arachni 0.4.6 → 0.4.7

data/modules/audit/xss.rb

@@ -21,7 +21,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.3.3
+# @version 0.3.4
 #
 # @see http://cwe.mitre.org/data/definitions/79.html
 # @see http://ha.ckers.org/xss.html
@@ -85,23 +85,68 @@ class Arachni::Modules::XSS < Arachni::Module::Base
             },
             elements:    [Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.3.2',
+            version:     '0.3.4',
             references:  {
                 'ha.ckers' => 'http://ha.ckers.org/xss.html',
-                'Secunia'  => 'http://secunia.com/advisories/9716/'
+                'Secunia'  => 'http://secunia.com/advisories/9716/',
+                'WASC' => 'http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting',
+                'OWASP' => 'www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet'
             },
             targets:     %w(Generic),
             issue:       {
                 name:            %q{Cross-Site Scripting (XSS)},
-                description:     %q{Client-side code (like JavaScript) can
-    be injected into the web application which is then returned to the user's browser.
-    This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.},
-                tags:            %w(xss regexp injection script),
+                description:     %q{Client side scripts are used extensively by 
+                    modern web applications. They perform simple functions such 
+                    as the formatting of text to full manipulation of client 
+                    side data and operating system interaction. Cross Site 
+                    Scripting (XSS) is where the client is able to inject 
+                    scripts into a request and have the server return the script 
+                    to the client. This occurs because the application is taking 
+                    untrusted data (in this example from the client) and reusing 
+                    it without performing any data validation or sanitisation. 
+                    If the injected script is returned immediately this is known 
+                    as reflected XSS. If the injected script is stored by the 
+                    server and returned to any client visiting the affected page 
+                    then this is known as persistent XSS (also stored XSS). A 
+                    common attack used by cyber-criminals is to steal a client's 
+                    session token by injecting JavaScript, however XSS 
+                    vulnerabilities can also be abused to exploit clients for 
+                    example by visiting the page either directly or through a 
+                    crafted HTTP link delivered via a social engineering email. 
+                    Note: many modern browsers attempt to implement some form of 
+                    XSS protection, however these do not protect against all 
+                    methods of attack, and in some cases can easily be bypassed. 
+                    Arachni has discovered that it is possible to insert script 
+                    content directly into HTML element content. For example 
+                    '<body> INJECTION_HERE </body>' where INJECTION_HERE 
+                    represents the location where the Arachni payload was 
+                    detected.},
                 cwe:             '79',
                 severity:        Severity::HIGH,
                 cvssv2:          '9.0',
-                remedy_guidance: 'User inputs must be validated and filtered
-    before being returned as part of the HTML code of a page.',
+                remedy_guidance: %q{To remediate XSS vulnerabilities it is 
+                    important to never use untrusted or unfiltered data within 
+                    the code of a HTML page. Untrusted data can originate not 
+                    only form the client but potentially a third party, or 
+                    previously uploaded file etc. Filtering of untrusted data 
+                    typically involves converting special characters to their 
+                    HTML entity encoding equivalent (however other methods do 
+                    exist. see ref.). These special characters include (ignoring 
+                    commas) '&, <, >, ", ', /'. An example of HTML entity encode 
+                    is converting a '<' to '&lt;'. Although it is possible to 
+                    filter untrusted input, there are five locations within a 
+                    HTML page where untrusted input (even if it has been 
+                    filtered) should never be placed. These locations include 1. 
+                    Directly in a script. 2. inside a HTML comment. 3. in an 
+                    attribute name. 4. in a tag name. 5. Directly in CSS. Where 
+                    untrusted data is inserted into HTML element content, HTML 
+                    common attributes, JavaScript data values, JSON values, HTML 
+                    style property values, or HTML URL parameter values it must 
+                    be filtered. Each of these locations have their own form of 
+                    escaping and filtering.
+                    Because many browsers attempt to implement XSS protection, 
+                    any manual verification of this finding should be conducted 
+                    utilising multiple different browsers and browser versions.},
             }
         }
     end

data/modules/audit/xss_event.rb

@@ -14,17 +14,15 @@
     limitations under the License.
 =end
 
-#
 # It injects a string and checks if it appears inside an event attribute of any HTML tag.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.3
+# @version 0.1.4
 #
 # @see http://cwe.mitre.org/data/definitions/79.html
 # @see http://ha.ckers.org/xss.html
 # @see http://secunia.com/advisories/9716/
-#
 class Arachni::Modules::XSSEvent < Arachni::Module::Base
 
     EVENT_ATTRS = [
@@ -84,23 +82,69 @@ class Arachni::Modules::XSSEvent < Arachni::Module::Base
             description: %q{Cross-Site Scripting in event tag of HTML element.},
             elements:    [Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.1.3',
+            version:     '0.1.4',
             references:  {
                 'ha.ckers' => 'http://ha.ckers.org/xss.html',
-                'Secunia'  => 'http://secunia.com/advisories/9716/'
+                'Secunia'  => 'http://secunia.com/advisories/9716/',
+                'WASC' => 'http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting',
+                'OWASP' => 'www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet'
             },
             targets:     %w(Generic),
             issue:       {
                 name:            %q{Cross-Site Scripting in event tag of HTML element},
-                description:     %q{Unvalidated user input is being embedded inside an HMTL event element such as "onmouseover".
-    This makes Cross-Site Scripting attacks much easier to mount since the user input
-    lands in code waiting to be executed.},
+                description:     %q{Client side scripts are used extensively by 
+                    modern web applications. They perform simple functions such 
+                    as the formatting of text to full manipulation of client 
+                    side data and operating system interaction. Cross Site 
+                    Scripting (XSS) is where the client is able to inject 
+                    scripts into a request and have the server return the script 
+                    to the client. This occurs because the application is taking 
+                    untrusted data (in this example from the client) and reusing 
+                    it without performing any data validation or sanitisation. 
+                    If the injected script is returned immediately this is known 
+                    as reflected XSS. If the injected script is stored by the 
+                    server and returned to any client visiting the affected page 
+                    then this is known as persistent XSS (also stored XSS). A 
+                    common attack used by cyber-criminals is to steal a client's 
+                    session token by injecting JavaScript, however XSS 
+                    vulnerabilities can also be abused to exploit clients for 
+                    example by visiting the page either directly or through a 
+                    crafted HTTP link delivered via a social engineering email. 
+                    Note: many modern browsers attempt to implement some form of 
+                    XSS protection, however these do not protect against all 
+                    methods of attack, and in some cases can easily be bypassed. 
+                    Arachni has discovered that it is possible to insert script 
+                    content directly into HTML event. For example 
+                    '<div onmouseover="x=INJECTION_HERE"</div>' where 
+                    INJECTION_HERE represents the location where the Arachni 
+                    payload was detected.},
                 tags:            %w(xss event injection regexp dom attribute),
                 cwe:             '79',
                 severity:        Severity::HIGH,
                 cvssv2:          '9.0',
-                remedy_guidance: 'User inputs must be validated and filtered
-    before being included in executable code or not be included at all.',
+                remedy_guidance: %q{To remediate XSS vulnerabilities it is 
+                    important to never use untrusted or unfiltered data within 
+                    the code of a HTML page. Untrusted data can originate not 
+                    only form the client but potentially a third party, or 
+                    previously uploaded file etc. Filtering of untrusted data 
+                    typically involves converting special characters to their 
+                    HTML entity encoding equivalent (however other methods do 
+                    exist. see ref.). These special characters include (ignoring 
+                    commas) '&, <, >, ", ', /'. An example of HTML entity encode 
+                    is converting a '<' to '&lt;'. Although it is possible to 
+                    filter untrusted input, there are five locations within a 
+                    HTML page where untrusted input (even if it has been 
+                    filtered) should never be placed. These locations include 1. 
+                    Directly in a script. 2. inside a HTML comment. 3. in an 
+                    attribute name. 4. in a tag name. 5. Directly in CSS. Where 
+                    untrusted data is inserted into HTML element content, HTML 
+                    common attributes, JavaScript data values, JSON values, HTML 
+                    style property values, or HTML URL parameter values it must 
+                    be filtered. Each of these locations have their own form of 
+                    escaping and filtering.
+                    Because many browsers attempt to implement XSS protection, 
+                    any manual verification of this finding should be conducted 
+                    utilising multiple different browsers and browser versions.},
             }
 
         }

data/modules/audit/xss_path.rb

@@ -14,17 +14,15 @@
     limitations under the License.
 =end
 
-#
 # XSS in path audit module.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.8
+# @version 0.1.9
 #
 # @see http://cwe.mitre.org/data/definitions/79.html
 # @see http://ha.ckers.org/xss.html
 # @see http://secunia.com/advisories/9716/
-#
 class Arachni::Modules::XSSPath < Arachni::Module::Base
 
     def self.tag
@@ -81,22 +79,71 @@ class Arachni::Modules::XSSPath < Arachni::Module::Base
             description: %q{Cross-Site Scripting module for path injection},
             elements:    [ Element::PATH ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.1.8',
+            version:     '0.1.9',
             references:  {
                 'ha.ckers' => 'http://ha.ckers.org/xss.html',
-                'Secunia'  => 'http://secunia.com/advisories/9716/'
+                'Secunia'  => 'http://secunia.com/advisories/9716/',
+                'WASC' => 'http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting',
+                'OWASP' => 'www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet'
             },
             targets:     %w(Generic),
             issue:       {
                 name:            %q{Cross-Site Scripting (XSS) in path},
-                description:     %q{Client-side code, like JavaScript, can
-    be injected into the web application.},
+                description:     %q{Client side scripts are used extensively by 
+                    modern web applications. They perform simple functions such 
+                    as the formatting of text to full manipulation of client 
+                    side data and operating system interaction. Cross Site 
+                    Scripting (XSS) is where the client is able to inject 
+                    scripts into a request and have the server return the script 
+                    to the client. This occurs because the application is taking 
+                    untrusted data (in this example from the client) and reusing 
+                    it without performing any data validation or sanitisation. 
+                    If the injected script is returned immediately this is known 
+                    as reflected XSS. If the injected script is stored by the 
+                    server and returned to any client visiting the affected page 
+                    then this is known as persistent XSS (also stored XSS). A 
+                    common attack used by cyber-criminals is to steal a client's 
+                    session token by injecting JavaScript, however XSS 
+                    vulnerabilities can also be abused to exploit clients for 
+                    example by visiting the page either directly or through a 
+                    crafted HTTP link delivered via a social engineering email. 
+                    Note: many modern browsers attempt to implement some form of 
+                    XSS protection, however these do not protect against all 
+                    methods of attack, and in some cases can easily be bypassed. 
+                    Arachni has discovered that it is possible to insert script 
+                    content directly into the requests PATH, or within a request 
+                    header, and have it returned in the server's response. For 
+                    example 'HTTP://yoursite.com/INJECTION_HERE/' or 
+                    'referer: HTTP://yoursite.com/INJECTION_HERE' where 
+                    INJECTION_HERE represents the location where the Arachni 
+                    payload was injected.},
                 tags:            %w(xss path injection regexp),
                 cwe:             '79',
                 severity:        Severity::HIGH,
                 cvssv2:          '9.0',
-                remedy_guidance: %q{Path must be validated and filtered
-                    before being returned as part of the HTML code of a page.}
+                remedy_guidance: %q{To remediate XSS vulnerabilities it is 
+                    important to never use untrusted or unfiltered data within 
+                    the code of a HTML page. Untrusted data can originate not 
+                    only form the client but potentially a third party, or 
+                    previously uploaded file etc. Filtering of untrusted data 
+                    typically involves converting special characters to their 
+                    HTML entity encoding equivalent (however other methods do 
+                    exist. see ref.). These special characters include (ignoring 
+                    commas) '&, <, >, ", ', /'. An example of HTML entity encode 
+                    is converting a '<' to '&lt;'. Although it is possible to 
+                    filter untrusted input, there are five locations within a 
+                    HTML page where untrusted input (even if it has been 
+                    filtered) should never be placed. These locations include 1. 
+                    Directly in a script. 2. inside a HTML comment. 3. in an 
+                    attribute name. 4. in a tag name. 5. Directly in CSS. Where 
+                    untrusted data is inserted into HTML element content, HTML 
+                    common attributes, JavaScript data values, JSON values, HTML 
+                    style property values, or HTML URL parameter values it must 
+                    be filtered. Each of these locations have their own form of 
+                    escaping and filtering.
+                    Because many browsers attempt to implement XSS protection, 
+                    any manual verification of this finding should be conducted 
+                    utilising multiple different browsers and browser versions.}
             }
 
         }

data/modules/audit/xss_script_tag.rb

@@ -19,7 +19,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.4
+# @version 0.1.5
 #
 # @see http://cwe.mitre.org/data/definitions/79.html
 # @see http://ha.ckers.org/xss.html
@@ -67,23 +67,69 @@ class Arachni::Modules::XSSScriptTag < Arachni::Module::Base
             description: %q{Injects strings and checks if they appear inside HTML 'script' tags.},
             elements:    [Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.1.4',
+            version:     '0.1.5',
             references:  {
                 'ha.ckers' => 'http://ha.ckers.org/xss.html',
-                'Secunia'  => 'http://secunia.com/advisories/9716/'
+                'Secunia'  => 'http://secunia.com/advisories/9716/',
+                'WASC' => 'http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting',
+                'OWASP' => 'www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet'
             },
             targets:     %w(Generic),
             issue:       {
                 name:            %q{Cross-Site Scripting in HTML \'script\' tag},
-                description:     %q{Unvalidated user input is being embedded inside a <script> element.
-    This makes Cross-Site Scripting attacks much easier to mount since user input lands inside
-    a trusted script.},
+                description:     %q{Client side scripts are used extensively by 
+                    modern web applications. They perform simple functions such 
+                    as the formatting of text to full manipulation of client 
+                    side data and operating system interaction. Cross Site 
+                    Scripting (XSS) is where the client is able to inject 
+                    scripts into a request and have the server return the script 
+                    to the client. This occurs because the application is taking 
+                    untrusted data (in this example from the client) and reusing 
+                    it without performing any data validation or sanitisation. 
+                    If the injected script is returned immediately this is known 
+                    as reflected XSS. If the injected script is stored by the 
+                    server and returned to any client visiting the affected page 
+                    then this is known as persistent XSS (also stored XSS). A 
+                    common attack used by cyber-criminals is to steal a client's 
+                    session token by injecting JavaScript, however XSS 
+                    vulnerabilities can also be abused to exploit clients for 
+                    example by visiting the page either directly or through a 
+                    crafted HTTP link delivered via a social engineering email. 
+                    Note: many modern browsers attempt to implement some form of 
+                    XSS protection, however these do not protect against all 
+                    methods of attack, and in some cases can easily be bypassed. 
+                    Arachni has discovered that it is possible to insert content 
+                    directly into a script. For example 
+                    '<script> INJECTION_HERE </script>' where INJECTION_HERE 
+                    represents the location where the Arachni payload was 
+                    detected.},
                 tags:            %w(xss script tag regexp dom attribute injection),
                 cwe:             '79',
                 severity:        Severity::HIGH,
                 cvssv2:          '9.0',
-                remedy_guidance: 'User inputs must be validated and filtered
-    before being included in executable code or not be included at all.',
+                remedy_guidance: %q{To remediate XSS vulnerabilities it is 
+                    important to never use untrusted or unfiltered data within 
+                    the code of a HTML page. Untrusted data can originate not 
+                    only form the client but potentially a third party, or 
+                    previously uploaded file etc. Filtering of untrusted data 
+                    typically involves converting special characters to their 
+                    HTML entity encoding equivalent (however other methods do 
+                    exist. see ref.). These special characters include (ignoring 
+                    commas) '&, <, >, ", ', /'. An example of HTML entity encode 
+                    is converting a '<' to '&lt;'. Although it is possible to 
+                    filter untrusted input, there are five locations within a 
+                    HTML page where untrusted input (even if it has been 
+                    filtered) should never be placed. These locations include 1. 
+                    Directly in a script. 2. inside a HTML comment. 3. in an 
+                    attribute name. 4. in a tag name. 5. Directly in CSS. Where 
+                    untrusted data is inserted into HTML element content, HTML 
+                    common attributes, JavaScript data values, JSON values, HTML 
+                    style property values, or HTML URL parameter values it must 
+                    be filtered. Each of these locations have their own form of 
+                    escaping and filtering.
+                    Because many browsers attempt to implement XSS protection, 
+                    any manual verification of this finding should be conducted 
+                    utilising multiple different browsers and browser versions.}
             }
         }
     end

data/modules/audit/xss_tag.rb

@@ -19,7 +19,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.5
+# @version 0.1.6
 #
 # @see http://cwe.mitre.org/data/definitions/79.html
 # @see http://ha.ckers.org/xss.html
@@ -67,22 +67,68 @@ class Arachni::Modules::XSSHTMLTag < Arachni::Module::Base
             description: %q{Cross-Site Scripting in HTML tag.},
             elements:    [ Element::FORM, Element::LINK, Element::COOKIE, Element::HEADER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.1.5',
+            version:     '0.1.6',
             references:  {
                 'ha.ckers' => 'http://ha.ckers.org/xss.html',
-                'Secunia'  => 'http://secunia.com/advisories/9716/'
+                'Secunia'  => 'http://secunia.com/advisories/9716/',
+                'WASC' => 'http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting'
             },
             targets:     %w(Generic),
             issue:       {
                 name:            %q{Cross-Site Scripting (XSS) in HTML tag},
-                description:     %q{Unvalidated user input is being embedded in a HTML element.
-    This can lead to a Cross-Site Scripting vulnerability or a form of HTML manipulation.},
+                description:     %q{Client side scripts are used extensively by 
+                    modern web applications. They perform simple functions such 
+                    as the formatting of text to full manipulation of client 
+                    side data and operating system interaction. Cross Site 
+                    Scripting (XSS) is where the client is able to inject 
+                    scripts into a request and have the server return the script 
+                    to the client. This occurs because the application is taking 
+                    untrusted data (in this example from the client) and reusing 
+                    it without performing any data validation or sanitisation. 
+                    If the injected script is returned immediately this is known 
+                    as reflected XSS. If the injected script is stored by the 
+                    server and returned to any client visiting the affected page 
+                    then this is known as persistent XSS (also stored XSS). A 
+                    common attack used by cyber-criminals is to steal a client's 
+                    session token by injecting JavaScript, however XSS 
+                    vulnerabilities can also be abused to exploit clients for 
+                    example by visiting the page either directly or through a 
+                    crafted HTTP link delivered via a social engineering email. 
+                    Note: many modern browsers attempt to implement some form of 
+                    XSS protection, however these do not protect against all 
+                    methods of attack, and in some cases can easily be bypassed. 
+                    Arachni has discovered that it is possible to insert content 
+                    directly into a HTML tag. for example 
+                    '<INJECTION_HERE href=.......etc>' where INJECTION_HERE 
+                    represents the location where the Arachni payload was 
+                    detected.},
                 tags:            %w(xss script tag regexp dom attribute injection),
                 cwe:             '79',
                 severity:        Severity::HIGH,
                 cvssv2:          '9.0',
-                remedy_guidance: 'User inputs must be validated and filtered
-    before being returned as part of the HTML code of a page.',
+                remedy_guidance: %q{To remediate XSS vulnerabilities it is 
+                    important to never use untrusted or unfiltered data within 
+                    the code of a HTML page. Untrusted data can originate not 
+                    only form the client but potentially a third party, or 
+                    previously uploaded file etc. Filtering of untrusted data 
+                    typically involves converting special characters to their 
+                    HTML entity encoding equivalent (however other methods do 
+                    exist. see ref.). These special characters include (ignoring 
+                    commas) '&, <, >, ", ', /'. An example of HTML entity encode 
+                    is converting a '<' to '&lt;'. Although it is possible to 
+                    filter untrusted input, there are five locations within a 
+                    HTML page where untrusted input (even if it has been 
+                    filtered) should never be placed. These locations include 
+                    1. Directly in a script. 2. inside a HTML comment. 3. in an 
+                    attribute name. 4. in a tag name. 5. Directly in CSS. Where 
+                    untrusted data is inserted into HTML element content, HTML 
+                    common attributes, JavaScript data values, JSON values, HTML 
+                    style property values, or HTML URL parameter values it must 
+                    be filtered. Each of these locations have their own form of 
+                    escaping and filtering.
+                    Because many browsers attempt to implement XSS protection, 
+                    any manual verification of this finding should be conducted 
+                    utilising multiple different browsers and browser versions.},
             }
 
         }

data/modules/recon/allowed_methods.rb

@@ -19,7 +19,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.4
+# @version 0.1.5
 #
 # @see http://en.wikipedia.org/wiki/WebDAV
 # @see http://www.webdav.org/specs/rfc4918.html
@@ -61,17 +61,37 @@ class Arachni::Modules::AllowedMethods < Arachni::Module::Base
             description: %q{Checks for supported HTTP methods.},
             elements:    [Element::SERVER],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.4',
+            version:     '0.1.5',
             targets:     %w(Generic),
             references:  {
                 'Apache.org' => 'http://httpd.apache.org/docs/2.2/mod/core.html#limitexcept'
             },
             issue:       {
                 name:            %q{Allowed HTTP methods},
-                description:     %q{The webserver claims that it supports the logged methods.},
+                description:     %q{There are a number of HTTP methods that can 
+                    be used on a webserver, for example OPTIONS, HEAD, GET, 
+                    POST, PUT, DELETE etc.  Each of these methods perform a 
+                    different function, and each have an associate level of risk 
+                when their use is permitted on the webserver. A client can use 
+                    the OPTION method within a request to query a server to 
+                    determine which methods are allowed. Cyber-criminals will 
+                    almost always perform this simple test as it will give a 
+                    very quick indication of any risk methods being permitted by 
+                    the server. Arachni discovered that several methods 
+                    supported by the server.},
                 tags:            %w(http methods options),
                 severity:        Severity::INFORMATIONAL,
-                remedy_guidance: %q{Configure your web server to disallow unnecessary HTTP method.}
+                remedy_guidance: %q{It is recommended that a whitelisting 
+                    approach be taken to explicitly permit the HTTP methods required
+                    by the application and block all others.
+                    Typically the only HTTP methods required for most 
+                    applications are the GET and POST . All other
+                    methods perform actions that are rarely required, or perform 
+                    actions that are inherently risky. These risky methods (such 
+                    as PUT, DELETE, etc) should be protected by strict 
+                    limitations such as ensuring that the channel is secure 
+                    (SSL/TLS enabled), and only authorised and trusted clients 
+                    are permitted to use them.}
             }
         }
     end