Class: Arachni::Browser::Javascript
- Includes:
- UI::Output, Utilities
- Defined in:
- lib/arachni/browser/javascript.rb,
lib/arachni/browser/javascript/proxy.rb,
lib/arachni/browser/javascript/dom_monitor.rb,
lib/arachni/browser/javascript/taint_tracer.rb,
lib/arachni/browser/javascript/taint_tracer/frame.rb,
lib/arachni/browser/javascript/taint_tracer/sink/base.rb,
lib/arachni/browser/javascript/taint_tracer/sink/data_flow.rb,
lib/arachni/browser/javascript/taint_tracer/sink/execution_flow.rb,
lib/arachni/browser/javascript/taint_tracer/frame/called_function.rb
Overview
Provides access to the Arachni::Browser's JavaScript environment and groups the functionality related to our custom JavaScript interfaces (taint tracing and DOM monitoring).
Defined Under Namespace
Classes: DOMMonitor, Proxy, TaintTracer
Constant Summary

```ruby
# Returns URL to use when requesting our custom JS scripts.
SCRIPT_BASE_URL = 'http://javascript.browser.arachni/'

# Returns Filesystem directory containing the JS scripts.
SCRIPT_LIBRARY = "#{File.dirname( __FILE__ )}/javascript/scripts/"

SCRIPT_SOURCES = Dir.glob("#{SCRIPT_LIBRARY}*.js").inject({}) do |h, path|
    h.merge!( path => IO.read(path) )
end

NO_EVENTS_FOR_ELEMENTS = Set.new([
    :base, :bdo, :br, :head, :html, :iframe, :meta, :param, :script,
    :style, :title, :link
])

# Events that apply to all elements.
GLOBAL_EVENTS = [
    :onclick, :ondblclick, :onmousedown, :onmousemove, :onmouseout,
    :onmouseover, :onmouseup
]

# Special events for each element.
EVENTS_PER_ELEMENT = {
    body:     [ :onload ],
    form:     [ :onsubmit, :onreset ],

    # These need to be covered via Watir's API, #send_keys etc.
    input:    [ :onselect, :onchange, :onfocus, :onblur, :onkeydown,
                :onkeypress, :onkeyup, :oninput ],

    # These need to be covered via Watir's API, #send_keys etc.
    textarea: [ :onselect, :onchange, :onfocus, :onblur, :onkeydown,
                :onkeypress, :onkeyup, :oninput ],

    select:   [ :onchange, :onfocus, :onblur ],
    button:   [ :onfocus, :onblur ],
    label:    [ :onfocus, :onblur ]
}
```
Instance Attribute Summary
- #custom_code ⇒ String
  Inject custom JS code right after the initialization of the custom JS interfaces.
- #dom_monitor ⇒ DOMMonitor (readonly)
  Proxy for the `DOMMonitor` JS interface.
- #taint ⇒ String
  Taint to look for and trace in the JS data flow.
- #taint_tracer ⇒ TaintTracer (readonly)
  Proxy for the `TaintTracer` JS interface.
- #token ⇒ String
  Token used to namespace the injected JS code and avoid clashes.
Class Method Summary
- .events ⇒ Object
Instance Method Summary
- #data_flow_sinks ⇒ Array<Sink::DataFlow>
  JS data flow sink data.
- #debug_stub(*args) ⇒ String
  JS code which will call the `TaintTracer.debug` browser-side JS function.
- #debugging_data ⇒ Object
- #dom_digest ⇒ String
  Digest of the current DOM tree (i.e. node names and their attributes, without text nodes).
- #dom_elements_with_events ⇒ Array<Hash>
  Information about all DOM elements, including any registered event listeners.
- #execution_flow_sinks ⇒ Array<Sink::ExecutionFlow>
  JS execution flow sink data.
- #flush_data_flow_sinks ⇒ Array<Sink::DataFlow>
  Returns and clears #data_flow_sinks.
- #flush_execution_flow_sinks ⇒ Array<Sink::ExecutionFlow>
  Returns and clears #execution_flow_sinks.
- #has_js_initializer?(response) ⇒ Bool
  `true` if the response HTTP::Message#body contains the code for the JS environment.
- #initialize(browser) ⇒ Javascript (constructor)
  A new instance of Javascript.
- #inject(response) ⇒ Bool
  `true` if injection was performed, `false` otherwise (in case our code is already present).
- #intervals ⇒ Array<Array>
  Arguments for JS `setInterval` calls.
- #log_data_flow_sink_stub(*args) ⇒ String
  JS code which will call the `TaintTracer.log_data_flow_sink` browser-side JS function.
- #log_execution_flow_sink_stub(*args) ⇒ String
  JS code which will call the `TaintTracer.log_execution_flow_sink` browser-side JS function.
- #ready? ⇒ Bool
  `true` if our custom JS environment has been initialized.
- #run(script) ⇒ Object
  Result of `script`.
- #run_without_elements(script) ⇒ Object
  Executes the given code but unwraps Watir elements.
- #serve(request, response) ⇒ Bool
  `true` if the request corresponded to a JS file and was served, `false` otherwise.
- #set_element_ids ⇒ Object
  Sets a custom ID attribute on elements with events but without a proper ID.
- #supported? ⇒ Bool
  `true` if there is support for our JS environment in the current page, `false` otherwise.
- #timeouts ⇒ Array<Array>
  Arguments for JS `setTimeout` calls.
- #wait_till_ready ⇒ Object
  Blocks until the browser page is ready.
Methods included from Utilities
#available_port, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_document, #cookies_from_file, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_document, #forms_from_response, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_document, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #regexp_array_match, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_path?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite
Methods included from UI::Output
#debug?, #debug_off, #debug_on, #disable_only_positives, #included, #mute, #muted?, #only_positives, #only_positives?, #print_bad, #print_debug, #print_debug_backtrace, #print_debug_level_1, #print_debug_level_2, #print_debug_level_3, #print_error, #print_error_backtrace, #print_exception, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #reroute_to_file, #reroute_to_file?, reset_output_options, #unmute, #verbose?, #verbose_on
Constructor Details
#initialize(browser) ⇒ Javascript
Returns a new instance of Javascript.
```ruby
# File 'lib/arachni/browser/javascript.rb', line 130
def initialize( browser )
    @browser      = browser
    @taint_tracer = TaintTracer.new( self )
    @dom_monitor  = DOMMonitor.new( self )
end
```
Instance Attribute Details
#custom_code ⇒ String
Returns Inject custom JS code right after the initialization of the custom JS interfaces.
```ruby
# File 'lib/arachni/browser/javascript.rb', line 115
def custom_code
    @custom_code
end
```
#dom_monitor ⇒ DOMMonitor (readonly)
Returns Proxy for the `DOMMonitor` JS interface.

```ruby
# File 'lib/arachni/browser/javascript.rb', line 119
def dom_monitor
    @dom_monitor
end
```
#taint ⇒ String
Returns Taint to look for and trace in the JS data flow.
```ruby
# File 'lib/arachni/browser/javascript.rb', line 110
def taint
    @taint
end
```
#taint_tracer ⇒ TaintTracer (readonly)
Returns Proxy for the `TaintTracer` JS interface.

```ruby
# File 'lib/arachni/browser/javascript.rb', line 123
def taint_tracer
    @taint_tracer
end
```
#token ⇒ String
Returns Token used to namespace the injected JS code and avoid clashes.
```ruby
# File 'lib/arachni/browser/javascript.rb', line 106
def token
    @token
end
```
Class Method Details
.events ⇒ Object
```ruby
# File 'lib/arachni/browser/javascript.rb', line 125
def self.events
    GLOBAL_EVENTS | EVENTS_PER_ELEMENT.values.flatten.uniq
end
```
Instance Method Details
#data_flow_sinks ⇒ Array<Sink::DataFlow>
Returns JS data flow sink data.
```ruby
# File 'lib/arachni/browser/javascript.rb', line 229
def data_flow_sinks
    return [] if !supported?
    taint_tracer.data_flow_sinks
end
```
#debug_stub(*args) ⇒ String
Returns JS code which will call the `TaintTracer.debug` browser-side JS function.

```ruby
# File 'lib/arachni/browser/javascript.rb', line 180
def debug_stub( *args )
    taint_tracer.stub.function( :debug, *args )
end
```
#debugging_data ⇒ Object
```ruby
# File 'lib/arachni/browser/javascript.rb', line 217
def debugging_data
    return [] if !supported?
    taint_tracer.debugging_data
end
```
#dom_digest ⇒ String
Returns Digest of the current DOM tree (i.e. node names and their attributes, without text nodes).

```ruby
# File 'lib/arachni/browser/javascript.rb', line 255
def dom_digest
    return '' if !supported?
    dom_monitor.digest
end
```
#dom_elements_with_events ⇒ Array<Hash>
Returns Information about all DOM elements, including any registered event listeners.
```ruby
# File 'lib/arachni/browser/javascript.rb', line 262
def dom_elements_with_events
    return [] if !supported?

    dom_monitor.elements_with_events.map do |element|
        next if NO_EVENTS_FOR_ELEMENTS.include? element['tag_name'].to_sym

        attributes = element['attributes']

        # Merge events registered via listeners with inline on* attributes.
        element['events'] =
            element['events'].map { |event, fn| [event.to_sym, fn] } |
                (self.class.events.flatten.map(&:to_s) & attributes.keys).
                    map { |event| [event.to_sym, attributes[event]] }

        element
    end.compact
end
```
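The merge performed by #dom_elements_with_events, reproduced as a stand-alone added example (this is not Arachni's code). The constants are copied from the constant summary above; `all_events` stands in for the `.events` class method, and `elements_with_events` takes a constructed array of element hashes in place of the `DOMMonitor` proxy. It shows the two sources of events being combined (listener-registered events reported by the monitor, plus inline `on*` attributes) and an element from `NO_EVENTS_FOR_ELEMENTS` being dropped.

```ruby
require 'set'

# Constants as documented for Arachni::Browser::Javascript.
NO_EVENTS_FOR_ELEMENTS = Set.new([
    :base, :bdo, :br, :head, :html, :iframe, :meta, :param, :script,
    :style, :title, :link
])
GLOBAL_EVENTS = [
    :onclick, :ondblclick, :onmousedown, :onmousemove, :onmouseout,
    :onmouseover, :onmouseup
]
EVENTS_PER_ELEMENT = {
    body:     [ :onload ],
    form:     [ :onsubmit, :onreset ],
    input:    [ :onselect, :onchange, :onfocus, :onblur, :onkeydown,
                :onkeypress, :onkeyup, :oninput ],
    textarea: [ :onselect, :onchange, :onfocus, :onblur, :onkeydown,
                :onkeypress, :onkeyup, :oninput ],
    select:   [ :onchange, :onfocus, :onblur ],
    button:   [ :onfocus, :onblur ],
    label:    [ :onfocus, :onblur ]
}

# Stand-in for the .events class method: every event name we know about.
def all_events
    GLOBAL_EVENTS | EVENTS_PER_ELEMENT.values.flatten.uniq
end

# Same merge as #dom_elements_with_events, with the DOMMonitor proxy replaced
# by a plain array of element hashes (tag_name, attributes, events).
def elements_with_events( raw_elements )
    raw_elements.map do |element|
        # Elements that never fire user events are not interesting.
        next if NO_EVENTS_FOR_ELEMENTS.include? element['tag_name'].to_sym

        attributes = element['attributes']

        # Events the monitor saw being registered via addEventListener & co.
        listener_events  = element['events'].map { |event, fn| [event.to_sym, fn] }

        # Events wired up through inline on* attributes in the markup.
        attribute_events = (all_events.map(&:to_s) & attributes.keys).
            map { |event| [event.to_sym, attributes[event]] }

        element.merge( 'events' => listener_events | attribute_events )
    end.compact
end

# Constructed sample, shaped like what DOMMonitor.elements_with_events reports.
SAMPLE_ELEMENTS = [
    { 'tag_name'   => 'button',
      'attributes' => { 'id' => 'go', 'onclick' => 'submitForm()' },
      'events'     => [ ['onfocus', 'function () { highlight() }'] ] },
    { 'tag_name'   => 'script',
      'attributes' => { 'src' => '/app.js' },
      'events'     => [] },
    { 'tag_name'   => 'input',
      'attributes' => { 'name' => 'q', 'type' => 'text' },
      'events'     => [] }
]

if __FILE__ == $0
    elements_with_events( SAMPLE_ELEMENTS ).each do |e|
        puts "#{e['tag_name']}: #{e['events'].inspect}"
    end
end
```

Running the block prints the button with both its `onfocus` listener and its inline `onclick` handler, and the input with an empty event list; the `script` element does not appear at all. This is the view a DOM scanner needs in order to know which elements are worth triggering.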
#execution_flow_sinks ⇒ Array<Sink::ExecutionFlow>
Returns JS execution flow sink data.
```ruby
# File 'lib/arachni/browser/javascript.rb', line 223
def execution_flow_sinks
    return [] if !supported?
    taint_tracer.execution_flow_sinks
end
```
#flush_data_flow_sinks ⇒ Array<Sink::DataFlow>
Returns and clears #data_flow_sinks.
```ruby
# File 'lib/arachni/browser/javascript.rb', line 241
def flush_data_flow_sinks
    return [] if !supported?
    taint_tracer.flush_data_flow_sinks
end
```
#flush_execution_flow_sinks ⇒ Array<Sink::ExecutionFlow>
Returns and clears #execution_flow_sinks.
```ruby
# File 'lib/arachni/browser/javascript.rb', line 235
def flush_execution_flow_sinks
    return [] if !supported?
    taint_tracer.flush_execution_flow_sinks
end
```
#has_js_initializer?(response) ⇒ Bool
Returns `true` if the response HTTP::Message#body contains the code for the JS environment.

```ruby
# File 'lib/arachni/browser/javascript.rb', line 154
def has_js_initializer?( response )
    response.body.include? js_initialization_signal
end
```
#inject(response) ⇒ Bool
Will update the `Content-Length` header field.
Returns `true` if injection was performed, `false` otherwise (in case our code is already present).

```ruby
# File 'lib/arachni/browser/javascript.rb', line 325
def inject( response )
    return false if has_js_initializer?( response )

    body = response.body.dup

    # If we've got no taint to trace don't bother...
    if @taint
        # Schedule a tracer update at the beginning of each script block in order
        # to put our hooks into any newly introduced functions.
        #
        # The fact that our update call seems to be taking place before any
        # functions get the chance to be defined doesn't seem to matter.
        body.gsub!(
            /<script(.*?)>/i,
            "\\0\n#{@taint_tracer.stub.function( :update_tracers )}; // Injected by #{self.class}\n"
        )

        # Also perform an update after each script block, this is for external
        # scripts.
        body.gsub!(
            /<\/script>/i,
            "\\0\n<script type=\"text/javascript\">#{@taint_tracer.stub.function( :update_tracers )}" <<
                "</script> <!-- Script injected by #{self.class} -->\n"
        )
    end

    response.body = <<-EOHTML
<script src="#{script_url_for( :taint_tracer )}"></script> <!-- Script injected by #{self.class} -->
<script>
#{@taint_tracer.stub.function( :initialize, @taint )}
</script> <!-- Script injected by #{self.class} -->
<script src="#{script_url_for( :dom_monitor )}"></script> <!-- Script injected by #{self.class} -->
<script>
#{@dom_monitor.stub.function( :initialize )};
#{js_initialization_signal};
#{custom_code}
</script> <!-- Script injected by #{self.class} -->
#{body}
    EOHTML

    response.headers['content-length'] = response.body.bytesize

    true
end
```
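How #inject rewrites a response, as an added example that is not Arachni's code. The `script_url_for`, proxy stub and `js_initialization_signal` helpers are not on this page, so they are replaced here with constructed stand-ins: a fixed `TOKEN`, a `stub_call` helper that fakes the `_<token>_<interface>.<function>(...)` call syntax, and a `window._<token>` assignment as the initialization signal. The two regexes, the ordering of the prepended script tags and the `Content-Length` update follow the method above.

```ruby
require 'json'

SCRIPT_BASE_URL = 'http://javascript.browser.arachni/'   # from the constant summary
TOKEN           = 'deadbeef'                              # constructed; Arachni generates its own #token
SIGNAL          = "window._#{TOKEN} = true"               # constructed stand-in for js_initialization_signal

# Minimal response object with the two fields #inject touches.
Response = Struct.new( :body, :headers )

def script_url_for( name )
    "#{SCRIPT_BASE_URL}#{name}.js"
end

# Fakes the JS call a proxy stub would emit for a token-namespaced interface
# (constructed naming, not the real TaintTracer/DOMMonitor stub output).
def stub_call( interface, function, *args )
    "_#{TOKEN}_#{interface}.#{function}(#{args.map( &:to_json ).join( ', ' )})"
end

def has_js_initializer?( response )
    response.body.include?( SIGNAL )
end

def inject( response, taint: nil )
    # Idempotent: a response that already carries our environment is left alone.
    return false if has_js_initializer?( response )

    body = response.body.dup

    if taint
        update = stub_call( :taint_tracer, :update_tracers )

        # Hook newly defined functions at the start of every script block...
        body.gsub!( /<script(.*?)>/i, "\\0\n#{update}; // Injected by example\n" )

        # ...and again after each block, which is what covers <script src=...>,
        # whose inline body a browser never executes.
        body.gsub!(
            /<\/script>/i,
            "\\0\n<script type=\"text/javascript\">#{update}</script> <!-- injected by example -->\n"
        )
    end

    # Our scripts go first so the interfaces exist before any page script runs.
    response.body = <<~EOHTML
        <script src="#{script_url_for( :taint_tracer )}"></script>
        <script>#{stub_call( :taint_tracer, :initialize, taint )}</script>
        <script src="#{script_url_for( :dom_monitor )}"></script>
        <script>#{stub_call( :dom_monitor, :initialize )}; #{SIGNAL};</script>
        #{body}
    EOHTML

    # The body grew, so the header the browser trusts has to follow.
    response.headers['content-length'] = response.body.bytesize
    true
end

# Constructed page with one external and one inline script.
SAMPLE_HTML = <<~HTML
    <html><head><script src="/app.js"></script></head>
    <body><script>init()</script></body></html>
HTML

def sample_response
    Response.new( SAMPLE_HTML.dup, {} )
end

if __FILE__ == $0
    r = sample_response
    inject( r, taint: 'arachni_taint' )
    puts r.body
end
```

With a taint set, the sample page ends up with four `update_tracers` calls (one inside each opening `<script>` tag and one after each closing tag); without a taint only the four prepended script tags are added. Calling `inject` a second time on the same response returns `false` because the initialization signal is already present, which is what keeps a response that passes through the hook twice from being double-wrapped.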
#intervals ⇒ Array<Array>
Returns Arguments for JS `setInterval` calls.

```ruby
# File 'lib/arachni/browser/javascript.rb', line 287
def intervals
    return [] if !supported?
    dom_monitor.intervals
end
```
#log_data_flow_sink_stub(*args) ⇒ String
Returns JS code which will call the `TaintTracer.log_data_flow_sink` browser-side JS function.

```ruby
# File 'lib/arachni/browser/javascript.rb', line 174
def log_data_flow_sink_stub( *args )
    taint_tracer.stub.function( :log_data_flow_sink, *args )
end
```
#log_execution_flow_sink_stub(*args) ⇒ String
Returns JS code which will call the `TaintTracer.log_execution_flow_sink` browser-side JS function.

```ruby
# File 'lib/arachni/browser/javascript.rb', line 167
def log_execution_flow_sink_stub( *args )
    taint_tracer.stub.function( :log_execution_flow_sink, *args )
end
```
#ready? ⇒ Bool
Returns `true` if our custom JS environment has been initialized.

```ruby
# File 'lib/arachni/browser/javascript.rb', line 192
def ready?
    !!run( "return window._#{token}" ) rescue false
end
```
#run(script) ⇒ Object
Returns Result of `script`.

```ruby
# File 'lib/arachni/browser/javascript.rb', line 201
def run( script )
    @browser.watir.execute_script script
end
```
#run_without_elements(script) ⇒ Object
Executes the given code but unwraps Watir elements.
```ruby
# File 'lib/arachni/browser/javascript.rb', line 212
def run_without_elements( script )
    unwrap_elements run( script )
end
```
#serve(request, response) ⇒ Bool
Returns `true` if the request corresponded to a JS file and was served, `false` otherwise.

```ruby
# File 'lib/arachni/browser/javascript.rb', line 303
def serve( request, response )
    # Only requests for our own script URL are answered, and only for scripts
    # that actually exist in the script library.
    return false if !request.url.start_with?( SCRIPT_BASE_URL ) ||
        !(script = read_script( request.parsed_url.path ))

    response.code                      = 200
    response.body                      = script
    response.headers['content-type']   = 'text/javascript'
    response.headers['content-length'] = script.bytesize
    true
end
```
#set_element_ids ⇒ Object
Sets a custom ID attribute to elements with events but without a proper ID.
```ruby
# File 'lib/arachni/browser/javascript.rb', line 247
def set_element_ids
    return '' if !supported?
    dom_monitor.setElementIds
end
```
#supported? ⇒ Bool
Returns `true` if there is support for our JS environment in the current page, `false` otherwise.

```ruby
# File 'lib/arachni/browser/javascript.rb', line 141
def supported?
    # We won't have a response if the browser was steered towards an
    # out-of-scope resource.
    response = @browser.response
    response && has_js_initializer?( response )
end
```