arachni 1.0.5 → 1.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 113357f2e377065a79df18200488cc13fe744b6d
-  data.tar.gz: 41739b4e27d567d15f67f9ed86c571c24143c3a0
+  metadata.gz: 9c9fcad54f45425bae6cfe2e13128890fe6bd259
+  data.tar.gz: 5909dde7398a67e4da8f94fdbb11f40e3fc6d9b7
 SHA512:
-  metadata.gz: 0418e763e4b5577d1d6856cbbf3cdc242ba04525e10de155b4b86484e6208acdf78cea104e0ce9e75a44aab73fb8e7d40c10be0459d58811b8f7a83b6b4971e1
-  data.tar.gz: 2ab357a8d52233a026374d1f0bd09ba03d8ebffa9d939d8a97f51bf76c638e95362c1f080b6ed78c54e630d1a13a0c4ddd90dbe61555259dddef762d3a3385e3
+  metadata.gz: 9adfdde00f808552c7f8387f5bf7bb766672fee202b757dc150eb92eb5f33326ab3fb680ada9b1cf024f26c1a9c503006d47238d5359f9eb9c2f42b27538f0bf
+  data.tar.gz: fe7f56f73a56ddc426095e9abd9b54315c0be4ba493fb2a1666521a38cb8a88a4e3992a810ff0b1d936a4d9e4d6a5f23f5c319333241686f8adca5789c891b89

data/CHANGELOG.md

@@ -1,5 +1,55 @@
 # ChangeLog
 
+## 1.0.6 _(December 07, 2014)_
+
+- `arachni_rpcd` -- Fixed bug causing the `--nickname` option to not be understood.
+- `UI::Output` -- Flush output stream after each message.
+- `Platform::Manager`
+    - Removed 'coldfusion`.
+    - Added `sql` and `nosql` parents for DBs.
+- `Check::Auditor#skip?` -- Ignore mutations when checking for redundancies.
+- `Browser` -- Fixed issue causing `select` inputs in forms to not be set.
+- `Element::Cookie.encode` -- Added '&' to the list of reserved characters.
+- `Issue`
+    - `#recheck` -- Rechecks the existence of the issue.
+- `Element::Capabilities`
+    - `WithNode`
+        - `#html=` -- Recode string before storing.
+    - `WithDOM`
+        - `#dom` -- Return `nil` on `Inputtable::Error`.
+    - `Auditable` -- Updated response analysis messages to include vector type,
+        name and action URL.
+- `Framework` -- Split into `Parts`:
+    - `Audit`
+        - If `Options.platforms` are given, checks which don't support them are
+            completely skipped.
+    - `Browser`
+    - `Check`
+    - `Data`
+        - `#pop_page_from_url_queue` -- Fixed issue causing multiple-choice
+            redirections to cause an error.
+    - `Platform`
+    - `Plugin`
+    - `Report`
+    - `Scope`
+    - `State`
+- `State::Framework`
+    - Added `#done?`
+    - `#abort` -- Fixed exception message.
+- Checks
+    - Active
+        - `sql_injection` -- Slight payload update to catch double-quote cases.
+        - `code_injection` -- Slight PHP payload update, to ensure it works in more cases.
+        - `code_injection_timing` -- Updated payloads to mirror `code_injection`.
+        - `os_command_injection` -- Updated payloads to handle chained commands.
+        - `os_command_injection_timing` -- Updated payloads to handle chained commands.
+        - `path_traversal` -- Fixed MS Windows output pattern.
+        - `sql_injection_differential` -- Set platform to generic `sql`.
+        - `no_sql_injection_differential` -- Set platform to generic  `nosql`.
+        - `unvalidated_redirect` -- Disable `follow_location`.
+    - Passive
+        - `common_files` -- Added `.svn/all-wcprops`.
+
 ## 1.0.5 _(November 14, 2014)_
 
 - Executables

data/README.md

@@ -1,9 +1,17 @@
+**NOTICE**:
+
+* Arachni's license has changed, please see the _LICENSE_ file before working
+    with the project.
+* v1.0 is not backwards compatible with v0.4.
+
+<hr/>
+
 # Arachni - Web Application Security Scanner Framework
 
 <table>
     <tr>
         <th>Version</th>
-        <td>1.0.5</td>
+        <td>1.0.6</td>
     </tr>
     <tr>
         <th>Homepage</th>
@@ -348,7 +356,6 @@ Active checks engage the web application via its inputs.
 
 - SQL injection (`sql_injection`) -- Error based detection.
     - Oracle
-    - ColdFusion
     - InterBase
     - PostgreSQL
     - MySQL

data/components/checks/active/code_injection.rb

@@ -12,7 +12,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
 #
-# @version 0.2
+# @version 0.2.1
 #
 # @see http://cwe.mitre.org/data/definitions/94.html
 # @see http://php.net/manual/en/function.eval.php
@@ -23,11 +23,11 @@
 class Arachni::Checks::CodeInjection < Arachni::Check::Base
 
     def self.rand1
-        @rand1 ||= '287630581954'
+        @rand1 ||= '28763'
     end
 
     def self.rand2
-        @rand2 ||= '4196403186331128'
+        @rand2 ||= '4196403'
     end
 
     def self.options
@@ -41,7 +41,7 @@ class Arachni::Checks::CodeInjection < Arachni::Check::Base
     def self.code_strings
         # code strings to be injected to the webapp
         @code_strings ||= {
-            php:    "echo #{rand1}+#{rand2};",
+            php:    "print #{rand1}+#{rand2};",
             perl:   "print #{rand1}+#{rand2};",
             python: "print #{rand1}+#{rand2}",
             asp:    "Response.Write\x28#{rand1}+#{rand2}\x29"
@@ -72,7 +72,7 @@ Injects code snippets and assess whether or not execution was successful.
             elements:    [ Element::Form, Element::Link, Element::Cookie,
                            Element::Header, Element::LinkTemplate ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.2',
+            version:     '0.2.1',
             platforms:   payloads.keys,
 
             issue:       {

data/components/checks/active/code_injection_timing.rb

@@ -14,7 +14,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
 #
-# @version 0.3
+# @version 0.3.1
 #
 # @see http://cwe.mitre.org/data/definitions/94.html
 # @see http://php.net/manual/en/function.eval.php
@@ -35,7 +35,7 @@ class Arachni::Checks::CodeInjectionTiming < Arachni::Check::Base
             jsp:    'Thread.sleep(__TIME__);',
             asp:    'Thread.Sleep(__TIME__);',
         }.inject({}) do |h, (platform, payload)|
-            h[platform] = [ ' ', ' && ', ';' ].map { |sep| "#{sep} #{payload}" }
+            h[platform] = [ ' %s', ';%s', "\";%s#", "';%s#" ].map { |s| s % payload }
             h
         end
     end
@@ -54,7 +54,7 @@ a time delay.
             elements:    [ Element::Form, Element::Link, Element::Cookie,
                            Element::Header, Element::LinkTemplate ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.3',
+            version:     '0.3.1',
             platforms:   payloads.keys,
 
             issue:       {

data/components/checks/active/no_sql_injection_differential.rb

@@ -7,7 +7,7 @@
 =end
 
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.1
+# @version 0.1.1
 class Arachni::Checks::NoSqlInjectionDifferential < Arachni::Check::Base
 
     def self.options
@@ -40,7 +40,8 @@ that of a vulnerable application.
 },
             elements:    [ Element::Link, Element::Form, Element::Cookie ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.1',
+            version:     '0.1.1',
+            platforms:   [ :nosql ],
 
             issue:       {
                 name:            %q{Blind NoSQL Injection (differential analysis)},

data/components/checks/active/os_cmd_injection.rb

@@ -10,7 +10,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
 #
-# @version 0.2.1
+# @version 0.2.2
 #
 # @see http://cwe.mitre.org/data/definitions/78.html
 # @see http://www.owasp.org/index.php/OS_Command_Injection
@@ -23,8 +23,8 @@ class Arachni::Checks::OsCmdInjection < Arachni::Check::Base
                     /(root|mail):.+:\d+:\d+:.+:[0-9a-zA-Z\/]+/im
                 ],
                 windows: [
-                    /\[boot loader\](.*)\[operating systems\]/im,
-                    /\[fonts\](.*)\[extensions\]/im
+                    /\[boot loader\].*\[operating systems\]/im,
+                    /\[fonts\].*\[extensions\]/im
                 ]
             },
             format: [ Format::STRAIGHT, Format::APPEND ]
@@ -49,7 +49,13 @@ class Arachni::Checks::OsCmdInjection < Arachni::Check::Base
         }.inject({}) do |h, (platform, payloads)|
             h[platform] ||= []
             payloads.each do |payload|
-                h[platform] |= [ '', '&&', '|', ';' ].map { |sep| "#{sep} #{payload}" }
+                h[platform] << "#{payload}"
+
+                ['', '\'', '"'].each do |q|
+                    h[platform] |= [ '&&', '|', ';' ].
+                        map { |sep| "#{q} #{sep} #{payload} #{sep} #{q}" }
+                end
+
                 h[platform] << "` #{payload}`"
             end
             h
@@ -69,7 +75,7 @@ Tries to find Operating System command injections.
             elements:    [ Element::Form, Element::Link, Element::Cookie,
                            Element::Header, Element::LinkTemplate ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
-            version:     '0.2.1',
+            version:     '0.2.2',
             platforms:   payloads.keys,
 
             issue:       {

data/components/checks/active/os_cmd_injection_timing.rb

@@ -10,7 +10,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
 #
-# @version 0.3
+# @version 0.3.1
 #
 # @see http://cwe.mitre.org/data/definitions/78.html
 # @see http://www.owasp.org/index.php/OS_Command_Injection
@@ -23,8 +23,15 @@ class Arachni::Checks::OsCmdInjectionTiming < Arachni::Check::Base
             unix:    'sleep __TIME__',
             windows: 'ping -n __TIME__ localhost'
         }.inject({}) do |h, (platform, payload)|
-            h[platform] = [ '', '&', '&&', '|', ';' ].map { |sep| "#{sep} #{payload}" }
-            h[platform] << "`#{payload}`"
+            h[platform] ||= []
+            h[platform] << "#{payload}"
+
+            ['', '\'', '"'].each do |q|
+                h[platform] |= [ '&', '&&', '|', ';' ].
+                    map { |sep| "#{q} #{sep} #{payload} #{sep} #{q}" }
+            end
+
+            h[platform] << "` #{payload}`"
             h
         end
     end
@@ -46,7 +53,7 @@ Tries to find operating system command injections using timing attacks.
             elements:    [ Element::Form, Element::Link, Element::Cookie,
                            Element::Header, Element::LinkTemplate ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
-            version:     '0.3',
+            version:     '0.3.1',
             platforms:   payloads.keys,
 
             issue:       {

data/components/checks/active/path_traversal.rb

@@ -28,8 +28,8 @@ class Arachni::Checks::PathTraversal < Arachni::Check::Base
                     /(root|mail):.+:\d+:\d+:.+:[0-9a-zA-Z\/]+/im
                 ],
                 windows: [
-                    /\[boot loader\](.*)\[operating systems\]/im,
-                    /\[fonts\](.*)\[extensions\]/im
+                    /\[boot loader\].*\[operating systems\]/im,
+                    /\[fonts\].*\[extensions\]/im
                 ],
                 tomcat: [
                     /<web\-app/im

data/components/checks/active/sql_injection.rb

@@ -40,7 +40,7 @@ class Arachni::Checks::SqlInjection < Arachni::Check::Base
     # Prepares the payloads that will hopefully cause the webapp to output SQL
     # error messages if included as part of an SQL query.
     def self.payloads
-        @payloads ||= [ '\'`--', ')' ]
+        @payloads ||= [ '"\'`--', ')' ]
     end
 
     def self.options

data/components/checks/active/sql_injection/patterns/mssql

@@ -1,5 +1,6 @@
 System\.Data\.OleDb\.OleDbException
 \[Microsoft\]\[ODBC SQL Server Driver\]
+\[Macromedia\]\[SQLServer JDBC Driver\]
 \[SqlException
 System\.Data\.SqlClient\.SqlException
 Unclosed quotation mark after the character string

data/components/checks/active/sql_injection_differential.rb

@@ -14,7 +14,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
 #
-# @version 0.4.2
+# @version 0.4.3
 #
 # @see http://cwe.mitre.org/data/definitions/89.html
 # @see http://capec.mitre.org/data/definitions/7.html
@@ -59,7 +59,8 @@ that of a vulnerable application.
 },
             elements:    [ Element::Link, Element::Form, Element::Cookie ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.4.2',
+            version:     '0.4.3',
+            platforms:   [ :sql ],
 
             issue:       {
                 name:            %q{Blind SQL Injection (differential analysis)},

data/components/checks/active/unvalidated_redirect.rb

@@ -12,7 +12,7 @@
 # header field to determine whether the attack was successful.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.2
+# @version 0.2.1
 # @see http://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
 class Arachni::Checks::UnvalidatedRedirect < Arachni::Check::Base
 
@@ -32,7 +32,7 @@ class Arachni::Checks::UnvalidatedRedirect < Arachni::Check::Base
     end
 
     def run
-        audit( self.class.payloads ) do |response, element|
+        audit( self.class.payloads, submit: { follow_location: false } ) do |response, element|
             # If this was a sample/default value submission ignore it, we only
             # care about our payloads.
             next if !payload? element.seed
@@ -67,7 +67,7 @@ URL to determine whether the attack was successful.
 },
             elements:    [Element::Form, Element::Link, Element::Cookie, Element::Header],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.2',
+            version:     '0.2.1',
 
             issue:       {
                 name:            %q{Unvalidated redirect},

data/components/checks/passive/common_directories/directories.txt

@@ -508,3 +508,5 @@ YT
 ZA
 ZM
 ZW
+intern
+extern

data/components/checks/passive/common_files/filenames.txt

@@ -6,6 +6,7 @@ CVS/Repository
 CVS/Root
 CVS/Entries
 .svn/wc.db
+.svn/all-wcprops
 .git/HEAD
 _mmServerScripts/MMHTTPDB.php
 _mmServerScripts/MMHTTPDB.asp

data/lib/arachni/browser.rb

@@ -896,7 +896,7 @@ class Browser
 
             begin
                 input.set( value.to_s )
-                # Disabled inputs and such...
+            # Disabled inputs and such...
             rescue Watir::Exception::ObjectDisabledException,
                 Watir::Exception::ObjectReadOnlyException,
                 Selenium::WebDriver::Error::InvalidElementStateError => e
@@ -904,6 +904,22 @@ class Browser
                                         " because: #{e} [#{e.class}"
             end
         end
+
+        form.selects.each do |input|
+            name_or_id = name_or_id_for( input )
+            value      = inputs ? inputs[name_or_id] : value_for( input )
+
+            begin
+                input.select_value( value.to_s )
+            # Disabled inputs and such...
+            rescue Watir::Exception::ObjectDisabledException,
+                Watir::Exception::ObjectReadOnlyException,
+                Watir::Exception::NoValueFoundException,
+                Selenium::WebDriver::Error::InvalidElementStateError => e
+                print_debug_level_2 "Could not fill in form select '#{name_or_id}'" <<
+                                        " because: #{e} [#{e.class}"
+            end
+        end
     end
 
     def skip_state?( state )

data/lib/arachni/check/auditor.rb

@@ -380,8 +380,11 @@ module Auditor
     #
     # @see  Page#audit?
     def skip?( element )
-        return true if audited?( element.coverage_id ) ||
-            !page.audit_element?( element )
+        # This method also gets called from Auditable#audit to check mutations,
+        # don't touch these, we're filtering at a higher level here, otherwise
+        # we might mess up the audit.
+        return true if !element.mutation? && audited?( element.coverage_id )
+        return true if !page.audit_element?( element )
 
         # Don't audit elements which have been already logged as vulnerable
         # either by us or preferred checks.

data/lib/arachni/check/base.rb

@@ -138,27 +138,47 @@ class Base < Component::Base
         # @return   [Bool]
         #   `true` if the check can benefit from knowing the platform beforehand,
         #   `false` otherwise.
+        #
         # @see .platforms
         def has_platforms?
             platforms.any?
         end
 
-        # @return   [Array<Symbol>] Targeted platforms.
+        # @return   [Array<Symbol>]
+        #   Targeted platforms.
+        #
         # @see .info
         def platforms
-            [info[:platforms]].flatten.compact
+            @platforms ||= [info[:platforms]].flatten.compact
+        end
+
+        # @param    [Array<Symbol, String>]     platforms
+        #   List of platforms to check for support.
+        #
+        # @return   [Boolean]
+        #   `true` if any of the given platforms are supported, `false` otherwise.
+        def supports_platforms?( platforms )
+            return true if platforms.empty? || !has_platforms?
+
+            # Determine if we've got anything for the given platforms, the same
+            # way payloads are picked.
+            foo_data = self.platforms.inject({}) { |h, platform| h.merge!( platform => true ) }
+            Platform::Manager.new( platforms ).pick( foo_data ).any?
         end
 
-        # @return   [Array<Symbol>] Targeted element types.
+        # @return   [Array<Symbol>]
+        #   Targeted element types.
+        #
         # @see .info
         def elements
-            [info[:elements]].flatten.compact
+            @elements ||= [info[:elements]].flatten.compact
         end
 
         # Schedules self to be run *after* the specified checks and prevents
         # auditing elements that have been previously logged by any of these checks.
         #
-        # @return   [Array] Check names.
+        # @return   [Array]
+        #   Check names.
         def prefer( *args )
             @preferred = args.flatten.compact
         end
@@ -170,6 +190,11 @@ class Base < Component::Base
         def preferred
             @preferred ||= []
         end
+
+        # @private
+        def clear_info_cache
+            @elements = @platforms = nil
+        end
     end
 
 end