arachni 1.0.4 → 1.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 99e76bd9a28d81d3b89c8a4544dad6a6ccbe5c54
-  data.tar.gz: 4c204ffb2b1b72f3820cda0b58681a073c9234de
+  metadata.gz: 113357f2e377065a79df18200488cc13fe744b6d
+  data.tar.gz: 41739b4e27d567d15f67f9ed86c571c24143c3a0
 SHA512:
-  metadata.gz: 514fcc4191723fcfd0ef82355f19555ed4d21efab9cb8f6e3fd7a388aff526e8550919dbc16c18137f7310d22c30614ad165a63d0f399de36c8ddecdad9cb6e0
-  data.tar.gz: 1eca14df793d96453809d737ad229f36632eab832e1482801ec6a1a98f78de7f6f2ee30992f694b00056658ad9e23e788496af3c0da18fbdc6d953f738859d4d
+  metadata.gz: 0418e763e4b5577d1d6856cbbf3cdc242ba04525e10de155b4b86484e6208acdf78cea104e0ce9e75a44aab73fb8e7d40c10be0459d58811b8f7a83b6b4971e1
+  data.tar.gz: 2ab357a8d52233a026374d1f0bd09ba03d8ebffa9d939d8a97f51bf76c638e95362c1f080b6ed78c54e630d1a13a0c4ddd90dbe61555259dddef762d3a3385e3

data/CHANGELOG.md

@@ -1,5 +1,47 @@
 # ChangeLog
 
+## 1.0.5 _(November 14, 2014)_
+
+- Executables
+    - `arachni_console` -- Require the UI::Output interface after Arachni.
+- Error log
+    - Redacted HTTP authentication credentials.
+- `Session`
+    - Added `#record_login_sequence`, allowing for arbitrary login sequences to
+        be stored and replayed.
+- `URI`
+   - `#domain` -- Fixed `nil` error on missing host.
+   - `.query_parameters` -- Recode query string before parsing to fix encoding errors.
+- `UI::Output`
+    - `#log_error` -- Store errors in memory, as well as in logfile.
+- `RPC::Server::Framework::MultiInstance`
+    - `#errors` -- Return errors from memory buffer instead of logfile, to
+        prevent "Too many open file" exceptions.
+- ` Framework`
+    - `#audit_page` -- Keep track of checked elements at the `Framework` level
+        too and remove them from pages.
+- `Browser`
+    - Fixed `nil` error on failed process spawn.
+    - `Javascript` -- Updated to preload and cache script sources to avoid
+        hitting the disk in order to prevent "Too many open file" exceptions.
+        - `#run_without_elements` -- Runs a script but unwraps `Watir` elements.
+        - `Proxy` -- Updated to use `#run_without_elements`.
+- `BrowserCluster::Worker`
+    - Print error message on failure to respawn.
+- `Check::Auditor` -- Updated audit helpers to mark elements as audited at the
+    check component level, to avoid sending redundant workload to the analysis
+    classes only to be ignored there.
+    - `#skip?` -- Optimized redundant issue checks.
+- Checks
+    - Active
+        - `no_sql_injection` -- Updated payloads to be per platform.
+    - Passive
+        - `common_files` -- Added more filenames. [PR #504]
+- Plugins
+    - Added
+        - `login_script` -- Exposes a Watir WebDriver interface to an external
+            script in order to allow for arbitrary login sequences.
+
 ## 1.0.4 _(October 25, 2014)_
 
 - CLI options

data/README.md

@@ -3,7 +3,7 @@
 <table>
     <tr>
         <th>Version</th>
-        <td>1.0.4</td>
+        <td>1.0.5</td>
     </tr>
     <tr>
         <th>Homepage</th>
@@ -121,7 +121,7 @@ you with its findings.
  - Proxy authentication.
  - Site authentication (Automated form-based, Cookie-Jar, Basic-Digest, NTLMv1 and others).
  - Automatic log-out detection and re-login during the scan (when the initial
-    login was performed via the `autologin` or `proxy` plugins).
+    login was performed via the `autologin`, `login_script` or `proxy` plugins).
  - Custom 404 page detection.
  - UI abstraction:
     - [Command-line Interface](https://github.com/Arachni/arachni/wiki/Executables).
@@ -419,7 +419,10 @@ Active checks engage the web application via its inputs.
 - Path XSS (`xss_path`).
 - XSS in event attributes of HTML elements (`xss_event`).
 - XSS in HTML tags (`xss_tag`).
-- XSS in "script" context (`xss_script_context`).
+- XSS in script context (`xss_script_context`).
+- DOM XSS (`xss_dom`).
+- DOM XSS inputs (`xss_dom_inputs`).
+- DOM XSS script context (`xss_dom_script_context`).
 - Source code disclosure (`source_code_disclosure`)
 
 ##### Passive
@@ -475,7 +478,8 @@ core remains lean and makes it easy for anyone to add arbitrary functionality.
 
 - Passive Proxy  (`proxy`) -- Analyzes requests and responses between the web app and
     the browser assisting in AJAX audits, logging-in and/or restricting the scope of the audit.
-- Form based AutoLogin (`autologin`).
+- Form based login (`autologin`).
+- Script based login (`login_script`).
 - Dictionary attacker for HTTP Auth (`http_dicattack`).
 - Dictionary attacker for form based authentication (`form_dicattack`).
 - Cookie collector (`cookie_collector`) -- Keeps track of cookies while establishing a timeline of changes.

data/bin/arachni_console

@@ -7,8 +7,8 @@
     web site for more information on licensing and terms of use.
 =end
 
-require_relative '../ui/cli/output'
 require_relative '../lib/arachni'
+require_relative '../ui/cli/output'
 require 'irb'
 require 'irb/completion'
 

data/components/checks/active/no_sql_injection.rb

@@ -7,7 +7,7 @@
 =end
 
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.1
+# @version 0.1.1
 class Arachni::Checks::NoSqlInjection < Arachni::Check::Base
 
     def self.error_patterns
@@ -31,7 +31,7 @@ class Arachni::Checks::NoSqlInjection < Arachni::Check::Base
     # Prepares the payloads that will hopefully cause the webapp to output SQL
     # error messages if included as part of an SQL query.
     def self.payloads
-        @payloads ||= [ '\';.")' ]
+        @payloads ||= { mongodb: '\';.")' }
     end
 
     def self.options
@@ -57,8 +57,8 @@ NoSQL injection check, uses known DB errors to identify vulnerabilities.
             elements:    [Element::Link, Element::Form, Element::Cookie,
                           Element::Header, Element::LinkTemplate ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.1',
-            platforms:   options[:regexp].keys,
+            version:     '0.1.1',
+            platforms:   payloads.keys,
 
             issue:       {
                 name:            %q{NoSQL Injection},

data/components/checks/passive/common_directories/directories.txt

@@ -258,6 +258,7 @@ network
 xamp
 xampp
 lamp
+phpmyadmin
 AD
 AE
 AF

data/components/checks/passive/common_files/filenames.txt

@@ -19,6 +19,7 @@ config.php
 php.ini
 error_log
 elmah.axd
+server-status
 WEB-INF (copy)/web.xml
 WEB-INF - Copy/web.xml
 Copy of WEB-INF/web.xml

data/components/plugins/login_script.rb

@@ -0,0 +1,156 @@
+=begin
+    Copyright 2010-2014 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+
+    This file is part of the Arachni Framework project and is subject to
+    redistribution and commercial restrictions. Please see the Arachni Framework
+    web site for more information on licensing and terms of use.
+=end
+
+# Automated login plugin using a custom login script.
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
+class Arachni::Plugins::LoginScript < Arachni::Plugin::Base
+
+    STATUSES  = {
+        success:       'Login was successful.',
+        failure:       'The script was executed successfully, but the login check failed.',
+        error:         'A runtime error was encountered while executing the login script.',
+        missing_check: 'No session check was provided, either via interface options or the script.'
+    }
+
+    def prepare
+        script = IO.read( @options[:script] )
+        @script = proc { |browser| eval script }
+
+        framework_pause
+        print_info 'System paused.'
+    end
+
+    def run
+        session.record_login_sequence do |browser|
+            print_info 'Running the script.'
+            @script.call browser ? browser.watir : nil
+            print_info 'Execution completed.'
+        end
+
+        begin
+            session.login
+        rescue => e
+            set_status :error
+            print_exception e
+            return
+        end
+
+        if !session.logged_in?
+            set_status :failure, :error
+            return
+        end
+
+        cookies = http.cookies.inject({}){ |h, c| h.merge!( c.simple ) }
+
+        set_status :success, :ok, { 'cookies' => cookies }
+
+        print_info 'Cookies set to:'
+        cookies.each do |name, val|
+            print_info "    * #{name.inspect} = #{val.inspect}"
+        end
+
+    rescue Arachni::Session::Error::NoLoginCheck
+        set_status :missing_check, :error
+    rescue => e
+        set_status :error
+        print_exception e
+    end
+
+    def clean_up
+        if @failed
+            print_info 'Aborting the scan.'
+            framework_abort
+            return
+        end
+
+        framework_resume
+    end
+
+    def set_status( status, type = nil, extra = {} )
+        type ||= status
+
+        register_results(
+            {
+                'status'  => status.to_s,
+                'message' => STATUSES[status]
+            }.merge( extra )
+        )
+
+        @failed = true if type == :error
+        send "print_#{type}", STATUSES[status]
+    end
+
+    def self.info
+        {
+            name:        'Login script',
+            description: %q{
+Loads and sets an external script as the system's login sequence, to be executed
+prior to the scan and whenever a log-out is detected.
+
+The script needn't necessarily perform an actual login operation. If another
+process is used to manage sessions, the script can be used to communicate with
+that process and, for example, load and set cookies from a shared cookie-jar.
+
+**With browser (slow):**
+
+If a [browser](http://watirwebdriver.com/) is available, it will be exposed to
+the script via the `browser` variable. Otherwise, that variable will have a
+value of `nil`.
+
+    browser.goto 'http://testfire.net/bank/login.aspx'
+
+    form = browser.form( id: 'login' )
+    form.text_field( name: 'uid' ).set 'jsmith'
+    form.text_field( name: 'passw' ).set 'Demo1234'
+
+    form.submit
+
+    # You can also configure the session check from the script, dynamically,
+    # if you don't want to set static options via the user interface.
+    framework.options.session.check_url     = browser.url
+    framework.options.session.check_pattern = /Sign Off|MY ACCOUNT/
+
+**Without browser (fast):**
+
+If a real browser environment is not required for the login operation, then
+using the system-wide HTTP interface is preferable, as it will be much faster
+and consume much less resources.
+
+    response = http.post( 'http://testfire.net/bank/login.aspx',
+        parameters:     {
+            'uid'   => 'jsmith',
+            'passw' => 'Demo1234'
+        },
+        mode:           :sync,
+        update_cookies: true
+    )
+
+    framework.options.session.check_url     = to_absolute( response.headers.location, response.url )
+    framework.options.session.check_pattern = /Sign Off|MY ACCOUNT/
+
+**From cookie-jar:**
+
+If an external process is used to manage sessions, you can keep Arachni in sync
+by loading cookies from a shared Netscape-style cookie-jar file.
+
+    http.cookie_jar.load 'cookies.txt'
+},
+            author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
+            version:     '0.1',
+            options:     [
+                Options::Path.new( :script,
+                    required:    true,
+                    description: 'Script that includes the login sequence.'
+                ),
+            ],
+            priority:    0 # run before any other plugin
+        }
+    end
+
+end

data/components/reporters/plugin_formatters/html/login_script.rb

@@ -0,0 +1,48 @@
+=begin
+    Copyright 2010-2014 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+
+    This file is part of the Arachni Framework project and is subject to
+    redistribution and commercial restrictions. Please see the Arachni Framework
+    web site for more information on licensing and terms of use.
+=end
+
+class Arachni::Reporters::HTML
+
+# @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
+class PluginFormatters::LoginScript < Arachni::Plugin::Formatter
+    include TemplateUtilities
+
+    def run
+        ERB.new( tpl ).result( binding )
+    end
+
+    def tpl
+        <<-HTML
+        <% if results['status'] == 'success' %>
+                <p class="alert alert-success">
+                    <%= results['message'] %>
+                </p>
+
+                <h3>Cookies set to:</h3>
+
+                <dl class="dl-horizontal">
+                    <% results['cookies'].each do |k, v| %>
+                        <dt>
+                            <code><%= escapeHTML( k ) %></code>
+                        </dt>
+                        <dd>
+                            <code><%= escapeHTML( v ) %></code>
+                        </dd>
+                    <% end %>
+                </dl>
+        <% else %>
+            <p class="alert alert-danger">
+                <%= results['message'] %>
+            </p>
+        <% end %>
+        HTML
+    end
+
+end
+
+end

data/components/reporters/plugin_formatters/stdout/login_script.rb

@@ -0,0 +1,23 @@
+=begin
+    Copyright 2010-2014 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+
+    This file is part of the Arachni Framework project and is subject to
+    redistribution and commercial restrictions. Please see the Arachni Framework
+    web site for more information on licensing and terms of use.
+=end
+
+class Arachni::Reporters::Stdout
+
+# @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
+class PluginFormatters::LoginScript < Arachni::Plugin::Formatter
+
+    def run
+        print_ok results['message']
+
+        return if !results['cookies']
+        print_info 'Cookies set to:'
+        results['cookies'].each_pair { |name, val| print_info "    * #{name} = #{val}" }
+    end
+
+end
+end

data/components/reporters/plugin_formatters/xml/login_script.rb

@@ -0,0 +1,26 @@
+=begin
+    Copyright 2010-2014 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+
+    This file is part of the Arachni Framework project and is subject to
+    redistribution and commercial restrictions. Please see the Arachni Framework
+    web site for more information on licensing and terms of use.
+=end
+
+class Arachni::Reporters::XML
+
+# @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
+class PluginFormatters::LoginScript < Arachni::Plugin::Formatter
+
+    def run( xml )
+        xml.message results['message']
+        xml.status results['status']
+
+        if results['cookies']
+            xml.cookies {
+                results['cookies'].each { |name, value| xml.cookie name: name, value: value }
+            }
+        end
+    end
+
+end
+end

data/components/reporters/xml/schema.xsd

@@ -25,6 +25,7 @@
         <xs:choice minOccurs="0" maxOccurs="9">
             <xs:element name="healthmap" type="plugin_healthmap" maxOccurs="1"/>
             <xs:element name="autologin" type="plugin_autologin" maxOccurs="1"/>
+            <xs:element name="login_script" type="plugin_login_script" maxOccurs="1"/>
             <xs:element name="content_types" type="plugin_content_types" maxOccurs="1"/>
             <xs:element name="cookie_collector" type="plugin_cookie_collector" maxOccurs="1"/>
             <xs:element name="form_dicattack" type="plugin_form_dicattack" maxOccurs="1"/>
@@ -187,6 +188,22 @@
         </xs:all>
     </xs:complexType>
 
+    <xs:complexType name="plugin_login_script">
+        <xs:all>
+            <xs:element name="name" type="xs:string"/>
+            <xs:element name="description" type="xs:string"/>
+            <xs:element name="results" type="plugin_login_script_results"/>
+        </xs:all>
+    </xs:complexType>
+
+    <xs:complexType name="plugin_login_script_results">
+        <xs:all>
+            <xs:element name="status" type="xs:string"/>
+            <xs:element name="message" type="xs:string"/>
+            <xs:element name="cookies" type="cookies" minOccurs="0"/>
+        </xs:all>
+    </xs:complexType>
+
     <xs:complexType name="plugin_healthmap">
         <xs:all>
             <xs:element name="name" type="xs:string"/>

data/lib/arachni/browser.rb

@@ -820,7 +820,7 @@ class Browser
             c[:value]    = Cookie.decode( c[:value].to_s )
             c[:httponly] = !js_cookies.include?( original_name )
 
-            Cookie.new c.merge( url: @last_url )
+            Cookie.new c.merge( url: @last_url || url )
         end
     end
 
@@ -1007,8 +1007,10 @@ class Browser
                 print_debug 'Spawn timed-out.'
             end
 
-            last_attempt_output = IO.read( @process.io.stdout )
-            print_debug last_attempt_output
+            if @process.io.stdout
+                last_attempt_output = IO.read( @process.io.stdout )
+                print_debug last_attempt_output
+            end
 
             if done
                 print_debug 'PhantomJS is ready.'
@@ -1046,12 +1048,13 @@ class Browser
         end
 
         @process     = nil
+        @watir       = nil
         @pid         = nil
         @browser_url = nil
     end
 
     def browser_alive?
-        @process && @process.alive?
+        @watir && @process && @process.alive?
     rescue Errno::ECHILD
         false
     end