arachni 0.4.6 → 0.4.7

data/modules/recon/grep/emails.rb

@@ -14,13 +14,10 @@
     limitations under the License.
 =end
 
-#
 # Looks for and logs e-mail addresses.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
-#
-# @version 0.1.1
-#
+# @version 0.1.2
 class Arachni::Modules::EMails < Arachni::Module::Base
 
     def run
@@ -36,15 +33,38 @@ class Arachni::Modules::EMails < Arachni::Module::Base
             description: %q{Greps pages for disclosed e-mail addresses.},
             elements:    [ Element::BODY ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.1',
+            version:     '0.1.2',
             targets:     %w(Generic),
             issue:       {
                 name:            %q{E-mail address disclosure},
-                description:     %q{An e-mail address is being disclosed.},
+                description:     %q{Email addresses are typically found on 
+                    'Contact us' pages, however they can also be found within
+                    scripts or code comments of the application. They are used to
+                    provide a legitimate means of contacting an organisation. As 
+                    one of the initial steps in information gathering, cyber-
+                    criminals will spider a website and using automated methods 
+                    collect as many email addresses as possible, that they may 
+                    then use in a social engineering attack against that user. 
+                    Using the same automated methods, Arachni was able to detect 
+                    one or more email addresses that were stored within the 
+                    affected page.},
                 cwe:             '200',
                 severity:        Severity::INFORMATIONAL,
-                remedy_guidance: %q{E-mail addresses should be presented in such
-                    a way that it is hard to process them automatically.}
+                remedy_guidance: %q{As a general rule, email addresses should be 
+                    presented in such a way that it is hard for scripts to 
+                    process them automatically. For example, 
+                    'test@arachni-scanner.com' may become 
+                    'test[at]yourdomain[dot]com'. Although this will force extra 
+                    user interaction when utilising the address (changing [dot] 
+                    to . etc) it will reduce the likelihood that these emails 
+                    will be discovered by an automated process. To provide 
+                    further protection against manual discovery, generic email 
+                    addresses should be used. For example on a 'contact us' page 
+                    'contactus@arachni-scanner.com' should be utilised instead 
+                    of an individual's email address such as 
+                    'john.doe@arachni-scanner.com'. Performing this extra step 
+                    may reduce the likelihood of username enumeration for the 
+                    domain.}
             },
             max_issues: 25
         }

data/modules/recon/grep/form_upload.rb

@@ -18,7 +18,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1
+# @version 0.2
 class Arachni::Modules::FileUpload < Arachni::Module::Base
 
 
@@ -34,13 +34,12 @@ class Arachni::Modules::FileUpload < Arachni::Module::Base
     end
 
     def self.info
-        description = 'Logs upload forms which require manual testing.'
         {
             name:        'Form-based File Upload',
-            description: description,
+            description: %q{Logs file upload forms which require manual testing.},
             elements:    [ Element::FORM ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1',
+            version:     '0.2',
             targets:     %w(Generic),
             references: {
                 'owasp.org' => 'https://www.owasp.org/index.php/Unrestricted_File_Upload'
@@ -49,9 +48,35 @@ class Arachni::Modules::FileUpload < Arachni::Module::Base
             issue:       {
                 name:        %q{Form-based File Upload},
                 cwe:         '200',
-                description: description,
+                description: %q{The design of many web applications require that 
+                    users be able to upload files that will either be stored or 
+                    processed by the receiving web server. Arachni has flagged 
+                    this not as a vulnerability, but as a prompt for the 
+                    penetration tester to conduct further manual testing on the 
+                    file upload function. An insecure form-based file upload
+                    could allow a cyber-criminal a means to abuse and 
+                    successfully exploit the server directly, and/or any third 
+                    party that may later access the file. This can occur through 
+                    uploading a file containing server side code (such as PHP) 
+                    that is then executed when requested by the client.},
                 tags:        %w(file upload),
-                severity:    Severity::INFORMATIONAL
+                severity:    Severity::INFORMATIONAL,
+                remedy_guidance: %q{The identified page should at a minimum: 1. 
+                    Whitelist permitted file types and block all others. This 
+                    should be conducted on the MIME type of the file rather than 
+                    its extension. 2. As the file is uploaded, and prior to 
+                    being handled (written to the disk) by the server, the 
+                    filename should be stripped of all control, special, or 
+                    Unicode characters. 3. Ensure that the upload is conducted 
+                    via the HTTP POST method rather than GET or PUT. 4. Ensure 
+                    that the file is written to a directory that does not hold 
+                    any execute permission, and that all files within that 
+                    directory inherit the same permissions. 5. Scan (if 
+                    possible) with an up-to-date virus scanner before being 
+                    stored. 6. Ensure that the application handles files as per
+                    the host operating system. For example the length of the 
+                    file name is appropriate, there is adequate space to store 
+                    the file, protection against overwriting other files etc.},
             },
             max_issues: 25
         }

data/modules/recon/grep/http_only_cookies.rb

@@ -14,13 +14,11 @@
     limitations under the License.
 =end
 
-#
 # Logs cookies that are accessible via JavaScript.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.1
-#
+# @version 0.1.2
 class Arachni::Modules::HttpOnlyCookies < Arachni::Module::Base
 
     def run
@@ -38,18 +36,45 @@ class Arachni::Modules::HttpOnlyCookies < Arachni::Module::Base
             description: %q{Logs cookies that are accessible via JavaScript.},
             elements:    [ Element::COOKIE ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.1',
+            version:     '0.1.2',
             targets:     %w(Generic),
             references:  {
-                'HttpOnly - OWASP' => 'https://www.owasp.org/index.php/HttpOnly'
+                'OWASP' => 'https://www.owasp.org/index.php/HttpOnly'
             },
             issue:       {
                 name:            %q{HttpOnly cookie},
-                description:     %q{The logged cookie does not have the HttpOnly
-    flag set which makes it succeptible to maniplation via client-side code.},
+                description:     %q{HTTP by itself is a stateless protocol. 
+                    Therefor the server is unable to determine which requests 
+                    are performed by which client, and which clients are 
+                    authenticated or unauthenticated. The use of HTTP cookies 
+                    within the headers, allows a web server to identify each 
+                    individual client, and can therefor determine which clients 
+                    hold valid authentication from those that do not.  These are 
+                    known as session cookies. When a cookie is set by the server 
+                    there are several flags that can be set to configure the
+                    properties of the cookie, and how it is handled by the browser.
+                    The HttpOnly flag assists in the prevention of client side
+                    scripts (such as JavaScript) accessing, and using the cookie.
+                    This can help preventing XSS attacks targeting the cookies
+                    holding the clients session token (Setting the HttpOnly flag
+                    does not prevent, or remediate against XSS vulnerabilities
+                    themselves).},
                 cwe:             '200',
                 severity:        Severity::INFORMATIONAL,
-                remedy_guidance: %q{Set the 'HttpOnly' flag in the cookie.},
+                remedy_guidance: %q{The initial steps to remedy this should
+                    be determined on whether any client side scripts (such as 
+                    JavaScript) are required to access the cookie. If this cannot
+                    be determined, then it is likely not required by the scripts 
+                    and should therefor have the HttpOnly flag as per the 
+                    following remediation actions. The server should ensure that 
+                    the cookie has its HttpOnly flag set. An example of this is 
+                    as a server header is 'Set-Cookie: NAME=VALUE; HttpOnly'. 
+                    Depending on the framework and server in use by the affected 
+                    page, the technical remediation actions will differ. 
+                    Additionally, it should be noted that some older browsers are
+                    not compatible with the HttpOnly flag, and therefore setting
+                    this flag will not protect those clients against this form
+                    of attack.},
             }
         }
     end

data/modules/recon/grep/insecure_cookies.rb

@@ -14,11 +14,8 @@
     limitations under the License.
 =end
 
-#
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
-#
-# @version 0.1.1
-#
+# @version 0.1.2
 class Arachni::Modules::InsecureCookies < Arachni::Module::Base
 
     def run
@@ -36,18 +33,48 @@ class Arachni::Modules::InsecureCookies < Arachni::Module::Base
             description: %q{Logs cookies that are served over an unencrypted channel.},
             elements:    [ Element::COOKIE ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.1',
+            version:     '0.1.2',
             targets:     %w(Generic),
             references:  {
-                'SecureFlag - OWASP' => 'https://www.owasp.org/index.php/SecureFlag'
+                'OWASP' => 'https://www.owasp.org/index.php/SecureFlag'
             },
             issue:       {
                 name:            %q{Insecure cookie},
-                description:     %q{The logged cookie is allowed to be served over
-    an unencrypted channel which makes it susceptible to sniffing.},
+                description:     %q{HTTP by itself is a stateless protocol. 
+                    Therefore the server is unable to determine which requests
+                    are performed by which client, and which clients are 
+                    authenticated or unauthenticated. The use of HTTP cookies 
+                    within the headers, allows a web server to identify each 
+                    individual client, and can therefore determine which clients
+                    hold valid authentication from those that do not. These are 
+                    known as session cookies. Because these cookies are used to 
+                    store a client's session (authenticated or unauthenticated), 
+                    it is important that the cookie is passed via an encrypted 
+                    channel. When a cookie is set by the server (send from the 
+                    server to the client in the header of response) there are 
+                    several flags that can be set to determine the properties of 
+                    the cookie, and how it is to handle by the browser. One of 
+                    these flags is known as the 'secure' flag. When the secure 
+                    flag is set, the browser will prevent it being send over any 
+                    clear text channel (HTTP), and only allow it to be sent when 
+                    an encrypted channel is used (HTTPS). Arachni discovered 
+                    that a cookie, and possible session token was set by the 
+                    server without the secure flag being set. Although the 
+                    initial setting of this cookie was via an HTTPS connection,
+                    any HTTP link to the same server will result in the cookie 
+                    being send in clear text.},
                 cwe:             '200',
                 severity:        Severity::INFORMATIONAL,
-                remedy_guidance: %q{Set the 'Secure' flag in the cookie.},
+                remedy_guidance: %q{The initial steps to remediate this should 
+                    be determined on whether the cookie is sensitive in nature, 
+                    or is used to store a session token. If the cookie does not 
+                    contain any sensitive information then the risk of this 
+                    vulnerability is reduced, however if the cookie does contain 
+                    sensitive information, then the server should ensure that 
+                    the cookie has its secure flag set. An example of this as
+                    a response header is 'Set-Cookie: NAME=VALUE; secure'.
+                    Depending on the framework and server in use by the affected 
+                    page, the technical remediation actions will differ.},
             }
         }
     end

data/modules/recon/grep/mixed_resource.rb

@@ -14,17 +14,15 @@
     limitations under the License.
 =end
 
-#
 # Mixed Resource detection module
 #
 # Looks for resources served over HTTP when the HTML code is server over HTTPS.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.3
+# @version 0.1.4
 #
 # @see http://googleonlinesecurity.blogspot.com/2011/06/trying-to-end-mixed-scripting.html
-#
 class Arachni::Modules::MixedResource < Arachni::Module::Base
 
     def run
@@ -71,20 +69,42 @@ class Arachni::Modules::MixedResource < Arachni::Module::Base
             description: %q{Looks for resources served over HTTP when the HTML code is server over HTTPS.},
             elements:    [ Element::BODY ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.1.2',
+            version:     '0.1.4',
             references:  {
                 'Google Online Security Blog' =>
-                    'http://googleonlinesecurity.blogspot.com/2011/06/trying-to-end-mixed-scripting.html'
+                    'http://googleonlinesecurity.blogspot.com/2011/06/trying-to-end-mixed-scripting.html',
+                'WASC' => 'http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection',
+                'OWASP' => 'www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet'
             },
             targets:     %w(Generic),
             issue:       {
                 name:            %q{Mixed Resource},
-                description:     %q{Serving resources over an unencrypted channel
-    while the HTML code is served over HTTPS can lead to
-    Man-In-The-Middle attacks and provide a false sense of security.},
+                description:     %q{The HTTP protocol by itself is clear text, 
+                    meaning that any data that is transmitted via HTTP can be 
+                    captured and the contents viewed. To keep data private, and 
+                    prevent it from being intercepted, HTTP is often tunnelled
+                    through either a Secure Sockets Layer (SSL), or Transport
+                    Layer Security (TLS) connection. When either of these encryption
+                    standards are used, it is referred to as HTTPS. Cyber-
+                    criminals will often attempt to compromise sensitive 
+                    information passed from the client to the server using HTTP. 
+                    This can be conducted via various different Man-in-The-Middle
+                    (MiTM) attacks or through network packet captures.
+                    Arachni discovered that the affected site is utilising both 
+                    HTTP and HTTPS. While the HTML code is served over HTTPS, 
+                    the server is also serving resources over an unencrypted 
+                    channel which can lead to the compromise of data, while 
+                    providing a false sense of security to the user. },
                 tags:            %w(unencrypted resource javascript stylesheet),
                 severity:        Severity::MEDIUM,
-                remedy_guidance: %q{Configure the server to serve all resources over the encrypted channel.}
+                remedy_guidance: %q{All pages and/or resources on the affected 
+                    site should be secured equally, utilising the latest and 
+                    most secure encryption protocols. These include SSL version 
+                    3.0 and TLS version 1.2. While TLS 1.2 is the latest and the 
+                    most preferred protocol, not all browsers will support this 
+                    encryption method. Therefore the more common SSL is included.
+                    Older protocols such as SSL version 2, and weak ciphers 
+                    (< 128 bit) should also be disabled.}
             }
 
         }

data/modules/recon/grep/password_autocomplete.rb

@@ -20,7 +20,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1
+# @version 0.2
 #
 class Arachni::Modules::PasswordAutocomplete < Arachni::Module::Base
 
@@ -42,14 +42,41 @@ class Arachni::Modules::PasswordAutocomplete < Arachni::Module::Base
                 without explicitly disabling auto-complete.},
             elements:    [ Element::FORM ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1',
+            version:     '0.2',
             targets:     %w(Generic),
             issue:       {
                 name:        %q{Password field with auto-complete},
-                description: %q{Some browsers automatically fill-in forms with
-                    sensitive user information for fields that don't have
-                    the auto-complete feature explicitly disabled.},
-                severity:    Severity::LOW
+                description: %q{In typical form-based web applications, it is
+                    common practice for developers to allow autocomplete within 
+                    the HTML form to improve the usability of the page. With 
+                    autocomplete enabled (default) it allows the browser to 
+                    cache previously entered form values entered by the user. 
+                    For legitimate purposes, this allows the user to quickly 
+                    re-enter the same data, when completing the form multiple 
+                    times. When autocomplete is enabled on either/both the 
+                    username password fields, this could allow a cyber-criminal 
+                    with access to the victim's computer the ability to have the 
+                    victims credentials autocomplete (automatically entered) as 
+                    the cyber-criminal visits the affected page. Arachni has 
+                    discovered that the response of the affected location 
+                    contains a form containing a password field that has not 
+                    disabled autocomplete.},
+                severity:    Severity::LOW,
+                remedy_guidance: %q{The autocomplete value can be configured in 
+                    two different locations. The first, and most secure, location
+                    is to disable autocomplete attribute on the <FORM> HTML tag. 
+                    This will therefor disable autocomplete for all inputs 
+                    within that form. An example of disabling autocomplete 
+                    within the form tag is '<FORM autocomplete=off>'. The second 
+                    slightly less desirable option is to disable autocomplete 
+                    attribute for a specific <INPUT> HTML tag itself. While this 
+                    may be the less desired solution from a security 
+                    perspective, it may be preferred method for usability 
+                    reasons depending on size of the form. An example of 
+                    disabling the autocomplete attribute within a password 
+                    input tag is '<INPUT type=password autocomplete=off>'. Note, 
+                    in these examples other <FORM> or <INPUT> attributes may be 
+                    required.},
             },
             max_issues: 25
         }

data/modules/recon/grep/private_ip.rb

@@ -14,14 +14,12 @@
     limitations under the License.
 =end
 
-#
 # Private IP address recon module.
 #
 # Scans for private IP addresses.
 #
 # @author   Tasos Laskos <tasos.laskos@gmail.com>
-# @version  0.2.1
-#
+# @version  0.2.2
 class Arachni::Modules::PrivateIP < Arachni::Module::Base
 
     def self.regexp
@@ -37,18 +35,34 @@ class Arachni::Modules::PrivateIP < Arachni::Module::Base
             name:        'Private IP address finder',
             description: %q{Scans pages for private IP addresses.},
             author:      'Tasos Laskos <tasos.laskos@gmail.com>',
-            version:     '0.2.1',
+            version:     '0.2.2',
             targets:     %w(Generic),
             elements:    [ Element::BODY, Element::HEADER ],
             references: {
-                'WebAppSec' => 'http://projects.webappsec.org/w/page/13246936/Information%20Leakage'
+                'WASC' => 'http://projects.webappsec.org/w/page/13246936/Information%20Leakage'
             },
             issue:       {
                 name:            %q{Private IP address disclosure},
-                description:     %q{A private IP address is disclosed in the body of the HTML page},
+                description:     %q{Private, or non-routable, IP addresses
+                    are generally used within a home or company network, and are 
+                    typically unknown to anyone outside of that network. 
+                    Cyber-criminals will attempt to identify the private IP 
+                    address range being used by their victim to aid in any 
+                    further information collection that could then lead to 
+                    possible compromise. Arachni discovered that the affected 
+                    page returned a RFC 1918 compliant private IP address, and 
+                    therefore could be revealing sensitive information. This
+                    finding typically requires manual verification to ensure the 
+                    context of this finding is correct. As any private IP 
+                    address within the HTML body will trigger this finding},
                 cwe:             '200',
                 severity:        Severity::LOW,
-                remedy_guidance: %q{Remove private IP addresses from the body of the HTML pages.},
+                remedy_guidance: %q{Identifying the context in which the 
+                    identified page displays a Private IP address is required.
+                    If the page is publicly accessible, and displaying the
+                    Private IP of the affected server (or supporting infrastructure),
+                    then measures should be put in place to ensure that the IP is
+                    removed from any response.},
             }
         }
     end

data/modules/recon/grep/ssn.rb

@@ -14,10 +14,8 @@
     limitations under the License.
 =end
 
-#
 # @author   Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>, haliphax
-# @version  0.1.2
-#
+# @version  0.1.3
 class Arachni::Modules::SSN < Arachni::Module::Base
 
     def self.regexp
@@ -37,17 +35,30 @@ class Arachni::Modules::SSN < Arachni::Module::Base
                 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>', # original
                 'haliphax' # tweaked regexp
             ],
-            version:     '0.1.2',
+            version:     '0.1.3',
             targets:     %w(Generic),
             references: {
                 'ssa.gov' => 'http://www.ssa.gov/pubs/10064.html'
             },
             issue:       {
                 name:            %q{Disclosed US Social Security Number (SSN)},
-                description:     %q{A US Social Security Number is being disclosed.},
+                description:     %q{The US Social Security Number (SSN) is a 
+                    personally identifiable number that is issued to its 
+                    citizens. A stolen or leaked SSN can lead to a compromise, 
+                    and/or the theft of the affected individual's identity. 
+                    Through the use of regular expressions, Arachni has discovered
+                    a SSN located within the response of the affected page.},
                 cwe:             '200',
                 severity:        Severity::HIGH,
-                remedy_guidance: %q{Remove all SSN occurrences from the page.},
+                remedy_guidance: %q{Initially, the SSN within the response 
+                    should be checked to ensure its validity, as it is possible 
+                    that the regular expression has matched a similar number
+                    with no relation to a real SSN. If the response does contain 
+                    a valid SSN, then all efforts should be taken to remove or
+                    further protect this information. This can be achieved by 
+                    removing the SSN all together or by masking the number so
+                    that only the last few digits are present within the 
+                    response. eg. **********123.},
             }
         }
     end