Class: Arachni::Session

Inherits:

Object

• Object
• Arachni::Session

Includes:

UI::Output, Utilities

Defined in:

lib/arachni/session.rb

Overview

Session management class.

Handles logins, provided log-out detection, stores and executes login sequences and provided general webapp session related helpers.

Author:

• Tasos “Zapotek” Laskos <tasos.laskos@arachni-scanner.com>

Defined Under Namespace

Classes: Error

Constant Summary

LOGIN_TRIES =

5

LOGIN_RETRY_WAIT =

5

Instance Attribute Summary

• #browser ⇒ Browser readonly
• #check_options ⇒ Hash

  HTTP::Client#request options for #logged_in?.

• #login_sequence ⇒ Block readonly

Instance Method Summary

• #can_login? ⇒ Bool

  `true` if there is log-in capability, `false` otherwise.

• #clean_up ⇒ Object
• #configuration ⇒ Object
• #configure(options) ⇒ Object
• #configured? ⇒ Bool

  `true` if configured, `false` otherwise.

• #cookie(&block) ⇒ Object

  Tries to find the main session (login/ID) cookie.

• #cookies ⇒ Array<Element::Cookie>

  Session cookies.

• #ensure_logged_in ⇒ Bool^?

  `true` if logged-in, `false` otherwise, `nil` if there's no log-in capability.

• #find_login_form(opts = {}, &block) ⇒ Object

  Finds a login forms based on supplied location, collection and criteria.

• #has_browser? ⇒ Boolean
• #has_login_check? ⇒ Bool

  `true` if a login check exists, `false` otherwise.

• #http ⇒ HTTP::Client
• #initialize ⇒ Session constructor

  A new instance of Session.

• #logged_in?(http_options = {}, &block) ⇒ Bool^?

  `true` if we're logged-in, `false` otherwise.

• #login(raise = false) ⇒ Page^?

  Uses the information provided by #configure or #login_sequence to login.

• #record_login_sequence(&block) ⇒ Object
• #with_browser(*args, &block) ⇒ Object

Methods included from Utilities

#available_port, available_port_mutex, #bytes_to_kilobytes, #bytes_to_megabytes, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_file, #cookies_from_parser, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_parser, #forms_from_response, #full_and_absolute_url?, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_parser, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #regexp_array_match, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_path?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite

Methods included from UI::Output

#debug?, #debug_level_1?, #debug_level_2?, #debug_level_3?, #debug_level_4?, #debug_off, #debug_on, #disable_only_positives, #included, #mute, #muted?, #only_positives, #only_positives?, #print_bad, #print_debug, #print_debug_backtrace, #print_debug_level_1, #print_debug_level_2, #print_debug_level_3, #print_debug_level_4, #print_error, #print_error_backtrace, #print_exception, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #reroute_to_file, #reroute_to_file?, reset_output_options, #unmute, #verbose?, #verbose_on

Constructor Details

#initialize ⇒ Session

Returns a new instance of Session.

# File 'lib/arachni/session.rb', line 65

def initialize
    @check_options = {}
end

Instance Attribute Details

#browser ⇒ Browser (readonly)

Returns:

• (Browser)

# File 'lib/arachni/session.rb', line 56

def browser
  @browser
end

#check_options ⇒ Hash

Returns HTTP::Client#request options for #logged_in?.

Returns:

• (Hash) —

  HTTP::Client#request options for #logged_in?.

# File 'lib/arachni/session.rb', line 63

def check_options
  @check_options
end

#login_sequence ⇒ Block (readonly)

Returns:

• (Block)

# File 'lib/arachni/session.rb', line 59

def login_sequence
  @login_sequence
end

Instance Method Details

#can_login? ⇒ Bool

Returns `true` if there is log-in capability, `false` otherwise.

Returns:

• (Bool) —

  `true` if there is log-in capability, `false` otherwise.

# File 'lib/arachni/session.rb', line 189

def can_login?
    configured? && has_login_check?
end

#clean_up ⇒ Object

# File 'lib/arachni/session.rb', line 69

def clean_up
    configuration.clear
    shutdown_browser
end

#configuration ⇒ Object

# File 'lib/arachni/session.rb', line 109

def configuration
    Data.session.configuration
end

#configure(options) ⇒ Object

Parameters:

• options (Hash)

Options Hash (options):

• :url (String) —

  URL containing the login form.

• :inputs (Hash{String=>String}) —

  Hash containing inputs with which to locate and fill-in the form.

# File 'lib/arachni/session.rb', line 104

def configure( options )
    configuration.clear
    configuration.merge! options
end

#configured? ⇒ Bool

Returns `true` if configured, `false` otherwise.

Returns:

• (Bool) —

  `true` if configured, `false` otherwise.

# File 'lib/arachni/session.rb', line 115

def configured?
    !!@login_sequence || configuration.any?
end

#cookie(&block) ⇒ Object

Tries to find the main session (login/ID) cookie.

Parameters:

• block (Block) —

  Block to be passed the cookie.

Raises:

• (Error::NoLoginCheck) —

  If no login-check has been configured.

# File 'lib/arachni/session.rb', line 87

def cookie( &block )
    return block.call( @session_cookie ) if @session_cookie
    fail Error::NoLoginCheck, 'No login-check has been configured.' if !has_login_check?

    cookies.each do |cookie|
        logged_in?( cookies: { cookie.name => '' } ) do |bool|
            next if bool
            block.call( @session_cookie = cookie )
        end
    end
end

#cookies ⇒ Array<Element::Cookie>

Returns Session cookies.

Returns:

• (Array<Element::Cookie>) —

  Session cookies.

# File 'lib/arachni/session.rb', line 76

def cookies
    http.cookies.select(&:session?)
end

#ensure_logged_in ⇒ Bool^?

Returns `true` if logged-in, `false` otherwise, `nil` if there's no log-in capability.

Returns:

• (Bool, nil) —

  `true` if logged-in, `false` otherwise, `nil` if there's no log-in capability.

# File 'lib/arachni/session.rb', line 196

def ensure_logged_in
    return if !can_login?
    return true if logged_in?

    print_bad 'The scanner has been logged out.'
    print_info 'Trying to re-login...'

    LOGIN_TRIES.times do |i|
        self.login

        if self.logged_in?
            print_ok 'Logged-in successfully.'
            return true
        end

        print_bad "Login attempt #{i+1} failed, retrying after " <<
                      "#{LOGIN_RETRY_WAIT} seconds..."
        sleep LOGIN_RETRY_WAIT
    end

    print_bad 'Could not re-login.'
    false
end

#find_login_form(opts = {}, &block) ⇒ Object

Finds a login forms based on supplied location, collection and criteria.

Parameters:

• opts (Hash) (defaults to: {})
• block (Block) —

  If a block and a :url are given, the request will run async and the block will be called with the result of this method.

Options Hash (opts):

• :requires_password (Bool) —

  Does the login form include a password field? (Defaults to `true`)

• :action (Array, Regexp) —

  Regexp to match or String to compare against the form action.

• :inputs (String, Array, Hash, Symbol) —

  Inputs that the form must contain.

• :forms (Array<Element::Form>) —

  Collection of forms to look through.

• :pages (Page, Array<Page>) —

  Pages to look through.

• :url (String) —

  URL to fetch and look for forms.

# File 'lib/arachni/session.rb', line 138

def find_login_form( opts = {}, &block )
    async = block_given?

    requires_password = (opts[:requires_password].nil? ? true : opts[:requires_password])

    find = proc do |cforms|
        cforms.select do |f|
            next if requires_password && !f.requires_password?

            oks = []

            if action = opts[:action]
                oks << !!(action.is_a?( Regexp ) ? f.action =~ action : f.action == action)
            end

            if inputs = opts[:inputs]
                oks << f.has_inputs?( inputs )
            end

            oks.count( true ) == oks.size
        end.first
    end

    forms = if opts[:pages]
                [opts[:pages]].flatten.map { |p| p.forms }.flatten
            elsif opts[:forms]
                opts[:forms]
            elsif (url = opts[:url])
                http_opts = {
                    update_cookies:  true,
                    follow_location: true,
                    performer:       self
                }

                if async
                    http.get( url, http_opts ) do |r|
                        block.call find.call( forms_from_response( r, true ) )
                    end
                else
                    forms_from_response(
                        http.get( url, http_opts.merge( mode: :sync ) ),
                        true
                    )
                end
            end

    find.call( forms || [] ) if !async
end

#has_browser? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/arachni/session.rb', line 314

def has_browser?
    Browser.has_executable? && Options.scope.dom_depth_limit > 0
end

#has_login_check? ⇒ Bool

Returns `true` if a login check exists, `false` otherwise.

Returns:

• (Bool) —

  `true` if a login check exists, `false` otherwise.

# File 'lib/arachni/session.rb', line 305

def has_login_check?
    !!@login_check || !!(Options.session.check_url && Options.session.check_pattern)
end

#http ⇒ HTTP::Client

Returns:

• (HTTP::Client)

# File 'lib/arachni/session.rb', line 310

def http
    HTTP::Client
end

#logged_in?(http_options = {}, &block) ⇒ Bool^?

Returns `true` if we're logged-in, `false` otherwise.

Parameters:

• http_options (Hash) (defaults to: {}) —

  HTTP options to use for the check.

• block (Block) —

  If a block has been provided the check will be async and the result will be passed to it, otherwise the method will return the result.

Returns:

• (Bool, nil) —

  `true` if we're logged-in, `false` otherwise.

Raises:

• (Error::NoLoginCheck) —

  If no login-check has been configured.

# File 'lib/arachni/session.rb', line 274

def logged_in?( http_options = {}, &block )
    fail Error::NoLoginCheck if !has_login_check?

    http_options = http_options.merge(
        method:          :get,
        mode:            block_given? ? :async : :sync,
        follow_location: true,
        performer:       self
    )
    http_options.merge!( @check_options )

    print_debug 'Performing login check.'

    bool = nil
    http.request( Options.session.check_url, http_options ) do |response|
        bool = !!response.body.match( Options.session.check_pattern )

        print_debug "Login check done: #{bool}"

        if !bool
            print_debug "\n#{response.request}#{response}"
        end

        block.call( bool ) if block
    end

    bool
end

#login(raise = false) ⇒ Page^?

Uses the information provided by #configure or #login_sequence to login.

Returns:

• (Page, nil) —

  Page if the login was successful, `nil` otherwise.

Raises:

• (Error::NotConfigured) —

  If not #configured?.

• (Error::FormNotFound) —

  If the form could not be found.

# File 'lib/arachni/session.rb', line 238

def login( raise = false )
    fail Error::NotConfigured, 'Please configure the session first.' if !configured?

    refresh_browser

    page = nil
    exception_jail raise do
        page = @login_sequence ? login_from_sequence : login_from_configuration
    end

    if has_browser?
        http.update_cookies browser.cookies
    end

    page
ensure
    shutdown_browser
end

#record_login_sequence(&block) ⇒ Object

Parameters:

• block (Block) —

  Login sequence. Must return the resulting Page.

  If a #browser is available it will be passed to the block.

# File 'lib/arachni/session.rb', line 225

def record_login_sequence( &block )
    @login_sequence = block
end

#with_browser(*args, &block) ⇒ Object

Parameters:

• block (Block) —

  Block to be passed the #browser.

# File 'lib/arachni/session.rb', line 259

def with_browser( *args, &block )
    block.call browser, *args
end