Module: Arachni::Element::Capabilities::Analyzable::Taint

Included in:
Arachni::Element::Capabilities::Analyzable
Defined in:
lib/arachni/element/capabilities/analyzable/taint.rb

Overview

Looks for specific substrings or patterns in response bodies.

Author:

Constant Summary collapse

TAINT_CACHE =
{
    match: Support::Cache::LeastRecentlyPushed.new( 10_000 )
}
TAINT_OPTIONS =
{
    # The regular expression to match against the response body.
    #
    # Alternatively, you can use the :substring option.
    regexp:    nil,

    # The substring to look for the response body.
    #
    # Alternatively, you can use the :regexp option.
    substring: nil,

    # Array of patterns to ignore.
    #
    # Useful when needing to narrow down what to log without
    # having to construct overly complex match regexps.
    ignore:    nil,

    # Extract the longest word from each regexp and only proceed to the
    # full match only if that word is included in the response body.
    #
    # The check is case insensitive.
    longest_word_optimization: false
}

Instance Method Summary collapse

Instance Method Details

#taint_analysis(payloads, opts = { }) ⇒ Bool

Performs taint analysis and logs an issue should there be one.

It logs an issue when:

  • ‘:match` == nil AND `:regexp` matches the response body

  • ‘:match“ == not nil AND `:regexp` match == `:match`

  • ‘:substring`exists in the response body

Parameters:

  • payloads (String, Array<String>, Hash{Symbol => <String, Array<String>>})

    Payloads to inject, if given:

    • String – Will inject the single payload.

    • Array – Will iterate over all payloads and inject them.

    • Hash – Expects Platform (as ‘Symbol`s ) for keys and Array of

      `payloads` for values. The applicable `payloads` will be
      {Platform::Manager#pick picked} from the hash based on
      {Element::Capabilities::Submittable#platforms applicable platforms}
      for the {Element::Capabilities::Submittable#action resource} to be audited.
      
  • opts (Hash) (defaults to: { })

    Options as described in Check::Auditor::OPTIONS and TAINT_OPTIONS.

Returns:

  • (Bool)

    ‘true` if the audit was scheduled successfully, `false` otherwise (like if the resource is out of scope).



71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
# File 'lib/arachni/element/capabilities/analyzable/taint.rb', line 71

def taint_analysis( payloads, opts = { } )
    return false if self.inputs.empty?

    if scope.out?
        print_debug 'Taint analysis: Element is out of scope,' <<
                        " skipping: #{audit_id}"
        return false
    end

    # Buffer possible issues, we'll only register them with the system once
    # we've evaluated our control response.
    @candidate_issues = []

    # Perform the taint analysis.
    opts = self.class::OPTIONS.merge( TAINT_OPTIONS.merge( opts ) )
    audit( payloads, opts ) { |response| get_matches( response ) }
end