Class: Arachni::Checks::HtaccessLimit

# File 'components/checks/passive/htaccess_limit.rb', line 31

def self.info
    {
        name:        '.htaccess LIMIT misconfiguration',
        description: %q{Checks for misconfiguration in LIMIT directives that blocks
            GET requests but allows POST.},
        elements:    [ Element::Server ],
        author:      'Tasos "Zapotek" Laskos <[email protected]>',
        version:     '0.1.7',

        issue:       {
            name:        %q{Misconfiguration in LIMIT directive of .htaccess file},
            description: %q{
There are a number of HTTP methods that can be used on a webserver (for example
`OPTIONS`, `HEAD`, `GET`, `POST`, `PUT`, `DELETE `etc.).
Each of these methods perform a different function, and each has an associated
level of risk when their use is permitted on the webserver.

The `<Limit>` directive within Apache's `.htaccess` file allows administrators
to define which of the methods they would like to block. However, as this is a
blacklisting approach, it is inevitable that a server administrator may
accidentally miss adding certain HTTP methods to be blocked, thus increasing
the level of risk to the application and/or server.
},
            references: {
                'Apache.org' => 'http://httpd.apache.org/docs/2.2/mod/core.html#limit'
            },
            tags:        %w(htaccess server limit),
            severity:    Severity::HIGH,
            remedy_guidance:  %q{
The preferred configuration is to prevent the use of unauthorised HTTP methods
by utilising the `<LimitExcept>` directive.

This directive uses a whitelisting approach to permit HTTP methods while
blocking all others not listed in the directive, and will therefor block any
method tampering attempts.

Most commonly, the only HTTP methods required for most scenarios are `GET` and
`POST`. An example of permitting these HTTP methods is:
 `<LimitExcept POST GET> require valid-user </LimitExcept>`
}
        }
    }
end

Instance Method Details

#check_and_log(response) ⇒ `Object`

# File 'components/checks/passive/htaccess_limit.rb', line 20

def check_and_log( response )
    return if response.code != 200

    log(
        vector:   Element::Server.new( response.url ),
        response: response,
        proof:    response.status_line
    )
    print_ok "Request was accepted: #{response.url}"
end

#run ⇒ `Object`

# File 'components/checks/passive/htaccess_limit.rb', line 12

def run
    return if page.code != 401

    [:post, :head, :blah]. each do |m|
        http.request( page.url, method: m ) { |response| check_and_log( response ) }
    end
end

Class: Arachni::Checks::HtaccessLimit

Overview

Constant Summary

Constants included from Arachni::Check::Auditor

Constants included from Arachni

Instance Attribute Summary

Attributes included from Arachni::Check::Auditor

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from Arachni::Check::Base

Methods included from Arachni::Check::Auditor

Methods inherited from Arachni::Component::Base

Methods included from Arachni::Component::Output

Methods included from UI::Output

Methods included from Arachni::Component::Utilities

Methods included from Utilities

Methods included from Arachni

Constructor Details

Class Method Details

.info ⇒ Object

Instance Method Details

#check_and_log(response) ⇒ Object

#run ⇒ Object

.info ⇒ `Object`

#check_and_log(response) ⇒ `Object`

#run ⇒ `Object`