Module: Arachni::Element::Capabilities::Auditable::Taint

Included in:
Arachni::Element::Capabilities::Auditable
Defined in:
lib/arachni/element/capabilities/auditable/taint.rb

Overview

Looks for specific substrings or patterns in response bodies.

Author:

Constant Summary

TAINT_OPTIONS =
{
    #
    # The regular expression to match against the response body.
    #
    # Alternatively, you can use the :substring option.
    #
    regexp:    nil,

    #
    # Verify the matched string with this value when using a regexp.
    #
    match:     nil,

    #
    # The substring to look for in the response body.
    #
    # Alternatively, you can use the :regexp option.
    #
    substring: nil,

    #
    # Array of patterns to ignore.
    #
    # Useful when needing to narrow down what to log without
    # having to construct overly complex match regexps.
    #
    ignore:    nil,

    #
    # Extract the longest word from each regexp and only proceed to the
    # full match if that word is included in the response body.
    #
    # The check is case insensitive.
    #
    longest_word_optimization: false
}
REMARK =
'This issue was identified by a pattern but the pattern matched ' <<
'the page\'s response body even before auditing the logged element.'

Instance Method Summary

Instance Method Details

#taint_analysis(payloads, opts = { }) ⇒ Bool

Performs taint analysis and logs an issue should there be one.

It logs an issue when:

  • `:match` == nil AND `:regexp` matches the response body

  • `:match` != nil AND the `:regexp` match == `:match`

  • `:substring` exists in the response body

Parameters:

  • payloads (String, Array<String>, Hash{Symbol => <String, Array<String>>})

    Payloads to inject, if given:

    • String – Will inject the single payload.

    • Array – Will iterate over all payloads and inject them.

    • Hash – Expects Platform (as `Symbol`s) for keys and Array of
      `payloads` for values. The applicable `payloads` will be
      {Platform#pick picked} from the hash based on
      {Element::Base#platforms applicable platforms} for the
      {Base#action resource} to be audited.

  • opts (Hash) (defaults to: { })

    Options as described in Module::Auditor::OPTIONS and TAINT_OPTIONS.

Returns:

  • (Bool)

    `true` if the audit was scheduled successfully, `false` otherwise (e.g. if the resource is out of scope).

# File 'lib/arachni/element/capabilities/auditable/taint.rb', line 89

def taint_analysis( payloads, opts = { } )
    # Nothing to inject into, so nothing to audit.
    return false if self.auditable.empty?

    if skip_path? self.action
        print_debug "Element's action matches skip rule, bailing out."
        return false
    end

    # We'll have to keep track of logged issues for analysis a bit down the line.
    @logged_issues = []

    # Perform the taint analysis.
    # Caller-supplied options override TAINT_OPTIONS, which override the
    # element's generic audit OPTIONS.
    opts = self.class::OPTIONS.merge( TAINT_OPTIONS.merge( opts ) )

    # get_matches (not shown on this page) applies the :regexp/:match,
    # :substring and :ignore rules to each response body.
    audit( payloads, opts ) { |res, c_opts| get_matches( res, c_opts ) }
end
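The following is an added, stand-alone reimplementation of the logging rules documented above (the `:regexp`/`:match`, `:substring`, `:ignore` and `:longest_word_optimization` semantics of TAINT_OPTIONS, plus the REMARK attached when the pattern already matched the un-audited page). It is not Arachni's own `get_matches`; it assumes `:ignore` patterns are tested against the matched string, that `:match` is compared with the whole regexp match, and that the longest word of a regexp is its longest run of word characters.

```ruby
# Constructed defaults mirroring the documented TAINT_OPTIONS keys.
DEFAULT_TAINT_OPTIONS = {
  regexp: nil, match: nil, substring: nil, ignore: nil,
  longest_word_optimization: false
}.freeze

REMARK_TEXT = 'This issue was identified by a pattern but the pattern matched ' \
              "the page's response body even before auditing the logged element."

# Returns the string that would be logged for +body+, or nil when no rule fires.
def taint_match(body, opts = {})
  opts   = DEFAULT_TAINT_OPTIONS.merge(opts)
  ignore = Array(opts[:ignore])
  candidates = []

  if (re = opts[:regexp])
    if opts[:longest_word_optimization]
      # Cheap pre-check: skip the full regexp unless its longest literal word
      # appears in the body (case insensitive). Assumed word extraction.
      word = re.source.scan(/[A-Za-z0-9_]+/).max_by(&:length)
      return nil if word && !body.downcase.include?(word.downcase)
    end
    body.scan(re) { candidates << Regexp.last_match[0] }
    # With :match set, only a regexp hit equal to :match counts (assumption:
    # compared against the whole match).
    candidates.select! { |m| m == opts[:match] } if opts[:match]
  elsif (sub = opts[:substring])
    candidates << sub if body.include?(sub)
  end

  # :ignore narrows the result without complicating the main regexp.
  candidates.find { |m| ignore.none? { |ign| m.match?(ign) } }
end

# Builds the issue record for an audited response. If the same rule already
# fires on the un-audited page body, the documented REMARK is attached so the
# reviewer can treat it as a probable false positive.
def taint_issue(original_body, audited_body, opts = {})
  matched = taint_match(audited_body, opts)
  return nil unless matched
  issue = { match: matched }
  issue[:remarks] = [REMARK_TEXT] if taint_match(original_body, opts)
  issue
end
```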