Class: Arachni::Checks::InsecureCORSPolicy
- Inherits: Arachni::Check::Base (Object > Arachni::Component::Base > Arachni::Check::Base > Arachni::Checks::InsecureCORSPolicy)
- Defined in: components/checks/passive/grep/insecure_cors_policy.rb
Constant Summary
Constants included from Arachni::Check::Auditor
Arachni::Check::Auditor::DOM_ELEMENTS_WITH_INPUTS, Arachni::Check::Auditor::ELEMENTS_WITH_INPUTS, Arachni::Check::Auditor::FILE_SIGNATURES, Arachni::Check::Auditor::FILE_SIGNATURES_PER_PLATFORM, Arachni::Check::Auditor::Format, Arachni::Check::Auditor::SOURCE_CODE_SIGNATURES_PER_PLATFORM
Constants included from Arachni
BANNER, Arachni::Cookie, Form, Header, JSON, Link, LinkTemplate, NestedCookie, Severity, UIForm, UIInput, VERSION, WEBSITE, WIKI, XML
Class Method Summary
Instance Method Summary
Methods inherited from Arachni::Check::Base
#browser_cluster, #clean_up, elements, exempt_platforms, has_exempt_platforms?, has_platforms?, #initialize, platforms, #plugins, prefer, #preferred, preferred, #prepare, #session, supports_platforms?
Methods included from Arachni::Check::Auditor
#audit, #audit_differential, #audit_signature, #audit_timeout, #audited, #audited?, #buffered_audit, #each_candidate_dom_element, #each_candidate_element, has_timeout_candidates?, #http, #initialize, #log, #log_issue, #log_remote_file, #log_remote_file_if_exists, #match_and_log, #max_issues, #preferred, reset, #skip?, timeout_audit_run, #trace_taint, #with_browser, #with_browser_cluster
Methods inherited from Arachni::Component::Base
author, description, fullname, #shortname, shortname, shortname=, version
Methods included from Arachni::Component::Output
#depersonalize_output, #depersonalize_output?, #intercept_print_message
Methods included from UI::Output
#caller_location, #debug?, #debug_level, #debug_level_1?, #debug_level_2?, #debug_level_3?, #debug_level_4?, #debug_off, #debug_on, #disable_only_positives, #error_buffer, #error_log_fd, #error_logfile, #has_error_log?, #included, #log_error, #mute, #muted?, #only_positives, #only_positives?, #print_bad, #print_debug, #print_debug_backtrace, #print_debug_exception, #print_debug_level_1, #print_debug_level_2, #print_debug_level_3, #print_debug_level_4, #print_error, #print_error_backtrace, #print_exception, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #reroute_to_file, #reroute_to_file?, reset_output_options, #set_error_logfile, #unmute, #verbose?, #verbose_off, #verbose_on
Methods included from Arachni::Component::Utilities
Methods included from Utilities
#available_port, available_port_mutex, #bytes_to_kilobytes, #bytes_to_megabytes, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_file, #cookies_from_parser, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_parser, #forms_from_response, #full_and_absolute_url?, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_parser, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #regexp_array_match, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_path?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite
Methods included from Arachni
URI, collect_young_objects, #get_long_win32_filename, jruby?, null_device, profile?, windows?
Constructor Details
This class inherits a constructor from Arachni::Check::Base
Class Method Details
.info ⇒ Object
# File 'components/checks/passive/grep/insecure_cors_policy.rb', line 24

def self.info
    {
        name:        'Insecure CORS policy',
        description: %q{Checks the host for a wildcard (`*`) `Access-Control-Allow-Origin` header.},
        author:      'Tasos Laskos <[email protected]>',
        version:     '0.1.1',
        elements:    [ Element::Server ],

        issue:       {
            name:            %q{Insecure 'Access-Control-Allow-Origin' header},
            description:     %q{
_Cross Origin Resource Sharing (CORS)_ is an HTML5 technology which gives modern
web browsers the ability to bypass restrictions implemented by the _Same Origin
Policy_.

The _Same Origin Policy_ requires that both the JavaScript and the page are loaded
from the same domain in order to allow JavaScript to interact with the page.
This in turn prevents malicious JavaScript being executed when loaded from
external domains.

The CORS policy allows the application to specify exceptions to the protections
implemented by the browser, and allows the developer to whitelist domains for
which external JavaScript is permitted to execute and interact with the page.

A weak CORS policy is one which whitelists all domains using a wildcard (`*`),
which will allow any externally loaded JavaScript resource to interact with the
affected page. This can severely increase the risk of attacks such as Cross Site
Scripting etc.

Arachni detected that the CORS policy being set by the server was weak, and used
a wildcard value. This is evident by the `Access-Control-Allow-Origin` header
being set to `*`.
},
            references:  {
                'OWASP'                     => 'https://www.owasp.org/index.php/CORS_OriginHeaderScrutiny',
                'Mozilla Developer Network' => 'https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS'
            },
            severity:        Severity::LOW,
            remedy_guidance: %q{
It is important that weak CORS policies are not used. Policies can be hardened
by removing the wildcard and individually specifying the domains where the
trusted JavaScript resources are located.

If the list of hosts for externally hosted JavaScript resources is excessive,
then a whole top level domain can be whitelisted by using a combination of the
wildcard and the domain (example: `*.arachni-scanner.com`).
}
        }
    }
end
Instance Method Details
#run ⇒ Object
# File 'components/checks/passive/grep/insecure_cors_policy.rb', line 13

def run
    return if audited?( page.parsed_url.host ) ||
        page.response.headers['Access-Control-Allow-Origin'] != '*'

    audited( page.parsed_url.host )

    log(
        vector: Element::Server.new( page.url ),
        proof:  page.response.headers_string[/Access-Control-Allow-Origin.*$/i]
    )
end
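The following is an added stand-alone example, not Arachni code: it reproduces the decision `#run` makes (flag a host once when `Access-Control-Allow-Origin` is exactly `*`) on constructed raw HTTP responses, and pairs it with the explicit allow-list that the remedy guidance in `.info` recommends instead of the wildcard. The URLs, hosts, header blocks and the `acao_value`, `insecure_cors_findings` and `allowed_origin` names are all constructed for this example.

```ruby
# Added example (not part of Arachni). All URLs, hosts and responses are constructed.
require 'uri'

# Extract the Access-Control-Allow-Origin value from a raw header block,
# matching the header name case-insensitively, as the check's regexp does.
def acao_value( headers_string )
    v = headers_string[/^Access-Control-Allow-Origin:\s*(.*?)\s*$/i, 1]
    v && v.strip
end

# Mirrors the check: an issue is recorded once per host when ACAO is exactly '*'.
# Takes [url, raw_headers] pairs and returns the [host, proof] pairs that would be logged.
def insecure_cors_findings( responses )
    audited = {}
    responses.each_with_object( [] ) do |(url, headers_string), findings|
        host = URI( url ).host
        next if audited[host] || acao_value( headers_string ) != '*'

        audited[host] = true
        findings << [ host, headers_string[/Access-Control-Allow-Origin.*$/i].strip ]
    end
end

# Hardened server-side counterpart from the remedy guidance: answer with the
# request's Origin only when its host is on an explicit allow-list, never with '*'.
def allowed_origin( request_origin, allow_list )
    return nil unless request_origin

    host = URI( request_origin ).host rescue nil
    return nil unless host

    allow_list.include?( host ) ? request_origin : nil
end

# Constructed sample responses: two from the same host (flagged once), one with an
# explicit origin (not flagged), one with no CORS header at all (not flagged).
SAMPLE_RESPONSES = [
    [ 'http://a.example/api',   "HTTP/1.1 200 OK\r\naccess-control-allow-origin: *\r\n" ],
    [ 'http://a.example/other', "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\n" ],
    [ 'http://b.example/api',   "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: https://app.b.example\r\n" ],
    [ 'http://c.example/api',   "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" ]
]

if __FILE__ == $0
    insecure_cors_findings( SAMPLE_RESPONSES ).each { |host, proof| puts "#{host}: #{proof}" }
end
```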