Module: Arachni::Element::Capabilities::Analyzable::Taint
- Included in:
- Arachni::Element::Capabilities::Analyzable
- Defined in:
- lib/arachni/element/capabilities/analyzable/taint.rb
Overview
Looks for specific substrings or patterns in response bodies.
Constant Summary collapse
- TAINT_CACHE =
{ match: Support::Cache::LeastRecentlyPushed.new( 10_000 ) }
- TAINT_OPTIONS =
    {
        # The regular expression to match against the response body.
        #
        # Alternatively, you can use the :substring option.
        regexp: nil,

        # The substring to look for in the response body.
        #
        # Alternatively, you can use the :regexp option.
        substring: nil,

        # Array of patterns to ignore.
        #
        # Useful when needing to narrow down what to log without
        # having to construct overly complex match regexps.
        ignore: nil,

        # Extract the longest word from each regexp and only proceed to the
        # full match if that word is included in the response body.
        #
        # The check is case insensitive.
        longest_word_optimization: false
    }
Instance Method Summary collapse
- #taint_analysis(payloads, opts = { }) ⇒ Bool
  Performs taint analysis and logs an issue should there be one.
Instance Method Details
#taint_analysis(payloads, opts = { }) ⇒ Bool
Performs taint analysis and logs an issue should there be one.
It logs an issue when:
- `:match` == nil AND `:regexp` matches the response body
- `:match` != nil AND the `:regexp` match == `:match`
- `:substring` exists in the response body
# File 'lib/arachni/element/capabilities/analyzable/taint.rb', line 71

def taint_analysis( payloads, opts = { } )
    return false if self.inputs.empty?

    if scope.out?
        print_debug 'Taint analysis: Element is out of scope,' <<
                        " skipping: #{audit_id}"
        return false
    end

    # Buffer possible issues, we'll only register them with the system once
    # we've evaluated our control response.
    @candidate_issues = []

    # Perform the taint analysis.
    opts = self.class::OPTIONS.merge( TAINT_OPTIONS.merge( opts ) )
    audit( payloads, opts ) { |response| get_matches( response ) }
end
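The three "logs an issue when" rules above, together with the `:ignore` and `:longest_word_optimization` options from TAINT_OPTIONS, re-implemented as a stand-alone Ruby helper so the matching semantics can be exercised without a scan. This is an added example, not Arachni's own code: the helper name `taint_match`, the issue Hash it returns, and the way the "longest word" is pulled out of the regexp source are assumptions, and the sample response body is constructed.

```ruby
# Added example (not Arachni code): stand-alone version of the documented
# #taint_analysis matching rules. Names below are assumptions.
TAINT_OPTIONS_EXAMPLE = {
  regexp:    nil,   # Regexp (or String source) to match against the body
  substring: nil,   # literal substring to look for in the body
  match:     nil,   # if set, the regexp match must equal this exactly
  ignore:    nil,   # Array of Regexp/String patterns that suppress logging
  longest_word_optimization: false
}.freeze

# Returns an issue Hash when `body` is tainted according to `opts`, nil otherwise.
def taint_match(body, opts = {})
  opts = TAINT_OPTIONS_EXAMPLE.merge(opts)

  # :ignore narrows what gets logged without complicating the main regexp.
  ignore = Array(opts[:ignore])
  return nil if ignore.any? { |pat| pat.is_a?(Regexp) ? body =~ pat : body.include?(pat) }

  # Rule 3: :substring exists in the response body.
  if (substring = opts[:substring]) && body.include?(substring)
    return { type: :substring, proof: substring }
  end

  if (regexp = opts[:regexp])
    regexp = Regexp.new(regexp) unless regexp.is_a?(Regexp)

    # Cheap case-insensitive pre-filter: take the longest literal word in the
    # regexp source and skip the full match if the body does not contain it.
    # (Assumed extraction; only an approximation of what Arachni does.)
    if opts[:longest_word_optimization]
      word = regexp.source.scan(/[a-z0-9_]+/i).max_by(&:length)
      return nil if word && !body.downcase.include?(word.downcase)
    end

    m = regexp.match(body)
    return nil unless m
    matched = m[0]

    # Rule 1: :match == nil AND :regexp matches the response body.
    return { type: :regexp, proof: matched } if opts[:match].nil?

    # Rule 2: :match != nil AND the regexp match == :match.
    return { type: :regexp, proof: matched } if matched == opts[:match]
  end

  nil
end

# Constructed sample response body (not captured from a real target).
SAMPLE_BODY = "HTTP/1.1 200 OK\r\n\r\n" \
              "Warning: mysql_fetch_array(): supplied argument is not a valid result".freeze

if __FILE__ == $PROGRAM_NAME
  p taint_match(SAMPLE_BODY, regexp: /mysql_\w+\(\)/)
  p taint_match(SAMPLE_BODY, regexp: /mysql_\w+\(\)/, match: 'mysql_query()')
  p taint_match(SAMPLE_BODY, substring: 'supplied argument', ignore: [/^Warning:/m])
end
```

Note the precedence in the original: `self.class::OPTIONS.merge( TAINT_OPTIONS.merge( opts ) )` means caller-supplied `opts` win over TAINT_OPTIONS, which in turn win over the element class's OPTIONS; the helper above mirrors only the TAINT_OPTIONS layer.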