arachni 0.2.2.2 → 0.2.3

data/reports/html/default.erb

@@ -22,6 +22,9 @@
   <script type="text/javascript">
   //<![CDATA[
 
+      var configuration = <%=js_multiline( conf )%>
+      var email_address;
+
       if( typeof jQuery == 'undefined' ) {
           alert( "Could not load the necessary JavaScript libraries -- the presentation and functionality of the report will be crippled.\n" +
             "Make sure that your internet connection is working and try refreshing the page." );
@@ -31,6 +34,46 @@
           return document.getElementById(id)
       }
 
+      function report_fp( i ) {
+
+          if( !email_address ) {
+              email_address = prompt( "Please enter your e-mail address:", "")
+          }
+
+          if( !email_address )
+              return false;
+
+          // get some values from elements on the page:
+          var $form = $( "#false_positive_" + i ),
+              issue = $form.find( 'input[name="issue"]' ).val(),
+              module = $form.find( 'input[name="module"]' ).val(),
+              url = $form.find( 'input[name="url"]' ).val();
+
+          // Send the data using post and put the results in a div
+         $.post( "<%=REPORT_FP_URL%>",
+              { email_address: email_address, url: url, module: module, issue: issue, configuration: configuration } ,
+              function( ) {
+                  $( "#fp_report_msg" ).html( "Done!" )
+              }
+          );
+
+          $(function() {
+                var fp_txt = '<p>Please wait while the data is being transferred...</p>';
+				$( "#fp_report_msg" ).html( fp_txt );
+
+          	    $( "#fp_report_msg" ).dialog({
+			    modal: true,
+			    buttons: {
+				    Ok: function() {
+					    $( this ).dialog( "close" );
+                        $( "#fp_report_msg" ).html( fp_txt );
+				    }
+			    }
+		      });
+	      });
+
+      }
+
       function toggleElem( id ){
 
             if( getElem(id).style.display == 'none' ||
@@ -568,10 +611,12 @@
 
 <body>
 
+<div id="fp_report_msg" class="hidden" title="Reporting a false positive."></div>
+
     <div id="contentreport">
         <header>
-            <h1>Report for <%=CGI.escapeHTML(@audit_store.options['url'])%> (Generated on <strong><%=Time.now%></strong>)</h1>
-            <span style="float: right">Found a false positive? <a href="<%=CGI.escapeHTML(REPORT_FP)%>">Report it here</a>.</span>
+            <h1>Report for <%=escapeHTML(@audit_store.options['url'])%> (Generated on <strong><%=Time.now%></strong>)</h1>
+            <span style="float: right">Found a false positive? <a href="<%=escapeHTML(REPORT_FP)%>">Report it here</a>.</span>
         </header>
 
         <nav>
@@ -646,7 +691,7 @@
             <h3>Runtime options</h3>
 
             <strong>URL:</strong> <%=@audit_store.options['url']%><br />
-            <strong>User agent:</strong> <%=::CGI.escapeHTML( @audit_store.options['user_agent'] )%><br />
+            <strong>User agent:</strong> <%=escapeHTML( @audit_store.options['user_agent'] )%><br />
 
             <p>&nbsp;</p>
 
@@ -696,7 +741,7 @@
                             <% if !@audit_store.options['exclude'].empty?%>
                             <% @audit_store.options['exclude'].each do |rule|%>
 
-                                <li><%=CGI.escapeHTML( rule )%></li>
+                                <li><%=escapeHTML( rule )%></li>
 
                             <%end%>
                             <% else %>
@@ -711,7 +756,7 @@
                             <% if !@audit_store.options['include'].empty?%>
                             <% @audit_store.options['include'].each do |rule|%>
 
-                                <li><%=CGI.escapeHTML( rule )%></li>
+                                <li><%=escapeHTML( rule )%></li>
 
                             <%end%>
                             <% else %>
@@ -726,7 +771,7 @@
                             <% if !@audit_store.options['redundant'].empty?%>
                             <% @audit_store.options['redundant'].each do |rule|%>
 
-                                <li><%=CGI.escapeHTML( rule['regexp'] )%> - Count: <%=rule['count']%></li>
+                                <li><%=escapeHTML( rule['regexp'] )%> - Count: <%=rule['count']%></li>
 
                             <%end%>
                             <% else %>
@@ -742,7 +787,7 @@
                         <ul>
                         <% if @audit_store.options['cookies'] && !@audit_store.options['cookies'].empty?%>
                         <% @audit_store.options['cookies'].each_pair do |name, val|%>
-                            <li><%=CGI.escapeHTML( name )%> = <%=CGI.escapeHTML( val )%></li>
+                            <li><%=escapeHTML( name )%> = <%=escapeHTML( val )%></li>
                         <%end%>
                         <% else %>
                             <li>N/A</li>
@@ -772,19 +817,29 @@
             <div class="issue">
 
                 <h3 id="issue_<%=idx%>">
-                    <a href="#issue_<%=idx%>">[<%=idx%>] <%=CGI.escapeHTML(issue.name)%></a>
+                    <a href="#issue_<%=idx%>">[<%=idx%>] <%=escapeHTML(issue.name)%></a>
                 </h3>
 
+                <p>
+                    <form name="false_positive_<%=j%>" id="false_positive_<%=i%>">
+                        <input type="hidden" name="module" value="<%=escapeHTML(issue.internal_modname)%>" />
+                        <input type="hidden" name="url" value="<%=escapeHTML(issue.url)%>" />
+                        <input type="hidden" name="issue" value="<%=@crypto_issues[i]%>" />
+                        <input onclick="javascript:report_fp( <%=i%> );" type="button" value="Report false positive" />
+                    </form>
+                </p>
+
+
                 <div class="left">
                     <ul>
-                    <li><strong>Module name</strong>: <%=CGI.escapeHTML(issue.mod_name)%> <br/>
-                    (Internal module name: <strong><%=CGI.escapeHTML(issue.internal_modname)%></strong>)</li>
+                    <li><strong>Module name</strong>: <%=escapeHTML(issue.mod_name)%> <br/>
+                    (Internal module name: <strong><%=escapeHTML(issue.internal_modname)%></strong>)</li>
 
                     <% if issue.var %>
-                    <li><strong>Affected variable</strong>: <%=CGI.escapeHTML(issue.var)%></li>
+                    <li><strong>Affected variable</strong>: <%=escapeHTML(issue.var)%></li>
                     <%end%>
 
-                    <li><strong>Affected URL</strong>: <a href="<%=CGI.escapeHTML(issue.url)%>"><%= CGI.escapeHTML(issue.url)%></a> </li>
+                    <li><strong>Affected URL</strong>: <a href="<%=escapeHTML(issue.url)%>"><%=escapeHTML(issue.url)%></a> </li>
                     <li><strong>HTML Element</strong>: <%=issue.elem%></li>
                     <li><strong>Requires manual verification?</strong>: <%=issue.verification ? 'Yes' : 'No'%></li>
                     <hr/>
@@ -805,7 +860,7 @@
                             <% if issue.references && !issue.references.empty? %>
                             <% issue.references.each_pair do |source, url| %>
 
-                            <li><%=CGI.escapeHTML(source)%> - <a target="_blank" href="<%=url%>"><%=url%></a></li>
+                            <li><%=escapeHTML(source)%> - <a target="_blank" href="<%=url%>"><%=url%></a></li>
 
                             <%end%>
                             <%else%>
@@ -819,20 +874,20 @@
                 <div class="right">
                     <p>
                         <h3>Description</h3>
-                        <blockquote><p><%=CGI.escapeHTML(issue.description)%></p></blockquote>
+                        <blockquote><p><%=escapeHTML(issue.description)%></p></blockquote>
                     </p>
 
                     <% if issue.remedy_guidance && !issue.remedy_guidance.empty? %>
                     <p>
                         <h3>Remedial guidance</h3>
-                        <blockquote><p><%=CGI.escapeHTML(issue.remedy_guidance)%></p></blockquote>
+                        <blockquote><p><%=escapeHTML(issue.remedy_guidance)%></p></blockquote>
                     </p>
                     <%end%>
 
                     <% if issue.remedy_code && !issue.remedy_code.empty? %>
                     <p>
                         <h3>Remedial code</h3>
-                        <pre class="code notice"><%=CGI.escapeHTML(issue.remedy_code)%></pre>
+                        <pre class="code notice"><%=escapeHTML(issue.remedy_code)%></pre>
                     </p>
                     <%end%>
 
@@ -851,13 +906,13 @@
                     </h5>
 
                     <strong>Affected URL</strong>:
-                    <p class="notice"><a href="<%=CGI.escapeHTML(variation['url'])%>"><%=CGI.escapeHTML(variation['url'])%></a></p>
+                    <p class="notice"><a href="<%=escapeHTML(variation['url'])%>"><%=escapeHTML(variation['url'])%></a></p>
 
                     <% if (variation['response'] && !variation['response'].empty?) && variation['regexp_match'] %>
 
                     <div class="hidden" id="inspection-dialog_<%=var_idx%>_<%=idx%>" title="Relevant content is shown in red.">
-                        <% match = CGI.escapeHTML( variation['regexp_match'] )%>
-                        <pre> <%=CGI.escapeHTML( variation['response'] ).gsub( match, '<strong style="color: red">' + match + '</strong>' ) %> </pre>
+                        <% match = escapeHTML( variation['regexp_match'] )%>
+                        <pre> <%=escapeHTML( variation['response'] ).gsub( match, '<strong style="color: red">' + match + '</strong>' ) %> </pre>
                     </div>
 
                     <form style="display:inline" action="#">
@@ -871,7 +926,7 @@
                     <form style="display:inline" action="<%=issue.url%>" target="_blank" method="<%=issue.method.downcase%>">
                     <% if variation['opts'][:combo]%>
                     <%variation['opts'][:combo].each_pair do |name, value|%>
-                        <input type="hidden" name="<%=CGI.escapeHTML(name)%>" value="<%=CGI.escapeHTML( value )%>" />
+                        <input type="hidden" name="<%=escapeHTML(name)%>" value="<%=escapeHTML( value )%>" />
                     <%end%>
                     <%end%>
                         <input type="submit" value="Replay" />
@@ -884,25 +939,25 @@
 
                         <% if variation['injected'] %>
                         <strong>Injected value</strong>:
-                        <pre> <%=CGI.escapeHTML(variation['injected'])%> </pre>
+                        <pre> <%=escapeHTML(variation['injected'])%> </pre>
                         <br/>
                         <%end%>
 
                         <% if variation['id'] %>
                         <strong>ID</strong>:
-                        <pre><%=CGI.escapeHTML(variation['id'])%></pre>
+                        <pre><%=escapeHTML(variation['id'])%></pre>
                         <br/>
                         <%end%>
 
                         <% if variation['regexp'] %>
                         <strong>Regular expression</strong>:
-                        <pre><%=CGI.escapeHTML(variation['regexp'])%></pre>
+                        <pre><%=escapeHTML(variation['regexp'])%></pre>
                         <br/>
                         <%end%>
 
                         <% if variation['regexp_match'] %>
                         <strong>Matched by the regular expression</strong>:
-                        <pre><%=CGI.escapeHTML(variation['regexp_match'])%> </pre>
+                        <pre><%=escapeHTML(variation['regexp_match'])%> </pre>
                         <%end%>
 
                         <br/>
@@ -918,12 +973,12 @@
                             <tr>
                                 <td>
                                     <% if variation['headers']['request'].is_a?( Hash ) %>
-                                    <pre class="notice"><% variation['headers']['request'].each_pair do |name, val| %><strong><%=name%></strong><%="\t" + CGI.escapeHTML(val) + "\n"%><%end%></pre>
+                                    <pre class="notice"><% variation['headers']['request'].each_pair do |name, val| %><strong><%=name%></strong><%="\t" + escapeHTML(val) + "\n"%><%end%></pre>
                                     <%end%>
                                 </td>
                                 <td>
                                     <% if variation['headers']['response'].is_a?( Hash ) %>
-                                    <pre class="notice"><% variation['headers']['response'].each_pair do |name, val| %><strong><%=name%></strong><%="\t" + CGI.escapeHTML(val) + "\n"%><%end%></pre>
+                                    <pre class="notice"><% variation['headers']['response'].each_pair do |name, val| %><strong><%=name%></strong><%="\t" + escapeHTML(val) + "\n"%><%end%></pre>
                                     <%end%>
                                 </td>
                             </tr>
@@ -960,7 +1015,7 @@
             <p> &nbsp; </p>
             <h3><%=@audit_store.sitemap.size%> pages</h3>
             <% @audit_store.sitemap.each do |url| %>
-              <a href="<%=CGI.escapeHTML(url)%>"><%=CGI.escapeHTML(url)%></a><br/>
+              <a href="<%=escapeHTML(url)%>"><%=escapeHTML(url)%></a><br/>
               <%end%>
 
         </section>

data/reports/html.rb

@@ -14,6 +14,8 @@ require 'cgi'
 
 module Arachni
 
+require Options.instance.dir['lib'] + 'crypto/rsa_aes_cbc'
+
 module Reports
 
 #
@@ -22,10 +24,12 @@ module Reports
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.2
+# @version: 0.2.1
 #
 class HTML < Arachni::Report::Base
 
+    REPORT_FP_URL = "https://arachni.segfault.gr/false_positive"
+
     #
     # @param [AuditStore]  audit_store
     # @param [Hash]   options    options passed to the report
@@ -33,6 +37,8 @@ class HTML < Arachni::Report::Base
     def initialize( audit_store, options )
         @audit_store   = audit_store
         @options       = options
+
+        @crypto = RSA_AES_CBC.new( Options.instance.dir['data'] + 'crypto/public.pem' )
     end
 
     #
@@ -49,6 +55,12 @@ class HTML < Arachni::Report::Base
 
         @plugins = format_plugin_results( @audit_store.plugins )
 
+        conf = {}
+        conf['options']  = @audit_store.options
+        conf['version']  = @audit_store.version
+        conf['revision'] = @audit_store.revision
+        conf = @crypto.encrypt( conf.to_yaml )
+
         __save( @options['outfile'], report.result( binding ) )
 
         print_status( 'Saved in \'' + @options['outfile'] + '\'.' )
@@ -71,6 +83,21 @@ class HTML < Arachni::Report::Base
 
     private
 
+    def js_multiline( str )
+      "\"" + str.gsub( "\n", '\n' ) + "\"";
+    end
+
+    def escapeHTML( str )
+        # carefully escapes HTML and converts to UTF-8
+        # while removing invalid character sequences
+        begin
+            return CGI.escapeHTML( str )
+        rescue
+            ic = Iconv.new( 'UTF-8//IGNORE', 'UTF-8' )
+            return CGI.escapeHTML( ic.iconv( str + ' ' )[0..-2] )
+        end
+    end
+
     def self.prep_description( str )
         placeholder =  '--' + rand( 1000 ).to_s + '--'
         cstr = str.gsub( /^\s*$/xm, placeholder )
@@ -114,9 +141,13 @@ class HTML < Arachni::Report::Base
         @total_severities = 0
         @total_elements   = 0
         @total_verifications = 0
+
+        @crypto_issues = []
         @audit_store.issues.each_with_index {
             |issue, i|
 
+            @crypto_issues << @crypto.encrypt( issue.to_yaml )
+
             @graph_data[:severities][issue.severity] ||= 0
             @graph_data[:severities][issue.severity] += 1
             @total_severities += 1

data/reports/metareport.rb

@@ -99,6 +99,7 @@ class Metareport < Arachni::Report::Base
 
         outfile = File.new( @options['outfile'], 'w')
         YAML.dump( msf, outfile )
+        outfile.close
 
         print_status( 'Saved in \'' + @options['outfile'] + '\'.' )
     end

data/reports/plugin_formatters/stdout/metaformatters/timeout_notice.rb

@@ -43,6 +43,8 @@ module MetaFormatters
                 |issue|
                 print_ok( "[\##{issue['index']}] #{issue['name']} at #{issue['url']} in #{issue['elem']} variable '#{issue['var']}' using #{issue['method']}." )
             }
+
+            print_line
         end
 
     end

metadata

@@ -2,7 +2,7 @@
 name: arachni
 version: !ruby/object:Gem::Version 
   prerelease: 
-  version: 0.2.2.2
+  version: 0.2.3
 platform: ruby
 authors: 
 - Tasos Laskos
@@ -10,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-03-22 00:00:00 +00:00
+date: 2011-05-22 00:00:00 +01:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -176,6 +176,7 @@ files:
 - CONTRIBUTORS.md
 - EXPLOITATION.md
 - HACKING.md
+- data/crypto/public.pem
 - lib/nokogiri/xml/node.rb
 - lib/module.rb
 - lib/module/trainer.rb
@@ -211,6 +212,7 @@ files:
 - lib/plugin/manager.rb
 - lib/arachni.rb
 - lib/framework.rb
+- lib/crypto/rsa_aes_cbc.rb
 - lib/http.rb
 - lib/spider.rb
 - lib/audit_store.rb
@@ -264,7 +266,6 @@ files:
 - lib/ui/web/server/public/spider.png
 - lib/ui/web/server/public/banner.png
 - lib/ui/web/server/public/bodybg-small.png
-- lib/ui/web/server/public/reports/demo.testfire.net:Sun Mar 20 02:48:10 2011.afr
 - lib/ui/web/server/public/reports/placeholder
 - lib/ui/web/server/public/icons/status.png
 - lib/ui/web/server/public/icons/info.png
@@ -277,7 +278,6 @@ files:
 - lib/ui/web/server/views/dispatcher_error.erb
 - lib/ui/web/server/views/instance.erb
 - lib/ui/web/server/views/log.erb
-- lib/ui/web/server/views/dispatcher.erb
 - lib/ui/web/server/views/flash.erb
 - lib/ui/web/server/views/report_formats.erb
 - lib/ui/web/server/views/modules.erb
@@ -285,14 +285,17 @@ files:
 - lib/ui/web/server/views/layout.erb
 - lib/ui/web/server/views/output_results.erb
 - lib/ui/web/server/views/options.erb
+- lib/ui/web/server/views/dispatchers.erb
 - lib/ui/web/server/views/error.erb
 - lib/ui/web/server/views/home.erb
 - lib/ui/web/server/views/welcome.erb
 - lib/ui/web/server/views/reports.erb
+- lib/ui/web/server/views/dispatchers_edit.erb
 - lib/ui/web/server/views/settings.erb
 - lib/ui/web/report_manager.rb
 - lib/ui/web/server.rb
 - lib/ui/web/log.rb
+- lib/ui/web/dispatcher_manager.rb
 - lib/ui/web/output_stream.rb
 - lib/parser/auditable.rb
 - lib/parser/parser.rb