Class: Arachni::Modules::Audit::XSS
- Inherits:
-
Arachni::Module::Base
- Object
- Arachni::Module::Base
- Arachni::Modules::Audit::XSS
- Includes:
- Arachni::Module::Registrar, Arachni::UI::Output
- Defined in:
- modules/audit/xss.rb
Overview
XSS recon module.
It audits links, forms and cookies.
@author: Anastasios “Zapotek” Laskos
<tasos.laskos@gmail.com>
<zapotek@segfault.gr>
@version: $Rev: 371 $
Class Method Summary (collapse)
Instance Method Summary (collapse)
-
- (XSS) initialize(page)
constructor
A new instance of XSS.
- - (Object) prepare
- - (Object) run
Methods included from Arachni::Module::Registrar
#add_storage, #get_storage, #get_store, included, #register_results
Methods included from Arachni::UI::Output
#debug!, #debug?, #only_positives!, #only_positives?, #print_debug, #print_debug_backtrace, #print_debug_pp, #print_error, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #verbose!, #verbose?
Methods inherited from Arachni::Module::Base
#clean_up, deps, #get_cookie_simple, #get_cookies, #get_cookies_simple, #get_data_file, #get_form_simple, #get_forms, #get_forms_simple, #get_links, #get_links_simple, #get_request_headers, #get_response_headers
Methods included from Arachni::Module::Auditor
#audit_cookies, #audit_forms, #audit_headers, #audit_links, #get_matches, #inject_each_var
Methods included from Arachni::Module::Trainer
Methods included from Arachni::Module::ElementDB
#init_cookies, #init_forms, #init_links, #update_cookies, #update_forms, #update_links, #work_on_cookies, #work_on_forms, #work_on_links
Constructor Details
- (XSS) initialize(page)
A new instance of XSS
37 38 39 40 41 42 |
# File 'modules/audit/xss.rb', line 37 def initialize( page ) super( page ) @__injection_strs_file = [] @results = [] end |
Class Method Details
+ (Object) info
88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 |
# File 'modules/audit/xss.rb', line 88 def self.info { 'Name' => 'XSS', 'Description' => %q{Cross-Site Scripting recon module}, 'Elements' => [ Vulnerability::Element::FORM, Vulnerability::Element::LINK, Vulnerability::Element::COOKIE, Vulnerability::Element::HEADER ], 'Author' => 'zapotek', 'Version' => '$Rev: 371 $', 'References' => { 'ha.ckers' => 'http://ha.ckers.org/xss.html', 'Secunia' => 'http://secunia.com/advisories/9716/' }, 'Targets' => { 'Generic' => 'all' }, 'Vulnerability' => { 'Name' => %q{Cross-Site Scripting (XSS)}, 'Description' => %q{Client-side code, like JavaScript, can be injected into the web application.}, 'CWE' => '79', 'Severity' => Vulnerability::Severity::HIGH, 'CVSSV2' => '9.0', 'Remedy_Guidance' => '', 'Remedy_Code' => '', } } end |
Instance Method Details
- (Object) prepare
44 45 46 |
# File 'modules/audit/xss.rb', line 44 def prepare( ) @__injection_strs_file = 'injection_strings.txt' end |
- (Object) run
48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 |
# File 'modules/audit/xss.rb', line 48 def run( ) # # it's better to save big arrays to a file # a big array is ugly, messy and can't be updated as easily # # but don't open the file yourself, use get_data_file( filename ) # with a block and read each line # # the file must be under modules/<modtype>/<modname>/<filename> # get_data_file( @__injection_strs_file ) { |str| audit_headers( str, Regexp.new( str ), str ).each { |res| @results << Vulnerability.new( res.merge( self.class.info ) ) } audit_forms( str, Regexp.new( str ), str ).each { |res| @results << Vulnerability.new( res.merge( self.class.info ) ) } audit_links( str, Regexp.new( str ), str ).each { |res| @results << Vulnerability.new( res.merge( self.class.info ) ) } ( str, Regexp.new( str ), str ).each { |res| @results << Vulnerability.new( res.merge( self.class.info ) ) } } register_results( @results ) end |