arachni 0.4.0.4 → 0.4.1

data/modules/audit/xpath/errors.txt

@@ -11,7 +11,7 @@ Document Axis does not allow any context Location Steps
 Empty Path Expression
 Empty Relative Location Path
 Empty Union Expression
-Expected '\)' in
+Expected ')' in
 Expected node test or name specification after axis operator
 Incompatible XPath key
 Incorrect Variable Binding
@@ -20,7 +20,6 @@ xmlsec library function
 error '80004005'
 A document must contain exactly one root element.
 Expression must evaluate to a node-set.
-Expected token '\]'
+Expected token ']'
 <p>msxml4.dll</font>
 <p>msxml3.dll</font>
-4005 Notes error: Query is not understandable

data/modules/audit/xss.rb

@@ -1,113 +1,109 @@
 =begin
-                  Arachni
-  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+    Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
 
-  This is free software; you can copy and distribute and modify
-  this program under the term of the GPL v2.0 License
-  (See LICENSE file for details)
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
 
-=end
+        http://www.apache.org/licenses/LICENSE-2.0
 
-module Arachni
-module Modules
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
 
 #
 # XSS audit module
 #
-# It doesn't just look for the injected XSS string in the HMTL code
+# It doesn't just look for the injected XSS string in the HTML code
 # but actually parses the code and looks for the injected element proper.
 #
-# @author: Tasos "Zapotek" Laskos
-#                                      <tasos.laskos@gmail.com>
-#                                      <zapotek@segfault.gr>
-# @version: 0.3.1
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+#
+# @version 0.3.2
 #
 # @see http://cwe.mitre.org/data/definitions/79.html
 # @see http://ha.ckers.org/xss.html
 # @see http://secunia.com/advisories/9716/
 #
-class XSS < Arachni::Module::Base
+class Arachni::Modules::XSS < Arachni::Module::Base
 
-    include Arachni::Module::Utilities
+    def self.tag
+        @tag ||= 'some_dangerous_input_' + seed
+    end
 
-    def prepare
-        @_tag_name = 'some_dangerous_input_' + seed
-        @_injection_strs = [
+    def self.strings
+        @strings ||= [
             # straight injection
-            '<' + @_tag_name + ' />',
+            '<' + tag + '/>',
             # go for an error
-            '\'-;<' + @_tag_name + ' />',
+            '\'-;<' + tag + '/>',
             # break out of HTML comments
-            '--> <' + @_tag_name + ' /> <!--',
+            '--> <' + tag + '/> <!--',
         ]
-        @_opts = {
-            :format => [ Format::APPEND | Format::STRAIGHT ],
-            :flip_param => true
+    end
+
+    def self.opts
+        @opts ||= {
+            format:     [Format::APPEND | Format::STRAIGHT],
+            flip_param: true
         }
     end
 
     def run
-
-        opts = @_opts.dup
-        @_injection_strs.each {
-            |str|
-
-            opts[:match] = opts[:substring] = str
-
-            audit( str, opts ) {
-                |res, opts|
-                check_and_log( res, opts )
-            }
-        }
+        self.class.strings.each do |str|
+            audit( str, self.class.opts ) { |res, opts| check_and_log( res, opts ) }
+        end
     end
 
     def check_and_log( res, opts )
-        doc = Nokogiri::HTML( res.body )
+        # if the body doesn't include the tag name at all bail out early
+        return if !res.body || !res.body.include?( self.class.tag )
 
-        # see if we managed to successfully inject our element
-        if !doc.xpath( "//#{@_tag_name}" ).empty?
-            opts[:match] = opts[:injected]
-            log( opts, res )
-        end
+        # see if we managed to successfully inject our element in the doc tree
+        return if Nokogiri::HTML( res.body ).css( self.class.tag ).empty?
+
+        # Nokogiri seems to think that an HTML node inside a textarea is a node
+        # and not just text, however I disagree.
+        #
+        # *But*, there's the possibility of being able to break out of the
+        # textarea hence I'll leave this commented and sleep on it.
+        #our_nodes.each { |node| return if !node.ancestors( 'textarea' ).empty? }
+
+        opts[:match] = opts[:injected]
+        log( opts, res )
     end
 
     def self.info
         {
-            :name           => 'XSS',
-            :description    => %q{Cross-Site Scripting module.
+            name:        'XSS',
+            description: %q{Cross-Site Scripting module.
                 It doesn't just look for the injected XSS string in the HMTL code
                 but actually parses the code and looks for the injected element proper.
             },
-            :elements       => [
-                Issue::Element::FORM,
-                Issue::Element::LINK,
-                Issue::Element::COOKIE,
-                Issue::Element::HEADER
-            ],
-            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            :version        => '0.3.1',
-            :references     => {
+            elements:    [Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            version:     '0.3.2',
+            references:  {
                 'ha.ckers' => 'http://ha.ckers.org/xss.html',
                 'Secunia'  => 'http://secunia.com/advisories/9716/'
             },
-            :targets        => { 'Generic' => 'all' },
-            :issue   => {
-                :name        => %q{Cross-Site Scripting (XSS)},
-                :description => %q{Client-side code (like JavaScript) can
-                    be injected into the web application which is then returned to the user's browser.
-                    This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.},
-                :tags        => [ 'xss', 'regexp', 'injection', 'script' ],
-                :cwe         => '79',
-                :severity    => Issue::Severity::HIGH,
-                :cvssv2       => '9.0',
-                :remedy_guidance    => 'User inputs must be validated and filtered
-                    before being returned as part of the HTML code of a page.',
-                :remedy_code => '',
+            targets:     %w(Generic),
+            issue:       {
+                name:            %q{Cross-Site Scripting (XSS)},
+                description:     %q{Client-side code (like JavaScript) can
+    be injected into the web application which is then returned to the user's browser.
+    This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.},
+                tags:            %w(xss regexp injection script),
+                cwe:             '79',
+                severity:        Severity::HIGH,
+                cvssv2:          '9.0',
+                remedy_guidance: 'User inputs must be validated and filtered
+    before being returned as part of the HTML code of a page.',
             }
-
         }
     end
 
 end
-end
-end

data/modules/audit/xss_event.rb

@@ -1,32 +1,31 @@
 =begin
-                  Arachni
-  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+    Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
 
-  This is free software; you can copy and distribute and modify
-  this program under the term of the GPL v2.0 License
-  (See LICENSE file for details)
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
 
-=end
+        http://www.apache.org/licenses/LICENSE-2.0
 
-module Arachni
-module Modules
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
 
 #
-# XSS in HTML element event attribute. <br/>
 # It injects a string and checks if it appears inside an event attribute of any HTML tag.
 #
-# @author: Tasos "Zapotek" Laskos
-#                                      <tasos.laskos@gmail.com>
-#                                      <zapotek@segfault.gr>
-# @version: 0.1.2
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+#
+# @version 0.1.3
 #
 # @see http://cwe.mitre.org/data/definitions/79.html
 # @see http://ha.ckers.org/xss.html
 # @see http://secunia.com/advisories/9716/
 #
-class XSSEvent < Arachni::Module::Base
-
-    include Arachni::Module::Utilities
+class Arachni::Modules::XSSEvent < Arachni::Module::Base
 
     EVENT_ATTRS = [
         'onload',
@@ -48,82 +47,64 @@ class XSSEvent < Arachni::Module::Base
         'onmouseout',
         'onmouseover',
         'onmouseup',
-        'src' # not an event but it fits the module structure
+        'src' # not an event but it'll work
     ]
 
-    def prepare
-        @_injection_strs = [
+    def self.strings
+        @strings ||= [
             ";arachni_xss_in_element_event=" + seed + '//',
             "\";arachni_xss_in_element_event=" + seed + '//',
-            "';arachni_xss_in_element_event=" + seed + '//',
+            "';arachni_xss_in_element_event=" + seed + '//'
         ]
-
-        @_opts = {
-            :format => [ Format::APPEND ],
-        }
     end
 
     def run
-        @_injection_strs.each {
-            |str|
-            audit( str, @_opts ) {
-                |res, opts|
-                log( opts, res ) if !( opts[:id] = _check( res, opts[:injected] ) ).empty?
-            }
-        }
+        self.class.strings.each do |str|
+            audit( str, format: [ Format::APPEND ] ) do |res, opts|
+                check_and_log( res, str, opts )
+            end
+        end
     end
 
-    def _check( res, injected_str )
-        return [] if !res.body || !res.body.substring?( injected_str )
+    def check_and_log( res, injected, opts )
+        return if !res.body || !res.body.include?( injected )
 
         doc = Nokogiri::HTML( res.body )
-        EVENT_ATTRS.each {
-            |attr|
-            doc.xpath("//*[@#{attr}]").each {
-                |elem|
-                if elem.attributes[attr].to_s.substring?( injected_str )
-                    return elem.to_s
+        EVENT_ATTRS.each do |attr|
+            doc.xpath( "//*[@#{attr}]" ).each do |elem|
+                if elem.attributes[attr].to_s.include?( injected )
+                    log( opts.merge( id: elem.to_s ), res )
                 end
-            }
-        }
-
-        return []
+            end
+        end
     end
 
     def self.info
         {
-            :name           => 'XSS in HTML element event attribute',
-            :description    => %q{Cross-Site Scripting in event tag of HTML element.},
-            :elements       => [
-                Issue::Element::FORM,
-                Issue::Element::LINK,
-                Issue::Element::COOKIE,
-                Issue::Element::HEADER
-            ],
-            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            :version        => '0.1.2',
-            :references     => {
+            name:        'XSS in HTML element event attribute',
+            description: %q{Cross-Site Scripting in event tag of HTML element.},
+            elements:    [Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            version:     '0.1.3',
+            references:  {
                 'ha.ckers' => 'http://ha.ckers.org/xss.html',
                 'Secunia'  => 'http://secunia.com/advisories/9716/'
             },
-            :targets        => { 'Generic' => 'all' },
-            :issue   => {
-                :name        => %q{Cross-Site Scripting in event tag of HTML element.},
-                :description => %q{Unvalidated user input is being embedded inside an HMTL event element such as "onmouseover".
-                    This makes Cross-Site Scripting attacks much easier to mount since the user input
-                    lands in code waiting to be executed.},
-                :tags        => [ 'xss', 'event', 'injection', 'regexp', 'dom', 'attribute' ],
-                :cwe         => '79',
-                :severity    => Issue::Severity::HIGH,
-                :cvssv2       => '9.0',
-                :remedy_guidance    => 'User inputs must be validated and filtered
-                    before being included in executable code or not be included at all.',
-                :remedy_code => '',
+            targets:     %w(Generic),
+            issue:       {
+                name:            %q{Cross-Site Scripting in event tag of HTML element.},
+                description:     %q{Unvalidated user input is being embedded inside an HMTL event element such as "onmouseover".
+    This makes Cross-Site Scripting attacks much easier to mount since the user input
+    lands in code waiting to be executed.},
+                tags:            %w(xss event injection regexp dom attribute),
+                cwe:             '79',
+                severity:        Severity::HIGH,
+                cvssv2:          '9.0',
+                remedy_guidance: 'User inputs must be validated and filtered
+    before being included in executable code or not be included at all.',
             }
 
         }
     end
 
 end
-end
-end

data/modules/audit/xss_path.rb

@@ -1,131 +1,105 @@
 =begin
-                  Arachni
-  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+    Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
 
-  This is free software; you can copy and distribute and modify
-  this program under the term of the GPL v2.0 License
-  (See LICENSE file for details)
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
 
-=end
+        http://www.apache.org/licenses/LICENSE-2.0
 
-module Arachni
-module Modules
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
 
 #
 # XSS in path audit module.
 #
-# @author: Tasos "Zapotek" Laskos
-#                                      <tasos.laskos@gmail.com>
-#                                      <zapotek@segfault.gr>
-# @version: 0.1.6
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+#
+# @version 0.1.8
 #
 # @see http://cwe.mitre.org/data/definitions/79.html
 # @see http://ha.ckers.org/xss.html
 # @see http://secunia.com/advisories/9716/
 #
-class XSSPath < Arachni::Module::Base
-
-    include Arachni::Module::Utilities
-
-    def prepare
-        @_tag_name = 'my_tag_' + seed
-        @str = '<' + @_tag_name + ' />'
-        @__injection_strs = [
-            @str,
-            '?' + @str,
-            '?>"\'>' + @str,
-            '?=>"\'>' + @str
-        ]
+class Arachni::Modules::XSSPath < Arachni::Module::Base
 
-        @@audited ||= Set.new
+    def self.tag
+        @tag ||= 'my_tag_' + seed
     end
 
-    def run
-        path = get_path( @page.url )
+    def self.string
+        @string ||= '<' + tag + '/>'
+    end
 
-        return if @@audited.include?( path )
-        @@audited << path
+    def self.requests
+        @requests ||= [
+            [ string, {} ],
+            [ '>"\'>' + string, {} ],
 
-        @__injection_strs.each {
-            |str|
+            [ '', { string => '' } ],
+            [ '', { '>"\'>' + string => '' } ],
 
+            [ '', { '' => string } ],
+            [ '', { '' => '>"\'>' + string } ]
+        ]
+    end
+
+    def run
+        path = get_path( page.url )
+
+        return if audited?( path )
+        audited( path )
+
+        self.class.requests.each do |str, params|
             url  = path + str
 
             print_status( "Checking for: #{url}" )
 
-            req  = @http.get( url )
-
-            req.on_complete {
-                |res|
-                check_and_log( res, str )
-            }
-        }
+            http.get( url, params: params ) { |res| check_and_log( res, str ) }
+        end
     end
 
     def check_and_log( res, str )
-        # check for the existence of the tag name before parsing to verify
-        # no reason to waste resources...
-        return if ! res.body.substring?( @_tag_name )
-
-        doc = Nokogiri::HTML( res.body )
+        # check for the existence of the tag name in the response before
+        # parsing to verify, no reason to waste resources...
+        return if !res.body || !res.body.include?( self.class.string )
 
         # see if we managed to successfully inject our element
-        if !doc.xpath( "//#{@_tag_name}" ).empty?
-            __log_results( res, str )
-        end
+        return if Nokogiri::HTML( res.body ).css( self.class.tag ).empty?
+
+        log( { element: Element::PATH, injected: str }, res )
     end
 
 
     def self.info
         {
-            :name           => 'XSSPath',
-            :description    => %q{Cross-Site Scripting module for path injection},
-            :elements       => [ ],
-            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            :version        => '0.1.6',
-            :references     => {
+            name:        'XSSPath',
+            description: %q{Cross-Site Scripting module for path injection},
+            elements:    [ Element::PATH ],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            version:     '0.1.8',
+            references:  {
                 'ha.ckers' => 'http://ha.ckers.org/xss.html',
                 'Secunia'  => 'http://secunia.com/advisories/9716/'
             },
-            :targets        => { 'Generic' => 'all' },
-            :issue   => {
-                :name        => %q{Cross-Site Scripting (XSS) in path},
-                :description => %q{Client-side code, like JavaScript, can
-                    be injected into the web application.},
-                :tags        => [ 'xss', 'path', 'injection', 'regexp' ],
-                :cwe         => '79',
-                :severity    => Issue::Severity::HIGH,
-                :cvssv2       => '9.0',
-                :remedy_guidance    => '',
-                :remedy_code => '',
+            targets:     %w(Generic),
+            issue:       {
+                name:            %q{Cross-Site Scripting (XSS) in path},
+                description:     %q{Client-side code, like JavaScript, can
+    be injected into the web application.},
+                tags:            %w(xss path injection regexp),
+                cwe:             '79',
+                severity:        Severity::HIGH,
+                cvssv2:          '9.0',
+                remedy_guidance: %q{Path must be validated and filtered
+                    before being returned as part of the HTML code of a page.}
             }
 
         }
     end
 
-    def __log_results( res, id )
-        url = res.effective_url
-        log_issue(
-            :var          => 'n/a',
-            :url          => url,
-            :injected     => id,
-            :id           => id,
-            :regexp       => 'n/a',
-            :regexp_match => 'n/a',
-            :elem         => Issue::Element::PATH,
-            :response     => res.body,
-            :headers      => {
-                :request    => res.request.headers,
-                :response   => res.headers,
-            }
-        )
-
-        # inform the user that we have a match
-        print_ok( "Match at #{url}" )
-        print_verbose( "Injected string: #{id}" )
-    end
-
-
-end
-end
 end