arachni 0.2.2.2 → 0.2.3

@@ -22,6 +22,9 @@
22
22
  <script type="text/javascript">
23
23
  //<![CDATA[
24
24
 
25
+ var configuration = <%=js_multiline( conf )%>
26
+ var email_address;
27
+
25
28
  if( typeof jQuery == 'undefined' ) {
26
29
  alert( "Could not load the necessary JavaScript libraries -- the presentation and functionality of the report will be crippled.\n" +
27
30
  "Make sure that your internet connection is working and try refreshing the page." );
@@ -31,6 +34,46 @@
31
34
  return document.getElementById(id)
32
35
  }
33
36
 
37
+ function report_fp( i ) {
38
+
39
+ if( !email_address ) {
40
+ email_address = prompt( "Please enter your e-mail address:", "")
41
+ }
42
+
43
+ if( !email_address )
44
+ return false;
45
+
46
+ // get some values from elements on the page:
47
+ var $form = $( "#false_positive_" + i ),
48
+ issue = $form.find( 'input[name="issue"]' ).val(),
49
+ module = $form.find( 'input[name="module"]' ).val(),
50
+ url = $form.find( 'input[name="url"]' ).val();
51
+
52
+ // Send the data using post and put the results in a div
53
+ $.post( "<%=REPORT_FP_URL%>",
54
+ { email_address: email_address, url: url, module: module, issue: issue, configuration: configuration } ,
55
+ function( ) {
56
+ $( "#fp_report_msg" ).html( "Done!" )
57
+ }
58
+ );
59
+
60
+ $(function() {
61
+ var fp_txt = '<p>Please wait while the data is being transferred...</p>';
62
+ $( "#fp_report_msg" ).html( fp_txt );
63
+
64
+ $( "#fp_report_msg" ).dialog({
65
+ modal: true,
66
+ buttons: {
67
+ Ok: function() {
68
+ $( this ).dialog( "close" );
69
+ $( "#fp_report_msg" ).html( fp_txt );
70
+ }
71
+ }
72
+ });
73
+ });
74
+
75
+ }
76
+
34
77
  function toggleElem( id ){
35
78
 
36
79
  if( getElem(id).style.display == 'none' ||
@@ -568,10 +611,12 @@
568
611
 
569
612
  <body>
570
613
 
614
+ <div id="fp_report_msg" class="hidden" title="Reporting a false positive."></div>
615
+
571
616
  <div id="contentreport">
572
617
  <header>
573
- <h1>Report for <%=CGI.escapeHTML(@audit_store.options['url'])%> (Generated on <strong><%=Time.now%></strong>)</h1>
574
- <span style="float: right">Found a false positive? <a href="<%=CGI.escapeHTML(REPORT_FP)%>">Report it here</a>.</span>
618
+ <h1>Report for <%=escapeHTML(@audit_store.options['url'])%> (Generated on <strong><%=Time.now%></strong>)</h1>
619
+ <span style="float: right">Found a false positive? <a href="<%=escapeHTML(REPORT_FP)%>">Report it here</a>.</span>
575
620
  </header>
576
621
 
577
622
  <nav>
@@ -646,7 +691,7 @@
646
691
  <h3>Runtime options</h3>
647
692
 
648
693
  <strong>URL:</strong> <%=@audit_store.options['url']%><br />
649
- <strong>User agent:</strong> <%=::CGI.escapeHTML( @audit_store.options['user_agent'] )%><br />
694
+ <strong>User agent:</strong> <%=escapeHTML( @audit_store.options['user_agent'] )%><br />
650
695
 
651
696
  <p>&nbsp;</p>
652
697
 
@@ -696,7 +741,7 @@
696
741
  <% if !@audit_store.options['exclude'].empty?%>
697
742
  <% @audit_store.options['exclude'].each do |rule|%>
698
743
 
699
- <li><%=CGI.escapeHTML( rule )%></li>
744
+ <li><%=escapeHTML( rule )%></li>
700
745
 
701
746
  <%end%>
702
747
  <% else %>
@@ -711,7 +756,7 @@
711
756
  <% if !@audit_store.options['include'].empty?%>
712
757
  <% @audit_store.options['include'].each do |rule|%>
713
758
 
714
- <li><%=CGI.escapeHTML( rule )%></li>
759
+ <li><%=escapeHTML( rule )%></li>
715
760
 
716
761
  <%end%>
717
762
  <% else %>
@@ -726,7 +771,7 @@
726
771
  <% if !@audit_store.options['redundant'].empty?%>
727
772
  <% @audit_store.options['redundant'].each do |rule|%>
728
773
 
729
- <li><%=CGI.escapeHTML( rule['regexp'] )%> - Count: <%=rule['count']%></li>
774
+ <li><%=escapeHTML( rule['regexp'] )%> - Count: <%=rule['count']%></li>
730
775
 
731
776
  <%end%>
732
777
  <% else %>
@@ -742,7 +787,7 @@
742
787
  <ul>
743
788
  <% if @audit_store.options['cookies'] && !@audit_store.options['cookies'].empty?%>
744
789
  <% @audit_store.options['cookies'].each_pair do |name, val|%>
745
- <li><%=CGI.escapeHTML( name )%> = <%=CGI.escapeHTML( val )%></li>
790
+ <li><%=escapeHTML( name )%> = <%=escapeHTML( val )%></li>
746
791
  <%end%>
747
792
  <% else %>
748
793
  <li>N/A</li>
@@ -772,19 +817,29 @@
772
817
  <div class="issue">
773
818
 
774
819
  <h3 id="issue_<%=idx%>">
775
- <a href="#issue_<%=idx%>">[<%=idx%>] <%=CGI.escapeHTML(issue.name)%></a>
820
+ <a href="#issue_<%=idx%>">[<%=idx%>] <%=escapeHTML(issue.name)%></a>
776
821
  </h3>
777
822
 
823
+ <p>
824
+ <form name="false_positive_<%=j%>" id="false_positive_<%=i%>">
825
+ <input type="hidden" name="module" value="<%=escapeHTML(issue.internal_modname)%>" />
826
+ <input type="hidden" name="url" value="<%=escapeHTML(issue.url)%>" />
827
+ <input type="hidden" name="issue" value="<%=@crypto_issues[i]%>" />
828
+ <input onclick="javascript:report_fp( <%=i%> );" type="button" value="Report false positive" />
829
+ </form>
830
+ </p>
831
+
832
+
778
833
  <div class="left">
779
834
  <ul>
780
- <li><strong>Module name</strong>: <%=CGI.escapeHTML(issue.mod_name)%> <br/>
781
- (Internal module name: <strong><%=CGI.escapeHTML(issue.internal_modname)%></strong>)</li>
835
+ <li><strong>Module name</strong>: <%=escapeHTML(issue.mod_name)%> <br/>
836
+ (Internal module name: <strong><%=escapeHTML(issue.internal_modname)%></strong>)</li>
782
837
 
783
838
  <% if issue.var %>
784
- <li><strong>Affected variable</strong>: <%=CGI.escapeHTML(issue.var)%></li>
839
+ <li><strong>Affected variable</strong>: <%=escapeHTML(issue.var)%></li>
785
840
  <%end%>
786
841
 
787
- <li><strong>Affected URL</strong>: <a href="<%=CGI.escapeHTML(issue.url)%>"><%= CGI.escapeHTML(issue.url)%></a> </li>
842
+ <li><strong>Affected URL</strong>: <a href="<%=escapeHTML(issue.url)%>"><%=escapeHTML(issue.url)%></a> </li>
788
843
  <li><strong>HTML Element</strong>: <%=issue.elem%></li>
789
844
  <li><strong>Requires manual verification?</strong>: <%=issue.verification ? 'Yes' : 'No'%></li>
790
845
  <hr/>
@@ -805,7 +860,7 @@
805
860
  <% if issue.references && !issue.references.empty? %>
806
861
  <% issue.references.each_pair do |source, url| %>
807
862
 
808
- <li><%=CGI.escapeHTML(source)%> - <a target="_blank" href="<%=url%>"><%=url%></a></li>
863
+ <li><%=escapeHTML(source)%> - <a target="_blank" href="<%=url%>"><%=url%></a></li>
809
864
 
810
865
  <%end%>
811
866
  <%else%>
@@ -819,20 +874,20 @@
819
874
  <div class="right">
820
875
  <p>
821
876
  <h3>Description</h3>
822
- <blockquote><p><%=CGI.escapeHTML(issue.description)%></p></blockquote>
877
+ <blockquote><p><%=escapeHTML(issue.description)%></p></blockquote>
823
878
  </p>
824
879
 
825
880
  <% if issue.remedy_guidance && !issue.remedy_guidance.empty? %>
826
881
  <p>
827
882
  <h3>Remedial guidance</h3>
828
- <blockquote><p><%=CGI.escapeHTML(issue.remedy_guidance)%></p></blockquote>
883
+ <blockquote><p><%=escapeHTML(issue.remedy_guidance)%></p></blockquote>
829
884
  </p>
830
885
  <%end%>
831
886
 
832
887
  <% if issue.remedy_code && !issue.remedy_code.empty? %>
833
888
  <p>
834
889
  <h3>Remedial code</h3>
835
- <pre class="code notice"><%=CGI.escapeHTML(issue.remedy_code)%></pre>
890
+ <pre class="code notice"><%=escapeHTML(issue.remedy_code)%></pre>
836
891
  </p>
837
892
  <%end%>
838
893
 
@@ -851,13 +906,13 @@
851
906
  </h5>
852
907
 
853
908
  <strong>Affected URL</strong>:
854
- <p class="notice"><a href="<%=CGI.escapeHTML(variation['url'])%>"><%=CGI.escapeHTML(variation['url'])%></a></p>
909
+ <p class="notice"><a href="<%=escapeHTML(variation['url'])%>"><%=escapeHTML(variation['url'])%></a></p>
855
910
 
856
911
  <% if (variation['response'] && !variation['response'].empty?) && variation['regexp_match'] %>
857
912
 
858
913
  <div class="hidden" id="inspection-dialog_<%=var_idx%>_<%=idx%>" title="Relevant content is shown in red.">
859
- <% match = CGI.escapeHTML( variation['regexp_match'] )%>
860
- <pre> <%=CGI.escapeHTML( variation['response'] ).gsub( match, '<strong style="color: red">' + match + '</strong>' ) %> </pre>
914
+ <% match = escapeHTML( variation['regexp_match'] )%>
915
+ <pre> <%=escapeHTML( variation['response'] ).gsub( match, '<strong style="color: red">' + match + '</strong>' ) %> </pre>
861
916
  </div>
862
917
 
863
918
  <form style="display:inline" action="#">
@@ -871,7 +926,7 @@
871
926
  <form style="display:inline" action="<%=issue.url%>" target="_blank" method="<%=issue.method.downcase%>">
872
927
  <% if variation['opts'][:combo]%>
873
928
  <%variation['opts'][:combo].each_pair do |name, value|%>
874
- <input type="hidden" name="<%=CGI.escapeHTML(name)%>" value="<%=CGI.escapeHTML( value )%>" />
929
+ <input type="hidden" name="<%=escapeHTML(name)%>" value="<%=escapeHTML( value )%>" />
875
930
  <%end%>
876
931
  <%end%>
877
932
  <input type="submit" value="Replay" />
@@ -884,25 +939,25 @@
884
939
 
885
940
  <% if variation['injected'] %>
886
941
  <strong>Injected value</strong>:
887
- <pre> <%=CGI.escapeHTML(variation['injected'])%> </pre>
942
+ <pre> <%=escapeHTML(variation['injected'])%> </pre>
888
943
  <br/>
889
944
  <%end%>
890
945
 
891
946
  <% if variation['id'] %>
892
947
  <strong>ID</strong>:
893
- <pre><%=CGI.escapeHTML(variation['id'])%></pre>
948
+ <pre><%=escapeHTML(variation['id'])%></pre>
894
949
  <br/>
895
950
  <%end%>
896
951
 
897
952
  <% if variation['regexp'] %>
898
953
  <strong>Regular expression</strong>:
899
- <pre><%=CGI.escapeHTML(variation['regexp'])%></pre>
954
+ <pre><%=escapeHTML(variation['regexp'])%></pre>
900
955
  <br/>
901
956
  <%end%>
902
957
 
903
958
  <% if variation['regexp_match'] %>
904
959
  <strong>Matched by the regular expression</strong>:
905
- <pre><%=CGI.escapeHTML(variation['regexp_match'])%> </pre>
960
+ <pre><%=escapeHTML(variation['regexp_match'])%> </pre>
906
961
  <%end%>
907
962
 
908
963
  <br/>
@@ -918,12 +973,12 @@
918
973
  <tr>
919
974
  <td>
920
975
  <% if variation['headers']['request'].is_a?( Hash ) %>
921
- <pre class="notice"><% variation['headers']['request'].each_pair do |name, val| %><strong><%=name%></strong><%="\t" + CGI.escapeHTML(val) + "\n"%><%end%></pre>
976
+ <pre class="notice"><% variation['headers']['request'].each_pair do |name, val| %><strong><%=name%></strong><%="\t" + escapeHTML(val) + "\n"%><%end%></pre>
922
977
  <%end%>
923
978
  </td>
924
979
  <td>
925
980
  <% if variation['headers']['response'].is_a?( Hash ) %>
926
- <pre class="notice"><% variation['headers']['response'].each_pair do |name, val| %><strong><%=name%></strong><%="\t" + CGI.escapeHTML(val) + "\n"%><%end%></pre>
981
+ <pre class="notice"><% variation['headers']['response'].each_pair do |name, val| %><strong><%=name%></strong><%="\t" + escapeHTML(val) + "\n"%><%end%></pre>
927
982
  <%end%>
928
983
  </td>
929
984
  </tr>
@@ -960,7 +1015,7 @@
960
1015
  <p> &nbsp; </p>
961
1016
  <h3><%=@audit_store.sitemap.size%> pages</h3>
962
1017
  <% @audit_store.sitemap.each do |url| %>
963
- <a href="<%=CGI.escapeHTML(url)%>"><%=CGI.escapeHTML(url)%></a><br/>
1018
+ <a href="<%=escapeHTML(url)%>"><%=escapeHTML(url)%></a><br/>
964
1019
  <%end%>
965
1020
 
966
1021
  </section>
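--- a/data/reports/html.rb
+++ b/data/reports/html.rb
@@ -14,6 +14,8 @@ require 'cgi'
 
  module Arachni
 
+ require Options.instance.dir['lib'] + 'crypto/rsa_aes_cbc'
+
  module Reports
 
  #
@@ -22,10 +24,12 @@ module Reports
  # @author: Tasos "Zapotek" Laskos
  # <tasos.laskos@gmail.com>
  # <zapotek@segfault.gr>
- # @version: 0.2
+ # @version: 0.2.1
  #
  class HTML < Arachni::Report::Base
 
+ REPORT_FP_URL = "https://arachni.segfault.gr/false_positive"
+
  #
  # @param [AuditStore] audit_store
  # @param [Hash] options options passed to the report
@@ -33,6 +37,8 @@ class HTML < Arachni::Report::Base
  def initialize( audit_store, options )
  @audit_store = audit_store
  @options = options
+
+ @crypto = RSA_AES_CBC.new( Options.instance.dir['data'] + 'crypto/public.pem' )
  end
 
  #
@@ -49,6 +55,12 @@ class HTML < Arachni::Report::Base
 
  @plugins = format_plugin_results( @audit_store.plugins )
 
+ conf = {}
+ conf['options'] = @audit_store.options
+ conf['version'] = @audit_store.version
+ conf['revision'] = @audit_store.revision
+ conf = @crypto.encrypt( conf.to_yaml )
+
  __save( @options['outfile'], report.result( binding ) )
 
  print_status( 'Saved in \'' + @options['outfile'] + '\'.' )
@@ -71,6 +83,21 @@ class HTML < Arachni::Report::Base
 
  private
 
+ def js_multiline( str )
+ "\"" + str.gsub( "\n", '\n' ) + "\"";
+ end
+
+ def escapeHTML( str )
+ # carefully escapes HTML and converts to UTF-8
+ # while removing invalid character sequences
+ begin
+ return CGI.escapeHTML( str )
+ rescue
+ ic = Iconv.new( 'UTF-8//IGNORE', 'UTF-8' )
+ return CGI.escapeHTML( ic.iconv( str + ' ' )[0..-2] )
+ end
+ end
+
  def self.prep_description( str )
  placeholder = '--' + rand( 1000 ).to_s + '--'
  cstr = str.gsub( /^\s*$/xm, placeholder )
@@ -114,9 +141,13 @@ class HTML < Arachni::Report::Base
  @total_severities = 0
  @total_elements = 0
  @total_verifications = 0
+
+ @crypto_issues = []
  @audit_store.issues.each_with_index {
  |issue, i|
 
+ @crypto_issues << @crypto.encrypt( issue.to_yaml )
+
  @graph_data[:severities][issue.severity] ||= 0
  @graph_data[:severities][issue.severity] += 1
  @total_severities += 1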
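Review bot: The new `escapeHTML` helper is now the report's only guard against a scanned site injecting markup through URLs, headers and response bodies, yet its fallback is fragile: the bare `rescue` also catches a `nil` argument, after which `str + ' '` raises NoMethodError from inside the rescue, and `Iconv` only works if something earlier in the file requires it — the visible requires stop at `require 'cgi'`. I would guard and narrow it: `return '' if str.nil?` at the top, `rescue ArgumentError` on the escape call, and `require 'iconv'` beside `require 'cgi'` unless it is already loaded elsewhere. Separately, `js_multiline` escapes only newlines, which is presumably fine for the ciphertext it receives from `@crypto.encrypt` (that class is not in this diff) but would corrupt or inject into the `<script>` block on any string containing `"`, `\` or `</`; a comment such as `# only for encrypted/base64 output — does not escape quotes, backslashes or '</'` would keep it from being reused. Both helpers are fully visible in the hunk; the `HTML` class itself continues outside it.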
@@ -99,6 +99,7 @@ class Metareport < Arachni::Report::Base
99
99
 
100
100
  outfile = File.new( @options['outfile'], 'w')
101
101
  YAML.dump( msf, outfile )
102
+ outfile.close
102
103
 
103
104
  print_status( 'Saved in \'' + @options['outfile'] + '\'.' )
104
105
  end
@@ -43,6 +43,8 @@ module MetaFormatters
43
43
  |issue|
44
44
  print_ok( "[\##{issue['index']}] #{issue['name']} at #{issue['url']} in #{issue['elem']} variable '#{issue['var']}' using #{issue['method']}." )
45
45
  }
46
+
47
+ print_line
46
48
  end
47
49
 
48
50
  end
metadata CHANGED
@@ -2,7 +2,7 @@
2
2
  name: arachni
3
3
  version: !ruby/object:Gem::Version
4
4
  prerelease:
5
- version: 0.2.2.2
5
+ version: 0.2.3
6
6
  platform: ruby
7
7
  authors:
8
8
  - Tasos Laskos
@@ -10,7 +10,7 @@ autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
12
 
13
- date: 2011-03-22 00:00:00 +00:00
13
+ date: 2011-05-22 00:00:00 +01:00
14
14
  default_executable:
15
15
  dependencies:
16
16
  - !ruby/object:Gem::Dependency
@@ -176,6 +176,7 @@ files:
176
176
  - CONTRIBUTORS.md
177
177
  - EXPLOITATION.md
178
178
  - HACKING.md
179
+ - data/crypto/public.pem
179
180
  - lib/nokogiri/xml/node.rb
180
181
  - lib/module.rb
181
182
  - lib/module/trainer.rb
@@ -211,6 +212,7 @@ files:
211
212
  - lib/plugin/manager.rb
212
213
  - lib/arachni.rb
213
214
  - lib/framework.rb
215
+ - lib/crypto/rsa_aes_cbc.rb
214
216
  - lib/http.rb
215
217
  - lib/spider.rb
216
218
  - lib/audit_store.rb
@@ -264,7 +266,6 @@ files:
264
266
  - lib/ui/web/server/public/spider.png
265
267
  - lib/ui/web/server/public/banner.png
266
268
  - lib/ui/web/server/public/bodybg-small.png
267
- - lib/ui/web/server/public/reports/demo.testfire.net:Sun Mar 20 02:48:10 2011.afr
268
269
  - lib/ui/web/server/public/reports/placeholder
269
270
  - lib/ui/web/server/public/icons/status.png
270
271
  - lib/ui/web/server/public/icons/info.png
@@ -277,7 +278,6 @@ files:
277
278
  - lib/ui/web/server/views/dispatcher_error.erb
278
279
  - lib/ui/web/server/views/instance.erb
279
280
  - lib/ui/web/server/views/log.erb
280
- - lib/ui/web/server/views/dispatcher.erb
281
281
  - lib/ui/web/server/views/flash.erb
282
282
  - lib/ui/web/server/views/report_formats.erb
283
283
  - lib/ui/web/server/views/modules.erb
@@ -285,14 +285,17 @@ files:
285
285
  - lib/ui/web/server/views/layout.erb
286
286
  - lib/ui/web/server/views/output_results.erb
287
287
  - lib/ui/web/server/views/options.erb
288
+ - lib/ui/web/server/views/dispatchers.erb
288
289
  - lib/ui/web/server/views/error.erb
289
290
  - lib/ui/web/server/views/home.erb
290
291
  - lib/ui/web/server/views/welcome.erb
291
292
  - lib/ui/web/server/views/reports.erb
293
+ - lib/ui/web/server/views/dispatchers_edit.erb
292
294
  - lib/ui/web/server/views/settings.erb
293
295
  - lib/ui/web/report_manager.rb
294
296
  - lib/ui/web/server.rb
295
297
  - lib/ui/web/log.rb
298
+ - lib/ui/web/dispatcher_manager.rb
296
299
  - lib/ui/web/output_stream.rb
297
300
  - lib/parser/auditable.rb
298
301
  - lib/parser/parser.rb