Class: Arachni::Parser

Inherits:
Object
Includes:
Module::Utilities
Defined in:
lib/parser/parser.rb,
lib/parser/page.rb,
lib/parser/elements.rb

Overview

Analyzer class

Analyzes HTML code extracting forms, links and cookies depending on user opts.

It grabs all element attributes, not just URLs and variables. All URLs are converted to absolute and URLs outside the domain are ignored.

Forms

Form analysis uses both regular expressions and the Nokogiri parser in order to be able to handle badly written HTML code, such as unclosed tags and tag overlaps.

In order to ease audits, in addition to parsing forms into data structures like “select” and “option”, all auditable inputs are put under the “auditable” key.

Links are extracted using the Nokogiri parser.

Cookies

Cookies are extracted from the HTTP headers and parsed by WEBrick::Cookie

@author: Tasos “Zapotek” Laskos

<[email protected]>
<[email protected]>

@version: 0.2

Defined Under Namespace

Modules: Element Classes: Page

Instance Attribute Summary

Instance Method Summary

Methods included from Module::Utilities

#exception_jail, #get_path, #normalize_url, #read_file, #seed

Constructor Details

#initialize(opts, res) ⇒ Parser

Constructor. Instantiates the Analyzer class with user options.

Parameters:



# File 'lib/parser/parser.rb', line 68

#
# Instantiates the analyzer with the user options and the HTTP response
# whose effective URL, body and headers are to be analyzed.
#
# @param    [Options]   opts    user options
# @param    [#effective_url, #body, #headers_hash]  res
#                               response object; only these three readers are used
#
def initialize( opts, res )
    @opts = opts

    # everything the analyzer needs from the response is captured up front
    @url, @html, @response_headers =
        res.effective_url, res.body, res.headers_hash
end

Instance Attribute Details

#opts ⇒ Options (readonly)

Options instance

Returns:



# File 'lib/parser/parser.rb', line 60

#
# Options instance the analyzer was created with.
#
# @return   [Options]
#
def opts
  @opts
end

#url ⇒ String

Returns the url of the page.

Returns:

  • (String)

    the url of the page



# File 'lib/parser/parser.rb', line 53

#
# URL of the page being analyzed (the response's effective URL).
#
# @return   [String]
#
def url
  @url
end

Instance Method Details

#cookies ⇒ Array<Element::Cookie>

Extracts cookies from the HTTP headers

Parameters:

  • headers (String)

    HTTP headers

  • html (String)

    the HTML code of the page

Returns:



# File 'lib/parser/parser.rb', line 343

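#
# Extracts cookies set by the page, from <meta http-equiv="Set-Cookie">
# tags in the HTML and from the Set-Cookie response headers.
#
# Values equal to the scanner's seed are skipped and the quoting characters
# WEBrick leaves in attribute values are removed.
#
# @return   [Array<Element::Cookie>]
#
def cookies
    cookies_arr = []

    # cookies declared in the document itself
    begin
        doc.search( "//meta[@http-equiv]" ).each {
            |elem|
            next if elem['http-equiv'].to_s.downcase != 'set-cookie'

            # only the leading "name=value" pair is kept, attributes after ';' are dropped
            pair = elem['content'].to_s.split( ';' )[0]
            next if !pair

            k, v = pair.split( '=', 2 )
            cookies_arr << Element::Cookie.new( @url, { 'name' => k, 'value' => v } )
        }
    rescue StandardError
        # best effort: an unparsable document just contributes no meta cookies
    end

    # cookies set by the response headers; both key spellings are consulted
    # because the header hash may carry either
    parsed = []
    begin
        ['Set-Cookie', 'set-cookie'].each {
            |key|
            raw = @response_headers[key]
            next if !raw
            parsed.concat( WEBrick::Cookie.parse_set_cookies( raw.to_s ) )
        }
    rescue StandardError
        return cookies_arr
    end

    parsed.uniq.each {
        |cookie|
        attrs = {}

        cookie.instance_variables.each {
            |var|
            value = cookie.instance_variable_get( var ).to_s.strip
            val   = value.gsub( /[\"\\\[\]]/, '' )

            next if val == seed
            attrs[normalize_name( var )] = val
        }

        # appended rather than indexed from 0, so the meta cookies collected
        # above are not overwritten by the header cookies
        cookies_arr << Element::Cookie.new( @url, attrs )
    }

    cookies_arr
end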

#doc ⇒ Object



# File 'lib/parser/parser.rb', line 125

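#
# Lazily parses the page body with Nokogiri and memoizes the document.
#
# @return   [Nokogiri::HTML::Document, nil]   nil when there is no body or
#                                             parsing raised
#
def doc
    return @doc if @doc
    return nil if !@html

    begin
        @doc = Nokogiri::HTML( @html )
    rescue StandardError
        # explicit rescue instead of the `... rescue nil` modifier, which hid
        # every error on the line; a parse failure still yields no document
        nil
    end
end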

#exclude?(url) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/parser/parser.rb', line 489

#
# Checks the URL against the user supplied exclusion patterns.
#
# @param    [String, URI]   url
#
# @return   [Bool]  true if any exclusion pattern matches, false otherwise
#
def exclude?( url )
    target = url.to_s
    @opts.exclude.any? { |pattern| target =~ pattern }
end

#extract_domain(url) ⇒ String

Extracts the domain from a URI object

Parameters:

  • url (URI)

Returns:



# File 'lib/parser/parser.rb', line 478

#
# Extracts the domain from a URI object.
#
# @param    [URI]   url
#
# @return   [String, Bool]  the last two host labels joined with '.',
#                           true when the host has a single label,
#                           false when the URI has no host at all
#
def extract_domain( url )
    host = url.host
    return false if !host

    labels = host.split( /\./ )
    return true if labels.length == 1

    labels[-2] + '.' + labels[-1]
end

#forms(html = nil) ⇒ Array<Element::Form>

TODO: Add support for radio buttons.

Extracts forms from HTML document

Parameters:

  • html (String) (defaults to: nil)

Returns:

See Also:

  • #form_attrs
  • #form_textareas
  • #form_selects
  • #form_inputs
  • #merge_select_with_input


# File 'lib/parser/parser.rb', line 227

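#
# Extracts forms from HTML document.
#
# TODO: Add support for radio buttons.
#
# @param    [String]    html    HTML to analyze, defaults to the page body
#
# @return   [Array<Element::Form>]  forms inside the target domain that
#                                   carry at least one auditable input
#
# @see #form_attrs
# @see #form_textareas
# @see #form_selects
# @see #form_inputs
# @see #merge_select_with_input
#
def forms( html = nil )
    elements = []

    begin
        # work on an unfrozen copy, the closed forms are cut out of it below
        html = ( html || @html ).dup
        #
        # This imitates Firefox's behavior when it comes to
        # broken/unclosed form tags
        #

        # get properly closed forms
        forms = html.scan( /<form(.*?)<\/form>/ixm ).flatten

        # now remove them from html...
        forms.each { |form| html.gsub!( form, '' ) }

        # and get unclosed forms.
        forms |= html.scan( /<form (.*)(?!<\/form>)/ixm ).flatten
    rescue StandardError
        # unscannable input (e.g. a nil body) yields no forms
        return elements
    end

    forms.each {
        |form|
        # attribute parsing may fail on malformed markup; fall back to an
        # empty set instead of indexing into nil
        attrs = form_attrs( form ) || {}

        # a form without an action posts back to the page itself
        action = attrs['action'] || @url.to_s
        # URI.escape/URI.encode were removed in Ruby 3.0; DEFAULT_PARSER.escape
        # is what they delegated to
        action = URI::DEFAULT_PARSER.escape( action )
        attrs['action'] = to_absolute( action ).to_s

        attrs['method'] = attrs['method'] ? attrs['method'].downcase : 'post'

        # forms posting outside the target domain are out of scope; an action
        # that does not even parse as a URI is skipped rather than aborting
        # the whole extraction
        begin
            next if !in_domain?( URI.parse( URI::DEFAULT_PARSER.escape( attrs['action'] ) ) )
        rescue URI::InvalidURIError
            next
        end

        element = {
            'attrs'    => attrs,
            'textarea' => form_textareas( form ),
            'select'   => form_selects( form ),
            'input'    => form_inputs( form )
        }

        # merge the form elements to make auditing easier
        element['auditable'] = merge_select_with_input(
            element['input'] | element['textarea'], element['select'] )

        elements << Element::Form.new( @url, element )
    }

    # forms with nothing to audit are of no use to the modules
    elements.reject { |form| form.auditable.empty? }
end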

#headers ⇒ Hash

Returns a list of valid auditable HTTP header fields.

It’s more of a placeholder method, it doesn’t actually analyze anything. It’s a long shot that any of these will be vulnerable but better safe than sorry.

Returns:

  • (Hash)

    HTTP header fields



# File 'lib/parser/parser.rb', line 193

#
# Returns a list of auditable HTTP header fields.
#
# Nothing is analyzed here; it is a fixed set of request headers, seeded
# with the user's authed_by/user_agent options and the page URL as referer.
#
# @return   [Array<Element::Header>]
#
def headers
    defaults = {
        'accept'          => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'accept-charset'  => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
        'accept-language' => 'en-gb,en;q=0.5',
        'accept-encoding' => 'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
        'from'            => @opts.authed_by || '',
        'user-agent'      => @opts.user_agent || '',
        'referer'         => @url,
        'pragma'          => 'no-cache'
    }

    # one Header element per field, each wrapping a single name => value pair
    defaults.map { |name, value| Element::Header.new( @url, { name => value } ) }
end

#in_domain?(uri) ⇒ Boolean

Returns true if uri is in the same domain as the page, returns false otherwise

Returns:

  • (Boolean)


# File 'lib/parser/parser.rb', line 461

#
# Returns true if uri is in the same domain as the page, false otherwise.
#
# With follow_subdomains enabled only the registrable part of the hosts
# (see #extract_domain) is compared, otherwise the full hosts must match.
#
# @param    [String, URI]   uri
#
# @return   [Bool]
#
def in_domain?( uri )
    target = URI.parse( normalize_url( uri.to_s ) )
    page   = @url.to_s

    if @opts.follow_subdomains
        return extract_domain( target ) == extract_domain( URI( page ) )
    end

    target.host == URI.parse( normalize_url( page ) ).host
end

#include?(url) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/parser/parser.rb', line 498

#
# Checks the URL against the user supplied inclusion patterns.
#
# @param    [String, URI]   url
#
# @return   [Bool]  true when no inclusion patterns were given or any of
#                   them matches, false otherwise
#
def include?( url )
    patterns = @opts.include
    return true if patterns.empty?

    target = url.to_s
    patterns.any? { |pattern| target =~ pattern }
end

Extracts variables and their values from a link

Parameters:

Returns:

  • (Hash)

    name=>value pairs

See Also:



# File 'lib/parser/parser.rb', line 402

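#
# Extracts variables and their values from a link's query string.
#
# @param    [String, URI]   link
#
# @return   [Hash]  name=>value pairs; {} when link is nil or has no query
#
def link_vars( link )
    return {} if !link

    # everything after the first '?' is the query string
    query = link.to_s.split( '?', 2 )[1]
    return {} if !query

    # the fragment is not part of the query and is never sent to the server
    query = query.sub( /#.*\z/m, '' )

    vars = {}
    query.split( '&' ).each {
        |pair|
        # "a=1&&b=2" style runs would otherwise register a nil name
        next if pair.empty?

        # split at the first '=' only, values may themselves contain '='
        name, value = pair.split( '=', 2 )

        # values carrying the scanner's own seed are not page data
        next if value == seed
        vars[name] = value
    }

    vars
end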

Extracts links from HTML document

Parameters:

Returns:

See Also:



# File 'lib/parser/parser.rb', line 312

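#
# Extracts links from HTML document.
#
# Only anchors whose (absolutized) href passes the include/exclude patterns
# and is inside the target domain are returned.
#
# @return   [Array<Element::Link>]
#
def links
    link_arr = []

    # plain each: the index yielded by each_with_index was never used
    elements_by_name( 'a' ).each {
        |link|
        href = to_absolute( link['href'] )
        link['href'] = href

        # to_absolute returns nil for hrefs it cannot resolve
        next if !href
        next if exclude?( href )
        next if !include?( href )
        next if !in_domain?( URI.parse( href ) )

        link['vars'] = link_vars( href )
        link_arr << Element::Link.new( @url, link )
    }

    link_arr
end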

#merge_with_cookiejar(cookies) ⇒ Array<Element::Cookie>

Merges ‘cookies’ with the cookiejar and returns it as an array

Parameters:

  • cookies (Array<Hash>)

Returns:



# File 'lib/parser/parser.rb', line 168

#
# Merges 'cookies' with the cookiejar and returns it as an array.
#
# The cookies array passed in is appended to in place and returned.
#
# @param    [Array<Element::Cookie>]    cookies
#
# @return   [Array<Element::Cookie>]
#
def merge_with_cookiejar( cookies )
    jar = @opts.cookies
    return cookies if !jar

    jar.each_pair {
        |name, value|
        cookies << Element::Cookie.new( @url, { 'name' => name, 'value' => value } )
    }

    cookies
end

#merge_with_cookiestore(cookies) ⇒ Object



# File 'lib/parser/parser.rb', line 130

#
# Merges 'cookies' into the cookie store kept across calls and returns the
# updated store.
#
# An empty store simply adopts the given array; otherwise both are folded
# into one name=>value map (later entries win) and rebuilt as Cookie elements.
#
# @param    [Array<Element::Cookie>]    cookies
#
# @return   [Array<Element::Cookie>]
#
def merge_with_cookiestore( cookies )
    @cookiestore ||= []

    if @cookiestore.empty?
        @cookiestore = cookies
        return @cookiestore
    end

    merged = {}
    [@cookiestore, cookies].each {
        |list|
        list.each { |cookie| merged.merge!( cookie.simple ) }
    }

    @cookiestore = merged.map {
        |name, value|
        Element::Cookie.new( @url, { 'name' => name, 'value' => value } )
    }
end

#run ⇒ Page

Runs the Analyzer and extracts forms, links and cookies

Returns:



# File 'lib/parser/parser.rb', line 81

#
# Runs the Analyzer and extracts forms, links and cookies.
#
# Non-text responses get an empty page straight away; for everything else
# the cookies are merged with the user supplied cookie jar and cookie store,
# and forms and links are extracted when the respective audit options are on.
#
# @return   [Page]
#
def run
    build_page = lambda {
        |page_headers, page_forms, page_links, page_cookies, page_jar|
        Page.new( {
            :url              => @url,
            :query_vars       => link_vars( @url ),
            :html             => @html,
            :headers          => page_headers,
            :response_headers => @response_headers,
            :forms            => page_forms,
            :links            => page_links,
            :cookies          => page_cookies,
            :cookiejar        => page_jar
        } )
    }

    # non text files won't contain any auditable elements
    type = Arachni::HTTP.content_type( @response_headers )
    if type.is_a?( String ) && !type.substring?( 'text' )
        return build_page.call( [], [], [], [], [] )
    end

    # merged before the cookie jar file is loaded into the options below,
    # so this first merge only sees cookies already present in the options
    cookies_arr = merge_with_cookiejar( cookies.flatten.uniq )

    # a cookie jar file, when given, replaces the cookies in the options
    jar = {}
    jar = @opts.cookies = Arachni::HTTP.parse_cookiejar( @opts.cookie_jar ) if @opts.cookie_jar

    # page cookies first, jar entries win on conflict
    preped = {}
    cookies_arr.each { |cookie| preped.merge!( cookie.simple ) }
    jar = preped.merge( jar )

    build_page.call(
        headers,
        @opts.audit_forms ? forms : [],
        @opts.audit_links ? links : [],
        merge_with_cookiestore( merge_with_cookiejar( cookies_arr ) ),
        jar
    )
end

#to_absolute(link) ⇒ String

Converts relative URL link into an absolute URL based on the location of the page

Parameters:

Returns:



# File 'lib/parser/parser.rb', line 429

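#
# Converts relative URL link into an absolute URL based on the location
# of the page.
#
# @param    [String]    link
#
# @return   [String, nil]   the absolute URL; nil when link is nil or cannot
#                           be resolved against the page URL
#
def to_absolute( link )
    begin
        # already absolute, hand it back untouched
        return link if URI.parse( link ).host
    rescue StandardError
        return nil if link.nil?
        # unparsable but non-nil: fall through and try to resolve it as relative
    end

    # remove anchor: everything from the first '#' onwards, not only
    # fragments made of [a-zA-Z0-9_-], since no fragment is ever sent
    # URI.encode was removed in Ruby 3.0; DEFAULT_PARSER.escape is what it
    # delegated to
    link = URI::DEFAULT_PARSER.escape( link.to_s.sub( /#.*\z/m, '' ) )

    begin
        relative = URI( link )
        base     = URI.parse( @url )

        absolute = base.merge( relative )
        absolute.path = '/' if absolute.path.empty?
    rescue StandardError
        return nil
    end

    absolute.to_s
end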