Class: Arachni::Browser::Javascript
Includes: UI::Output, Utilities
Defined in:
- lib/arachni/browser/javascript.rb
- lib/arachni/browser/javascript/proxy.rb
- lib/arachni/browser/javascript/dom_monitor.rb
- lib/arachni/browser/javascript/taint_tracer.rb
- lib/arachni/browser/javascript/taint_tracer/frame.rb
- lib/arachni/browser/javascript/taint_tracer/sink/base.rb
- lib/arachni/browser/javascript/taint_tracer/sink/data_flow.rb
- lib/arachni/browser/javascript/taint_tracer/sink/execution_flow.rb
- lib/arachni/browser/javascript/taint_tracer/frame/called_function.rb
Overview
Provides access to the Arachni::Browser's JavaScript environment; mainly helps group and organize functionality related to our custom JavaScript interfaces.
Defined Under Namespace
Classes: DOMMonitor, Proxy, TaintTracer
Constant Summary
- SCRIPT_BASE_URL = 'http://javascript.browser.arachni/'
  URL to use when requesting our custom JS scripts.
- SCRIPT_LIBRARY = "#{File.dirname( __FILE__ )}/javascript/scripts/"
  Filesystem directory containing the JS scripts.
- NO_EVENTS_FOR_ELEMENTS = Set.new([ :base, :bdo, :br, :head, :html, :iframe, :meta, :param, :script, :style, :title, :link ])
- GLOBAL_EVENTS = [ :onclick, :ondblclick, :onmousedown, :onmousemove, :onmouseout, :onmouseover, :onmouseup ]
  Events that apply to all elements.
- EVENTS_PER_ELEMENT =
  Special events for each element.
  {
      body:     [ :onload ],
      form:     [ :onsubmit, :onreset ],
      # These need to be covered via Watir's API, #send_keys etc.
      input:    [ :onselect, :onchange, :onfocus, :onblur, :onkeydown, :onkeypress, :onkeyup, :oninput ],
      # These need to be covered via Watir's API, #send_keys etc.
      textarea: [ :onselect, :onchange, :onfocus, :onblur, :onkeydown, :onkeypress, :onkeyup, :oninput ],
      select:   [ :onchange, :onfocus, :onblur ],
      button:   [ :onfocus, :onblur ],
      label:    [ :onfocus, :onblur ]
  }
Instance Attribute Summary
- #custom_code ⇒ String
  Inject custom JS code right after the initialization of the custom JS interfaces.
- #dom_monitor ⇒ DOMMonitor (readonly)
  Proxy for the `DOMMonitor` JS interface.
- #taint ⇒ String
  Taint to look for and trace in the JS data flow.
- #taint_tracer ⇒ TaintTracer (readonly)
  Proxy for the `TaintTracer` JS interface.
- #token ⇒ String
  Token used to namespace the injected JS code and avoid clashes.
Class Method Summary
- .events ⇒ Object
Instance Method Summary
- #data_flow_sinks ⇒ Array<Sink::DataFlow>
  JS data flow sink data.
- #debug_stub(*args) ⇒ String
  JS code which will call the browser-side `TaintTracer.debug` JS function.
- #debugging_data ⇒ Object
- #dom_digest ⇒ String
  Digest of the current DOM tree (i.e. node names and their attributes, without text nodes).
- #dom_elements_with_events ⇒ Array<Hash>
  Information about all DOM elements, including any registered event listeners.
- #execution_flow_sinks ⇒ Array<Sink::ExecutionFlow>
  JS execution flow sink data.
- #flush_data_flow_sinks ⇒ Array<Sink::DataFlow>
  Returns and clears #data_flow_sinks.
- #flush_execution_flow_sinks ⇒ Array<Sink::ExecutionFlow>
  Returns and clears #execution_flow_sinks.
- #has_js_initializer?(response) ⇒ Bool
  `true` if the response HTTP::Message#body contains the code for the JS environment.
- #initialize(browser) ⇒ Javascript (constructor)
  A new instance of Javascript.
- #inject(response) ⇒ Bool
  `true` if injection was performed, `false` otherwise (in case our code is already present).
- #intervals ⇒ Array<Array>
  Arguments for JS `setInterval` calls.
- #log_data_flow_sink_stub(*args) ⇒ String
  JS code which will call the browser-side `TaintTracer.log_data_flow_sink` JS function.
- #log_execution_flow_sink_stub(*args) ⇒ String
  JS code which will call the browser-side `TaintTracer.log_execution_flow_sink` JS function.
- #ready? ⇒ Bool
  `true` if our custom JS environment has been initialized.
- #run(script) ⇒ Object
  Result of `script`.
- #serve(request, response) ⇒ Bool
  `true` if the request corresponded to a JS file and was served, `false` otherwise.
- #set_element_ids ⇒ Object
  Sets a custom ID attribute on elements with events but without a proper ID.
- #supported? ⇒ Bool
  `true` if there is support for our JS environment in the current page, `false` otherwise.
- #timeouts ⇒ Array<Array>
  Arguments for JS `setTimeout` calls.
- #wait_till_ready ⇒ Object
  Blocks until the browser page is ready.
Methods included from Utilities
#available_port, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_document, #cookies_from_file, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_document, #forms_from_response, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_document, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_path?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite
Methods included from UI::Output
#debug?, #debug_off, #debug_on, #disable_only_positives, #included, #mute, #muted?, #only_positives, #only_positives?, #print_bad, #print_debug, #print_debug_backtrace, #print_debug_level_1, #print_debug_level_2, #print_debug_level_3, #print_error, #print_error_backtrace, #print_exception, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #reroute_to_file, #reroute_to_file?, reset_output_options, #unmute, #verbose?, #verbose_on
Constructor Details
#initialize(browser) ⇒ Javascript
Returns a new instance of Javascript.
# File 'lib/arachni/browser/javascript.rb', line 126
def initialize( browser )
    @browser      = browser
    @taint_tracer = TaintTracer.new( self )
    @dom_monitor  = DOMMonitor.new( self )
end
Instance Attribute Details
#custom_code ⇒ String
Returns custom JS code to inject right after the initialization of the custom JS interfaces.
# File 'lib/arachni/browser/javascript.rb', line 111
def custom_code
    @custom_code
end
#dom_monitor ⇒ DOMMonitor (readonly)
Returns the proxy for the `DOMMonitor` JS interface.
# File 'lib/arachni/browser/javascript.rb', line 115
def dom_monitor
    @dom_monitor
end
#taint ⇒ String
Returns the taint to look for and trace in the JS data flow.
# File 'lib/arachni/browser/javascript.rb', line 106
def taint
    @taint
end
#taint_tracer ⇒ TaintTracer (readonly)
Returns the proxy for the `TaintTracer` JS interface.
# File 'lib/arachni/browser/javascript.rb', line 119
def taint_tracer
    @taint_tracer
end
#token ⇒ String
Returns the token used to namespace the injected JS code and avoid clashes.
# File 'lib/arachni/browser/javascript.rb', line 102
def token
    @token
end
Class Method Details
.events ⇒ Object
# File 'lib/arachni/browser/javascript.rb', line 121
def self.events
    GLOBAL_EVENTS | EVENTS_PER_ELEMENT.values.flatten.uniq
end
Instance Method Details
#data_flow_sinks ⇒ Array<Sink::DataFlow>
Returns JS data flow sink data.
# File 'lib/arachni/browser/javascript.rb', line 214
def data_flow_sinks
    return [] if !supported?
    taint_tracer.data_flow_sinks
end
#debug_stub(*args) ⇒ String
Returns JS code which will call the browser-side `TaintTracer.debug` JS function.
# File 'lib/arachni/browser/javascript.rb', line 176
def debug_stub( *args )
    taint_tracer.stub.function( :debug, *args )
end
#debugging_data ⇒ Object
# File 'lib/arachni/browser/javascript.rb', line 202
def debugging_data
    return [] if !supported?
    taint_tracer.debugging_data
end
#dom_digest ⇒ String
Returns a digest of the current DOM tree (i.e. node names and their attributes, without text nodes).
# File 'lib/arachni/browser/javascript.rb', line 240
def dom_digest
    return '' if !supported?
    dom_monitor.digest
end
#dom_elements_with_events ⇒ Array<Hash>
Returns information about all DOM elements, including any registered event listeners.
# File 'lib/arachni/browser/javascript.rb', line 247
def dom_elements_with_events
    return [] if !supported?

    dom_monitor.elements_with_events.map do |element|
        next if NO_EVENTS_FOR_ELEMENTS.include? element['tag_name'].to_sym

        attributes = element['attributes']
        element['events'] =
            element['events'].map { |event, fn| [event.to_sym, fn] } |
                (self.class.events.flatten.map(&:to_s) & attributes.keys).
                    map { |event| [event.to_sym, attributes[event]] }

        element
    end.compact
end
#execution_flow_sinks ⇒ Array<Sink::ExecutionFlow>
Returns JS execution flow sink data.
# File 'lib/arachni/browser/javascript.rb', line 208
def execution_flow_sinks
    return [] if !supported?
    taint_tracer.execution_flow_sinks
end
#flush_data_flow_sinks ⇒ Array<Sink::DataFlow>
Returns and clears #data_flow_sinks.
# File 'lib/arachni/browser/javascript.rb', line 226
def flush_data_flow_sinks
    return [] if !supported?
    taint_tracer.flush_data_flow_sinks
end
#flush_execution_flow_sinks ⇒ Array<Sink::ExecutionFlow>
Returns and clears #execution_flow_sinks.
# File 'lib/arachni/browser/javascript.rb', line 220
def flush_execution_flow_sinks
    return [] if !supported?
    taint_tracer.flush_execution_flow_sinks
end
#has_js_initializer?(response) ⇒ Bool
Returns `true` if the response HTTP::Message#body contains the code for the JS environment.
# File 'lib/arachni/browser/javascript.rb', line 150
def has_js_initializer?( response )
    response.body.include? js_initialization_signal
end
#inject(response) ⇒ Bool
Will update the `Content-Length` header field.
Returns `true` if injection was performed, `false` otherwise (in case our code is already present).
# File 'lib/arachni/browser/javascript.rb', line 310
def inject( response )
    return false if has_js_initializer?( response )

    body = response.body.dup

    # If we've got no taint to trace don't bother...
    if @taint
        # Schedule a tracer update at the beginning of each script block in order
        # to put our hooks into any newly introduced functions.
        #
        # The fact that our update call seems to be taking place before any
        # functions get the chance to be defined doesn't seem to matter.
        body.gsub!(
            /<script(.*?)>/i,
            "\\0\n#{@taint_tracer.stub.function( :update_tracers )}; // Injected by #{self.class}\n"
        )

        # Also perform an update after each script block, this is for external
        # scripts.
        body.gsub!(
            /<\/script>/i,
            "\\0\n<script type=\"text/javascript\">#{@taint_tracer.stub.function( :update_tracers )}" <<
                "</script> <!-- Script injected by #{self.class} -->\n"
        )
    end

    response.body = <<-EOHTML
        <script src="#{script_url_for( :taint_tracer )}"></script> <!-- Script injected by #{self.class} -->
        <script>
            #{@taint_tracer.stub.function( :initialize, @taint )}
        </script> <!-- Script injected by #{self.class} -->

        <script src="#{script_url_for( :dom_monitor )}"></script> <!-- Script injected by #{self.class} -->
        <script>
            #{@dom_monitor.stub.function( :initialize )};
            #{js_initialization_signal};

            #{custom_code}
        </script> <!-- Script injected by #{self.class} -->

        #{body}
    EOHTML

    response.headers['content-length'] = response.body.bytesize
    true
end
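As an added, stand-alone model (not Arachni's own code) of what `inject` and `has_js_initializer?` do together: mark the body with an initialization signal so injection is idempotent, wrap every script block with tracer-update hooks when a taint is set, and recompute Content-Length. `Response`, `TOKEN`, `SIGNAL` and `UPDATE` are assumed stand-ins for the real browser, token and JS stub objects.

```ruby
# Added stand-alone model of the instrumentation step; not Arachni's code.
# Response, TOKEN, SIGNAL and UPDATE are assumptions standing in for the
# real HTTP::Response, Javascript#token and TaintTracer stub calls.
Response = Struct.new(:body, :headers)

TOKEN  = 'deadbeef'                                  # constructed token
SIGNAL = "window._#{TOKEN} = true"                   # initialization signal
UPDATE = "_#{TOKEN}_taint_tracer.update_tracers()"   # tracer re-hook call

# Mirrors has_js_initializer?: the signal marks a body as already instrumented.
def instrumented?(response)
  response.body.include?(SIGNAL)
end

# Instruments `response` in place. Returns true on injection, false when the
# body already carries the initialization signal (so the call is idempotent).
def inject(response, taint: nil)
  return false if instrumented?(response)

  body = response.body.dup
  if taint
    # Re-hook at the start of every script block (catches newly defined functions)...
    body.gsub!(/<script(.*?)>/i, "\\0\n#{UPDATE}; // injected\n")
    # ...and after each block, so functions defined by external scripts get hooked.
    body.gsub!(%r{</script>}i, "\\0\n<script>#{UPDATE}</script>\n")
  end

  # The initializer must run before any page script, so it goes first.
  response.body = <<-EOHTML
    <script>#{SIGNAL};</script>
    #{body}
  EOHTML
  # The body grew, so a stale Content-Length would make the client truncate it.
  response.headers['content-length'] = response.body.bytesize
  true
end

# Number of tracer-update hooks present, to check that every block was covered.
def update_hook_count(response)
  response.body.scan(UPDATE).size
end

if __FILE__ == $0
  page = Response.new('<html><script src="a.js"></script><script>f()</script></html>', {})
  p inject(page, taint: 'x')   # => true
  p inject(page, taint: 'x')   # => false (already instrumented)
  p update_hook_count(page)    # => 4 (two hooks per script block)
end
```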
#intervals ⇒ Array<Array>
Returns arguments for JS `setInterval` calls.
# File 'lib/arachni/browser/javascript.rb', line 272
def intervals
    return [] if !supported?
    dom_monitor.intervals
end
#log_data_flow_sink_stub(*args) ⇒ String
Returns JS code which will call the browser-side `TaintTracer.log_data_flow_sink` JS function.
# File 'lib/arachni/browser/javascript.rb', line 170
def log_data_flow_sink_stub( *args )
    taint_tracer.stub.function( :log_data_flow_sink, *args )
end
#log_execution_flow_sink_stub(*args) ⇒ String
Returns JS code which will call the browser-side `TaintTracer.log_execution_flow_sink` JS function.
# File 'lib/arachni/browser/javascript.rb', line 163
def log_execution_flow_sink_stub( *args )
    taint_tracer.stub.function( :log_execution_flow_sink, *args )
end
#ready? ⇒ Bool
Returns `true` if our custom JS environment has been initialized.
# File 'lib/arachni/browser/javascript.rb', line 188
def ready?
    !!run( "return window._#{token}" ) rescue false
end
#run(script) ⇒ Object
Returns the result of `script`.
# File 'lib/arachni/browser/javascript.rb', line 197
def run( script )
    @browser.watir.execute_script script
end
#serve(request, response) ⇒ Bool
Returns `true` if the request corresponded to a JS file and was served, `false` otherwise.
# File 'lib/arachni/browser/javascript.rb', line 288
def serve( request, response )
    return false if !request.url.start_with?( SCRIPT_BASE_URL ) ||
        !(script = read_script( request.parsed_url.path ))

    response.code = 200
    response.body = script
    response.headers['content-type']   = 'text/javascript'
    response.headers['content-length'] = script.bytesize
    true
end
#set_element_ids ⇒ Object
Sets a custom ID attribute on elements with events but without a proper ID.
# File 'lib/arachni/browser/javascript.rb', line 232
def set_element_ids
    return '' if !supported?
    dom_monitor.setElementIds
end
#supported? ⇒ Bool
Returns `true` if there is support for our JS environment in the current page, `false` otherwise.
# File 'lib/arachni/browser/javascript.rb', line 137
def supported?
    # We won't have a response if the browser was steered towards an
    # out-of-scope resource.
    response = @browser.response
    response && has_js_initializer?( response )
end