Module: Arachni::Module::Auditor

Included in:

Base

Defined in:

lib/module/auditor.rb

Overview

Auditor module

Included by Base.<br/> Includes audit methods.

@author: Tasos “Zapotek” Laskos

<tasos.laskos@gmail.com>
<zapotek@segfault.gr>

@version: 0.2.2

Defined Under Namespace

Modules: Element, Format

Constant Summary

OPTIONS =

Default audit options.

{

    #
    # Elements to audit.
    #
    # Only required when calling {#audit}.<br/>
    # If no elements have been passed to audit it will
    # use the elements in {#self.info}.
    #
    :elements => [ Element::LINK, Element::FORM,
                   Element::COOKIE, Element::HEADER,
                   Issue::Element::BODY ],

    #
    # The regular expression to match against the response body.
    #
    :regexp   => nil,

    #
    # Verify the matched string with this value.
    #
    :match    => nil,

    #
    # Formatting of the injection strings.
    #
    # A new set of audit inputs will be generated
    # for each value in the array.
    #
    # Values can be OR'ed bitfields of all available constants
    # of {Auditor::Format}.
    #
    # @see  Auditor::Format
    #
    :format   => [ Format::STRAIGHT, Format::APPEND,
                   Format::NULL, Format::APPEND | Format::NULL ],

    #
    # If 'train' is set to true the HTTP response will be
    # analyzed for new elements. <br/>
    # Be carefull when enabling it, there'll be a performance penalty.
    #
    # When the Auditor submits a form with original or sample values
    # this option will be overriden to true.
    #
    :train     => false,

    #
    # Enable skipping of already audited inputs
    #
    :redundant => false,

    #
    # Make requests asynchronously
    #
    :async     => true
}

Instance Method Summary

• #audit(injection_str, opts = { }, &block) ⇒ Object

  Provides easy access to element auditing.

• #audit_elems(elements, injection_str, opts = { }, &block) ⇒ Object

  Audits Auditalble HTML/HTTP elements.

• #audit_timeout(strings, opts) ⇒ Object

  Audits elements using a 2 phase timing attack and logs results.

• #audit_timeout_debug_msg(phase, delay) ⇒ Object
• #audit_timeout_phase_2(elem) ⇒ Object

  Runs phase 2 of the timing attack auditng an individual element (which passed phase 1) with a higher delay and timeout.

• #log(opts, res = nil) ⇒ Object

  Logs a vulnerability based on a regular expression and it’s matched string.

• #match_and_log(regexps, string = @page.html, &block) ⇒ Object

  Matches the HTML in @page.html to an array of regular expressions and logs the results.

• #method_missing(sym, *args, &block) ⇒ Object

  Provides the following methods: * audit_links() * audit_forms() * audit_cookies() * audit_headers().

• #skip?(elem) ⇒ Boolean

  ABSTRACT - OPTIONAL.

• #timing_attack(strings, opts, &block) ⇒ Object

  Audits elements using a timing attack.

Dynamic Method Handling

This class handles dynamic methods through the method_missing method

#method_missing(sym, *args, &block) ⇒ Object

Provides the following methods:

• audit_links()

• audit_forms()

• audit_cookies()

• audit_headers()

Metaprogrammed to avoid redundant code while maintaining compatibility and method shortcuts.

Raises:

• (NoMethodError)

See Also:

• #audit_elems

# File 'lib/module/auditor.rb', line 421

def method_missing( sym, *args, &block )

    elem = sym.to_s.gsub!( 'audit_', '@' )
    raise NoMethodError.new( "Undefined method '#{sym.to_s}'.", sym, args ) if !elem

    elems = @page.instance_variable_get( elem )

    if( elems && elem )
        raise ArgumentError.new( "Missing required argument 'injection_str'" +
            " for audit_#{elem.gsub( '@', '' )}()." ) if( !args[0] )
        audit_elems( elems, args[0], args[1] ? args[1]: {}, &block )
    else
        raise NoMethodError.new( "Undefined method '#{sym.to_s}'.", sym, args )
    end
end

Instance Method Details

#audit(injection_str, opts = { }, &block) ⇒ Object

Provides easy access to element auditing.

If no elements have been specified in ‘opts’ it will use the elements from the module’s “self.info()” hash. <br/> If no elements have been specified in ‘opts’ or “self.info()” it will use the elements in OPTIONS. <br/>

Parameters:

• injection_str (String) —

  the string to be injected

• opts (Hash) (defaults to: { }) —

  options as described in OPTIONS

• &block (Block) —

  block to be passed the:

  • HTTP response

  • name of the input vector

  • updated opts

  The block will be called as soon as the
  HTTP response is received.
  

# File 'lib/module/auditor.rb', line 266

def audit( injection_str, opts = { }, &block )

    if( !opts.include?( :elements) || !opts[:elements] || opts[:elements].empty? )
        opts[:elements] = self.class.info[:elements]
    end

    if( !opts.include?( :elements) || !opts[:elements] || opts[:elements].empty? )
        opts[:elements] = OPTIONS[:elements]
    end

    opts  = OPTIONS.merge( opts )

    opts[:elements].each {
        |elem|

        case elem

            when  Element::LINK
                audit_links( injection_str, opts, &block )

            when  Element::FORM
                audit_forms( injection_str, opts, &block )

            when  Element::COOKIE
                audit_cookies( injection_str, opts, &block )

            when  Element::HEADER
                audit_headers( injection_str, opts, &block )
            else
                raise( 'Unknown element to audit:  ' + elem.to_s )

        end

    }
end

#audit_elems(elements, injection_str, opts = { }, &block) ⇒ Object

Audits Auditalble HTML/HTTP elements

Parameters:

• elements (Array<Arachni::Element::Auditable>) —

  auditable elements to audit

• injection_str (String) —

  the string to be injected

• opts (Hash) (defaults to: { }) —

  options as described in OPTIONS

• &block (Block) —

  block to be passed the:

  • HTTP response

  • name of the input vector

  • updated opts

  The block will be called as soon as the
  HTTP response is received.
  

See Also:

• #method_missing

# File 'lib/module/auditor.rb', line 452

def audit_elems( elements, injection_str, opts = { }, &block )

    opts            = OPTIONS.merge( opts )
    url             = @page.url

    opts[:injected_orig] = injection_str

    elements.each{
        |elem|
        elem.auditor( self )
        elem.audit( injection_str, opts, &block )
    }
end

#audit_timeout(strings, opts) ⇒ Object

Audits elements using a 2 phase timing attack and logs results.

‘opts’ needs to contain a :timeout value in milliseconds.</br> Optionally, you can add a :timeout_divider.

Phase 1 uses the timeout value passed in opts, phase 2 uses (timeout * 2). </br> If phase 1 fails, phase 2 is aborted. </br> If we have a result in phase 1, phase 2 verifies that result with the higher timeout.

Parameters:

• strings (Array) —

  injection strings ‘__TIME__’ will be substituded with (timeout / timeout_divider)

• opts (Hash) —

  options as described in OPTIONS

# File 'lib/module/auditor.rb', line 331

def audit_timeout( strings, opts )
    logged = Set.new

    delay = opts[:timeout]

    audit_timeout_debug_msg( 1, delay )
    timing_attack( strings, opts ) {
        |res, opts, elem|

        if !logged.include?( opts[:altered] )
            logged << opts[:altered]
            audit_timeout_phase_2( elem )
        end
    }
end

#audit_timeout_debug_msg(phase, delay) ⇒ Object

# File 'lib/module/auditor.rb', line 375

def audit_timeout_debug_msg( phase, delay )
    print_debug( '---------------------------------------------' )
    print_debug( "Running phase #{phase.to_s} of timing attack." )
    print_debug( "Delay set to: #{delay.to_s} milliseconds" )
    print_debug( '---------------------------------------------' )
end

#audit_timeout_phase_2(elem) ⇒ Object

Runs phase 2 of the timing attack auditng an individual element (which passed phase 1) with a higher delay and timeout

# File 'lib/module/auditor.rb', line 351

def audit_timeout_phase_2( elem )

    opts = elem.opts
    opts[:timeout] *= 2

    audit_timeout_debug_msg( 2, opts[:timeout] )

    str = opts[:timing_string].gsub( '__TIME__',
        ( (opts[:timeout] + 3000) / opts[:timeout_divider] ).to_s )

    elem.auditor( self )
    elem.audit( str, opts ) {
        |res, opts|

        if res.timed_out?

            # all issues logged by timing attacks need manual verification.
            # end of story.
            opts[:verification] = true
            log( opts, res)
        end
    }
end

#log(opts, res = nil) ⇒ Object

Logs a vulnerability based on a regular expression and it’s matched string

Parameters:

• regexp (Regexp)
• match (String)

# File 'lib/module/auditor.rb', line 192

def log( opts, res = nil )

    method = nil

    request_headers  = nil
    response_headers = @page.response_headers
    response         = @page.html
    url              = @page.url
    method           = @page.method.to_s.upcase if @page.method

    if( res )
        request_headers  = res.request.headers
        response_headers = res.headers
        response         = res.body
        url              = res.effective_url
        method           = res.request.method.to_s.upcase
    end

    if response_headers['content-type'] &&
       !response_headers['content-type'].substring?( 'text' )
        response = nil
    end

    begin
        print_ok( "In #{opts[:element]} var '#{opts[:altered]}' ( #{url} )" )
    rescue
    end

    print_verbose( "Injected string:\t" + opts[:injected] ) if opts[:injected]
    print_verbose( "Verified string:\t" + opts[:match].to_s ) if opts[:match]
    print_verbose( "Matched regular expression: " + opts[:regexp].to_s )
    print_debug( 'Request ID: ' + res.request.id.to_s ) if res
    print_verbose( '---------' ) if only_positives?

    # Instantiate a new Vulnerability class and
    # append it to the results array
    vuln = Issue.new( {
        :var          => opts[:altered],
        :url          => url,
        :injected     => opts[:injected],
        :id           => opts[:id],
        :regexp       => opts[:regexp],
        :regexp_match => opts[:match],
        :elem         => opts[:element],
        :verification => opts[:verification] || false,
        :method       => method,
        :response     => response,
        :opts         => opts,
        :headers      => {
            :request    => request_headers,
            :response   => response_headers,
        }
    }.merge( self.class.info ) )
    register_results( [vuln] )
end

#match_and_log(regexps, string = @page.html, &block) ⇒ Object

Matches the HTML in @page.html to an array of regular expressions and logs the results.

Parameters:

• regexps (Array<Regexp>)
• string (String) (defaults to: @page.html)
• block (Block) —

  block to verify matches before logging must return true/false

# File 'lib/module/auditor.rb', line 138

def match_and_log( regexps, string = @page.html, &block )

    # make sure that we're working with an array
    regexps = [regexps].flatten

    elems = self.class.info[:elements]
    elems = OPTIONS[:elements] if !elems || elems.empty?

    regexps.each {
        |regexp|

        string.scan( regexp ).flatten.uniq.each {
            |match|

            next if !match
            next if block && !block.call( match )

            log(
                :regexp  => regexp,
                :match   => match,
                :element => Issue::Element::BODY
            )
        } if elems.include? Issue::Element::BODY

        next if string == @page.html

        @page.response_headers.each {
            |k,v|
            next if !v

            v.to_s.scan( regexp ).flatten.uniq.each {
                |match|

                next if !match
                next if block && !block.call( match )

                log(
                    :var => k,
                    :regexp  => regexp,
                    :match   => match,
                    :element => Issue::Element::HEADER
                )
            }
        } if elems.include? Issue::Element::HEADER

    }
end

#skip?(elem) ⇒ Boolean

ABSTRACT - OPTIONAL

This is called right before an [Arachni::Parser::Element] is submitted/auditted and is used to determine whether to skip it or not.

Implementation details are left up to the running module.

Parameters:

• elem (Arachni::Parser::Element)

Returns:

• (Boolean)

# File 'lib/module/auditor.rb', line 312

def skip?( elem )
    return false
end

#timing_attack(strings, opts, &block) ⇒ Object

Audits elements using a timing attack.

‘opts’ needs to contain a :timeout value in milliseconds.</br> Optionally, you can add a :timeout_divider.

Parameters:

• strings (Array) —

  injection strings ‘__TIME__’ will be substituded with (timeout / timeout_divider)

• opts (Hash) —

  options as described in OPTIONS

• &block (Block) —

  block to call if a timeout occurs, it will be passed the response and opts

# File 'lib/module/auditor.rb', line 394

def timing_attack( strings, opts, &block )

    opts[:timeout_divider] ||= 1
    [strings].flatten.each {
        |str|

        opts[:timing_string] = str
        str = str.gsub( '__TIME__', ( (opts[:timeout] + 3000) / opts[:timeout_divider] ).to_s )
        audit( str, opts ) {
            |res, opts, elem|
            block.call( res, opts, elem ) if block && res.timed_out?
        }
    }
end