Class: Arachni::Checks::PasswordAutocomplete

Inherits:
Arachni::Check::Base show all
Defined in:
components/checks/passive/grep/password_autocomplete.rb

Overview

Greps pages for forms which have password fields without explicitly disabling auto-complete.

Author:

Constant Summary

Constants included from Arachni::Check::Auditor

Arachni::Check::Auditor::DOM_ELEMENTS_WITH_INPUTS, Arachni::Check::Auditor::ELEMENTS_WITH_INPUTS, Arachni::Check::Auditor::FILE_SIGNATURES, Arachni::Check::Auditor::FILE_SIGNATURES_PER_PLATFORM, Arachni::Check::Auditor::Format, Arachni::Check::Auditor::SOURCE_CODE_SIGNATURES_PER_PLATFORM

Constants included from Arachni

BANNER, Arachni::Cookie, Form, Header, JSON, Link, LinkTemplate, Severity, UIForm, UIInput, VERSION, WEBSITE, WIKI, XML

Instance Attribute Summary

Attributes included from Arachni::Check::Auditor

#framework, #page

Class Method Summary

Instance Method Summary

Methods inherited from Arachni::Check::Base

#browser_cluster, #clean_up, elements, exempt_platforms, has_exempt_platforms?, has_platforms?, #initialize, platforms, #plugins, prefer, #preferred, preferred, #prepare, #session, supports_platforms?

Methods included from Arachni::Check::Auditor

#audit, #audit_differential, #audit_signature, #audit_timeout, #audited, #audited?, #buffered_audit, #each_candidate_dom_element, #each_candidate_element, has_timeout_candidates?, #http, #initialize, #log, #log_issue, #log_remote_file, #log_remote_file_if_exists, #match_and_log, #max_issues, #preferred, reset, #skip?, timeout_audit_run, #trace_taint, #with_browser, #with_browser_cluster

Methods inherited from Arachni::Component::Base

author, description, fullname, #shortname, shortname, shortname=, version

Methods included from Arachni::Component::Output

#depersonalize_output, #depersonalize_output?, #intercept_print_message

Methods included from UI::Output

#caller_location, #debug?, #debug_level, #debug_level_1?, #debug_level_2?, #debug_level_3?, #debug_level_4?, #debug_off, #debug_on, #disable_only_positives, #error_buffer, #error_log_fd, #error_logfile, #has_error_log?, #included, #log_error, #mute, #muted?, #only_positives, #only_positives?, #print_bad, #print_debug, #print_debug_backtrace, #print_debug_exception, #print_debug_level_1, #print_debug_level_2, #print_debug_level_3, #print_debug_level_4, #print_error, #print_error_backtrace, #print_exception, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #reroute_to_file, #reroute_to_file?, reset_output_options, #set_error_logfile, #unmute, #verbose?, #verbose_off, #verbose_on

Methods included from Arachni::Component::Utilities

#read_file

Methods included from Utilities

#available_port, available_port_mutex, #bytes_to_kilobytes, #bytes_to_megabytes, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_file, #cookies_from_parser, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_parser, #forms_from_response, #full_and_absolute_url?, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_parser, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #regexp_array_match, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_path?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite

Methods included from Arachni

URI, collect_young_objects, #get_long_win32_filename, jruby?, null_device, profile?, windows?

Constructor Details

This class inherits a constructor from Arachni::Check::Base

Class Method Details

.info ⇒ Object

# File 'components/checks/passive/grep/password_autocomplete.rb', line 32

def self.info
    {
        name:        'Password field with auto-complete',
        description: %q{Greps pages for forms which have password fields
            without explicitly disabling auto-complete.},
        elements:    [ Element::Form ],
        author:      'Tasos "Zapotek" Laskos <[email protected]>',
        version:     '0.3.1',

        issue:       {
            name:        %q{Password field with auto-complete},
            description: %q{
In typical form-based web applications, it is common practice for developers to
allow `autocomplete` within the HTML form to improve the usability of the page.
With `autocomplete` enabled (default), the browser is allowed to cache previously
entered form values.

For legitimate purposes, this allows the user to quickly re-enter the same data
when completing the form multiple times.

When `autocomplete` is enabled on either or both of the username and password fields,
a cyber-criminal with access to the victim's computer could have the victim's
credentials automatically entered when visiting the affected page.

Arachni has discovered that the affected page contains a form containing a
password field that has not disabled `autocomplete`.
},
            severity:    Severity::LOW,
            remedy_guidance: %q{
The `autocomplete` value can be configured in two different locations.

The first and most secure location is to disable the `autocomplete` attribute on
the `<form>` HTML tag. This will disable `autocomplete` for all inputs within that form.
An example of disabling `autocomplete` within the form tag is `<form autocomplete=off>`.

The second, slightly less desirable, option is to disable the `autocomplete` attribute
on a specific `<input>` HTML tag.
While this is the less desirable solution from a security perspective, it may be
the preferred method for usability reasons, depending on the size of the form.
An example of disabling the `autocomplete` attribute within a password input tag
is `<input type=password autocomplete=off>`.
}
        },
        max_issues: 25
    }
end

Instance Method Details

#has_input_with_autocomplete_off?(form) ⇒ Boolean

Returns:

  • (Boolean)

# File 'components/checks/passive/grep/password_autocomplete.rb', line 25

# True if any input of the form (not only the password field) carries
# autocomplete=off; the input-level opt-out is accepted as sufficient.
def has_input_with_autocomplete_off?( form )
    form.inputs.each do |k, v|
        return true if form.details_for( k )[:autocomplete] == 'off'
    end
    false
end

#run ⇒ Object


# File 'components/checks/passive/grep/password_autocomplete.rb', line 15

def run
    page.forms.each do |form|
        # Only forms with a password field are of interest.
        next if !form.requires_password?
        # Opt-out on the <form> tag itself covers every input in it.
        next if form.simple[:autocomplete] == 'off'
        # Opt-out on an individual <input> tag.
        next if has_input_with_autocomplete_off? form

        log( vector: form )
    end
end
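The same decision logic as `#run` and `#has_input_with_autocomplete_off?`, as an added example that is not Arachni's own code: a minimal regex-based form parser (an assumption standing in for Arachni's `Page` and `Form` classes) is run over constructed HTML covering the vulnerable case and each of the three skip conditions.

```ruby
# Added example, not part of Arachni. A deliberately simple regex parser stands
# in for Arachni's Form/Page classes; it handles <form>/<input> tags only.

# Collects every <form ...>...</form> block with its attributes and <input> tags.
def extract_forms(html)
  html.scan(%r{<form\b([^>]*)>(.*?)</form>}mi).map do |attrs, body|
    { attributes: parse_attributes(attrs),
      inputs:     body.scan(/<input\b([^>]*)>/mi).map { |m| parse_attributes(m[0]) } }
  end
end

# Turns `type=password autocomplete="off"` into { 'type' => 'password', ... }.
# Names and values are lower-cased; valueless attributes (e.g. `required`) are ignored.
def parse_attributes(str)
  pairs = str.scan(/([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/)
  pairs.each_with_object({}) { |(k, dq, sq, bare), h| h[k.downcase] = (dq || sq || bare).downcase }
end

# Mirrors the three `next if` guards in #run: no password field, autocomplete=off
# on the <form> tag, or autocomplete=off on any <input> (not only the password one).
def password_autocomplete_issue?(form)
  return false unless form[:inputs].any? { |i| i['type'] == 'password' }
  return false if form[:attributes]['autocomplete'] == 'off'
  return false if form[:inputs].any? { |i| i['autocomplete'] == 'off' }
  true
end

# Returns the index of every form on the page that the check would log.
def flag_forms(html)
  forms = extract_forms(html)
  forms.each_index.select { |i| password_autocomplete_issue?(forms[i]) }
end

# Constructed sample page: form 0 is logged; form 1 opts out at the form level,
# form 2 opts out on the password input, form 3 has no password field.
SAMPLE_HTML = <<~HTML
  <form action="/login" method="post">
    <input type="text" name="user"><input type="password" name="pass">
  </form>
  <form action="/login2" autocomplete="off">
    <input type="password" name="pass">
  </form>
  <form action="/login3">
    <input type=password name=pass autocomplete=off>
  </form>
  <form action="/search"><input type="text" name="q"></form>
HTML

puts "Forms flagged: #{flag_forms(SAMPLE_HTML).inspect}" if __FILE__ == $PROGRAM_NAME
```

Current mainstream browsers ignore `autocomplete=off` on login fields and still offer to save credentials, so this finding documents a missing defence-in-depth hint rather than an enforceable control.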