Class: Arachni::Checks::HtaccessLimit

Inherits:
Arachni::Check::Base show all
Defined in:
components/checks/passive/htaccess_limit.rb

Overview

Author:

Constant Summary

Constants included from Arachni::Check::Auditor

Arachni::Check::Auditor::DOM_ELEMENTS_WITH_INPUTS, Arachni::Check::Auditor::ELEMENTS_WITH_INPUTS, Arachni::Check::Auditor::FILE_SIGNATURES, Arachni::Check::Auditor::FILE_SIGNATURES_PER_PLATFORM, Arachni::Check::Auditor::Format, Arachni::Check::Auditor::SOURCE_CODE_SIGNATURES_PER_PLATFORM

Constants included from Arachni

BANNER, Arachni::Cookie, Form, Header, JSON, Link, LinkTemplate, Severity, UIForm, UIInput, VERSION, WEBSITE, WIKI, XML

Instance Attribute Summary

Attributes included from Arachni::Check::Auditor

#framework, #page

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from Arachni::Check::Base

#browser_cluster, #clean_up, elements, exempt_platforms, has_exempt_platforms?, has_platforms?, #initialize, platforms, #plugins, prefer, #preferred, preferred, #prepare, #session, supports_platforms?

Methods included from Arachni::Check::Auditor

#audit, #audit_differential, #audit_signature, #audit_timeout, #audited, #audited?, #buffered_audit, #each_candidate_dom_element, #each_candidate_element, has_timeout_candidates?, #http, #initialize, #log, #log_issue, #log_remote_file, #log_remote_file_if_exists, #match_and_log, #max_issues, #preferred, reset, #skip?, timeout_audit_run, #trace_taint, #with_browser, #with_browser_cluster

Methods inherited from Arachni::Component::Base

author, description, fullname, #shortname, shortname, shortname=, version

Methods included from Arachni::Component::Output

#depersonalize_output, #depersonalize_output?, #intercept_print_message

Methods included from UI::Output

#caller_location, #debug?, #debug_level, #debug_level_1?, #debug_level_2?, #debug_level_3?, #debug_level_4?, #debug_off, #debug_on, #disable_only_positives, #error_buffer, #error_log_fd, #error_logfile, #has_error_log?, #included, #log_error, #mute, #muted?, #only_positives, #only_positives?, #print_bad, #print_debug, #print_debug_backtrace, #print_debug_exception, #print_debug_level_1, #print_debug_level_2, #print_debug_level_3, #print_debug_level_4, #print_error, #print_error_backtrace, #print_exception, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #reroute_to_file, #reroute_to_file?, reset_output_options, #set_error_logfile, #unmute, #verbose?, #verbose_off, #verbose_on

Methods included from Arachni::Component::Utilities

#read_file

Methods included from Utilities

#available_port, available_port_mutex, #bytes_to_kilobytes, #bytes_to_megabytes, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_file, #cookies_from_parser, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_parser, #forms_from_response, #full_and_absolute_url?, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_parser, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #regexp_array_match, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_path?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite

Methods included from Arachni

URI, collect_young_objects, #get_long_win32_filename, jruby?, null_device, profile?, windows?

Constructor Details

This class inherits a constructor from Arachni::Check::Base

Class Method Details

.infoObject


31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# File 'components/checks/passive/htaccess_limit.rb', line 31

def self.info
    {
        name:        '.htaccess LIMIT misconfiguration',
        description: %q{Checks for misconfiguration in LIMIT directives that blocks
            GET requests but allows POST.},
        elements:    [ Element::Server ],
        author:      'Tasos "Zapotek" Laskos <[email protected]>',
        version:     '0.1.7',

        issue:       {
            name:        %q{Misconfiguration in LIMIT directive of .htaccess file},
            description: %q{
There are a number of HTTP methods that can be used on a webserver (for example
`OPTIONS`, `HEAD`, `GET`, `POST`, `PUT`, `DELETE `etc.).
Each of these methods perform a different function, and each has an associated
level of risk when their use is permitted on the webserver.

The `<Limit>` directive within Apache's `.htaccess` file allows administrators
to define which of the methods they would like to block. However, as this is a
blacklisting approach, it is inevitable that a server administrator may
accidentally miss adding certain HTTP methods to be blocked, thus increasing
the level of risk to the application and/or server.
},
            references: {
                'Apache.org' => 'http://httpd.apache.org/docs/2.2/mod/core.html#limit'
            },
            tags:        %w(htaccess server limit),
            severity:    Severity::HIGH,
            remedy_guidance:  %q{
The preferred configuration is to prevent the use of unauthorised HTTP methods
by utilising the `<LimitExcept>` directive.

This directive uses a whitelisting approach to permit HTTP methods while
blocking all others not listed in the directive, and will therefor block any
method tampering attempts.

Most commonly, the only HTTP methods required for most scenarios are `GET` and
`POST`. An example of permitting these HTTP methods is:
 `<LimitExcept POST GET> require valid-user </LimitExcept>`
}
        }
    }
end

Instance Method Details

#check_and_log(response) ⇒ Object


20
21
22
23
24
25
26
27
28
29
# File 'components/checks/passive/htaccess_limit.rb', line 20

def check_and_log( response )
    return if response.code != 200

    log(
        vector:   Element::Server.new( response.url ),
        response: response,
        proof:    response.status_line
    )
    print_ok "Request was accepted: #{response.url}"
end

#runObject


12
13
14
15
16
17
18
# File 'components/checks/passive/htaccess_limit.rb', line 12

def run
    return if page.code != 401

    [:post, :head, :blah]. each do |m|
        http.request( page.url, method: m ) { |response| check_and_log( response ) }
    end
end