RubyGems - arachni - Versions diffs - 0.2.2.2 → 0.2.3 - Mend

arachni 0.2.2.2 → 0.2.3

Files changed (29) hide show

data/CHANGELOG.md +18 -1
data/README.md +50 -139
data/bin/arachni_web +1 -0
data/data/crypto/public.pem +9 -0
data/getoptslong.rb +1 -0
data/lib/arachni.rb +1 -1
data/lib/crypto/rsa_aes_cbc.rb +98 -0
data/lib/rpc/xml/client/base.rb +8 -3
data/lib/rpc/xml/client/instance.rb +3 -3
data/lib/rpc/xml/server/base.rb +27 -5
data/lib/rpc/xml/server/dispatcher.rb +14 -6
data/lib/rpc/xml/server/instance.rb +3 -3
data/lib/ui/web/dispatcher_manager.rb +98 -0
data/lib/ui/web/server/views/{dispatcher.erb → dispatchers.erb} +31 -16
data/lib/ui/web/server/views/dispatchers_edit.erb +42 -0
data/lib/ui/web/server/views/home.erb +12 -1
data/lib/ui/web/server/views/instance.erb +7 -7
data/lib/ui/web/server/views/layout.erb +2 -2
data/lib/ui/web/server/views/welcome.erb +3 -4
data/lib/ui/web/server.rb +194 -105
data/lib/ui/xmlrpc/dispatcher_monitor.rb +1 -5
data/lib/ui/xmlrpc/xmlrpc.rb +2 -6
data/modules/audit/path_traversal.rb +13 -6
data/reports/html/default.erb +82 -27
data/reports/html.rb +32 -1
data/reports/metareport.rb +1 -0
data/reports/plugin_formatters/stdout/metaformatters/timeout_notice.rb +2 -0
metadata +7 -4
data/lib/ui/web/server/public/reports/demo.testfire.net:Sun Mar 20 02:48:10 2011.afr +0 -104829

data/lib/ui/web/server/views/{dispatcher.erb → dispatchers.erb} RENAMED Viewed

@@ -1,23 +1,34 @@
         <div id="page-intro">
-            <h2>Dispatcher</h2>
-            <p>The dispatcher is the central magement system.
-                It spawns an XMLRPC server per scan and provides statistics for all running server instances.<br/>
+            <h2>Dispatchers</h2>
+            <p>The dispatchers spawn an XMLRPC server per scan and provide statistics for all running server instances.<br/>
                 This interface allows you to "Attach" to (see the output of), pause, resume and shutdown instances.
             </p>
-            <% if !stats['running_jobs'].empty? %>
-                <form action="/dispatcher/shutdown" method="post">
-                    <%= csrf_tag %>
-                    <input type="submit" value="Shut all down" />
-                </form>
-            <% end %>
+            <form action="/dispatchers/edit" method="get">
+                <input type="submit" value="Edit dispatchers" />
+            </form>
         </div>
         <%= erb :flash, {:layout => false} %>
-        <% if !stats['running_jobs'].empty? %>
+        <% stats.each_pair do |d_url, dispatcher_stats| %>
+        <h2>
+            @<%=escape( d_url )%> - <%=dispatcher_stats['running_jobs'].size%> running scans,
+             <%=i=0;dispatcher_stats['running_jobs'].each{ |job| i+= proc_mem( job['proc']['rss'] ).to_i }; i.to_s%>MB RAM usage.
+        </h2>
+        <%if !dispatcher_stats['running_jobs'].empty? %>
+        <form action="/dispatchers/<%=sanitize_url( d_url.dup )%>/shutdown" method="post">
+            <%= csrf_tag %>
+            <input type="submit" value="Shutdown all" />
+        </form>
+        <%end%>
+        <% if !dispatcher_stats['running_jobs'].empty? %>
         <table>
             <tr>
                 <th>PID</th>
@@ -30,7 +41,7 @@
                 <th>Memory consumption</th>
                 <th>Action</th>
             </tr>
-        <% stats['running_jobs'].each do |job| %>
+        <% dispatcher_stats['running_jobs'].each do |job| %>
             <tr>
@@ -47,24 +58,24 @@
                 <td><%=job['starttime'].to_time%></td>
                 <td><%=job['currtime'].to_time%></td>
                 <td><%=secs_to_hms( job['runtime'] )%></td>
-                <td><%=proc_mem( job['proc']['rss'] )%></td>
+                <td><%=proc_mem( job['proc']['rss'] )%> MB</td>
                 <td>
                     <% if !( job['owner'] =~/WebUI helper/ ) %>
-                    <form action="/instance/<%=job['port']%>" method="get" target="_blank">
+                    <form action="/instance/<%=port_to_url( job['port'], d_url, true )%>" method="get" target="_blank">
                         <input type="submit" value="Attach" />
                     </form>
                     <%if !job['paused'] %>
-                    <form action="/dispatcher/<%=job['port']%>/pause" method="post">
+                    <form action="/dispatchers/<%=port_to_url( job['port'], d_url, true )%>/pause" method="post">
                         <%= csrf_tag %>
                         <input type="submit" value="Pause" />
                     </form>
                     <%end%>
                     <%if job['paused'] %>
-                    <form action="/dispatcher/<%=job['port']%>/resume" method="post">
+                    <form action="/dispatchers/<%=port_to_url( job['port'], d_url, true )%>/resume" method="post">
                         <%= csrf_tag %>
                         <input type="submit" value="Resume" />
                     </form>
@@ -72,7 +83,7 @@
                     <% end %>
-                    <form action="/dispatcher/<%=job['port']%>/shutdown" method="post" <% if !( job['owner'] =~/WebUI helper/ ) %> target="_blank" <%end%> >
+                    <form action="/dispatchers/<%=port_to_url( job['port'], d_url, true )%>/shutdown" method="post">
                         <%= csrf_tag %>
                         <input type="submit" value="Shutdown" />
                     </form>
@@ -83,3 +94,7 @@
         <% else %>
         <span class="notice"> There are no running scans at the moment.</span>
         <% end %>
+        <br/><br/>
+        <% end %>

data/lib/ui/web/server/views/dispatchers_edit.erb ADDED Viewed

@@ -0,0 +1,42 @@
+        <div id="page-intro">
+            <h2>Edit Dispatchers</h2>
+            <p>
+                This screen allows you to add and remove Dispatchers.
+            </p>
+        </div>
+        <%= erb :flash, {:layout => false} %>
+        <% if !dispatchers.all.empty? %>
+        <table>
+            <tr>
+                <th>Location</th>
+                <th>Alive?</th>
+                <th>Action</th>
+            </tr>
+            <% dispatchers.all.each do |dispatcher| %>
+            <tr>
+                <td><%=dispatcher['url']%></td>
+                <td><%=dispatchers.alive?( dispatcher['url'] ).to_s.capitalize%></td>
+                <td>
+                    <form action="/dispatchers/<%=dispatcher['id']%>/delete" method="post">
+                        <%= csrf_tag %>
+                        <input type="submit" value="Delete" />
+                    </form>
+                </td>
+            </tr>
+            <%end%>
+        </table>
+        <%else%>
+        <span class="notice"> There are no available Dispatchers at the moment. Add one if you want to start a scan.</span>
+        <br/><br/>
+        <%end%>
+        <form action="/dispatchers/add" method="post">
+            <%= csrf_tag %>
+            <label>URL:</label>
+            <input name="url" value="https://localhost:7331" />
+            <input type="submit" value="Add" />
+        </form>

data/lib/ui/web/server/views/home.erb CHANGED Viewed

@@ -2,10 +2,21 @@
         <form action="/scan" method="post">
             <%= csrf_tag %>
             <input type="submit" value="Launch Scan" />
             <div id="page-intro">
-                <p> No need to configure anything, all you need to do is insert a URL and hit "Launch Scan"; Arachni will take care of the rest.</p>
+                Select a Dispatcher:
+                <select name="dispatcher">
+                <% dispatcher_stats.each_pair do |d_url, stats| %>
+                    <% next if !dispatchers.alive?( d_url ) %>
+                    <option value="<%=d_url%>">
+                        @<%=escape( d_url )%> - <%=stats['running_jobs'].size%> running scans,
+                         <%=i=0;stats['running_jobs'].each{ |job| i+= proc_mem( job['proc']['rss'] ).to_i }; i.to_s%>MB RAM usage.
+                    </option>
+                <%end%>
+                </select>
                 <h2>URL: <input name="url" value="<%=session['opts']['settings']['url']%>" size="50" /></h2>
             </div>

data/lib/ui/web/server/views/instance.erb CHANGED Viewed

@@ -1,6 +1,6 @@
         <div id="page-intro">
-            <h2 id="page_header">Attached to instance on port <%=params['port']%></h2>
+            <h2 id="page_header">Attached to instance @<%=sanitize_url( params['url'] )%></h2>
             <p id="page_description">
                 This page allows you to see what's going on at the other end of the wire (i.e. get status messages directly from the remote scanner).
                 <br/>
@@ -11,20 +11,20 @@
                 <%if !shutdown %>
                 <%if !paused %>
-                    <form action="/instance/<%=params['port']%>/pause" method="post">
+                    <form action="/instance/<%=sanitize_url( params['url'] )%>/pause" method="post">
                         <%= csrf_tag %>
                         <input type="submit" value="Pause" />
                     </form>
                 <%end%>
                 <%if paused %>
-                <form action="/instance/<%=params['port']%>/resume" method="post">
+                <form action="/instance/<%=sanitize_url( params['url'] )%>/resume" method="post">
                     <%= csrf_tag %>
                     <input type="submit" value="Resume" />
                 </form>
                 <%end%>
-                <form action="/instance/<%=params['port']%>/shutdown" method="post" target="_blank">
+                <form action="/instance/<%=sanitize_url( params['url'] )%>/shutdown" method="post">
                     <%= csrf_tag %>
                     <input type="submit" value="Shutdown" />
                 </form>
@@ -130,7 +130,7 @@
                 }
                 function updateProgressBar(){
-                    var stats_url = "/instance/<%= params['port'].to_i.to_s %>/stats.json";
+                    var stats_url = "/instance/<%= escape( params['url'].to_s ) %>/stats.json";
                     $.getJSON( stats_url, function(data) {
                         if( data.stats == undefined ){ return }
                         setStats( data.stats );
@@ -142,7 +142,7 @@
                 function updateOutput() {
                     if( !document.getElementById( 'output' ) ) return;
-                    var output_url = "/instance/<%= params['port'].to_i.to_s %>/output.json";
+                    var output_url = "/instance/<%= escape( params['url'].to_s ) %>/output.json";
                     $.getJSON( output_url, function(data) {
                         if( data.status == 'finished' ){
@@ -163,7 +163,7 @@
                 function updateResults() {
                     if( !document.getElementById( 'output_results' ) ) return;
-                    var output_results_url = "/instance/<%= params['port'].to_i.to_s %>/output_results.json";
+                    var output_results_url = "/instance/<%= escape( params['url'].to_s ) %>/output_results.json";
                     $.getJSON( output_results_url, function(data) {
                         document.getElementById( 'output_results' ).innerHTML = data.data;
                     });

data/lib/ui/web/server/views/layout.erb CHANGED Viewed

@@ -1,7 +1,7 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" dir="ltr">
   <head>
-    <title>Arachni - Web Application Security Scanner Framework</title>
+    <title><%=title%></title>
     <link rel="shortcut icon" href="/favicon.ico" />
     <link type="text/css" href="/css/smoothness/jquery-ui-1.8.9.custom.css" rel="Stylesheet" />
@@ -37,7 +37,7 @@
                     <li <% if selected_tab?( 'plugins' )%>class="selected" <%end%>><a href="/plugins">Plugins</a></li>
                     <li <% if selected_tab?( 'settings' )%>class="selected" <%end%>><a href="/settings">Settings</a></li>
                     <li <% if selected_tab?( 'reports' )%>class="selected" <%end%>><a href="/reports">Reports [<%=report_count%>]</a></li>
-                    <li <% if selected_tab?( 'dispatcher' )%>class="selected" <%end%>><a href="/dispatcher">Dispatcher</a></li>
+                    <li <% if selected_tab?( 'dispatchers' )%>class="selected" <%end%>><a href="/dispatchers">Dispatchers</a></li>
                     <li <% if selected_tab?( 'log' )%>class="selected" <%end%>><a href="/log">Log</a></li>
                 </ul>
             </div>

data/lib/ui/web/server/views/welcome.erb CHANGED Viewed

@@ -6,8 +6,7 @@
             <h2>General</h2>
             <p>
-                This is the first version of this UI, scratch that, it's not even a real version..hence the "pre".<br/>
-                In the software world this means that the WebUI may empty your fridge, drink all your coffee, eat your puppy, slash your tires and/or burn down your house.<br/>
+                The WebUI may empty your fridge, drink all your coffee, eat your puppy, slash your tires and/or burn down your house.<br/>
                 Nevertheless, I'd appreciate it if you gave it a shot and <a href="https://github.com/Zapotek/arachni/issues">let me know</a> if you find anything wrong with it.
             </p>
@@ -18,6 +17,7 @@
                     <li>make working with Arachni easier</li>
                     <li>make report management easier</li>
                     <li>run and manage multiple scans at the same time <em>(each scan will try its best for maximum bandwidth utilization so it'll be like lions fighting in a cage -- make sure you have sufficient resources)</em></li>
+                    <li>work with and manage multiple Dispatchers</li>
                 </ul>
             </p>
@@ -25,9 +25,8 @@
             <p>
                 It isn't:
                 <ul>
-                    <li>stable</li>
+                    <li>too stable</li>
                     <li>a way to make Arachni's goodies available to multiple users <em>(you could but it wouldn't be safe)</em></li>
-                    <li>a way to work with and manage multiple Dispatchers <em>(you can clear your session cookies to force the WebUI to ask you for a new Dispatcher to connect to but there are no guarantees)</em></li>
                 </ul>
             </p>