Module: Arachni::Element::Capabilities::Auditable::Taint

Included in:
Arachni::Element::Capabilities::Auditable
Defined in:
lib/arachni/element/capabilities/auditable/taint.rb

Overview

Looks for specific substrings or patterns in response bodies.

Author:

Constant Summary

TAINT_OPTIONS =
{
    #
    # The regular expression to match against the response body.
    #
    # Alternatively, you can use the :substring option.
    #
    regexp:    nil,

    #
    # Verify the matched string with this value when using a regexp.
    #
    match:     nil,

    #
    # The substring to look for in the response body.
    #
    # Alternatively, you can use the :regexp option.
    #
    substring: nil,

    #
    # Array of patterns to ignore.
    #
    # Useful when needing to narrow down what to log without
    # having to construct overly complex match regexps.
    #
    ignore:    nil
}

Instance Method Summary

Instance Method Details

#taint_analysis(seed, opts = { }) ⇒ Object

Performs taint analysis and logs an issue should there be one.

It logs an issue when:

  • :match == nil AND :regexp matches the response body

  • :match != nil AND the string matched by :regexp == :match

  • :substring exists in the response body

Parameters:



# File 'lib/arachni/element/capabilities/auditable/taint.rb', line 66

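def taint_analysis( seed, opts = { } )
    # Caller options override the taint defaults, which override the class-wide OPTIONS.
    opts = self.class::OPTIONS.merge( TAINT_OPTIONS.merge( opts ) )
    # With neither :regexp nor :substring given, look for the seed itself.
    opts[:substring] = seed if !opts[:regexp] && !opts[:substring]
    # Audit with the seed and run the match check on each response.
    audit( seed, opts ) { |res, c_opts| get_matches( res, c_opts ) }
end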
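
The logging conditions listed above, together with the seed fallback and the :ignore option, sketched as a standalone function. This is an added example, not Arachni's own get_matches code: taint_hits and TAINT_DEFAULTS are hypothetical names, the response bodies are constructed, and the :ignore behaviour (any ignore pattern matching the body suppresses logging) is an assumption.

```ruby
# Added illustration (not Arachni's own code); taint_hits and TAINT_DEFAULTS
# are hypothetical names. Sample bodies below are constructed.
TAINT_DEFAULTS = { regexp: nil, match: nil, substring: nil, ignore: nil }.freeze

# Returns the strings that would cause an issue to be logged for +body+.
def taint_hits(body, seed, opts = {})
  opts = TAINT_DEFAULTS.merge(opts)
  # Same fallback as taint_analysis: with no pattern given, look for the seed.
  opts[:substring] = seed if !opts[:regexp] && !opts[:substring]

  # Assumption: a body matching any :ignore pattern is never logged.
  return [] if Array(opts[:ignore]).any? { |pat| body.match?(pat) }

  hits = []
  hits << opts[:substring] if opts[:substring] && body.include?(opts[:substring])

  if (re = opts[:regexp])
    pos = 0
    while (m = re.match(body, pos))
      # With :match set, the matched string must equal it exactly.
      hits << m[0] if opts[:match].nil? || m[0] == opts[:match]
      # Step past zero-width matches so the loop always advances.
      pos = m.end(0) > m.begin(0) ? m.end(0) : m.end(0) + 1
    end
  end
  hits.uniq
end

REFLECTED = '<p>No results for taint_7f3a</p>'          # constructed body
NUMBERED  = '<li>marker_41</li><li>marker_42</li>'      # constructed body

p taint_hits(REFLECTED, 'taint_7f3a')                   # seed used as substring
p taint_hits(NUMBERED, 'seed', regexp: /marker_\d+/)    # :match == nil
p taint_hits(NUMBERED, 'seed', regexp: /marker_\d+/, match: 'marker_42')
p taint_hits(NUMBERED, 'seed', regexp: /marker_\d+/, ignore: [/<li>/])
```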