Class: Watobo::Modules::Active::Flash::Crossdomain
- Inherits: ActiveCheck
- Ancestry: Object > Session > ActiveCheck > Watobo::Modules::Active::Flash::Crossdomain
- Defined in: modules/active/Flash/crossdomain.rb
Constant Summary
Constants included from Constants
Constants::AC_GROUP_APACHE, Constants::AC_GROUP_DOMINO, Constants::AC_GROUP_ENUMERATION, Constants::AC_GROUP_FILE_INCLUSION, Constants::AC_GROUP_FLASH, Constants::AC_GROUP_GENERIC, Constants::AC_GROUP_JBOSS, Constants::AC_GROUP_JOOMLA, Constants::AC_GROUP_SAP, Constants::AC_GROUP_SQL, Constants::AC_GROUP_TYPO3, Constants::AC_GROUP_XSS, Constants::AUTH_TYPE_BASIC, Constants::AUTH_TYPE_DIGEST, Constants::AUTH_TYPE_NONE, Constants::AUTH_TYPE_NTLM, Constants::CHAT_SOURCE_AUTO_SCAN, Constants::CHAT_SOURCE_FUZZER, Constants::CHAT_SOURCE_INTERCEPT, Constants::CHAT_SOURCE_MANUAL, Constants::CHAT_SOURCE_MANUAL_SCAN, Constants::CHAT_SOURCE_PROXY, Constants::CHAT_SOURCE_UNDEF, Constants::DEFAULT_PORT_HTTP, Constants::DEFAULT_PORT_HTTPS, Constants::FINDING_TYPE_HINT, Constants::FINDING_TYPE_INFO, Constants::FINDING_TYPE_UNDEFINED, Constants::FINDING_TYPE_VULN, Constants::FIRST_TIME_FILE, Constants::GUI_REGULAR_FONT_SIZE, Constants::GUI_SMALL_FONT_SIZE, Constants::ICON_PATH, Constants::LOG_DEBUG, Constants::LOG_INFO, Constants::SCAN_CANCELED, Constants::SCAN_FINISHED, Constants::SCAN_PAUSED, Constants::SCAN_STARTED, Constants::TE_CHUNKED, Constants::TE_COMPRESS, Constants::TE_DEFLATE, Constants::TE_GZIP, Constants::TE_IDENTITY, Constants::TE_NONE, Constants::VULN_RATING_CRITICAL, Constants::VULN_RATING_HIGH, Constants::VULN_RATING_INFO, Constants::VULN_RATING_LOW, Constants::VULN_RATING_MEDIUM, Constants::VULN_RATING_UNDEFINED
Instance Method Summary
- #generateChecks(chat) ⇒ Object
- #initialize(project, prefs = {}) ⇒ Crossdomain (constructor)
  A new instance of Crossdomain.
- #reset ⇒ Object
Methods included from CheckInfoMixin::InfoMethods
Constructor Details
#initialize(project, prefs = {}) ⇒ Crossdomain
Returns a new instance of Crossdomain.
# File 'modules/active/Flash/crossdomain.rb', line 50
def initialize(project, prefs={})
  super(project, prefs)
  # directories already probed, so each one gets a single crossdomain.xml request
  @checked_dirs = Hash.new
end
Instance Method Details
#generateChecks(chat) ⇒ Object
# File 'modules/active/Flash/crossdomain.rb', line 59
def generateChecks(chat)
  directory = chat.request.dir
  unless @checked_dirs.has_key?(directory)
    @checked_dirs[directory] = :checked
    checker = proc {
      test_request = nil
      test_response = nil
      path = directory + "/crossdomain.xml"
      # IMPORTANT!!!
      # use copyRequest(chat) for cloning the original request
      test = chat.copyRequest
      test.setDir(path)
      status, test_request, test_response = fileExists?(test, :default => true)
      if status == true
        # Do a simple match on the response to detect
        # if we have <allow-access-from domain="*"/>
        # The character class after the wildcard accepts whitespace, "/" or ">",
        # so the common no-space form <allow-access-from domain="*"/> is not missed.
        if test_response.join =~ /<allow-access-from\s+domain="\*"[\s\/>]/i then
          proof_pattern = $~
          addFinding(
            test_request, test_response,
            :check_pattern => "<allow-access-from\\s+domain=\"\\*\"[\\s/>]",
            :proof_pattern => proof_pattern.to_s,
            :test_item => "test-item",
            :chat => chat,
            :title => "Badly configured crossdomain.xml",
            :rating => VULN_RATING_CRITICAL,
            :threat => "The current crossdomain.xml policy allows cross domain access from everywhere",
            :measure => "Restrict the allowed hosts setting inside the policy",
            :class => "Flash security"
          )
        end
      end
      [ test_request, test_response ]
    }
    yield checker
  end # end unless
end
#reset ⇒ Object
# File 'modules/active/Flash/crossdomain.rb', line 46
def reset()
  @checked_dirs.clear
end