RubyGems - arachni - Versions diffs - 0.3 → 0.4 - Mend

arachni 0.3 → 0.4

Files changed (348) hide show

data/ACKNOWLEDGMENTS.md +1 -1
data/CHANGELOG.md +146 -0
data/CONTRIBUTORS.md +1 -0
data/HACKING.md +3 -3
data/README.md +81 -49
data/Rakefile +11 -14
data/bin/arachni +4 -8
data/bin/arachni_rpc +17 -0
data/bin/arachni_rpcd +18 -0
data/bin/arachni_rpcd_monitor +18 -0
data/bin/arachni_web +25 -48
data/bin/arachni_web_autostart +3 -3
data/conf/README.webui.yaml.txt +7 -21
data/external/metasploit/plugins/arachni.rb +0 -7
data/extras/modules/recon/raft_dirs.rb +108 -0
data/extras/modules/recon/raft_dirs/raft-large-directories.txt +62290 -0
data/extras/modules/recon/raft_files.rb +110 -0
data/extras/modules/recon/raft_files/raft-large-files.txt +37037 -0
data/extras/modules/recon/svn_digger_dirs.rb +108 -0
data/extras/modules/recon/svn_digger_dirs/Licence.txt +674 -0
data/extras/modules/recon/svn_digger_dirs/ReadMe-Arachni.txt +4 -0
data/extras/modules/recon/svn_digger_dirs/ReadMe.txt +6 -0
data/extras/modules/recon/svn_digger_dirs/all-dirs.txt +5960 -0
data/extras/modules/recon/svn_digger_files.rb +114 -0
data/extras/modules/recon/svn_digger_files/Licence.txt +674 -0
data/extras/modules/recon/svn_digger_files/ReadMe-Arachni.txt +4 -0
data/extras/modules/recon/svn_digger_files/ReadMe.txt +6 -0
data/extras/modules/recon/svn_digger_files/all-extensionless.txt +25419 -0
data/extras/modules/recon/svn_digger_files/all.txt +43135 -0
data/lib/arachni.rb +2 -7
data/lib/{audit_store.rb → arachni/audit_store.rb} +68 -60
data/lib/{component_manager.rb → arachni/component_manager.rb} +8 -8
data/lib/{component_options.rb → arachni/component_options.rb} +34 -4
data/lib/{crypto → arachni/crypto}/rsa_aes_cbc.rb +1 -2
data/lib/arachni/database.rb +4 -0
data/lib/arachni/database/base.rb +125 -0
data/lib/arachni/database/hash.rb +384 -0
data/lib/arachni/database/queue.rb +93 -0
data/lib/{exceptions.rb → arachni/exceptions.rb} +1 -1
data/lib/arachni/framework.rb +899 -0
data/lib/{http.rb → arachni/http.rb} +63 -166
data/lib/{issue.rb → arachni/issue.rb} +46 -17
data/lib/{mixins → arachni/mixins}/observable.rb +1 -1
data/lib/arachni/mixins/progress_bar.rb +81 -0
data/lib/arachni/mixins/terminal.rb +106 -0
data/lib/{module.rb → arachni/module.rb} +0 -0
data/lib/{module → arachni/module}/auditor.rb +250 -86
data/lib/{module → arachni/module}/base.rb +8 -18
data/lib/{module → arachni/module}/element_db.rb +10 -2
data/lib/{module → arachni/module}/key_filler.rb +1 -1
data/lib/arachni/module/manager.rb +145 -0
data/lib/{module → arachni/module}/output.rb +6 -1
data/lib/{module → arachni/module}/trainer.rb +48 -52
data/lib/{module → arachni/module}/utilities.rb +66 -15
data/lib/{nokogiri → arachni/nokogiri}/xml/node.rb +0 -0
data/lib/arachni/options.rb +986 -0
data/lib/{parser.rb → arachni/parser.rb} +0 -0
data/lib/{parser → arachni/parser}/auditable.rb +111 -32
data/lib/{parser → arachni/parser}/elements.rb +28 -20
data/lib/{parser → arachni/parser}/page.rb +20 -3
data/lib/{parser → arachni/parser}/parser.rb +100 -63
data/lib/{plugin.rb → arachni/plugin.rb} +0 -0
data/lib/{plugin → arachni/plugin}/base.rb +43 -6
data/lib/{plugin → arachni/plugin}/manager.rb +40 -13
data/lib/{report.rb → arachni/report.rb} +0 -0
data/lib/{report → arachni/report}/base.rb +43 -2
data/lib/{report → arachni/report}/manager.rb +7 -18
data/lib/arachni/rpc/client/base.rb +42 -0
data/lib/{rpc/xml → arachni/rpc}/client/dispatcher.rb +12 -13
data/lib/arachni/rpc/client/instance.rb +62 -0
data/lib/arachni/rpc/server/base.rb +51 -0
data/lib/arachni/rpc/server/dispatcher.rb +438 -0
data/lib/arachni/rpc/server/framework.rb +1163 -0
data/lib/arachni/rpc/server/instance.rb +184 -0
data/lib/{rpc/xml → arachni/rpc}/server/module/manager.rb +8 -5
data/lib/arachni/rpc/server/node.rb +267 -0
data/lib/{rpc/xml → arachni/rpc}/server/options.rb +6 -35
data/lib/{rpc/xml → arachni/rpc}/server/output.rb +29 -3
data/lib/{rpc/xml → arachni/rpc}/server/plugin/manager.rb +5 -6
data/lib/{ruby.rb → arachni/ruby.rb} +1 -2
data/lib/arachni/ruby/array.rb +31 -0
data/lib/{ruby → arachni/ruby}/object.rb +1 -1
data/lib/{ruby → arachni/ruby}/string.rb +1 -1
data/lib/{spider.rb → arachni/spider.rb} +83 -110
data/lib/arachni/typhoeus/hydra.rb +7 -0
data/lib/{typhoeus → arachni/typhoeus}/request.rb +11 -9
data/lib/{typhoeus → arachni/typhoeus}/response.rb +4 -0
data/lib/{ui → arachni/ui}/cli/cli.rb +154 -84
data/lib/{ui → arachni/ui}/cli/output.rb +57 -19
data/lib/{ui/xmlrpc → arachni/ui/rpc}/dispatcher_monitor.rb +11 -10
data/lib/{ui/xmlrpc/xmlrpc.rb → arachni/ui/rpc/rpc.rb} +102 -158
data/lib/{ui → arachni/ui}/web/addon_manager.rb +23 -3
data/lib/arachni/ui/web/addons/autodeploy.rb +207 -0
data/lib/{ui → arachni/ui}/web/addons/autodeploy/lib/manager.rb +142 -35
data/lib/arachni/ui/web/addons/autodeploy/views/index.erb +291 -0
data/lib/{ui → arachni/ui}/web/addons/sample.rb +1 -1
data/lib/{ui → arachni/ui}/web/addons/sample/views/index.erb +0 -0
data/lib/{ui → arachni/ui}/web/addons/scheduler.rb +30 -22
data/lib/{ui → arachni/ui}/web/addons/scheduler/views/index.erb +56 -22
data/lib/{ui → arachni/ui}/web/addons/scheduler/views/options.erb +0 -0
data/lib/arachni/ui/web/dispatcher_manager.rb +274 -0
data/lib/arachni/ui/web/instance_manager.rb +69 -0
data/lib/{ui → arachni/ui}/web/log.rb +1 -1
data/lib/arachni/ui/web/output_stream.rb +54 -0
data/lib/{ui → arachni/ui}/web/report_manager.rb +48 -54
data/lib/{ui → arachni/ui}/web/scheduler.rb +42 -47
data/lib/arachni/ui/web/server.rb +1197 -0
data/lib/{ui → arachni/ui}/web/server/db/placeholder +0 -0
data/lib/{ui → arachni/ui}/web/server/public/banner.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/bodybg-small.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/bodybg.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/css/smoothness/images/pbar-ani.gif +0 -0
data/lib/{ui → arachni/ui}/web/server/public/css/smoothness/images/ui-bg_flat_0_aaaaaa_40x100.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/css/smoothness/images/ui-bg_flat_75_ffffff_40x100.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/css/smoothness/images/ui-bg_glass_55_fbf9ee_1x400.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/css/smoothness/images/ui-bg_glass_65_ffffff_1x400.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/css/smoothness/images/ui-bg_glass_75_dadada_1x400.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/css/smoothness/images/ui-bg_glass_75_e6e6e6_1x400.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/css/smoothness/images/ui-bg_glass_95_fef1ec_1x400.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/css/smoothness/images/ui-bg_highlight-soft_75_cccccc_1x100.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/css/smoothness/images/ui-icons_222222_256x240.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/css/smoothness/images/ui-icons_2e83ff_256x240.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/css/smoothness/images/ui-icons_454545_256x240.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/css/smoothness/images/ui-icons_888888_256x240.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/css/smoothness/images/ui-icons_cd0a0a_256x240.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/css/smoothness/jquery-ui-1.8.9.custom.css +0 -0
data/lib/{ui → arachni/ui}/web/server/public/favicon.ico +0 -0
data/lib/{ui → arachni/ui}/web/server/public/footer.jpg +0 -0
data/lib/{ui/web/server/public/icons/error.png → arachni/ui/web/server/public/icons/bad.png} +0 -0
data/lib/arachni/ui/web/server/public/icons/error.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/icons/info.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/icons/ok.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/icons/status.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/js/jquery-1.4.4.min.js +0 -0
data/lib/{ui → arachni/ui}/web/server/public/js/jquery-ui-1.8.9.custom.min.js +0 -0
data/lib/{ui → arachni/ui}/web/server/public/js/jquery-ui-timepicker.js +0 -0
data/lib/{ui → arachni/ui}/web/server/public/logo.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/nav-left.jpg +0 -0
data/lib/{ui → arachni/ui}/web/server/public/nav-right.jpg +0 -0
data/lib/{ui → arachni/ui}/web/server/public/nav-selected-left.jpg +0 -0
data/lib/{ui → arachni/ui}/web/server/public/nav-selected-right.jpg +0 -0
data/lib/{ui → arachni/ui}/web/server/public/plugins/sample/style.css +0 -0
data/lib/{ui/web/server/tmp → arachni/ui/web/server/public/reports}/placeholder +0 -0
data/lib/{ui → arachni/ui}/web/server/public/sidebar-bottom.jpg +0 -0
data/lib/{ui → arachni/ui}/web/server/public/sidebar-h4.jpg +0 -0
data/lib/{ui → arachni/ui}/web/server/public/sidebar-top.jpg +0 -0
data/lib/{ui → arachni/ui}/web/server/public/spider.png +0 -0
data/lib/{ui → arachni/ui}/web/server/public/style.css +3 -2
data/lib/arachni/ui/web/server/tmp/placeholder +0 -0
data/lib/{ui → arachni/ui}/web/server/views/addon.erb +0 -0
data/lib/{ui → arachni/ui}/web/server/views/addons.erb +0 -0
data/lib/{ui → arachni/ui}/web/server/views/dispatcher_error.erb +0 -0
data/lib/arachni/ui/web/server/views/dispatchers.erb +175 -0
data/lib/arachni/ui/web/server/views/dispatchers_edit.erb +71 -0
data/lib/arachni/ui/web/server/views/error.erb +22 -0
data/lib/{ui → arachni/ui}/web/server/views/flash.erb +2 -2
data/lib/arachni/ui/web/server/views/home.erb +60 -0
data/lib/{ui → arachni/ui}/web/server/views/instance.erb +55 -75
data/lib/arachni/ui/web/server/views/js/home.erb +32 -0
data/lib/{ui → arachni/ui}/web/server/views/layout.erb +2 -2
data/lib/{ui → arachni/ui}/web/server/views/log.erb +0 -0
data/lib/arachni/ui/web/server/views/module.erb +30 -0
data/lib/{ui → arachni/ui}/web/server/views/modules.erb +2 -22
data/lib/{ui → arachni/ui}/web/server/views/options.erb +0 -0
data/lib/{ui → arachni/ui}/web/server/views/output_results.erb +4 -4
data/lib/{ui → arachni/ui}/web/server/views/plugins.erb +23 -12
data/lib/{ui → arachni/ui}/web/server/views/report_formats.erb +1 -1
data/lib/{ui → arachni/ui}/web/server/views/reports.erb +1 -1
data/lib/{ui → arachni/ui}/web/server/views/settings.erb +59 -16
data/lib/{ui → arachni/ui}/web/server/views/welcome.erb +3 -1
data/lib/{ui → arachni/ui}/web/utilities.rb +8 -3
data/lib/arachni/version.rb +16 -0
data/modules/audit/code_injection.rb +11 -20
data/modules/audit/code_injection_timing.rb +2 -6
data/modules/audit/csrf.rb +8 -16
data/modules/audit/ldapi.rb +5 -11
data/modules/audit/os_cmd_injection.rb +5 -9
data/modules/audit/os_cmd_injection_timing.rb +4 -8
data/modules/audit/path_traversal.rb +7 -13
data/modules/audit/response_splitting.rb +8 -21
data/modules/audit/rfi.rb +6 -46
data/modules/audit/sqli.rb +5 -11
data/modules/audit/sqli/regexp_ids.txt +0 -6
data/modules/audit/sqli_blind_rdiff.rb +5 -10
data/modules/audit/sqli_blind_timing.rb +4 -9
data/modules/audit/trainer.rb +6 -12
data/modules/audit/unvalidated_redirect.rb +6 -17
data/modules/audit/xpath.rb +5 -12
data/modules/audit/xss.rb +37 -23
data/modules/audit/xss_event.rb +5 -10
data/modules/audit/xss_path.rb +47 -41
data/modules/audit/xss_script_tag.rb +5 -10
data/modules/audit/xss_tag.rb +5 -10
data/modules/audit/xss_uri.rb +17 -89
data/modules/recon/allowed_methods.rb +6 -15
data/modules/recon/backdoors.rb +12 -52
data/modules/recon/backup_files.rb +25 -88
data/modules/recon/common_directories.rb +8 -54
data/modules/recon/common_files.rb +7 -58
data/modules/recon/directory_listing.rb +6 -15
data/modules/recon/grep/captcha.rb +1 -1
data/modules/recon/grep/credit_card.rb +62 -27
data/modules/recon/grep/cvs_svn_users.rb +1 -1
data/modules/recon/grep/emails.rb +1 -1
data/modules/recon/grep/html_objects.rb +1 -1
data/modules/recon/grep/private_ip.rb +1 -1
data/modules/recon/grep/ssn.rb +9 -9
data/modules/recon/htaccess_limit.rb +6 -14
data/modules/recon/http_put.rb +7 -15
data/modules/recon/interesting_responses.rb +7 -13
data/modules/recon/mixed_resource.rb +100 -0
data/modules/recon/unencrypted_password_forms.rb +8 -20
data/modules/recon/webdav.rb +6 -16
data/modules/recon/xst.rb +7 -13
data/path_extractors/anchors.rb +1 -1
data/path_extractors/forms.rb +1 -1
data/path_extractors/frames.rb +1 -1
data/path_extractors/generic.rb +47 -3
data/path_extractors/links.rb +1 -1
data/path_extractors/meta_refresh.rb +1 -1
data/path_extractors/scripts.rb +3 -4
data/path_extractors/sitemap.rb +1 -1
data/plugins/autologin.rb +9 -18
data/plugins/beep_notify.rb +51 -0
data/plugins/cookie_collector.rb +12 -12
data/plugins/defaults/autothrottle.rb +86 -0
data/plugins/{content_types.rb → defaults/content_types.rb} +25 -19
data/plugins/{healthmap.rb → defaults/healthmap.rb} +30 -18
data/plugins/defaults/metamodules/remedies/discovery.rb +164 -0
data/plugins/defaults/metamodules/remedies/manual_verification.rb +65 -0
data/{metamodules/timeout_notice.rb → plugins/defaults/metamodules/remedies/timing_attacks.rb} +26 -22
data/{metamodules → plugins/defaults/metamodules}/uniformity.rb +15 -14
data/plugins/{profiler.rb → defaults/profiler.rb} +19 -30
data/plugins/defaults/resolver.rb +55 -0
data/plugins/email_notify.rb +108 -0
data/plugins/form_dicattack.rb +8 -16
data/plugins/http_dicattack.rb +4 -12
data/plugins/libnotify.rb +86 -0
data/plugins/proxy.rb +8 -17
data/plugins/proxy/server.rb +3 -3
data/plugins/rescan.rb +60 -0
data/plugins/waf_detector.rb +5 -16
data/profiles/full.afp +3 -30
data/reports/afr.rb +2 -5
data/reports/ap.rb +3 -1
data/reports/html.rb +210 -68
data/reports/html/default.erb +72 -1014
data/reports/html/default/configuration.erb +126 -0
data/reports/html/default/css/jquery-ui.css +570 -0
data/reports/html/default/css/jquery.jqplot.min.css +1 -0
data/reports/html/default/css/main.css +391 -0
data/reports/html/default/issue.erb +189 -0
data/reports/html/default/issues.erb +65 -0
data/reports/html/default/js/charts.js +146 -0
data/reports/html/default/js/helpers.js +95 -0
data/reports/html/default/js/init.js +73 -0
data/reports/html/default/js/lib/jqplot.barRenderer.min.js +57 -0
data/reports/html/default/js/lib/jqplot.categoryAxisRenderer.min.js +57 -0
data/reports/html/default/js/lib/jqplot.cursor.min.js +57 -0
data/reports/html/default/js/lib/jqplot.pieRenderer.min.js +57 -0
data/reports/html/default/js/lib/jqplot.pointLabels.min.js +57 -0
data/reports/html/default/js/lib/jquery-ui.min.js +404 -0
data/reports/html/default/js/lib/jquery.jqplot.min.js +57 -0
data/reports/html/default/js/lib/jquery.min.js +167 -0
data/reports/html/default/plugins.erb +22 -0
data/reports/html/default/search.erb +8 -0
data/reports/html/default/sitemap.erb +15 -0
data/reports/html/default/summary.erb +68 -0
data/reports/html/default/summary_issue.erb +19 -0
data/reports/json.rb +51 -0
data/reports/marshal.rb +49 -0
data/reports/metareport.rb +4 -6
data/reports/metareport/arachni_metareport.rb +1 -1
data/reports/plugin_formatters/html/autologin.rb +30 -41
data/reports/plugin_formatters/html/content_types.rb +1 -10
data/reports/plugin_formatters/html/cookie_collector.rb +36 -44
data/reports/plugin_formatters/html/discovery.rb +50 -0
data/reports/plugin_formatters/html/form_dicattack.rb +24 -32
data/reports/plugin_formatters/html/healthmap.rb +45 -54
data/reports/plugin_formatters/html/http_dicattack.rb +24 -32
data/reports/plugin_formatters/html/profiler.rb +17 -48
data/reports/plugin_formatters/html/profiler/template.erb +6 -99
data/reports/plugin_formatters/html/resolver.rb +63 -0
data/reports/plugin_formatters/html/{metaformatters/timeout_notice.rb → timing_attacks.rb} +7 -19
data/reports/plugin_formatters/html/{metaformatters/uniformity.rb → uniformity.rb} +5 -17
data/reports/plugin_formatters/html/waf_detector.rb +24 -32
data/reports/plugin_formatters/stdout/autologin.rb +30 -35
data/reports/plugin_formatters/stdout/content_types.rb +41 -46
data/reports/plugin_formatters/stdout/cookie_collector.rb +33 -38
data/reports/plugin_formatters/stdout/discovery.rb +47 -0
data/reports/plugin_formatters/stdout/form_dicattack.rb +27 -32
data/reports/plugin_formatters/stdout/healthmap.rb +47 -51
data/reports/plugin_formatters/stdout/http_dicattack.rb +27 -32
data/reports/plugin_formatters/stdout/metamodules.rb +48 -55
data/reports/plugin_formatters/stdout/profiler.rb +60 -65
data/reports/plugin_formatters/stdout/resolver.rb +45 -0
data/reports/plugin_formatters/stdout/{metaformatters/timeout_notice.rb → timing_attacks.rb} +6 -14
data/reports/plugin_formatters/stdout/{metaformatters/uniformity.rb → uniformity.rb} +6 -14
data/reports/plugin_formatters/stdout/waf_detector.rb +23 -28
data/reports/plugin_formatters/xml/autologin.rb +36 -41
data/reports/plugin_formatters/xml/content_types.rb +47 -52
data/reports/plugin_formatters/xml/cookie_collector.rb +39 -44
data/reports/plugin_formatters/xml/discovery.rb +54 -0
data/reports/plugin_formatters/xml/form_dicattack.rb +22 -27
data/reports/plugin_formatters/xml/healthmap.rb +53 -58
data/reports/plugin_formatters/xml/http_dicattack.rb +22 -27
data/reports/plugin_formatters/xml/profiler.rb +61 -77
data/reports/plugin_formatters/xml/resolver.rb +53 -0
data/reports/plugin_formatters/xml/{metaformatters/timeout_notice.rb → timing_attacks.rb} +3 -15
data/reports/plugin_formatters/xml/{metaformatters/uniformity.rb → uniformity.rb} +4 -14
data/reports/plugin_formatters/xml/waf_detector.rb +23 -28
data/reports/stdout.rb +1 -1
data/reports/txt.rb +2 -5
data/reports/xml.rb +2 -5
data/reports/xml/buffer.rb +6 -2
data/reports/yaml.rb +49 -0
metadata +419 -278
data/bin/arachni_xmlrpc +0 -21
data/bin/arachni_xmlrpcd +0 -82
data/bin/arachni_xmlrpcd_monitor +0 -74
data/getoptslong.rb +0 -242
data/lib/anemone.rb +0 -2
data/lib/framework.rb +0 -673
data/lib/module/manager.rb +0 -111
data/lib/options.rb +0 -547
data/lib/rpc/xml/client/base.rb +0 -76
data/lib/rpc/xml/client/instance.rb +0 -88
data/lib/rpc/xml/server/base.rb +0 -112
data/lib/rpc/xml/server/dispatcher.rb +0 -386
data/lib/rpc/xml/server/framework.rb +0 -206
data/lib/rpc/xml/server/instance.rb +0 -191
data/lib/ruby/xmlrpc/server.rb +0 -27
data/lib/ui/web/addons/autodeploy.rb +0 -172
data/lib/ui/web/addons/autodeploy/views/index.erb +0 -124
data/lib/ui/web/dispatcher_manager.rb +0 -165
data/lib/ui/web/instance_manager.rb +0 -87
data/lib/ui/web/output_stream.rb +0 -94
data/lib/ui/web/server.rb +0 -925
data/lib/ui/web/server/public/reports/placeholder +0 -1
data/lib/ui/web/server/views/dispatchers.erb +0 -100
data/lib/ui/web/server/views/dispatchers_edit.erb +0 -42
data/lib/ui/web/server/views/error.erb +0 -1
data/lib/ui/web/server/views/home.erb +0 -25
data/metamodules/autothrottle.rb +0 -74
data/plugins/metamodules.rb +0 -118
data/profiles/comprehensive.afp +0 -74
data/reports/plugin_formatters/html/metamodules.rb +0 -93
data/reports/plugin_formatters/xml/metamodules.rb +0 -91

data/lib/{parser.rb → arachni/parser.rb} RENAMED

File without changes

data/lib/{parser → arachni/parser}/auditable.rb RENAMED

@@ -53,6 +53,13 @@ class Auditable
         @auditor
     end
+    def override_instance_scope!
+        @override_instance_scope = true
+    end
+    def override_instance_scope?
+        @override_instance_scope ||= false
+    end
     #
     # Delegate output related methods to the auditor
@@ -142,6 +149,7 @@ class Auditable
         injection_sets( injection_str, opts ).each {
             |elem|
+            elem.auditor( get_auditor )
             opts[:altered] = elem.altered.dup
             return if skip?( elem )
@@ -168,11 +176,14 @@ class Auditable
     end
     #
-    # Injectes the injecton_str in self's values according to formatting options
-    # and returns an array of hashes in the form of:
-    #  <altered_variable>   => <new element>
+    # Injects the injecton_str in self's values according to formatting options
+    # and returns an array of Element permutations.
     #
     # @param    [String]  injection_str  the string to inject
+    # @param    [Hash]    opts           formatting and permutation options
+    #                                       * :skip_orig => skip submission with default/original values (for {Arachni::Parser::Element::Form} elements)
+    #                                       * :format => {Format}
+    #                                       * :param_flip => flip injection value and input name
     #
     # @return    [Array]
     #
@@ -224,13 +235,51 @@ class Auditable
         }
-        if opts[:param_flip]
+        if opts[:param_flip] #&& !self.is_a?( Arachni::Parser::Element::Cookie )
             elem = self.dup
+            # when under HPG mode element auditing is strictly regulated
+            # and when we flip params we essentially create a new element
+            # which won't be on the whitelist
+            elem.override_instance_scope!
             elem.altered = 'Parameter flip'
             elem.auditable[injection_str] = seed
             var_combo << elem
         end
+        # if there are two password type fields in the form there's a good
+        # chance that it's a 'please retype your password' thing so make sure
+        # that we have a variation which has identical password values
+        if self.is_a?( Arachni::Parser::Element::Form )
+            chash = hash.dup
+            chash = Arachni::Module::KeyFiller.fill( chash )
+            delem = self.dup
+            add = false
+            @raw['auditable'].each {
+                |input|
+                if input['type'] == 'password'
+                    delem.altered = input['name']
+                    opts[:format].each {
+                        |format|
+                        chash[input['name']] =
+                            format_str( injection_str, chash[input['name']], format )
+                    }
+                    add = true
+                end
+            } if @raw['auditable']
+            if add
+                delem.auditable = chash
+                var_combo << delem
+            end
+        end
         print_debug_injection_set( var_combo, opts )
         return var_combo
@@ -258,6 +307,34 @@ class Auditable
         return "Auditing #{self.type} variable '" + altered + "' of " + @action
     end
+    #
+    # Returns am audit identifier string to be registered using {#audited}.
+    #
+    # @param  [Hash]  input
+    # @param  [Hash]  opts
+    #
+    # @return  [String]
+    #
+    def audit_id( injection_str = '', opts = {} )
+        vars = auditable.keys.sort.to_s
+        str = ''
+        str += !opts[:no_auditor] ? "#{@auditor.class.info[:name]}:" : ''
+        str += "#{@action}:" + "#{self.type}:#{vars}"
+        str += "=#{injection_str.to_s}" if !opts[:no_injection_str]
+        str += ":timeout=#{opts[:timeout]}" if !opts[:no_timeout]
+        return str
+    end
+    def self.restrict_to_elements!( elements )
+        @@restrict_to_elements = Set.new
+        elements.each {
+            |elem|
+            @@restrict_to_elements << elem
+        }
+    end
     private
@@ -297,7 +374,7 @@ class Auditable
             # make sure that we have a response before continuing
             if !res
-                print_error( 'Failed to get responses, backing out... ' )
+                print_error( 'Failed to get response, backing out...' )
                 next
             else
                 print_status( 'Analyzing response #' + res.request.id.to_s + '...' )  if elem.opts && !elem.opts[:silent]
@@ -353,6 +430,8 @@ class Auditable
     end
     def match_regexp_and_log( regexp, res, opts )
+        regexp = regexp.is_a?( Regexp ) ? regexp :
+            Regexp.new( regexp.to_s, Regexp::IGNORECASE )
         match_data = res.body.scan( regexp )[0]
         match_data = match_data.to_s
@@ -380,35 +459,36 @@ class Auditable
     end
     #
-    # Returns am audit identifier string to be registered using {#audited}.
-    #
-    # @param  [Hash]  input
-    # @param  [Hash]  opts
+    # Checks whether or not an audit has been already performed.
     #
-    # @return  [String]
+    # @param  [String]  elem_audit_id  a string returned by {#audit_id}
     #
-    def audit_id( injection_str, opts = {} )
-        vars = auditable.keys.sort.to_s
+    def audited?( elem_audit_id )
-        timeout = opts[:timeout] || ''
-        return "#{@auditor.class.info[:name]}:" +
-          "#{@action}:" + "#{self.type}:" +
-          "#{vars}=#{injection_str.to_s}:timeout=#{timeout}"
-    end
+        opts = {
+            :no_auditor => true,
+            :no_timeout => true,
+            :no_injection_str => true
+        }
-    #
-    # Checks whether or not an audit has been already performed.
-    #
-    # @param  [String]  audit_id  a string returned by {#audit_id}
-    #
-    def audited?( audit_id )
-      ret =  @@audited.include?( audit_id )
+        @@restrict_to_elements ||= Set.new
+        if @@audited.include?( elem_audit_id )
+            msg = 'Skipping, already audited: ' + elem_audit_id
+            ret = true
+        elsif !get_auditor.override_instance_scope? && !override_instance_scope? &&
+            !@@restrict_to_elements.empty? &&
+            !@@restrict_to_elements.include?( audit_id( nil, opts ) )
+            msg = 'Skipping, out of instance scope.'
+            ret = true
+        else
+            msg = 'Current audit ID: ' + elem_audit_id
+            ret = false
+        end
-      msg = 'Current audit ID: ' if !ret
-      msg = 'Skipping, already audited: ' if ret
-      print_debug( msg + audit_id )
+        print_debug( msg )
-      return ret
+        return ret
     end
     #
@@ -441,8 +521,7 @@ class Auditable
         append = default_str if ( format & Format::APPEND )   != 0
         semicolon = append = null = ''   if ( format & Format::STRAIGHT ) != 0
-        return semicolon + append + injection_str + null
+        return semicolon + append + injection_str.to_s + null
     end
     def print_debug_injection_set( var_combo, opts )
@@ -504,8 +583,8 @@ class Auditable
           print_debug( "|--> Combo: " )
           combo.each {
-              |combo|
-              print_debug( "|------> " + combo.to_s )
+              |c_combo|
+              print_debug( "|------> " + c_combo.to_s )
           }
         }

data/lib/{parser → arachni/parser}/elements.rb RENAMED

@@ -1,6 +1,6 @@
 =begin
                   Arachni
-  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
   This is free software; you can copy and distribute and modify
   this program under the term of the GPL v2.0 License
@@ -78,7 +78,7 @@ class Base < Arachni::Element::Auditable
     #
     def initialize( url, raw = {} )
         @raw   = raw.dup
-        @url   = url.dup
+        @url   = url.to_s
     end
     #
@@ -104,6 +104,10 @@ class Base < Arachni::Element::Auditable
     end
+    def dup
+        self.class.new( @url.dup, @raw.dup )
+    end
 end
 class Link < Base
@@ -111,10 +115,10 @@ class Link < Base
     def initialize( url, raw = {} )
         super( url, raw )
-        @action = @raw['href']
+        @action = @raw['href'] || @raw[:href] || @raw['action'] || @raw[:action]
         @method = 'get'
-        @auditable = @raw['vars']
+        @auditable = @raw['vars'] || @raw[:vars] || @raw['inputs'] || @raw[:inputs]
         @orig      = @auditable.deep_clone
         @orig.freeze
     end
@@ -131,14 +135,18 @@ class Link < Base
         Arachni::Module::Auditor::Element::LINK
     end
-    def audit_id( injection_str, opts = {} )
+    def audit_id( injection_str = '', opts = {} )
         vars = auditable.keys.sort.to_s
-        url = URI( @auditor.page.url ).merge( URI( @action ).path ).to_s
+        url = @action.gsub( /\?.*/, '' )
+        str = ''
+        str += !opts[:no_auditor] ? "#{@auditor.class.info[:name]}:" : ''
-        timeout = opts[:timeout] || ''
-        return "#{@auditor.class.info[:name]}:" +
-          "#{url}:" + "#{self.type}:" +
-          "#{vars}=#{injection_str.to_s}:timeout=#{timeout}"
+        str += "#{url}:" + "#{self.type}:#{vars}"
+        str += "=#{injection_str.to_s}" if !opts[:no_injection_str]
+        str += ":timeout=#{opts[:timeout]}" if !opts[:no_timeout]
+        return str
     end
@@ -155,17 +163,15 @@ class Form < Base
     def initialize( url, raw = {} )
         super( url, raw )
-        @action = @raw['attrs']['action']
-        @method = @raw['attrs']['method']
+        @action = @raw['action'] || @raw[:action] || @raw['attrs']['action']
+        @method = @raw['method'] || @raw[:method] || @raw['attrs']['method']
-        @auditable = simple['auditable'] || {}
+        @auditable = @raw[:inputs] || @raw['inputs'] || simple['auditable'] || {}
         @orig      = @auditable.deep_clone
         @orig.freeze
     end
     def http_request( url, opts )
         params   = opts[:params]
         altered  = opts[:altered]
@@ -203,7 +209,6 @@ class Form < Base
     end
     def id
         id = simple['attrs'].to_s
         auditable.map {
@@ -213,12 +218,10 @@ class Form < Base
         }
         return id
     end
     def simple
-        form = Hash.new
+        form = {}
         return form if !@raw || !@raw['auditable'] || @raw['auditable'].empty?
@@ -248,7 +251,12 @@ class Cookie < Base
         @action = @url
         @method = 'cookie'
-        @auditable = { @raw['name'] => @raw['value'] }
+        if @raw['name']
+            @auditable = { @raw['name'] => @raw['value'] }
+        else
+            @auditable = @raw
+        end
         @simple = @auditable.dup
         @auditable.reject! {
             |cookie|

data/lib/{parser → arachni/parser}/page.rb RENAMED

@@ -1,6 +1,6 @@
 =begin
                   Arachni
-  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
   This is free software; you can copy and distribute and modify
   this program under the term of the GPL v2.0 License
@@ -19,7 +19,7 @@ class Parser
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.2.1
+# @version: 0.2.2
 #
 class Page
@@ -90,12 +90,29 @@ class Page
     #
     attr_accessor :cookiejar
+    def self.from_http_response( res, opts )
+        page = Arachni::Parser.new( opts, res ).run
+        page.url = Arachni::Module::Utilities.url_sanitize( res.effective_url )
+        return page
+    end
     def initialize( opts = {} )
+        @forms = []
+        @links = []
+        @cookies = []
+        @headers = []
+        @cookiejar = {}
+        @paths = []
+        @response_headers = {}
+        @query_vars       = {}
         opts.each {
             |k, v|
             send( "#{k}=", v )
         }
     end
     def body

data/lib/{parser → arachni/parser}/parser.rb RENAMED

@@ -1,6 +1,6 @@
 =begin
                   Arachni
-  Copyright (c) 2010-2011 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
+  Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
   This is free software; you can copy and distribute and modify
   this program under the term of the GPL v2.0 License
@@ -50,33 +50,33 @@ class Parser
     include Arachni::Module::Utilities
     module Extractors
-    #
-    # Base Spider parser class for modules.
-    #
-    # The aim of such modules is to extract paths from a webpage for the Spider to follow.
-    #
-    #
-    # @author: Tasos "Zapotek" Laskos
-    #                                      <tasos.laskos@gmail.com>
-    #                                      <zapotek@segfault.gr>
-    # @version: 0.1
-    # @abstract
-    #
-    class Paths
         #
-        # This method must be implemented by all modules and must return an array
-        # of paths as plain strings
+        # Base Spider parser class for modules.
         #
-        # @param    [Nokogiri]  Nokogiri document
+        # The aim of such modules is to extract paths from a webpage for the Spider to follow.
         #
-        # @return   [Array<String>]  paths
         #
-        def run( doc )
+        # @author: Tasos "Zapotek" Laskos
+        #                                      <tasos.laskos@gmail.com>
+        #                                      <zapotek@segfault.gr>
+        # @version: 0.1
+        # @abstract
+        #
+        class Paths
+            #
+            # This method must be implemented by all modules and must return an array
+            # of paths as plain strings
+            #
+            # @param    [Nokogiri]  Nokogiri document
+            #
+            # @return   [Array<String>]  paths
+            #
+            def run( doc )
+            end
         end
     end
-    end
     #
     # @return    [String]    the url of the page
@@ -99,9 +99,13 @@ class Parser
     def initialize( opts, res )
         @opts = opts
+        @code = res.code
         @url  = url_sanitize( res.effective_url )
         @html = res.body
         @response_headers = res.headers_hash
+        @doc   = nil
+        @paths = nil
     end
     #
@@ -112,9 +116,9 @@ class Parser
     def run
         # non text files won't contain any auditable elements
-        type = Arachni::HTTP.content_type( @response_headers )
-        if type.is_a?( String) && !type.substring?( 'text' )
+        if !text?
             return Page.new( {
+                :code        => @code,
                 :url         => @url,
                 :query_vars  => link_vars( @url ),
                 :html        => @html,
@@ -151,6 +155,7 @@ class Parser
         end
         return Page.new( {
+            :code        => @code,
             :url         => @url,
             :query_vars  => link_vars( @url ),
             :html        => @html,
@@ -165,6 +170,12 @@ class Parser
     end
+    def text?
+        type = Arachni::HTTP.content_type( @response_headers )
+        return false if !type
+        return type.to_s.substring?( 'text' )
+    end
     def doc
       return @doc if @doc
       @doc = Nokogiri::HTML( @html ) if @html rescue nil
@@ -303,7 +314,7 @@ class Parser
             else
                 action = url_sanitize( elements[i]['attrs']['action'] )
             end
-            action = URI.escape( action ).to_s
+            action = uri_encode( action ).to_s
             elements[i]['attrs']['action'] = to_absolute( action.clone ).to_s
@@ -314,10 +325,7 @@ class Parser
                     elements[i]['attrs']['method'].downcase
             end
-            url = URI.parse( URI.escape( elements[i]['attrs']['action'] ) )
-            if !in_domain?( url )
-                next
-            end
+            next if skip?( elements[i]['attrs']['action'] )
             elements[i]['textarea'] = form_textareas( form )
             elements[i]['select']   = form_selects( form )
@@ -361,9 +369,7 @@ class Parser
             link['href'] = to_absolute( link['href'] )
             if !link['href'] then next end
-            if( exclude?( link['href'] ) ) then next end
-            if( !include?( link['href'] ) ) then next end
-            if !in_domain?( URI.parse( link['href'] ) ) then next end
+            next if skip?( link['href'] )
             link['vars'] = {}
             link_vars( link['href'] ).each_pair {
@@ -405,16 +411,20 @@ class Parser
                 k, v = elem['content'].split( ';' )[0].split( '=', 2 )
                 cookies_arr << Element::Cookie.new( @url, { 'name' => k, 'value' => v } )
             }
-        rescue
+        rescue Exception => e
+            # ap e
+            # ap e.backtrace
         end
         # don't ask me why....
-        if @response_headers.to_s.substring?( 'set-cookie' )
+        if @response_headers.to_s.downcase.substring?( 'set-cookie' )
             begin
                 cookies << ::WEBrick::Cookie.parse_set_cookies( @response_headers['Set-Cookie'].to_s )
                 cookies << ::WEBrick::Cookie.parse_set_cookies( @response_headers['set-cookie'].to_s )
-            rescue
+            rescue Exception => e
+                # ap e
+                # ap e.backtrace
                 return cookies_arr
             end
         end
@@ -457,15 +467,7 @@ class Parser
       @paths = []
       return @paths if !doc
-      run_extractors( ).each {
-          |path|
-          next if path.nil? or path.empty?
-          abs = to_absolute( path ) rescue next
-          @paths << abs if in_domain?( abs )
-      }
-      @paths.uniq!
+      @paths = run_extractors
       return @paths
     end
@@ -508,28 +510,37 @@ class Parser
     def to_absolute( link )
         begin
-            if URI.parse( link ).host
+            link = normalize_url( link )
+            if uri_parser.parse( link ).host
                 return link
             end
         rescue Exception => e
-            return nil if link.nil?
+            # ap e
+            # ap e.backtrace
+            return nil
         end
-        # remove anchor
-        link = URI.encode( link.to_s.gsub( /#[a-zA-Z0-9_-]*$/,'' ) )
+        begin
+            # remove anchor
+            link = uri_encode( link.to_s.gsub( /#[a-zA-Z0-9_-]*$/,'' ) )
-        if url = base
-            base_url = URI( url )
-        else
-            base_url = URI( @url )
-        end
+            if url = base
+                base_url = uri_parser.parse( url )
+            else
+                base_url = uri_parser.parse( @url )
+            end
-        relative = URI( link )
-        absolute = base_url.merge( relative )
+            relative = uri_parser.parse( link )
+            absolute = base_url.merge( relative )
-        absolute.path = '/' if absolute.path && absolute.path.empty?
+            absolute.path = '/' if absolute.path && absolute.path.empty?
-        return absolute.to_s
+            return absolute.to_s
+        rescue Exception => e
+            # ap e
+            # ap e.backtrace
+            return nil
+        end
     end
@@ -543,11 +554,20 @@ class Parser
     end
+    def too_deep?( url )
+        if @opts.depth_limit > 0 && (@opts.depth_limit + 1) <= URI(url.to_s).path.count( '/' )
+            return true
+        else
+            return false
+        end
+    end
     #
     # Returns +true+ if *uri* is in the same domain as the page, returns
     # +false+ otherwise
     #
     def in_domain?( uri )
         curi = URI.parse( normalize_url( uri.to_s ) )
         if( @opts.follow_subdomains )
@@ -589,11 +609,24 @@ class Parser
         @opts.include.each {
             |pattern|
+            pattern = Regexp.new( pattern ) if pattern.is_a?( String )
             return true if url.to_s =~ pattern
         }
         return false
     end
+    def skip?( path )
+        return true if !path
+        begin
+            return true if !include?( path )
+            return true if exclude?( path )
+            return true if too_deep?( path )
+            return true if !in_domain?( path )
+        rescue
+            true
+        end
+    end
     private
@@ -603,20 +636,20 @@ class Parser
     # @return   [Array]   paths
     #
     def run_extractors
-        lib = @opts.dir['root'] + 'path_extractors/'
         begin
-            @@manager ||= ::Arachni::ComponentManager.new( lib, Extractors )
+            @@manager ||=
+                ::Arachni::ComponentManager.new( @opts.dir['path_extractors'], Extractors )
             return @@manager.available.map {
                 |name|
                 @@manager[name].new.run( doc )
-            }.flatten.uniq
+            }.flatten.uniq.compact.
+            map { |path| to_absolute( url_sanitize( path ) ) }.
+            reject { |path| skip?( path ) }
         rescue ::Exception => e
             print_error( e.to_s )
-            print_debug_backtrace( e )
+            print_error_backtrace( e )
         end
     end
@@ -641,7 +674,11 @@ class Parser
         i = new_arr.size
         selects.each {
             |select|
-            select['attrs']['value'] = select['options'][0]['value']
+            begin
+                select['attrs']['value'] = select['options'][0]['value']
+            rescue
+            end
             new_arr << select['attrs']
         }