Module: Arachni::Element::JSON::Capabilities::Mutable

Includes:
Capabilities::Mutable
Defined in:
lib/arachni/element/json/capabilities/mutable.rb

Overview

Extends Capabilities::Mutable with Arachni::Element::JSON-specific functionality.

Author:

  • Tasos “Zapotek” Laskos <tasos.laskos@arachni-scanner.com>

Constant Summary

Constants included from Capabilities::Mutable

Capabilities::Mutable::EXTRA_NAME, Capabilities::Mutable::FUZZ_NAME, Capabilities::Mutable::FUZZ_NAME_VALUE, Capabilities::Mutable::MUTATION_OPTIONS

Instance Attribute Summary

Attributes included from Capabilities::Mutable

#affected_input_name, #format, #seed

Instance Method Summary collapse

Methods included from Capabilities::Mutable

#affected_input_value, #affected_input_value=, #dup, #immutables, #inspect, #mutation?, #mutations, #parameter_name_audit?, #reset, #switch_method, #to_h, #to_rpc_data, #with_raw_payload, #with_raw_payload?

Instance Method Details

#affected_input_name=(name) ⇒ Object

Overrides Capabilities::Mutable#affected_input_name= to allow for non-string data of variable depth.

Parameters:

  • name (Array<String>, String)

    Sets the name of the fuzzed input.

    If the `name` is an `Array`, it will be treated as a path to the location of the input.

See Also:



30
31
32
33
34
35
36
# File 'lib/arachni/element/json/capabilities/mutable.rb', line 30

def affected_input_name=( name )
    if name.is_a?( Array ) && name.size == 1
        name = name.first
    end

    @affected_input_name = name
end

#each_mutation(payload, options = {}) {|mutation| ... } ⇒ Object

Note:

Vector names in Capabilities::Mutable#immutables will be excluded.

Overrides Capabilities::Mutable#each_mutation to allow for auditing of non-string data of variable depth.

Parameters:

Yields:

  • (mutation)

    Each generated mutation.

See Also:



47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# File 'lib/arachni/element/json/capabilities/mutable.rb', line 47

def each_mutation( payload, options = {}, &block )
    return if self.inputs.empty?

    if !valid_input_data?( payload )
        print_debug_level_2 "Payload not supported by #{self}: #{payload.inspect}"
        return
    end

    print_debug_trainer( options )
    print_debug_formatting( options )

    options   = prepare_mutation_options( options )
    generated = Arachni::Support::LookUp::HashSet.new

    if options[:parameter_values]
        options[:format].each do |format|
            traverse_inputs do |path, value|
                next if immutable_input?( path )

                create_and_yield_if_unique( generated, {}, payload, path,
                                            format_str( payload, format, value.to_s ), format, &block
                )
            end
        end
    end

    if options[:with_extra_parameter]
        if valid_input_name?( EXTRA_NAME )
            each_formatted_payload( payload, options[:format] ) do |format, formatted_payload|
                elem                     = self.dup
                elem.affected_input_name = EXTRA_NAME
                elem.inputs              =
                    elem.inputs.merge( EXTRA_NAME => formatted_payload )
                elem.seed                = payload
                elem.format              = format

                yield_if_unique( elem, generated, &block )
            end
        else
            print_debug_level_2 'Extra name not supported as input name by' <<
                                    " #{audit_id}: #{payload.inspect}"
        end
    end

    if options[:parameter_names]
        if valid_input_name_data?( payload )
            elem                     = self.dup
            elem.affected_input_name = FUZZ_NAME
            elem.inputs              = elem.inputs.merge( payload => FUZZ_NAME_VALUE )
            elem.seed                = payload

            yield_if_unique( elem, generated, &block )
        else
            print_debug_level_2 'Payload not supported as input name by' <<
                                    " #{audit_id}: #{payload.inspect}"
        end
    end

    nil
end