Class: Arachni::Modules::Audit::ResponseSplitting
- Inherits:
- Arachni::Module::Base (hierarchy: Object, Arachni::Module::Base, Arachni::Modules::Audit::ResponseSplitting)
- Includes:
- Arachni::Module::Registrar, Arachni::UI::Output
- Defined in:
- modules/audit/response_splitting.rb
Overview
HTTP Response Splitting recon module.
It audits links, forms and cookies.
@author: Anastasios “Zapotek” Laskos
<tasos.laskos@gmail.com> <zapotek@segfault.gr>
@version: $Rev: 371 $
Class Method Summary
Instance Method Summary
- - (ResponseSplitting) initialize(page) (constructor): A new instance of ResponseSplitting.
- - (Object) prepare
- - (Object) run
Methods included from Arachni::Module::Registrar
#add_storage, #get_storage, #get_store, included, #register_results
Methods included from Arachni::UI::Output
#debug!, #debug?, #only_positives!, #only_positives?, #print_debug, #print_debug_backtrace, #print_debug_pp, #print_error, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #verbose!, #verbose?
Methods inherited from Arachni::Module::Base
#clean_up, deps, #get_cookie_simple, #get_cookies, #get_cookies_simple, #get_data_file, #get_form_simple, #get_forms, #get_forms_simple, #get_links, #get_links_simple, #get_request_headers, #get_response_headers
Methods included from Arachni::Module::Auditor
#audit_cookies, #audit_forms, #audit_headers, #audit_links, #get_matches, #inject_each_var
Methods included from Arachni::Module::Trainer
Methods included from Arachni::Module::ElementDB
#init_cookies, #init_forms, #init_links, #update_cookies, #update_forms, #update_links, #work_on_cookies, #work_on_forms, #work_on_links
Constructor Details
- (ResponseSplitting) initialize(page)
A new instance of ResponseSplitting
    # File 'modules/audit/response_splitting.rb', line 40

    def initialize( page )
        super( page )

        # initialize the header
        @__header = ''

        # initialize the array that will hold the results
        @results = []
    end
Class Method Details
+ (Object) info
    # File 'modules/audit/response_splitting.rb', line 87

    def self.info
        {
            'Name'           => 'ResponseSplitting',
            'Description'    => %q{Response Splitting recon module.
                Tries to inject some data into the webapp and figure out
                if any of them end up in the response header.
            },
            'Elements'       => [
                Vulnerability::Element::FORM,
                Vulnerability::Element::LINK,
                Vulnerability::Element::COOKIE
            ],
            'Author'         => 'zapotek',
            'Version'        => '$Rev: 371 $',
            'References'     => {
                'SecuriTeam' => 'http://www.securiteam.com/securityreviews/5WP0E2KFGK.html',
                'OWASP'      => 'http://www.owasp.org/index.php/HTTP_Response_Splitting'
            },
            'Targets'        => { 'Generic' => 'all' },

            'Vulnerability'  => {
                'Name'            => %q{Response splitting},
                'Description'     => %q{The web application includes user input in the response HTTP header.},
                'CWE'             => '20',
                'Severity'        => Vulnerability::Severity::MEDIUM,
                'CVSSV2'          => '5.0',
                'Remedy_Guidance' => '',
                'Remedy_Code'     => '',
            }
        }
    end
Instance Method Details
- (Object) prepare
    # File 'modules/audit/response_splitting.rb', line 50

    def prepare( )
        # the header to inject...
        # what we will check for in the response header
        # is the existence of the "x-crlf-safe" field.
        # if we find it it means that the site is vulnerable
        @__header = "\r\nX-CRLF-Safe: no"
    end
- (Object) run
    # File 'modules/audit/response_splitting.rb', line 59

    def run( )
        # try to inject the header via the forms of the page
        # and pass a block that will check for a positive result
        audit_forms( @__header ) {
            |url, res, var|
            __log_results( Vulnerability::Element::FORM, var, res, url )
        }

        # try to inject the header via the link variables
        # and pass a block that will check for a positive result
        audit_links( @__header ) {
            |url, res, var|
            __log_results( Vulnerability::Element::LINK, var, res, url )
        }

        # try to inject the header via cookies
        # and pass a block that will check for a positive result
        audit_cookies( @__header ) {
            |url, res, var|
            __log_results( Vulnerability::Element::COOKIE, var, res, url )
        }

        # register our results with the system
        register_results( @results )
    end
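
The check that prepare and run describe, shown next to the input handling that defeats it, as an added Ruby example rather than Arachni code. The module's own __log_results is not shown on this page, so build_response, parse_headers, injected_header_present? and the sample response are hypothetical names and constructed data.

```ruby
# Added example, not part of Arachni. All method names here are hypothetical.

# The string the module's prepare() assigns to @__header.
INJECTED = "\r\nX-CRLF-Safe: no"

# Constructed handler: copies a request parameter into a Set-Cookie header.
# With sanitize: false it reproduces the flaw the module looks for;
# with sanitize: true CR and LF are removed before the value reaches a header.
def build_response(lang, sanitize:)
  lang = lang.delete("\r\n") if sanitize
  "HTTP/1.1 302 Found\r\n" \
  "Location: /home\r\n" \
  "Set-Cookie: lang=#{lang}\r\n" \
  "Content-Length: 0\r\n" \
  "\r\n"
end

# Parse the header section of a raw response into a hash keyed by
# lower-cased field name, which is how a client would see the fields.
def parse_headers(raw)
  head  = raw.split("\r\n\r\n", 2).first
  lines = head.split("\r\n")
  lines.shift # drop the status line
  lines.each_with_object({}) do |line, headers|
    name, value = line.split(':', 2)
    next if value.nil? # not a "name: value" line
    headers[name.strip.downcase] = value.strip
  end
end

# Positive result as the prepare() comment defines it: the "x-crlf-safe"
# field exists as a header of its own in the response.
def injected_header_present?(raw)
  parse_headers(raw).key?('x-crlf-safe')
end

if __FILE__ == $PROGRAM_NAME
  probe = 'en' + INJECTED
  puts "unsanitized: #{injected_header_present?(build_response(probe, sanitize: false))}"
  puts "sanitized:   #{injected_header_present?(build_response(probe, sanitize: true))}"
end
```

In the sanitized case the marker text survives only inside the Set-Cookie value, so no new header field is created and the check stays negative.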