Module: Arachni::Check::Auditor
- Included in:
- Base
- Defined in:
- lib/arachni/check/auditor.rb
Overview
Included by Base and provides helper audit methods to all checks.
There are 3 main types of audit and analysis techniques available:
- Signature analysis -- #audit
- Timeout analysis -- #audit_timeout
- Differential analysis -- #audit_differential
It should be noted that actual analysis takes place at the element level.
It also provides:
- Discovery helpers for checking and logging the existence of remote files.
- Pattern matching helpers for checking and logging the existence of strings in responses or in the body of the page that's being audited.
- General Issue logging helpers.
Constant Summary collapse
- FILE_SIGNATURES_PER_PLATFORM =
Arachni::Element::Capabilities::Analyzable::Signature::FILE_SIGNATURES_PER_PLATFORM
- FILE_SIGNATURES =
Arachni::Element::Capabilities::Analyzable::Signature::FILE_SIGNATURES
- SOURCE_CODE_SIGNATURES_PER_PLATFORM =
Arachni::Element::Capabilities::Analyzable::Signature::SOURCE_CODE_SIGNATURES_PER_PLATFORM
- Format =
Holds constant bitfields that describe the preferred formatting of injection strings.
Element::Capabilities::Mutable::Format
- ELEMENTS_WITH_INPUTS =
Non-DOM auditable elements.
[ Element::Link, Element::Form, Element::Cookie, Element::NestedCookie, Element::Header, Element::LinkTemplate, Element::JSON, Element::XML ]
- DOM_ELEMENTS_WITH_INPUTS =
Auditable DOM elements.
[ Element::Link::DOM, Element::Form::DOM, Element::Cookie::DOM, Element::LinkTemplate::DOM, Element::UIInput::DOM, Element::UIForm::DOM ]
Instance Attribute Summary collapse
- #framework ⇒ Arachni::Framework readonly
-
#page ⇒ Arachni::Page
readonly
Page object to be audited.
Class Method Summary collapse
Instance Method Summary collapse
-
#audit(payloads, opts = {}, &block) ⇒ Object
If a block has been provided it calls Element::Capabilities::Auditable#audit for every element, otherwise, it defaults to #audit_signature.
-
#audit_differential(opts = {}, &block) ⇒ Object
Audits elements using differential analysis and automatically logs results.
-
#audit_signature(payloads, opts = {}) ⇒ Object
Provides easy access to element auditing using simple signature analysis and automatically logs results.
-
#audit_timeout(payloads, opts = {}) ⇒ Object
Audits elements using timing attacks and automatically logs results.
- #audited(id) ⇒ Object
-
#audited?(id) ⇒ Bool
true
if audited,false
otherwise. -
#buffered_audit(payloads, opts = {}, &block) ⇒ Object
Calls Element::Capabilities::Auditable#buffered_audit for every element.
-
#each_candidate_dom_element {|element| ... } ⇒ Object
Passes each element prepared for audit to the block.
-
#each_candidate_element {|element| ... } ⇒ Object
Passes each element prepared for audit to the block.
- #http ⇒ HTTP::Client
- #initialize(page, framework) ⇒ Object
-
#log(options) ⇒ Issue
Populates and logs an Issue.
-
#log_issue(options) ⇒ Issue
Helper method for issue logging.
-
#log_remote_file(page_or_response, silent = false, options = {}) ⇒ Issue
(also: #log_remote_directory)
Logs the existence of a remote file as an issue.
-
#log_remote_file_if_exists(url, silent = false, options = {}, &block) ⇒ Object
(also: #log_remote_directory_if_exists)
Logs a remote file or directory if it exists.
-
#match_and_log(patterns, &block) ⇒ Object
Matches an array of regular expressions against a string and logs the result as an issue.
- #max_issues ⇒ Object
- #preferred ⇒ Object abstract
-
#skip?(element) ⇒ Boolean
This is called right before an Element is audited and is used to determine whether to skip it or not.
-
#trace_taint(resource, options = {}, &block) ⇒ Object
Traces the taint in the given
resource
and passes each page to theblock
. - #with_browser(*args, &block) ⇒ Object
- #with_browser_cluster(&block) ⇒ Object
Instance Attribute Details
#framework ⇒ Arachni::Framework (readonly)
317 318 319 |
# File 'lib/arachni/check/auditor.rb', line 317 def framework @framework end |
#page ⇒ Arachni::Page (readonly)
Returns Page object to be audited.
314 315 316 |
# File 'lib/arachni/check/auditor.rb', line 314 def page @page end |
Class Method Details
.has_timeout_candidates? ⇒ Boolean
43 44 45 |
# File 'lib/arachni/check/auditor.rb', line 43 def self.has_timeout_candidates? Element::Capabilities::Analyzable.has_timeout_candidates? end |
.reset ⇒ Object
39 40 41 |
# File 'lib/arachni/check/auditor.rb', line 39 def self.reset audited.clear end |
.timeout_audit_run ⇒ Object
46 47 48 |
# File 'lib/arachni/check/auditor.rb', line 46 def self.timeout_audit_run Element::Capabilities::Analyzable.timeout_audit_run end |
Instance Method Details
#audit(payloads, opts = {}, &block) ⇒ Object
If a block has been provided it calls Element::Capabilities::Auditable#audit for every element, otherwise, it defaults to #audit_signature.
Uses #each_candidate_element to decide which elements to audit.
566 567 568 569 570 571 572 573 574 575 |
# File 'lib/arachni/check/auditor.rb', line 566 def audit( payloads, opts = {}, &block ) if !block_given? audit_signature( payloads, opts ) else each_candidate_element do |e| e.audit( payloads, opts, &block ) audited( e.coverage_id ) end end end |
#audit_differential(opts = {}, &block) ⇒ Object
Audits elements using differential analysis and automatically logs results.
Uses #each_candidate_element to decide which elements to audit.
608 609 610 611 612 613 |
# File 'lib/arachni/check/auditor.rb', line 608 def audit_differential( opts = {}, &block ) each_candidate_element do |e| e.differential_analysis( opts, &block ) audited( e.coverage_id ) end end |
#audit_signature(payloads, opts = {}) ⇒ Object
Provides easy access to element auditing using simple signature analysis and automatically logs results.
Uses #each_candidate_element to decide which elements to audit.
596 597 598 599 600 601 |
# File 'lib/arachni/check/auditor.rb', line 596 def audit_signature( payloads, opts = {} ) each_candidate_element do |e| e.signature_analysis( payloads, opts ) audited( e.coverage_id ) end end |
#audit_timeout(payloads, opts = {}) ⇒ Object
Audits elements using timing attacks and automatically logs results.
Uses #each_candidate_element to decide which elements to audit.
620 621 622 623 624 625 |
# File 'lib/arachni/check/auditor.rb', line 620 def audit_timeout( payloads, opts = {} ) each_candidate_element do |e| e.timeout_analysis( payloads, opts ) audited( e.coverage_id ) end end |
#audited(id) ⇒ Object
54 55 56 |
# File 'lib/arachni/check/auditor.rb', line 54 def audited( id ) Auditor.audited << "#{self.class}-#{id}" end |
#audited?(id) ⇒ Bool
Returns true
if audited, false
otherwise.
65 66 67 |
# File 'lib/arachni/check/auditor.rb', line 65 def audited?( id ) Auditor.audited.include?( "#{self.class}-#{id}" ) end |
#buffered_audit(payloads, opts = {}, &block) ⇒ Object
Calls Element::Capabilities::Auditable#buffered_audit for every element.
Uses #each_candidate_element to decide which elements to audit.
583 584 585 586 587 588 |
# File 'lib/arachni/check/auditor.rb', line 583 def buffered_audit( payloads, opts = {}, &block ) each_candidate_element do |e| e.buffered_audit( payloads, opts, &block ) audited( e.coverage_id ) end end |
#each_candidate_dom_element {|element| ... } ⇒ Object
Passes each element prepared for audit to the block.
It will use the elements from the check's Base.info hash. If no elements have been specified it will use DOM_ELEMENTS_WITH_INPUTS.
525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 |
# File 'lib/arachni/check/auditor.rb', line 525 def each_candidate_dom_element( &block ) types = self.class.elements types = DOM_ELEMENTS_WITH_INPUTS if types.empty? types.each do |elem| elem = elem.type next if !Options.audit.elements?( elem.to_s.gsub( '_dom', '' ) ) case elem when Element::Link::DOM.type prepare_each_dom_element( page.links, &block ) when Element::Form::DOM.type prepare_each_dom_element( page.forms, &block ) when Element::Cookie::DOM.type prepare_each_dom_element( page., &block ) when Element::LinkTemplate::DOM.type prepare_each_dom_element( page.link_templates, &block ) when Element::UIInput::DOM.type prepare_each_dom_element( page.ui_inputs, &block ) when Element::UIForm::DOM.type prepare_each_dom_element( page.ui_forms, &block ) else fail ArgumentError, "Unknown DOM element: #{elem}" end end end |
#each_candidate_element {|element| ... } ⇒ Object
Passes each element prepared for audit to the block.
It will use the elements from the check's Base.info hash. If no elements have been specified it will use ELEMENTS_WITH_INPUTS.
477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 |
# File 'lib/arachni/check/auditor.rb', line 477 def each_candidate_element( &block ) types = self.class.elements types = ELEMENTS_WITH_INPUTS if types.empty? types.each do |elem| elem = elem.type next if !Options.audit.elements?( elem ) case elem when Element::Link.type prepare_each_element( page.links, &block ) when Element::Form.type prepare_each_element( page.forms, &block ) when Element::Cookie.type prepare_each_element(page., &block ) when Element::NestedCookie.type prepare_each_element(page., &block ) when Element::Header.type prepare_each_element( page.headers, &block ) when Element::LinkTemplate.type prepare_each_element( page.link_templates, &block ) when Element::JSON.type prepare_each_element( page.jsons, &block ) when Element::XML.type prepare_each_element( page.xmls, &block ) else fail ArgumentError, "Unknown element: #{elem}" end end end |
#http ⇒ HTTP::Client
327 328 329 |
# File 'lib/arachni/check/auditor.rb', line 327 def http HTTP::Client end |
#initialize(page, framework) ⇒ Object
321 322 323 324 |
# File 'lib/arachni/check/auditor.rb', line 321 def initialize( page, framework ) @page = page @framework = framework end |
#log(options) ⇒ Issue
Populates and logs an Issue.
420 421 422 |
# File 'lib/arachni/check/auditor.rb', line 420 def log( ) self.class.log( .merge( referring_page: @page ) ) end |
#log_issue(options) ⇒ Issue
Helper method for issue logging.
410 411 412 |
# File 'lib/arachni/check/auditor.rb', line 410 def log_issue( ) self.class.log_issue( .merge( referring_page: @page ) ) end |
#log_remote_file(response, silent = false) ⇒ Issue #log_remote_file(page, silent = false) ⇒ Issue Also known as: log_remote_directory
Logs the existence of a remote file as an issue.
386 387 388 389 390 391 392 393 394 395 396 397 398 399 |
# File 'lib/arachni/check/auditor.rb', line 386 def log_remote_file( page_or_response, silent = false, = {} ) page = page_or_response.is_a?( Page ) ? page_or_response : page_or_response.to_page issue = log_issue({ vector: Element::Server.new( page.url ), proof: page.response.status_line, page: page }.merge( )) print_ok( "Found #{page.url}" ) if !silent issue end |
#log_remote_file_if_exists(url, silent = false, options = {}, &block) ⇒ Object Also known as: log_remote_directory_if_exists
Ignores custom 404 responses.
Logs a remote file or directory if it exists.
349 350 351 352 |
# File 'lib/arachni/check/auditor.rb', line 349 def log_remote_file_if_exists( url, silent = false, = {}, &block ) @server ||= Element::Server.new( page.url ).tap { |s| s.auditor = self } @server.log_remote_file_if_exists( url, silent, , &block ) end |
#match_and_log(patterns, &block) ⇒ Object
Matches an array of regular expressions against a string and logs the result as an issue.
364 365 366 367 |
# File 'lib/arachni/check/auditor.rb', line 364 def match_and_log( patterns, &block ) @body ||= Element::Body.new( self.page.url ).tap { |b| b.auditor = self } @body.match_and_log( patterns, &block ) end |
#max_issues ⇒ Object
283 284 285 |
# File 'lib/arachni/check/auditor.rb', line 283 def max_issues self.class.max_issues end |
#preferred ⇒ Object
427 428 429 |
# File 'lib/arachni/check/auditor.rb', line 427 def preferred [] end |
#skip?(element) ⇒ Boolean
This is called right before an Element is audited and is used to determine whether to skip it or not.
Running checks can override this as they wish but at their own peril.
442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 |
# File 'lib/arachni/check/auditor.rb', line 442 def skip?( element ) # This method also gets called from Auditable#audit to check mutations, # don't touch these, we're filtering at a higher level here, otherwise # we might mess up the audit. return true if !element.mutation? && audited?( element.coverage_id ) return true if !page.audit_element?( element ) # Don't audit elements which have been already logged as vulnerable # either by us or preferred checks. (preferred | [shortname]).each do |check| next if !framework.checks.include?( check ) klass = framework.checks[check] next if !klass.info.include?(:issue) # No point in doing the following heavy deduplication check if there # are no issues logged to begin with. next if klass.issue_counter == 0 if Data.issues.include?( klass.create_issue( vector: element ) ) return true end end false end |
#trace_taint(resource, options = {}, &block) ⇒ Object
Traces the taint in the given resource
and passes each page to the
block
.
638 639 640 641 642 643 644 |
# File 'lib/arachni/check/auditor.rb', line 638 def trace_taint( resource, = {}, &block ) with_browser_cluster do |cluster| cluster.trace_taint( resource, ) do |result| block.call( result.page ) end end end |
#with_browser(*args, &block) ⇒ Object
Operates in non-blocking mode.
660 661 662 663 |
# File 'lib/arachni/check/auditor.rb', line 660 def with_browser( *args, &block ) with_browser_cluster { |cluster| cluster.with_browser( *args, &block ) } true end |
#with_browser_cluster(&block) ⇒ Object
648 649 650 651 652 |
# File 'lib/arachni/check/auditor.rb', line 648 def with_browser_cluster( &block ) return if !browser_cluster block.call browser_cluster true end |