arachni 0.2.2.2 → 0.2.3

data/CHANGELOG.md

@@ -1,7 +1,24 @@
 
 # ChangeLog
 
-## Version 0.2.2.2 _(Under development)_
+## Version 0.2.3 _(Under development)_
+- WebUI
+   - Added connection cache for XMLRPC server instances to remove HTTPS handshake overhead and take advantage of keep-alive support.
+   - Added initial support for management of multiple Dispatchers.
+- XMLRPC Client->Dispatch Server
+   - Updated to always use SSL [Issue #28]
+   - Added per instance authentication tokens [Issue #28]
+- Modules
+   - Audit
+      - Path traversal: added double encoded traversals [Issue #29]
+- Reports
+   - HTML
+      - Fixed "invalid byte sequence in UTF-8" using iconv [Issue #27]
+      - Added false positive reporting. Data are encrypted using 256bit AES (with AES primitives encrypted using RSA) and sent over HTTPS. [Issue #30]
+   - Metareport
+      - Fixed bug caused by not explicitly closed file handle.
+
+## Version 0.2.2.2 _(March 22, 2011)_
 - Added "arachni_web_autostart" under bin -- Automatically starts all systems required by the WebUI and makes shutting down everything easier too (Original by: Brandon Potter <bpotter8705@gmail.com>)
 - Overrided Nokogiri to revert to UTF-8 when it comes across an unknown charset instead of throwing exceptions
 - Dependency versions are now defined explicitly [Issue #23]

data/README.md

@@ -1,15 +1,49 @@
 # Arachni - Web Application Security Scanner Framework
-**Version**:     0.2.2.2<br/>
-**Homepage**:     [http://arachni.segfault.gr](http://arachni.segfault.gr)<br/>
-**Blog**:         [http://trainofthought.segfault.gr/category/projects/arachni/](http://trainofthought.segfault.gr/category/projects/arachni/)<br/>
-**Github page**:  [http://github.com/zapotek/arachni](http://github.com/zapotek/arachni)<br/>
-**Documentation**:     [http://github.com/Zapotek/arachni/wiki](http://github.com/Zapotek/arachni/wiki)<br/>
-**Code Documentation**:     [http://zapotek.github.com/arachni/](http://zapotek.github.com/arachni/)<br/>
-**Google Group**: [http://groups.google.com/group/arachni](http://groups.google.com/group/arachni)<br/>
-**Author**:       [Tasos](mailto:tasos.laskos@gmail.com) "[Zapotek](mailto:zapotek@segfault.gr)" [Laskos](mailto:tasos.laskos@gmail.com)<br/>
-**Twitter**:      [http://twitter.com/Zap0tek](http://twitter.com/Zap0tek)<br/>
-**Copyright**:    2010-2011<br/>
-**License**:      [GNU General Public License v2](file.LICENSE.html)
+<table>
+    <tr>
+        <th>Version</th>
+        <td>0.2.3</td>
+    </tr>
+    <tr>
+        <th>Homepage</th>
+        <td><a href="http://arachni.segfault.gr">http://arachni.segfault.gr</a></td>
+    </tr>
+    <tr>
+        <th>Blog</th>
+        <td><a href="http://trainofthought.segfault.gr/category/projects/arachni/">http://trainofthought.segfault.gr/category/projects/arachni/</a></td>
+    <tr>
+        <th>Github page</th>
+        <td><a href="http://github.com/zapotek/arachni">http://github.com/zapotek/arachni</a></td>
+     <tr/>
+    <tr>
+        <th>Documentation</th>
+        <td><a href="http://github.com/Zapotek/arachni/wiki">http://github.com/Zapotek/arachni/wiki</a></td>
+    </tr>
+    <tr>
+        <th>Code Documentation</th>
+        <td><a href="http://zapotek.github.com/arachni/">http://zapotek.github.com/arachni/</a></td>
+    </tr>
+    <tr>
+        <th>Google Group</th>
+        <td><a href="http://groups.google.com/group/arachni">http://groups.google.com/group/arachni</a></td>
+    </tr>
+    <tr>
+       <th>Author</th>
+       <td><a href="mailto:tasos.laskos@gmail.com">Tasos</a> <a href="mailto:zapotek@segfault.gr">Zapotek</a> <a href="mailto:tasos.laskos@gmail.com">Laskos</a></td>
+    </tr>
+    <tr>
+        <th>Twitter</th>
+        <td><a href="http://twitter.com/Zap0tek">@Zap0tek</a></td>
+    </tr>
+    <tr>
+        <th>Copyright</th>
+        <td>2010-2011</td>
+    </tr>
+    <tr>
+        <th>License</th>
+        <td><a href="file.LICENSE.html">GNU General Public License v2</a></td>
+    </tr>
+</table>
 
 ![Arachni logo](http://zapotek.github.com/arachni/logo.png)
 
@@ -186,136 +220,10 @@ Still, this can be an invaluable asset to Fuzzer modules.
 
 ## Usage
 
-### WebUI
+### [WebUI](https://github.com/Zapotek/arachni/wiki/Web-user-interface)
 
-The Web User Interface is basically a Sinatra app which acts as an Arachni XMLRPC client and connects to a running XMLRPC Dispatch server.
 
-#### Autostart
-
-There's an autostart script to start all systems that are required by the WebUI:
-    $ arachni_web_autostart
-
-**Note:**: _The "arachni_xmlrpcd" and "arachni_web" executables will need to be in your PATH._
-
-#### Manually
-
-You first need to start a Dispatcher like so:
-    $ arachni_xmlrpcd &
-
-Then start the WebUI by running:
-    $ arachni_web
-
-_If you get any permission errors then you probably installed the Gem using 'sudo', so use 'sudo' to start the servers too._
-
-And finally open up a browser window and visit: http://localhost:4567/
-
-#### Options
-
-You can see all available options using:
-    $ arachni_web -h
-
-#### Shutdown
-You can kill the WebUI by sending _Ctrl+C_ to the console from which you started it.
-
-However, in order to kill the Dispatcher (and all the processes in its pool) you will need to _killall -9 arachni_xmlrpcd_ (or _killall -9 ruby_ depending on your setup) or hunt them down manually.
-This inconvenience is by design; it guarantees that Arachni instances will be available (and usable) instantly and that running scans will continue unaffected even if the dispatcher has (for some reason) died.
-
-#### Parallel scans
-As you might have guessed by the use of the word _pool_ in the previous paragraph, the WebUI allows you to run as many scans as you wish at the same time.
-Of course, the amount of parallel scans you'll be able to perform will be limited by your available resources (Network bandwidth/RAM/CPU).
-
-Should you shutdown the WebUI while a scan is running you'll be able to re-attach to the running process and view its progress or (if the scan has already finished) grab the report the next time you visit the WebUI.
-In most cases, you won't even need to re-attach to a process in order to get the report of the finished scan, the WebUI's zombie reaper will grab and save the report for you.
-
-#### General
-In cases where the Dispatcher is started with its default settings on localhost (like the above example) the WebUI will connect to it automatically.
-
-However, if you see an error message informing you that the WebUI could not find a dispatcher to connect to then you probably visited the WebUI before it had a chance to connect to the Dispatcher, you can just click on the "Dispatcher" tab to force it to try again; if the error does not re-appear then it connected successfully.
-
-If you get a scary "Broken pipe" exception a simple refresh will solve the problem.
-
-#### Remote deployment
-As noted above, the WebUI is, in essence, a user-friendly Arachni XMLRPC client, this means that you can start a Dispatcher on a remote host and manage it via the WebUI.
-Simple as that really.
-
-#### Encryption & Authentication
-WebUI-client (browser) and XMLRPC Client-Dispatch server authentication takes place using SSL certificate/key pairs.
-
-These are the 3 basic models:
-
- - No encryption & no authentication -- Default behavior
- - Encryption & no authentication    -- Just enable SSL in the WebUI configuration file (_conf/webui.yaml_) and the Dispatcher and all components will generate their own certificate/key pairs and disable peer verification.
- - Encryption & authentication       -- Enable SSL and use your own cert/key pairs to authenticate clients to the WebUI and vice verse, and authenticate the XMLRPC clients controlled by the WebUI to the Dispatcher and vice versa.
-
-However, you can go even further and create combinations specific to each component.
-
-*Beware:* This interface is brand new so if you encounter any issues please do report them.
-
-### Command line interface
-
-The command-line interface is the oldest, most tested and thus more reliable.
-
-#### Help
-In order to see everything Arachni has to offer execute:
-    $ arachni -h
-
-Or visit the Wiki.
-
-#### Examples
-You can simply run Arachni like so:
-
-    $ arachni http://test.com
-
-which will load all modules and audit all forms, links and cookies.
-
-In the following example all modules will be run against <i>http://test.com</i>, auditing links/forms/cookies and following subdomains --with verbose output enabled.<br/>
-The results of the audit will be saved in the the file <i>test.com.afr</i>.
-
-    $ arachni -fv http://test.com --report=afr:outfile=test.com.afr
-
-The Arachni Framework Report (.afr) file can later be loaded by Arachni to create a report, like so:
-
-    $ arachni --repload=test.com.afr --report=html:outfile=my_report.html
-
-or any other report type as shown by:
-
-    $ arachni --lsrep
-
-#### You can make module loading easier by using wildcards (*) and exclusions (-).
-
-To load all _xss_ modules using a wildcard:
-    $ arachni http://example.net --mods=xss_*
-
-To load all _audit_ modules using a wildcard:
-    $ arachni http://example.net --mods=audit*
-
-To exclude only the _csrf_ module:
-    $ arachni http://example.net --mods=*,-csrf
-
-Or you can mix and match; to run everything but the _xss_ modules:
-    $ arachni http://example.net --mods=*,-xss_*
-
-For a full explanation of all available options you can consult the [User Guide](http://github.com/Zapotek/arachni/wiki/User-guide).
-
-#### Performing a comprehensive scan quickly
-
-Arachni comes with a preconfigured profile (_profiles/comprehensive.afp_) for a comprehensive audit.
-This profile loads all modules, audits links/forms/cookies and loads the HealthMap and Content-Types plugins.
-
-You can use it like so:
-    $ arachni --load-profile=profiles/comprehensive.afp http://example.net
-
-#### Performing a full scan quickly
-
-The _full_ profile adds header auditing to the _comprehensive_ profile.
-
-_NOTICE: Auditing headers can increase scan time by an order of magnitude (depending on the website) and may be considered over-the-top in most scenarios._
-
-You can use it like so:
-    $ arachni --load-profile=profiles/full.afp http://example.net
-
-
-_If you installed the Gem then you'll have to look for the "profiles" directory in your gems path._
+### [Command line interface](https://github.com/Zapotek/arachni/wiki/Command-line-user-interface)
 
 ## Installation
 
@@ -330,6 +238,7 @@ If you decide to go the CDE route you can skip the rest, you're done.
 ### Gem
 
 To install the Gem or work with the source code you'll also need the following system libraries:
+
     $ sudo apt-get install libxml2-dev libxslt1-dev libcurl4-openssl-dev libsqlite3-dev
 
 You will also need to have Ruby 1.9.2 installed *including* the dev package/headers.<br/>
@@ -337,11 +246,13 @@ The prefered ways to accomplish this is by either using [RVM](http://rvm.beginre
 
 
 To install Arachni:
+
     $ gem install arachni
 
 ### Source
 
 If you want to clone the repository and work with the source code then you'll need to run the following to install all gem dependencies and Arachni:
+
     $ rake install
 
 

data/bin/arachni_web

@@ -21,6 +21,7 @@ options = Arachni::Options.instance
 
 options.dir            = Hash.new
 options.dir['root']    = File.expand_path( cwd + '/../' ) + '/'
+options.dir['data']    = options.dir['root'] + 'data/'
 options.dir['modules'] = options.dir['root'] + 'modules/'
 options.dir['reports'] = options.dir['root'] + 'reports/'
 options.dir['plugins'] = options.dir['root'] + 'plugins/'

data/data/crypto/public.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvyhiZE8Npa3GIlstM/N5
+pVfvP4cHeMJ/n5psnnDyF8/BK9bNawB8z4+7pXZJgvlD8E18ewsM9UZvekaBTdF8
+wGsAYHPV50H/pVn+e6foQPB/txGR7oSKdUKoTswPj2hDPnbPAUSLhLfYhXzFz0HW
+OZJKQt14qeOsYiMNYKrvAUGlwvhEPDLSEDhIvy7udX9ZFODt6X4Pm3lJwnydmdIY
+SgnB8QdL0A1bnj91TO0Ey+lF+MkK3bZ0mtCgsQ0yYtZsVeHaYmu0YnmdsNyX2wMK
+ElZlnLemhmLbKLnQXsR2dL54kpkjW6liN2HUEDi8K5Mv9aOCRorDJqn77kUzF8fn
+WQIDAQAB
+-----END PUBLIC KEY-----

data/getoptslong.rb

@@ -63,6 +63,7 @@ options = Arachni::Options.instance
 
 options.dir            = Hash.new
 options.dir['root']    = File.dirname( File.expand_path(__FILE__) ) + '/'
+options.dir['data']    = options.dir['root'] + 'data/'
 options.dir['modules'] = options.dir['root'] + 'modules/'
 options.dir['reports'] = options.dir['root'] + 'reports/'
 options.dir['plugins'] = options.dir['root'] + 'plugins/'

data/lib/arachni.rb

@@ -11,6 +11,6 @@
 module Arachni
 
     # the universal system version
-    VERSION      = '0.2.2.2'
+    VERSION      = '0.2.3'
 
 end

data/lib/crypto/rsa_aes_cbc.rb

@@ -0,0 +1,98 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+require 'openssl'
+require "yaml"
+require "base64"
+
+#
+# Simple hybrid crypto class using RSA for public key encryption and AES with CBC
+# for bulk data encryption/decryption.
+#
+# RSA is used to encrypt the AES primitives which are used to encrypt the plaintext.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class RSA_AES_CBC
+
+    #
+    # If only encryption is required the private key parameter can be omitted.
+    #
+    # @param  [String]  public_pem   location of the Public key in PEM format
+    # @param  [String]  private_pem  location of the Private key in PEM format
+    #
+    def initialize( public_pem, private_pem = nil )
+        @public_pem  = public_pem
+        @private_pem = private_pem
+    end
+
+    #
+    # Encrypts data and returns a Base64 representation of the ciphertext
+    # and AES CBC primitives encrypted using the public key.
+    #
+    # @param  [String]  data
+    #
+    # @return  [String]   Base64 representation of the ciphertext
+    #                       and AES CBC primitives encrypted using the public key.
+    #
+    def encrypt( data )
+        rsa = OpenSSL::PKey::RSA.new( File.read( @public_pem ) )
+
+        # encrypt with 256 bit AES with CBC
+        aes = OpenSSL::Cipher::Cipher.new( 'aes-256-cbc' )
+        aes.encrypt
+
+        # use random key and IV
+        aes.key = key = aes.random_key
+        aes.iv  = iv  = aes.random_iv
+
+        # this will hold all primitives and ciphertext
+        primitives = {}
+
+        primitives['ciphertext'] = aes.update( data )
+        primitives['ciphertext'] << aes.final
+
+        primitives['key'] = rsa.public_encrypt( key )
+        primitives['iv']  = rsa.public_encrypt( iv )
+
+        # serialize everything and base64 encode it
+        Base64.encode64( primitives.to_yaml )
+    end
+
+    #
+    # Decrypts data.
+    #
+    # @param  [String]  data
+    #
+    # @return  [String]   plaintext
+    #
+    def decrypt( data )
+        rsa = OpenSSL::PKey::RSA.new( File.read( @private_pem ) )
+
+        # decrypt with 256 bit AES with CBC
+        aes = OpenSSL::Cipher::Cipher.new( 'aes-256-cbc' )
+        aes.decrypt
+
+        # unencode and unserialize to get the primitives and ciphertext
+        primitives = YAML::load( Base64.decode64( data ) )
+
+        aes.key = rsa.private_decrypt( primitives['key'] )
+        aes.iv  = rsa.private_decrypt( primitives['iv'] )
+
+        plaintext = aes.update( primitives['ciphertext'] )
+        plaintext << aes.final
+
+        return plaintext
+    end
+
+end

data/lib/rpc/xml/client/base.rb

@@ -22,16 +22,21 @@ module Client
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.1
+# @version: 0.1.1
 #
 class Base
 
-    def initialize( opts, url )
+    def initialize( opts, url, token = nil )
 
         @opts = opts
 
+        url        = URI( url )
+        url.scheme = 'https'
+
         # start the XMLRPC client
-        @server = ::XMLRPC::Client.new2( url )
+        @server = ::XMLRPC::Client.new2( url.to_s )
+
+        @server.cookie = 'token=' + token + ';' if token
 
         # there'll be a HELL of lot of output so things might get..laggy.
         # a big timeout is required to avoid Timeout exceptions...

data/lib/rpc/xml/client/instance.rb

@@ -25,7 +25,7 @@ module Client
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.1.1
+# @version: 0.1.2
 #
 class Instance < Base
 
@@ -70,8 +70,8 @@ class Instance < Base
 
     end
 
-    def initialize( opts, url )
-        super( opts, url )
+    def initialize( opts, url, token = nil )
+        super( opts, url, token )
 
         @opts      = OptsMapper.new( @server, 'opts' )
         @framework = Mapper.new( @server, 'framework' )

data/lib/rpc/xml/server/base.rb

@@ -10,6 +10,8 @@
 
 require 'socket'
 require 'sys/proctable'
+require 'webrick'
+require 'cgi'
 
 module Arachni
 module RPC
@@ -22,11 +24,30 @@ module Server
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.1
+# @version: 0.1.1
 #
 class Base
 
-    def initialize( opts )
+    #
+    # This one doesn't add much new functionality,
+    # it just checks for a cookie token before processing each request.
+    #
+    # If it can't find a valid token then it returns nothing.
+    #
+    class WebServ < ::WEBrick::HTTPServer
+
+        def service( req, res )
+
+            if @config[:Token]
+                return if @config[:Token] != ::CGI.parse( req.cookies.join )['token'][0]
+            end
+
+            super( req, res )
+        end
+
+    end
+
+    def initialize( opts, token = nil )
 
         pkey = ::OpenSSL::PKey::RSA.new( File.read( opts.ssl_pkey ) )         if opts.ssl_pkey
         cert = ::OpenSSL::X509::Certificate.new( File.read( opts.ssl_cert ) ) if opts.ssl_cert
@@ -37,14 +58,15 @@ class Base
             verification = ::OpenSSL::SSL::VERIFY_NONE
         end
 
-        @server = ::WEBrick::HTTPServer.new(
+        @server = WebServ.new(
             :Port            => opts.rpc_port,
-            :SSLEnable       => opts.ssl  || false,
+            :SSLEnable       => true,
             :SSLVerifyClient => verification,
             :SSLCertName     => [ [ "CN", ::WEBrick::Utils::getservername ] ],
             :SSLCertificate  => cert,
             :SSLPrivateKey   => pkey,
-            :SSLCACertificateFile => opts.ssl_ca
+            :SSLCACertificateFile => opts.ssl_ca,
+            :Token           => token
         )
 
         print_status( 'Initing XMLRPC Server...' )

data/lib/rpc/xml/server/dispatcher.rb

@@ -39,7 +39,7 @@ module Server
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.1.1
+# @version: 0.1.2
 #
 class Dispatcher < Base
 
@@ -221,10 +221,6 @@ class Dispatcher < Base
     (All SSL options will be honored by the dispatched XMLRPC instances as well.)
     (Do *not* use encrypted keys!)
 
-    --ssl                       use SSL?
-                                   (If you want encryption without authentication
-                                    you can skip rest of the SSL options.)
-
     --ssl-pkey   <file>         location of the SSL private key (.pem)
                                     (Used to verify the server to the clients.)
 
@@ -252,10 +248,11 @@ USAGE
 
                 # get an available port for the child
                 @opts.rpc_port = avail_port( )
+                @token         = secret()
 
                 pid = Kernel.fork {
                     exception_jail {
-                        server = Arachni::RPC::XML::Server::Instance.new( @opts )
+                        server = Arachni::RPC::XML::Server::Instance.new( @opts, @token )
                         trap( "INT", "IGNORE" )
                         server.run
                     }
@@ -271,6 +268,7 @@ USAGE
                     "Port: #{@opts.rpc_port} - Owner: #{owner}" )
 
                 @pool << {
+                    'token' => @token,
                     'pid'   => pid,
                     'port'  => @opts.rpc_port,
                     'owner' => owner,
@@ -279,6 +277,7 @@ USAGE
 
                 # let the child go about his business
                 Process.detach( pid )
+                @token = nil
             }
         }
 
@@ -331,6 +330,15 @@ USAGE
         range[ rand( 65535 - 1025 ) ]
     end
 
+    def secret
+      secret = ''
+      1000.times {
+          secret += rand( 1000 ).to_s
+      }
+
+      return Digest::MD5.hexdigest( secret )
+    end
+
     #
     # Checks whether the port number is available
     #

data/lib/rpc/xml/server/instance.rb

@@ -35,7 +35,7 @@ module Server
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.1.3
+# @version: 0.1.4
 #
 class Instance < Base
 
@@ -52,13 +52,13 @@ class Instance < Base
     #
     # @param    [Options]    opts
     #
-    def initialize( opts )
+    def initialize( opts, token )
 
         prep_framework
         banner
 
         @opts = opts
-        super( @opts )
+        super( @opts, token )
 
         if @opts.debug
             debug!

data/lib/ui/web/dispatcher_manager.rb

@@ -0,0 +1,98 @@
+=begin
+                  Arachni
+  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+
+  This is free software; you can copy and distribute and modify
+  this program under the term of the GPL v2.0 License
+  (See LICENSE file for details)
+
+=end
+
+require 'datamapper'
+
+module Arachni
+module UI
+module Web
+
+#
+#
+# Provides nice little wrapper for the Arachni::Report::Manager while also handling<br/>
+# conversions, storing etc.
+#
+# @author: Tasos "Zapotek" Laskos
+#                                      <tasos.laskos@gmail.com>
+#                                      <zapotek@segfault.gr>
+# @version: 0.1
+#
+class DispatcherManager
+
+    class Dispatcher
+        include DataMapper::Resource
+
+        property :id,           Serial
+        property :url,          String
+    end
+
+
+    def initialize( opts, settings )
+        @opts     = opts
+        @settings = settings
+
+        DataMapper::setup( :default, "sqlite3://#{@settings.db}/default.db" )
+        DataMapper.finalize
+
+        Dispatcher.auto_upgrade!
+    end
+
+    def new( opts )
+        Dispatcher.create( :url => opts[:url] )
+    end
+
+    def connect( url )
+        @@cache ||= {}
+
+        begin
+            if @@cache[url] && @@cache[url].alive?
+                return @@cache[url]
+            elsif ( tmp = Arachni::RPC::XML::Client::Dispatcher.new( @opts, url ) ) &&
+                  tmp.alive?
+                return @@cache[url] = tmp
+            end
+        rescue Exception => e
+          return nil
+        end
+    end
+
+    def alive?( url )
+        begin
+            return connect( url ).alive?
+        rescue
+            return false
+        end
+    end
+
+    #
+    # Returns the paths of all saved report files as an array
+    #
+    # @return    [Array]
+    #
+    def all( *args )
+        Dispatcher.all( *args )
+    end
+
+    def delete_all
+        all.each {
+            |report|
+            delete( report.id )
+        }
+        all.destroy
+    end
+
+    def delete( id )
+        Dispatcher.get( id ).destroy
+    end
+
+end
+end
+end
+end