Module: Arachni::Element::Capabilities::Auditable
- Includes:
- Inputtable, Mutable, Submittable, WithAuditor, Utilities
- Included in:
- Analyzable, DOM, Form, Form::Capabilities::Auditable, Link, Link::Capabilities::Auditable, LinkTemplate, LinkTemplate::Capabilities::Auditable
- Defined in:
- lib/arachni/element/capabilities/auditable.rb,
lib/arachni/element/capabilities/auditable/dom.rb
Overview
Provides inputs, HTTP submission and audit functionality to Mutable elements.
Defined Under Namespace
Modules: DOM
Constant Summary collapse
- OPTIONS =
Default audit options.
{ # Optionally enable skipping of already audited inputs, disabled by default. redundant: false, # Block to be passed each mutation right before being submitted. # Allows for last minute changes. each_mutation: nil, # Block to be passed each mutation to determine if it should be skipped. skip_like: nil }
Constants included from Mutable
Mutable::EXTRA_NAME, Mutable::FUZZ_NAME, Mutable::FUZZ_NAME_VALUE, Mutable::MUTATION_OPTIONS
Constants included from Inputtable
Instance Attribute Summary collapse
-
#audit_options ⇒ Hash
Audit and general options for convenience’s sake.
Attributes included from WithAuditor
Attributes included from Mutable
#affected_input_name, #format, #seed
Attributes included from Inputtable
Class Method Summary collapse
-
.reset ⇒ Object
Empties the de-duplication/uniqueness look-up table.
-
.skip_like(&block) ⇒ Auditable
‘self`.
Instance Method Summary collapse
-
#audit(payloads, opts = {}, &block) ⇒ Boolean?
Submits mutations of ‘self` and calls the `block` to handle the results.
-
#audit_id(payload = nil) ⇒ String
ID string used to identify the #audit of ‘self` by its WithAuditor#auditor.
-
#audit_status_message ⇒ String
Status message explaining what input vector is being audited, containing its name, Base#type and Submittable#action.
-
#audit_status_message_action ⇒ Object
abstract
Action URL to be used in #audit_status_message instead of Submittable#action.
-
#audit_verbose_message ⇒ String
Verbose message including the payload used to audit the current vector.
-
#coverage_hash ⇒ Integer
Digest of #coverage_id.
-
#coverage_id ⇒ String
String identifying self’s coverage of the web application’s input surface.
- #dup ⇒ Object
- #initialize(options) ⇒ Object
-
#matches_skip_like_blocks? ⇒ Boolean
‘true` if the element matches one or more Auditable.skip_like_blocks, `false` otherwise.
-
#reset ⇒ Object
Resets the audit options to their original values.
-
#skip?(elem) ⇒ Boolean
abstract
‘true` if `self` should be audited, `false` otherwise.
Methods included from WithAuditor
#marshal_dump, #orphan?, #prepare_for_report, #remove_auditor
Methods included from Mutable
#affected_input_value, #affected_input_value=, #each_mutation, #immutables, #inspect, #mutation?, #mutations, #switch_method, #to_h, #to_rpc_data
Methods included from Submittable
#action, #action=, #http, #http_request, #id, #method, #method=, #platforms, #submit, #to_h
Methods included from Inputtable
#[], #[]=, #changes, #has_inputs?, #inputtable_id, #to_h, #try_input, #update, #valid_input_data?, #valid_input_name?, #valid_input_name_data?, #valid_input_value?, #valid_input_value_data?
Methods included from Utilities
#available_port, #bytes_to_kilobytes, #bytes_to_megabytes, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_document, #cookies_from_file, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_document, #forms_from_response, #full_and_absolute_url?, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_document, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #regexp_array_match, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_path?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite
Instance Attribute Details
#audit_options ⇒ Hash
Returns Audit and general options for convenience’s sake.
33 34 35 |
# File 'lib/arachni/element/capabilities/auditable.rb', line 33 def @audit_options end |
Class Method Details
.reset ⇒ Object
Empties the de-duplication/uniqueness look-up table.
Unless you’re sure you need this, set the :redundant flag to true when calling audit methods to bypass it.
52 53 54 55 |
# File 'lib/arachni/element/capabilities/auditable.rb', line 52 def Auditable.reset State.audit.clear @@skip_like_blocks = [] end |
.skip_like(&block) ⇒ Auditable
Returns ‘self`.
62 63 64 65 66 |
# File 'lib/arachni/element/capabilities/auditable.rb', line 62 def self.skip_like( &block ) fail 'Missing block.' if !block_given? skip_like_blocks << block self end |
Instance Method Details
#audit(payloads, opts = {}, &block) ⇒ Boolean?
Requires an WithAuditor#auditor.
Submits mutations of ‘self` and calls the `block` to handle the results.
117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 |
# File 'lib/arachni/element/capabilities/auditable.rb', line 117 def audit( payloads, opts = {}, &block ) fail ArgumentError, 'Missing block.' if !block_given? return false if self.inputs.empty? if scope.out? print_debug_level_2 "#{__method__}: Element is out of scope, " << "skipping: #{audit_id}" return false end case payloads when String audit_single( payloads, opts, &block ) when Array return if payloads.empty? payloads.each do |payload| audit_single( payload, opts, &block ) end when Hash platform_payloads = platforms.any? ? platforms.pick( payloads ) : payloads return if platform_payloads.empty? payload_platforms = Set.new( payloads.keys ) platform_payloads.each do |platform, payloads_for_platform| audit( [payloads_for_platform].flatten.compact, opts.merge( platform: platform, payload_platforms: payload_platforms ), &block ) end else raise ArgumentError, "Unsupported payload type '#{payloads.class}'. " << 'Expected one of: String, Array, Hash' end end |
#audit_id(payload = nil) ⇒ String
Returns ID string used to identify the #audit of ‘self` by its WithAuditor#auditor.
206 207 208 |
# File 'lib/arachni/element/capabilities/auditable.rb', line 206 def audit_id( payload = nil ) "#{auditor.class.name}:#{coverage_id}:#{payload}" end |
#audit_status_message ⇒ String
Returns Status message explaining what input vector is being audited, containing its name, Base#type and Submittable#action.
176 177 178 179 |
# File 'lib/arachni/element/capabilities/auditable.rb', line 176 def "Auditing #{self.type} input '#{affected_input_name}'" << " pointing to: '#{}'" end |
#audit_status_message_action ⇒ Object
Action URL to be used in #audit_status_message instead of Submittable#action.
185 186 187 |
# File 'lib/arachni/element/capabilities/auditable.rb', line 185 def self.action end |
#audit_verbose_message ⇒ String
Returns Verbose message including the payload used to audit the current vector.
191 192 193 194 195 196 197 198 199 |
# File 'lib/arachni/element/capabilities/auditable.rb', line 191 def s = "With: #{seed.inspect}" if seed != affected_input_value s << " -> #{affected_input_value.inspect}" end s end |
#coverage_hash ⇒ Integer
Returns Digest of #coverage_id.
220 221 222 |
# File 'lib/arachni/element/capabilities/auditable.rb', line 220 def coverage_hash coverage_id.persistent_hash end |
#coverage_id ⇒ String
Differences in input values will not be taken into consideration.
Returns String identifying self’s coverage of the web application’s input surface.
214 215 216 |
# File 'lib/arachni/element/capabilities/auditable.rb', line 214 def coverage_id "#{action}:#{type}:#{inputs.keys.sort}" end |
#dup ⇒ Object
233 234 235 |
# File 'lib/arachni/element/capabilities/auditable.rb', line 233 def dup copy_auditable( super ) end |
#initialize(options) ⇒ Object
68 69 70 71 |
# File 'lib/arachni/element/capabilities/auditable.rb', line 68 def initialize( ) super @audit_options = {} end |
#matches_skip_like_blocks? ⇒ Boolean
Returns ‘true` if the element matches one or more skip_like_blocks, `false` otherwise.
229 230 231 |
# File 'lib/arachni/element/capabilities/auditable.rb', line 229 def matches_skip_like_blocks? Auditable.matches_skip_like_blocks? self end |
#reset ⇒ Object
Resets the audit options to their original values.
74 75 76 77 78 |
# File 'lib/arachni/element/capabilities/auditable.rb', line 74 def reset super if defined?( super ) @audit_options = {} self end |
#skip?(elem) ⇒ Boolean
To be overridden by inputs element implementations for more fine-grained audit control.
Returns ‘true` if `self` should be audited, `false` otherwise.
169 170 171 |
# File 'lib/arachni/element/capabilities/auditable.rb', line 169 def skip?( elem ) false end |