arachni 0.2.2.1
- data/ACKNOWLEDGMENTS.md +14 -0
- data/AUTHORS.md +6 -0
- data/CHANGELOG.md +162 -0
- data/CONTRIBUTORS.md +10 -0
- data/EXPLOITATION.md +429 -0
- data/HACKING.md +101 -0
- data/LICENSE.md +341 -0
- data/README.md +350 -0
- data/Rakefile +86 -0
- data/bin/arachni +22 -0
- data/bin/arachni_web +77 -0
- data/bin/arachni_xmlrpc +21 -0
- data/bin/arachni_xmlrpcd +82 -0
- data/bin/arachni_xmlrpcd_monitor +74 -0
- data/conf/README.webui.yaml.txt +44 -0
- data/conf/webui.yaml +11 -0
- data/external/metasploit/LICENSE +24 -0
- data/external/metasploit/modules/exploits/unix/webapp/arachni_exec.rb +142 -0
- data/external/metasploit/modules/exploits/unix/webapp/arachni_path_traversal.rb +113 -0
- data/external/metasploit/modules/exploits/unix/webapp/arachni_php_eval.rb +150 -0
- data/external/metasploit/modules/exploits/unix/webapp/arachni_php_include.rb +141 -0
- data/external/metasploit/modules/exploits/unix/webapp/arachni_sqlmap.rb +92 -0
- data/external/metasploit/plugins/arachni.rb +536 -0
- data/getoptslong.rb +241 -0
- data/lib/anemone.rb +2 -0
- data/lib/anemone/cookie_store.rb +35 -0
- data/lib/anemone/core.rb +371 -0
- data/lib/anemone/exceptions.rb +5 -0
- data/lib/anemone/http.rb +144 -0
- data/lib/anemone/page.rb +337 -0
- data/lib/anemone/page_store.rb +160 -0
- data/lib/anemone/storage.rb +34 -0
- data/lib/anemone/storage/base.rb +75 -0
- data/lib/anemone/storage/exceptions.rb +15 -0
- data/lib/anemone/storage/mongodb.rb +89 -0
- data/lib/anemone/storage/pstore.rb +50 -0
- data/lib/anemone/storage/redis.rb +90 -0
- data/lib/anemone/storage/tokyo_cabinet.rb +57 -0
- data/lib/anemone/tentacle.rb +40 -0
- data/lib/arachni.rb +16 -0
- data/lib/audit_store.rb +346 -0
- data/lib/component_manager.rb +293 -0
- data/lib/component_options.rb +395 -0
- data/lib/exceptions.rb +76 -0
- data/lib/framework.rb +637 -0
- data/lib/http.rb +809 -0
- data/lib/issue.rb +302 -0
- data/lib/module.rb +4 -0
- data/lib/module/auditor.rb +455 -0
- data/lib/module/base.rb +188 -0
- data/lib/module/element_db.rb +158 -0
- data/lib/module/key_filler.rb +87 -0
- data/lib/module/manager.rb +87 -0
- data/lib/module/output.rb +68 -0
- data/lib/module/trainer.rb +240 -0
- data/lib/module/utilities.rb +110 -0
- data/lib/options.rb +547 -0
- data/lib/parser.rb +2 -0
- data/lib/parser/auditable.rb +522 -0
- data/lib/parser/elements.rb +296 -0
- data/lib/parser/page.rb +149 -0
- data/lib/parser/parser.rb +717 -0
- data/lib/plugin.rb +4 -0
- data/lib/plugin/base.rb +110 -0
- data/lib/plugin/manager.rb +162 -0
- data/lib/report.rb +4 -0
- data/lib/report/base.rb +119 -0
- data/lib/report/manager.rb +92 -0
- data/lib/rpc/xml/client/base.rb +71 -0
- data/lib/rpc/xml/client/dispatcher.rb +49 -0
- data/lib/rpc/xml/client/instance.rb +88 -0
- data/lib/rpc/xml/server/base.rb +90 -0
- data/lib/rpc/xml/server/dispatcher.rb +357 -0
- data/lib/rpc/xml/server/framework.rb +206 -0
- data/lib/rpc/xml/server/instance.rb +191 -0
- data/lib/rpc/xml/server/module/manager.rb +46 -0
- data/lib/rpc/xml/server/options.rb +124 -0
- data/lib/rpc/xml/server/output.rb +299 -0
- data/lib/rpc/xml/server/plugin/manager.rb +58 -0
- data/lib/ruby.rb +5 -0
- data/lib/ruby/object.rb +32 -0
- data/lib/ruby/string.rb +74 -0
- data/lib/ruby/xmlrpc/server.rb +27 -0
- data/lib/spider.rb +200 -0
- data/lib/typhoeus/request.rb +91 -0
- data/lib/typhoeus/response.rb +34 -0
- data/lib/ui/cli/cli.rb +744 -0
- data/lib/ui/cli/output.rb +279 -0
- data/lib/ui/web/log.rb +82 -0
- data/lib/ui/web/output_stream.rb +94 -0
- data/lib/ui/web/report_manager.rb +222 -0
- data/lib/ui/web/server.rb +903 -0
- data/lib/ui/web/server/db/placeholder +0 -0
- data/lib/ui/web/server/public/banner.png +0 -0
- data/lib/ui/web/server/public/bodybg-small.png +0 -0
- data/lib/ui/web/server/public/bodybg.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/pbar-ani.gif +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_flat_0_aaaaaa_40x100.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_flat_75_ffffff_40x100.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_55_fbf9ee_1x400.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_65_ffffff_1x400.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_75_dadada_1x400.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_75_e6e6e6_1x400.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_glass_95_fef1ec_1x400.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-bg_highlight-soft_75_cccccc_1x100.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-icons_222222_256x240.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-icons_2e83ff_256x240.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-icons_454545_256x240.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-icons_888888_256x240.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/images/ui-icons_cd0a0a_256x240.png +0 -0
- data/lib/ui/web/server/public/css/smoothness/jquery-ui-1.8.9.custom.css +573 -0
- data/lib/ui/web/server/public/favicon.ico +0 -0
- data/lib/ui/web/server/public/footer.jpg +0 -0
- data/lib/ui/web/server/public/icons/error.png +0 -0
- data/lib/ui/web/server/public/icons/info.png +0 -0
- data/lib/ui/web/server/public/icons/ok.png +0 -0
- data/lib/ui/web/server/public/icons/status.png +0 -0
- data/lib/ui/web/server/public/js/jquery-1.4.4.min.js +167 -0
- data/lib/ui/web/server/public/js/jquery-ui-1.8.9.custom.min.js +781 -0
- data/lib/ui/web/server/public/logo.png +0 -0
- data/lib/ui/web/server/public/nav-left.jpg +0 -0
- data/lib/ui/web/server/public/nav-right.jpg +0 -0
- data/lib/ui/web/server/public/nav-selected-left.jpg +0 -0
- data/lib/ui/web/server/public/nav-selected-right.jpg +0 -0
- data/lib/ui/web/server/public/reports/placeholder +1 -0
- data/lib/ui/web/server/public/sidebar-bottom.jpg +0 -0
- data/lib/ui/web/server/public/sidebar-h4.jpg +0 -0
- data/lib/ui/web/server/public/sidebar-top.jpg +0 -0
- data/lib/ui/web/server/public/spider.png +0 -0
- data/lib/ui/web/server/public/style.css +604 -0
- data/lib/ui/web/server/tmp/placeholder +0 -0
- data/lib/ui/web/server/views/dispatcher.erb +85 -0
- data/lib/ui/web/server/views/dispatcher_error.erb +14 -0
- data/lib/ui/web/server/views/error.erb +1 -0
- data/lib/ui/web/server/views/flash.erb +18 -0
- data/lib/ui/web/server/views/home.erb +14 -0
- data/lib/ui/web/server/views/instance.erb +213 -0
- data/lib/ui/web/server/views/layout.erb +95 -0
- data/lib/ui/web/server/views/log.erb +40 -0
- data/lib/ui/web/server/views/modules.erb +71 -0
- data/lib/ui/web/server/views/options.erb +23 -0
- data/lib/ui/web/server/views/output_results.erb +51 -0
- data/lib/ui/web/server/views/plugins.erb +42 -0
- data/lib/ui/web/server/views/report_formats.erb +30 -0
- data/lib/ui/web/server/views/reports.erb +55 -0
- data/lib/ui/web/server/views/settings.erb +120 -0
- data/lib/ui/web/server/views/welcome.erb +38 -0
- data/lib/ui/xmlrpc/dispatcher_monitor.rb +204 -0
- data/lib/ui/xmlrpc/xmlrpc.rb +843 -0
- data/logs/placeholder +0 -0
- data/metamodules/autothrottle.rb +74 -0
- data/metamodules/timeout_notice.rb +118 -0
- data/metamodules/uniformity.rb +98 -0
- data/modules/audit/code_injection.rb +136 -0
- data/modules/audit/code_injection_timing.rb +115 -0
- data/modules/audit/code_injection_timing/payloads.txt +4 -0
- data/modules/audit/csrf.rb +301 -0
- data/modules/audit/ldapi.rb +103 -0
- data/modules/audit/ldapi/errors.txt +26 -0
- data/modules/audit/os_cmd_injection.rb +103 -0
- data/modules/audit/os_cmd_injection/payloads.txt +2 -0
- data/modules/audit/os_cmd_injection_timing.rb +104 -0
- data/modules/audit/os_cmd_injection_timing/payloads.txt +3 -0
- data/modules/audit/path_traversal.rb +141 -0
- data/modules/audit/response_splitting.rb +105 -0
- data/modules/audit/rfi.rb +193 -0
- data/modules/audit/sqli.rb +120 -0
- data/modules/audit/sqli/regexp_ids.txt +90 -0
- data/modules/audit/sqli_blind_rdiff.rb +321 -0
- data/modules/audit/sqli_blind_timing.rb +103 -0
- data/modules/audit/sqli_blind_timing/payloads.txt +51 -0
- data/modules/audit/trainer.rb +89 -0
- data/modules/audit/unvalidated_redirect.rb +90 -0
- data/modules/audit/xpath.rb +104 -0
- data/modules/audit/xpath/errors.txt +26 -0
- data/modules/audit/xss.rb +99 -0
- data/modules/audit/xss_event.rb +134 -0
- data/modules/audit/xss_path.rb +125 -0
- data/modules/audit/xss_script_tag.rb +112 -0
- data/modules/audit/xss_tag.rb +112 -0
- data/modules/audit/xss_uri.rb +125 -0
- data/modules/recon/allowed_methods.rb +104 -0
- data/modules/recon/backdoors.rb +131 -0
- data/modules/recon/backdoors/filenames.txt +16 -0
- data/modules/recon/backup_files.rb +177 -0
- data/modules/recon/backup_files/extensions.txt +28 -0
- data/modules/recon/common_directories.rb +138 -0
- data/modules/recon/common_directories/directories.txt +265 -0
- data/modules/recon/common_files.rb +138 -0
- data/modules/recon/common_files/filenames.txt +17 -0
- data/modules/recon/directory_listing.rb +171 -0
- data/modules/recon/grep/captcha.rb +62 -0
- data/modules/recon/grep/credit_card.rb +85 -0
- data/modules/recon/grep/cvs_svn_users.rb +73 -0
- data/modules/recon/grep/emails.rb +59 -0
- data/modules/recon/grep/html_objects.rb +53 -0
- data/modules/recon/grep/private_ip.rb +54 -0
- data/modules/recon/grep/ssn.rb +53 -0
- data/modules/recon/htaccess_limit.rb +82 -0
- data/modules/recon/http_put.rb +95 -0
- data/modules/recon/interesting_responses.rb +118 -0
- data/modules/recon/unencrypted_password_forms.rb +119 -0
- data/modules/recon/webdav.rb +126 -0
- data/modules/recon/xst.rb +107 -0
- data/path_extractors/anchors.rb +35 -0
- data/path_extractors/forms.rb +35 -0
- data/path_extractors/frames.rb +38 -0
- data/path_extractors/generic.rb +39 -0
- data/path_extractors/links.rb +35 -0
- data/path_extractors/meta_refresh.rb +39 -0
- data/path_extractors/scripts.rb +37 -0
- data/path_extractors/sitemap.rb +31 -0
- data/plugins/autologin.rb +137 -0
- data/plugins/content_types.rb +90 -0
- data/plugins/cookie_collector.rb +99 -0
- data/plugins/form_dicattack.rb +185 -0
- data/plugins/healthmap.rb +94 -0
- data/plugins/http_dicattack.rb +133 -0
- data/plugins/metamodules.rb +118 -0
- data/plugins/proxy.rb +248 -0
- data/plugins/proxy/server.rb +66 -0
- data/plugins/waf_detector.rb +184 -0
- data/profiles/comprehensive.afp +74 -0
- data/profiles/full.afp +75 -0
- data/reports/afr.rb +59 -0
- data/reports/ap.rb +55 -0
- data/reports/html.rb +179 -0
- data/reports/html/default.erb +967 -0
- data/reports/metareport.rb +139 -0
- data/reports/metareport/arachni_metareport.rb +174 -0
- data/reports/plugin_formatters/html/content_types.rb +82 -0
- data/reports/plugin_formatters/html/cookie_collector.rb +66 -0
- data/reports/plugin_formatters/html/form_dicattack.rb +54 -0
- data/reports/plugin_formatters/html/healthmap.rb +76 -0
- data/reports/plugin_formatters/html/http_dicattack.rb +54 -0
- data/reports/plugin_formatters/html/metaformatters/timeout_notice.rb +65 -0
- data/reports/plugin_formatters/html/metaformatters/uniformity.rb +71 -0
- data/reports/plugin_formatters/html/metamodules.rb +93 -0
- data/reports/plugin_formatters/html/waf_detector.rb +54 -0
- data/reports/plugin_formatters/stdout/content_types.rb +73 -0
- data/reports/plugin_formatters/stdout/cookie_collector.rb +61 -0
- data/reports/plugin_formatters/stdout/form_dicattack.rb +52 -0
- data/reports/plugin_formatters/stdout/healthmap.rb +72 -0
- data/reports/plugin_formatters/stdout/http_dicattack.rb +53 -0
- data/reports/plugin_formatters/stdout/metaformatters/timeout_notice.rb +55 -0
- data/reports/plugin_formatters/stdout/metaformatters/uniformity.rb +68 -0
- data/reports/plugin_formatters/stdout/metamodules.rb +89 -0
- data/reports/plugin_formatters/stdout/waf_detector.rb +48 -0
- data/reports/plugin_formatters/xml/content_types.rb +91 -0
- data/reports/plugin_formatters/xml/cookie_collector.rb +70 -0
- data/reports/plugin_formatters/xml/form_dicattack.rb +57 -0
- data/reports/plugin_formatters/xml/healthmap.rb +82 -0
- data/reports/plugin_formatters/xml/http_dicattack.rb +57 -0
- data/reports/plugin_formatters/xml/metaformatters/timeout_notice.rb +67 -0
- data/reports/plugin_formatters/xml/metaformatters/uniformity.rb +82 -0
- data/reports/plugin_formatters/xml/metamodules.rb +91 -0
- data/reports/plugin_formatters/xml/waf_detector.rb +58 -0
- data/reports/stdout.rb +182 -0
- data/reports/txt.rb +77 -0
- data/reports/xml.rb +231 -0
- data/reports/xml/buffer.rb +98 -0
- metadata +516 -0
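--- a/data/reports/plugin_formatters/html/form_dicattack.rb
+++ b/data/reports/plugin_formatters/html/form_dicattack.rb
@@ -0,0 +1,54 @@
+=begin
+Arachni
+Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+This is free software; you can copy and distribute and modify
+this program under the term of the GPL v2.0 License
+(See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Reports
+
+class HTML
+module PluginFormatters
+
+#
+# HTML formatter for the results of the FormDicattack plugin
+#
+# @author: Tasos "Zapotek" Laskos
+# <tasos.laskos@gmail.com>
+# <zapotek@segfault.gr>
+# @version: 0.1
+#
+class FormDicattack < Arachni::Plugin::Formatter
+
+def initialize( plugin_data )
+@results = plugin_data[:results]
+@description = plugin_data[:description]
+end
+
+def run
+return ERB.new( tpl ).result( binding )
+end
+
+def tpl
+%q{
+<h3>Form dictionary attacker</h3>
+<blockquote><%=@description%></blockquote>
+
+<h4>Credentials</h4>
+<strong>Username</strong>: <%=CGI.escapeHTML(@results[:username])%> <br/>
+<strong>Password</strong>: <%=CGI.escapeHTML(@results[:password])%>
+}
+end
+
+end
+
+end
+end
+
+end
+end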
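Review bot: `<%=@description%>` in `tpl` is written into the report unescaped, while the two credential fields right below it go through `CGI.escapeHTML`; the same raw interpolation appears in the healthmap.rb and http_dicattack.rb templates. If descriptions are plain text, `<blockquote><%=CGI.escapeHTML(@description.to_s)%></blockquote>` keeps the template consistent; if they may carry markup on purpose, a comment saying so would help. `CGI.escapeHTML(@results[:username])` will presumably raise when the plugin stored no username, so `.to_s` on both fields is a cheap guard. The rendered report contains the recovered username and password in clear text, which is worth stating in the class comment so the HTML file is handled as sensitive.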
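--- a/data/reports/plugin_formatters/html/healthmap.rb
+++ b/data/reports/plugin_formatters/html/healthmap.rb
@@ -0,0 +1,76 @@
+=begin
+Arachni
+Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+This is free software; you can copy and distribute and modify
+this program under the term of the GPL v2.0 License
+(See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Reports
+
+class HTML
+module PluginFormatters
+
+#
+# HTML formatter for the results of the HealthMap plugin
+#
+# @author: Tasos "Zapotek" Laskos
+# <tasos.laskos@gmail.com>
+# <zapotek@segfault.gr>
+# @version: 0.1
+#
+class HealthMap < Arachni::Plugin::Formatter
+
+def initialize( plugin_data )
+@results = plugin_data[:results]
+@description = plugin_data[:description]
+end
+
+def run
+return ERB.new( tpl ).result( binding )
+end
+
+def tpl
+%q{
+<style type="text/css">
+a.safe {
+color: blue
+}
+a.unsafe {
+color: red
+}
+</style>
+
+<h3>Healthmap</h3>
+<blockquote><%=@description%></blockquote>
+
+<h4>Results</h4>
+<% @results[:map].each do |entry| %>
+<% state = entry.keys[0]%>
+<% url = entry.values[0]%>
+
+<a class="<%=state%>" href="<%=CGI.escapeHTML(url)%>"><%=CGI.escapeHTML(url)%></a> <br/>
+<%end%>
+
+<br/>
+
+<h5>Stats</h5>
+<strong>Total</strong>: <%=@results[:total]%> <br/>
+<strong>Safe</strong>: <%=@results[:safe]%> <br/>
+<strong>Unsafe</strong>: <%=@results[:unsafe]%> <br/>
+<strong>Issue percentage</strong>: <%=@results[:issue_percentage]%>%
+}
+end
+
+
+end
+
+end
+end
+
+end
+end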
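Review bot: `class="<%=state%>"` is emitted raw and the `href` accepts whatever URL string the map holds, escaped for HTML but not checked for scheme. `state` probably only ever holds the safe/unsafe key set by the plugin and `url` a crawled http(s) address, but the template does not enforce either. Restricting the class to a fixed set, e.g. `<% css = %w[safe unsafe].include?( state.to_s ) ? state.to_s : '' %>`, and rendering the entry as plain text unless the URL starts with `http://` or `https://`, would make the report safe to open regardless of what the scan recorded.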
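--- a/data/reports/plugin_formatters/html/http_dicattack.rb
+++ b/data/reports/plugin_formatters/html/http_dicattack.rb
@@ -0,0 +1,54 @@
+=begin
+Arachni
+Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+This is free software; you can copy and distribute and modify
+this program under the term of the GPL v2.0 License
+(See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Reports
+
+class HTML
+module PluginFormatters
+
+#
+# XML formatter for the results of the HTTPDicattack plugin
+#
+# @author: Tasos "Zapotek" Laskos
+# <tasos.laskos@gmail.com>
+# <zapotek@segfault.gr>
+# @version: 0.1
+#
+class HTTPDicattack < Arachni::Plugin::Formatter
+
+def initialize( plugin_data )
+@results = plugin_data[:results]
+@description = plugin_data[:description]
+end
+
+def run
+return ERB.new( tpl ).result( binding )
+end
+
+def tpl
+%q{
+<h3>HTTP dictionary attacker</h3>
+<blockquote><%=@description%></blockquote>
+
+<h4>Credentials</h4>
+<strong>Username</strong>: <%=CGI.escapeHTML(@results[:username])%> <br/>
+<strong>Password</strong>: <%=CGI.escapeHTML(@results[:password])%>
+}
+end
+
+end
+
+end
+end
+
+end
+end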
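Review bot: The class comment says `# XML formatter for the results of the HTTPDicattack plugin`, but the class sits under `Reports::HTML::PluginFormatters` and `tpl` returns HTML; the MetaModules formatter further down carries the same mislabel. It should read `# HTML formatter for the results of the HTTPDicattack plugin`. Apart from the class name and the `<h3>` text this file duplicates the FormDicattack formatter, so a shared credentials template would keep future escaping fixes in one place.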
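--- a/data/reports/plugin_formatters/html/metaformatters/timeout_notice.rb
+++ b/data/reports/plugin_formatters/html/metaformatters/timeout_notice.rb
@@ -0,0 +1,65 @@
+=begin
+Arachni
+Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+This is free software; you can copy and distribute and modify
+this program under the term of the GPL v2.0 License
+(See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Reports
+
+class HTML
+module PluginFormatters
+
+class MetaModules
+
+module MetaFormatters
+
+#
+# HTML formatter for the results of the TimeoutNotice metamodule
+#
+# @author: Tasos "Zapotek" Laskos
+# <tasos.laskos@gmail.com>
+# <zapotek@segfault.gr>
+# @version: 0.1
+#
+class TimeoutNotice < Arachni::Plugin::Formatter
+
+def initialize( metadata )
+@results = metadata[:results]
+@description = metadata[:description]
+end
+
+def run
+return ERB.new( tpl ).result( binding )
+end
+
+def tpl
+%q{
+<h4>Timeout notice</h4>
+<blockquote><pre><%=::Arachni::Reports::HTML.prep_description(@description)%></pre></blockquote>
+
+<ul>
+<%@results.each do |issue| %>
+<li>
+<a href="#issue_<%=issue['index']%>">
+<%=issue['name']%> at <%=issue['url']%> in <%=issue['elem']%> variable '<%=issue['var']%>' using <%=issue['method']%>
+</a>
+</li>
+<%end%>
+</ul>
+}
+end
+end
+
+end
+
+end
+end
+end
+end
+end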
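Review bot: The `<li>` body interpolates `issue['name']`, `issue['url']`, `issue['elem']`, `issue['var']` and `issue['method']` without escaping, and at least the URL and variable name presumably originate from the audited site. Markup in those values would then be interpreted by whoever opens the report. The Uniformity formatter does the same for its issue fields and `<%=url%>`, and the WAF detector formatter for `<%=@results[:msg]%>`. Wrapping each value as the dictionary-attack formatters do, e.g. `<%=CGI.escapeHTML( issue['url'].to_s )%>`, closes this in the template rather than relying on upstream data being clean.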
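--- a/data/reports/plugin_formatters/html/metaformatters/uniformity.rb
+++ b/data/reports/plugin_formatters/html/metaformatters/uniformity.rb
@@ -0,0 +1,71 @@
+=begin
+Arachni
+Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+This is free software; you can copy and distribute and modify
+this program under the term of the GPL v2.0 License
+(See LICENSE file for details)
+
+=end
+
+module Arachni
+module Reports
+
+class HTML
+module PluginFormatters
+
+class MetaModules
+module MetaFormatters
+
+#
+# HTML formatter for the results of the Uniformity metamodule
+#
+# @author: Tasos "Zapotek" Laskos
+# <tasos.laskos@gmail.com>
+# <zapotek@segfault.gr>
+# @version: 0.1
+#
+class Uniformity < Arachni::Plugin::Formatter
+
+def initialize( metadata )
+@results = metadata[:results]
+@description = metadata[:description]
+end
+
+def run
+return ERB.new( tpl ).result( binding )
+end
+
+def tpl
+%q{
+<h4>Uniformity (Lack of centralised sanitization)</h4>
+<blockquote><pre><%=::Arachni::Reports::HTML.prep_description(@description)%></pre></blockquote>
+
+<ul>
+<%@results['uniformals'].each_pair do |id, uniformal| %>
+<% issue = uniformal['issue'] %>
+<li>
+<%=issue['name']%> in <%=issue['elem']%> variable '<%=issue['var']%>' using <%=issue['method']%> at the following pages:
+<ul>
+
+<%@results['pages'][id].each_with_index do |url, i|%>
+<li>
+<a href="#issue_<%=uniformal['indices'][i]%>"><%=url%></a>
+</li>
+<%end%>
+
+</ul>
+</li>
+<%end%>
+</ul>
+}
+end
+
+end
+
+end
+end
+end
+end
+end
+end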
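--- a/data/reports/plugin_formatters/html/metamodules.rb
+++ b/data/reports/plugin_formatters/html/metamodules.rb
@@ -0,0 +1,93 @@
+=begin
+Arachni
+Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+This is free software; you can copy and distribute and modify
+this program under the term of the GPL v2.0 License
+(See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Reports
+
+class HTML
+module PluginFormatters
+
+#
+# XML formatter for the results of the MetaModules plugin
+#
+# @author: Tasos "Zapotek" Laskos
+# <tasos.laskos@gmail.com>
+# <zapotek@segfault.gr>
+# @version: 0.1
+#
+class MetaModules
+
+def initialize( plugin_data )
+@results = plugin_data[:results]
+@description = plugin_data[:description]
+end
+
+def run
+
+metaresults = format_meta_results( @results ).values
+return ERB.new( tpl ).result( binding )
+end
+
+def tpl
+%q{
+<h3>Metamodules</h3>
+<blockquote><pre><%=::Arachni::Reports::HTML.prep_description(@description)%></pre></blockquote>
+
+<%metaresults.each do |html|%>
+<%=html%>
+<%end%>
+}
+end
+
+#
+# Runs plugin formatters for the running report and returns a hash
+# with the prepared/formatted results.
+#
+# @param [AuditStore#plugins] plugins plugin data/results
+#
+def format_meta_results( plugins )
+
+ancestor = self.class.ancestors[0]
+
+# add the PluginFormatters module to the report
+eval( "module MetaFormatters end" )
+
+# prepare the directory of the formatters for the running report
+lib = File.dirname( __FILE__ ) + '/metaformatters/'
+
+@@formatters ||= {}
+# initialize a new component manager to handle the plugin formatters
+@@formatters[ancestor] ||= ::Arachni::Report::FormatterManager.new( lib, ancestor.const_get( 'MetaFormatters' ) )
+
+# load all the formatters
+@@formatters[ancestor].load( ['*'] ) if @@formatters[ancestor].empty?
+
+# run the formatters and gather the formatted data they return
+formatted = {}
+@@formatters[ancestor].each_pair {
+|name, formatter|
+plugin_results = plugins[name]
+next if !plugin_results || plugin_results[:results].empty?
+
+formatted[name] = formatter.new( plugin_results.deep_clone ).run
+}
+
+return formatted
+end
+
+
+end
+
+end
+end
+
+end
+end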
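Review bot: `eval( "module MetaFormatters end" )` in `format_meta_results` uses string eval only to make sure a constant exists; the string is fixed, so nothing is injectable, but it hides the definition from readers and static analysis. `ancestor.const_set( :MetaFormatters, Module.new ) unless ancestor.const_defined?( :MetaFormatters )` states the intent directly, and `ancestor` itself can simply be `self.class`. Separately, `<%=html%>` in `tpl` passes every metaformatter's output through unescaped, which is by design but makes each metaformatter solely responsible for escaping scan data; a comment on that line would record the contract. The comment above the eval also says PluginFormatters where the code creates MetaFormatters.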
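--- a/data/reports/plugin_formatters/html/waf_detector.rb
+++ b/data/reports/plugin_formatters/html/waf_detector.rb
@@ -0,0 +1,54 @@
+=begin
+Arachni
+Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+This is free software; you can copy and distribute and modify
+this program under the term of the GPL v2.0 License
+(See LICENSE file for details)
+
+=end
+
+module Arachni
+
+module Reports
+
+class HTML
+module PluginFormatters
+
+#
+# HTML formatter for the results of the WAF Detector plugin
+#
+# @author: Tasos "Zapotek" Laskos
+# <tasos.laskos@gmail.com>
+# <zapotek@segfault.gr>
+# @version: 0.1
+#
+class WAFDetector < Arachni::Plugin::Formatter
+
+def initialize( plugin_data )
+@results = plugin_data[:results]
+@description = plugin_data[:description]
+end
+
+def run
+return ERB.new( tpl ).result( binding )
+end
+
+def tpl
+%q{
+<h3>WAF Detector</h3>
+<blockquote><pre><%=::Arachni::Reports::HTML.prep_description(@description)%></pre></blockquote>
+
+<h4>Result</h4>
+<blockquote><%=@results[:msg]%></blockquote>
+}
+
+end
+
+end
+
+end
+end
+
+end
+end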