Class: Arachni::Checks::Rfi

Inherits:

Arachni::Check::Base

• Object
• Arachni::Component::Base
• Arachni::Check::Base
• Arachni::Checks::Rfi

Defined in:

components/checks/active/rfi.rb

Overview

Simple Remote File Inclusion (and tutorial) check.

See Also:

• http://cwe.mitre.org/data/definitions/94.html
• http://projects.webappsec.org/Remote-File-Inclusion
• http://en.wikipedia.org/wiki/Remote_File_Inclusion

Author:

• Tasos "Zapotek" Laskos tasos.laskos@arachni-scanner.com

Constant Summary

Constants included from Arachni::Check::Auditor

Arachni::Check::Auditor::DOM_ELEMENTS_WITH_INPUTS, Arachni::Check::Auditor::ELEMENTS_WITH_INPUTS, Arachni::Check::Auditor::FILE_SIGNATURES, Arachni::Check::Auditor::FILE_SIGNATURES_PER_PLATFORM, Arachni::Check::Auditor::Format, Arachni::Check::Auditor::SOURCE_CODE_SIGNATURES_PER_PLATFORM

Constants included from Arachni

BANNER, Arachni::Cookie, Form, Header, JSON, Link, LinkTemplate, NestedCookie, Severity, UIForm, UIInput, VERSION, WEBSITE, WIKI, XML

Instance Attribute Summary

Attributes included from Arachni::Check::Auditor

#framework, #page

Class Method Summary

• .info ⇒ Object

  REQUIRED.

• .options ⇒ Object

  It's Framework convention to name the method which contains the audit options Rfi.options.

• .payloads ⇒ Object

  It's Framework convention to name the method which contains the strings to be injected Rfi.payloads.

Instance Method Summary

• #clean_up ⇒ Object

  OPTIONAL.

• #prepare ⇒ Object

  OPTIONAL.

• #run ⇒ Object

  REQUIRED.

Methods inherited from Arachni::Check::Base

#browser_cluster, elements, exempt_platforms, has_exempt_platforms?, has_platforms?, #initialize, platforms, #plugins, prefer, #preferred, preferred, #session, supports_platforms?

Methods included from Arachni::Check::Auditor

#audit, #audit_differential, #audit_signature, #audit_timeout, #audited, #audited?, #buffered_audit, #each_candidate_dom_element, #each_candidate_element, has_timeout_candidates?, #http, #initialize, #log, #log_issue, #log_remote_file, #log_remote_file_if_exists, #match_and_log, #max_issues, #preferred, reset, #skip?, timeout_audit_run, #trace_taint, #with_browser, #with_browser_cluster

Methods inherited from Arachni::Component::Base

author, description, fullname, #shortname, shortname, shortname=, version

Methods included from Arachni::Component::Output

#depersonalize_output, #depersonalize_output?, #intercept_print_message

Methods included from UI::Output

#caller_location, #debug?, #debug_level, #debug_level_1?, #debug_level_2?, #debug_level_3?, #debug_level_4?, #debug_off, #debug_on, #disable_only_positives, #error_buffer, #error_log_fd, #error_logfile, #has_error_log?, #included, #log_error, #mute, #muted?, #only_positives, #only_positives?, #print_bad, #print_debug, #print_debug_backtrace, #print_debug_exception, #print_debug_level_1, #print_debug_level_2, #print_debug_level_3, #print_debug_level_4, #print_error, #print_error_backtrace, #print_exception, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #reroute_to_file, #reroute_to_file?, reset_output_options, #set_error_logfile, #unmute, #verbose?, #verbose_off, #verbose_on

Methods included from Arachni::Component::Utilities

#read_file

Methods included from Utilities

#available_port, available_port_mutex, #bytes_to_kilobytes, #bytes_to_megabytes, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_file, #cookies_from_parser, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_parser, #forms_from_response, #full_and_absolute_url?, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_parser, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #regexp_array_match, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_path?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite

Methods included from Arachni

URI, collect_young_objects, #get_long_win32_filename, jruby?, null_device, profile?, windows?

Constructor Details

This class inherits a constructor from Arachni::Check::Base

Class Method Details

.info ⇒ Object

REQUIRED

Do not omit any of the info.

# File 'components/checks/active/rfi.rb', line 92

def self.info
    {
        name:        'Remote File Inclusion',
        description: %q{
Injects a remote URL in all available inputs and checks for relevant content in
the HTTP response body.
},

        # Arachni needs to know what elements the check plans to audit
        # before invoking it. If a page doesn't have any of those elements
        # there's no point in running the check.
        #
        # If you want the check to run no-matter what, leave the array
        # empty or don't define it at all.
        elements:    ELEMENTS_WITH_INPUTS - [Element::LinkTemplate],
        author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
        version:     '0.3.2',

        issue:       {
            name:        %q{Remote File Inclusion},
            description:     %q{
Web applications occasionally use parameter values to store the location of a file
which will later be required by the server.

An example of this is often seen in error pages, where the actual file path for
the error page is stored in a parameter value -- for example `example.com/error.php?page=404.php`.

A remote file inclusion occurs when the parameter value (ie. path to file being
called by the server) can be substituted with the address of remote resource --
for example: `yoursite.com/error.asp?page=http://anothersite.com/somethingBad.php`

In some cases, the server will process the fetched resource; therefore,
if the resource contains server-side code matching that of the framework being
used (ASP, PHP, JSP, etc.), it is probable that the resource will be executed
as if it were part of the web application.

Arachni discovered that it was possible to substitute a parameter value with an
external resource and have the server fetch it and include its contents in the response.
},
            references:  {
                'WASC'      => 'http://projects.webappsec.org/Remote-File-Inclusion',
                'Wikipedia' => 'http://en.wikipedia.org/wiki/Remote_File_Inclusion'
            },
            tags:       %w(remote file inclusion injection regexp),
            cwe:        94,

            # Severity can be:
            #
            # Severity::HIGH
            # Severity::MEDIUM
            # Severity::LOW
            # Severity::INFORMATIONAL
            severity:        Severity::HIGH,
            remedy_guidance: %q{
It is recommended that untrusted data is never used to form a file location to
be included.

To validate data, the application should ensure that the supplied value for a file
is permitted. This can be achieved by performing whitelisting on the parameter
value, by matching it against a list of permitted files. If the supplied value
does not match any value in the whitelist, then the server should redirect to a
standard error page.

In some scenarios, where dynamic content is being requested, it may not be possible
to perform validation against a list of trusted resources, therefore the list must
also become dynamic (updated as the files change), or perform filtering to remove
extraneous user input (such as semicolons, periods etc.) and only permit `a-z0-9`.

It is also advised that sensitive files are not stored within the web root and
that the user permissions enforced by the directory are correct.
}
        }
    }
end

.options ⇒ Object

It's Framework convention to name the method which contains the audit options options.

# File 'components/checks/active/rfi.rb', line 58

def self.options
    @options ||= {
        signatures: '705cd559b16e6946826207c2199bd890',
        submit:     {
            follow_location: false
        }
    }
end

.payloads ⇒ Object

It's Framework convention to name the method which contains the strings to be injected payloads.

# File 'components/checks/active/rfi.rb', line 46

def self.payloads
    @payloads ||= [
        'hTtP://tests.arachni-scanner.com/rfi.md5.txt',
        'http://tests.arachni-scanner.com/rfi.md5.txt',
        'tests.arachni-scanner.com/rfi.md5.txt'
    ]
end

Instance Method Details

#clean_up ⇒ Object

OPTIONAL

This is called after #run has finished executing and it allows you to clean up after yourself.

# File 'components/checks/active/rfi.rb', line 83

def clean_up
    print_debug 'In #clean_up'
end

#prepare ⇒ Object

OPTIONAL

Gets called before any other method, right after initialization. It provides you with a way to setup your check's dynamic data.

# File 'components/checks/active/rfi.rb', line 24

def prepare
    #
    # You can use #print_debug for debugging.
    # Don't over-do it though, debugging messages are supposed to be helpful
    # so don't flood the output.
    #
    # Debugging output will only appear if "--debug" is enabled.
    #
    print_debug 'In #prepare'
end

#run ⇒ Object

REQUIRED

This is used to deliver the check's payload, whatever it may be.

# File 'components/checks/active/rfi.rb', line 72

def run
    print_debug 'In #run'
    audit self.class.payloads, self.class.options
end