Class: WPScan::Finders::Users::RSSGenerator

Inherits:

WpVersion::RSSGenerator

Object
CMSScanner::Finders::Finder
WpVersion::RSSGenerator
WPScan::Finders::Users::RSSGenerator

show all

Defined in:: app/finders/users/rss_generator.rb

Overview

Users disclosed from the dc:creator field in the RSS The names disclosed are display names, however depending on the configuration of the blog, they can be the same than usernames

Instance Method Summary collapse

#process_urls(urls, _opts = {}) ⇒ Object

Methods inherited from WpVersion::RSSGenerator

#aggressive_urls, #passive_urls_xpath

Methods included from Finder::WpVersion::SmartURLChecker

#create_version

Instance Method Details

#process_urls(urls, _opts = {}) ⇒ `Object`

# File 'app/finders/users/rss_generator.rb', line 8

def process_urls(urls, _opts = {})
  found = []

  urls.each do |url|
    res = Browser.get_and_follow_location(url)

    next unless res.code == 200 && res.body =~ /<dc\:creator>/i

    potential_usernames = []

    begin
      res.xml.xpath('//item/dc:creator').each do |node|
        potential_username = node.text.to_s

        # Ignoring potential username longer than 60 characters and containing accents
        # as they are considered invalid. See https://github.com/wpscanteam/wpscan/issues/1215
        next if potential_username.length > 60 || potential_username =~ /[^\x00-\x7F]/

        potential_usernames << potential_username
      end
    rescue Nokogiri::XML::XPath::SyntaxError
      next
    end

    potential_usernames.uniq.each do |potential_username|
      found << CMSScanner::User.new(potential_username, found_by: found_by, confidence: 50)
    end

    break
  end

  found
end