context irrelevant forms."
 
-            print_status( "Found #{csrf_forms.size.to_s} CSRF candidates." )
+            # get forms that are worthy of testing for CSRF i.e. appear only when the user is logged-in
+            candidates = page.forms - logged_out
 
-            csrf_forms.each {
-                |form|
-                __log( form ) if unsafe?( form )
-            }
-
-        }
+            print_status "Found #{candidates.size} CSRF candidates."
 
+            candidates.each { |form| _log( form ) if unsafe?( form ) }
+        end
     end
 
     #
     # Tries to detect if a form is protected using an anti-CSRF token.
     #
-    # @param  [Hash]  form
+    # @param    [Arachni::Element::Form]  form
     #
-    # @return   [Bool]  true if the form if vulnerable, false otherwise
+    # @return   [Bool]  +true+ if the form has no anti-CSRF token, +false+ otherwise
     #
     def unsafe?( form )
-
-        found_token = false
-
-        # nobody says that tokens must be in a 'value' attribute,
-        # they can just as well be in 'name'.
-        # so we check them both...
-        form.simple['auditable'].to_a.flatten.each_with_index {
-            |str, i|
-            next if !str
-            next if !form.raw['auditable'][i]
-            next if !form.raw['auditable'][i]['type']
-            next if form.raw['auditable'][i]['type'].downcase != 'hidden'
-
-            found_token = true if( csrf_token?( str ) )
-        }
-
-        link_vars = @parser.link_vars( form.action )
-        if( !link_vars.empty? )
-            # and we also need to check for a token in the form action
-            link_vars.values.each {
-                |val|
-                next if !val
-                found_token = true  if( csrf_token?( val ) )
-            }
+        #
+        # Nobody says that tokens must be in a +value+ attribute, they can
+        # just as well be in +name+ -- so we check them both...
+        #
+        found_token = (form.raw['auditable'] || []).map do |input|
+            next if !input['type'] || input['type'].downcase != 'hidden'
+            csrf_token?( input['value'] ) || csrf_token?( input['name'] )
+        end.include?( true )
+
+        return false if found_token
+
+        link_vars = parse_url_vars( form.action )
+        if link_vars.any?
+            # and we also need to check for a token in the form action.
+            found_token = link_vars.to_a.flatten.
+                map { |val| csrf_token?( val ) }.include?( true )
         end
 
-        return !found_token
-    end
-
-    #
-    # Returns forms that only appear when the user is logged-in.
-    #
-    # These are the forms that will most likely affect business logic.
-    #
-    # @param  [Array]  forms_logged_out  forms that appear while logged-out
-    #                                      in order to eliminate them.
-    #
-    # @return  [Array]  forms to be checked for CSRF
-    #
-    def logged_in_only( logged_out )
-        csrf_forms = []
-
-        @page.forms.each {
-            |form|
-
-            next if form.auditable.size == 0
-
-            if !( forms_include?( logged_out, form ) )
-                csrf_forms << form
-            end
-
-        }
-
-        return csrf_forms
-    end
-
-    def forms_include?( forms, form )
-
-        forms.each {
-            |i_form|
-
-            if( form.id == i_form.id )
-                return true
-            end
-
-        }
-
-        return false
+        !found_token
     end
 
     #
@@ -187,6 +106,7 @@ class CSRF < Arachni::Module::Base
     # @param  [String]  str
     #
     def csrf_token?( str )
+        return false if !str
 
         # we could use regexps but i kinda like lcamtuf's (Michal's) way
         base16_len_min    = 8
@@ -201,93 +121,75 @@ class CSRF < Arachni::Module::Base
         base64_slash_cnt  = 2
 
         len = str.size
-        digit_cnt = str.scan(/[0-9]+/).join( '' ).size
+        digit_cnt = str.scan( /[0-9]+/ ).join.size
 
-        if( len >= base16_len_min &&
-            len <= base16_len_max &&
-            digit_cnt >= base16_digit_num
-          )
+        if len >= base16_len_min && len <= base16_len_max && digit_cnt >= base16_digit_num
             return true
         end
 
-        upper_cnt = str.scan(/[A-Z]+/).join( '' ).size
-        slash_cnt = str.scan(/\/+/).join( '' ).size
-
-        if( len >= base64_len_min && len <= base64_len_max &&
-            ( ( digit_cnt >= base64_digit_num && upper_cnt >= base64_case ) ||
-              digit_cnt >= base64_digit_num2 ) &&
-            slash_cnt <= base64_slash_cnt
-          )
+        upper_cnt = str.scan( /[A-Z]+/ ).join.size
+        slash_cnt = str.scan( /\/+/ ).join.size
 
+        if len >= base64_len_min && len <= base64_len_max &&
+            ((digit_cnt >= base64_digit_num && upper_cnt >= base64_case ) ||
+              digit_cnt >= base64_digit_num2) && slash_cnt <= base64_slash_cnt
             return true
         end
 
-        return false
-
+        false
     end
 
-
-    def __log( form )
+    def _log( form )
+        return if !form.raw['attrs']
 
         url  = form.action
         name = form.raw['attrs']['name'] || form.raw['attrs']['id']
 
-        if @@__audited.include?( "#{url}::#{name.to_s}" )
-            print_info( 'Skipping already audited form with name \'' +
-                name.to_s + '\' of url: ' + url )
+        if audited?( "#{url}::#{name}" )
+            print_info "Skipping already audited form '#{name}' at '#{url}'"
             return
         end
 
-        @@__audited << "#{url}::#{name}"
-
-        log_issue(
-            :var          => name,
-            :url          => url,
-            :elem         => Issue::Element::FORM,
-            :response     => @page.html,
-        )
+        audited( "#{url}::#{name}" )
 
-        print_ok( "Found unprotected form with name '#{name}' at '#{url}'" )
+        log_issue( var: name, url: url, elem: Element::FORM, response: page.body )
+        print_ok "Found unprotected form with name '#{name}' at '#{url}'"
     end
 
     def self.info
         {
-            :name           => 'CSRF',
-            :description    => %q{It uses 2-pass rDiff analysis to determine
+            name:        'CSRF',
+            description: %q{It uses 2-pass rDiff analysis to determine
                 which forms affect business logic and audits them for CSRF.
                 It requires a logged-in user's cookie-jar.},
-            :elements       => [
-                Issue::Element::FORM
-            ],
-            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            :version        => '0.2.2',
-            :references     => {
-                'Wikipedia' => 'http://en.wikipedia.org/wiki/Cross-site_request_forgery',
-                'OWASP'     => 'http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)',
+            elements:    [ Element::FORM ],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            version:     '0.3',
+            references:  {
+                'Wikipedia'    => 'http://en.wikipedia.org/wiki/Cross-site_request_forgery',
+                'OWASP'        => 'http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)',
                 'CGI Security' => 'http://www.cgisecurity.com/csrf-faq.html'
-             },
-            :targets        => { 'Generic' => 'all' },
-
-            :issue   => {
-                :name        => %q{Cross-Site Request Forgery},
-                :description => %q{The web application does not, or can not,
-                     sufficiently verify whether a well-formed, valid, consistent
-                     request was intentionally provided by the user who submitted the request.
-                     This is due to a lack of secure anti-CSRF tokens to verify
-                     the freshness of the submitted data.},
-                :tags        => [ 'csrf', 'rdiff', 'form', 'token' ],
-                :cwe         => '352',
-                :severity    => Issue::Severity::HIGH,
-                :cvssv2       => '',
-                :remedy_guidance    => %q{A unique token that guaranties freshness of submitted
-                    data must be added to all web application elements that can affect
-                    business logic.},
-                :remedy_code => '',
+            },
+            targets:     %w(Generic),
+
+            issue:       {
+                name:            %q{Cross-Site Request Forgery},
+                description:     %q{The web application does not, or can not,
+     sufficiently verify whether a well-formed, valid, consistent
+     request was intentionally provided by the user who submitted the request.
+     This is due to a lack of secure anti-CSRF tokens to verify
+     the freshness of the submitted data.},
+                tags:            %w(csrf rdiff form token),
+                cwe:             '352',
+                severity:        Severity::HIGH,
+                cvssv2:          '',
+                remedy_guidance: %q{A unique token that guaranties freshness of submitted
+    data must be added to all web application elements that can affect
+    business logic.},
+                remedy_code:     ''
             }
 
         }
     end
 
 end
-end
-end