arachni 0.4.6 → 0.4.7

data/modules/recon/backdoors.rb

@@ -14,13 +14,10 @@
     limitations under the License.
 =end
 
-#
 # Looks for common backdoors on the server.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
-#
-# @version 0.2.2
-#
+# @version 0.2.3
 class Arachni::Modules::Backdoors < Arachni::Module::Base
 
     def self.filenames
@@ -41,21 +38,42 @@ class Arachni::Modules::Backdoors < Arachni::Module::Base
             description: %q{Tries to find common backdoors on the server.},
             elements:    [Element::PATH],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.2.2',
+            version:     '0.2.3',
             targets:     %w(Generic),
             references:  {
                 'Blackhat' => 'https://www.blackhat.com/presentations/bh-usa-07/Wysopal_and_Eng/Presentation/bh-usa-07-wysopal_and_eng.pdf'
             },
             issue:       {
                 name:            %q{A backdoor file exists on the server},
-                description:     %q{ The server response indicates that a file matching
-    the name of a common backdoor is publicly accessible.
-    This indicates that the server has been compromised and can
-    (to some extent) be remotely controled by unauthorised users.},
+                description:     %q{If a server has been previously compromised, 
+                    there is a high probability that the cyber-criminal has
+                    installed a backdoor so that they can easily return to the
+                    server if required. One method of achieving this is to place 
+                    a web backdoor or web shell within the web root of the web 
+                    server. This will then enable the cyber-criminal to access 
+                    the server through a HTTP/S session. Although extremely bad 
+                    practice, it is possible that the web backdoor or web shell 
+                    has been placed there by an administrator so they can 
+                    perform administration activities remotely. During the 
+                    initial recon stages of an attack cyber-criminals will 
+                    attempt to locate these web backdoors or shells by
+                    requesting the names of the most common and well known 
+                    backdoors. By analysing the response headers from the server 
+                    they are able to determine if a web backdoor or web shell 
+                    exists. These web backdoors or web shells can then provide 
+                    an easy path for further compromise of the server. By 
+                    utilising the same methods as the cyber-criminals, Arachni 
+                    was able to discover a possible web backdoor or web shell.},
                 tags:            %w(path backdoor file discovery),
                 severity:        Severity::HIGH,
-                remedy_guidance: %q{Perform a source code and deployment audit to eliminate any
-                    unwanted files/resources and lines of code. Preferably perform a fresh deployment.}
+                remedy_guidance: %q{If manual confirmation reveals that a web 
+                    backdoor or web shell does exist on the server then it 
+                    should be removed. It is also recommended that an incident 
+                    response investigation be conducted on the server to 
+                    establish how the web backdoor or web shell came to end up 
+                    on the server. Depending on the environment, investigation 
+                    into the compromise of any other services or servers should 
+                    be conducted.}
             }
 
         }

data/modules/recon/backup_files.rb

@@ -14,17 +14,13 @@
     limitations under the License.
 =end
 
-#
 # Backup file discovery module.
 #
 # Appends common backup extentions to the filename of the page under audit<br/>
 # and checks for its existence.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
-#
-# @version 0.2.2
-#
-#
+# @version 0.2.3
 class Arachni::Modules::BackupFiles < Arachni::Module::Base
 
     def self.extensions
@@ -59,23 +55,43 @@ class Arachni::Modules::BackupFiles < Arachni::Module::Base
             description: %q{Tries to find sensitive backup files.},
             elements:    [ Element::PATH ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.2.2',
+            version:     '0.2.3',
             targets:     %w(Generic),
             references: {
-                'WebAppSec' => 'http://www.webappsec.org/projects/threat/classes/information_leakage.shtml'
+                'WASC 1' => 'http://www.webappsec.org/projects/threat/classes/information_leakage.shtml',
+                'WASC 2' => 'http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location'
             },
             issue:       {
                 name:            %q{Backup file},
-                description:     %q{The server response indicates that a file matching
-    the name of a common naming scheme for file backups can be publicly accessible.
-    A developer has probably forgotten to remove this file after testing.
-    This can lead to source code disclosure and privileged information leaks.},
+                description:     %q{A common practice when administering web 
+                    applications is to create a copy/backup of a particular file 
+                    or directory prior to making any modification to the file. 
+                    Another common practice is to add an extension or change the
+                    name of the original file to signify that it is a backup
+                    (examples include .bak, .orig, .backup, etc.). During the 
+                    initial recon stages of an attack, cyber-criminals will
+                    attempt to locate backup files by adding common extensions 
+                    onto files already discovered on the webserver. By analysing 
+                    the response headers from the server they are able to 
+                    determine if the backup file exists. These backup files can 
+                    then assist in further compromise of the web application. By 
+                    utilising the same method, Arachni was able to discover a 
+                    possible backup file.},
                 tags:            %w(path backup file discovery),
                 cew:             '530',
                 severity:        Severity::MEDIUM,
-                remedy_guidance: %q{Do not keep alternative versions of files underneath the virtual web server root.
-                    When updating the site, delete or move the files to a directory outside the virtual root, edit them there,
-                    and move (or copy) the files back to the virtual root. Make sure that only the files that are actually in use reside under the virtual root.}
+                remedy_guidance: %q{Do not keep obsolete versions of files
+                    under the virtual web server root. When updating the
+                    site, delete or move the files to a directory outside the 
+                    virtual root, edit them there, and move (or copy) the files 
+                    back to the virtual root. Make sure that only the files that 
+                    are actually in use reside under the virtual root. 
+                    Preventing access without authentication may also be an 
+                    option and stop a client being able to view the contents of 
+                    a file, however it is still likely that the filenames will be
+                    able to be discovered. Using obscure filenames is only 
+                    implementing security through obscurity and is not a 
+                    recommended option.}
             }
 
         }

data/modules/recon/common_directories.rb

@@ -14,17 +14,13 @@
     limitations under the License.
 =end
 
-#
 # Common directories discovery module.
 #
 # Looks for common, possibly sensitive, directories on the server.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
-#
-# @version 0.2.2
-#
+# @version 0.2.3
 # @see http://cwe.mitre.org/data/definitions/538.html
-#
 class Arachni::Modules::CommonDirectories < Arachni::Module::Base
 
     def self.directories
@@ -48,18 +44,41 @@ class Arachni::Modules::CommonDirectories < Arachni::Module::Base
             description: %q{Tries to find common directories on the server.},
             elements:    [ Element::PATH ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.2.1',
+            version:     '0.2.3',
             targets:     %w(Generic),
             references: {
                 'CWE'   => 'http://cwe.mitre.org/data/definitions/538.html',
-                'OWASP' => 'https://www.owasp.org/index.php/Forced_browsing'
+                'OWASP' => 'https://www.owasp.org/index.php/Forced_browsing',
+                'WASC' => 'http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location'
             },
             issue:       {
                 name:            %q{Common directory},
+                description:     %q{Web applications are often made up of 
+                    multiple files and directories. It is possible that over 
+                    time some directories may become unreferenced (unused) by the
+                    web application and forgotten about by the 
+                    administrator/developer. Because web applications are built 
+                    using common frameworks, they contain common directories 
+                    that can be discovered (independent of server). During the 
+                    initial recon stages of an attack, cyber-criminals will
+                    attempt to locate unreferenced directories in the hope that 
+                    the file will assist in further compromise of the web 
+                    application. To achieve this they will make thousands of 
+                    requests using word lists containing common filenames. The 
+                    response headers from the server will then indicate if the 
+                    file exists. Arachni also contains a list of common file 
+                    names which it will attempt to access.},
                 tags:            %w(path directory common discovery),
                 cwe:             '538',
                 severity:        Severity::MEDIUM,
-                remedy_guidance: %q{Do not expose file and directory information to the user.}
+                remedy_guidance: %q{If directories are unreferenced then they 
+                    should be removed from the web root, and/or the application 
+                    directory. Preventing access without authentication may also 
+                    be an option and can stop a client from being able to view the
+                    contents of a file, however it is still likely that the
+                    directory structure will be able to be discovered. Using 
+                    obscure directory names is implementing security through
+                    obscurity and is not a recommended option.}
             }
 
         }

data/modules/recon/common_files.rb

@@ -14,13 +14,10 @@
     limitations under the License.
 =end
 
-#
 # Looks for sensitive common files on the server.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
-#
-# @version 0.2.2
-#
+# @version 0.2.3
 class Arachni::Modules::CommonFiles < Arachni::Module::Base
 
     def self.filenames
@@ -41,16 +38,39 @@ class Arachni::Modules::CommonFiles < Arachni::Module::Base
             description: %q{Tries to find common sensitive files on the server.},
             elements:    [ Element::PATH ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.2.2',
+            version:     '0.2.3',
             targets:     %w(Generic),
             references: {
-                'Apache.org' => 'http://httpd.apache.org/docs/2.0/mod/mod_access.html'
+                'Apache.org' => 'http://httpd.apache.org/docs/2.0/mod/mod_access.html',
+                'WASC' => 'http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location'
             },
             issue:       {
                 name:            %q{Common sensitive file},
+                description:     %q{Web applications are often made up of 
+                    multiple files and directories, however it is possible that 
+                    over time some files may become unreferenced (unused) by the
+                    web application and forgotten by the administrator/developer.
+                    Because web applications are built
+                    using common frameworks, they contain common files that can 
+                    be discovered (independent of server). During the initial recon
+                    stages of an attack cyber-criminals will attempt to locate 
+                    unreferenced files in the hope that the file will assist in 
+                    further compromise of the web application. To achieve this 
+                    they will make thousands of requests using word lists 
+                    containing common filenames. The response headers from the 
+                    server will then indicate if the file exists. Arachni also 
+                    contains a list of common file names which it will attempt 
+                    to access.},
                 tags:            %w(common path file discovery),
                 severity:        Severity::LOW,
-                remedy_guidance: %q{Do not expose file and directory information to the user.}
+                remedy_guidance: %q{If files are unreferenced then they should 
+                    be removed from the web root, and/or the application 
+                    directory. Preventing access without authentication may also 
+                    be an option and stop a client from being able to view the
+                    contents of a file, however it is still likely that the
+                    filenames will be able to be discovered. Using obscure 
+                    filenames is only implementing security through obscurity 
+                    and is not a recommended option.}
             }
         }
     end

data/modules/recon/directory_listing.rb

@@ -14,15 +14,12 @@
     limitations under the License.
 =end
 
-#
 # Tries to force directory listings.
 #
 # Can't take credit for this one, it's Michal's (lcamtuf's) method from Skipfish.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
-#
-# @version 0.1.4
-#
+# @version 0.1.5
 class Arachni::Modules::DirectoryListing < Arachni::Module::Base
 
     # The compared pages must be at least 75% different
@@ -92,20 +89,43 @@ class Arachni::Modules::DirectoryListing < Arachni::Module::Base
             description: %q{Tries to force directory listings.},
             elements:    [ Element::SERVER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.4',
+            version:     '0.1.5',
             targets:     %w(Generic),
             references: {
-                'CWE' => 'http://cwe.mitre.org/data/definitions/548.html'
+                'CWE' => 'http://cwe.mitre.org/data/definitions/548.html',
+                'WASC' => 'http://projects.webappsec.org/w/page/13246922/Directory%20Indexing'
             },
             issue:       {
                 name:        %q{Directory listing},
-                description: %q{In most circumstances enabling directory listings is a bad practice
-    as it allows an attacker to better grasp the web application's structure.},
+                description: %q{Web servers permitting directory listing are 
+                    typically used for sharing files. Directory listing allows 
+                    the client to view a simple list of all the files and 
+                    folders hosted on the web server. The client is then able to
+                    traverse each directory and download the files. Cyber-
+                    criminals will utilise the presence of directory listing to 
+                    discover sensitive files, download protected content, or 
+                    even just learn how the web application is structured. 
+                    Arachni discovered that the affected page permits directory
+                    listing.},
                 tags:        %w(path directory listing index),
                 cwe:         '548',
                 severity:    Severity::LOW,
-                remedy_guidance: %q{Restrict access to important directories or files by adopting a need to know requirement for both the document and server root,
-                    and turn off features such as Automatic Directory Listings.}
+                remedy_guidance: %q{Unless the web server is being utilised to
+                    share static and non-sensitive files, enabling
+                    directory listing is considered a poor security practice
+                    and therefore should be disabled. This can typically be done
+                    with a simple configuration change on the server. The steps 
+                    to disable the directory listing will differ depending on 
+                    the type of server being used (IIS, Apache, etc.). If 
+                    directory listing is required, and permitted, then steps 
+                    should be taken to ensure that the risk of such a configuration
+                    is reduced. These can include: 1. Requiring
+                    authentication to access affected pages. 2. Adding the 
+                    affected path to the robots.txt file to prevent the 
+                    directory contents being searchable via search engines. 3.
+                    Ensuring that sensitive files are not stored within the
+                    web or document root. 4. Removing any files that are not 
+                    required for the application to function.}
             }
         }
     end

data/modules/recon/grep/captcha.rb

@@ -14,12 +14,8 @@
     limitations under the License.
 =end
 
-#
-#
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
-#
-# @version 0.1.1
-#
+# @version 0.1.2
 class Arachni::Modules::CAPTCHA < Arachni::Module::Base
 
     CAPTCHA_RX = /captcha/i
@@ -42,12 +38,34 @@ class Arachni::Modules::CAPTCHA < Arachni::Module::Base
             description: %q{Greps pages for forms with CAPTCHAs.},
             elements:    [ Element::FORM ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.1',
+            version:     '0.1.2',
+            references:  {
+                'WASC' => 'http://projects.webappsec.org/w/page/13246938/Insufficient%20Anti-automation',
+            },
             targets:     %w(Generic),
             issue:       {
                 name:        %q{CAPTCHA protected form},
-                description: %q{Arachni can't audit CAPTCHA protected forms, consider auditing manually.},
-                severity:    Severity::INFORMATIONAL
+                description: %q{To prevent the automated abuse of a page, 
+                    applications can implement what is known as a CAPTCHA. These 
+                    are used to ensure human interaction with the application, 
+                    and are often used on forms where the application conducts 
+                    sensitive actions. These typically include user registration,
+                    or submitting emails via the contact us page etc. Arachni
+                    has flagged this not as a vulnerability, but as a prompt for 
+                    the penetration tester to conduct further manual testing on 
+                    the CAPTCHA function, as Arachni cannon audit CAPTCHA
+                    protected forms. Testing for insecurely implemented CAPTCHA 
+                    is a manual process, and an insecurely implemented CAPTCHA 
+                    could allow a cyber-criminal a means to abuse these sensitive actions. },
+                severity:    Severity::INFORMATIONAL,
+                remedy_guidance: %q{Although no remediation may be required 
+                    based off of this finding alone, manual testing should 
+                    ensure that: 1. The server keeps track of CAPTCHA tokens in 
+                    use, and has the token terminated by the server after first 
+                    use or after a period of time. Therefore preventing replay
+                    attacks 2. The CAPTCHA answer is not hidden in plain text 
+                    within the response that is sent to the client. 3. The 
+                    CAPTCHA image should not be weak and easily solved.},
             },
             max_issues: 25
         }

data/modules/recon/grep/credit_card.rb

@@ -14,17 +14,15 @@
     limitations under the License.
 =end
 
-#
 # Credit Card Number recon module.
 #
 # Scans page for credit card numbers.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
-# @version 0.2.2
+# @version 0.2.3
 #
 # @see http://en.wikipedia.org/wiki/Bank_card_number
 # @see http://en.wikipedia.org/wiki/Luhn_algorithm
-#
 class Arachni::Modules::CreditCards < Arachni::Module::Base
 
     def self.cc_regexp
@@ -89,7 +87,7 @@ class Arachni::Modules::CreditCards < Arachni::Module::Base
             description: %q{Scans pages for credit card numbers.},
             elements:    [ Element::BODY ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.2.2',
+            version:     '0.2.3',
             references:  {
                 'Wikipedia - Bank card number' => 'http://en.wikipedia.org/wiki/Bank_card_number',
                 'Wikipedia - Luhn algorithm'   => 'http://en.wikipedia.org/wiki/Luhn_algorithm',
@@ -98,10 +96,31 @@ class Arachni::Modules::CreditCards < Arachni::Module::Base
             targets:     %w(Generic),
             issue:       {
                 name:            %q{Credit card number disclosure},
-                description:     %q{A credit card number is disclosed in the body of the page.},
+                description:     %q{Credit card numbers are used in applications 
+                    where a user is able to purchase goods and/or services. A
+                    credit card number is a sensitive piece of information and 
+                    should be handled as such. Cyber-criminals will use various 
+                    methods to attempt to compromise credit card information 
+                    that can then be used for fraudulent purposes. Through the 
+                    use of regular expressions and CC number format validation,
+                    Arachni was able to discover a credit card number located
+                    within the affected page.},
                 cwe:             '200',
                 severity:        Severity::MEDIUM,
-                remedy_guidance: %q{Remove credit card numbers from the body of the HTML pages.},
+                remedy_guidance: %q{Initially, the credit card number within the 
+                    response should be checked to ensure its validity, as it is 
+                    possible that the regular expression has matched on a 
+                    similar number with no relation to a real credit card. If 
+                    the response does contain a valid credit card number, then 
+                    all efforts should be taken to remove or further protect
+                    this information. This can be achieved by removing the 
+                    credit card number all together, or by masking the number so 
+                    that only the last few digits are present within the 
+                    response. eg. **********123. Additionally, credit card 
+                    numbers should not be stored by the application, unless the 
+                    organisation also complies with other security controls as 
+                    outlined in the Payment Card Industry Data Security Standard 
+                    (PCI DSS).},
             }
         }
     end

data/modules/recon/grep/cvs_svn_users.rb

@@ -14,14 +14,12 @@
     limitations under the License.
 =end
 
-#
 # CVS/SVN users recon module.
 #
 # Scans every page for CVS/SVN users.
 #
 # @author   Tasos Laskos <tasos.laskos@gmail.com>
-# @version  0.3
-#
+# @version  0.3.1
 class Arachni::Modules::CvsSvnUsers < Arachni::Module::Base
 
     def self.regexps
@@ -45,17 +43,36 @@ class Arachni::Modules::CvsSvnUsers < Arachni::Module::Base
             description: %q{Scans every page for CVS/SVN users.},
             elements:    [ Element::BODY ],
             author:      'Tasos Laskos <tasos.laskos@gmail.com>',
-            version:     '0.3',
+            version:     '0.3.1',
             targets:     %w(Generic),
             references: {
                 'CWE' => 'http://cwe.mitre.org/data/definitions/200.html'
             },
             issue:       {
                 name:            %q{CVS/SVN user disclosure},
-                description:     %q{A CVS or SVN user is disclosed in the body of the HTML page.},
+                description:     %q{Concurrent Version System (CVS) and 
+                    Subversion (SVN) provide a method for application developers 
+                    to control different versions of their code. Occasionally, 
+                    the developer's version or user information can be stored 
+                    incorrectly within the code and may be visible to the end 
+                    user (either in the HTML or code comments). As one of the
+                    initial steps in information gathering, cyber-criminals will 
+                    spider a website and using automated methods attempt to 
+                    discover any CVS/SVN information that may be present in the 
+                    page. This will aid them in developing a better 
+                    understanding of the deployed application (potentially 
+                    through the disclosure of version information), or it may 
+                    assist in further information gathering or social 
+                    engineering attacks. Using the same automated methods, 
+                    Arachni was able to detect CVS or SVN details stored within 
+                    the affected page.},
                 cwe:             '200',
                 severity:        Severity::LOW,
-                remedy_guidance: %q{Remove all CVS and SVN users from the body of the HTML page.},
+                remedy_guidance: %q{CVS and/or SVN information should not be 
+                    displayed to the end user. This can be achieved by removing 
+                    this information all together prior to deployment, or by 
+                    putting this information into a server side (PHP, ASP, JSP, 
+                    etc) code comment block as opposed to a HTML code comment.},
             },
             max_issues: 25
         }