arachni 0.4.6 → 0.4.7

data/modules/audit/ldapi.rb

@@ -19,7 +19,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.2
+# @version 0.1.3
 #
 # @see http://cwe.mitre.org/data/definitions/90.html
 # @see http://projects.webappsec.org/w/page/13246947/LDAP-Injection
@@ -47,7 +47,7 @@ class Arachni::Modules::LDAPInjection < Arachni::Module::Base
                 in user input validation.},
             elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.2',
+            version:     '0.1.3',
             references:  {
                 'WASC'  => 'http://projects.webappsec.org/w/page/13246947/LDAP-Injection',
                 'OWASP' => 'http://www.owasp.org/index.php/LDAP_injection'
@@ -55,14 +55,39 @@ class Arachni::Modules::LDAPInjection < Arachni::Module::Base
             targets:     %w(Generic),
             issue:       {
                 name:            %q{LDAP Injection},
-                description:     %q{LDAP queries can be injected into the web application
-    which can be used to disclose sensitive data of affect the execution flow.},
+                description:     %q{Lightweight Directory Access Protocol (LDAP) 
+                    is used by web applications to access and maintain directory 
+                    information services. One of the most common uses for LDAP 
+                    is to provide a single sign on service that will allow 
+                    clients to authenticate with a web site without any 
+                    interaction (assuming their credentials have been validated 
+                    by another service). LDAP injection occurs when untrusted 
+                    data is used by the web application to query the LDAP
+                    directory without prior sanitisation. This is a serious 
+                    security risk, as it could allow cyber-criminals the ability 
+                    to query, modify, or remove anything from the LDAP tree. It 
+                    could also allow other advanced injection techniques that 
+                    perform other more serious attacks. Arachni was able to 
+                    detect a page that is vulnerable to LDAP injection.},
                 tags:            %w(ldap injection regexp),
                 cwe:             '90',
                 severity:        Severity::HIGH,
                 cvssv2:          '',
-                remedy_guidance: %q{User inputs must be validated and filtered
-    before being used in an LDAP query.},
+                remedy_guidance: %q{It is recommended that untrusted or 
+                    invalidated data is never used to form a LDAP query. To 
+                    validate data, the application should ensure that the 
+                    supplied value contains only the characters that are 
+                    required to perform the required action. For example, where 
+                    a username is required, then no non-alpha characters should 
+                    be accepted. If this is not possible, then special 
+                    characters should be escaped so they are treated 
+                    accordingly. The following characters should be escaped with 
+                    a '\' backslash; Ampersand, exclamation mark, pipe, equals, 
+                    less than, greater than, comma, plus, minus, double quote, 
+                    single quote, and semicolon. Additional character filtering 
+                    must be applied to; Open round bracket, close round bracket, 
+                    backslash, asterisks, forward slash, NUL. These characters 
+                    require ASCII escaping.},
                 remedy_code:     ''
             }
 

data/modules/audit/os_cmd_injection.rb

@@ -18,7 +18,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.2.1
+# @version 0.2.2
 #
 # @see http://cwe.mitre.org/data/definitions/78.html
 # @see http://www.owasp.org/index.php/OS_Command_Injection
@@ -64,21 +64,42 @@ class Arachni::Modules::OSCmdInjection < Arachni::Module::Base
             description: %q{Tries to find operating system command injections.},
             elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.2.1',
+            version:     '0.2.2',
             references:  {
-                'OWASP' => 'http://www.owasp.org/index.php/OS_Command_Injection'
+                'OWASP' => 'http://www.owasp.org/index.php/OS_Command_Injection',
+                'WASC'  => 'http://projects.webappsec.org/w/page/13246950/OS%20Commanding'
             },
             targets:     %w(Windows Unix),
             issue:       {
                 name:            %q{Operating system command injection},
-                description:     %q{The web application allows an attacker to
-    execute arbitrary OS commands.},
+                description:     %q{To perform specific actions from within a 
+                    web application, it is occasionally required to run
+                    Operating System commands (Linux or Windows) and have the output of
+                    these commands captured by the web application and returned 
+                    to the client. OS command injection occurs when user supplied
+                    input is inserted into one of these commands without proper 
+                    sanitisation and executed by the server. Cyber criminals 
+                    will abuse this weakness to perform their own arbitrary 
+                    commands on the server. This can include everything from 
+                    simple ping commands to map the internal network, to 
+                    obtaining full control of the server. Arachni was able to 
+                    inject specific Operating System commands and have the output from
+                    that command contained within the server response. This 
+                    indicates that proper input sanitisation is not occurring.},
                 tags:            %w(os command code injection regexp),
                 cwe:             '78',
                 severity:        Severity::HIGH,
                 cvssv2:          '9.0',
-                remedy_guidance: %q{User inputs must be validated and filtered
-    before being evaluated as OS level commands.},
+                remedy_guidance: %q{It is recommended that untrusted or 
+                    non-validated data is never used to form a command to be
+                    executed on the server. To validate data, the application 
+                    should ensure that the supplied value contains only the 
+                    characters that are required to perform the required action. 
+                    For example, where the form field expects an IP address, 
+                    only numbers and full stops should be accepted. Additionally 
+                    all control operators (&, &&, |, ||, $, \, #) should be 
+                    explicitly denied, and never accepted by as input by the 
+                    server.},
                 remedy_code:     '',
                 metasploitable:  'unix/webapp/arachni_exec'
             }

data/modules/audit/os_cmd_injection_timing.rb

@@ -14,16 +14,14 @@
     limitations under the License.
 =end
 
-#
 # OS command injection module using timing attacks.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.3
+# @version 0.3.1
 #
 # @see http://cwe.mitre.org/data/definitions/78.html
 # @see http://www.owasp.org/index.php/OS_Command_Injection
-#
 class Arachni::Modules::OSCmdInjectionTiming < Arachni::Module::Base
 
     prefer :os_cmd_injection
@@ -53,27 +51,43 @@ class Arachni::Modules::OSCmdInjectionTiming < Arachni::Module::Base
             description: %q{Tries to find operating system command injections using timing attacks.},
             elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.3',
+            version:     '0.3.1',
             references:  {
-                'OWASP' => 'http://www.owasp.org/index.php/OS_Command_Injection'
+                'OWASP' => 'http://www.owasp.org/index.php/OS_Command_Injection',
+                'WASC'  => 'http://projects.webappsec.org/w/page/13246950/OS%20Commanding'
             },
             targets:     %w(Windows Unix),
             issue:       {
                 name:            %q{Operating system command injection (timing attack)},
-                description:     %q{The web application allows an attacker to
-    execute arbitrary OS commands even though it does not return
-    the command output in the HTML body.
-    (This issue was discovered using a timing attack; timing attacks
-    can result in false positives in cases where the server takes
-    an abnormally long time to respond.
-    Either case, these issues will require further investigation
-    even if they are false positives.)},
+                description:     %q{To perform specific actions from within a 
+                    web application, it is occasionally required to run
+                    Operating System commands (Linux or Windows) and have the output of
+                    these commands captured by the web application and returned 
+                    to the client. OS command injection occurs when user supplied
+                    input is inserted into one of these commands without proper 
+                    sanitisation and executed by the server. Cyber criminals 
+                    will abuse this weakness to perform their own arbitrary 
+                    commands on the server. This can include everything from 
+                    simple ping commands to map the internal network, to 
+                    obtaining full control of the server. By injecting OS 
+                    commands that take a specific amount of time to execute, 
+                    Arachni was able to detect time based OS command injection.
+                    This indicates that proper input sanitisation is not 
+                    occurring.},
                 tags:            %w(os command code injection timing blind),
                 cwe:             '78',
                 severity:        Severity::HIGH,
                 cvssv2:          '9.0',
-                remedy_guidance: %q{User inputs must be validated and filtered
-    before being evaluated as OS level commands.},
+                remedy_guidance: %q{It is recommended that untrusted or 
+                    non-validated data is never used to form a command to be
+                    executed on the server. To validate data, the application 
+                    should ensure that the supplied value contains only the 
+                    characters that are required to perform the required action. 
+                    For example, where the form field expects an IP address, 
+                    only numbers and full stops should be accepted. Additionally 
+                    all control operators (&, &&, |, ||, $, \, #) should be 
+                    explicitly denied, and never accepted by as input by the 
+                    server.},
                 remedy_code:     '',
                 metasploitable:  'unix/webapp/arachni_exec'
             }

data/modules/audit/path_traversal.rb

@@ -18,7 +18,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.4.1
+# @version 0.4.2
 #
 # @see http://cwe.mitre.org/data/definitions/22.html
 # @see http://www.owasp.org/index.php/Path_Traversal
@@ -107,7 +107,7 @@ class Arachni::Modules::PathTraversal < Arachni::Module::Base
                 based on the presence of relevant content in the HTML responses.},
             elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.4.1',
+            version:     '0.4.2',
             references:  {
                 'OWASP' => 'http://www.owasp.org/index.php/Path_Traversal',
                 'WASC'  => 'http://projects.webappsec.org/Path-Traversal'
@@ -116,14 +116,50 @@ class Arachni::Modules::PathTraversal < Arachni::Module::Base
 
             issue:       {
                 name:            %q{Path Traversal},
-                description:     %q{The web application enforces improper limitation
-    of a pathname to a restricted directory.},
+                description:     %q{Web applications occasionally use
+                    parameter values to store the location of a file required by
+                    the server. An example of this is often seen in error pages 
+                    where the actual file path for the error page is called the 
+                    parameter value. For example 
+                    'yoursite.com/error.php?page=404.php'. A path traversal 
+                    occurs when the parameter value (ie. path to file being 
+                    called by the server) can be substituted with the relative 
+                    path of another resource which is located outside of the 
+                    applications working directory (web root). The server then 
+                    loads the resource and sends it in the response to the 
+                    client. Cyber-criminals will abuse this vulnerability to 
+                    view files that should otherwise not be accessible. A very 
+                    common example of this on a *nix server is where the cyber-
+                    criminal will access the /etc/passwd file to retrieve a list
+                    of users on the server. This attack would look similar to 
+                    'yoursite.com/error.php?page=../../../../etc/passwd'. As 
+                    path traversal is based on the relative path, the payload 
+                    must first traverse the file system to the root directory, 
+                    and hence the string of '../../../../'. Arachni discovered 
+                    that it was possible to substitute a parameter value with 
+                    relative path to a common operating system file and have the 
+                    contents of the file sent back in the response.},
                 tags:            %w(path traversal injection regexp),
                 cwe:             '22',
                 severity:        Severity::HIGH,
                 cvssv2:          '4.3',
-                remedy_guidance: %q{User inputs must be validated and filtered
-    before being used as a part of a filesystem path.},
+                remedy_guidance: %q{It is recommended that untrusted or 
+                    non-validated data is never used to form a literal file
+                    include request. To validate data, the application should 
+                    ensure that the supplied value for a file is permitted. This can
+                    be achieved by performing whitelisting on the parameter 
+                    value. The whitelist should contain a list of pages that 
+                    the application is permitted to fetch resources from. If the 
+                    supplied value does not match any value in the whitelist 
+                    then the server should redirect to a standard error page. In 
+                    some scenarios where dynamic content is being requested it 
+                    may not be possible to perform validation of a list of 
+                    trusted resources, therefor the list must also become 
+                    dynamic (update as the files change), or perform filtering 
+                    to remove any unrequired user input such as semicolons or 
+                    periods etc. and only permit a-z0-9. It is also advised that 
+                    sensitive file are not stored within the web root, and that 
+                    the user permissions enforced by the directory are correct.},
                 remedy_code:     '',
                 metasploitable:  'unix/webapp/arachni_path_traversal'
             }

data/modules/audit/response_splitting.rb

@@ -14,7 +14,6 @@
     limitations under the License.
 =end
 
-#
 # HTTP Response Splitting audit module.
 #
 # It audits links, forms and cookies.
@@ -22,12 +21,11 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.7
+# @version 0.1.8
 #
 # @see http://cwe.mitre.org/data/definitions/20.html
 # @see http://www.owasp.org/index.php/HTTP_Response_Splitting
 # @see http://www.securiteam.com/securityreviews/5WP0E2KFGK.html
-#
 class Arachni::Modules::ResponseSplitting < Arachni::Module::Base
 
     def run
@@ -56,23 +54,42 @@ class Arachni::Modules::ResponseSplitting < Arachni::Module::Base
                 if any of them end up in the response header.},
             elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.1.7',
+            version:     '0.1.8',
             references:  {
                 'SecuriTeam' => 'http://www.securiteam.com/securityreviews/5WP0E2KFGK.html',
-                'OWASP'      => 'http://www.owasp.org/index.php/HTTP_Response_Splitting'
+                'OWASP'      => 'http://www.owasp.org/index.php/HTTP_Response_Splitting',
+                'WASC'       => 'http://projects.webappsec.org/w/page/13246931/HTTP%20Response%20Splitting'
             },
             targets:     %w(Generic),
 
             issue:       {
                 name:            %q{Response Splitting},
-                description:     %q{The web application includes user input
-     in the response HTTP header.},
+                description:     %q{HTTP response splitting occurs when 
+                    untrusted data (usually a client's request) is inserted into 
+                    the response headers without any sanitisation or validation. 
+                    If vulnerable, this allows a cyber-criminal to essentially 
+                    split the HTTP response into two. This is abused by the 
+                    cyber-criminal injecting both CR (aka, carriage return, %0d, 
+                    or /r) characters and LF (aka, line feed, %0a, or \n) which 
+                    will then form the split. If the CR or LF characters are not 
+                    processed by the server then it cannot be exploited. Along 
+                    with these characters, the cyber-criminal can then construct 
+                    their own arbitrary response headers and body which would 
+                    then form the second response. The second response is 
+                    entirely under their control, and then permits a number of 
+                    other attacks.},
                 tags:            %w(response splitting injection header),
                 cwe:             '20',
                 severity:        Severity::MEDIUM,
                 cvssv2:          '5.0',
-                remedy_guidance: %q{User inputs must be validated and filtered
-    before being included as part of the HTTP response headers.},
+                remedy_guidance: %q{It is recommended that untrusted or 
+                    non-validated data is never used to form the contents of the
+                    response header. Where any untrusted source is required to 
+                    be used in the response headers, it is important to ensure 
+                    that any hazardous characters (%0d, %0a, /r, /n, and 
+                    potentially others) are prior to being used. This is 
+                    especially important when setting cookie values, redirecting, 
+                    or when virtual hosting.},
                 remedy_code:     '',
             }
 

data/modules/audit/rfi.rb

@@ -14,7 +14,6 @@
     limitations under the License.
 =end
 
-#
 # Simple Remote File Inclusion (and tutorial) module.
 #
 # It audits links, forms and cookies and will give you a good idea
@@ -22,12 +21,11 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.2
+# @version 0.2.2
 #
 # @see http://cwe.mitre.org/data/definitions/94.html
 # @see http://projects.webappsec.org/Remote-File-Inclusion
 # @see http://en.wikipedia.org/wiki/Remote_File_Inclusion
-#
 class Arachni::Modules::RFI < Arachni::Module::Base # *always* extend Arachni::Module::Base
 
     #
@@ -117,7 +115,7 @@ class Arachni::Modules::RFI < Arachni::Module::Base # *always* extend Arachni::M
             #
             elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.2.1',
+            version:     '0.2.2',
             references:  {
                 'WASC'      => 'http://projects.webappsec.org/Remote-File-Inclusion',
                 'Wikipedia' => 'http://en.wikipedia.org/wiki/Remote_File_Inclusion'
@@ -126,9 +124,26 @@ class Arachni::Modules::RFI < Arachni::Module::Base # *always* extend Arachni::M
 
             issue:       {
                 name:        %q{Remote File Inclusion},
-                description: %q{The web application can be forced to include
-    3rd party remote content which can often lead to arbitrary code
-    execution, amongst other attacks.},
+                description: %q{Web applications occasionally use parameter
+                    values to store the location of a file required by the server.
+                    An example of this is often seen in error pages where the 
+                    actual file path for the error page is called the parameter 
+                    value. For example 'yoursite.com/error.php?page=404.php'. A 
+                    remote file inclusion occurs when the parameter value (ie. 
+                    path to file being called by the server) can be substituted 
+                    with the address of an external host, and the server then 
+                    performs a request to the external host and fetches the 
+                    resource. Taking the simple example above this would become 
+                    'yoursite.com/error.asp?page=http://anothersite.com/somethingBad.php'. 
+                    In most circumstances the server will process the fetched 
+                    resource. Therefore if the resource matches that of the
+                    framework being used (ASP, PHP, JSP, etc.) it is probable 
+                    that the resource will be executed on the vulnerable server. 
+                    Cyber-criminals will abuse this vulnerability to execute 
+                    arbitrary code on the server. Arachni discovered that it was 
+                    possible to substitute a parameter value with an external 
+                    resource and have the server fetch the resource and have it 
+                    returned to the client within the response. },
                 tags:       %w(remote file inclusion injection regexp),
                 cwe:        '94',
                 #
@@ -141,8 +156,21 @@ class Arachni::Modules::RFI < Arachni::Module::Base # *always* extend Arachni::M
                 #
                 severity:        Severity::HIGH,
                 cvssv2:          '7.5',
-                remedy_guidance: %q{Enforce strict validation and filtering
-                    on user inputs.},
+                remedy_guidance: %q{It is recommended that untrusted or 
+                    non-validated data is never used to form a literal file
+                    include request. To validate data, the application should 
+                    ensure that the supplied value for a file is permitted. This 
+                    can be achieved by performing whitelisting on the parameter 
+                    value. The whitelist should contain a list of pages (or 
+                    sites) that the application is permitted to fetch resources 
+                    from. If the supplied value does not match any value in the 
+                    whitelist then the server should redirect to a standard 
+                    error page. In some scenarios where dynamic content is being 
+                    requested it may not be possible to perform validation of a 
+                    list of trusted resources, therefor the list must also 
+                    become dynamic (update as the files change), or perform 
+                    filtering to remove any unrequired user input such as 
+                    semicolons or periods etc. and only permit a-z0-9.},
                 remedy_code:     '',
                 metasploitable:  'unix/webapp/arachni_php_include'
             }

data/modules/audit/session_fixation.rb

@@ -14,7 +14,6 @@
     limitations under the License.
 =end
 
-#
 # Session fixation module.
 #
 # It identifies the session cookie by iterating through all cookies in the
@@ -29,8 +28,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1
-#
+# @version 0.1.1
 class Arachni::Modules::SessionFixation < Arachni::Module::Base
 
     def token
@@ -68,17 +66,50 @@ class Arachni::Modules::SessionFixation < Arachni::Module::Base
             description: %q{Checks whether or not the session cookie can be set to an arbitrary value.},
             elements:    [ Element::FORM, Element::LINK ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1',
+            version:     '0.1.1',
             references:  {
-                 'OWASP - Session fixation' => 'hhttps://www.owasp.org/index.php/Session_fixation'
+                 'OWASP' => 'https://www.owasp.org/index.php/Session_fixation',
+                 'WASC'  => 'http://projects.webappsec.org/w/page/13246960/Session%20Fixation'
              },
             targets:     %w(Generic),
             issue:       {
                 name:        %q{Session fixation},
-                description: %q{The web application allows the session ID to be fixed by a 3rd party.},
+                description: %q{HTTP by itself is a stateless protocol. Therefore
+                    the server is unable to determine which requests are 
+                    performed by which client, and which clients are 
+                    authenticated or unauthenticated. The use of HTTP cookies 
+                    within the headers, allows a web server to identify each 
+                    individual client, and can therefore determine which clients
+                    hold valid authentication from those that do not. These are 
+                    known as session cookies or session tokens. To prevent 
+                    clients from being able to guess each other's session token, 
+                    each assigned session token should be entirely random, and 
+                    be different whenever a session is established with the 
+                    server. Session fixation occurs when the client is able to 
+                    specify their own session token value, and the value of the 
+                    session cookie is not changed by the server after successful 
+                    authentication. Occasionally the session token will also 
+                    remain unchanged for the user independently of how many times
+                    they have authenticated. Cyber-criminals will abuse this 
+                    functionality by sending crafted URL links with a 
+                    predetermined session token within the link. The cyber-
+                    criminal will then wait for the victim to login and become 
+                    authenticated. If successful the cyber-criminal will know a 
+                    valid session ID, and therefore have access to the victim's
+                    session. Arachni has discovered that it is able to set its 
+                    own session token, and during the login process remains 
+                    unchanged.},
                 tags:        %w(session cookie injection fixation hijacking),
                 cwe:         '384',
-                severity:    Severity::HIGH
+                severity:    Severity::HIGH,
+                remedy_guidance: %q{The most important remediation action is to 
+                    prevent the server accepting client supplied tokens through 
+                    either a GET or POST request. Additionally, the client's
+                    session token should be changed at specific key stages of 
+                    the application flow, such as during authentication. This 
+                    will ensure that even if clients are able to set their own 
+                    cookie, it will not persist into an authenticated session. 
+                },
             }
         }
     end