Class: Arachni::OptionGroups::Audit

Inherits:

Arachni::OptionGroup

• Object
• Arachni::OptionGroup
• Arachni::OptionGroups::Audit

Defined in:

lib/arachni/option_groups/audit.rb

Overview

Options for audit scope/coverage, mostly decides what types of elements should be considered.

Author:

• Tasos “Zapotek” Laskos <tasos.laskos@arachni-scanner.com>

Defined Under Namespace

Classes: Error

Instance Attribute Summary

• #cookies ⇒ Bool (also: #cookie_doms)

  Audit cookies.

• #cookies_extensively ⇒ Bool

  Like #cookies but all cookie audits are submitted along with any other available element on the page.

• #exclude_vector_patterns ⇒ Array<Regexp>

  Patterns to use to exclude vectors from the audit, by name.

• #forms ⇒ Bool (also: #form_doms)

  Audit forms.

• #headers ⇒ Bool

  Audit HTTP request headers.

• #include_vector_patterns ⇒ Array<Regexp>

  Patterns to use to include vectors in the audit exclusively, by name.

• #jsons ⇒ Bool

  Audit JSON request inputs.

• #link_templates ⇒ Array<Regexp> (also: #link_template_doms)

  Regular expressions with named captures, serving as templates used to extract input vectors from links.

• #links ⇒ Bool (also: #link_doms)

  Audit links.

• #parameter_names ⇒ Bool

  Inject payloads into parameter names.

• #parameter_values ⇒ Bool

  Inject payloads into parameter values.

• #with_both_http_methods ⇒ Bool

  If enabled, all element audits will be performed with both ‘GET` and `POST` HTTP methods.

• #with_extra_parameter ⇒ Bool

  Inject payloads into extra element parameters.

• #xmls ⇒ Bool

  Audit XML request inputs.

Instance Method Summary

• #elements(*element_types) ⇒ Object (also: #elements=, #element)

  Enables auditing of element types.

• #elements?(*element_types) ⇒ Bool (also: #element?)

  Get audit settings for the given element types.

• #link_templates? ⇒ Bool (also: #link_template_doms?)

  ‘true` if link templates have been specified, `false` otherwise.

• #skip_elements(*element_types) ⇒ Object (also: #skip_element)

  Disables auditing of element types.

• #to_h ⇒ Object
• #vector?(name) ⇒ Boolean

Methods inherited from Arachni::OptionGroup

#==, attr_accessor, #attributes, attributes, defaults, #defaults, #hash, inherited, #initialize, #merge, set_defaults, #to_hash, #to_rpc_data, #update, #validate

Constructor Details

This class inherits a constructor from Arachni::OptionGroup

Instance Attribute Details

#cookies ⇒ Bool Also known as: cookie_doms

Note:

Default is ‘false`.

Returns Audit cookies.

Returns:

• (Bool) —

  Audit cookies.

See Also:

• Element::Cookie
• Element::Capabilities::Auditable#audit

# File 'lib/arachni/option_groups/audit.rb', line 105

def cookies
  @cookies
end

#cookies_extensively ⇒ Bool

Note:

Default is ‘false`.

Returns Like #cookies but all cookie audits are submitted along with any other available element on the page.

Returns:

• (Bool) —

  Like #cookies but all cookie audits are submitted along with any other available element on the page.

See Also:

• Element::Cookie#each_mutation
• Element::Capabilities::Auditable#audit

# File 'lib/arachni/option_groups/audit.rb', line 117

def cookies_extensively
  @cookies_extensively
end

#exclude_vector_patterns ⇒ Array<Regexp>

Returns Patterns to use to exclude vectors from the audit, by name.

Returns:

• (Array<Regexp>) —

  Patterns to use to exclude vectors from the audit, by name.

See Also:

• Element::Capabilities::Auditable#audit

# File 'lib/arachni/option_groups/audit.rb', line 68

def exclude_vector_patterns
  @exclude_vector_patterns
end

#forms ⇒ Bool Also known as: form_doms

Note:

Default is ‘false`.

Returns Audit forms.

Returns:

• (Bool) —

  Audit forms.

See Also:

• Element::Form
• Element::Capabilities::Auditable#audit

# File 'lib/arachni/option_groups/audit.rb', line 94

def forms
  @forms
end

#headers ⇒ Bool

Note:

Default is ‘false`.

Returns Audit HTTP request headers.

Returns:

• (Bool) —

  Audit HTTP request headers.

# File 'lib/arachni/option_groups/audit.rb', line 123

def headers
  @headers
end

#include_vector_patterns ⇒ Array<Regexp>

Returns Patterns to use to include vectors in the audit exclusively, by name.

Returns:

• (Array<Regexp>) —

  Patterns to use to include vectors in the audit exclusively, by name.

See Also:

• Element::Capabilities::Auditable#audit

# File 'lib/arachni/option_groups/audit.rb', line 74

def include_vector_patterns
  @include_vector_patterns
end

#jsons ⇒ Bool

Note:

Default is ‘false`.

Returns Audit JSON request inputs.

Returns:

• (Bool) —

  Audit JSON request inputs.

# File 'lib/arachni/option_groups/audit.rb', line 142

def jsons
  @jsons
end

#link_templates ⇒ Array<Regexp> Also known as: link_template_doms

Returns Regular expressions with named captures, serving as templates used to extract input vectors from links.

Returns:

• (Array<Regexp>) —

  Regular expressions with named captures, serving as templates used to extract input vectors from links.

See Also:

• Element::LinkTemplate

# File 'lib/arachni/option_groups/audit.rb', line 130

def link_templates
  @link_templates
end

#links ⇒ Bool Also known as: link_doms

Note:

Default is ‘false`.

Returns Audit links.

Returns:

• (Bool) —

  Audit links.

See Also:

• Element::Link
• Element::Capabilities::Auditable#audit

# File 'lib/arachni/option_groups/audit.rb', line 83

def links
  @links
end

#parameter_names ⇒ Bool

Note:

Default is ‘false`.

Returns Inject payloads into parameter names.

Returns:

• (Bool) —

  Inject payloads into parameter names.

See Also:

• Element::Capabilities::Mutable#each_mutation

# File 'lib/arachni/option_groups/audit.rb', line 43

def parameter_names
  @parameter_names
end

#parameter_values ⇒ Bool

Note:

Default is ‘true`.

Returns Inject payloads into parameter values.

Returns:

• (Bool) —

  Inject payloads into parameter values.

See Also:

• Element::Capabilities::Mutable#each_mutation

# File 'lib/arachni/option_groups/audit.rb', line 35

def parameter_values
  @parameter_values
end

#with_both_http_methods ⇒ Bool

Note:

Default is ‘false`.

Returns If enabled, all element audits will be performed with both ‘GET` and `POST` HTTP methods.

Returns:

• (Bool) —

  If enabled, all element audits will be performed with both ‘GET` and `POST` HTTP methods.

See Also:

• Element::Capabilities::Mutable::MUTATION_OPTIONS
• Element::Capabilities::Mutable#each_mutation
• Element::Capabilities::Mutable#switch_method

# File 'lib/arachni/option_groups/audit.rb', line 62

def with_both_http_methods
  @with_both_http_methods
end

#with_extra_parameter ⇒ Bool

Note:

Default is ‘false`.

Returns Inject payloads into extra element parameters.

Returns:

• (Bool) —

  Inject payloads into extra element parameters.

See Also:

• Element::Capabilities::Mutable#each_mutation

# File 'lib/arachni/option_groups/audit.rb', line 51

def with_extra_parameter
  @with_extra_parameter
end

#xmls ⇒ Bool

Note:

Default is ‘false`.

Returns Audit XML request inputs.

Returns:

• (Bool) —

  Audit XML request inputs.

# File 'lib/arachni/option_groups/audit.rb', line 148

def xmls
  @xmls
end

Instance Method Details

#elements(*element_types) ⇒ Object Also known as: elements=, element

Enables auditing of element types.

Parameters:

• element_types (String, Symbol, Array) —

  Allowed:

  • ‘:links`

  • ‘:forms`

  • ‘:cookies`

  • ‘:headers`

# File 'lib/arachni/option_groups/audit.rb', line 198

def elements( *element_types )
    element_types.flatten.compact.each do |type|
        fail_on_unknown_element_type( type ) do
            self.send( "#{type}=", true ) rescue self.send( "#{type}s=", true )
        end
    end
    true
end

#elements?(*element_types) ⇒ Bool Also known as: element?

Get audit settings for the given element types.

Parameters:

• element_types (String, Symbol, Array) —

  Allowed:

  • ‘:links`

  • ‘:forms`

  • ‘:cookies`

  • ‘:headers`

Returns:

• (Bool)

Raises:

• (Error::InvalidLinkTemplate)

# File 'lib/arachni/option_groups/audit.rb', line 242

def elements?( *element_types )
    !(element_types.flatten.compact.map do |type|
        fail_on_unknown_element_type( type ) do
            !!(self.send( "#{type}?" ) rescue self.send( "#{type}s?" ))
        end
    end.uniq.include?( false ))
end

#link_templates? ⇒ Bool Also known as: link_template_doms?

Returns ‘true` if link templates have been specified, `false` otherwise.

Returns:

• (Bool) —

  ‘true` if link templates have been specified, `false` otherwise.

# File 'lib/arachni/option_groups/audit.rb', line 270

def link_templates?
    @link_templates.any?
end

#skip_elements(*element_types) ⇒ Object Also known as: skip_element

Disables auditing of element types.

Parameters:

• element_types (String, Symbol, Array) —

  Allowed:

  • ‘:links`

  • ‘:forms`

  • ‘:cookies`

  • ‘:headers`

# File 'lib/arachni/option_groups/audit.rb', line 219

def skip_elements( *element_types )
    element_types.flatten.compact.each do |type|
        fail_on_unknown_element_type( type ) do
            self.send( "#{type}=", false ) rescue self.send( "#{type}s=", false )
        end
    end
    true
end

#to_h ⇒ Object

# File 'lib/arachni/option_groups/audit.rb', line 275

def to_h
    h = super
    [:link_templates, :include_vector_patterns, :exclude_vector_patterns].each do |k|
        h[k] = h[k].map(&:to_s)
    end
    h
end

#vector?(name) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/arachni/option_groups/audit.rb', line 260

def vector?( name )
    if include_vector_patterns.any? && !include_vector_patterns.find { |p| p =~ name }
        return false
    end

    !exclude_vector_patterns.find { |p| p =~ name }
end