Module: Arachni::Element::Capabilities::Mutable

Included in:

Arachni::Element::Cookie, Arachni::Element::Cookie::Capabilities::Mutable, DOM::Capabilities::Mutable, Form, Form::Capabilities::Mutable, Header, Header::Capabilities::Mutable, JSON, JSON::Capabilities::Mutable, Link, LinkTemplate, NestedCookie, XML::Capabilities::Mutable

Defined in:

lib/arachni/element/capabilities/mutable.rb

Overview

Author:

• Tasos “Zapotek” Laskos <tasos.laskos@arachni-scanner.com>

Defined Under Namespace

Modules: Format

Constant Summary

MUTATION_OPTIONS =

Default formatting and mutation options.

{

    # Formatting of the injection strings.
    #
    # A new set of audit inputs will be generated for each value in the array.
    #
    # Values can be OR'ed bitfields of all available constants of {Format}.
    format:                 [
        Format::STRAIGHT, Format::APPEND,
        Format::NULL, Format::APPEND | Format::NULL
    ],

    # Inject the payload into parameter values.
    #
    # * `nil`: Use system settings (`!Options.audit.parameter_values`).
    # * `true`
    # * `false`
    parameter_values:       nil,

    # Place the payload as an input name.
    #
    # * `nil`: Use system settings (`!Options.audit.parameter_names`).
    # * `true`
    # * `false`
    parameter_names:        nil,

    # Add mutations with non-encoded payloads.
    #
    # * `nil`: Use system settings (`!Options.audit.with_raw_parameters`).
    # * `true`
    # * `false`
    with_raw_payloads:       nil,

    # Add the payload to an extra parameter.
    #
    # * `nil`: Use system settings (`!Options.audit.with_extra_parameter`).
    # * `true`
    # * `false`
    with_extra_parameter:   nil,

    # `nil`:   Use system settings (`!Options.audit.with_both_http_methods`).
    # `true`:  Don't create mutations with other methods (GET/POST).
    # `false`: Create mutations with other methods (GET/POST).
    with_both_http_methods: nil,

    # Array of parameter names remain untouched.
    skip:                   []
}

EXTRA_NAME =

'extra_arachni_input'

FUZZ_NAME =

'Parameter name fuzzing'

FUZZ_NAME_VALUE =

'arachni_name_fuzz'

Instance Attribute Summary

• #affected_input_name ⇒ String

  Name of the mutated parameter.

• #format ⇒ Object

  Returns the value of attribute format.

• #seed ⇒ String

  Original seed used for the #mutations.

Instance Method Summary

• #affected_input_value ⇒ nil, String

  `nil` if no input has been fuzzed, the `String` value of the fuzzed input.

• #affected_input_value=(value) ⇒ Object
• #dup ⇒ Object
• #each_mutation(payload, options = {}) {|mutation| ... } ⇒ Object

  Injects the `payload` in self's values according to formatting options and returns an array of mutations of self.

• #immutables ⇒ Set

  Names of input vectors to be excluded from #mutations.

• #inspect ⇒ Object
• #mutation? ⇒ Bool

  `true` if the element has been mutated, `false` otherwise.

• #mutations(payload, opts = {}) ⇒ Array

  Injects the `payload` in self's values according to formatting options and returns an array of mutations of self.

• #parameter_name_audit? ⇒ Boolean
• #reset ⇒ Object

  Resets the inputs to their original format/values.

• #switch_method ⇒ Object
• #to_h ⇒ Object
• #to_rpc_data ⇒ Object
• #with_raw_payload ⇒ Object
• #with_raw_payload? ⇒ Boolean

  `true` if the mutation's #affected_input_value has been set to skip encoding, `false` otherwise.

Instance Attribute Details

#affected_input_name ⇒ String

Returns Name of the mutated parameter.

Returns:

• (String) —

  Name of the mutated parameter.

# File 'lib/arachni/element/capabilities/mutable.rb', line 17

def affected_input_name
  @affected_input_name
end

#format ⇒ Object

Returns the value of attribute format.

# File 'lib/arachni/element/capabilities/mutable.rb', line 23

def format
  @format
end

#seed ⇒ String

Returns Original seed used for the #mutations.

Returns:

• (String) —

  Original seed used for the #mutations.

# File 'lib/arachni/element/capabilities/mutable.rb', line 21

def seed
  @seed
end

Instance Method Details

#affected_input_value ⇒ nil, String

Returns `nil` if no input has been fuzzed, the `String` value of the fuzzed input.

Returns:

• (nil, String) —

  `nil` if no input has been fuzzed, the `String` value of the fuzzed input.

# File 'lib/arachni/element/capabilities/mutable.rb', line 110

def affected_input_value
    return if !affected_input_name
    self[affected_input_name].to_s
end

#affected_input_value=(value) ⇒ Object

Parameters:

• value (String) —

  Sets the value for the fuzzed input.

# File 'lib/arachni/element/capabilities/mutable.rb', line 117

def affected_input_value=( value )
    self[affected_input_name] = value
end

#dup ⇒ Object

# File 'lib/arachni/element/capabilities/mutable.rb', line 321

def dup
    copy_mutable( super )
end

#each_mutation(payload, options = {}) {|mutation| ... } ⇒ Object

Note:

Vector names in #immutables will be excluded.

Injects the `payload` in self's values according to formatting options and returns an array of mutations of self.

Parameters:

• payload (String) —

  String to inject.

• options (Hash) (defaults to: {}) —

  MUTATION_OPTIONS

Yields:

• (mutation) —

  Each generated mutation.

Yield Parameters:

• (Mutable)

See Also:

• #immutables

# File 'lib/arachni/element/capabilities/mutable.rb', line 167

def each_mutation( payload, options = {}, &block )
    return if self.inputs.empty?

    if !valid_input_data?( payload )
        print_debug_level_2 "Payload not supported by #{self}: #{payload.inspect}"
        return
    end

    print_debug_trainer( options )
    print_debug_formatting( options )

    options          = prepare_mutation_options( options )
    generated        = Support::LookUp::HashSet.new
    filled_in_inputs = Options.input.fill( @inputs )

    if options[:parameter_values]
        @inputs.keys.each do |name|
            # Don't let parameter name pollution from an old audit of an
            # input name trick us into doing the same for elements without
            # that option.
            next if name == EXTRA_NAME
            next if immutables.include?( name )

            each_formatted_payload(
                payload, options[:format], filled_in_inputs[name]
            ) do |format, formatted_payload|

                elem = create_and_yield_if_unique(
                    generated, filled_in_inputs, payload, name,
                    formatted_payload, format, &block
                )

                next if !elem

                if options[:with_raw_payloads]
                    yield_if_unique( elem.with_raw_payload, generated, &block )
                end

                if options[:with_both_http_methods]
                    yield_if_unique( elem.switch_method, generated, &block )
                end
            end
        end
    end

    if options[:with_extra_parameter]
        if valid_input_name?( EXTRA_NAME )
            each_formatted_payload( payload, options[:format] ) do |format, formatted_payload|

                elem = create_and_yield_if_unique(
                    generated, filled_in_inputs.merge( EXTRA_NAME => '' ),
                    payload, EXTRA_NAME, formatted_payload, format, &block
                )

                next if !elem || !options[:with_both_http_methods]
                yield_if_unique( elem.switch_method, generated, &block )
            end
        else
            print_debug_level_2 'Extra name not supported as input name by' <<
                                    " #{audit_id}: #{payload.inspect}"
        end
    end

    if options[:parameter_names]
        if valid_input_name_data?( payload )
            elem                     = self.dup.update( filled_in_inputs )
            elem.affected_input_name = FUZZ_NAME
            elem[payload]            = FUZZ_NAME_VALUE
            elem.seed                = payload

            yield_if_unique( elem, generated, &block )
        else
            print_debug_level_2 'Payload not supported as input name by' <<
                                    " #{audit_id}: #{payload.inspect}"
        end
    end

    nil
end

#immutables ⇒ Set

Returns Names of input vectors to be excluded from #mutations.

Returns:

• (Set) —

  Names of input vectors to be excluded from #mutations.

# File 'lib/arachni/element/capabilities/mutable.rb', line 141

def immutables
    @immutables ||= Set.new
end

#inspect ⇒ Object

# File 'lib/arachni/element/capabilities/mutable.rb', line 292

def inspect
    s = "#<#{self.class} (#{http_method}) "

    if !orphan?
        s << "auditor=#{auditor.class} "
    end

    s << "url=#{url.inspect} "
    s << "action=#{action.inspect} "

    s << "default-inputs=#{default_inputs.inspect} "
    s << "inputs=#{inputs.inspect} "
    s << "raw_inputs=#{raw_inputs.inspect} "

    if mutation?
        s << "seed=#{seed.inspect} "
        s << "affected-input-name=#{affected_input_name.inspect} "
        s << "affected-input-value=#{affected_input_value.inspect}"
    end

    s << '>'
end

#mutation? ⇒ Bool

Returns `true` if the element has been mutated, `false` otherwise.

Returns:

• (Bool) —

  `true` if the element has been mutated, `false` otherwise.

# File 'lib/arachni/element/capabilities/mutable.rb', line 135

def mutation?
    !!self.affected_input_name
end

#mutations(payload, opts = {}) ⇒ Array

Injects the `payload` in self's values according to formatting options and returns an array of mutations of self.

Vector names in #immutables will be excluded.

Parameters:

• payload (String) —

  The string to inject.

• opts (Hash) (defaults to: {}) —

  MUTATION_OPTIONS

Returns:

• (Array)

See Also:

• #immutables

# File 'lib/arachni/element/capabilities/mutable.rb', line 274

def mutations( payload, opts = {} )
    combo = []
    each_mutation( payload, opts ) { |m| combo << m }
    combo
end

#parameter_name_audit? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/arachni/element/capabilities/mutable.rb', line 247

def parameter_name_audit?
    affected_input_name == FUZZ_NAME
end

#reset ⇒ Object

Resets the inputs to their original format/values.

# File 'lib/arachni/element/capabilities/mutable.rb', line 100

def reset
    super
    @affected_input_name = nil
    @seed                = nil
    self
end

#switch_method ⇒ Object

# File 'lib/arachni/element/capabilities/mutable.rb', line 257

def switch_method
    self.dup.tap { |c| c.method = (c.method == :get ? :post : :get) }
end

#to_h ⇒ Object

# File 'lib/arachni/element/capabilities/mutable.rb', line 280

def to_h
    h = super

    if mutation?
        h[:affected_input_name]  = self.affected_input_name
        h[:affected_input_value] = self.affected_input_value
        h[:seed]                 = self.seed
    end

    h
end

#to_rpc_data ⇒ Object

# File 'lib/arachni/element/capabilities/mutable.rb', line 315

def to_rpc_data
    d = super
    d.delete 'immutables'
    d
end

#with_raw_payload ⇒ Object

# File 'lib/arachni/element/capabilities/mutable.rb', line 251

def with_raw_payload
    self.dup.tap do |c|
        c.raw_inputs << c.affected_input_name
    end
end

#with_raw_payload? ⇒ Boolean

Returns `true` if the mutation's #affected_input_value has been set to skip encoding, `false` otherwise.

Returns:

• (Boolean) —

  `true` if the mutation's #affected_input_value has been set to skip encoding, `false` otherwise.

# File 'lib/arachni/element/capabilities/mutable.rb', line 148

def with_raw_payload?
    raw_inputs.include? affected_input_name
end