RubyGems - arachni - Versions diffs - 0.2.2.1 - Mend

arachni 0.2.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (262) hide show

data/ACKNOWLEDGMENTS.md +14 -0
data/AUTHORS.md +6 -0
data/CHANGELOG.md +162 -0
data/CONTRIBUTORS.md +10 -0
data/EXPLOITATION.md +429 -0
data/HACKING.md +101 -0
data/LICENSE.md +341 -0
data/README.md +350 -0
data/Rakefile +86 -0
data/bin/arachni +22 -0
data/bin/arachni_web +77 -0
data/bin/arachni_xmlrpc +21 -0
data/bin/arachni_xmlrpcd +82 -0
data/bin/arachni_xmlrpcd_monitor +74 -0
data/conf/README.webui.yaml.txt +44 -0
data/conf/webui.yaml +11 -0
data/external/metasploit/LICENSE +24 -0
data/external/metasploit/modules/exploits/unix/webapp/arachni_exec.rb +142 -0
data/external/metasploit/modules/exploits/unix/webapp/arachni_path_traversal.rb +113 -0
data/external/metasploit/modules/exploits/unix/webapp/arachni_php_eval.rb +150 -0
data/external/metasploit/modules/exploits/unix/webapp/arachni_php_include.rb +141 -0
data/external/metasploit/modules/exploits/unix/webapp/arachni_sqlmap.rb +92 -0
data/external/metasploit/plugins/arachni.rb +536 -0
data/getoptslong.rb +241 -0
data/lib/anemone.rb +2 -0
data/lib/anemone/cookie_store.rb +35 -0
data/lib/anemone/core.rb +371 -0
data/lib/anemone/exceptions.rb +5 -0
data/lib/anemone/http.rb +144 -0
data/lib/anemone/page.rb +337 -0
data/lib/anemone/page_store.rb +160 -0
data/lib/anemone/storage.rb +34 -0
data/lib/anemone/storage/base.rb +75 -0
data/lib/anemone/storage/exceptions.rb +15 -0
data/lib/anemone/storage/mongodb.rb +89 -0
data/lib/anemone/storage/pstore.rb +50 -0
data/lib/anemone/storage/redis.rb +90 -0
data/lib/anemone/storage/tokyo_cabinet.rb +57 -0
data/lib/anemone/tentacle.rb +40 -0
data/lib/arachni.rb +16 -0
data/lib/audit_store.rb +346 -0
data/lib/component_manager.rb +293 -0
data/lib/component_options.rb +395 -0
data/lib/exceptions.rb +76 -0
data/lib/framework.rb +637 -0
data/lib/http.rb +809 -0
data/lib/issue.rb +302 -0
data/lib/module.rb +4 -0
data/lib/module/auditor.rb +455 -0
data/lib/module/base.rb +188 -0
data/lib/module/element_db.rb +158 -0
data/lib/module/key_filler.rb +87 -0
data/lib/module/manager.rb +87 -0
data/lib/module/output.rb +68 -0
data/lib/module/trainer.rb +240 -0
data/lib/module/utilities.rb +110 -0
data/lib/options.rb +547 -0
data/lib/parser.rb +2 -0
data/lib/parser/auditable.rb +522 -0
data/lib/parser/elements.rb +296 -0
data/lib/parser/page.rb +149 -0
data/lib/parser/parser.rb +717 -0
data/lib/plugin.rb +4 -0
data/lib/plugin/base.rb +110 -0
data/lib/plugin/manager.rb +162 -0
data/lib/report.rb +4 -0
data/lib/report/base.rb +119 -0
data/lib/report/manager.rb +92 -0
data/lib/rpc/xml/client/base.rb +71 -0
data/lib/rpc/xml/client/dispatcher.rb +49 -0
data/lib/rpc/xml/client/instance.rb +88 -0
data/lib/rpc/xml/server/base.rb +90 -0
data/lib/rpc/xml/server/dispatcher.rb +357 -0
data/lib/rpc/xml/server/framework.rb +206 -0
data/lib/rpc/xml/server/instance.rb +191 -0
data/lib/rpc/xml/server/module/manager.rb +46 -0
data/lib/rpc/xml/server/options.rb +124 -0
data/lib/rpc/xml/server/output.rb +299 -0
data/lib/rpc/xml/server/plugin/manager.rb +58 -0
data/lib/ruby.rb +5 -0
data/lib/ruby/object.rb +32 -0
data/lib/ruby/string.rb +74 -0
data/lib/ruby/xmlrpc/server.rb +27 -0
data/lib/spider.rb +200 -0
data/lib/typhoeus/request.rb +91 -0
data/lib/typhoeus/response.rb +34 -0
data/lib/ui/cli/cli.rb +744 -0
data/lib/ui/cli/output.rb +279 -0
data/lib/ui/web/log.rb +82 -0
data/lib/ui/web/output_stream.rb +94 -0
data/lib/ui/web/report_manager.rb +222 -0
data/lib/ui/web/server.rb +903 -0
data/lib/ui/web/server/db/placeholder +0 -0
data/lib/ui/web/server/public/banner.png +0 -0
data/lib/ui/web/server/public/bodybg-small.png +0 -0
data/lib/ui/web/server/public/bodybg.png +0 -0
data/lib/ui/web/server/public/css/smoothness/images/pbar-ani.gif +0 -0
data/lib/ui/web/server/public/css/smoothness/images/ui-bg_flat_0_aaaaaa_40x100.png +0 -0
data/lib/ui/web/server/public/css/smoothness/images/ui-bg_flat_75_ffffff_40x100.png +0 -0
data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_55_fbf9ee_1x400.png +0 -0
data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_65_ffffff_1x400.png +0 -0
data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_75_dadada_1x400.png +0 -0
data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_75_e6e6e6_1x400.png +0 -0
data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_95_fef1ec_1x400.png +0 -0
data/lib/ui/web/server/public/css/smoothness/images/ui-bg_highlight-soft_75_cccccc_1x100.png +0 -0
data/lib/ui/web/server/public/css/smoothness/images/ui-icons_222222_256x240.png +0 -0
data/lib/ui/web/server/public/css/smoothness/images/ui-icons_2e83ff_256x240.png +0 -0
data/lib/ui/web/server/public/css/smoothness/images/ui-icons_454545_256x240.png +0 -0
data/lib/ui/web/server/public/css/smoothness/images/ui-icons_888888_256x240.png +0 -0
data/lib/ui/web/server/public/css/smoothness/images/ui-icons_cd0a0a_256x240.png +0 -0
data/lib/ui/web/server/public/css/smoothness/jquery-ui-1.8.9.custom.css +573 -0
data/lib/ui/web/server/public/favicon.ico +0 -0
data/lib/ui/web/server/public/footer.jpg +0 -0
data/lib/ui/web/server/public/icons/error.png +0 -0
data/lib/ui/web/server/public/icons/info.png +0 -0
data/lib/ui/web/server/public/icons/ok.png +0 -0
data/lib/ui/web/server/public/icons/status.png +0 -0
data/lib/ui/web/server/public/js/jquery-1.4.4.min.js +167 -0
data/lib/ui/web/server/public/js/jquery-ui-1.8.9.custom.min.js +781 -0
data/lib/ui/web/server/public/logo.png +0 -0
data/lib/ui/web/server/public/nav-left.jpg +0 -0
data/lib/ui/web/server/public/nav-right.jpg +0 -0
data/lib/ui/web/server/public/nav-selected-left.jpg +0 -0
data/lib/ui/web/server/public/nav-selected-right.jpg +0 -0
data/lib/ui/web/server/public/reports/placeholder +1 -0
data/lib/ui/web/server/public/sidebar-bottom.jpg +0 -0
data/lib/ui/web/server/public/sidebar-h4.jpg +0 -0
data/lib/ui/web/server/public/sidebar-top.jpg +0 -0
data/lib/ui/web/server/public/spider.png +0 -0
data/lib/ui/web/server/public/style.css +604 -0
data/lib/ui/web/server/tmp/placeholder +0 -0
data/lib/ui/web/server/views/dispatcher.erb +85 -0
data/lib/ui/web/server/views/dispatcher_error.erb +14 -0
data/lib/ui/web/server/views/error.erb +1 -0
data/lib/ui/web/server/views/flash.erb +18 -0
data/lib/ui/web/server/views/home.erb +14 -0
data/lib/ui/web/server/views/instance.erb +213 -0
data/lib/ui/web/server/views/layout.erb +95 -0
data/lib/ui/web/server/views/log.erb +40 -0
data/lib/ui/web/server/views/modules.erb +71 -0
data/lib/ui/web/server/views/options.erb +23 -0
data/lib/ui/web/server/views/output_results.erb +51 -0
data/lib/ui/web/server/views/plugins.erb +42 -0
data/lib/ui/web/server/views/report_formats.erb +30 -0
data/lib/ui/web/server/views/reports.erb +55 -0
data/lib/ui/web/server/views/settings.erb +120 -0
data/lib/ui/web/server/views/welcome.erb +38 -0
data/lib/ui/xmlrpc/dispatcher_monitor.rb +204 -0
data/lib/ui/xmlrpc/xmlrpc.rb +843 -0
data/logs/placeholder +0 -0
data/metamodules/autothrottle.rb +74 -0
data/metamodules/timeout_notice.rb +118 -0
data/metamodules/uniformity.rb +98 -0
data/modules/audit/code_injection.rb +136 -0
data/modules/audit/code_injection_timing.rb +115 -0
data/modules/audit/code_injection_timing/payloads.txt +4 -0
data/modules/audit/csrf.rb +301 -0
data/modules/audit/ldapi.rb +103 -0
data/modules/audit/ldapi/errors.txt +26 -0
data/modules/audit/os_cmd_injection.rb +103 -0
data/modules/audit/os_cmd_injection/payloads.txt +2 -0
data/modules/audit/os_cmd_injection_timing.rb +104 -0
data/modules/audit/os_cmd_injection_timing/payloads.txt +3 -0
data/modules/audit/path_traversal.rb +141 -0
data/modules/audit/response_splitting.rb +105 -0
data/modules/audit/rfi.rb +193 -0
data/modules/audit/sqli.rb +120 -0
data/modules/audit/sqli/regexp_ids.txt +90 -0
data/modules/audit/sqli_blind_rdiff.rb +321 -0
data/modules/audit/sqli_blind_timing.rb +103 -0
data/modules/audit/sqli_blind_timing/payloads.txt +51 -0
data/modules/audit/trainer.rb +89 -0
data/modules/audit/unvalidated_redirect.rb +90 -0
data/modules/audit/xpath.rb +104 -0
data/modules/audit/xpath/errors.txt +26 -0
data/modules/audit/xss.rb +99 -0
data/modules/audit/xss_event.rb +134 -0
data/modules/audit/xss_path.rb +125 -0
data/modules/audit/xss_script_tag.rb +112 -0
data/modules/audit/xss_tag.rb +112 -0
data/modules/audit/xss_uri.rb +125 -0
data/modules/recon/allowed_methods.rb +104 -0
data/modules/recon/backdoors.rb +131 -0
data/modules/recon/backdoors/filenames.txt +16 -0
data/modules/recon/backup_files.rb +177 -0
data/modules/recon/backup_files/extensions.txt +28 -0
data/modules/recon/common_directories.rb +138 -0
data/modules/recon/common_directories/directories.txt +265 -0
data/modules/recon/common_files.rb +138 -0
data/modules/recon/common_files/filenames.txt +17 -0
data/modules/recon/directory_listing.rb +171 -0
data/modules/recon/grep/captcha.rb +62 -0
data/modules/recon/grep/credit_card.rb +85 -0
data/modules/recon/grep/cvs_svn_users.rb +73 -0
data/modules/recon/grep/emails.rb +59 -0
data/modules/recon/grep/html_objects.rb +53 -0
data/modules/recon/grep/private_ip.rb +54 -0
data/modules/recon/grep/ssn.rb +53 -0
data/modules/recon/htaccess_limit.rb +82 -0
data/modules/recon/http_put.rb +95 -0
data/modules/recon/interesting_responses.rb +118 -0
data/modules/recon/unencrypted_password_forms.rb +119 -0
data/modules/recon/webdav.rb +126 -0
data/modules/recon/xst.rb +107 -0
data/path_extractors/anchors.rb +35 -0
data/path_extractors/forms.rb +35 -0
data/path_extractors/frames.rb +38 -0
data/path_extractors/generic.rb +39 -0
data/path_extractors/links.rb +35 -0
data/path_extractors/meta_refresh.rb +39 -0
data/path_extractors/scripts.rb +37 -0
data/path_extractors/sitemap.rb +31 -0
data/plugins/autologin.rb +137 -0
data/plugins/content_types.rb +90 -0
data/plugins/cookie_collector.rb +99 -0
data/plugins/form_dicattack.rb +185 -0
data/plugins/healthmap.rb +94 -0
data/plugins/http_dicattack.rb +133 -0
data/plugins/metamodules.rb +118 -0
data/plugins/proxy.rb +248 -0
data/plugins/proxy/server.rb +66 -0
data/plugins/waf_detector.rb +184 -0
data/profiles/comprehensive.afp +74 -0
data/profiles/full.afp +75 -0
data/reports/afr.rb +59 -0
data/reports/ap.rb +55 -0
data/reports/html.rb +179 -0
data/reports/html/default.erb +967 -0
data/reports/metareport.rb +139 -0
data/reports/metareport/arachni_metareport.rb +174 -0
data/reports/plugin_formatters/html/content_types.rb +82 -0
data/reports/plugin_formatters/html/cookie_collector.rb +66 -0
data/reports/plugin_formatters/html/form_dicattack.rb +54 -0
data/reports/plugin_formatters/html/healthmap.rb +76 -0
data/reports/plugin_formatters/html/http_dicattack.rb +54 -0
data/reports/plugin_formatters/html/metaformatters/timeout_notice.rb +65 -0
data/reports/plugin_formatters/html/metaformatters/uniformity.rb +71 -0
data/reports/plugin_formatters/html/metamodules.rb +93 -0
data/reports/plugin_formatters/html/waf_detector.rb +54 -0
data/reports/plugin_formatters/stdout/content_types.rb +73 -0
data/reports/plugin_formatters/stdout/cookie_collector.rb +61 -0
data/reports/plugin_formatters/stdout/form_dicattack.rb +52 -0
data/reports/plugin_formatters/stdout/healthmap.rb +72 -0
data/reports/plugin_formatters/stdout/http_dicattack.rb +53 -0
data/reports/plugin_formatters/stdout/metaformatters/timeout_notice.rb +55 -0
data/reports/plugin_formatters/stdout/metaformatters/uniformity.rb +68 -0
data/reports/plugin_formatters/stdout/metamodules.rb +89 -0
data/reports/plugin_formatters/stdout/waf_detector.rb +48 -0
data/reports/plugin_formatters/xml/content_types.rb +91 -0
data/reports/plugin_formatters/xml/cookie_collector.rb +70 -0
data/reports/plugin_formatters/xml/form_dicattack.rb +57 -0
data/reports/plugin_formatters/xml/healthmap.rb +82 -0
data/reports/plugin_formatters/xml/http_dicattack.rb +57 -0
data/reports/plugin_formatters/xml/metaformatters/timeout_notice.rb +67 -0
data/reports/plugin_formatters/xml/metaformatters/uniformity.rb +82 -0
data/reports/plugin_formatters/xml/metamodules.rb +91 -0
data/reports/plugin_formatters/xml/waf_detector.rb +58 -0
data/reports/stdout.rb +182 -0
data/reports/txt.rb +77 -0
data/reports/xml.rb +231 -0
data/reports/xml/buffer.rb +98 -0
metadata +516 -0

data/profiles/comprehensive.afp ADDED

@@ -0,0 +1,74 @@
+--- !ruby/object:Arachni::Options
+audit_cookies: true
+audit_forms: true
+audit_links: true
+authed_by:
+dir:
+exclude: []
+exclude_cookies: []
+http_req_limit: 20
+include: []
+load_profile:
+lsmod: []
+lsplug: []
+lsrep: []
+mods:
+- interesting_responses
+- common_files
+- xst
+- http_put
+- webdav
+- directory_listing
+- allowed_methods
+- htaccess_limit
+- ssn
+- private_ip
+- emails
+- credit_card
+- cvs_svn_users
+- captcha
+- html_objects
+- unencrypted_password_forms
+- backdoors
+- backup_files
+- common_directories
+- trainer
+- os_cmd_injection
+- sqli
+- xss_script_tag
+- sqli_blind_rdiff
+- path_traversal
+- xss_event
+- xss_uri
+- sqli_blind_timing
+- code_injection
+- rfi
+- xss_tag
+- response_splitting
+- csrf
+- os_cmd_injection_timing
+- ldapi
+- code_injection_timing
+- xss_path
+- xpath
+- unvalidated_redirect
+- xss
+plugins:
+  healthmap: {}
+  content_types: {}
+redirect_limit: 20
+redundant: []
+reports:
+  stdout: {}
+save_profile:
+user_agent: Arachni/0.2.2

data/profiles/full.afp ADDED

@@ -0,0 +1,75 @@
+--- !ruby/object:Arachni::Options
+audit_cookies: true
+audit_forms: true
+audit_headers: true
+audit_links: true
+authed_by:
+dir:
+exclude: []
+exclude_cookies: []
+http_req_limit: 20
+include: []
+load_profile:
+lsmod: []
+lsplug: []
+lsrep: []
+mods:
+- interesting_responses
+- common_files
+- xst
+- http_put
+- webdav
+- directory_listing
+- allowed_methods
+- htaccess_limit
+- ssn
+- private_ip
+- emails
+- credit_card
+- cvs_svn_users
+- captcha
+- html_objects
+- unencrypted_password_forms
+- backdoors
+- backup_files
+- common_directories
+- trainer
+- os_cmd_injection
+- sqli
+- xss_script_tag
+- sqli_blind_rdiff
+- path_traversal
+- xss_event
+- xss_uri
+- sqli_blind_timing
+- code_injection
+- rfi
+- xss_tag
+- response_splitting
+- csrf
+- os_cmd_injection_timing
+- ldapi
+- code_injection_timing
+- xss_path
+- xpath
+- unvalidated_redirect
+- xss
+plugins:
+  healthmap: {}
+  content_types: {}
+redirect_limit: 20
+redundant: []
+reports:
+  stdout: {}
+save_profile:
+user_agent: Arachni/0.2.2

data/reports/afr.rb ADDED

@@ -0,0 +1,59 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+=end
+module Arachni
+module Reports
+#
+# Arachni Framework Report (.afr)
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class AFR < Arachni::Report::Base
+    #
+    # @param [AuditStore]  audit_store
+    # @param [Hash]   options    options passed to the report
+    #
+    def initialize( audit_store, options )
+        @audit_store   = audit_store
+        @options       = options
+    end
+    def run( )
+        print_line( )
+        print_status( 'Dumping audit results in \'' + @options['outfile']  + '\'.' )
+        @audit_store.save( @options['outfile'] )
+        print_status( 'Done!' )
+    end
+    def self.info
+        {
+            :name           => 'Arachni Framework Report',
+            :description    => %q{Saves the file in the default Arachni Framework Report (.afr) format.},
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1',
+            :options        => [
+                Arachni::OptString.new( 'outfile', [ false, 'Where to save the report.',
+                    Time.now.to_s + '.afr' ] ),
+            ]
+        }
+    end
+end
+end
+end

data/reports/ap.rb ADDED

@@ -0,0 +1,55 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+=end
+module Arachni
+module Reports
+#
+# Awesome prints an {AuditStore#to_h} hash.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class AP < Arachni::Report::Base
+    #
+    # @param [AuditStore]  audit_store
+    # @param [Hash]   options    options passed to the report
+    # @param [String]    outfile    where to save the report
+    #
+    def initialize( audit_store, options )
+        @audit_store   = audit_store
+    end
+    def run( )
+        print_line( )
+        print_status( 'Awesome printing AuditStore as a Hash...' )
+        ap @audit_store.to_h
+        print_status( 'Done!' )
+    end
+    def self.info
+        {
+            :name           => 'AP',
+            :description    => %q{Awesome prints an AuditStore hash.},
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.1'
+        }
+    end
+end
+end
+end

data/reports/html.rb ADDED

@@ -0,0 +1,179 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+=end
+require 'erb'
+require 'base64'
+require 'cgi'
+module Arachni
+module Reports
+#
+# Creates an HTML report of the audit.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.2
+#
+class HTML < Arachni::Report::Base
+    #
+    # @param [AuditStore]  audit_store
+    # @param [Hash]   options    options passed to the report
+    #
+    def initialize( audit_store, options )
+        @audit_store   = audit_store
+        @options       = options
+    end
+    #
+    # Runs the HTML report.
+    #
+    def run( )
+        print_line( )
+        print_status( 'Creating HTML report...' )
+        report = ERB.new( IO.read( @options['tpl'] ) )
+        __prepare_data
+        @plugins = format_plugin_results( @audit_store.plugins )
+        __save( @options['outfile'], report.result( binding ) )
+        print_status( 'Saved in \'' + @options['outfile'] + '\'.' )
+    end
+    def self.info
+        {
+            :name           => 'HTML Report',
+            :description    => %q{Exports a report as an HTML document.},
+            :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
+            :version        => '0.2',
+            :options        => [
+                Arachni::OptPath.new( 'tpl', [ false, 'Template to use.',
+                    File.dirname( __FILE__ ) + '/html/default.erb' ] ),
+                Arachni::OptString.new( 'outfile', [ false, 'Where to save the report.',
+                    Time.now.to_s + '.html' ] ),
+            ]
+        }
+    end
+    private
+    def self.prep_description( str )
+        placeholder =  '--' + rand( 1000 ).to_s + '--'
+        cstr = str.gsub( /^\s*$/xm, placeholder )
+        cstr.gsub!( /^\s*/xm, '' )
+        cstr.gsub!( placeholder, "\n" )
+        cstr.chomp
+    end
+    def __save( outfile, out )
+        file = File.new( outfile, 'w' )
+        file.write( out )
+        file.close
+    end
+    def __prepare_data( )
+        @graph_data = {
+            :severities => {
+                Issue::Severity::HIGH => 0,
+                Issue::Severity::MEDIUM => 0,
+                Issue::Severity::LOW => 0,
+                Issue::Severity::INFORMATIONAL => 0,
+            },
+            :issues     => {},
+            :elements   => {
+                Issue::Element::FORM => 0,
+                Issue::Element::LINK => 0,
+                Issue::Element::COOKIE => 0,
+                Issue::Element::HEADER => 0,
+                Issue::Element::BODY => 0,
+                Issue::Element::PATH => 0,
+                Issue::Element::SERVER => 0,
+            },
+            :verification => {
+                'Yes' => 0,
+                'No'  => 0
+            }
+        }
+        @audit_store.issues.each_with_index {
+            |issue, i|
+            @graph_data[:severities][issue.severity] ||= 0
+            @graph_data[:severities][issue.severity] += 1
+            @total_severities ||= 0
+            @total_severities += 1
+            @graph_data[:issues][issue.name] ||= 0
+            @graph_data[:issues][issue.name] += 1
+            @graph_data[:elements][issue.elem] ||= 0
+            @graph_data[:elements][issue.elem] += 1
+            @total_elements ||= 0
+            @total_elements += 1
+            verification = issue.verification ? 'Yes' : 'No'
+            @graph_data[:verification][verification] ||= 0
+            @graph_data[:verification][verification] += 1
+            @total_verifications ||= 0
+            @total_verifications += 1
+            issue.variations.each_with_index {
+                |variation, j|
+                if( variation['response'] && !variation['response'].empty? )
+                    @audit_store.issues[i].variations[j]['escaped_response'] =
+                        Base64.encode64( variation['response'] ).gsub( /\n/, '' )
+                end
+                response = {}
+                if !variation['headers']['response'].is_a?( Hash )
+                    variation['headers']['response'].split( "\n" ).each {
+                        |line|
+                        field, value = line.split( ':', 2 )
+                        next if !value
+                        response[field] = value
+                    }
+                end
+                variation['headers']['response'] = response.dup
+            }
+        }
+        @graph_data[:severities].each {
+            |severity, cnt|
+            @graph_data[:severities][severity] = ((cnt/Float(@total_severities)) * 100).to_i
+        }
+        @graph_data[:elements].each {
+            |elem, cnt|
+            @graph_data[:elements][elem] = ((cnt/Float(@total_elements)) * 100).to_i
+        }
+        @graph_data[:verification].each {
+            |verification, cnt|
+            @graph_data[:verification][verification] = ((cnt/Float(@total_verifications)) * 100).to_i
+        }
+    end
+end
+end
+end

data/reports/html/default.erb ADDED

@@ -0,0 +1,967 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US" xml:lang="en-US">
+<head>
+  <title>Web Application Security Report - Arachni Framework</title>
+  <link rel="stylesheet" href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.8/themes/base/jquery-ui.css" type="text/css" media="all" />
+  <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js"></script>
+  <script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.8/jquery-ui.min.js" type="text/javascript"></script>
+  <script src="http://zapotek.github.com/arachni/charts/highcharts.js" type="text/javascript"></script>
+  <!--
+      Design by:
+        * Christos Chiotis <chris@survivetheinternet.com>
+        * Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+      Copyright (c) Arachni 2011.
+       -->
+  <script type="text/javascript">
+  //<![CDATA[
+      if( typeof jQuery == 'undefined' ) {
+          alert( "Could not load the necessary JavaScript libraries -- the presentation and functionality of the report will be crippled.\n" +
+            "Make sure that your internet connection is working and try refreshing the page." );
+      }
+      function getElem( id ){
+          return document.getElementById(id)
+      }
+      function toggleElem( id ){
+            if( getElem(id).style.display == 'none' ||
+                getElem(id).style.display == '' )
+            {
+                getElem(id).style.display    = 'block';
+                sign = '[-]';
+            } else {
+                getElem(id).style.display    = 'none';
+                sign = '[+]';
+            }
+            if( getElem(id + '_sign') ){
+                getElem(id + '_sign').innerHTML = sign;
+            }
+      }
+      function inspect( id ){
+          $( id ).dialog({
+              height: 500,
+              width: 1000,
+              modal: true
+          });
+      }
+      jQuery(function($){
+        tabs = function(options) {
+            var defaults = {
+                selector: '.tabs',
+                selectedClass: 'selected'
+            };
+            if(typeof options == 'string') defaults.selector = options;
+            var options = $.extend(defaults, options);
+            return $(options.selector).each(function(){
+                var obj = this;
+                var targets = Array();
+                function show(i){
+                    $.each(targets,function(index,value){
+                        $(value).hide();
+                    })
+                    $(targets[i]).fadeIn('fast');
+                    $(obj).children().removeClass(options.selectedClass);
+                    selected = $(obj).children().get(i);
+                    $(selected).addClass(options.selectedClass);
+                };
+                $('a',this).each(function(i){
+                    targets.push($(this).attr('href'));
+                    $(this).click(function(e){
+                        e.preventDefault();
+                        show(i);
+                    });
+                });
+                  show(0);
+            });
+        }
+        // initialize the function
+        // as a parameter we are sending a selector. For this particular script we must select the unordered (or ordered) list item element
+        tabs('nav ul');
+      });
+        var issues; // globally available
+        $(document).ready(function() {
+              issues = new Highcharts.Chart({
+                    chart: {
+                        renderTo: 'chart-issues',
+                        defaultSeriesType: 'column',
+                        backgroundColor: '#ccc'
+                    },
+                    title: {
+                        text: 'Issues by type'
+                    },
+                    xAxis: {
+                        categories: <%=@graph_data[:issues].keys.to_s %>
+                    },
+                    yAxis: {
+                        title: {
+                            text: ''
+                        }
+                    },
+                    series: [{
+                        data: <%=@graph_data[:issues].values.to_s %>
+                     }]
+                });
+           });
+            var severities;
+            $(document).ready(function() {
+               severities = new Highcharts.Chart({
+                  chart: {
+                     renderTo: 'chart-severities',
+                     backgroundColor: '#ccc'
+                  },
+                  title: {
+                     text: 'Severity levels'
+                  },
+                  tooltip: {
+                     formatter: function() {
+                        return '<b>'+ this.point.name +'</b>: '+ this.y +' %';
+                     }
+                  },
+                   series: [{
+                     type: 'pie',
+                     data: [
+                        <%@graph_data[:severities].each do |severity| %>
+                        <%=severity.to_s%>,
+                        <%end%>
+                     ]
+                  }]
+               });
+            });
+            var elements;
+            $(document).ready(function() {
+               elements = new Highcharts.Chart({
+                  chart: {
+                     renderTo: 'chart-elements',
+                     backgroundColor: '#ccc'
+                  },
+                  title: {
+                     text: 'Issues by elements'
+                  },
+                  tooltip: {
+                     formatter: function() {
+                        return '<b>'+ this.point.name +'</b>: '+ this.y +' %';
+                     }
+                  },
+                   series: [{
+                     type: 'pie',
+                     data: [
+                        <%@graph_data[:elements].each do |severity| %>
+                        <%=severity.to_s%>,
+                        <%end%>
+                     ]
+                  }]
+               });
+            });
+            var verification;
+            $(document).ready(function() {
+               elements = new Highcharts.Chart({
+                  chart: {
+                     renderTo: 'chart-verification',
+                     backgroundColor: '#ccc'
+                  },
+                  title: {
+                     text: 'Issues which require manual verification'
+                  },
+                  tooltip: {
+                     formatter: function() {
+                        return '<b>'+ this.point.name +'</b>: '+ this.y +' %';
+                     }
+                  },
+                   series: [{
+                     type: 'pie',
+                     data: [
+                        <%@graph_data[:verification].each do |severity| %>
+                        <%=severity.to_s%>,
+                        <%end%>
+                     ]
+                  }]
+               });
+            });
+  //]]>
+  </script>
+  <style type="text/css">
+  /*<![CDATA[*/
+    body {
+        background: #ddd;
+        margin:0;
+        padding:0;
+        font-family: Verdana, Geneva, sans-serif;
+        font-size: 12px;
+        color: #333;
+    }
+    .wrapper {
+        background: #ddd url('bodybg.png') repeat-x scroll top left;
+    }
+    .subpage {
+        background-image: url('bodybg-small.png');
+    }
+    * {
+        margin:0;
+        padding:0;
+    }
+    /** element defaults **/
+    table {
+        width: 100%;
+        text-align: left;
+    }
+    th, td {
+        padding: 10px 10px;
+    }
+    th {
+        color: #fff;
+        background: #2978A1 none repeat-x scroll -15px 0;
+    }
+    td {
+        color: #111;
+        vertical-align: top
+    }
+    code, blockquote {
+        display: block;
+        border-left: 5px solid #ddd;
+        padding: 10px;
+        margin-bottom: 20px;
+    }
+    code {
+        background-color: #ddd;
+        border: none;
+    }
+    blockquote {
+        border-left: 5px solid #333;
+    }
+    blockquote p {
+        font-style: italic;
+        font-family: Georgia, "Times New Roman", Times, serif;
+        margin: 0;
+        height: 1%;
+    }
+    p {
+        line-height: 1.9em;
+        margin-bottom: 20px;
+    }
+    a {
+        color: #256F94;
+        text-decoration: none
+    }
+    a:hover {
+        color: #BC6637;
+    }
+    a:focus {
+        outline: none;
+    }
+    fieldset {
+        display: block;
+        border: none;
+        border-top: 1px solid #ccc;
+    }
+    fieldset legend {
+        font-weight: bold;
+        font-size: 13px;
+        padding-right: 10px;
+        color: #666;
+    }
+    fieldset form {
+        padding-top: 15px;
+    }
+    fieldset p label {
+        float: left;
+        width: 150px;
+    }
+    form input, form select, form textarea {
+        padding: 5px;
+        color: #333333;
+        border: 1px solid #999;
+        font-family: Arial, Helvetica, sans-serif;
+        font-size: 12px;
+        -moz-border-radius: 5px;
+        -webkit-border-radius: 5px;
+    }
+    form input.formbutton {
+        border: none;
+        background: #FFFFFF url(bodybg.png) repeat-x scroll 0 -160px;
+        color: #ffffff;
+        font-weight: bold;
+        padding: 5px 10px;
+        font-size: 12px;
+        font-family: Tahoma, Geneva, sans-serif;
+        letter-spacing: 1px;
+        width: auto;
+        overflow: visible;
+        -moz-border-radius: 5px;
+        -webkit-border-radius: 5px;
+    }
+    form.searchform p {
+        margin: 5px 0;
+    }
+    form.searchform input.s {
+        border: 1px solid #000;
+    }
+    form.settings input, textarea {
+        float: right;
+        margin-right: 10px
+    }
+    .options input, textarea {
+        float: right;
+        margin-right: 10px
+    }
+    form.reset input {
+        float: left;
+    }
+    span.required {
+        font-family: Verdana, Arial, Helvetica, sans-serif;
+        color: #ff0000;
+    }
+    h1 {
+        color: #1F5D7C;
+        font-family: Arial, Helvetica, sans-serif;
+        font-size: 35px;
+    }
+    h2 {
+        color: #111;
+        font-family: Arial, Helvetica, sans-serif;
+        font-size: 28px;
+        letter-spacing: -0.5px;
+        padding: 0 0 5px;
+        margin: 0;
+        font-weight: normal;
+    }
+    h3 {
+        color: #BC6637;
+        font-family: Arial, Helvetica, sans-serif;
+        font-size: 18px;
+        font-weight: bold;
+        margin-bottom: 10px;
+    }
+    h4 {
+        padding-bottom: 10px;
+        font-size: 15px;
+        color: #666;
+    }
+    h5 {
+        padding-bottom: 10px;
+        font-size: 13px;
+        color: #666;
+    }
+    ul, ol {
+        margin: 0 0 35px 35px;
+    }
+    li {
+        padding-bottom: 5px;
+    }
+    li ol, li ul {
+        font-size: 1.0em;
+        margin-bottom: 0;
+        padding-top: 5px;
+    }
+    iframe {
+        border: 1px solid
+    }
+    .clear {
+        clear: both;
+    }
+    .notice {
+      color: #222;
+      background: #e3e4e3;
+      border: 1px solid #d5d5d5;
+      padding: 7px 10px;
+      display: block;
+      text-align: left
+      -moz-border-radius: 5px;
+      -webkit-border-radius: 5px;
+    }
+    .left {
+        float: left;
+        width: 49%;
+        padding-right: 5px
+    }
+    .right {
+        float: right;
+        width: 50%;
+        border-left: 1px
+    }
+    .variation{
+        display: none;
+        padding: 20px;
+        padding-left: 40px;
+        padding-top: 0px
+    }
+    .hidden {
+        display: none
+    }
+    .separator {
+        min-width: 100%;
+        border-bottom: 1px solid #333333
+    }
+    .ui-widget-bg { border-top: 1px dotted #aed0ea; font-size:9px;   }
+    .ui-widget-bar {position:absolute;zIndex:10;bottom:0;font-size:10px; }
+    .graphs li{
+         list-style-type:none;
+    }
+    /* Security Reports Style */
+    header, nav, article, section, footer, address {display:block;}
+    header{
+        height: 38px;
+        overflow:hidden;
+        background:#e1e1e1;
+        background:-webkit-gradient(linear, left top, left bottom, from(#cccccc), to(#e1e1e1));
+        background:-moz-linear-gradient(top,  #cccccc,  #e1e1e1);
+        padding:0 5px;
+        }
+    header h1{
+        line-height:32px;
+        font-size:14px;
+        text-shadow:#fff 0 1px 0;
+        text-align:center;
+        display: inline
+        }
+    nav{
+        height:34px;
+        overflow:hidden;
+        }
+    nav ul{
+        margin:0;
+        padding:0 5px;
+        width:100%;
+        height:34px;
+        -moz-box-shadow:inset -2px 2px 2px #999;
+        -webkit-box-shadow:inset -2px 2px 2px #999;
+        box-shadow:inset -2px 0px 2px #999;
+        background:#ddd;
+        }
+    nav li{
+        list-style:none;
+        float:left;
+        height:24px;
+        line-height:24px;
+        -moz-box-shadow:0 0 3px #888;
+        -webkit-box-shadow:0 0 3px #888;
+        box-shadow:0 0 3px #888;
+        -webkit-border-bottom-right-radius:3px;
+        -webkit-border-bottom-left-radius:3px;
+        -moz-border-radius-bottomright:3px;
+        -moz-border-radius-bottomleft:3px;
+        border-bottom-right-radius:3px;
+        border-bottom-left-radius:3px;
+        margin:0 2px;
+        width:200px;
+        overflow:hidden;
+        position:relative;
+        background:#ccc;
+        background:-webkit-gradient(linear, left top, left bottom, from(#ccc), to(#aaa));
+        background:-moz-linear-gradient(top,  #ccc,  #aaa);
+        }
+    nav li a, nav li a:visited, nav li a:hover{
+        list-style:none;
+        display:block;
+        position:absolute;
+        top:0;
+        left:-2px;
+        height:24px;
+        line-height:24px;
+        width:204px;
+        text-align:center;
+        color:#333;
+        font-size:13px;
+        text-shadow:#e8e8e8 0 1px 0;
+        -moz-box-shadow:inset 0 1px 1px #888;
+        -webkit-box-shadow:inset 0 1px 1px #888;
+        box-shadow:inset 0 1px 1px #888;
+        }
+    nav li.selected {background:#e1e1e1;background:-webkit-gradient(linear, left top, left bottom, from(#e1e1e1), to(#d1d1d1));background:-moz-linear-gradient(top,  #e1e1e1,  #d1d1d1);}
+    nav li.selected a {-moz-box-shadow:none;-webkit-box-shadow:none;box-shadow:none;}
+    nav li a:focus {outline:none;}
+    /* style your sections here */
+    section {padding:20px;background:#ddd;}
+    section hr {margin:10px 0;}
+    section h2 {border-bottom:1px solid #444;margin:0 0 20px 0;padding:0 0 10px 0;}
+    section p.notice {
+      white-space: -moz-pre-wrap !important;  /* Mozilla, since 1999 */
+      white-space: -pre-wrap;      /* Opera 4-6 */
+      white-space: -o-pre-wrap;    /* Opera 7 */
+      white-space: pre-wrap;       /* css-3 */
+      word-wrap: break-word;       /* Internet Explorer 5.5+ */
+    }
+    section div.variations form input {cursor:pointer;}
+  /*]]>*/
+  </style>
+</head>
+<body>
+    <div id="contentreport">
+        <header>
+            <h1>Report for <%=CGI.escapeHTML(@audit_store.options['url'])%> (Generated on <strong><%=Time.now%></strong>)</h1>
+            <span style="float: right">Found a false positive? <a href="<%=CGI.escapeHTML(REPORT_FP)%>">Report it here</a>.</span>
+        </header>
+        <nav>
+            <ul>
+                <li><a href="#summary">Summary</a></li>
+                <li><a href="#issues">Issues</a></li>
+                <li><a href="#plugins">Plugin results</a></li>
+                <li><a href="#sitemap">Sitemap</a></li>
+                <li><a href="#configuration">Configuration</a></li>
+            </ul>
+        </nav>
+        <section class="tab" id="summary">
+            <h2>Summary</h2>
+            <h3>Charts</h3>
+            <div id="chart-issues" style="width: 1000px">
+            </div>
+            <p class="clear">&nbsp;</p>
+            <div id="chart-severities" style="width: 500px; float:left">
+            </div>
+            <div id="chart-elements" style="width: 450px">
+            </div>
+            <p class="clear">&nbsp;</p>
+            <div id="chart-verification" style="width: 333px">
+            </div>
+            <p class="clear">&nbsp;</p>
+            <p class="clear">&nbsp;</p>
+            <hr/>
+            <h3>Found <%=@audit_store.issues.size%> issues</h3>
+            <% @audit_store.issues.each_with_index do |issue, i| %>
+            <p>
+                <h5>[<%=i+1%>] <%= issue.name %> ( Severity: <%= issue.severity %> )</h5>
+                In <%= issue.elem %>
+                <% if issue.var%>
+                input <em><%= issue.var %></em>
+                <%end%>
+                <% if issue.method %>
+                using <%= issue.method %>
+                <%end%>
+                at <a href="<%= issue.url %>"><%= issue.url %></a>.
+            </p>
+            <%end%>
+        </section>
+        <section class="tab" id="configuration">
+            <h2>Configuration</h2>
+            <strong>Version</strong>: <%=@audit_store.version%><br />
+            <strong>Revision</strong>: <%=@audit_store.revision%><br />
+            <strong>Audit started on</strong>: <%=@audit_store.start_datetime%><br />
+            <strong>Audit finished on</strong>: <%=@audit_store.finish_datetime%><br />
+            <strong>Runtime</strong>: <%=@audit_store.delta_time%><br />
+            <p>&nbsp;</p>
+            <h3>Runtime options</h3>
+            <strong>URL:</strong> <%=@audit_store.options['url']%><br />
+            <strong>User agent:</strong> <%=::CGI.escapeHTML( @audit_store.options['user_agent'] )%><br />
+            <p>&nbsp;</p>
+            <table>
+                <tr>
+                    <th>Audited elements</th>
+                    <th>Modules</th>
+                    <th>Filters</th>
+                    <th>Cookies</th>
+                </tr>
+              <tr>
+                  <td>
+                      <ul>
+                        <% if @audit_store.options['audit_links']%>
+                        <li>Links</li>
+                        <%end%>
+                        <% if @audit_store.options['audit_forms']%>
+                        <li>Forms</li>
+                        <%end%>
+                        <% if @audit_store.options['audit_cookies']%>
+                        <li>Cookies</li>
+                        <%end%>
+                        <% if @audit_store.options['audit_headers']%>
+                        <li>Headers</li>
+                        <%end%>
+                    </ul>
+                </td>
+                <td>
+                    <ul>
+                    <% @audit_store.options['mods'].each do |mod|%>
+                        <li><%=mod%></li>
+                    <%end%>
+                    </ul>
+                </td>
+                <td>
+                    <ul>
+                        <li>Exclude:
+                            <ul>
+                            <% if !@audit_store.options['exclude'].empty?%>
+                            <% @audit_store.options['exclude'].each do |rule|%>
+                                <li><%=CGI.escapeHTML( rule )%></li>
+                            <%end%>
+                            <% else %>
+                                <li>N/A</li>
+                            <%end%>
+                            </ul>
+                        </li>
+                        <li>Include:
+                            <ul>
+                            <% if !@audit_store.options['include'].empty?%>
+                            <% @audit_store.options['include'].each do |rule|%>
+                                <li><%=CGI.escapeHTML( rule )%></li>
+                            <%end%>
+                            <% else %>
+                                <li>N/A</li>
+                            <%end%>
+                            </ul>
+                        </li>
+                        <li>Redundant:
+                            <ul>
+                            <% if !@audit_store.options['redundant'].empty?%>
+                            <% @audit_store.options['redundant'].each do |rule|%>
+                                <li><%=CGI.escapeHTML( rule['regexp'] )%> - Count: <%=rule['count']%></li>
+                            <%end%>
+                            <% else %>
+                                <li>N/A</li>
+                            <%end%>
+                                </ul>
+                            </li>
+                        </ul>
+                    </td>
+                    <td>
+                        <ul>
+                        <% if @audit_store.options['cookies'] && !@audit_store.options['cookies'].empty?%>
+                        <% @audit_store.options['cookies'].each_pair do |name, val|%>
+                            <li><%=CGI.escapeHTML( name )%> = <%=CGI.escapeHTML( val )%></li>
+                        <%end%>
+                        <% else %>
+                            <li>N/A</li>
+                        <%end%>
+                      </ul>
+                    </td>
+                </tr>
+            </table>
+        </section>
+        <section class="tab" id="issues">
+            <h2>Issues</h2>
+            <p> &nbsp; </p>
+            <% if @plugins['metamodules']%>
+            <div class="metamodules notice">
+                <%=@plugins['metamodules']%>
+            </div>
+            <hr/>
+            <%end%>
+            <% @audit_store.issues.each_with_index do |issue, i|%>
+            <%idx = i+1%>
+            <div class="issue">
+                <h3 id="issue_<%=idx%>">
+                    <a href="#issue_<%=idx%>">[<%=idx%>] <%=CGI.escapeHTML(issue.name)%></a>
+                </h3>
+                <div class="left">
+                    <ul>
+                    <li><strong>Module name</strong>: <%=CGI.escapeHTML(issue.mod_name)%> <br/>
+                    (Internal module name: <strong><%=CGI.escapeHTML(issue.internal_modname)%></strong>)</li>
+                    <% if issue.var %>
+                    <li><strong>Affected variable</strong>: <%=CGI.escapeHTML(issue.var)%></li>
+                    <%end%>
+                    <li><strong>Affected URL</strong>: <a href="<%=CGI.escapeHTML(issue.url)%>"><%= CGI.escapeHTML(issue.url)%></a> </li>
+                    <li><strong>HTML Element</strong>: <%=issue.elem%></li>
+                    <li><strong>Requires manual verification?</strong>: <%=issue.verification ? 'Yes' : 'No'%></li>
+                    <hr/>
+                    <% if issue.cwe %>
+                    <li><strong>CWE</strong>: <%=issue.cwe%><br/>
+                    (<a target="_blank" href="<%=issue.cwe_url%>"><%=issue.cwe_url%></a>)</li>
+                    <%end%>
+                    <li><strong>Severity</strong>: <%=issue.severity%></li>
+                    <li><strong>CVSSV2</strong>: <%=issue.cvssv2%></li>
+                    </ul>
+                    <p>
+                        <h3>References</h3>
+                        <ul>
+                            <% if issue.references && !issue.references.empty? %>
+                            <% issue.references.each_pair do |source, url| %>
+                            <li><%=CGI.escapeHTML(source)%> - <a target="_blank" href="<%=url%>"><%=url%></a></li>
+                            <%end%>
+                            <%else%>
+                                <li>N/A</li>
+                            <%end%>
+                        </ul>
+                    </p>
+                </div>
+                <div class="right">
+                    <p>
+                        <h3>Description</h3>
+                        <blockquote><p><%=CGI.escapeHTML(issue.description)%></p></blockquote>
+                    </p>
+                    <% if issue.remedy_guidance && !issue.remedy_guidance.empty? %>
+                    <p>
+                        <h3>Remedial guidance</h3>
+                        <blockquote><p><%=CGI.escapeHTML(issue.remedy_guidance)%></p></blockquote>
+                    </p>
+                    <%end%>
+                    <% if issue.remedy_code && !issue.remedy_code.empty? %>
+                    <p>
+                        <h3>Remedial code</h3>
+                        <pre class="code notice"><%=CGI.escapeHTML(issue.remedy_code)%></pre>
+                    </p>
+                    <%end%>
+                </div>
+                <div class="clear variations" style="display: block;">
+                    <% issue.variations.each_with_index do |variation, j| %>
+                    <% var_idx = j + 1%>
+                    <h5 class="variation_header">
+                        <a href='javascript:toggleElem( "var_<%=var_idx%>_<%=idx%>" )'>
+                            <span id="var_<%=var_idx%>_<%=idx%>_sign">[+]</span>
+                            Variation <%=var_idx%>
+                        </a>
+                    </h5>
+                    <strong>Affected URL</strong>:
+                    <p class="notice"><a href="<%=CGI.escapeHTML(variation['url'])%>"><%=CGI.escapeHTML(variation['url'])%></a></p>
+                    <% if (variation['response'] && !variation['response'].empty?) && variation['regexp_match'] %>
+                    <div class="hidden" id="inspection-dialog_<%=var_idx%>_<%=idx%>" title="Relevant content is shown in red.">
+                        <% match = CGI.escapeHTML( variation['regexp_match'] )%>
+                        <pre> <%=CGI.escapeHTML( variation['response'] ).gsub( match, '<strong style="color: red">' + match + '</strong>' ) %> </pre>
+                    </div>
+                    <form style="display:inline" action="#">
+                        <input onclick="javascript:inspect( '#inspection-dialog_<%=var_idx%>_<%=idx%>')" type="button" value="Inspect" />
+                    </form>
+                    <%end%>
+                    <% if issue.method && (issue.elem.downcase == 'form' || issue.elem.downcase == 'link' ) &&
+                        ( issue.method.downcase == 'get' || issue.method.downcase == 'post' ) %>
+                    <form style="display:inline" action="<%=issue.url%>" target="_blank" method="<%=issue.method.downcase%>">
+                    <% if variation['opts'][:combo]%>
+                    <%variation['opts'][:combo].each_pair do |name, value|%>
+                        <input type="hidden" name="<%=CGI.escapeHTML(name)%>" value="<%=CGI.escapeHTML( value )%>" />
+                    <%end%>
+                    <%end%>
+                        <input type="submit" value="Replay" />
+                    </form>
+                    <%end%>
+                    <br/><br/>
+                    <div class="variation" id="var_<%=var_idx%>_<%=idx%>">
+                        <% if variation['injected'] %>
+                        <strong>Injected value</strong>:
+                        <pre> <%=CGI.escapeHTML(variation['injected'])%> </pre>
+                        <br/>
+                        <%end%>
+                        <% if variation['id'] %>
+                        <strong>ID</strong>:
+                        <pre><%=CGI.escapeHTML(variation['id'])%></pre>
+                        <br/>
+                        <%end%>
+                        <% if variation['regexp'] %>
+                        <strong>Regular expression</strong>:
+                        <pre><%=CGI.escapeHTML(variation['regexp'])%></pre>
+                        <br/>
+                        <%end%>
+                        <% if variation['regexp_match'] %>
+                        <strong>Matched by the regular expression</strong>:
+                        <pre><%=CGI.escapeHTML(variation['regexp_match'])%> </pre>
+                        <%end%>
+                        <br/>
+                        <table>
+                            <tr>
+                                <th colspan="2" style="text-align: center">Headers</th>
+                            </tr>
+                            <tr>
+                                <th>Request</th>
+                                <th>Response</th>
+                            </tr>
+                            <tr>
+                                <td>
+                                    <% if variation['headers']['request'].is_a?( Hash ) %>
+                                    <pre class="notice"><% variation['headers']['request'].each_pair do |name, val| %><strong><%=name%></strong><%="\t" + CGI.escapeHTML(val) + "\n"%><%end%></pre>
+                                    <%end%>
+                                </td>
+                                <td>
+                                    <% if variation['headers']['response'].is_a?( Hash ) %>
+                                    <pre class="notice"><% variation['headers']['response'].each_pair do |name, val| %><strong><%=name%></strong><%="\t" + CGI.escapeHTML(val) + "\n"%><%end%></pre>
+                                    <%end%>
+                                </td>
+                            </tr>
+                        </table>
+                        <% if variation['escaped_response']%>
+                        <h5>HTML Response</h5>
+                        <iframe style="width: 100%; height: 400px" src="data:text/html;base64, <%=variation['escaped_response']%>"></iframe>
+                        <%end%>
+                    </div>
+                    <%end%>
+                </div>
+            </div>
+            <p class="clear separator">&nbsp;</p>
+            <%end%>
+        </section>
+        <section class="tab" id="plugins">
+            <h2>Plugin results</h2>
+            <p> &nbsp; </p>
+            <%@plugins.values.each do |plugin|%>
+            <p><%=plugin%></p>
+            <%end%>
+        </section>
+        <section class="tab" id="sitemap">
+            <h2>Sitemap</h2>
+            <p> &nbsp; </p>
+            <h3><%=@audit_store.sitemap.size%> pages</h3>
+            <% @audit_store.sitemap.each do |url| %>
+              <a href="<%=CGI.escapeHTML(url)%>"><%=CGI.escapeHTML(url)%></a><br/>
+              <%end%>
+        </section>
+        </div>
+    </body>
+</html>