arachni 0.2.2.2 → 0.2.3

@@ -1,23 +1,34 @@
1
1
 
2
2
  <div id="page-intro">
3
- <h2>Dispatcher</h2>
4
- <p>The dispatcher is the central magement system.
5
- It spawns an XMLRPC server per scan and provides statistics for all running server instances.<br/>
3
+ <h2>Dispatchers</h2>
4
+ <p>The dispatchers spawn an XMLRPC server per scan and provide statistics for all running server instances.<br/>
6
5
  This interface allows you to "Attach" to (see the output of), pause, resume and shutdown instances.
7
6
  </p>
8
7
 
9
- <% if !stats['running_jobs'].empty? %>
10
- <form action="/dispatcher/shutdown" method="post">
11
- <%= csrf_tag %>
12
- <input type="submit" value="Shut all down" />
13
- </form>
14
- <% end %>
8
+ <form action="/dispatchers/edit" method="get">
9
+ <input type="submit" value="Edit dispatchers" />
10
+ </form>
11
+
15
12
 
16
13
 
17
14
  </div>
18
15
  <%= erb :flash, {:layout => false} %>
19
16
 
20
- <% if !stats['running_jobs'].empty? %>
17
+ <% stats.each_pair do |d_url, dispatcher_stats| %>
18
+ <h2>
19
+ @<%=escape( d_url )%> - <%=dispatcher_stats['running_jobs'].size%> running scans,
20
+ <%=i=0;dispatcher_stats['running_jobs'].each{ |job| i+= proc_mem( job['proc']['rss'] ).to_i }; i.to_s%>MB RAM usage.
21
+ </h2>
22
+
23
+ <%if !dispatcher_stats['running_jobs'].empty? %>
24
+ <form action="/dispatchers/<%=sanitize_url( d_url.dup )%>/shutdown" method="post">
25
+ <%= csrf_tag %>
26
+ <input type="submit" value="Shutdown all" />
27
+ </form>
28
+ <%end%>
29
+
30
+
31
+ <% if !dispatcher_stats['running_jobs'].empty? %>
21
32
  <table>
22
33
  <tr>
23
34
  <th>PID</th>
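Review bot: The shutdown form action at hunk line 24, `/dispatchers/<%=sanitize_url( d_url.dup )%>/shutdown`, places a stored dispatcher URL inside a double-quoted attribute via `sanitize_url`, whose definition is not in this diff, so whether its result is also attribute-safe cannot be confirmed here; the `.dup` further suggests the helper modifies its argument in place, which deserves a comment at the call site such as `<%# sanitize_url alters its argument, hence the dup; its result must stay attribute-safe %>`. The RAM total at hunk line 20, `<%=i=0;dispatcher_stats['running_jobs'].each{ |job| i+= proc_mem( job['proc']['rss'] ).to_i }; i.to_s%>`, is accumulator logic living in the template and is repeated verbatim in the scan-form hunk further down; a helper in the app's helpers block, `def mem_usage( stats ) stats['running_jobs'].inject( 0 ) { |sum, job| sum + proc_mem( job['proc']['rss'] ).to_i } end`, would reduce both places to `<%=mem_usage( dispatcher_stats )%>MB RAM usage.`. The `stats.each_pair` loop opened at hunk line 17 is closed outside this hunk.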
@@ -30,7 +41,7 @@
30
41
  <th>Memory consumption</th>
31
42
  <th>Action</th>
32
43
  </tr>
33
- <% stats['running_jobs'].each do |job| %>
44
+ <% dispatcher_stats['running_jobs'].each do |job| %>
34
45
  <tr>
35
46
 
36
47
 
@@ -47,24 +58,24 @@
47
58
  <td><%=job['starttime'].to_time%></td>
48
59
  <td><%=job['currtime'].to_time%></td>
49
60
  <td><%=secs_to_hms( job['runtime'] )%></td>
50
- <td><%=proc_mem( job['proc']['rss'] )%></td>
61
+ <td><%=proc_mem( job['proc']['rss'] )%> MB</td>
51
62
 
52
63
  <td>
53
64
  <% if !( job['owner'] =~/WebUI helper/ ) %>
54
65
 
55
- <form action="/instance/<%=job['port']%>" method="get" target="_blank">
66
+ <form action="/instance/<%=port_to_url( job['port'], d_url, true )%>" method="get" target="_blank">
56
67
  <input type="submit" value="Attach" />
57
68
  </form>
58
69
 
59
70
  <%if !job['paused'] %>
60
- <form action="/dispatcher/<%=job['port']%>/pause" method="post">
71
+ <form action="/dispatchers/<%=port_to_url( job['port'], d_url, true )%>/pause" method="post">
61
72
  <%= csrf_tag %>
62
73
  <input type="submit" value="Pause" />
63
74
  </form>
64
75
  <%end%>
65
76
 
66
77
  <%if job['paused'] %>
67
- <form action="/dispatcher/<%=job['port']%>/resume" method="post">
78
+ <form action="/dispatchers/<%=port_to_url( job['port'], d_url, true )%>/resume" method="post">
68
79
  <%= csrf_tag %>
69
80
  <input type="submit" value="Resume" />
70
81
  </form>
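Review bot: The bare `true` in `port_to_url( job['port'], d_url, true )`, used for the Attach, Pause and Resume actions here and for the Shutdown action in the next hunk, gives a reader no hint of what the flag selects; as the helper is defined outside this file, the least intrusive fix is a named local at the first call, e.g. `<% instance_path = port_to_url( job['port'], d_url, true ) # TODO(review): name what the third argument toggles %>`, reused in the four form actions. Reusing one value also avoids computing the same path four times per job. The `running_jobs.each` loop these forms sit in starts in the previous hunk and closes beyond this one.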
@@ -72,7 +83,7 @@
72
83
 
73
84
  <% end %>
74
85
 
75
- <form action="/dispatcher/<%=job['port']%>/shutdown" method="post" <% if !( job['owner'] =~/WebUI helper/ ) %> target="_blank" <%end%> >
86
+ <form action="/dispatchers/<%=port_to_url( job['port'], d_url, true )%>/shutdown" method="post">
76
87
  <%= csrf_tag %>
77
88
  <input type="submit" value="Shutdown" />
78
89
  </form>
@@ -83,3 +94,7 @@
83
94
  <% else %>
84
95
  <span class="notice"> There are no running scans at the moment.</span>
85
96
  <% end %>
97
+
98
+ <br/><br/>
99
+
100
+ <% end %>
@@ -0,0 +1,42 @@
1
+
2
+
3
+ <div id="page-intro">
4
+ <h2>Edit Dispatchers</h2>
5
+ <p>
6
+ This screen allows you to add and remove Dispatchers.
7
+ </p>
8
+ </div>
9
+
10
+ <%= erb :flash, {:layout => false} %>
11
+
12
+ <% if !dispatchers.all.empty? %>
13
+ <table>
14
+ <tr>
15
+ <th>Location</th>
16
+ <th>Alive?</th>
17
+ <th>Action</th>
18
+ </tr>
19
+ <% dispatchers.all.each do |dispatcher| %>
20
+ <tr>
21
+ <td><%=dispatcher['url']%></td>
22
+ <td><%=dispatchers.alive?( dispatcher['url'] ).to_s.capitalize%></td>
23
+ <td>
24
+ <form action="/dispatchers/<%=dispatcher['id']%>/delete" method="post">
25
+ <%= csrf_tag %>
26
+ <input type="submit" value="Delete" />
27
+ </form>
28
+ </td>
29
+ </tr>
30
+ <%end%>
31
+ </table>
32
+ <%else%>
33
+ <span class="notice"> There are no available Dispatchers at the moment. Add one if you want to start a scan.</span>
34
+ <br/><br/>
35
+ <%end%>
36
+
37
+ <form action="/dispatchers/add" method="post">
38
+ <%= csrf_tag %>
39
+ <label>URL:</label>
40
+ <input name="url" value="https://localhost:7331" />
41
+ <input type="submit" value="Add" />
42
+ </form>
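Review bot: `<td><%=dispatcher['url']%></td>` at hunk line 21 writes the stored dispatcher URL into the page with no escaping, while the dispatchers overview runs the same value through `escape`; since the URL is user-entered on the Add form below, it should be escaped for HTML here, e.g. `<td><%= Rack::Utils.escape_html( dispatcher['url'] ) %></td>`, and the same applies to `dispatcher['id']` in the delete form action at hunk line 24. `dispatchers.alive?( dispatcher['url'] )` at hunk line 22 presumably contacts each dispatcher while the page renders — confirm; if so, an unreachable dispatcher stalls the whole table, and a note such as `<%# alive? probes the dispatcher synchronously; consider a timeout or cached status %>` would flag it. The `<% if ... %>`, `<%else%>` and `<%end%>` tags also mix spacing styles within one file.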
@@ -2,10 +2,21 @@
2
2
  <form action="/scan" method="post">
3
3
 
4
4
  <%= csrf_tag %>
5
+
5
6
  <input type="submit" value="Launch Scan" />
6
7
 
7
8
  <div id="page-intro">
8
- <p> No need to configure anything, all you need to do is insert a URL and hit "Launch Scan"; Arachni will take care of the rest.</p>
9
+ Select a Dispatcher:
10
+ <select name="dispatcher">
11
+ <% dispatcher_stats.each_pair do |d_url, stats| %>
12
+ <% next if !dispatchers.alive?( d_url ) %>
13
+ <option value="<%=d_url%>">
14
+ @<%=escape( d_url )%> - <%=stats['running_jobs'].size%> running scans,
15
+ <%=i=0;stats['running_jobs'].each{ |job| i+= proc_mem( job['proc']['rss'] ).to_i }; i.to_s%>MB RAM usage.
16
+ </option>
17
+ <%end%>
18
+ </select>
19
+
9
20
  <h2>URL: <input name="url" value="<%=session['opts']['settings']['url']%>" size="50" /></h2>
10
21
  </div>
11
22
 
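Review bot: `<option value="<%=d_url%>">` at hunk line 13 emits the dispatcher URL unescaped inside a quoted attribute, while the visible label on the next line goes through `escape`; a `"` in a stored URL would end the attribute, so use an HTML escape that preserves the submitted value, `<option value="<%= Rack::Utils.escape_html( d_url ) %>">`. `<% next if !dispatchers.alive?( d_url ) %>` reads more naturally as `<% next unless dispatchers.alive?( d_url ) %>`, and like the edit page it appears to probe every dispatcher during render — confirm. The `<form action="/scan">` opened at the top of this hunk closes outside it.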
@@ -1,6 +1,6 @@
1
1
 
2
2
  <div id="page-intro">
3
- <h2 id="page_header">Attached to instance on port <%=params['port']%></h2>
3
+ <h2 id="page_header">Attached to instance @<%=sanitize_url( params['url'] )%></h2>
4
4
  <p id="page_description">
5
5
  This page allows you to see what's going on at the other end of the wire (i.e. get status messages directly from the remote scanner).
6
6
  <br/>
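Review bot: `params['url']` is request-controlled and is now rendered into the `<h2>` through `sanitize_url` alone, whose body is not part of this diff; the previous code used `params['port']`, which the JavaScript further down pinned with `.to_i`, so the template now depends entirely on that helper for output safety. Unless `sanitize_url` is known to HTML-escape, wrap its result, `<h2 id="page_header">Attached to instance @<%= Rack::Utils.escape_html( sanitize_url( params['url'] ) ) %></h2>`; the pause, resume and shutdown form actions in the next hunk use the same expression inside attributes and need the same treatment.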
@@ -11,20 +11,20 @@
11
11
  <%if !shutdown %>
12
12
 
13
13
  <%if !paused %>
14
- <form action="/instance/<%=params['port']%>/pause" method="post">
14
+ <form action="/instance/<%=sanitize_url( params['url'] )%>/pause" method="post">
15
15
  <%= csrf_tag %>
16
16
  <input type="submit" value="Pause" />
17
17
  </form>
18
18
  <%end%>
19
19
 
20
20
  <%if paused %>
21
- <form action="/instance/<%=params['port']%>/resume" method="post">
21
+ <form action="/instance/<%=sanitize_url( params['url'] )%>/resume" method="post">
22
22
  <%= csrf_tag %>
23
23
  <input type="submit" value="Resume" />
24
24
  </form>
25
25
  <%end%>
26
26
 
27
- <form action="/instance/<%=params['port']%>/shutdown" method="post" target="_blank">
27
+ <form action="/instance/<%=sanitize_url( params['url'] )%>/shutdown" method="post">
28
28
  <%= csrf_tag %>
29
29
  <input type="submit" value="Shutdown" />
30
30
  </form>
@@ -130,7 +130,7 @@
130
130
  }
131
131
 
132
132
  function updateProgressBar(){
133
- var stats_url = "/instance/<%= params['port'].to_i.to_s %>/stats.json";
133
+ var stats_url = "/instance/<%= escape( params['url'].to_s ) %>/stats.json";
134
134
  $.getJSON( stats_url, function(data) {
135
135
  if( data.stats == undefined ){ return }
136
136
  setStats( data.stats );
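Review bot: `var stats_url = "/instance/<%= escape( params['url'].to_s ) %>/stats.json";` drops the `.to_i.to_s` that previously guaranteed a numeric token inside this JavaScript string literal; the new value stays inside the quotes only because `escape` percent-encodes `"`, `\` and line breaks, and that reliance is not stated anywhere. A comment above the line, `<%# escape must percent-encode quotes and backslashes: the value sits inside a JS string literal %>`, or building the literal with a JSON encoder, would make the contract explicit; the same pattern appears in the updateOutput and updateResults hunks below. `updateProgressBar` begins in this hunk and continues past it.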
@@ -142,7 +142,7 @@
142
142
  function updateOutput() {
143
143
  if( !document.getElementById( 'output' ) ) return;
144
144
 
145
- var output_url = "/instance/<%= params['port'].to_i.to_s %>/output.json";
145
+ var output_url = "/instance/<%= escape( params['url'].to_s ) %>/output.json";
146
146
  $.getJSON( output_url, function(data) {
147
147
 
148
148
  if( data.status == 'finished' ){
@@ -163,7 +163,7 @@
163
163
  function updateResults() {
164
164
  if( !document.getElementById( 'output_results' ) ) return;
165
165
 
166
- var output_results_url = "/instance/<%= params['port'].to_i.to_s %>/output_results.json";
166
+ var output_results_url = "/instance/<%= escape( params['url'].to_s ) %>/output_results.json";
167
167
  $.getJSON( output_results_url, function(data) {
168
168
  document.getElementById( 'output_results' ).innerHTML = data.data;
169
169
  });
@@ -1,7 +1,7 @@
1
1
  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
2
2
  <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
3
3
  <head>
4
- <title>Arachni - Web Application Security Scanner Framework</title>
4
+ <title><%=title%></title>
5
5
  <link rel="shortcut icon" href="/favicon.ico" />
6
6
 
7
7
  <link type="text/css" href="/css/smoothness/jquery-ui-1.8.9.custom.css" rel="Stylesheet" />
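Review bot: `<title><%=title%></title>` outputs the `title` helper without escaping, and nothing in this diff shows what `title` is built from. If it is a fixed string per page that is fine; if it ever incorporates a scan target or dispatcher URL, it should go through an HTML escape such as `<title><%= Rack::Utils.escape_html( title ) %></title>`.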
@@ -37,7 +37,7 @@
37
37
  <li <% if selected_tab?( 'plugins' )%>class="selected" <%end%>><a href="/plugins">Plugins</a></li>
38
38
  <li <% if selected_tab?( 'settings' )%>class="selected" <%end%>><a href="/settings">Settings</a></li>
39
39
  <li <% if selected_tab?( 'reports' )%>class="selected" <%end%>><a href="/reports">Reports [<%=report_count%>]</a></li>
40
- <li <% if selected_tab?( 'dispatcher' )%>class="selected" <%end%>><a href="/dispatcher">Dispatcher</a></li>
40
+ <li <% if selected_tab?( 'dispatchers' )%>class="selected" <%end%>><a href="/dispatchers">Dispatchers</a></li>
41
41
  <li <% if selected_tab?( 'log' )%>class="selected" <%end%>><a href="/log">Log</a></li>
42
42
  </ul>
43
43
  </div>
@@ -6,8 +6,7 @@
6
6
 
7
7
  <h2>General</h2>
8
8
  <p>
9
- This is the first version of this UI, scratch that, it's not even a real version..hence the "pre".<br/>
10
- In the software world this means that the WebUI may empty your fridge, drink all your coffee, eat your puppy, slash your tires and/or burn down your house.<br/>
9
+ The WebUI may empty your fridge, drink all your coffee, eat your puppy, slash your tires and/or burn down your house.<br/>
11
10
  Nevertheless, I'd appreciate it if you gave it a shot and <a href="https://github.com/Zapotek/arachni/issues">let me know</a> if you find anything wrong with it.
12
11
  </p>
13
12
 
@@ -18,6 +17,7 @@
18
17
  <li>make working with Arachni easier</li>
19
18
  <li>make report management easier</li>
20
19
  <li>run and manage multiple scans at the same time <em>(each scan will try its best for maximum bandwidth utilization so it'll be like lions fighting in a cage -- make sure you have sufficient resources)</em></li>
20
+ <li>work with and manage multiple Dispatchers</li>
21
21
  </ul>
22
22
  </p>
23
23
 
@@ -25,9 +25,8 @@
25
25
  <p>
26
26
  It isn't:
27
27
  <ul>
28
- <li>stable</li>
28
+ <li>too stable</li>
29
29
  <li>a way to make Arachni's goodies available to multiple users <em>(you could but it wouldn't be safe)</em></li>
30
- <li>a way to work with and manage multiple Dispatchers <em>(you can clear your session cookies to force the WebUI to ask you for a new Dispatcher to connect to but there are no guarantees)</em></li>
31
30
  </ul>
32
31
  </p>
33
32