Class: Arachni::Checks::CommonAdminInterfaces

Inherits:

Arachni::Check::Base

• Object
• Arachni::Component::Base
• Arachni::Check::Base
• Arachni::Checks::CommonAdminInterfaces

Defined in:

components/checks/passive/common_admin_interfaces.rb

Overview

Looks for common administration interfaces on the server.

Author:

• Brendan Coles bcoles@gmail.com

• Tasos Laskos tasos.laskos@arachni-scanner.com

Constant Summary

Constants included from Arachni::Check::Auditor

Arachni::Check::Auditor::DOM_ELEMENTS_WITH_INPUTS, Arachni::Check::Auditor::ELEMENTS_WITH_INPUTS, Arachni::Check::Auditor::FILE_SIGNATURES, Arachni::Check::Auditor::FILE_SIGNATURES_PER_PLATFORM, Arachni::Check::Auditor::Format, Arachni::Check::Auditor::SOURCE_CODE_SIGNATURES_PER_PLATFORM

Constants included from Arachni

BANNER, Arachni::Cookie, Form, Header, JSON, Link, LinkTemplate, NestedCookie, Severity, UIForm, UIInput, VERSION, WEBSITE, WIKI, XML

Instance Attribute Summary

Attributes included from Arachni::Check::Auditor

#framework, #page

Class Method Summary

• .info ⇒ Object
• .resources ⇒ Object

Instance Method Summary

• #run ⇒ Object

Methods inherited from Arachni::Check::Base

#browser_cluster, #clean_up, elements, exempt_platforms, has_exempt_platforms?, has_platforms?, #initialize, platforms, #plugins, prefer, #preferred, preferred, #prepare, #session, supports_platforms?

Methods included from Arachni::Check::Auditor

#audit, #audit_differential, #audit_signature, #audit_timeout, #audited, #audited?, #buffered_audit, #each_candidate_dom_element, #each_candidate_element, has_timeout_candidates?, #http, #initialize, #log, #log_issue, #log_remote_file, #log_remote_file_if_exists, #match_and_log, #max_issues, #preferred, reset, #skip?, timeout_audit_run, #trace_taint, #with_browser, #with_browser_cluster

Methods inherited from Arachni::Component::Base

author, description, fullname, #shortname, shortname, shortname=, version

Methods included from Arachni::Component::Output

#depersonalize_output, #depersonalize_output?, #intercept_print_message

Methods included from UI::Output

#caller_location, #debug?, #debug_level, #debug_level_1?, #debug_level_2?, #debug_level_3?, #debug_level_4?, #debug_off, #debug_on, #disable_only_positives, #error_buffer, #error_log_fd, #error_logfile, #has_error_log?, #included, #log_error, #mute, #muted?, #only_positives, #only_positives?, #print_bad, #print_debug, #print_debug_backtrace, #print_debug_exception, #print_debug_level_1, #print_debug_level_2, #print_debug_level_3, #print_debug_level_4, #print_error, #print_error_backtrace, #print_exception, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #reroute_to_file, #reroute_to_file?, reset_output_options, #set_error_logfile, #unmute, #verbose?, #verbose_off, #verbose_on

Methods included from Arachni::Component::Utilities

#read_file

Methods included from Utilities

#available_port, available_port_mutex, #bytes_to_kilobytes, #bytes_to_megabytes, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_file, #cookies_from_parser, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_parser, #forms_from_response, #full_and_absolute_url?, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_parser, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #regexp_array_match, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_path?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite

Methods included from Arachni

URI, collect_young_objects, #get_long_win32_filename, jruby?, null_device, profile?, windows?

Constructor Details

This class inherits a constructor from Arachni::Check::Base

Class Method Details

.info ⇒ Object

# File 'components/checks/passive/common_admin_interfaces.rb', line 32

def self.info
    {
        name:        'Common administration interfaces',
        description: %q{Tries to find common admin interfaces on the server.},
        elements:    [ Element::Server ],
        author:      [
            'Brendan Coles <bcoles@gmail.com>',
            'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>'
        ],
        version:     '0.1.1',
        targets:     %w(Generic),
        references: {
            'Apache.org' => 'http://httpd.apache.org/docs/2.0/mod/mod_access.html',
            'WASC'       => 'http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location'
        },
        issue: {
            name:            %q{Common administration interface},
            description:     %q{An administration interface was identified and should be reviewed.},
            tags:            %w(common path file discovery),
            severity:        Severity::LOW,
            remedy_guidance: %q{
Access to administration interfaces should be restricted to trusted IP addresses only.
}
        }
    }
end

.resources ⇒ Object

# File 'components/checks/passive/common_admin_interfaces.rb', line 15

def self.resources
    @filenames ||= read_file( 'admin-panels.txt' )
end

Instance Method Details

#run ⇒ Object

# File 'components/checks/passive/common_admin_interfaces.rb', line 19

def run
    return if page.code != 200

    path = get_path( page.url )
    return if audited?( path )

    self.class.resources.each do |file|
        log_remote_file_if_exists( path + file )
    end

    audited( path )
end