Class: Arachni::Session

Inherits:
Object show all
Includes:
UI::Output, Utilities
Defined in:
lib/arachni/session.rb

Overview

Session management class.

Handles logins, provided log-out detection, stores and executes login sequences and provided general webapp session related helpers.

Author:

Defined Under Namespace

Classes: Error

Constant Summary collapse

LOGIN_TRIES = 
5
LOGIN_RETRY_WAIT = 
5

Instance Attribute Summary collapse

Instance Method Summary collapse

Methods included from Utilities

#available_port, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_document, #cookies_from_file, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_document, #forms_from_response, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_document, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #regexp_array_match, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_path?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite

Methods included from UI::Output

#debug?, #debug_off, #debug_on, #disable_only_positives, #included, #mute, #muted?, #only_positives, #only_positives?, #print_bad, #print_debug, #print_debug_backtrace, #print_debug_level_1, #print_debug_level_2, #print_debug_level_3, #print_error, #print_error_backtrace, #print_exception, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #reroute_to_file, #reroute_to_file?, reset_output_options, #unmute, #verbose?, #verbose_on

Instance Attribute Details

#browserBrowser (readonly)

Returns:



52
53
54
 
# File 'lib/arachni/session.rb', line 52

def browser
  @browser
end

#login_sequenceBlock (readonly)

Returns:

  • (Block) 


55
56
57
 
# File 'lib/arachni/session.rb', line 55

def 
  @login_sequence
end

Instance Method Details

#can_login?Bool

Returns ‘true` if there is log-in capability, `false` otherwise.

Returns:

  • (Bool)

    ‘true` if there is log-in capability, `false` otherwise.



176
177
178
 
# File 'lib/arachni/session.rb', line 176

def can_login?
    configured? && 
end

#clean_upObject 



57
58
59
60
 
# File 'lib/arachni/session.rb', line 57

def clean_up
    configuration.clear
    shutdown_browser
end

#configurationObject 



97
98
99
 
# File 'lib/arachni/session.rb', line 97

def configuration
    Data.session.configuration
end

#configure(options) ⇒ Object

Parameters:

Options Hash (options):

  • :url (String)

    URL containing the login form.

  • :inputs (Hash{String=>String})

    Hash containing inputs with which to locate and fill-in the form.



92
93
94
95
 
# File 'lib/arachni/session.rb', line 92

def configure( options )
    configuration.clear
    configuration.merge! options
end

#configured?Bool

Returns ‘true` if configured, `false` otherwise.

Returns:

  • (Bool)

    ‘true` if configured, `false` otherwise.



103
104
105
 
# File 'lib/arachni/session.rb', line 103

def configured?
    !!@login_sequence || configuration.any?
end

#cookie(&block) ⇒ Object

Tries to find the main session (login/ID) cookie.

Parameters:

  • block (Block)

    Block to be passed the cookie.

Raises:



75
76
77
78
79
80
81
82
83
84
85
 
# File 'lib/arachni/session.rb', line 75

def cookie( &block )
    return block.call( @session_cookie ) if @session_cookie
    fail Error::NoLoginCheck, 'No login-check has been configured.' if !

    cookies.each do |cookie|
        logged_in?( cookies: { cookie.name => '' } ) do |bool|
            next if bool
            block.call( @session_cookie = cookie )
        end
    end
end

#cookiesArray<Element::Cookie>

Returns Session cookies.

Returns:



64
65
66
 
# File 'lib/arachni/session.rb', line 64

def cookies
    http.cookies.select(&:session?)
end

#ensure_logged_inBool?

Returns ‘true` if logged-in, `false` otherwise, `nil` if there’s no log-in capability.

Returns:

  • (Bool, nil)

    ‘true` if logged-in, `false` otherwise, `nil` if there’s no log-in capability.



183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
 
# File 'lib/arachni/session.rb', line 183

def ensure_logged_in
    return if !can_login?
    return true if logged_in?

    print_bad 'The scanner has been logged out.'
    print_info 'Trying to re-login...'

    LOGIN_TRIES.times do |i|
        break if !.response.timed_out? rescue Error

        print_bad "Login attempt #{i+1} failed, retrying after " <<
                      "#{LOGIN_RETRY_WAIT} seconds..."
        sleep LOGIN_RETRY_WAIT
    end

    if logged_in?
        print_ok 'Logged-in successfully.'
        true
    else
        print_bad 'Could not re-login.'
        false
    end
end

#find_login_form(opts = {}, &block) ⇒ Object

Finds a login forms based on supplied location, collection and criteria.

Parameters:

  • opts (Hash) (defaults to: {})
  • block (Block)

    If a block and a :url are given, the request will run async and the block will be called with the result of this method.

Options Hash (opts):

  • :requires_password (Bool)

    Does the login form include a password field? (Defaults to ‘true`)

  • :action (Array, Regexp)

    Regexp to match or String to compare against the form action.

  • :inputs (String, Array, Hash, Symbol)

    Inputs that the form must contain.

  • :forms (Array<Element::Form>)

    Collection of forms to look through.

  • :pages (Page, Array<Page>)

    Pages to look through.

  • :url (String)

    URL to fetch and look for forms.



126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
 
# File 'lib/arachni/session.rb', line 126

def ( opts = {}, &block )
    async = block_given?

    requires_password = (opts[:requires_password].nil? ? true : opts[:requires_password])

    find = proc do |cforms|
        cforms.select do |f|
            next if requires_password && !f.requires_password?

            oks = []

            if action = opts[:action]
                oks << !!(action.is_a?( Regexp ) ? f.action =~ action : f.action == action)
            end

            if inputs = opts[:inputs]
                oks << f.has_inputs?( inputs )
            end

            oks.count( true ) == oks.size
        end.first
    end

    forms = if opts[:pages]
                [opts[:pages]].flatten.map { |p| p.forms }.flatten
            elsif opts[:forms]
                opts[:forms]
            elsif (url = opts[:url])
                http_opts = {
                    update_cookies:  true,
                    follow_location: true
                }

                if async
                    http.get( url, http_opts ) do |r|
                        block.call find.call( forms_from_response( r, true ) )
                    end
                else
                    forms_from_response(
                        http.get( url, http_opts.merge( mode: :sync ) ),
                        true
                    )
                end
            end

    find.call( forms || [] ) if !async
end

#has_browser?Boolean

Returns:

  • (Boolean) 


283
284
285
 
# File 'lib/arachni/session.rb', line 283

def has_browser?
    Browser.has_executable? && Options.scope.dom_depth_limit > 0
end

#has_login_check?Bool

Returns ‘true` if a login check exists, `false` otherwise.

Returns:

  • (Bool)

    ‘true` if a login check exists, `false` otherwise.



274
275
276
 
# File 'lib/arachni/session.rb', line 274

def 
    !!@login_check || !!(Options.session.check_url && Options.session.check_pattern)
end

#httpHTTP::Client

Returns:



279
280
281
 
# File 'lib/arachni/session.rb', line 279

def http
    HTTP::Client
end

#logged_in?(http_options = {}, &block) ⇒ Bool?

Returns ‘true` if we’re logged-in, ‘false` otherwise.

Parameters:

  • http_options (Hash) (defaults to: {})

    HTTP options to use for the check.

  • block (Block)

    If a block has been provided the check will be async and the result will be passed to it, otherwise the method will return the result.

Returns:

  • (Bool, nil)

    ‘true` if we’re logged-in, ‘false` otherwise.

Raises:



256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
 
# File 'lib/arachni/session.rb', line 256

def logged_in?( http_options = {}, &block )
    fail Error::NoLoginCheck if !

    http_options = http_options.merge(
        mode:            block_given? ? :async : :sync,
        follow_location: true
    )

    bool = nil
    http.get( Options.session.check_url, http_options ) do |response|
        bool = !!response.body.match( Options.session.check_pattern )
        block.call( bool ) if block
    end
    bool
end

#loginPage?

Uses the information provided by #configure or #login_sequence to login.

Returns:

  • (Page, nil)

    Page if the login was successful, ‘nil` otherwise.

Raises:



225
226
227
228
229
230
231
232
233
234
235
236
237
 
# File 'lib/arachni/session.rb', line 225

def 
    fail Error::NotConfigured, 'Please configure the session first.' if !configured?

    refresh_browser

    page = @login_sequence ?  : 

    if has_browser?
        http.update_cookies browser.cookies
    end

    page
end

#record_login_sequence(&block) ⇒ Object

Parameters:

  • block (Block)

    Login sequence. Must return the resulting Page.

    If a #browser is available it will be passed to the block.



212
213
214
 
# File 'lib/arachni/session.rb', line 212

def ( &block )
    @login_sequence = block
end

#with_browser(&block) ⇒ Object

Parameters:

  • block (Block)

    Block to be passed the #browser.



241
242
243
 
# File 'lib/arachni/session.rb', line 241

def with_browser( &block )
    block.call browser
end