=begin
    Copyright 2010-2014 Tasos Laskos

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
=end

#
# Cross-Site tracing recon module.
#
# But not really...it only checks if the TRACE HTTP method is enabled.
#
# @author Tasos "Zapotek" Laskos
#
# @version 0.1.6
#
# @see http://cwe.mitre.org/data/definitions/693.html
# @see http://capec.mitre.org/data/definitions/107.html
# @see http://www.owasp.org/index.php/Cross_Site_Tracing
#
class Arachni::Modules::XST < Arachni::Module::Base

    # The check is server-wide, so it only needs to run once per scan.
    def self.ran?
        @ran ||= false
    end

    def self.ran
        @ran = true
    end

    def run
        return if self.class.ran?

        print_status( "Checking..." )

        http.trace( page.url ) do |res|
            # A TRACE that is rejected typically yields 405/501 or an empty body.
            next if res.code != 200 || res.body.to_s.empty?

            log( { element: Element::SERVER }, res )
            print_ok "TRACE is enabled."
        end
    end

    def clean_up
        self.class.ran
    end

    def self.info
        {
            name:        'XST',
            description: %q{Sends an HTTP TRACE request and checks if it succeeded.},
            elements:    [ Element::SERVER ],
            author:      'Tasos "Zapotek" Laskos ',
            version:     '0.1.6',
            references:  {
                'CAPEC' => 'http://capec.mitre.org/data/definitions/107.html',
                'OWASP' => 'http://www.owasp.org/index.php/Cross_Site_Tracing'
            },
            targets:     %w(Generic),
            issue:       {
                name:            %q{HTTP TRACE},
                description:     %q{The TRACE HTTP method allows a client to send a
    request to the server and have the same request sent back in the server's
    response. This allows the client to determine if the server is receiving the
    request as expected or if specific parts of the request are not arriving as
    expected, for example because of incorrect encoding, or because a load
    balancer has filtered or changed a value.

    On many default installations the TRACE method is still enabled. While not
    vulnerable by itself, it does provide a method for cyber-criminals to bypass
    the HttpOnly cookie flag, and therefore could allow an XSS attack to
    successfully access a session token.

    Arachni has discovered that the affected page permits the HTTP TRACE method.},
                tags:            %w(xst methods trace server),
                cwe:             '693',
                severity:        Severity::MEDIUM,
                remedy_guidance: %q{The HTTP TRACE method is normally not required
    within production sites, and should therefore be disabled.

    Depending on the function being performed by the web application, i.e.
    whether it serves static content or provides a portal where users must
    authenticate, the risk level can start low and increase as more
    functionality is implemented.

    The remediation is typically a very simple configuration change and in most
    cases will not have any negative impact on the server or application.

    For framework specific remediation see the following page:
    'www.owasp.org/index.php/Cross_Site_Tracing'.}
            }
        }
    end

end
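The module above treats any 200 response with a non-empty body as "TRACE enabled". The following added example (not part of Arachni) applies that same heuristic to a raw response string and places a stricter check beside it, which additionally requires the `message/http` echo that a real TRACE reply carries; the three sample responses are constructed, and `example.test` is a placeholder host.

```ruby
# Parse a raw HTTP/1.x response into [status_code, headers_hash, body].
def parse_http_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  status_line, *header_lines = head.split("\r\n")
  code = status_line.split(' ')[1].to_i
  headers = header_lines.each_with_object({}) do |line, h|
    name, value = line.split(':', 2)
    h[name.strip.downcase] = value.to_s.strip
  end
  [code, headers, body.to_s]
end

# The module's heuristic: a 200 status with a non-empty body means TRACE worked.
def loose_trace_check?(raw)
  code, _headers, body = parse_http_response(raw)
  code == 200 && !body.empty?
end

# Stricter variant: the body must actually be the echoed request, which the
# server labels with Content-Type message/http and which starts with the
# TRACE request line we sent. This avoids flagging servers that answer any
# unknown method with a 200 HTML page.
def strict_trace_check?(raw)
  code, headers, body = parse_http_response(raw)
  return false unless code == 200 && !body.empty?
  headers['content-type'].to_s.start_with?('message/http') &&
    body.start_with?('TRACE ')
end

# Constructed sample responses (not captured from a real server).
# 1. TRACE enabled: the request, including its Cookie header, comes back verbatim.
TRACE_ENABLED = "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n" \
                "TRACE / HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc\r\n\r\n"
# 2. TRACE disabled: the method is rejected outright.
TRACE_DISABLED = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"
# 3. Server ignores the method and serves its home page: loose check misfires.
HTML_200 = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" \
           "<html><body>Welcome</body></html>"

if __FILE__ == $0
  [TRACE_ENABLED, TRACE_DISABLED, HTML_200].each do |raw|
    puts "loose=#{loose_trace_check?(raw)} strict=#{strict_trace_check?(raw)}"
  end
end
```

Only the third sample separates the two checks: the module's heuristic reports it as a finding, while the stricter check does not, which is the case to keep in mind when triaging this module's output.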