Class: Arachni::Reporters::HTML

Inherits:
Arachni::Reporter::Base
Includes:
TemplateUtilities
Defined in:
components/reporters/plugin_formatters/html/vector_collector.rb,
components/reporters/plugin_formatters/html/uncommon_headers.rb,
components/reporters/plugin_formatters/html/cookie_collector.rb,
components/reporters/plugin_formatters/html/http_dicattack.rb,
components/reporters/plugin_formatters/html/form_dicattack.rb,
components/reporters/plugin_formatters/html/content_types.rb,
components/reporters/plugin_formatters/html/waf_detector.rb,
components/reporters/plugin_formatters/html/login_script.rb,
components/reporters/plugin_formatters/html/uniformity.rb,
components/reporters/plugin_formatters/html/healthmap.rb,
components/reporters/plugin_formatters/html/autologin.rb,
components/reporters/plugin_formatters/html/metrics.rb,
components/reporters/plugin_formatters/html/exec.rb,
components/reporters/html.rb

Overview

Creates an HTML report with scan results.

Author:

Defined Under Namespace

Modules: TemplateUtilities Classes: TemplateScope

Constant Summary

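TEMPLATE_FILE =
    File.dirname( __FILE__ ) + '/html/default.erb'
# Directory holding the template's static assets (fonts/, js/, css/);
# note the trailing slash.
TEMPLATE_DIR =
    File.dirname( TEMPLATE_FILE ) + '/' +
    File.basename( TEMPLATE_FILE, '.erb' ) + '/'
OWASP_TOP_10_URL =
    'https://www.owasp.org/index.php/Top_10_2013-Top_10'

# OWASP Top 10 (2013) categories and the check shortnames that roll up into
# each one. Only categories with at least one mapped check are listed (there
# are no entries for A4, A7 and A9).
#
# The +:checks+ symbols are matched against check shortnames, so any typo or
# case mismatch silently drops those issues from the category -- keep them in
# plain snake_case exactly as the check files are named.
OWASP_TOP_10_DATA =
{
    'A1-Injection' => {
        code:       'A1',
        description: %q{
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data
is sent to an interpreter as part of a command or query. The attacker’s hostile
data can trick the interpreter into executing unintended commands or accessing
data without proper authorization.
},
        url:         'https://www.owasp.org/index.php/Top_10_2013-A1-Injection',
        checks:      [
            :command_injection,
            :command_injection_php_input_wrapper,
            :command_injection_timing,
            :ldap_injection,
            :no_sql_injection,
            :no_sql_injection_differential,
            :os_cmd_injection,
            :os_cmd_injection_timing,
            :sql_injection,
            :sql_injection_differential,
            :sql_injection_timing,
            :xpath_injection,
            :xxe
        ]
    },
    'A2-Broken Authentication and Session Management' => {
        code:        'A2',
        description: %q{
Application functions related to authentication and session management are often
not implemented correctly, allowing attackers to compromise passwords, keys, or
session tokens, or to exploit other implementation flaws to assume other users’
identities.
},
        url:         'https://www.owasp.org/index.php/Top_10_2013-A2-Broken_Authentication_and_Session_Management',
        checks:      [
            :session_fixation
        ]
    },
    'A3-Cross-Site Scripting (XSS)' => {
        code:        'A3',
        description: %q{
XSS flaws occur whenever an application takes untrusted data and sends it to a
web browser without proper validation or escaping. XSS allows attackers to
execute scripts in the victim’s browser which can hijack user sessions, deface
web sites, or redirect the user to malicious sites.
},
        url:         'https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)',
        checks:      [
            :xss,
            :xss_dom,
            :xss_dom_inputs,
            :xss_dom_script_context,
            :xss_event,
            :xss_path,
            :xss_script_context,
            :xss_tag
        ]
    },
    'A5-Security Misconfiguration' => {
        code:        'A5',
        description: %q{
Good security requires having a secure configuration defined and deployed for
the application, frameworks, application server, web server, database server,
and platform. Secure settings should be defined, implemented, and maintained,
as defaults are often insecure. Additionally, software should be kept up to date.
},
        url:         'https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration',
        checks:      [
            :cookie_set_for_parent_domain,
            :hsts,
            :insecure_cors_policy,
            :htaccess_limit,
            :http_put,
            :insecure_client_access_policy,
            # NOTE(review): the three names below were previously spelled
            # `insecure_cross_Domain_policy_*` and `origin_spood_*`, which can
            # never match a snake_case check shortname; verify the corrected
            # names against components/checks/.
            :insecure_cross_domain_policy_access,
            :insecure_cross_domain_policy_headers,
            :origin_spoof_access_restriction_bypass,
            :xst
        ]
    },
    'A6-Sensitive Data Exposure' => {
        code:        'A6',
        description: %q{
Many web applications do not properly protect sensitive data, such as credit
cards, tax IDs, and authentication credentials. Attackers may steal or modify
such weakly protected data to conduct credit card fraud, identity theft, or other
crimes. Sensitive data deserves extra protection such as encryption at rest or
in transit, as well as special precautions when exchanged with the browser.
},
        url:         'https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure',
        checks:      [
            :backup_directories,
            :backup_files,
            :credit_card,
            :cvs_svn_users,
            :private_ip,
            :ssn
        ]
    },
    # The key is rendered as the category heading; it previously duplicated
    # the A6 title although the description, URL and check are all CSRF.
    'A8-Cross-Site Request Forgery (CSRF)' => {
        code:        'A8',
        description: %q{
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request,
including the victim’s session cookie and any other automatically included
authentication information, to a vulnerable web application. This allows the
attacker to force the victim’s browser to generate requests the vulnerable
application thinks are legitimate requests from the victim.
},
        url:         'https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)',
        checks:      [
            :csrf
        ]
    },
    'A10-Unvalidated Redirects and Forwards' => {
        code:        'A10',
        description: %q{
Web applications frequently redirect and forward users to other pages and websites,
and use untrusted data to determine the destination pages. Without proper validation,
attackers can redirect victims to phishing or malware sites, or use forwards to
access unauthorized pages.
},
        url:         'https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards',
        checks:      [
            :unvalidated_redirect,
            :unvalidated_redirect_dom
        ]
    }
}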

Constants inherited from Arachni::Reporter::Base

Arachni::Reporter::Base::REPORT_FP

Constants included from Arachni

BANNER, Cookie, Form, Header, JSON, Link, LinkTemplate, Severity, UIForm, UIInput, VERSION, WEBSITE, WIKI, XML

Instance Attribute Summary

Attributes inherited from Arachni::Reporter::Base

#options, #report

Class Method Summary

Instance Method Summary

Methods included from TemplateUtilities

#base64_encode, #code_highlight, #data_dump, #erb, #escapeHTML, #highlight_issue_page_body, #highlight_proof, #id_to_location, #issue_id, #issue_location, #key_to_words, #md, #normalize

Methods inherited from Arachni::Reporter::Base

#format_plugin_results, has_outfile?, #has_outfile?, #initialize, #outfile, outfile_option, #skip_responses?

Methods inherited from Component::Base

author, description, fullname, #shortname, shortname, shortname=, version

Methods included from Component::Output

#depersonalize_output, #depersonalize_output?, #intercept_print_message

Methods included from UI::Output

#caller_location, #debug?, #debug_level, #debug_level_1?, #debug_level_2?, #debug_level_3?, #debug_level_4?, #debug_off, #debug_on, #disable_only_positives, #error_buffer, #error_log_fd, #error_logfile, #has_error_log?, #included, #log_error, #mute, #muted?, #only_positives, #only_positives?, #print_bad, #print_debug, #print_debug_backtrace, #print_debug_exception, #print_debug_level_1, #print_debug_level_2, #print_debug_level_3, #print_debug_level_4, #print_error, #print_error_backtrace, #print_exception, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #reroute_to_file, #reroute_to_file?, reset_output_options, #set_error_logfile, #unmute, #verbose?, #verbose_off, #verbose_on

Methods included from Component::Utilities

#read_file

Methods included from Utilities

#available_port, available_port_mutex, #bytes_to_kilobytes, #bytes_to_megabytes, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_file, #cookies_from_parser, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_parser, #forms_from_response, #full_and_absolute_url?, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_parser, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #regexp_array_match, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_path?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite

Methods included from Arachni

URI, collect_young_objects, #get_long_win32_filename, jruby?, null_device, profile?, windows?

Constructor Details

This class inherits a constructor from Arachni::Reporter::Base

Class Method Details

.info ⇒ Object


# File 'components/reporters/html.rb', line 436

# Component metadata used by the framework to list and configure this
# reporter.
#
# @return   [Hash]
#   +:name+, +:description+, +:content_type+ (+application/zip+, since the
#   report is emitted as a compressed archive), +:author+, +:version+ and the
#   reporter +:options+ (output file defaulting to +.html.zip+ and the
#   skip-responses switch).
def self.info
    reporter_options = [
        Options.outfile( '.html.zip' ),
        Options.skip_responses
    ]

    {
        name:         'HTML',
        description:  %q{Exports the audit results as a compressed HTML report.},
        content_type: 'application/zip',
        author:       'Tasos "Zapotek" Laskos <[email protected]>',
        version:      '0.4.3',
        options:      reporter_options
    }
end

Instance Method Details

#global_data ⇒ Object


# File 'components/reporters/html.rb', line 345

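# Builds the data handed to the templates.
#
# Issues are bucketed first by trust (+:trusted+ / +:untrusted+), then by
# severity in +Arachni::Issue::Severity::ORDER+, then by issue name; empty
# severity buckets and empty trust buckets are removed so the template never
# sees an empty section.
#
# @return   [Hash]
#   +prepare_data+ merged with +:report+, +:grouped_issues+ and the formatted
#   +:plugins+ results.
def global_data
    grouped_issues = {
        trusted:   {},
        untrusted: {}
    }

    Arachni::Issue::Severity::ORDER.each do |severity|
        by_severity = report.issues.select { |i| i.severity.to_sym == severity }
        next if by_severity.empty?

        # Keyed on the Severity object carried by the issues (what the
        # template consumes), not on the bare symbol from ORDER.
        severity_key = by_severity.first.severity
        by_name      = by_severity.group_by(&:name)

        grouped_issues[:trusted][severity_key]   = select_by_trust( by_name, :trusted? )
        grouped_issues[:untrusted][severity_key] = select_by_trust( by_name, :untrusted? )

        [:trusted, :untrusted].each do |t|
            grouped_issues[t].delete( severity_key ) if grouped_issues[t][severity_key].empty?
        end
    end

    [:trusted, :untrusted].each do |t|
        grouped_issues.delete( t ) if grouped_issues[t].empty?
    end

    prepare_data.merge(
        report:         report,
        grouped_issues: grouped_issues,
        plugins:        format_plugin_results
    )
end

# Filters a name => issues map down to the issues satisfying +predicate+,
# dropping names that end up with no issues.
#
# @param    [Hash{String=>Array}]   by_name
# @param    [Symbol]                predicate   +:trusted?+ or +:untrusted?+
#
# @return   [Hash{String=>Array}]
def select_by_trust( by_name, predicate )
    by_name.each_with_object({}) do |(name, issues), h|
        selected = issues.select(&predicate)
        h[name] = selected unless selected.empty?
    end
end
private :select_by_trust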

#run ⇒ Object

Renders the HTML report into a temporary directory and compresses it into the configured output file.


# File 'components/reporters/html.rb', line 399

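# Runs the HTML report: stages the template assets and the rendered pages in
# a per-run scratch directory, compresses that directory into +outfile+ and
# removes the scratch directory again.
#
# @return   [void]
def run
    # Drop any stale report first. `outfile` is an operator-supplied path, so
    # only remove a regular file: rm_rf would silently wipe a whole directory
    # tree if a directory path were passed as the output file.
    FileUtils.rm_f outfile

    print_line
    print_status 'Creating HTML report...'

    TemplateScope.global_data = global_data

    # Scratch directory under Arachni's configured tmpdir. Isolation between
    # runs rests on generate_token (Utilities, not visible here) being
    # unpredictable; NOTE(review): if that tmpdir is world-writable, a
    # guessable token would expose the rm_rf/mkdir_p below to a symlink
    # race -- confirm.
    tmpdir = "#{Arachni::Options.paths.tmpdir}/#{generate_token}/"

    begin
        FileUtils.rm_rf tmpdir
        FileUtils.mkdir_p tmpdir

        stage_assets( tmpdir )
        IO.write( "#{tmpdir}/index.html", erb( TEMPLATE_FILE ) )

        compress( tmpdir, outfile )
    ensure
        # Always remove the scratch directory, so a template or compressor
        # failure does not leave partially rendered report data on disk.
        FileUtils.rm_rf tmpdir
    end

    print_status "Saved in '#{outfile}'."
end

# Copies the static template assets (fonts and the js/css libraries) into
# +tmpdir+ and renders the ERB-templated JS/CSS next to them.
#
# @param    [String]    tmpdir
#   Scratch directory being assembled into the report.
#
# @return   [void]
def stage_assets( tmpdir )
    FileUtils.mkdir_p "#{tmpdir}/js/lib"
    FileUtils.mkdir_p "#{tmpdir}/css/lib"

    FileUtils.cp_r "#{TEMPLATE_DIR}/fonts", "#{tmpdir}/"
    FileUtils.cp_r "#{TEMPLATE_DIR}/js/lib", "#{tmpdir}/js/"
    FileUtils.cp_r "#{TEMPLATE_DIR}/css/lib", "#{tmpdir}/css/"

    %w(js/helpers.js js/init.js.erb js/charts.js.erb js/configuration.js.erb
        css/main.css).each do |f|
        if f.end_with? '.erb'
            # Rendered templates are written without their .erb suffix.
            IO.write( "#{tmpdir}/#{f.split('.erb').first}", erb( "#{TEMPLATE_DIR}/#{f}" ) )
        else
            FileUtils.cp( "#{TEMPLATE_DIR}/#{f}", "#{tmpdir}/#{f}" )
        end
    end
end
private :stage_assets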