Module: Arachni::Check::Auditor

Included in:

Base

Defined in:

lib/arachni/check/auditor.rb

Overview

Included by Base and provides helper audit methods to all checks.

There are 3 main types of audit and analysis techniques available:

• Taint analysis – #audit

• Timeout analysis – #audit_timeout

• Differential analysis – #audit_differential

It should be noted that actual analysis takes place at the element level, and to be more specific, the Element::Capabilities::Auditable element level.

It also provides:

• Discovery helpers for checking and logging the existence of remote files.

  • #log_remote_file

  • #log_remote_file_if_exists

• Pattern matching helpers for checking and logging the existence of strings in responses or in the body of the page that’s being audited.

  • #match_and_log

• General Issue logging helpers.

  • #log

  • #log_issue

Author:

• Tasos “Zapotek” Laskos <tasos.laskos@arachni-scanner.com>

Constant Summary

Format =

Holds constant bitfields that describe the preferred formatting of injection strings.

Element::Capabilities::Mutable::Format

OPTIONS =

Default audit options.

{

    # Elements to audit.
    #
    # If no elements have been passed to audit methods, candidates will be
    # determined by {#each_candidate_element}.
    elements:     [Element::Link, Element::Form,
                    Element::Cookie, Element::Header,
                    Element::Body, Element::LinkTemplate],

    dom_elements: [Element::Link::DOM, Element::Form::DOM,
                   Element::Cookie::DOM, Element::LinkTemplate::DOM],

    # If set to `true` the HTTP response will be analyzed for new elements.
    # Be careful when enabling it, there'll be a performance penalty.
    #
    # If set to `false`, no training is going to occur.
    #
    # If set to `nil`, when the Auditor submits a form with original or
    # sample values this option will be overridden to `true`
    train:        nil
}

Instance Attribute Summary

• #framework ⇒ Arachni::Framework readonly
• #page ⇒ Arachni::Page readonly

  Page object to be audited.

Class Method Summary

• .has_timeout_candidates? ⇒ Boolean
• .included(m) ⇒ Object
• .reset ⇒ Object
• .timeout_audit_run ⇒ Object

Instance Method Summary

• #audit(payloads, opts = {}, &block) ⇒ Object

  If a block has been provided it calls Element::Capabilities::Auditable#audit for every element, otherwise, it defaults to #audit_taint.

• #audit_differential(opts = {}, &block) ⇒ Object

  Audits elements using differential analysis and automatically logs results.

• #audit_taint(payloads, opts = {}) ⇒ Object

  Provides easy access to element auditing using simple taint analysis and automatically logs results.

• #audit_timeout(payloads, opts = {}) ⇒ Object

  Audits elements using timing attacks and automatically logs results.

• #audited(id) ⇒ Object
• #audited?(id) ⇒ Bool

  ‘true` if audited, `false` otherwise.

• #each_candidate_dom_element(types = []) {|element| ... } ⇒ Object

  Passes each element prepared for audit to the block.

• #each_candidate_element(types = []) {|element| ... } ⇒ Object

  Passes each element prepared for audit to the block.

• #http ⇒ HTTP::Client
• #initialize(page, framework) ⇒ Object
• #log(options) ⇒ Issue

  Populates and logs an Issue.

• #log_issue(options) ⇒ Issue

  Helper method for issue logging.

• #log_remote_file(page_or_response, silent = false) ⇒ Object (also: #log_remote_directory)

  Logs the existence of a remote file as an issue.

• #log_remote_file_if_exists(url, silent = false, &block) ⇒ Object (also: #log_remote_directory_if_exists)

  Logs a remote file or directory if it exists.

• #match_and_log(patterns, &block) ⇒ Object

  Matches an array of regular expressions against a string and logs the result as an issue.

• #max_issues ⇒ Object
• #preferred ⇒ Object abstract
• #skip?(element) ⇒ Boolean

  This is called right before an Element is audited and is used to determine whether to skip it or not.

• #trace_taint(resource, options = {}, &block) ⇒ Object

  Traces the taint in the given ‘resource` and passes each page to the `block`.

• #with_browser(&block) ⇒ Object
• #with_browser_cluster(&block) ⇒ Object

Instance Attribute Details

#framework ⇒ Arachni::Framework (readonly)

# File 'lib/arachni/check/auditor.rb', line 196

def framework
  @framework
end

#page ⇒ Arachni::Page (readonly)

# File 'lib/arachni/check/auditor.rb', line 193

def page
  @page
end

Class Method Details

.has_timeout_candidates? ⇒ Boolean

# File 'lib/arachni/check/auditor.rb', line 45

def self.has_timeout_candidates?
    Element::Capabilities::Analyzable.has_timeout_candidates?
end

.included(m) ⇒ Object

# File 'lib/arachni/check/auditor.rb', line 71

def self.included( m )
    m.class_eval do

        # Determines whether or not to run the check against the given page
        # depending on which elements exist in the page, which elements the
        # check is configured to audit and user options.
        #
        # @param    [Page]    page
        #
        # @return   [Bool]
        def self.check?( page )
            return false if issue_limit_reached?
            return true  if elements.empty?

            audit = Arachni::Options.audit

            {
                # We use procs to make the decision, to avoid loading the page
                # element caches unless it's absolutely necessary.
                Element::Link              =>
                    proc { audit.links?     && !!page.links.find { |e| e.inputs.any? } },
                Element::Link::DOM         =>
                    proc { audit.link_doms? && !!page.links.find(&:dom) },
                Element::Form              =>
                    proc { audit.forms? && !!page.forms.find { |e| e.inputs.any? } },
                Element::Form::DOM         =>
                    proc { audit.form_doms? && page.has_script? && !!page.forms.find(&:dom) },
                Element::Cookie            =>
                    proc { audit.cookies? && page.cookies.any? },
                Element::Cookie::DOM       =>
                    proc { audit.cookie_doms? && page.has_script? && page.cookies.any? },
                Element::Header            =>
                    proc { audit.headers? && page.headers.any? },
                Element::LinkTemplate      =>
                    proc { audit.link_templates? && page.link_templates.find { |e| e.inputs.any? } },
                Element::LinkTemplate::DOM =>
                    proc { audit.link_template_doms? && !!page.link_templates.find(&:dom) },
                Element::Body              => !page.body.empty?,
                Element::GenericDOM        => page.has_script?,
                Element::Path              => true,
                Element::Server            => true
            }.each do |type, decider|
                return true if elements.include?( type ) &&
                    (decider.is_a?( Proc ) ? decider.call : decider)
            end

            false
        end

        def self.issue_counter
            @issue_counter ||= 0
        end

        def self.issue_counter=( int )
            @issue_counter = int
        end

        def increment_issue_counter
            self.class.issue_counter += 1
        end

        def issue_limit_reached?( count = max_issues )
            self.class.issue_limit_reached?( count )
        end

        def self.issue_limit_reached?( count = max_issues )
            issue_counter >= count if !count.nil?
        end

        def self.max_issues
            info[:max_issues]
        end

        # Helper method for creating an issue.
        #
        # @param    [Hash]  options
        #   {Issue} options.
        def self.create_issue( options )
            check_info = self.info.dup
            check_info.delete( :issue )
            check_info[:shortname] = self.shortname

            issue_data = self.info[:issue].merge( check: check_info ).merge( options )
            Issue.new( issue_data )
        end
    end
end

.reset ⇒ Object

# File 'lib/arachni/check/auditor.rb', line 41

def self.reset
    audited.clear
end

.timeout_audit_run ⇒ Object

# File 'lib/arachni/check/auditor.rb', line 48

def self.timeout_audit_run
    Element::Capabilities::Analyzable.timeout_audit_run
end

Instance Method Details

#audit(payloads, opts = {}, &block) ⇒ Object

If a block has been provided it calls Element::Capabilities::Auditable#audit for every element, otherwise, it defaults to #audit_taint.

Uses #each_candidate_element to decide which elements to audit.

See Also:

• OPTIONS
• Element::Capabilities::Auditable#audit
• #audit_taint

# File 'lib/arachni/check/auditor.rb', line 505

def audit( payloads, opts = {}, &block )
    opts = OPTIONS.merge( opts )
    if !block_given?
        audit_taint( payloads, opts )
    else
        each_candidate_element( opts[:elements] ) do |e|
            e.audit( payloads, opts, &block )
            audited( e.coverage_id )
        end
    end
end

#audit_differential(opts = {}, &block) ⇒ Object

Audits elements using differential analysis and automatically logs results.

Uses #each_candidate_element to decide which elements to audit.

See Also:

• OPTIONS
• Element::Capabilities::Analyzable::Differential

# File 'lib/arachni/check/auditor.rb', line 538

def audit_differential( opts = {}, &block )
    opts = OPTIONS.merge( opts )
    each_candidate_element( opts[:elements] ) do |e|
        e.differential_analysis( opts, &block )
        audited( e.coverage_id )
    end
end

#audit_taint(payloads, opts = {}) ⇒ Object

Provides easy access to element auditing using simple taint analysis and automatically logs results.

Uses #each_candidate_element to decide which elements to audit.

See Also:

• OPTIONS
• Element::Capabilities::Analyzable::Taint

# File 'lib/arachni/check/auditor.rb', line 524

def audit_taint( payloads, opts = {} )
    opts = OPTIONS.merge( opts )
    each_candidate_element( opts[:elements] )do |e|
        e.taint_analysis( payloads, opts )
        audited( e.coverage_id )
    end
end

#audit_timeout(payloads, opts = {}) ⇒ Object

Audits elements using timing attacks and automatically logs results.

Uses #each_candidate_element to decide which elements to audit.

See Also:

• OPTIONS
• Element::Capabilities::Analyzable::Timeout

# File 'lib/arachni/check/auditor.rb', line 552

def audit_timeout( payloads, opts = {} )
    opts = OPTIONS.merge( opts )
    each_candidate_element( opts[:elements] ) do |e|
        e.timeout_analysis( payloads, opts )
        audited( e.coverage_id )
    end
end

#audited(id) ⇒ Object

See Also:

• #audited?

# File 'lib/arachni/check/auditor.rb', line 56

def audited( id )
    Auditor.audited << "#{self.class}-#{id}"
end

#audited?(id) ⇒ Bool

Returns ‘true` if audited, `false` otherwise.

See Also:

• #audited

# File 'lib/arachni/check/auditor.rb', line 67

def audited?( id )
    Auditor.audited.include?( "#{self.class}-#{id}" )
end

#each_candidate_dom_element(types = []) {|element| ... } ⇒ Object

Passes each element prepared for audit to the block.

If no element types have been specified in ‘opts`, it will use the elements from the check’s Base.info hash.

If no elements have been specified in ‘opts` or Base.info, it will use the elements in OPTIONS.

Yields:

• (element) —

  Each candidate element.

Yield Parameters:

• (Arachni::Element)

# File 'lib/arachni/check/auditor.rb', line 469

def each_candidate_dom_element( types = [], &block )
    types = self.class.info[:elements]    if types.empty?
    types = OPTIONS[:dom_elements]        if types.empty?

    types.each do |elem|
        elem = elem.type

        next if !Options.audit.elements?( elem.to_s.gsub( '_dom', '' ) )

        case elem
            when Element::Link::DOM.type
                prepare_each_dom_element( page.links, &block )

            when Element::Form::DOM.type
                prepare_each_dom_element( page.forms, &block )

            when Element::Cookie::DOM.type
                prepare_each_dom_element( page.cookies, &block )

            when Element::LinkTemplate::DOM.type
                prepare_each_dom_element( page.link_templates, &block )

            else
                fail ArgumentError, "Unknown DOM element: #{elem}"
        end
    end
end

#each_candidate_element(types = []) {|element| ... } ⇒ Object

Passes each element prepared for audit to the block.

If no element types have been specified in ‘opts`, it will use the elements from the check’s Base.info hash.

If no elements have been specified in ‘opts` or Base.info, it will use the elements in OPTIONS.

Yields:

• (element) —

  Each candidate element.

Yield Parameters:

• (Arachni::Element)

# File 'lib/arachni/check/auditor.rb', line 423

def each_candidate_element( types = [], &block )
    types = self.class.info[:elements] if types.empty?
    types = OPTIONS[:elements]         if types.empty?

    types.each do |elem|
        elem = elem.type

        next if elem == Element::Body.type
        next if !Options.audit.elements?( elem )

        case elem
            when Element::Link.type
                prepare_each_element( page.links, &block )

            when Element::Form.type
                prepare_each_element( page.forms, &block )

            when Element::Cookie.type
                prepare_each_element(page.cookies, &block )

            when Element::Header.type
                prepare_each_element( page.headers, &block )

            when Element::LinkTemplate.type
                prepare_each_element( page.link_templates, &block )

            else
                fail ArgumentError, "Unknown element: #{elem}"
        end
    end
end

#http ⇒ HTTP::Client

# File 'lib/arachni/check/auditor.rb', line 206

def http
    HTTP::Client
end

#initialize(page, framework) ⇒ Object

# File 'lib/arachni/check/auditor.rb', line 200

def initialize( page, framework )
    @page      = page
    @framework = framework
end

#log(options) ⇒ Issue

Populates and logs an Issue.

# File 'lib/arachni/check/auditor.rb', line 254

def log( options )
    options       = options.dup
    vector        = options[:vector]
    audit_options = vector.respond_to?( :audit_options ) ?
        vector.audit_options : {}

    if options[:response]
        page = options.delete(:response).to_page
    elsif options[:page]
        page = options.delete(:page)
    else
        page = self.page
    end

    msg = "In #{vector.type}"

    active = vector.respond_to?( :affected_input_name ) && vector.affected_input_name

    if active
        msg << " input '#{vector.affected_input_name}'"
    elsif vector.respond_to?( :inputs )
        msg << " with inputs '#{vector.inputs.keys.join(', ')}'"
    end

    print_ok "#{msg} with action #{vector.action}"

    if verbose?
        if active
            print_verbose "Injected:  #{vector.affected_input_value.inspect}"
        end

        if options[:signature]
            print_verbose "Signature: #{options[:signature]}"
        end

        if options[:proof]
            print_verbose "Proof:     #{options[:proof]}"
        end

        if page.dom.transitions.any?
            print_verbose 'DOM transitions:'
            page.dom.print_transitions( method(:print_verbose), '    ' )
        end

        if !(request_dump = page.request.to_s).empty?
            print_verbose "Request: \n#{request_dump}"
        end

        print_verbose( '---------' ) if only_positives?
    end

    # Platform identification by vulnerability.
    platform_type = nil
    if (platform = (options.delete(:platform) || audit_options[:platform]))
        Platform::Manager[vector.action] << platform if Options.fingerprint?
        platform_type = Platform::Manager[vector.action].find_type( platform )
    end

    log_issue(options.merge(
        platform_name: platform,
        platform_type: platform_type,
        page:          page
    ))
end

#log_issue(options) ⇒ Issue

Helper method for issue logging.

See Also:

• create_issue

# File 'lib/arachni/check/auditor.rb', line 355

def log_issue( options )
    return if issue_limit_reached?
    self.class.issue_counter += 1

    issue = self.class.create_issue( options.merge( referring_page: self.page ) )
    Data.issues << issue
    issue
end

#log_remote_file(response, silent = false) ⇒ Object #log_remote_file(page, silent = false) ⇒ Object Also known as: log_remote_directory

Logs the existence of a remote file as an issue.

See Also:

• #log_issue

# File 'lib/arachni/check/auditor.rb', line 334

def log_remote_file( page_or_response, silent = false )
    page = page_or_response.is_a?( Page ) ?
        page_or_response : page_or_response.to_page

    log_issue(
        vector: Element::Server.new( page.url ),
        page:   page
    )

    print_ok( "Found #{page.url}" ) if !silent
end

#log_remote_file_if_exists(url, silent = false, &block) ⇒ Object Also known as: log_remote_directory_if_exists

Note:

Ignores custom 404 responses.

Logs a remote file or directory if it exists.

See Also:

• Element::Server#remote_file_exist?

# File 'lib/arachni/check/auditor.rb', line 228

def log_remote_file_if_exists( url, silent = false, &block )
    Element::Server.new( page.url ).tap { |s| s.auditor = self }.
        log_remote_file_if_exists( url, silent, &block )
end

#match_and_log(patterns, &block) ⇒ Object

Matches an array of regular expressions against a string and logs the result as an issue.

See Also:

• Element::Body#match_and_log

# File 'lib/arachni/check/auditor.rb', line 243

def match_and_log( patterns, &block )
    Element::Body.new( self.page.url ).tap { |b| b.auditor = self }.
        match_and_log( patterns, &block )
end

#max_issues ⇒ Object

# File 'lib/arachni/check/auditor.rb', line 159

def max_issues
    self.class.max_issues
end

#preferred ⇒ Object

This method is abstract.

See Also:

• Base#preferred
• Base.prefer

# File 'lib/arachni/check/auditor.rb', line 367

def preferred
    []
end

#skip?(element) ⇒ Boolean

This is called right before an Element is audited and is used to determine whether to skip it or not.

Running checks can override this as they wish but at their own peril.

See Also:

• Page#audit?

# File 'lib/arachni/check/auditor.rb', line 382

def skip?( element )
    # This method also gets called from Auditable#audit to check mutations,
    # don't touch these, we're filtering at a higher level here, otherwise
    # we might mess up the audit.
    return true if !element.mutation? && audited?( element.coverage_id )
    return true if !page.audit_element?( element )

    # Don't audit elements which have been already logged as vulnerable
    # either by us or preferred checks.
    (preferred | [shortname]).each do |check|
        next if !framework.checks.include?( check )

        klass = framework.checks[check]
        next if !klass.info.include?(:issue)

        # No point in doing the following heavy deduplication check if there
        # are no issues logged to begin with.
        next if klass.issue_counter == 0

        if Data.issues.include?( klass.create_issue( vector: element ) )
            return true
        end
    end

    false
end

#trace_taint(resource, options = {}, &block) ⇒ Object

Traces the taint in the given ‘resource` and passes each page to the `block`.

# File 'lib/arachni/check/auditor.rb', line 571

def trace_taint( resource, options = {}, &block )
    with_browser_cluster do |cluster|
        cluster.trace_taint( resource, options ) do |result|
            # Mark the job as done and abort further analysis if the block
            # returns true.
            cluster.job_done( result.job ) if block.call( result.page )
        end
    end
end

#with_browser(&block) ⇒ Object

Note:

Operates in non-blocking mode.

See Also:

• BrowserCluster::Worker#with_browser

# File 'lib/arachni/check/auditor.rb', line 595

def with_browser( &block )
    with_browser_cluster { |cluster| cluster.with_browser( &block ) }
    true
end

#with_browser_cluster(&block) ⇒ Object

# File 'lib/arachni/check/auditor.rb', line 583

def with_browser_cluster( &block )
    return if !browser_cluster
    block.call browser_cluster
    true
end