Module: Arachni::Check::Auditor

Included in:
Base
Defined in:
lib/arachni/check/auditor.rb

Overview

Included by Base and provides helper audit methods to all checks.

There are 3 main types of audit and analysis techniques available:

It should be noted that actual analysis takes place at the element level.

It also provides:

Author:

Constant Summary collapse

FILE_SIGNATURES_PER_PLATFORM =
Arachni::Element::Capabilities::Analyzable::Signature::FILE_SIGNATURES_PER_PLATFORM
FILE_SIGNATURES =
Arachni::Element::Capabilities::Analyzable::Signature::FILE_SIGNATURES
SOURCE_CODE_SIGNATURES_PER_PLATFORM =
Arachni::Element::Capabilities::Analyzable::Signature::SOURCE_CODE_SIGNATURES_PER_PLATFORM
Format =

Holds constant bitfields that describe the preferred formatting of injection strings.

Element::Capabilities::Mutable::Format
ELEMENTS_WITH_INPUTS =

Non-DOM auditable elements.

[
    Element::Link, Element::Form, Element::Cookie, Element::NestedCookie,
    Element::Header, Element::LinkTemplate, Element::JSON, Element::XML
]
DOM_ELEMENTS_WITH_INPUTS =

Auditable DOM elements.

[
    Element::Link::DOM, Element::Form::DOM, Element::Cookie::DOM,
    Element::LinkTemplate::DOM, Element::UIInput::DOM, Element::UIForm::DOM
]

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#frameworkArachni::Framework (readonly)

Returns:


317
318
319
# File 'lib/arachni/check/auditor.rb', line 317

def framework
  @framework
end

#pageArachni::Page (readonly)

Returns Page object to be audited.

Returns:


314
315
316
# File 'lib/arachni/check/auditor.rb', line 314

def page
  @page
end

Class Method Details

.has_timeout_candidates?Boolean

Returns:

  • (Boolean)

43
44
45
# File 'lib/arachni/check/auditor.rb', line 43

def self.has_timeout_candidates?
    Element::Capabilities::Analyzable.has_timeout_candidates?
end

.resetObject


39
40
41
# File 'lib/arachni/check/auditor.rb', line 39

def self.reset
    audited.clear
end

.timeout_audit_runObject


46
47
48
# File 'lib/arachni/check/auditor.rb', line 46

def self.timeout_audit_run
    Element::Capabilities::Analyzable.timeout_audit_run
end

Instance Method Details

#audit(payloads, opts = {}, &block) ⇒ Object

If a block has been provided it calls Element::Capabilities::Auditable#audit for every element, otherwise, it defaults to #audit_signature.

Uses #each_candidate_element to decide which elements to audit.


566
567
568
569
570
571
572
573
574
575
# File 'lib/arachni/check/auditor.rb', line 566

def audit( payloads, opts = {}, &block )
    if !block_given?
        audit_signature( payloads, opts )
    else
        each_candidate_element do |e|
            e.audit( payloads, opts, &block )
            audited( e.coverage_id )
        end
    end
end

#audit_differential(opts = {}, &block) ⇒ Object

Audits elements using differential analysis and automatically logs results.

Uses #each_candidate_element to decide which elements to audit.


608
609
610
611
612
613
# File 'lib/arachni/check/auditor.rb', line 608

def audit_differential( opts = {}, &block )
    each_candidate_element do |e|
        e.differential_analysis( opts, &block )
        audited( e.coverage_id )
    end
end

#audit_signature(payloads, opts = {}) ⇒ Object

Provides easy access to element auditing using simple signature analysis and automatically logs results.

Uses #each_candidate_element to decide which elements to audit.


596
597
598
599
600
601
# File 'lib/arachni/check/auditor.rb', line 596

def audit_signature( payloads, opts = {} )
    each_candidate_element do |e|
        e.signature_analysis( payloads, opts )
        audited( e.coverage_id )
    end
end

#audit_timeout(payloads, opts = {}) ⇒ Object

Audits elements using timing attacks and automatically logs results.

Uses #each_candidate_element to decide which elements to audit.


620
621
622
623
624
625
# File 'lib/arachni/check/auditor.rb', line 620

def audit_timeout( payloads, opts = {} )
    each_candidate_element do |e|
        e.timeout_analysis( payloads, opts )
        audited( e.coverage_id )
    end
end

#audited(id) ⇒ Object

Parameters:

  • id (#to_s)

    Identifier of the object to be marked as audited.

See Also:


54
55
56
# File 'lib/arachni/check/auditor.rb', line 54

def audited( id )
    Auditor.audited << "#{self.class}-#{id}"
end

#audited?(id) ⇒ Bool

Returns true if audited, false otherwise.

Parameters:

  • id (#to_s)

    Identifier of the object to be checked.

Returns:

  • (Bool)

    true if audited, false otherwise.

See Also:


65
66
67
# File 'lib/arachni/check/auditor.rb', line 65

def audited?( id )
    Auditor.audited.include?( "#{self.class}-#{id}" )
end

#buffered_audit(payloads, opts = {}, &block) ⇒ Object

Calls Element::Capabilities::Auditable#buffered_audit for every element.

Uses #each_candidate_element to decide which elements to audit.

See Also:

  • Element::Capabilities::Auditable#buffered_audit

583
584
585
586
587
588
# File 'lib/arachni/check/auditor.rb', line 583

def buffered_audit( payloads, opts = {}, &block )
    each_candidate_element do |e|
        e.buffered_audit( payloads, opts, &block )
        audited( e.coverage_id )
    end
end

#each_candidate_dom_element {|element| ... } ⇒ Object

Passes each element prepared for audit to the block.

It will use the elements from the check's Base.info hash. If no elements have been specified it will use DOM_ELEMENTS_WITH_INPUTS.

Yields:

  • (element)

    Each candidate element.

Yield Parameters:


525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
# File 'lib/arachni/check/auditor.rb', line 525

def each_candidate_dom_element( &block )
    types = self.class.elements
    types = DOM_ELEMENTS_WITH_INPUTS if types.empty?

    types.each do |elem|
        elem = elem.type

        next if !Options.audit.elements?( elem.to_s.gsub( '_dom', '' ) )

        case elem
            when Element::Link::DOM.type
                prepare_each_dom_element( page.links, &block )

            when Element::Form::DOM.type
                prepare_each_dom_element( page.forms, &block )

            when Element::Cookie::DOM.type
                prepare_each_dom_element( page.cookies, &block )

            when Element::LinkTemplate::DOM.type
                prepare_each_dom_element( page.link_templates, &block )

            when Element::UIInput::DOM.type
                prepare_each_dom_element( page.ui_inputs, &block )

            when Element::UIForm::DOM.type
                prepare_each_dom_element( page.ui_forms, &block )

            else
                fail ArgumentError, "Unknown DOM element: #{elem}"
        end
    end
end

#each_candidate_element {|element| ... } ⇒ Object

Passes each element prepared for audit to the block.

It will use the elements from the check's Base.info hash. If no elements have been specified it will use ELEMENTS_WITH_INPUTS.

Yields:

  • (element)

    Each candidate element.

Yield Parameters:


477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
# File 'lib/arachni/check/auditor.rb', line 477

def each_candidate_element( &block )
    types = self.class.elements
    types = ELEMENTS_WITH_INPUTS if types.empty?

    types.each do |elem|
        elem = elem.type

        next if !Options.audit.elements?( elem )

        case elem
            when Element::Link.type
                prepare_each_element( page.links, &block )

            when Element::Form.type
                prepare_each_element( page.forms, &block )

            when Element::Cookie.type
                prepare_each_element(page.cookies, &block )

            when Element::NestedCookie.type
                prepare_each_element(page.nested_cookies, &block )

            when Element::Header.type
                prepare_each_element( page.headers, &block )

            when Element::LinkTemplate.type
                prepare_each_element( page.link_templates, &block )

            when Element::JSON.type
                prepare_each_element( page.jsons, &block )

            when Element::XML.type
                prepare_each_element( page.xmls, &block )

            else
                fail ArgumentError, "Unknown element: #{elem}"
        end
    end
end

#httpHTTP::Client

Returns:


327
328
329
# File 'lib/arachni/check/auditor.rb', line 327

def http
    HTTP::Client
end

#initialize(page, framework) ⇒ Object

Parameters:


321
322
323
324
# File 'lib/arachni/check/auditor.rb', line 321

def initialize( page, framework )
    @page      = page
    @framework = framework
end

#log(options) ⇒ Issue

Populates and logs an Issue.

Parameters:

  • options (Hash)

    Issue initialization options.

Returns:


420
421
422
# File 'lib/arachni/check/auditor.rb', line 420

def log( options )
    self.class.log( options.merge( referring_page: @page ) )
end

#log_issue(options) ⇒ Issue

Helper method for issue logging.

Parameters:

Returns:

See Also:

  • create_issue

410
411
412
# File 'lib/arachni/check/auditor.rb', line 410

def log_issue( options )
    self.class.log_issue( options.merge( referring_page: @page ) )
end

#log_remote_file(response, silent = false) ⇒ Issue #log_remote_file(page, silent = false) ⇒ Issue Also known as: log_remote_directory

Logs the existence of a remote file as an issue.

Overloads:

  • #log_remote_file(response, silent = false) ⇒ Issue

    Parameters:

    • response (HTTP::Response)
    • silent (Bool) (defaults to: false)

      If false, a message will be printed to stdout containing the status of the operation.

  • #log_remote_file(page, silent = false) ⇒ Issue

    Parameters:

    • page (Page)
    • silent (Bool) (defaults to: false)

      If false, a message will be printed to stdout containing the status of the operation.

Returns:

See Also:


386
387
388
389
390
391
392
393
394
395
396
397
398
399
# File 'lib/arachni/check/auditor.rb', line 386

def log_remote_file( page_or_response, silent = false, options = {} )
    page = page_or_response.is_a?( Page ) ?
        page_or_response : page_or_response.to_page

    issue = log_issue({
        vector: Element::Server.new( page.url ),
        proof:  page.response.status_line,
        page:   page
    }.merge( options ))

    print_ok( "Found #{page.url}" ) if !silent

    issue
end

#log_remote_file_if_exists(url, silent = false, options = {}, &block) ⇒ Object Also known as: log_remote_directory_if_exists

Note:

Ignores custom 404 responses.

Logs a remote file or directory if it exists.

Parameters:

  • url (String)

    Resource to check.

  • silent (Bool) (defaults to: false)

    If false, a message will be printed to stdout containing the status of the operation.

  • block (Proc)

    Called if the file exists, just before logging the issue, and is passed the HTTP response.

Returns:

  • (Object)
    • nil if no URL was provided.
    • false if the request couldn't be fired.
    • true if everything went fine.

See Also:


349
350
351
352
# File 'lib/arachni/check/auditor.rb', line 349

def log_remote_file_if_exists( url, silent = false, options = {}, &block )
    @server ||= Element::Server.new( page.url ).tap { |s| s.auditor = self }
    @server.log_remote_file_if_exists( url, silent, options, &block )
end

#match_and_log(patterns, &block) ⇒ Object

Matches an array of regular expressions against a string and logs the result as an issue.

Parameters:

  • patterns (Array<Regexp>)

    Array of regular expressions to be tested.

  • block (Block)

    Block to verify matches before logging, must return true/false.

See Also:


364
365
366
367
# File 'lib/arachni/check/auditor.rb', line 364

def match_and_log( patterns, &block )
    @body ||= Element::Body.new( self.page.url ).tap { |b| b.auditor = self }
    @body.match_and_log( patterns, &block )
end

#max_issuesObject


283
284
285
# File 'lib/arachni/check/auditor.rb', line 283

def max_issues
    self.class.max_issues
end

#preferredObject

This method is abstract.

427
428
429
# File 'lib/arachni/check/auditor.rb', line 427

def preferred
    []
end

#skip?(element) ⇒ Boolean

This is called right before an Element is audited and is used to determine whether to skip it or not.

Running checks can override this as they wish but at their own peril.

Parameters:

Returns:

  • (Boolean)

    true if the element should be skipped, false otherwise.

See Also:

  • Page#audit?

442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
# File 'lib/arachni/check/auditor.rb', line 442

def skip?( element )
    # This method also gets called from Auditable#audit to check mutations,
    # don't touch these, we're filtering at a higher level here, otherwise
    # we might mess up the audit.
    return true if !element.mutation? && audited?( element.coverage_id )
    return true if !page.audit_element?( element )

    # Don't audit elements which have been already logged as vulnerable
    # either by us or preferred checks.
    (preferred | [shortname]).each do |check|
        next if !framework.checks.include?( check )

        klass = framework.checks[check]
        next if !klass.info.include?(:issue)

        # No point in doing the following heavy deduplication check if there
        # are no issues logged to begin with.
        next if klass.issue_counter == 0

        if Data.issues.include?( klass.create_issue( vector: element ) )
            return true
        end
    end

    false
end

#trace_taint(resource, options = {}, &block) ⇒ Object

Traces the taint in the given resource and passes each page to the block.

Parameters:

  • resource (Page, String, HTTP::Response)

    Resource to load and whose environment to trace, if given a String it will be treated it as a URL and will be loaded.

  • options (Hash) (defaults to: {})
  • block (Block)

    Block to handle each page snapshot. If the block returns a true value, further analysis will be aborted.


638
639
640
641
642
643
644
# File 'lib/arachni/check/auditor.rb', line 638

def trace_taint( resource, options = {}, &block )
    with_browser_cluster do |cluster|
        cluster.trace_taint( resource, options ) do |result|
            block.call( result.page )
        end
    end
end

#with_browser(*args, &block) ⇒ Object

Note:

Operates in non-blocking mode.

Parameters:

See Also:

  • BrowserCluster::Worker#with_browser

660
661
662
663
# File 'lib/arachni/check/auditor.rb', line 660

def with_browser( *args, &block )
    with_browser_cluster { |cluster| cluster.with_browser( *args, &block ) }
    true
end

#with_browser_cluster(&block) ⇒ Object

Parameters:

  • block (Block)

    Block to passed a BrowserCluster, if one is available.


648
649
650
651
652
# File 'lib/arachni/check/auditor.rb', line 648

def with_browser_cluster( &block )
    return if !browser_cluster
    block.call browser_cluster
    true
end