arachni 0.4.6 → 0.4.7

data/modules/audit/source_code_disclosure.rb

@@ -20,7 +20,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.2
+# @version 0.2.1
 #
 # @see http://cwe.mitre.org/data/definitions/540.html
 class Arachni::Modules::SourceCodeDisclosure < Arachni::Module::Base
@@ -122,19 +122,55 @@ class Arachni::Modules::SourceCodeDisclosure < Arachni::Module::Base
                 can be forced to reveal source code.},
             elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.2',
+            version:     '0.2.1',
             targets:     %w(PHP ASP JSP),
             references:  {
                 'CWE' => 'http://cwe.mitre.org/data/definitions/540.html'
             },
             issue:       {
                 name:            %q{Source code disclosure},
-                description:     %q{The web application can be forced to reveal source code.},
+                description:     %q{A modern web application will be reliant on 
+                    several different programming languages. These languages can 
+                    be broken up into two flavours. These are client side 
+                    languages such as those that run in the browser eg. 
+                    JavaScript and HTML, and server side languages that are 
+                    executed by the server (ASP, PHP, JSP, etc) to form the 
+                    dynamic pages (client side code) that are then sent to the 
+                    client. Because all server side code should be executed by 
+                    the server, it should never be seen by the client. However 
+                    in some scenarios, it is possible that 1. The server side 
+                    code has syntax errors and therefore is not executed by the
+                    server but is instead sent to the client, or 2. Using
+                    crafted requests it is possible to force the server into 
+                    displaying the source code of the application without 
+                    executing it. As the server side source code often contains 
+                    sensitive information such as database connection strings or 
+                    details into the application workflow this can be extremely 
+                    risky. Cyber-criminals will attempt to discover pages that 
+                    either accidentally or forcefully allow the server side source
+                    code to be disclosed, to assist in discovering further 
+                    vulnerabilities or sensitive information. Arachni has 
+                    detected server side source code within the server's
+                    response. Note: false positives may occur when requesting 
+                    binary files such as images (.JPG or .PNG) and may require
+                    manual verification.},
                 tags:            %w(code source file inclusion disclosure),
                 cwe:             '540',
                 severity:        Severity::HIGH,
-                remedy_guidance: %q{User inputs must be validated and filtered
-                    before being included in a file-system path during file reading operations.},
+                remedy_guidance: %q{If confirmation reveals the leakage of
+                    server side source code, then the following remediation
+                    actions should be applied. Determine the context in which 
+                    the source code is disclosed. ie. Caused through coding 
+                    errors, or abusing existing functionality. If due to errors 
+                    in the server side code, then the code causing the 
+                    disclosure should be rewritten. If it is through the abuse 
+                    of existing functionality then it is important that input
+                    sanitisation be conducted to prevent application files (ASP, 
+                    JSP, PHP or config files) from being called. It is also
+                    important that the file system permissions are correctly 
+                    configured, and that all unused files are removed from the 
+                    web root. If these are not an option, then the vulnerable 
+                    file should be removed from the server.},
             }
 
         }

data/modules/audit/sqli.rb

@@ -18,7 +18,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.2.1
+# @version 0.2.2
 #
 # @see http://cwe.mitre.org/data/definitions/89.html
 # @see http://unixwiz.net/techtips/sql-injection.html
@@ -71,24 +71,75 @@ class Arachni::Modules::SQLInjection < Arachni::Module::Base
             description: %q{SQL injection module, uses known SQL DB errors to identify vulnerabilities.},
             elements:    [Element::LINK, Element::FORM, Element::COOKIE, Element::HEADER],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.2.1',
+            version:     '0.2.2',
             references:  {
                 'UnixWiz'    => 'http://unixwiz.net/techtips/sql-injection.html',
                 'Wikipedia'  => 'http://en.wikipedia.org/wiki/SQL_injection',
                 'SecuriTeam' => 'http://www.securiteam.com/securityreviews/5DP0N1P76E.html',
-                'OWASP'      => 'http://www.owasp.org/index.php/SQL_Injection'
+                'OWASP'      => 'http://www.owasp.org/index.php/SQL_Injection',
+                'WASC'       => 'http://projects.webappsec.org/w/page/13246963/SQL%20Injection',
+                'W3 Schools' => 'http://www.w3schools.com/sql/sql_injection.asp'
             },
             targets:     %w(Oracle ColdFusion InterBase PostgreSQL MySQL MSSQL EMC
                             SQLite DB2 Informix Firebird MaxDB Sybase Frontbase Ingres HSQLDB),
             issue:       {
                 name:            %q{SQL Injection},
-                description:     %q{SQL code can be injected into the web application.},
+                description:     %q{Databases are used to store data. Due to the 
+                    requirement for dynamic content of today's web applications, 
+                    many web applications rely on a database backend to store 
+                    data that will be called upon and processed by the web 
+                    application (or other programs). Web applications retrieve 
+                    data from the database by using a Structured Query Language 
+                    (SQL) query. To meet demands of many developers, database 
+                    servers (such as MSSQL, MySQL, Oracle etc.) have 
+                    additional built-in functionality that can allow extensive
+                    control of the database and interaction with the host 
+                    operating system itself. An SQL injection occurs when a 
+                    value originating from the client's request is used within an
+                    SQL query without prior sanitisation. This could allow the 
+                    cyber-criminal to steal the data stored in the database, or 
+                    use the additional functionality of the database server to 
+                    take complete control of the server. When discovered, this 
+                    allows cyber-criminals the ability to inject their own SQL 
+                    query (injected query will normally be placed within the 
+                    existing application query) and have it executed by the 
+                    database server. The successful exploitation of a SQL 
+                    injection can be a devastating to an organisation, and is 
+                    one of the most commonly exploited web application 
+                    vulnerabilities. To discover a SQL injection, Arachni 
+                    injects multiple different payloads into specific locations 
+                    within the client request. Arachni discovered that the 
+                    affected page and parameter may be vulnerable. This 
+                    injection was detected as Arachni was able to cause the 
+                    server to respond to the request with a database related 
+                    error. This is the easiest form of detection, and is known 
+                    as error based SQL injection vulnerability.},
                 tags:            %w(sql injection regexp database error),
                 cwe:             '89',
                 severity:        Severity::HIGH,
                 cvssv2:          '9.0',
-                remedy_guidance: 'User inputs must be validated and filtered
-    before being included in database queries.',
+                remedy_guidance: %q{The only proven method to prevent against 
+                    SQL injection attacks while still maintaining full 
+                    application functionality is to use parameterized queries
+                    (also known as prepared statements). When utilising this 
+                    method of querying the database any value supplied by the
+                    client will be handled as a string value rather than part of 
+                    the SQL query. Additionally, when utilising parameterized
+                    queries, the database engine will automatically check to 
+                    make sure the string being used matches that of the column.
+                    For example the database engine will check the user supplied 
+                    input is an integer if the database column is also an 
+                    integer. Depending on the framework being used, 
+                    implementation of parameterized queries will differ.
+                    Other methods to help protect against SQL injection 
+                    vulnerabilities exist however are not as effective and may
+                    either limit web application functionality, or remain 
+                    vulnerable.
+                    Additional remediation activities such as configuring strict 
+                    database permissions to limit queries that can be executed, 
+                    and configuring the webserver to display custom error 
+                    messages to prevent error based detection will both further 
+                    reduce the risk.},
                 metasploitable:  'auxiliary/arachni_sqlmap'
             }
         }

data/modules/audit/sqli_blind_rdiff.rb

@@ -21,7 +21,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.4.1
+# @version 0.4.2
 #
 # @see http://cwe.mitre.org/data/definitions/89.html
 # @see http://capec.mitre.org/data/definitions/7.html
@@ -64,25 +64,70 @@ class Arachni::Modules::BlindrDiffSQLInjection < Arachni::Module::Base
                 with that of a vulnerable application.},
             elements:    [ Element::LINK, Element::FORM, Element::COOKIE ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.4.1',
+            version:     '0.4.2',
             references:  {
                 'OWASP'         => 'http://www.owasp.org/index.php/Blind_SQL_Injection',
-                'MITRE - CAPEC' => 'http://capec.mitre.org/data/definitions/7.html'
+                'MITRE - CAPEC' => 'http://capec.mitre.org/data/definitions/7.html',
+                'WASC'          => 'http://projects.webappsec.org/w/page/13246963/SQL%20Injection',
+                'W3 Schools'    => 'http://www.w3schools.com/sql/sql_injection.asp'
             },
             targets:     %w(Generic),
 
             issue:       {
                 name:            %q{Blind SQL Injection (differential analysis)},
-                description:     %q{SQL code can be injected into the web application
-    even though it may not be obvious due to suppression of error messages.},
+                description:     %q{Databases are used to store data. Due to the 
+                    requirement for dynamic content of today's web applications, 
+                    many web applications rely on a database backend to store 
+                    data that will be called upon and processed by the web 
+                    application (or other programs). Web applications retrieve 
+                    data from the database by using a Structured Query Language 
+                    (SQL) query. To meet demands of many developers, database 
+                    servers (such as MSSQL, MySQL, Oracle etc.) have additional
+                    built-in functionality that can allow extensive control of
+                    the database and interaction with the host operating system 
+                    itself. An SQL injection occurs when a value originating 
+                    from the client's request is used within an SQL query without
+                    prior sanitisation. This could allow the cyber-criminal to 
+                    steal the data stored in the database, or use the additional 
+                    functionality of the database server to take complete 
+                    control of the server. When discovered, this allows cyber-
+                    criminals the ability to inject their own SQL query 
+                    (injected query will normally be placed within the existing 
+                    application query) and have it executed by the database 
+                    server. The successful exploitation of a SQL injection can 
+                    be a devastating to an organisation, and is one of the most 
+                    commonly exploited web application vulnerabilities. To 
+                    discover a SQL injection, Arachni injects multiple different 
+                    payloads into specific locations within the client request. 
+                    Arachni discovered that the affected page and parameter may 
+                    be vulnerable. This injection was detected as Arachni was 
+                    able to inject specific SQL queries that if vulnerable 
+                    result in the responses for each injection being different. 
+                    This is known as a blind SQL injection vulnerability.},
                 tags:            %w(sql blind rdiff injection database),
                 cwe:             '89',
                 severity:        Severity::HIGH,
                 cvssv2:          '9.0',
-                remedy_guidance: %q{Suppression of error messages leads to
-    security through obscurity which is not a good practise.
-    The web application needs to enforce stronger validation
-    on user inputs.},
+                remedy_guidance: %q{The only proven method to prevent against 
+                    SQL injection attacks while still maintaining full 
+                    application functionality is to use parameterized queries
+                    (also known as prepared statements). When utilising this 
+                    method of querying the database any value supplied by the 
+                    client will be handled as a string value rather than part of 
+                    the SQL query. Additionally, when utilising parameterized
+                    queries, the database engine will automatically check to 
+                    make sure the sting being used matches that of the column. 
+                    For example the database engine will check the user supplied 
+                    input is an integer if the database column is also an 
+                    integer. Depending on the framework being used, 
+                    implementation of parameterized queries will differ.
+                    Other methods to help protect against SQL injection 
+                    vulnerabilities exist however are not as effective and may 
+                    either limit web application functionality, or remain 
+                    vulnerable.
+                    Additional remediation activities such as configuring strict 
+                    database permissions to limit queries that can be executed 
+                    will further reduce the risk.},
                 remedy_code:     '',
                 metasploitable:  'unix/webapp/arachni_sqlmap'
             }

data/modules/audit/sqli_blind_timing.rb

@@ -18,7 +18,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.3.1
+# @version 0.3.2
 #
 # @see http://cwe.mitre.org/data/definitions/89.html
 # @see http://capec.mitre.org/data/definitions/7.html
@@ -50,30 +50,73 @@ class Arachni::Modules::BlindTimingSQLInjection < Arachni::Module::Base
                 connection suddenly chokes up this module will probably produce false positives).},
             elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.3',
+            version:     '0.3.2',
             references:  {
                 'OWASP'         => 'http://www.owasp.org/index.php/Blind_SQL_Injection',
-                'MITRE - CAPEC' => 'http://capec.mitre.org/data/definitions/7.html'
+                'MITRE - CAPEC' => 'http://capec.mitre.org/data/definitions/7.html',
+                'WASC'          => 'http://projects.webappsec.org/w/page/13246963/SQL%20Injection',
+                'W3 Schools'    => 'http://www.w3schools.com/sql/sql_injection.asp'
             },
             targets:     %w(MySQL PostgreSQL MSSQL),
             issue:       {
                 name:            %q{Blind SQL Injection (timing attack)},
-                description:     %q{SQL code can be injected into the web application
-    even though it may not be obvious due to suppression of error messages.
-    (This issue was discovered using a timing attack; timing attacks
-    can result in false positives in cases where the server takes
-    an abnormally long time to respond.
-    Either case, these issues will require further investigation
-    even if they are false positives.)},
+                description:     %q{Databases are used to store data. Due to the 
+                    requirement for dynamic content of today's web applications, 
+                    many web applications rely on a database backend to store 
+                    data that will be called upon and processed by the web 
+                    application (or other programs). Web applications retrieve 
+                    data from the database by using a Structured Query Language 
+                    (SQL) query. To meet demands of many developers, database 
+                    servers (such as MSSQL, MySQL, Oracle etc.) have 
+                    additional built-in functionality that can allow extensive
+                    control of the database and interaction with the host 
+                    operating system itself. An SQL injection occurs when a 
+                    value originating from the clients request is used within an 
+                    SQL query without prior sanitisation. This could allow the 
+                    cyber-criminal to steal the data stored in the database, or 
+                    use the additional functionality of the database server to 
+                    ake complete control of the server. When discovered, this 
+                    allows cyber-criminals the ability to inject their own SQL 
+                    query (injected query will normally be placed within the 
+                    existing application query) and have it executed by the 
+                    database server. The successful exploitation of a SQL 
+                    injection can be a devastating to an organisation, and is 
+                    one of the most commonly exploited web application 
+                    vulnerabilities. To discover a SQL injection, Arachni 
+                    injects multiple different payloads into specific locations 
+                    within the client request. Arachni discovered that the 
+                    affected page and parameter may be vulnerable. This 
+                    injection was detected as Arachni was able to inject 
+                    specific SQL queries containing 'waits' and/or 'benchmarks' 
+                    that if vulnerable result in the responses for each request 
+                    being delayed before being send by the server. For example 
+                    if the injection payload told the database server to way for 
+                    20 seconds, then the client will receive the response 20 
+                    seconds after making the initial request. This is known as a 
+                    time based blind SQL injection vulnerability.},
                 tags:            %w(sql blind timing injection database),
                 cwe:             '89',
                 severity:        Severity::HIGH,
                 cvssv2:          '9.0',
-                remedy_guidance: %q{Suppression of error messages leads to
-    security through obscurity which is not a good practise.
-    The web application needs to enforce stronger validation
-    on user inputs.},
-                remedy_code:     '',
+                remedy_guidance: %q{The only proven method to prevent against 
+                    SQL injection attacks while still maintaining full 
+                    application functionality is to use parameterized queries
+                    (also known as prepared statements). When utilising this 
+                    method of querying the database any value supplied by the 
+                    client will be handled as a string value rather than part of 
+                    the SQL query. Additionally, when utilising parameterized
+                    queries, the database engine will automatically check to 
+                    make sure the sting being used matches that of the column. 
+                    For example the database engine will check the user supplied 
+                    input is an integer if the database column is also an 
+                    integer. Depending on the framework being used, 
+                    implementation of parameterized queries will differ. Other methods to
+                    help protect against SQL injection vulnerabilities exist 
+                    however are not as effective and may either limit web 
+                    application functionality, or remain vulnerable.
+                    Additional remediation activities such as configuring strict 
+                    database permissions to limit queries that can be executed 
+                    will further reduce the risk.},
                 metasploitable:  'unix/webapp/arachni_sqlmap'
             }
 

data/modules/audit/unvalidated_redirect.rb

@@ -14,7 +14,6 @@
     limitations under the License.
 =end
 
-#
 # Unvalidated redirect audit module.
 #
 # It audits links, forms and cookies, injects URLs and checks the `Location`
@@ -22,10 +21,9 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.5
+# @version 0.1.6
 #
 # @see http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
-#
 class Arachni::Modules::UnvalidatedRedirect < Arachni::Module::Base
 
     def self.payloads
@@ -50,20 +48,42 @@ class Arachni::Modules::UnvalidatedRedirect < Arachni::Module::Base
                 to determnine whether the attack was successful.},
             elements:    [Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.5',
+            version:     '0.1.6',
             references:  {
-                'OWASP Top 10 2010' => 'http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards'
+                'OWASP' => 'http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards',
+                'WASC' => 'http://projects.webappsec.org/w/page/13246981/URL%20Redirector%20Abuse'
             },
             targets:     %w(Generic),
 
             issue:       {
                 name:            %q{Unvalidated redirect},
-                description:     %q{The web application redirects users to unvalidated URLs.},
-                tags: %w(unvalidated redirect injection header location),
+                description:     %q{Web applications occasionally use
+                    parameter values to store the address of the page to which
+                    the client will be redirected. As an example, this is
+                    often seen in error pages where the error page is the page 
+                    to be displayed. For example 
+                    'yoursite.com/page.asp?redirect=www.yoursite.com/404.asp'. 
+                    An unvalidated redirect occurs when the client is able to
+                    modify the affected parameter value in the request and have 
+                    a redirect response to the new value sent by the server. 
+                    Therefore, redirecting the client to that site. For example,
+                    the following request 'yoursite.com/page.asp?redirect=www.anothersite.com'
+                    will redirect to 'anothersite.com'. Cyber-criminals will abuse
+                    these vulnerabilities in social engineering attacks to get 
+                    users to unknowingly visit a malicious site hosted by the 
+                    cyber-criminal. Arachni has discovered that the server does 
+                    not validate the parameter value prior to redirecting the 
+                    client to the injected value.},
+                tags:            %w(unvalidated redirect injection header location),
                 cwe:             '819',
                 severity:        Severity::MEDIUM,
-                remedy_guidance: %q{Server side verification should be employed
-                    to ensure that the redirect destination is the one intended.}
+                remedy_guidance: %q{The application should ensure that the 
+                    supplied value for a redirect is permitted. This can be 
+                    achieved by performing whitelisting on the parameter value. 
+                    The whitelist should contain a list of pages or sites that 
+                    the application is permitted to redirect users to. If the 
+                    supplied value does not match any value in the whitelist 
+                    then the server should redirect to a standard error page.}
             }
         }
     end

data/modules/audit/xpath.rb

@@ -14,17 +14,15 @@
     limitations under the License.
 =end
 
-#
 # XPath Injection audit module.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.3
+# @version 0.1.4
 #
 # @see http://cwe.mitre.org/data/definitions/91.html
 # @see http://www.owasp.org/index.php/XPATH_Injection
 # @see http://www.owasp.org/index.php/Testing_for_XPath_Injection_%28OWASP-DV-010%29
-#
 class Arachni::Modules::XPathInjection < Arachni::Module::Base
 
     def self.error_strings
@@ -50,19 +48,48 @@ class Arachni::Modules::XPathInjection < Arachni::Module::Base
             description: %q{XPath injection module},
             elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.3',
+            version:     '0.1.4',
             references:  {
-                'OWASP' => 'http://www.owasp.org/index.php/XPATH_Injection'
+                'OWASP' => 'http://www.owasp.org/index.php/XPATH_Injection',
+                'WASC' => 'http://projects.webappsec.org/w/page/13247005/XPath%20Injection'
             },
             targets:     %w(General PHP Java dotNET libXML2),
             issue:       {
                 name:            %q{XPath Injection},
-                description:     %q{XPath queries can be injected into the web application.},
+                description:     %q{XML Path Language (XPath) queries are used 
+                    by web applications for selecting nodes from XML documents. 
+                    Once selected, the value of these nodes can then be used by 
+                    the application. A simple example for the use of XML 
+                    documents is to store user information. As part of the 
+                    authentication process, the application will perform an 
+                    XPath query to confirm the login credentials and retrieve 
+                    that user's information to use in the following request. 
+                    XPath injection occurs where untrusted data is used to build 
+                    the XPath query. Cyber-criminals may abuse this injection 
+                    vulnerability to bypass authentication, query other user's 
+                    information, or, if the XML document contains privileged user
+                    credentials, allow the cyber-criminal to escalate their
+                    privileges. Arachni injected XPath queries into the page,
+                    and based on the responses from the server, has discovered
+                    the page is vulnerable to XPath injection.},
                 tags:            %w(xpath database error injection regexp),
                 cwe:             '91',
                 severity:        Severity::HIGH,
-                remedy_guidance: 'User inputs must be validated and filtered
-    before being included in database queries.',
+                remedy_guidance: %q{The preferred way to protect against XPath 
+                    injection is to utilise parameterized (also known as prepared)
+                    XPath queries. When utilising this method of querying the 
+                    XML document any value supplied by the client will be 
+                    handled as a string rather than part of the XPath query. An 
+                    alternative to parameterized queries it to use precompiled
+                    XPath queries. Precompiled XPath queries are not generated 
+                    dynamically and will therefor never process user supplied 
+                    input as XPath. Depending on the framework being used, 
+                    implementation of parameterized queries or precompiled queries
+                    will differ. Depending on the framework being used by the 
+                    application parameterized queries and/or precompiled queries
+                    may not be possible. In this case, input filtering on all 
+                    untrusted input should occur to ensure that it is not 
+                    included as part of the query.}
             }
         }
     end