Class: Arachni::OptionGroups::Audit

Inherits:

Arachni::OptionGroup

• Object
• Arachni::OptionGroup
• Arachni::OptionGroups::Audit

Defined in:

lib/arachni/option_groups/audit.rb

Overview

Options for audit scope/coverage, mostly decides what types of elements should be considered.

Author:

• Tasos “Zapotek” Laskos <tasos.laskos@arachni-scanner.com>

Defined Under Namespace

Classes: Error

Instance Attribute Summary

• #cookies ⇒ Bool (also: #cookie_doms)

  Audit cookies.

• #cookies_extensively ⇒ Bool

  Like #cookies but all cookie audits are submitted along with any other available element on the page.

• #exclude_vector_patterns ⇒ Array<Regexp>

  Patterns to use to exclude vectors from the audit, by name.

• #forms ⇒ Bool (also: #form_doms)

  Audit forms.

• #headers ⇒ Bool

  Audit HTTP request headers.

• #include_vector_patterns ⇒ Array<Regexp>

  Patterns to use to include vectors in the audit exclusively, by name.

• #jsons ⇒ Bool

  Audit JSON request inputs.

• #link_templates ⇒ Array<Regexp> (also: #link_template_doms)

  Regular expressions with named captures, serving as templates used to extract input vectors from links.

• #links ⇒ Bool (also: #link_doms)

  Audit links.

• #nested_cookies ⇒ Bool

  Audit nested cookies.

• #parameter_names ⇒ Bool

  Inject payloads into parameter names.

• #parameter_values ⇒ Bool

  Inject payloads into parameter values.

• #ui_forms ⇒ Bool (also: #ui_form_doms)

  Audit DOM UI forms – i.e.

• #ui_inputs ⇒ Bool (also: #ui_input_doms)

  Audit DOM inputs.

• #with_both_http_methods ⇒ Bool

  If enabled, all element audits will be performed with both `GET` and `POST` HTTP methods.

• #with_extra_parameter ⇒ Bool

  Inject payloads into extra element parameters.

• #with_raw_payloads ⇒ Bool

  Allows checks to sent payloads in raw format, without HTTP encoding.

• #xmls ⇒ Bool

  Audit XML request inputs.

Instance Method Summary

• #elements(*element_types) ⇒ Object (also: #elements=, #element)

  Enables auditing of element types.

• #elements?(*element_types) ⇒ Bool (also: #element?)

  Get audit settings for the given element types.

• #link_templates? ⇒ Bool (also: #link_template_doms?)

  `true` if link templates have been specified, `false` otherwise.

• #skip_elements(*element_types) ⇒ Object (also: #skip_element)

  Disables auditing of element types.

• #to_h ⇒ Object
• #vector?(name) ⇒ Boolean
• #with_raw_payloads? ⇒ Boolean

Methods inherited from Arachni::OptionGroup

#==, attr_accessor, attributes, #attributes, defaults, #defaults, #hash, inherited, #initialize, #merge, set_defaults, #to_hash, #to_rpc_data, #update, #validate

Constructor Details

This class inherits a constructor from Arachni::OptionGroup

Instance Attribute Details

#cookies ⇒ Bool Also known as: cookie_doms

Note:

Default is `false`.

Returns Audit cookies.

Returns:

• (Bool) —

  Audit cookies.

See Also:

• Element::Cookie
• Element::Capabilities::Auditable#audit

# File 'lib/arachni/option_groups/audit.rb', line 113

def cookies
  @cookies
end

#cookies_extensively ⇒ Bool

Note:

Default is `false`.

Returns Like #cookies but all cookie audits are submitted along with any other available element on the page.

Returns:

• (Bool) —

  Like #cookies but all cookie audits are submitted along with any other available element on the page.

See Also:

• Element::Cookie#each_mutation
• Element::Capabilities::Auditable#audit

# File 'lib/arachni/option_groups/audit.rb', line 134

def cookies_extensively
  @cookies_extensively
end

#exclude_vector_patterns ⇒ Array<Regexp>

Returns Patterns to use to exclude vectors from the audit, by name.

Returns:

• (Array<Regexp>) —

  Patterns to use to exclude vectors from the audit, by name.

See Also:

• Element::Capabilities::Auditable#audit

# File 'lib/arachni/option_groups/audit.rb', line 76

def exclude_vector_patterns
  @exclude_vector_patterns
end

#forms ⇒ Bool Also known as: form_doms

Note:

Default is `false`.

Returns Audit forms.

Returns:

• (Bool) —

  Audit forms.

See Also:

• Element::Form
• Element::Capabilities::Auditable#audit

# File 'lib/arachni/option_groups/audit.rb', line 102

def forms
  @forms
end

#headers ⇒ Bool

Note:

Default is `false`.

Returns Audit HTTP request headers.

Returns:

• (Bool) —

  Audit HTTP request headers.

# File 'lib/arachni/option_groups/audit.rb', line 140

def headers
  @headers
end

#include_vector_patterns ⇒ Array<Regexp>

Returns Patterns to use to include vectors in the audit exclusively, by name.

Returns:

• (Array<Regexp>) —

  Patterns to use to include vectors in the audit exclusively, by name.

See Also:

• Element::Capabilities::Auditable#audit

# File 'lib/arachni/option_groups/audit.rb', line 82

def include_vector_patterns
  @include_vector_patterns
end

#jsons ⇒ Bool

Note:

Default is `false`.

Returns Audit JSON request inputs.

Returns:

• (Bool) —

  Audit JSON request inputs.

# File 'lib/arachni/option_groups/audit.rb', line 159

def jsons
  @jsons
end

#link_templates ⇒ Array<Regexp> Also known as: link_template_doms

Returns Regular expressions with named captures, serving as templates used to extract input vectors from links.

Returns:

• (Array<Regexp>) —

  Regular expressions with named captures, serving as templates used to extract input vectors from links.

See Also:

• Element::LinkTemplate

# File 'lib/arachni/option_groups/audit.rb', line 147

def link_templates
  @link_templates
end

#links ⇒ Bool Also known as: link_doms

Note:

Default is `false`.

Returns Audit links.

Returns:

• (Bool) —

  Audit links.

See Also:

• Element::Link
• Element::Capabilities::Auditable#audit

# File 'lib/arachni/option_groups/audit.rb', line 91

def links
  @links
end

#nested_cookies ⇒ Bool

Note:

Default is `false`.

Returns Audit nested cookies.

Returns:

• (Bool) —

  Audit nested cookies.

See Also:

• Element::NestedCookie
• Element::Capabilities::Auditable#audit

# File 'lib/arachni/option_groups/audit.rb', line 124

def nested_cookies
  @nested_cookies
end

#parameter_names ⇒ Bool

Note:

Default is `false`.

Returns Inject payloads into parameter names.

Returns:

• (Bool) —

  Inject payloads into parameter names.

See Also:

• Element::Capabilities::Mutable#each_mutation

# File 'lib/arachni/option_groups/audit.rb', line 43

def parameter_names
  @parameter_names
end

#parameter_values ⇒ Bool

Note:

Default is `true`.

Returns Inject payloads into parameter values.

Returns:

• (Bool) —

  Inject payloads into parameter values.

See Also:

• Element::Capabilities::Mutable#each_mutation

# File 'lib/arachni/option_groups/audit.rb', line 35

def parameter_values
  @parameter_values
end

#ui_forms ⇒ Bool Also known as: ui_form_doms

Note:

Default is `false`.

Returns Audit DOM UI forms – i.e. combination or orphan inputs and buttons.

Returns:

• (Bool) —

  Audit DOM UI forms – i.e. combination or orphan inputs and buttons.

# File 'lib/arachni/option_groups/audit.rb', line 179

def ui_forms
  @ui_forms
end

#ui_inputs ⇒ Bool Also known as: ui_input_doms

Note:

Default is `false`.

Returns Audit DOM inputs.

Returns:

• (Bool) —

  Audit DOM inputs.

# File 'lib/arachni/option_groups/audit.rb', line 171

def ui_inputs
  @ui_inputs
end

#with_both_http_methods ⇒ Bool

Note:

Default is `false`.

Returns If enabled, all element audits will be performed with both `GET` and `POST` HTTP methods.

Returns:

• (Bool) —

  If enabled, all element audits will be performed with both `GET` and `POST` HTTP methods.

See Also:

• Element::Capabilities::Mutable::MUTATION_OPTIONS
• Element::Capabilities::Mutable#each_mutation
• Element::Capabilities::Mutable#switch_method

# File 'lib/arachni/option_groups/audit.rb', line 70

def with_both_http_methods
  @with_both_http_methods
end

#with_extra_parameter ⇒ Bool

Note:

Default is `false`.

Returns Inject payloads into extra element parameters.

Returns:

• (Bool) —

  Inject payloads into extra element parameters.

See Also:

• Element::Capabilities::Mutable#each_mutation

# File 'lib/arachni/option_groups/audit.rb', line 59

def with_extra_parameter
  @with_extra_parameter
end

#with_raw_payloads ⇒ Bool

Note:

Default is `false`.

Returns Allows checks to sent payloads in raw format, without HTTP encoding.

Returns:

• (Bool) —

  Allows checks to sent payloads in raw format, without HTTP encoding.

See Also:

• Element::Capabilities::Mutable#each_mutation

# File 'lib/arachni/option_groups/audit.rb', line 51

def with_raw_payloads
  @with_raw_payloads
end

#xmls ⇒ Bool

Note:

Default is `false`.

Returns Audit XML request inputs.

Returns:

• (Bool) —

  Audit XML request inputs.

# File 'lib/arachni/option_groups/audit.rb', line 165

def xmls
  @xmls
end

Instance Method Details

#elements(*element_types) ⇒ Object Also known as: elements=, element

Enables auditing of element types.

Parameters:

• element_types (String, Symbol, Array) —

  Allowed:

  • `:links`

  • `:forms`

  • `:cookies`

  • `:headers`

# File 'lib/arachni/option_groups/audit.rb', line 239

def elements( *element_types )
    element_types.flatten.compact.each do |type|
        fail_on_unknown_element_type( type ) do
            self.send( "#{type}=", true ) rescue self.send( "#{type}s=", true )
        end
    end
    true
end

#elements?(*element_types) ⇒ Bool Also known as: element?

Get audit settings for the given element types.

Parameters:

• element_types (String, Symbol, Array) —

  Allowed:

  • `:links`

  • `:forms`

  • `:cookies`

  • `:headers`

  • `:ui_inputs`

  • `:ui_forms`

  • `:xmls`

  • `:jsons`

Returns:

• (Bool)

Raises:

• (Error::InvalidLinkTemplate)

# File 'lib/arachni/option_groups/audit.rb', line 287

def elements?( *element_types )
    !(element_types.flatten.compact.map do |type|
        fail_on_unknown_element_type( type ) do
            !!(self.send( "#{type}?" ) rescue self.send( "#{type}s?" ))
        end
    end.uniq.include?( false ))
end

#link_templates? ⇒ Bool Also known as: link_template_doms?

Returns `true` if link templates have been specified, `false` otherwise.

Returns:

• (Bool) —

  `true` if link templates have been specified, `false` otherwise.

# File 'lib/arachni/option_groups/audit.rb', line 315

def link_templates?
    @link_templates.any?
end

#skip_elements(*element_types) ⇒ Object Also known as: skip_element

Disables auditing of element types.

Parameters:

• element_types (String, Symbol, Array) —

  Allowed:

  • `:links`

  • `:forms`

  • `:cookies`

  • `:headers`

# File 'lib/arachni/option_groups/audit.rb', line 260

def skip_elements( *element_types )
    element_types.flatten.compact.each do |type|
        fail_on_unknown_element_type( type ) do
            self.send( "#{type}=", false ) rescue self.send( "#{type}s=", false )
        end
    end
    true
end

#to_h ⇒ Object

# File 'lib/arachni/option_groups/audit.rb', line 320

def to_h
    h = super
    [:link_templates, :include_vector_patterns, :exclude_vector_patterns].each do |k|
        h[k] = h[k].map(&:source)
    end
    h
end

#vector?(name) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/arachni/option_groups/audit.rb', line 305

def vector?( name )
    if include_vector_patterns.any? && !include_vector_patterns.find { |p| p =~ name }
        return false
    end

    !exclude_vector_patterns.find { |p| p =~ name }
end

#with_raw_payloads? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/arachni/option_groups/audit.rb', line 190

def with_raw_payloads?
    !!@with_raw_payloads
end