arachni 0.4.0.4 → 0.4.1

data/modules/recon/grep/private_ip.rb

@@ -1,54 +1,56 @@
 =begin
-                  Arachni
-  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+    Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
 
-  This is free software; you can copy and distribute and modify
-  this program under the term of the GPL v2.0 License
-  (See LICENSE file for details)
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
 
-=end
+        http://www.apache.org/licenses/LICENSE-2.0
 
-module Arachni
-module Modules
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
 
 #
 # Private IP address recon module.
 #
-# Scans every page for prvate IP addresses.
+# Scans for private IP addresses.
 #
-# @author: morpheuslaw <msidagni@nopsec.com>
-# @version: 0.1
+# @author   Tasos Laskos <tasos.laskos@gmail.com>
+# @version  0.2.1
 #
-class PrivateIP < Arachni::Module::Base
+class Arachni::Modules::PrivateIP < Arachni::Module::Base
 
-    def initialize( page )
-        @page = page
+    def self.regexp
+        @regexp ||= /(?<!\.)(?<!\d)(?:(?:10|127)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|192\.168|169\.254|172\.0?(?:1[6-9]|2[0-9]|3[01]))(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2}(?!\d)(?!\.)/
     end
 
-    def run( )
-        regexp = /(?<!\.)(?<!\d)(?:(?:10|127)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|192\.168|169\.254|172\.0?(?:1[6-9]|2[0-9]|3[01]))(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){2}(?!\d)(?!\.)/
-        match_and_log( regexp )
+    def run
+        match_and_log( self.class.regexp )
     end
 
     def self.info
         {
-            :name           => 'Private IP address finder',
-            :description    => %q{Scans pages for private IP addresses.},
-            :author         => 'morpheuslaw <msidagni@nopsec.com>',
-            :version        => '0.1',
-            :targets        => { 'Generic' => 'all' },
-            :issue   => {
-                :name        => %q{Private IP address disclosure.},
-                :description => %q{A private IP address is disclosured in the body of the HTML page},
-                :cwe         => '200',
-                :severity    => Issue::Severity::LOW,
-                :cvssv2      => '0',
-                :remedy_guidance    => %q{Remove private IP addresses from the body of the HTML pages.},
-                :remedy_code => '',
+            name:        'Private IP address finder',
+            description: %q{Scans pages for private IP addresses.},
+            author:      'Tasos Laskos <tasos.laskos@gmail.com>',
+            version:     '0.2.1',
+            targets:     %w(Generic),
+            elements:    [ Element::BODY, Element::HEADER ],
+            references: {
+                'WebAppSec' => 'http://projects.webappsec.org/w/page/13246936/Information%20Leakage'
+            },
+            issue:       {
+                name:            %q{Private IP address disclosure.},
+                description:     %q{A private IP address is disclosed in the body of the HTML page},
+                cwe:             '200',
+                severity:        Severity::LOW,
+                remedy_guidance: %q{Remove private IP addresses from the body of the HTML pages.},
             }
         }
     end
 
 end
-end
-end

data/modules/recon/grep/ssn.rb

@@ -1,53 +1,55 @@
 =begin
-                  Arachni
-  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+    Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
 
-  This is free software; you can copy and distribute and modify
-  this program under the term of the GPL v2.0 License
-  (See LICENSE file for details)
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
 
-=end
+        http://www.apache.org/licenses/LICENSE-2.0
 
-module Arachni
-module Modules
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
 
 #
-# @author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>, haliphax
-# @version: 0.1.1
+# @author   Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>, haliphax
+# @version  0.1.2
 #
-class SSN < Arachni::Module::Base
+class Arachni::Modules::SSN < Arachni::Module::Base
 
-    def initialize( page )
-        @page = page
+    def self.regexp
+        @regexp ||= /\b(((?!000)(?!666)(?:[0-6]\d{2}|7[0-2][0-9]|73[0-3]|7[5-6][0-9]|77[0-2]))-((?!00)\d{2})-((?!0000)\d{4}))\b/
     end
 
-    def run( )
-        regexp = /\b(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}\b/
-        match_and_log( regexp )
+    def run
+        match_and_log( self.class.regexp ){ |m| m.gsub( /\D/, '' ).size == 9 }
     end
 
     def self.info
         {
-            :name           => 'SSN',
-            :description    => %q{Greps pages for disclosed US Social Security Numbers.},
-            :author         => [
+            name:        'SSN',
+            description: %q{Greps pages for disclosed US Social Security Numbers.},
+            elements:    [ Element::BODY ],
+            author:      [
                 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>', # original
                 'haliphax' # tweaked regexp
             ],
-            :version        => '0.1.1',
-            :targets        => { 'Generic' => 'all' },
-            :issue   => {
-                :name        => %q{Disclosed US Social Security Number.},
-                :description => %q{A US Social Security Number is being disclosed.},
-                :cwe         => '200',
-                :severity    => Issue::Severity::HIGH,
-                :cvssv2      => '0',
-                :remedy_guidance    => %q{Remove all SSN occurences from the page.},
-                :remedy_code => '',
+            version:     '0.1.2',
+            targets:     %w(Generic),
+            references: {
+                'ssa.gov' => 'http://www.ssa.gov/pubs/10064.html'
+            },
+            issue:       {
+                name:            %q{Disclosed US Social Security Number.},
+                description:     %q{A US Social Security Number is being disclosed.},
+                cwe:             '200',
+                severity:        Severity::HIGH,
+                remedy_guidance: %q{Remove all SSN occurrences from the page.},
             }
         }
     end
 
 end
-end
-end

data/modules/recon/grep/unencrypted_password_forms.rb

@@ -0,0 +1,84 @@
+=begin
+    Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
+
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
+
+#
+# Unencrypted password form
+#
+# Looks for password inputs that don't submit data over an encrypted channel (HTTPS).
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+#
+# @version 0.1.5
+#
+# @see http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection
+#
+class Arachni::Modules::UnencryptedPasswordForms < Arachni::Module::Base
+
+    def determine_name( input )
+        input['name'] || input['id']
+    end
+
+    def password?( input )
+        input['type'].to_s.downcase == 'password'
+    end
+
+    def check_form?( form )
+        uri_parse( form.action ).scheme.downcase == 'http' && form.raw['auditable']
+    end
+
+    def run
+        page.forms.each { |form| check_and_log( form ) }
+    end
+
+    def check_and_log( form )
+        return if !check_form?( form )
+
+        form.raw['auditable'].each do |input|
+            name = determine_name( input )
+            next if !password?( input ) || audited?( input ) || !name
+
+            log( var: name, match: name, element: Element::FORM )
+
+            print_ok( "Found unprotected password field '#{name}' at #{page.url}" )
+            audited( input )
+        end
+    end
+
+    def self.info
+        {
+            name:        'UnencryptedPasswordForms',
+            description: %q{Looks for password inputs that don't submit data
+                over an encrypted channel (HTTPS).},
+            elements:    [ Element::FORM ],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
+            version:     '0.1.5',
+            references:  {
+                'OWASP Top 10 2010' => 'http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection'
+            },
+            targets:     %w(Generic),
+            issue:       {
+                name:            %q{Unencrypted password form.},
+                description:     %q{Transmission of password does not use an encrypted channel.},
+                tags:            %w(unencrypted password form),
+                cwe:             '319',
+                severity:        Severity::MEDIUM,
+                remedy_guidance: %q{Forms with sensitive content, like passwords, must be sent over HTTPS.}
+            }
+
+        }
+    end
+
+end

data/modules/recon/htaccess_limit.rb

@@ -1,74 +1,58 @@
 =begin
-                  Arachni
-  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+    Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
 
-  This is free software; you can copy and distribute and modify
-  this program under the term of the GPL v2.0 License
-  (See LICENSE file for details)
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
 
-=end
+        http://www.apache.org/licenses/LICENSE-2.0
 
-module Arachni
-module Modules
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
 
 #
-# @author: Tasos "Zapotek" Laskos
-#                                      <tasos.laskos@gmail.com>
-#                                      <zapotek@segfault.gr>
-# @version: 0.1.2
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-class Htaccess < Arachni::Module::Base
-
-    include Arachni::Module::Utilities
+# @version 0.1.4
+#
+class Arachni::Modules::Htaccess < Arachni::Module::Base
 
     def run
-        return if @page.code != 401
+        return if page.code != 401
+        http.post( page.url ) { |res| check_and_log( res ) }
+    end
 
-        @http.post( @page.url ).on_complete {
-            |res|
-            __log_results( res ) if res.code == 200
-        }
+    def check_and_log( res )
+        return if res.code != 200
+        log( { element: Element::SERVER }, res )
+        print_ok 'Request was accepted: ' + res.effective_url
     end
 
     def self.info
         {
-            :name           => '.htaccess LIMIT misconfiguration',
-            :description    => %q{Checks for misconfiguration in LIMIT directives that blocks
+            name:        '.htaccess LIMIT misconfiguration',
+            description: %q{Checks for misconfiguration in LIMIT directives that blocks
                 GET requests but allows POST.},
-            :elements       => [ ],
-            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            :version        => '0.1.2',
-            :references     => {},
-            :targets        => { 'Generic' => 'all' },
-            :issue   => {
-                :name        => %q{Misconfiguration in LIMIT directive of .htaccess file.},
-                :description => %q{The .htaccess file blocks GET requests but allows POST.},
-                :tags        => [ 'htaccess', 'server', 'limit' ],
-                :cwe         => '',
-                :severity    => Issue::Severity::HIGH,
-                :cvssv2       => '',
-                :remedy_guidance    => '',
-                :remedy_code => '',
+            elements:    [ Element::SERVER ],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            version:     '0.1.4',
+            targets:     %w(Generic),
+            references: {
+                'Apache.org' => 'http://httpd.apache.org/docs/2.2/mod/core.html#limit'
+            },
+            issue:       {
+                name:        %q{Misconfiguration in LIMIT directive of .htaccess file.},
+                description: %q{The .htaccess file blocks GET requests but allows POST.},
+                tags:        %w(htaccess server limit),
+                severity:    Severity::HIGH,
+                remedy_guidance:  %q{Do not use the LIMIT tag.
+                    If you are in a situation where you want to allow specific request methods, you should use LimitExcept instead.}
             }
         }
     end
 
-    def __log_results( res )
-
-        log_issue(
-            :url          => res.effective_url,
-            :method       => res.request.method.to_s.upcase,
-            :elem         => Issue::Element::SERVER,
-            :response     => res.body,
-            :headers      => {
-                :request    => res.request.headers,
-                :response   => res.headers,
-            }
-        )
-
-        print_ok( 'Request was accepted: ' + res.effective_url )
-    end
-
-end
-end
 end

data/modules/recon/http_put.rb

@@ -1,87 +1,73 @@
 =begin
-                  Arachni
-  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+    Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
 
-  This is free software; you can copy and distribute and modify
-  this program under the term of the GPL v2.0 License
-  (See LICENSE file for details)
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
 
-=end
+        http://www.apache.org/licenses/LICENSE-2.0
 
-module Arachni
-module Modules
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+=end
 
 #
 # HTTP PUT recon module.
 #
-# @author: Tasos "Zapotek" Laskos
-#                                      <tasos.laskos@gmail.com>
-#                                      <zapotek@segfault.gr>
-# @version: 0.1.3
+# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-class HTTP_PUT < Arachni::Module::Base
+# @version 0.1.5
+#
+class Arachni::Modules::HTTP_PUT < Arachni::Module::Base
 
-    include Arachni::Module::Utilities
+    def self.substring
+        @substring ||= 'PUT' + seed
+    end
 
-    def prepare
-        @@__checked ||= Set.new
+    def self.body
+        @body ||= 'Created by Arachni. ' + substring
     end
 
     def run
-        path = get_path( @page.url ) + 'Arachni-' + seed.to_s[0..4].to_s
-        return if @@__checked.include?( path )
-        @@__checked << path
+        path = get_path( page.url ) + 'Arachni-' + seed.to_s[0..4].to_s
+        return if audited?( path )
+        audited( path )
 
-        body = 'Created by Arachni. PUT' + seed
+        http.request( path, method: :put, body: self.class.body ) do |res|
+            http.get( path ) { |c_res| check_and_log( c_res ) } if res.code == 201
+        end
+    end
 
-        @http.request( path, :method => :put, :body => body ).on_complete {
-            |res|
-            next if res.code != 201
-            @http.get( path ).on_complete {
-                |res|
-                __log_results( res ) if res.body && res.body.substring?( 'PUT' + seed )
-            }
-        }
+    def check_and_log( res )
+        return if !res.body.to_s.include?( self.class.substring )
+
+        log( { element: Element::SERVER }, res )
+        print_ok 'File has been created: ' + res.effective_url
     end
 
     def self.info
         {
-            :name           => 'HTTP PUT',
-            :description    => %q{Checks if uploading files is possible using the HTTP PUT method.},
-            :elements       => [ ],
-            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            :version        => '0.1.3',
-            :references     => {},
-            :targets        => { 'Generic' => 'all' },
-            :issue   => {
-                :name        => %q{HTTP PUT is enabled.},
-                :description => %q{3rd parties can upload files to the web-server.},
-                :tags        => [ 'http', 'methods', 'put', 'server' ],
-                :cwe         => '650',
-                :severity    => Issue::Severity::HIGH,
-                :cvssv2       => '',
-                :remedy_guidance    => '',
-                :remedy_code => '',
+            name:        'HTTP PUT',
+            description: %q{Checks if uploading files is possible using the HTTP PUT method.},
+            elements:    [ Element::SERVER ],
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            version:     '0.1.4',
+            targets:     %w(Generic),
+            references: {
+                'W3' => 'http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html'
+            },
+            issue:       {
+                name:            %q{HTTP PUT is enabled.},
+                description:     %q{3rd parties can upload files to the web-server.},
+                tags:            %w(http methods put server),
+                cwe:             '650',
+                severity:        Severity::HIGH,
+                remedy_guidance: %q{Disable the PUT method on the Web Server and/or disable write permissions to the web server directory.}
             }
         }
     end
 
-    def __log_results( res )
-
-        log_issue(
-            :url          => res.effective_url,
-            :method       => res.request.method.to_s.upcase,
-            :elem         => Issue::Element::SERVER,
-            :response     => res.body,
-            :headers      => {
-                :request    => res.request.headers,
-                :response   => res.headers,
-            }
-        )
-
-        print_ok( 'File has been created: ' + res.effective_url )
-    end
-
-end
-end
 end