Module: Arachni::Check::Auditor

Included in:

Base

Defined in:

lib/arachni/check/auditor.rb

Overview

Included by Base and provides helper audit methods to all checks.

There are 3 main types of audit and analysis techniques available:

• Signature analysis – #audit

• Timeout analysis – #audit_timeout

• Differential analysis – #audit_differential

It should be noted that actual analysis takes place at the element level.

It also provides:

• Discovery helpers for checking and logging the existence of remote files.

  • #log_remote_file

  • #log_remote_file_if_exists

• Pattern matching helpers for checking and logging the existence of strings in responses or in the body of the page that’s being audited.

  • #match_and_log

• General Issue logging helpers.

  • #log

  • #log_issue

Author:

• Tasos “Zapotek” Laskos <tasos.laskos@arachni-scanner.com>

Constant Summary

FILE_SIGNATURES_PER_PLATFORM =

Arachni::Element::Capabilities::Analyzable::Signature::FILE_SIGNATURES_PER_PLATFORM

FILE_SIGNATURES =

Arachni::Element::Capabilities::Analyzable::Signature::FILE_SIGNATURES

SOURCE_CODE_SIGNATURES_PER_PLATFORM =

Arachni::Element::Capabilities::Analyzable::Signature::SOURCE_CODE_SIGNATURES_PER_PLATFORM

Format =

Holds constant bitfields that describe the preferred formatting of injection strings.

Element::Capabilities::Mutable::Format

ELEMENTS_WITH_INPUTS =

Non-DOM auditable elements.

[
    Element::Link, Element::Form, Element::Cookie, Element::Header,
    Element::LinkTemplate, Element::JSON, Element::XML
]

DOM_ELEMENTS_WITH_INPUTS =

Auditable DOM elements.

[
    Element::Link::DOM, Element::Form::DOM, Element::Cookie::DOM,
    Element::LinkTemplate::DOM, Element::UIInput::DOM, Element::UIForm::DOM
]

Instance Attribute Summary

• #framework ⇒ Arachni::Framework readonly
• #page ⇒ Arachni::Page readonly

  Page object to be audited.

Class Method Summary

• .has_timeout_candidates? ⇒ Boolean
• .included(m) ⇒ Object
• .reset ⇒ Object
• .timeout_audit_run ⇒ Object

Instance Method Summary

• #audit(payloads, opts = {}, &block) ⇒ Object

  If a block has been provided it calls Element::Capabilities::Auditable#audit for every element, otherwise, it defaults to #audit_signature.

• #audit_differential(opts = {}, &block) ⇒ Object

  Audits elements using differential analysis and automatically logs results.

• #audit_signature(payloads, opts = {}) ⇒ Object

  Provides easy access to element auditing using simple signature analysis and automatically logs results.

• #audit_timeout(payloads, opts = {}) ⇒ Object

  Audits elements using timing attacks and automatically logs results.

• #audited(id) ⇒ Object
• #audited?(id) ⇒ Bool

  ‘true` if audited, `false` otherwise.

• #buffered_audit(payloads, opts = {}, &block) ⇒ Object

  Calls Element::Capabilities::Auditable#buffered_audit for every element.

• #each_candidate_dom_element {|element| ... } ⇒ Object

  Passes each element prepared for audit to the block.

• #each_candidate_element {|element| ... } ⇒ Object

  Passes each element prepared for audit to the block.

• #http ⇒ HTTP::Client
• #initialize(page, framework) ⇒ Object
• #log(options) ⇒ Issue

  Populates and logs an Issue.

• #log_issue(options) ⇒ Issue

  Helper method for issue logging.

• #log_remote_file(page_or_response, silent = false, options = {}) ⇒ Issue (also: #log_remote_directory)

  Logs the existence of a remote file as an issue.

• #log_remote_file_if_exists(url, silent = false, options = {}, &block) ⇒ Object (also: #log_remote_directory_if_exists)

  Logs a remote file or directory if it exists.

• #match_and_log(patterns, &block) ⇒ Object

  Matches an array of regular expressions against a string and logs the result as an issue.

• #max_issues ⇒ Object
• #preferred ⇒ Object abstract
• #skip?(element) ⇒ Boolean

  This is called right before an Element is audited and is used to determine whether to skip it or not.

• #trace_taint(resource, options = {}, &block) ⇒ Object

  Traces the taint in the given ‘resource` and passes each page to the `block`.

• #with_browser(*args, &block) ⇒ Object
• #with_browser_cluster(&block) ⇒ Object

Instance Attribute Details

#framework ⇒ Arachni::Framework (readonly)

Returns:

• (Arachni::Framework)

# File 'lib/arachni/check/auditor.rb', line 315

def framework
  @framework
end

#page ⇒ Arachni::Page (readonly)

Returns Page object to be audited.

Returns:

• (Arachni::Page) —

  Page object to be audited.

# File 'lib/arachni/check/auditor.rb', line 312

def page
  @page
end

Class Method Details

.has_timeout_candidates? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/arachni/check/auditor.rb', line 43

def self.has_timeout_candidates?
    Element::Capabilities::Analyzable.has_timeout_candidates?
end

.included(m) ⇒ Object

# File 'lib/arachni/check/auditor.rb', line 69

def self.included( m )
    m.class_eval do

        # Determines whether or not to run the check against the given page
        # depending on which elements exist in the page, which elements the
        # check is configured to audit and user options.
        #
        # @param    [Page]    page
        # @param    [Element::Base, Array<Element::Base>]    restrict_to_elements
        #   Element types to check for.
        #
        # @return   [Bool]
        def self.check?( page, restrict_to_elements = nil, ignore_dom_depth = false )
            return false if issue_limit_reached?
            return true  if elements.empty?

            audit                = Arachni::Options.audit
            restrict_to_elements = [restrict_to_elements].flatten.compact

            # We use procs to make the decisions to avoid loading the page
            # element caches unless it's absolutely necessary.
            #
            # Also, it's better to audit Form & Cookie DOM elements only
            # after the page has gone through the browser, because then
            # we'll have some context in the metadata which can help us
            # optimize DOM audits.
            {
                Element::Link              =>
                    proc { audit.links?     && !!page.links.find { |e| e.inputs.any? } },
                Element::Link::DOM         =>
                    proc { audit.link_doms? && !!page.links.find(&:dom) },
                Element::Form              =>
                    proc { audit.forms? && !!page.forms.find { |e| e.inputs.any? } },
                Element::Form::DOM         =>
                    proc { (ignore_dom_depth || page.dom.depth > 0) &&
                        audit.form_doms? && page.has_script? && !!page.forms.find(&:dom) },
                Element::Cookie            =>
                    proc { audit.cookies? && page.cookies.any? },
                Element::Cookie::DOM       =>
                    proc { (ignore_dom_depth || page.dom.depth > 0) &&
                        audit.cookie_doms? && page.has_script? && page.cookies.any? },
                Element::Header            =>
                    proc { audit.headers? && page.headers.any? },
                Element::LinkTemplate      =>
                    proc { audit.link_templates? && page.link_templates.find { |e| e.inputs.any? } },
                Element::LinkTemplate::DOM =>
                    proc { audit.link_template_doms? && !!page.link_templates.find(&:dom) },
                Element::JSON              =>
                    proc { audit.jsons? && page.jsons.find { |e| e.inputs.any? } },
                Element::XML               =>
                    proc { audit.xmls? && page.xmls.find { |e| e.inputs.any? } },
                Element::UIInput             => false,
                Element::UIInput::DOM        =>
                    proc { audit.ui_inputs? && page.ui_inputs.any? },
                Element::UIForm            => false,
                Element::UIForm::DOM       =>
                    proc { audit.ui_forms? && page.ui_forms.any? },
                Element::Body              => !page.body.empty?,
                Element::GenericDOM        => page.has_script?,
                Element::Path              => true,
                Element::Server            => true
            }.each do |type, decider|
                next if restrict_to_elements.any? && !restrict_to_elements.include?( type )

                return true if elements.include?( type ) &&
                    (decider.is_a?( Proc ) ? decider.call : decider)
            end

            false
        end

        def self.issue_counter
            @issue_counter ||= 0
        end

        def self.issue_counter=( int )
            @issue_counter = int
        end

        def increment_issue_counter
            self.class.issue_counter += 1
        end

        def issue_limit_reached?( count = max_issues )
            self.class.issue_limit_reached?( count )
        end

        def self.issue_limit_reached?( count = max_issues )
            issue_counter >= count if !count.nil?
        end

        def self.max_issues
            info[:max_issues]
        end

        # Populates and logs an {Arachni::Issue}.
        #
        # @param    [Hash]  options
        #   {Arachni::Issue} initialization options.
        #
        # @return   [Issue]
        def self.log( options )
            options       = options.dup
            vector        = options[:vector]
            audit_options = vector.respond_to?( :audit_options ) ?
                vector.audit_options : {}

            if options[:referring_page]
                referring_page = options[:referring_page]
            elsif vector.page
                referring_page = vector.page
            else
                fail ArgumentError, 'Missing :referring_page option.'
            end

            if options[:response]
                page = options.delete(:response).to_page
            elsif options[:page]
                page = options.delete(:page)
            else
                page = referring_page
            end

            # Don't check the page scope, the check may have exceeded the DOM depth
            # limit but the check is allowed to do that, only check for an out of
            # scope response.
            return if !page.response.parsed_url.seed_in_host? && page.response.scope.out?

            msg = "In #{vector.type}"

            active = vector.respond_to?( :affected_input_name ) && vector.affected_input_name

            if active
                msg << " input '#{vector.affected_input_name}'"
            elsif vector.respond_to?( :inputs )
                msg << " with inputs '#{vector.inputs.keys.join(', ')}'"
            end

            vector.print_ok "#{msg} with action #{vector.action}"

            if Arachni::UI::Output.verbose?
                if active
                    vector.print_verbose "Injected:  #{vector.affected_input_value.inspect}"
                end

                if options[:signature]
                    vector.print_verbose "Signature: #{options[:signature]}"
                end

                if options[:proof]
                    vector.print_verbose "Proof:     #{options[:proof]}"
                end

                if page.dom.transitions.any?
                    vector.print_verbose 'DOM transitions:'
                    page.dom.print_transitions( method(:print_verbose), '    ' )
                end

                if !(request_dump = page.request.to_s).empty?
                    vector.print_verbose "Request: \n#{request_dump}"
                end

                vector.print_verbose( '---------' ) if only_positives?
            end

            # Platform identification by vulnerability.
            platform_type = nil
            if (platform = (options.delete(:platform) || audit_options[:platform]))
                Platform::Manager[vector.action] << platform if Options.fingerprint?
                platform_type = Platform::Manager[vector.action].find_type( platform )
            end

            log_issue(options.merge(
                platform_name:  platform,
                platform_type:  platform_type,
                page:           page,
                referring_page: referring_page
            ))
        end

        # Helper method for issue logging.
        #
        # @param    [Hash]  options
        #   {Issue} options.
        #
        # @return   [Issue]
        #
        # @see .create_issue
        def self.log_issue( options )
            return if issue_limit_reached?
            self.issue_counter += 1

            issue = create_issue( options )
            Data.issues << issue
            issue
        end

        # Helper method for creating an issue.
        #
        # @param    [Hash]  options
        #   {Issue} options.
        def self.create_issue( options )
            check_info = self.info.dup
            check_info.delete( :issue )
            check_info[:shortname] = self.shortname

            issue_data = self.info[:issue].merge( check: check_info ).merge( options )
            Issue.new( issue_data )
        end
    end
end

.reset ⇒ Object

# File 'lib/arachni/check/auditor.rb', line 39

def self.reset
    audited.clear
end

.timeout_audit_run ⇒ Object

# File 'lib/arachni/check/auditor.rb', line 46

def self.timeout_audit_run
    Element::Capabilities::Analyzable.timeout_audit_run
end

Instance Method Details

#audit(payloads, opts = {}, &block) ⇒ Object

If a block has been provided it calls Element::Capabilities::Auditable#audit for every element, otherwise, it defaults to #audit_signature.

Uses #each_candidate_element to decide which elements to audit.

See Also:

• Element::Capabilities::Auditable#audit
• #audit_signature

# File 'lib/arachni/check/auditor.rb', line 561

def audit( payloads, opts = {}, &block )
    if !block_given?
        audit_signature( payloads, opts )
    else
        each_candidate_element do |e|
            e.audit( payloads, opts, &block )
            audited( e.coverage_id )
        end
    end
end

#audit_differential(opts = {}, &block) ⇒ Object

Audits elements using differential analysis and automatically logs results.

Uses #each_candidate_element to decide which elements to audit.

See Also:

• Element::Capabilities::Analyzable::Differential

# File 'lib/arachni/check/auditor.rb', line 603

def audit_differential( opts = {}, &block )
    each_candidate_element do |e|
        e.differential_analysis( opts, &block )
        audited( e.coverage_id )
    end
end

#audit_signature(payloads, opts = {}) ⇒ Object

Provides easy access to element auditing using simple signature analysis and automatically logs results.

Uses #each_candidate_element to decide which elements to audit.

See Also:

• Element::Capabilities::Analyzable::Signature

# File 'lib/arachni/check/auditor.rb', line 591

def audit_signature( payloads, opts = {} )
    each_candidate_element do |e|
        e.signature_analysis( payloads, opts )
        audited( e.coverage_id )
    end
end

#audit_timeout(payloads, opts = {}) ⇒ Object

Audits elements using timing attacks and automatically logs results.

Uses #each_candidate_element to decide which elements to audit.

See Also:

• Element::Capabilities::Analyzable::Timeout

# File 'lib/arachni/check/auditor.rb', line 615

def audit_timeout( payloads, opts = {} )
    each_candidate_element do |e|
        e.timeout_analysis( payloads, opts )
        audited( e.coverage_id )
    end
end

#audited(id) ⇒ Object

Parameters:

• id (#to_s) —

  Identifier of the object to be marked as audited.

See Also:

• #audited?

# File 'lib/arachni/check/auditor.rb', line 54

def audited( id )
    Auditor.audited << "#{self.class}-#{id}"
end

#audited?(id) ⇒ Bool

Returns ‘true` if audited, `false` otherwise.

Parameters:

• id (#to_s) —

  Identifier of the object to be checked.

Returns:

• (Bool) —

  ‘true` if audited, `false` otherwise.

See Also:

• #audited

# File 'lib/arachni/check/auditor.rb', line 65

def audited?( id )
    Auditor.audited.include?( "#{self.class}-#{id}" )
end

#buffered_audit(payloads, opts = {}, &block) ⇒ Object

Calls Element::Capabilities::Auditable#buffered_audit for every element.

Uses #each_candidate_element to decide which elements to audit.

See Also:

• Element::Capabilities::Auditable#buffered_audit

# File 'lib/arachni/check/auditor.rb', line 578

def buffered_audit( payloads, opts = {}, &block )
    each_candidate_element do |e|
        e.buffered_audit( payloads, opts, &block )
        audited( e.coverage_id )
    end
end

#each_candidate_dom_element {|element| ... } ⇒ Object

Passes each element prepared for audit to the block.

It will use the elements from the check’s Base.info hash. If no elements have been specified it will use DOM_ELEMENTS_WITH_INPUTS.

Yields:

• (element) —

  Each candidate element.

Yield Parameters:

• (Arachni::Element::DOM)

# File 'lib/arachni/check/auditor.rb', line 520

def each_candidate_dom_element( &block )
    types = self.class.elements
    types = DOM_ELEMENTS_WITH_INPUTS if types.empty?

    types.each do |elem|
        elem = elem.type

        next if !Options.audit.elements?( elem.to_s.gsub( '_dom', '' ) )

        case elem
            when Element::Link::DOM.type
                prepare_each_dom_element( page.links, &block )

            when Element::Form::DOM.type
                prepare_each_dom_element( page.forms, &block )

            when Element::Cookie::DOM.type
                prepare_each_dom_element( page.cookies, &block )

            when Element::LinkTemplate::DOM.type
                prepare_each_dom_element( page.link_templates, &block )

            when Element::UIInput::DOM.type
                prepare_each_dom_element( page.ui_inputs, &block )

            when Element::UIForm::DOM.type
                prepare_each_dom_element( page.ui_forms, &block )

            else
                fail ArgumentError, "Unknown DOM element: #{elem}"
        end
    end
end

#each_candidate_element {|element| ... } ⇒ Object

Passes each element prepared for audit to the block.

It will use the elements from the check’s Base.info hash. If no elements have been specified it will use ELEMENTS_WITH_INPUTS.

Yields:

• (element) —

  Each candidate element.

Yield Parameters:

• (Arachni::Element)

# File 'lib/arachni/check/auditor.rb', line 475

def each_candidate_element( &block )
    types = self.class.elements
    types = ELEMENTS_WITH_INPUTS if types.empty?

    types.each do |elem|
        elem = elem.type

        next if !Options.audit.elements?( elem )

        case elem
            when Element::Link.type
                prepare_each_element( page.links, &block )

            when Element::Form.type
                prepare_each_element( page.forms, &block )

            when Element::Cookie.type
                prepare_each_element(page.cookies, &block )

            when Element::Header.type
                prepare_each_element( page.headers, &block )

            when Element::LinkTemplate.type
                prepare_each_element( page.link_templates, &block )

            when Element::JSON.type
                prepare_each_element( page.jsons, &block )

            when Element::XML.type
                prepare_each_element( page.xmls, &block )

            else
                fail ArgumentError, "Unknown element: #{elem}"
        end
    end
end

#http ⇒ HTTP::Client

Returns:

• (HTTP::Client)

# File 'lib/arachni/check/auditor.rb', line 325

def http
    HTTP::Client
end

#initialize(page, framework) ⇒ Object

Parameters:

• page (Page)
• framework (Framework)

# File 'lib/arachni/check/auditor.rb', line 319

def initialize( page, framework )
    @page      = page
    @framework = framework
end

#log(options) ⇒ Issue

Populates and logs an Issue.

Parameters:

• options (Hash) —

  Issue initialization options.

Returns:

• (Issue)

# File 'lib/arachni/check/auditor.rb', line 418

def log( options )
    self.class.log( options.merge( referring_page: @page ) )
end

#log_issue(options) ⇒ Issue

Helper method for issue logging.

Parameters:

• options (Hash) —

  Issue options.

Returns:

• (Issue)

See Also:

• create_issue

# File 'lib/arachni/check/auditor.rb', line 408

def log_issue( options )
    self.class.log_issue( options.merge( referring_page: @page ) )
end

#log_remote_file(response, silent = false) ⇒ Issue #log_remote_file(page, silent = false) ⇒ Issue Also known as: log_remote_directory

Logs the existence of a remote file as an issue.

Overloads:

• #log_remote_file(response, silent = false) ⇒ Issue

  Parameters:

  • response (HTTP::Response)
  • silent (Bool) (defaults to: false) —

    If ‘false`, a message will be printed to stdout containing the status of the operation.

• #log_remote_file(page, silent = false) ⇒ Issue

  Parameters:

  • page (Page)
  • silent (Bool) (defaults to: false) —

    If ‘false`, a message will be printed to stdout containing the status of the operation.

Returns:

• (Issue)

See Also:

• #log_issue

# File 'lib/arachni/check/auditor.rb', line 384

def log_remote_file( page_or_response, silent = false, options = {} )
    page = page_or_response.is_a?( Page ) ?
        page_or_response : page_or_response.to_page

    issue = log_issue({
        vector: Element::Server.new( page.url ),
        proof:  page.response.status_line,
        page:   page
    }.merge( options ))

    print_ok( "Found #{page.url}" ) if !silent

    issue
end

#log_remote_file_if_exists(url, silent = false, options = {}, &block) ⇒ Object Also known as: log_remote_directory_if_exists

Note:

Ignores custom 404 responses.

Logs a remote file or directory if it exists.

Parameters:

• url (String) —

  Resource to check.

• silent (Bool) (defaults to: false) —

  If ‘false`, a message will be printed to stdout containing the status of the operation.

• block (Proc) —

  Called if the file exists, just before logging the issue, and is passed the HTTP response.

Returns:

• (Object) —

  • ‘nil` if no URL was provided.

  • ‘false` if the request couldn’t be fired.

  • ‘true` if everything went fine.

See Also:

• Element::Server#remote_file_exist?

# File 'lib/arachni/check/auditor.rb', line 347

def log_remote_file_if_exists( url, silent = false, options = {}, &block )
    @server ||= Element::Server.new( page.url ).tap { |s| s.auditor = self }
    @server.log_remote_file_if_exists( url, silent, options, &block )
end

#match_and_log(patterns, &block) ⇒ Object

Matches an array of regular expressions against a string and logs the result as an issue.

Parameters:

• patterns (Array<Regexp>) —

  Array of regular expressions to be tested.

• block (Block) —

  Block to verify matches before logging, must return ‘true`/`false`.

See Also:

• Element::Body#match_and_log

# File 'lib/arachni/check/auditor.rb', line 362

def match_and_log( patterns, &block )
    @body ||= Element::Body.new( self.page.url ).tap { |b| b.auditor = self }
    @body.match_and_log( patterns, &block )
end

#max_issues ⇒ Object

# File 'lib/arachni/check/auditor.rb', line 281

def max_issues
    self.class.max_issues
end

#preferred ⇒ Object

This method is abstract.

See Also:

• Base#preferred
• Base.prefer

# File 'lib/arachni/check/auditor.rb', line 425

def preferred
    []
end

#skip?(element) ⇒ Boolean

This is called right before an Element is audited and is used to determine whether to skip it or not.

Running checks can override this as they wish but at their own peril.

Parameters:

• element (Arachni::Element)

Returns:

• (Boolean) —

  ‘true` if the element should be skipped, `false` otherwise.

See Also:

• Page#audit?

# File 'lib/arachni/check/auditor.rb', line 440

def skip?( element )
    # This method also gets called from Auditable#audit to check mutations,
    # don't touch these, we're filtering at a higher level here, otherwise
    # we might mess up the audit.
    return true if !element.mutation? && audited?( element.coverage_id )
    return true if !page.audit_element?( element )

    # Don't audit elements which have been already logged as vulnerable
    # either by us or preferred checks.
    (preferred | [shortname]).each do |check|
        next if !framework.checks.include?( check )

        klass = framework.checks[check]
        next if !klass.info.include?(:issue)

        # No point in doing the following heavy deduplication check if there
        # are no issues logged to begin with.
        next if klass.issue_counter == 0

        if Data.issues.include?( klass.create_issue( vector: element ) )
            return true
        end
    end

    false
end

#trace_taint(resource, options = {}, &block) ⇒ Object

Traces the taint in the given ‘resource` and passes each page to the `block`.

Parameters:

• resource (Page, String, HTTP::Response) —

  Resource to load and whose environment to trace, if given a ‘String` it will be treated it as a URL and will be loaded.

• options (Hash) (defaults to: {}) —

  See BrowserCluster::Jobs::TaintTrace accessors.

• block (Block) —

  Block to handle each page snapshot. If the ‘block` returns a `true` value, further analysis will be aborted.

# File 'lib/arachni/check/auditor.rb', line 633

def trace_taint( resource, options = {}, &block )
    with_browser_cluster do |cluster|
        cluster.trace_taint( resource, options ) do |result|
            block.call( result.page )
        end
    end
end

#with_browser(*args, &block) ⇒ Object

Note:

Operates in non-blocking mode.

Parameters:

• block (Block) —

  Block to passed a BrowserCluster::Worker, if/when one is available.

See Also:

• BrowserCluster::Worker#with_browser

# File 'lib/arachni/check/auditor.rb', line 655

def with_browser( *args, &block )
    with_browser_cluster { |cluster| cluster.with_browser( *args, &block ) }
    true
end

#with_browser_cluster(&block) ⇒ Object

Parameters:

• block (Block) —

  Block to passed a BrowserCluster, if one is available.

# File 'lib/arachni/check/auditor.rb', line 643

def with_browser_cluster( &block )
    return if !browser_cluster
    block.call browser_cluster
    true
end