arachni 0.4.6 → 0.4.7

data/modules/recon/grep/unencrypted_password_forms.rb

@@ -14,17 +14,13 @@
     limitations under the License.
 =end
 
-#
 # Unencrypted password form
 #
 # Looks for password inputs that don't submit data over an encrypted channel (HTTPS).
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
-#
-# @version 0.1.6
-#
+# @version 0.1.7
 # @see http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection
-#
 class Arachni::Modules::UnencryptedPasswordForms < Arachni::Module::Base
 
     def determine_name( input )
@@ -64,18 +60,41 @@ class Arachni::Modules::UnencryptedPasswordForms < Arachni::Module::Base
                 over an encrypted channel (HTTPS).},
             elements:    [ Element::FORM ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> ',
-            version:     '0.1.6',
+            version:     '0.1.7',
             references:  {
-                'OWASP Top 10 2010' => 'http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection'
+                'OWASP Top 10 2010' => 'http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection',
+                'OWASP' => 'www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet',
+                'WASC' => 'http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection'
             },
             targets:     %w(Generic),
             issue:       {
                 name:            %q{Unencrypted password form},
-                description:     %q{Transmission of password does not use an encrypted channel.},
+                description:     %q{The HTTP protocol by itself is clear text, 
+                    meaning that any data that is transmitted via HTTP can be 
+                    captured and the contents viewed. To keep data private, and 
+                    prevent it from being intercepted, HTTP is often tunnelled
+                    through either Secure Sockets Layer (SSL), or Transport 
+                    Layer Security (TLS). When either of these encryption 
+                    standards are used it is referred to as HTTPS. Cyber-
+                    criminals will often attempt to compromise credentials 
+                    passed from the client to the server using HTTP. This can be 
+                    conducted via various different Man-in-The-Middle (MiTM)
+                    attacks or through network packet captures. Arachni 
+                    discovered that the affected page contains a 'password' 
+                    input, however the value of the field is not sent to the 
+                    server utilising HTTPS. Therefore it is possible that any
+                    submitted credential may become compromised.},
                 tags:            %w(unencrypted password form),
                 cwe:             '319',
                 severity:        Severity::MEDIUM,
-                remedy_guidance: %q{Forms with sensitive content, like passwords, must be sent over HTTPS.}
+                remedy_guidance: %q{The affected site should be secured 
+                    utilising the latest and most secure encryption protocols. 
+                    These include SSL version 3.0 and TLS version 1.2. While 
+                    TLS 1.2 is the latest and the most preferred protocol, not 
+                    all browsers will support this encryption method. Therefor 
+                    the more common SSL is included. Older protocols such as SSL 
+                    version 2, and weak ciphers (< 128 bit) should also be 
+                    disabled.}
             }
 
         }

data/modules/recon/htaccess_limit.rb

@@ -14,11 +14,8 @@
     limitations under the License.
 =end
 
-#
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
-#
-# @version 0.1.5
-#
+# @version 0.1.6
 class Arachni::Modules::Htaccess < Arachni::Module::Base
 
     def run
@@ -42,18 +39,36 @@ class Arachni::Modules::Htaccess < Arachni::Module::Base
                 GET requests but allows POST.},
             elements:    [ Element::SERVER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.5',
+            version:     '0.1.6',
             targets:     %w(Generic),
             references: {
                 'Apache.org' => 'http://httpd.apache.org/docs/2.2/mod/core.html#limit'
             },
             issue:       {
                 name:        %q{Misconfiguration in LIMIT directive of .htaccess file},
-                description: %q{The .htaccess file blocks GET requests but allows POST.},
+                description: %q{There are a number of HTTP methods that can be 
+                    used on a webserver, for example OPTIONS, HEAD, GET, POST, 
+                    PUT, DELETE etc.  Each of these methods perform a different 
+                    function, and each has an associated level of risk when
+                    their use is permitted on the webserver. The '<Limit>'
+                    directive within Apache's '.htaccess' file allows
+                    administrators to define which of the methods they would 
+                    like to block. However, as this is a blacklisting approach, it
+                    is inevitable that a server administrator may accidentally
+                    miss adding certain HTTP methods to be blocked, therefore
+                    increasing the level of risk to the application and/or 
+                    server.},
                 tags:        %w(htaccess server limit),
                 severity:    Severity::HIGH,
-                remedy_guidance:  %q{Do not use the LIMIT tag.
-                    If you are in a situation where you want to allow specific request methods, you should use LimitExcept instead.}
+                remedy_guidance:  %q{The preferred configuration is to prevent
+                    the use of unauthorised HTTP methods by utilising the
+                    <LimitExcept> directive. This directive uses a whitelisting 
+                    approach to permit HTTP methods while blocking all others 
+                    not listed in the directive, and will therefor block any 
+                    method tampering attempts. Most commonly, the only HTTP 
+                    methods required for most scenarios are GET and POST. An
+                    example of permitting these HTTP methods is: 
+                    '<LimitExcept POST GET> require valid-user </LimitExcept>'}
             }
         }
     end

data/modules/recon/http_put.rb

@@ -14,13 +14,10 @@
     limitations under the License.
 =end
 
-#
 # HTTP PUT recon module.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
-#
-# @version 0.1.5
-#
+# @version 0.1.6
 class Arachni::Modules::HTTP_PUT < Arachni::Module::Base
 
     def self.substring
@@ -54,18 +51,43 @@ class Arachni::Modules::HTTP_PUT < Arachni::Module::Base
             description: %q{Checks if uploading files is possible using the HTTP PUT method.},
             elements:    [ Element::SERVER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.4',
+            version:     '0.1.6',
             targets:     %w(Generic),
             references: {
                 'W3' => 'http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html'
             },
             issue:       {
                 name:            %q{Publicly writable directory},
-                description:     %q{3rd parties can upload files to the web-server.},
+                description:     %q{There are various methods in which a file (or
+                    files) may be uploaded to a webserver. One method that can be
+                    used is the HTTP PUT method. The PUT method is mainly used 
+                    during development of applications and allows developers to
+                    upload (or put) files on the server within the web root. By 
+                    nature of the design, the PUT method typically does not 
+                    provide any filtering and therefore allows sever side
+                    executable code (PHP, ASP, etc) to be uploaded to the 
+                    server. Cyber-criminals will search for servers supporting 
+                    the PUT method with the intention of modifying existing 
+                    pages, or uploading web shells to take control of the 
+                    server. Arachni has discovered that the affected path allows 
+                    clients to use the PUT method. During this test, Arachni has 
+                    PUT a file on the server within the web root and
+                    successfully performed a GET request to its location and 
+                    matched the contents.},
                 tags:            %w(http methods put server),
                 cwe:             '650',
                 severity:        Severity::HIGH,
-                remedy_guidance: %q{Disable the PUT method on the Web Server and/or disable write permissions to the web server directory.}
+                remedy_guidance: %q{Where possible the HTTP PUT method should be 
+                    globally disabled. This can typically be done with a simple 
+                    configuration change on the server. The steps to disable the 
+                    PUT method will differ depending on the type of server being 
+                    used (IIS, Apache, etc.). For cases where the PUT method is 
+                    required to meet application functionality, such as REST 
+                    style web services, strict limitations should be
+                    implemented to ensure that only secure (SSL/TLS enabled), 
+                    and authorised clients are permitted to use the PUT method. 
+                    Additionally, the server's file system permissions should
+                    also enforce strict limitations.}
             }
         }
     end

data/modules/recon/interesting_responses.rb

@@ -14,13 +14,9 @@
     limitations under the License.
 =end
 
-require 'digest/md5'
-
-#
 # Logs all non 200 (OK) and non 404 server responses.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
-#
 class Arachni::Modules::InterestingResponses < Arachni::Module::Base
 
     IGNORE_CODES = [ 200, 404 ].to_set
@@ -48,13 +44,12 @@ class Arachni::Modules::InterestingResponses < Arachni::Module::Base
         return if IGNORE_CODES.include?( res.code ) || res.body.to_s.empty? ||
             issue_limit_reached?
 
-        digest = Digest::MD5.hexdigest( res.body )
-        path   = uri_parse( res.effective_url ).path
+        path = uri_parse( res.effective_url ).path
 
-        return if audited?( path ) || audited?( digest )
+        return if audited?( path ) || audited?( res.body )
 
         audited( path )
-        audited( digest )
+        audited( res.body )
 
         log( { id: "Code: #{res.code}", element: Element::SERVER }, res )
         print_ok "Found an interesting response -- Code: #{res.code}."
@@ -66,14 +61,17 @@ class Arachni::Modules::InterestingResponses < Arachni::Module::Base
             description: %q{Logs all non 200 (OK) server responses.},
             elements:    [ Element::SERVER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.4',
+            version:     '0.1.5',
             targets:     %w(Generic),
             references:  {
                 'w3.org' => 'http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html'
             },
             issue:       {
                 name:        %q{Interesting response},
-                description: %q{The server responded with a non 200 (OK) code. },
+                description: %q{The server responded with a non 200 (OK) nor 404
+                (Not Found) status code. This is a non-issue, however exotic HTTP
+                response status codes can provide useful insights into the behavior
+                of the web application and assist with the penetration test.},
                 tags:        %w(interesting response server),
                 severity:    Severity::INFORMATIONAL
             },

data/modules/recon/localstart_asp.rb

@@ -18,7 +18,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.1
+# @version 0.1.2
 class Arachni::Modules::LocalstartASP < Arachni::Module::Base
 
     def run
@@ -52,14 +52,44 @@ class Arachni::Modules::LocalstartASP < Arachni::Module::Base
             description: %q{Checks for localstart.asp.},
             elements:    [ Element::SERVER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.1',
+            version:     '0.1.2',
             targets:     %w(Generic),
             issue:       {
                 name:            %q{Exposed localstart.asp page},
-                description:     %q{The default management ISS page localstart.asp
-                    is still on the server.},
+                description:     %q{To restrict access to specific pages on a 
+                    webserver, developers can implement various methods of 
+                    authentication, therefore only allowing access to clients
+                    with valid credentials. There are several forms of
+                    authentication that can be used. The simplest forms of 
+                    authentication are known as 'Basic' and 'Basic Realm'. 
+                    These methods of authentication have several known 
+                    weaknesses such as being susceptible to brute force attacks. 
+                    Additionally, when utilising the NTLM mechanism in a windows
+                    environment, several disclosures of information exist, and 
+                    any brute force attack occurs against the server's local 
+                    users, or domain users if the web server is a domain
+                    member. Cyber-criminals will attempt to locate protected 
+                    pages to gain access to them and also perform brute force
+                    attacks to discover valid credentials. Arachni discovered
+                    the following page requires NTLM based basic authentication
+                    in order to be accessed.},
                 tags:            %w(asp iis server),
-                severity:        Severity::LOW
+                severity:        Severity::LOW,
+                remedy_guidance: %q{If the pages being protected are not 
+                    required for the functionality of the web application they 
+                    should be removed, otherwise, it is recommended that basic
+                    and basic realm authentication are not used to protect 
+                    against pages requiring authentication. If NTLM based basic 
+                    authentication must be used, then default server and domain 
+                    accounts such as 'administrator' and 'root' should be disabled,
+                    as these will undoubtedly be the first accounts to be 
+                    targeted in any such attack. Additionally, the webserver
+                    should not be joined to any corporate domain where usernames 
+                    are readily available (such as from email addresses). If the 
+                    pages are required, and it is possible to remove the basic 
+                    authentication, then a stronger and more resilient form-based
+                    authentication mechanism should be implemented to protect the
+                    affected pages.}
             }
         }
     end

data/modules/recon/webdav.rb

@@ -14,7 +14,6 @@
     limitations under the License.
 =end
 
-#
 # WebDAV detection recon module.
 #
 # It doesn't check for a functional DAV implementation but uses the
@@ -22,11 +21,10 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.4
+# @version 0.1.5
 #
 # @see http://en.wikipedia.org/wiki/WebDAV
 # @see http://www.webdav.org/specs/rfc4918.html
-#
 class Arachni::Modules::WebDav < Arachni::Module::Base
 
     def self.dav_method
@@ -55,7 +53,7 @@ class Arachni::Modules::WebDav < Arachni::Module::Base
             description: %q{Checks for WebDAV enabled directories.},
             elements:    [ Element::SERVER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.4',
+            version:     '0.1.5',
             references:  {
                 'WebDAV.org' => 'http://www.webdav.org/specs/rfc4918.html',
                 'Wikipedia'  => 'http://en.wikipedia.org/wiki/WebDAV',
@@ -63,11 +61,29 @@ class Arachni::Modules::WebDav < Arachni::Module::Base
             targets:     %w(Generic),
             issue:       {
                 name:            %q{WebDAV},
-                description:     %q{WebDAV is enabled on the server.
-    Consider auditing further using a specialised tool.},
+                description:     %q{Web Distributed Authoring and Versioning 
+                    (WebDAV) is a facility that enables basic file management 
+                    (reading and writing) to a web server. It essentially allows 
+                    the webserver to be mounted by the client as a traditional 
+                    file system allowing users a very simplistic means to access 
+                    it as they would any other medium or network share. If 
+                    discovered, attackers will attempt to harvest information 
+                    from the WebDAV enabled directories, or even upload 
+                    malicious files that could then be used to compromise the 
+                    server. Arachni discovered tha the affected page allows WebDAV
+                    access. This was discovered as the server allowed several 
+                    specific methods that are specific to WebDAV (PROPFIND, 
+                    PROPPATCH, etc.) however further testing should be conducted 
+                    on the WebDAV component specifically as Arachni does support 
+                    this feature.},
                 tags:            %w(webdav options methods server),
                 severity:        Severity::INFORMATIONAL,
-                remedy_guidance: %q{Disable WebDAV if not required. If it is required, perform an audit using specialized tools.}
+                remedy_guidance: %q{Identification of the requirement to run a 
+                    WebDAV server should be considered. If it is not required 
+                    then it should be disabled. However, if it is required to
+                    meet the application functionality, then it should be 
+                    protected by SSL/TLS as well as the implementation of a 
+                    strong authentication mechanism.}
             }
 
         }

data/modules/recon/x_forwarded_for_access_restriction_bypass.rb

@@ -15,7 +15,7 @@
 =end
 
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
-# @version 0.1
+# @version 0.2
 class Arachni::Modules::XForwardedAccessRestrictionBypass < Arachni::Module::Base
 
     def run
@@ -39,15 +39,36 @@ class Arachni::Modules::XForwardedAccessRestrictionBypass < Arachni::Module::Bas
                 from localhost and checks whether the restrictions was bypassed.},
             elements:    [ Element::SERVER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1',
+            version:     '0.2',
             targets:     %w(Generic),
+            references:  {
+                'owasp'  => 'www.owasp.org/index.php/Session_Management_Cheat_Sheet',
+            },
+
             issue:       {
                 name:        %q{Access restriction bypass via X-Forwarded-For},
-                description: %q{Access restrictions can be bypassed by tricking
-                    the web application into thinking that the request originated
-                    from localhost.},
+                description: %q{The X-Forwarded-For header is utilised by 
+                    proxies and/or load balancers to track the originating IP 
+                    address of the client. As the request progresses through a 
+                    proxy, the X-Forwarded-For header is added to the existing 
+                    headers, and the value of the client's IP is then set within
+                    this header. Occasionally, poorly implemented access 
+                    restrictions are based off of the originating IP address 
+                    alone. For example, any public IP address may be forced to
+                    authenticate, while an internal IP address may not. Because
+                    this header can also be set by the client, it allows cyber-
+                    criminals to spoof their IP address and potentially gain 
+                    access to restricted pages. Arachni discovered a resource 
+                    that it did not have permission to access, but been granted
+                    access after spoofing the address of localhost (127.0.0.1),
+                    thus bypassing any requirement to authenticate.},
                 tags:        %w(access restriction server bypass),
-                severity:    Severity::HIGH
+                severity:    Severity::HIGH,
+                remedy_guidance: %q{Remediation actions may be vastly different 
+                    depending on the framework being used, and how the 
+                    application has been coded. However, the X-Forwarded-For 
+                    header should never be used to validate a client's access 
+                    as it is trivial to change.}
             }
         }
     end

data/modules/recon/xst.rb

@@ -21,7 +21,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
 #
-# @version 0.1.5
+# @version 0.1.6
 #
 # @see http://cwe.mitre.org/data/definitions/693.html
 # @see http://capec.mitre.org/data/definitions/107.html
@@ -60,7 +60,7 @@ class Arachni::Modules::XST < Arachni::Module::Base
             description: %q{Sends an HTTP TRACE request and checks if it succeeded.},
             elements:    [ Element::SERVER ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            version:     '0.1.5',
+            version:     '0.1.6',
             references:  {
                 'CAPEC' => 'http://capec.mitre.org/data/definitions/107.html',
                 'OWASP' => 'http://www.owasp.org/index.php/Cross_Site_Tracing'
@@ -68,12 +68,33 @@ class Arachni::Modules::XST < Arachni::Module::Base
             targets:     %w(Generic),
             issue:       {
                 name:            %q{HTTP TRACE},
-                description:     %q{The HTTP TRACE method is enabled.
-    This misconfiguration can become a pivoting point for a Cross-Site Scripting (XSS) attack.},
+                description:     %q{The TRACE HTTP method allows a client so 
+                    send a request to the server, and have the same request then 
+                    send back in the server's response. This allows the client 
+                    to determine if the server is receiving the request as 
+                    expected or if specific parts of the request are not 
+                    arriving as expected. For example incorrect encoding or a 
+                    load balancer has filtered or changed a value. On many 
+                    default installations the TRACE method is still enabled. 
+                    While not vulnerable by itself, it does provide a method for 
+                    cyber-criminals to bypass the HTTPOnly cookie, and therefore 
+                    could allow a XSS attack to successfully access a session 
+                    token. Arachni has discovered that the affected page permits 
+                    the HTTP TRACE method. },
                 tags:            %w(xst methods trace server),
                 cwe:             '693',
                 severity:        Severity::MEDIUM,
-                remedy_guidance: %q{Disable the TRACE method if not required or use input/output validation.}
+                remedy_guidance: %q{The HTTP TRACE method is normally not 
+                    required within production sites, and should therefor be 
+                    disabled. Depending on the function being performed by the 
+                    web application, ie. Serves static content or provides a 
+                    portal where users must authenticate, then the risk level 
+                    can start low and increase as more functionality is 
+                    implemented. The remediation is typically a very simple 
+                    configuration change and in most cases will not have any 
+                    negative impact on the server or application. For framework 
+                    specific remediation see the following page 
+                    'www.owasp.org/index.php/Cross_Site_Tracing'.}
             }
 
         }