arachni 0.4.3.2 → 0.4.4

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    NDA1NGU4YzIyZmY3Y2JlNGZiYzc2NjE5NGYyZTdlMDM5N2NhMzdlNg==
+    NGVjNDkxZDVkMmEyM2I5ODAxZjg0ZDI0NTk2NjBkNWY0MDIyMTZhZg==
   data.tar.gz: !binary |-
-    MjU0OTE5ZWZlYzkwZWY2NWZlODg1ZWY4MzQzYzIwZGNhZjU1OGQ1ZA==
+    M2Y1NGFjN2EzNTBhMDRiYmI4ZDc1ZTY1ZTY4NmRhZGFhMTE3MWQ3NA==
 !binary "U0hBNTEy":
   metadata.gz: !binary |-
-    YTIwMzRjZDcwNDljYWY3MzUyYjhmN2M2ZjU5M2UzMWVlNzk0NWI0NTIwMmZl
-    MGU5MDM3YWE4NTNmYmZlNmU3OGFkNzkxYmExOGU0N2U0YzdmNmM2ODk5ZGI1
-    MzM2MGRhMTljZjJiNDI2Y2Q1ZDI1M2Y4MThmNjY4NGMzMWQ0MGQ=
+    N2MwNzBhYzQ5NGJiYjhlYzZiNjMwMWE2ZjQ0NzEzNWY0MDI1YmNhYmFjMTk0
+    MWMyOGVkODRlMzczODNhZWJkNmJkNTJlNDllZjEzZTJiMzUyMjI5NzhkMzMz
+    N2NlNjA0YTc2YzUyNjU3MDdiMmE2OTExZDU3YmIwY2E1NDU1YTc=
   data.tar.gz: !binary |-
-    ZDhmMjU1NzViNGUxOGE2MjU1Y2E2ZDYzYzViZDE4Njc3MzNhMGRmODFlNGM0
-    ZDUwMWIzMGI4YjU4MzY2NDA3ZDU3YzYwMWY4N2VlNDU2MjMyNjhhZjcxMDk0
-    OTFmZTQ1NWMxODE2NmI5N2IyZDcxNzU0OWNhNWI0M2NiM2VkNTE=
+    NDAyNGRiNjVhMTY5ZTk4MDJiMzMxMWEyNDljZjgwODk1NzMyOGQ2NWM3Yzcy
+    NmExYzc1MGFjYWFmOTAwMDdjYjY3NGZkMDc5ZDQ1M2ZjNWY3ZjJkMTc2MGUx
+    YmQzNTY3MWMzNjE3YTIxN2M1NGJkMjE3MjJhMTc5MjVlZTVlNzM=

data/CHANGELOG.md

@@ -1,5 +1,47 @@
 # ChangeLog
 
+## 0.4.4 _(August 10, 2013)_
+
+- Options
+    - Added:
+        - `--http-username` -- Username for HTTP authentication.
+        - `--http-password` -- Password for HTTP authentication.
+- `Element::Capabilities::Auditable::RDiff` -- Optimized and improved accuracy
+    of analysis.
+- Reports
+    - HTML -- Fixed display of untrusted issues.
+- Modules
+    - Recon
+        - Added:
+            - X-Forwarded-For Access Restriction Bypass (`x_forwarded_for_access_restriction_bypass`)
+                - Retries denied requests with a `X-Forwarded-For` header
+                  to try and trick the web application into thinking that the
+                  request originates from `localhost` and checks whether the
+                  restrictions were bypassed.
+            - Form-based upload (`form_upload`)
+                - Flags file-upload forms as they require manual testing.
+        - .htaccess LIMIT misconfiguration (`htaccess_limit`)
+            - Updated to use verb tampering as well.
+    - Audit
+        - Added:
+            - Source code disclosure (`source_code_disclosure`)
+                - Checks whether or not the web application can be forced to
+                    reveal source code.
+            - Code execution via the php://input wrapper (`code_execution_php_input_wrapper`)
+                - It injects PHP code into the HTTP request body and uses the
+                php://input wrapper to try and load it
+        - Blind SQL Injection (Boolean/Differential analysis) (`sqli_blind_rdiff`)
+            - Improved accuracy of results.
+        - Path traversal (`path_traversal`)
+            - Severity set to "High".
+            - Updated to start with `/` and go all the way up to
+                `/../../../../../../`.
+            - Added fingerprints for `/proc/self/environ`.
+            - Improved coverage for MS Windows.
+        - Remote file inclusion (`rfi`)
+            - Updated to handle cases where the web application appends its own
+                extension to the injected string.
+
 ## 0.4.3.2 _(July 16, 2013)_
 
 - Plugins

data/README.md

@@ -3,7 +3,7 @@
 <table>
     <tr>
         <th>Version</th>
-        <td>0.4.3.2</td>
+        <td>0.4.4</td>
     </tr>
     <tr>
         <th>Homepage</th>
@@ -308,6 +308,7 @@ Audit modules actively engage the web application via its inputs.
 - XSS in event attributes of HTML elements (`xss_event`).
 - XSS in HTML tags (`xss_tag`).
 - XSS in HTML 'script' tags  (`xss_script_tag`).
+- Source code disclosure (`source_code_disclosure`)
 
 ##### Recon (Passive)
 
@@ -335,6 +336,8 @@ Recon modules look for the existence of files, folders and signatures.
 - Insecure cookies (`insecure_cookies`).
 - HttpOnly cookies (`http_only_cookies`).
 - Auto-complete for password form fields (`password_autocomplete`).
+- X-Forwarded-For Access Restriction Bypass (`x_forwarded_for_access_restriction_bypass`)
+- Form-based upload (`form_upload`)
 
 ### Report Management
 

data/lib/arachni/element/capabilities/auditable.rb

@@ -631,6 +631,11 @@ module Auditable
                 next
             end
 
+            if elem.matches_skip_like_blocks?
+                print_debug 'Element matches one or more skip_like blocks, skipping.'
+                next
+            end
+
             if !orphan? && @auditor.skip?( elem )
                 mid = elem.audit_id( injection_str, opts )
                 print_debug "Auditor's #skip? method returned true for mutation, skipping: #{mid}"

data/lib/arachni/element/capabilities/auditable/rdiff.rb

@@ -52,25 +52,25 @@ module Auditable::RDiff
     # Performs differential analysis and logs an issue should there be one.
     #
     #     opts = {
-    #         :precision => 3,
-    #         :faults    => [ 'fault injections' ],
-    #         :bools     => [ 'boolean injections' ]
+    #         pairs: [
+    #               { 'true expression' => 'false expression' }
+    #         ]
     #     }
     #
     #     element.rdiff_analysis( opts )
     #
     # Here's how it goes:
     #
-    # * let `default` be the default/original response
-    # * let `fault`   be the response of the fault injection
-    # * let `bool`    be the response of the boolean injection
+    # * let `control` be the control/control response
+    # * let `true_response`   be the response of the injection of 'true expression'
+    # * let `false_response`    be the response of the injection of 'false expression'
     #
     # A vulnerability is logged if:
     #
-    #     default == bool AND bool.code == 200 AND fault != bool
+    #     control == true_response AND true_response.code == 200 AND false_response != true_response
     #
     # The `bool` response is also checked in order to determine if it's a custom
-    # 404, if it is it'll be skipped.
+    # 404, if it is then it'll be skipped.
     #
     # If a block has been provided analysis and logging will be delegated to it.
     #
@@ -79,20 +79,11 @@ module Auditable::RDiff
     #   As seen in {Arachni::Element::Capabilities::Mutable::Format}.
     # @option   opts    [Integer]       :precision
     #   Amount of {String#rdiff refinement} iterations to perform.
-    # @option   opts    [Array<String>] :faults
-    #   Array of fault injection strings (these are supposed to force erroneous
-    #   conditions when interpreted).
-    # @option   opts    [Array<String>] :bools
-    #   Array of boolean injection strings (these are supposed to not alter the
-    #   webapp behavior when interpreted).
+    # @option   opts    [Array<Hash>] :pairs
+    #   Pair of strings that should yield different results when interpreted.
+    #   Keys should be the `true` expressions.
     # @param    [Block]     block
-    #   To be used for custom analysis of responses; will be passed the following:
-    #
-    #     * injected string
-    #     * audited element
-    #     * default response body
-    #     * boolean response
-    #     * fault injection response body
+    #   To be used for custom analysis of gathered data.
     #
     # @return   [Bool]
     #   `true` if the audit was scheduled successfully, `false` otherwise (like
@@ -106,128 +97,120 @@ module Auditable::RDiff
 
         opts = self.class::MUTATION_OPTIONS.merge( RDIFF_OPTIONS.merge( opts ) )
 
-        # don't continue if there's a missing value
-        auditable.values.each { |val| return if !val || val.empty? }
+        return false if auditable.empty?
+
+        # Don't continue if there's a missing value.
+        auditable.values.each { |val| return if val.to_s.empty? }
 
         return false if rdiff_audited?
         rdiff_audited
 
-        responses = {
-            # will hold the original, default, response that results from submitting
-            orig: nil,
-
-            # will hold responses of boolean injections
-            good: {},
-
-            # will hold responses of fault injections
-            bad:  {}
-        }
-
-        # submit the element, as is, opts[:precision] amount of times and
-        # rdiff the responses in order to arrive to a refined response without
-        # any superfluous dynamic content
-        opts[:precision].times {
-            # get the default responses
-            audit( '', opts ) do |res|
-                responses[:orig] ||= res.body
-                # remove context-irrelevant dynamic content like banners and such
-                responses[:orig] = responses[:orig].rdiff( res.body )
+        responses = {}
+        control  = nil
+        opts[:precision].times do
+            # Get the default response.
+            submit do |res|
+                if control
+                    print_status 'Got default/control response.'
+                end
+
+                # Remove context-irrelevant dynamic content like banners and such.
+                control = (control ? control.rdiff( res.body ) : res.body)
             end
-        }
-
-        # perform fault injection opts[:precision] amount of times and
-        # rdiff the responses in order to arrive to a refined response without
-        # any superfluous dynamic content
-        opts[:precision].times {
-            opts[:faults].each do |str|
-                # get mutations of self using the fault seed, which will
-                # cause an internal/silent error when evaluated
-                mutations( str, opts ).each do |elem|
+        end
+
+        opts[:pairs].each do |pair|
+            responses[pair] ||= {}
+            true_expr, false_expr = pair.to_a.first
+
+            opts[:precision].times do
+                mutations( true_expr, opts ).each do |elem|
                     print_status elem.status_string
 
-                    # submit the mutation and store the response
+                    # Submit the mutation and store the response.
                     elem.submit( opts ) do |res|
-                        responses[:bad][elem.altered] ||= res.body.clone
-                        # remove context-irrelevant dynamic content like banners and such
-                        # from the error page
-                        responses[:bad][elem.altered] =
-                            responses[:bad][elem.altered].rdiff( res.body.clone )
+                        if responses[pair][elem.altered][:true]
+                            elem.print_status "Gathering data for '#{elem.altered}' " <<
+                                                  "#{type} input -- Got true  response:" <<
+                                                  " #{true_expr}"
+                        end
+
+                        responses[pair][elem.altered] ||= {}
+                        responses[pair][elem.altered][:mutation] = elem
+
+                        # Keep the latest response for the {Arachni::Issue}.
+                        responses[pair][elem.altered][:response]        = res
+                        responses[pair][elem.altered][:injected_string] = true_expr
+
+                        responses[pair][elem.altered][:true] ||= res.body.clone
+                        # Remove context-irrelevant dynamic content like banners
+                        # and such from the error page.
+                        responses[pair][elem.altered][:true] =
+                            responses[pair][elem.altered][:true].rdiff( res.body.clone )
                     end
                 end
-            end
-        }
-
-        # get injection variations that will not affect the outcome of the query
-        opts[:bools].each do |str|
-
-            # get mutations of self using the boolean seed, which will not
-            # alter the execution flow
-            mutations( str, opts ).each do |elem|
-                print_status elem.status_string
-
-                # submit the mutation and store the response
-                elem.submit( opts ) do |res|
-                    responses[:good][elem.altered] ||= []
-                    # save the response and some data for analysis
-                    responses[:good][elem.altered] << {
-                        'str'  => str,
-                        'res'  => res,
-                        'elem' => elem
-                    }
+
+                mutations( false_expr, opts ).each do |elem|
+                    responses[pair][elem.altered] ||= {}
+
+                    # Submit the mutation and store the response.
+                    elem.submit( opts ) do |res|
+                        if responses[pair][elem.altered][:false]
+                            elem.print_status "Gathering data for '#{elem.altered}'" <<
+                                                  " #{type} input -- Got false " <<
+                                                  "response: #{false_expr}"
+                        end
+
+                        responses[pair][elem.altered][:false] ||= res.body.clone
+
+                        # Remove context-irrelevant dynamic content like banners
+                        # and such from the error page.
+                        responses[pair][elem.altered][:false] =
+                            responses[pair][elem.altered][:false].rdiff( res.body.clone )
+                    end
                 end
             end
         end
 
-        # when this runs the "responses" hash will have been populated and we
-        # can continue with analysis
-        http.after_run {
-
-            responses[:good].keys.each do |key|
-                responses[:good][key].each do |res|
-
-                    # if there's a block passed then delegate analysis to it
-                    if block
-                        exception_jail( false ){
-                            block.call( res['str'], res['elem'], responses[:orig],
-                                        res['res'], responses[:bad][key] )
-                        }
-
-                    # if default_response_body == bool_response_body AND
-                    #    bool_response_code == 200 AND
-                    #    fault_response_body != bool_response_body
-                    elsif responses[:orig] == res['res'].body &&
-                            responses[:bad][key] != res['res'].body &&
-                            res['res'].code == 200
-
-                        # check to see if the current boolean response we're analyzing
-                        # is a custom 404 page
-                        http.custom_404?( res['res'] ) do |bool|
-                            # if this is a custom 404 page bail out
-                            next if bool
-
-                            # if this isn't a custom 404 page then it means that
-                            # the element is vulnerable, so go ahead and log the issue
-
-                            # information for the Metareport report
-                            opts = {
-                                injected_orig: res['str'],
-                                combo:         res['elem'].auditable
-                            }
+
+        # When this runs the "responses" hash will have been populated and we
+        # can continue with analysis.
+        http.after_run do
+            responses.each do |pair, data|
+                if block
+                    exception_jail( false ){ block.call( pair, data ) }
+                    next
+                end
+
+                data.each do |input_name, result|
+                    # if default_response_body == true_response_body AND
+                    #    false_response_body != true_response_code AND
+                    #    true_response_code == 200
+                    if control == result[:true] &&
+                        result[:false] != result[:true] &&
+                        result[:response].code == 200
+
+                        # Check to see if the `true` response we're analyzing
+                        # is a custom 404 page.
+                        http.custom_404?( result[:response] ) do |custom_404|
+                            # If this is a custom 404 page bail out.
+                            next if custom_404
 
                             @auditor.log({
-                                    var:      key,
-                                    opts:     opts,
-                                    injected: res['str'],
-                                    id:       res['str'],
-                                    elem:     res['elem'].type,
-                                }, res['res']
+                                var:      input_name,
+                                opts:     {
+                                    injected_orig: result[:injected_string],
+                                    combo:         result[:mutation].auditable
+                                },
+                                injected: result[:mutation].altered_value,
+                                elem:     type
+                                }, result[:response]
                             )
                         end
                     end
-
                 end
             end
-        }
+        end
 
         true
     end

data/lib/arachni/framework.rb

@@ -800,7 +800,10 @@ class Framework
         print_info 'Depending on server responsiveness and network' <<
             ' conditions this may take a while.'
 
-        # run all the queued HTTP requests and harvest the responses
+        # Run all the queued HTTP requests and harvest the responses.
+        http.run
+
+        # Needed for some HTTP callbacks.
         http.run
 
         session.ensure_logged_in

data/lib/arachni/http.rb

@@ -108,14 +108,6 @@ class HTTP
             method:          :auto
         }
 
-        if opts.url
-            parsed_url = uri_parse( opts.url )
-            hydra_opts.merge!(
-                username: parsed_url.user,
-                password: parsed_url.password
-            )
-        end
-
         @url = opts.url.to_s
         @url = nil if @url.empty?
 
@@ -151,7 +143,9 @@ class HTTP
             follow_location:               false,
             max_redirects:                 opts.redirect_limit,
             disable_ssl_peer_verification: true,
-            timeout:                       opts.http_timeout || HTTP_TIMEOUT
+            timeout:                       opts.http_timeout || HTTP_TIMEOUT,
+            username:                      opts.http_username,
+            password:                      opts.http_password
         }.merge( proxy_opts )
 
         @request_count  = 0
@@ -289,6 +283,9 @@ class HTTP
         update_cookies  = opts[:update_cookies]
         follow_location = opts[:follow_location] || false
 
+        username = opts.delete( :username )
+        password = opts.delete( :password )
+
         #
         # The exception jail function wraps the block passed to it
         # in exception handling and runs it.
@@ -348,7 +345,9 @@ class HTTP
             }.merge( @opts )
 
             opts[:follow_location] = follow_location if follow_location
-            opts[:timeout]         = timeout if timeout
+            opts[:timeout]         = timeout  if timeout
+            opts[:username]        = username if username
+            opts[:password]        = password if password
 
             req = Typhoeus::Request.new( curl, opts )
             req.train if train

data/lib/arachni/mixins/progress_bar.rb

@@ -27,7 +27,7 @@ module ProgressBar
     # Formats elapsed time to hour:min:sec
     #
     def format_time( t )
-        t = t.to_i
+        t = t.to_i rescue 0
         sec = t % 60
         min = ( t / 60 ) % 60
         hour = t / 3600