arachni 0.4.0.4 → 0.4.1

Files changed (688)
  1. data/ACKNOWLEDGMENTS.md +2 -2
  2. data/AUTHORS.md +1 -4
  3. data/CHANGELOG.md +102 -3
  4. data/CONTRIBUTORS.md +4 -1
  5. data/EXPLOITATION.md +6 -6
  6. data/Gemfile +3 -0
  7. data/HACKING.md +29 -10
  8. data/LICENSE.md +176 -339
  9. data/NOTICE +12 -0
  10. data/README.md +160 -119
  11. data/Rakefile +83 -45
  12. data/arachni.gemspec +124 -0
  13. data/bin/arachni +14 -8
  14. data/bin/arachni_console +52 -0
  15. data/bin/arachni_rpc +14 -8
  16. data/bin/arachni_rpcd +15 -9
  17. data/bin/arachni_rpcd_monitor +14 -8
  18. data/bin/arachni_script +41 -0
  19. data/bin/arachni_web +18 -19
  20. data/bin/arachni_web_autostart +17 -18
  21. data/external/metasploit/plugins/arachni.rb +7 -9
  22. data/external/metasploit/{LICENSE → plugins/arachni/LICENSE} +0 -0
  23. data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_exec.rb +1 -1
  24. data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_path_traversal.rb +2 -2
  25. data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_php_eval.rb +1 -1
  26. data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_php_include.rb +1 -1
  27. data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_sqlmap.rb +2 -2
  28. data/external/scripts/LICENSE.tpl +174 -0
  29. data/external/scripts/README.md +95 -0
  30. data/external/scripts/README.tpl +30 -0
  31. data/external/scripts/build.sh +631 -0
  32. data/external/scripts/build_all.sh +29 -0
  33. data/external/scripts/build_and_package.sh +100 -0
  34. data/external/scripts/cross_build_and_package.sh +20 -0
  35. data/external/scripts/installer.sh.tpl +166 -0
  36. data/external/scripts/lib/readlink_f.sh +40 -0
  37. data/external/scripts/package.sh +134 -0
  38. data/external/scripts/push_nightlies.sh +125 -0
  39. data/extras/placeholder +0 -0
  40. data/gfx/README.md +18 -0
  41. data/gfx/compiled/banner.png +0 -0
  42. data/gfx/compiled/favicon.ico +0 -0
  43. data/gfx/compiled/icon.png +0 -0
  44. data/gfx/compiled/logo.png +0 -0
  45. data/gfx/compiled/spider.png +0 -0
  46. data/gfx/font/Beneath_the_Surface.ttf +0 -0
  47. data/gfx/font/bts_readme.txt +14 -0
  48. data/gfx/source/banner.svg +999 -0
  49. data/gfx/source/icon.svg +627 -0
  50. data/gfx/source/logo.svg +672 -0
  51. data/gfx/source/spider.png +0 -0
  52. data/gfx/source/spider.svg +277 -0
  53. data/lib/arachni.rb +30 -5
  54. data/lib/arachni/audit_store.rb +111 -143
  55. data/lib/arachni/banner.rb +37 -0
  56. data/lib/arachni/bloom_filter.rb +74 -0
  57. data/lib/arachni/cache.rb +21 -0
  58. data/lib/arachni/cache/base.rb +170 -0
  59. data/lib/arachni/cache/least_cost_replacement.rb +89 -0
  60. data/lib/arachni/cache/least_recently_used.rb +73 -0
  61. data/lib/arachni/cache/random_replacement.rb +52 -0
  62. data/lib/arachni/component/manager.rb +391 -0
  63. data/lib/arachni/component/options.rb +38 -0
  64. data/lib/arachni/component/options/address.rb +41 -0
  65. data/lib/arachni/component/options/base.rb +126 -0
  66. data/lib/arachni/component/options/bool.rb +55 -0
  67. data/lib/arachni/component/options/enum.rb +51 -0
  68. data/lib/arachni/component/options/float.rb +45 -0
  69. data/lib/arachni/component/options/int.rb +44 -0
  70. data/lib/arachni/component/options/path.rb +36 -0
  71. data/lib/arachni/component/options/port.rb +37 -0
  72. data/lib/arachni/component/options/string.rb +44 -0
  73. data/lib/arachni/component/options/url.rb +42 -0
  74. data/lib/arachni/crypto/rsa_aes_cbc.rb +14 -8
  75. data/lib/arachni/database.rb +4 -4
  76. data/lib/arachni/database/base.rb +14 -8
  77. data/lib/arachni/database/hash.rb +21 -12
  78. data/lib/arachni/database/queue.rb +15 -9
  79. data/lib/arachni/element/base.rb +147 -0
  80. data/lib/arachni/element/capabilities/auditable.rb +623 -0
  81. data/lib/arachni/element/capabilities/auditable/rdiff.rb +243 -0
  82. data/lib/arachni/element/capabilities/auditable/taint.rb +141 -0
  83. data/lib/arachni/element/capabilities/auditable/timeout.rb +330 -0
  84. data/lib/arachni/element/capabilities/body.rb +19 -0
  85. data/lib/arachni/element/capabilities/mutable.rb +286 -0
  86. data/lib/arachni/element/capabilities/path.rb +19 -0
  87. data/lib/arachni/element/capabilities/refreshable.rb +48 -0
  88. data/lib/arachni/element/capabilities/server.rb +19 -0
  89. data/lib/arachni/element/cookie.rb +1043 -0
  90. data/lib/arachni/element/form.rb +1364 -0
  91. data/lib/arachni/element/header.rb +87 -0
  92. data/lib/arachni/element/link.rb +227 -0
  93. data/lib/arachni/exceptions.rb +12 -34
  94. data/lib/arachni/framework.rb +345 -436
  95. data/lib/arachni/http.rb +445 -409
  96. data/lib/arachni/http/cookie_jar.rb +163 -0
  97. data/lib/arachni/issue.rb +102 -65
  98. data/lib/arachni/mixins/observable.rb +25 -28
  99. data/lib/arachni/mixins/progress_bar.rb +11 -5
  100. data/lib/arachni/mixins/terminal.rb +17 -11
  101. data/lib/arachni/module.rb +4 -4
  102. data/lib/arachni/module/auditor.rb +270 -793
  103. data/lib/arachni/module/base.rb +107 -101
  104. data/lib/arachni/module/element_db.rb +54 -59
  105. data/lib/arachni/module/key_filler.rb +35 -35
  106. data/lib/arachni/module/manager.rb +178 -68
  107. data/lib/arachni/module/output.rb +25 -30
  108. data/lib/arachni/module/trainer.rb +85 -156
  109. data/lib/arachni/module/utilities.rb +29 -138
  110. data/lib/arachni/options.rb +496 -162
  111. data/lib/arachni/page.rb +186 -0
  112. data/lib/arachni/parser.rb +392 -2
  113. data/lib/arachni/plugin.rb +4 -4
  114. data/lib/arachni/plugin/base.rb +113 -44
  115. data/lib/arachni/plugin/manager.rb +120 -54
  116. data/lib/arachni/report.rb +4 -4
  117. data/lib/arachni/report/base.rb +59 -44
  118. data/lib/arachni/report/manager.rb +33 -32
  119. data/lib/arachni/rpc/client.rb +2 -0
  120. data/lib/arachni/rpc/client/base.rb +31 -18
  121. data/lib/arachni/rpc/client/dispatcher.rb +24 -11
  122. data/lib/arachni/rpc/client/instance.rb +24 -11
  123. data/lib/arachni/rpc/server/base.rb +12 -9
  124. data/lib/arachni/rpc/server/dispatcher.rb +161 -164
  125. data/lib/arachni/rpc/server/dispatcher/handler.rb +164 -0
  126. data/lib/arachni/rpc/server/{node.rb → dispatcher/node.rb} +86 -104
  127. data/lib/arachni/rpc/server/distributor.rb +432 -0
  128. data/lib/arachni/rpc/server/framework.rb +266 -758
  129. data/lib/arachni/rpc/server/instance.rb +38 -53
  130. data/lib/arachni/rpc/server/module/manager.rb +17 -20
  131. data/lib/arachni/rpc/server/output.rb +73 -179
  132. data/lib/arachni/rpc/server/plugin/manager.rb +58 -24
  133. data/lib/arachni/ruby.rb +6 -4
  134. data/lib/arachni/ruby/array.rb +30 -9
  135. data/lib/arachni/ruby/enumerable.rb +29 -0
  136. data/lib/arachni/ruby/object.rb +47 -12
  137. data/lib/arachni/ruby/string.rb +69 -24
  138. data/lib/arachni/ruby/webrick.rb +31 -0
  139. data/lib/arachni/session.rb +279 -0
  140. data/lib/arachni/spider.rb +295 -149
  141. data/lib/arachni/typhoeus/hydra.rb +18 -4
  142. data/lib/arachni/typhoeus/request.rb +52 -65
  143. data/lib/arachni/typhoeus/response.rb +62 -22
  144. data/lib/arachni/typhoeus/utils.rb +25 -0
  145. data/lib/arachni/ui/cli/cli.rb +331 -298
  146. data/lib/arachni/ui/cli/output.rb +105 -77
  147. data/lib/arachni/ui/foo/output.rb +116 -0
  148. data/lib/arachni/ui/rpc/dispatcher_monitor.rb +5 -12
  149. data/lib/arachni/ui/rpc/rpc.rb +43 -48
  150. data/lib/arachni/ui/web/addon_manager.rb +18 -13
  151. data/lib/arachni/ui/web/addons/sample.rb +14 -8
  152. data/lib/arachni/ui/web/addons/scheduler.rb +14 -8
  153. data/lib/arachni/ui/web/addons/scheduler/views/index.erb +1 -1
  154. data/lib/arachni/ui/web/addons/scheduler/views/options.erb +0 -3
  155. data/lib/arachni/ui/web/dispatcher_manager.rb +14 -9
  156. data/lib/arachni/ui/web/instance_manager.rb +14 -8
  157. data/lib/arachni/ui/web/log.rb +14 -10
  158. data/lib/arachni/ui/web/output_stream.rb +11 -5
  159. data/lib/arachni/ui/web/report_manager.rb +14 -10
  160. data/lib/arachni/ui/web/scheduler.rb +16 -11
  161. data/lib/arachni/ui/web/server.rb +62 -56
  162. data/lib/arachni/ui/web/server/public/style.css +1 -1
  163. data/lib/arachni/ui/web/server/views/addon.erb +1 -1
  164. data/lib/arachni/ui/web/server/views/dispatchers.erb +3 -3
  165. data/lib/arachni/ui/web/server/views/dispatchers_edit.erb +2 -2
  166. data/lib/arachni/ui/web/server/views/error.erb +1 -1
  167. data/lib/arachni/ui/web/server/views/home.erb +2 -2
  168. data/lib/arachni/ui/web/server/views/instance.erb +6 -6
  169. data/lib/arachni/ui/web/server/views/layout.erb +4 -4
  170. data/lib/arachni/ui/web/server/views/settings.erb +13 -8
  171. data/lib/arachni/ui/web/server/views/welcome.erb +1 -1
  172. data/lib/arachni/ui/web/utilities.rb +24 -35
  173. data/lib/arachni/uri.rb +619 -0
  174. data/lib/arachni/utilities.rb +316 -0
  175. data/lib/arachni/version.rb +12 -6
  176. data/lib/version +1 -0
  177. data/modules/audit/code_injection.rb +64 -81
  178. data/modules/audit/code_injection_timing.rb +57 -75
  179. data/modules/audit/csrf.rb +87 -185
  180. data/modules/audit/ldapi.rb +42 -67
  181. data/modules/audit/os_cmd_injection.rb +53 -71
  182. data/modules/audit/os_cmd_injection/payloads.txt +1 -1
  183. data/modules/audit/os_cmd_injection_timing.rb +54 -75
  184. data/modules/audit/os_cmd_injection_timing/payloads.txt +1 -3
  185. data/modules/audit/path_traversal.rb +84 -110
  186. data/modules/audit/response_splitting.rb +41 -53
  187. data/modules/audit/rfi.rb +68 -76
  188. data/modules/audit/session_fixation.rb +86 -0
  189. data/modules/audit/sqli.rb +51 -77
  190. data/modules/audit/sqli/regexp_ids.txt +5 -19
  191. data/modules/audit/sqli/regexp_ignore.txt +2 -0
  192. data/modules/audit/sqli_blind_rdiff.rb +51 -62
  193. data/modules/audit/sqli_blind_timing.rb +53 -73
  194. data/modules/audit/trainer.rb +21 -58
  195. data/modules/audit/unvalidated_redirect.rb +41 -51
  196. data/modules/audit/xpath.rb +38 -69
  197. data/modules/audit/xpath/errors.txt +2 -3
  198. data/modules/audit/xss.rb +65 -69
  199. data/modules/audit/xss_event.rb +50 -69
  200. data/modules/audit/xss_path.rb +63 -89
  201. data/modules/audit/xss_script_tag.rb +53 -66
  202. data/modules/audit/xss_tag.rb +46 -65
  203. data/modules/audit/xss_uri.rb +22 -24
  204. data/modules/recon/allowed_methods.rb +46 -62
  205. data/modules/recon/backdoors.rb +39 -66
  206. data/modules/recon/backup_files.rb +49 -79
  207. data/modules/recon/common_directories.rb +39 -63
  208. data/modules/recon/common_directories/directories.txt +0 -5
  209. data/modules/recon/common_files.rb +34 -63
  210. data/modules/recon/directory_listing.rb +66 -116
  211. data/modules/recon/grep/captcha.rb +34 -41
  212. data/modules/recon/grep/credit_card.rb +57 -68
  213. data/modules/recon/grep/cvs_svn_users.rb +40 -50
  214. data/modules/recon/grep/emails.rb +34 -41
  215. data/modules/recon/grep/html_objects.rb +30 -33
  216. data/modules/recon/grep/http_only_cookies.rb +57 -0
  217. data/modules/recon/grep/insecure_cookies.rb +55 -0
  218. data/modules/recon/grep/mixed_resource.rb +93 -0
  219. data/modules/recon/grep/private_ip.rb +34 -32
  220. data/modules/recon/grep/ssn.rb +33 -31
  221. data/modules/recon/grep/unencrypted_password_forms.rb +84 -0
  222. data/modules/recon/htaccess_limit.rb +38 -54
  223. data/modules/recon/http_put.rb +48 -62
  224. data/modules/recon/interesting_responses.rb +77 -79
  225. data/modules/recon/webdav.rb +53 -79
  226. data/modules/recon/xst.rb +44 -63
  227. data/modules/test2.rb +46 -0
  228. data/path_extractors/anchors.rb +17 -15
  229. data/path_extractors/forms.rb +17 -15
  230. data/path_extractors/frames.rb +17 -18
  231. data/path_extractors/generic.rb +52 -55
  232. data/path_extractors/links.rb +16 -14
  233. data/path_extractors/meta_refresh.rb +33 -18
  234. data/path_extractors/scripts.rb +17 -15
  235. data/plugins/autologin.rb +60 -85
  236. data/plugins/beep_notify.rb +25 -27
  237. data/plugins/cookie_collector.rb +28 -45
  238. data/plugins/defaults/autothrottle.rb +43 -51
  239. data/plugins/defaults/content_types.rb +63 -52
  240. data/plugins/defaults/healthmap.rb +45 -62
  241. data/plugins/defaults/{metamodules → meta}/remedies/discovery.rb +34 -69
  242. data/plugins/defaults/meta/remedies/manual_verification.rb +61 -0
  243. data/plugins/defaults/meta/remedies/timing_attacks.rb +108 -0
  244. data/plugins/defaults/meta/uniformity.rb +81 -0
  245. data/plugins/defaults/profiler.rb +68 -115
  246. data/plugins/defaults/resolver.rb +33 -28
  247. data/plugins/email_notify.rb +60 -62
  248. data/plugins/form_dicattack.rb +67 -121
  249. data/plugins/http_dicattack.rb +51 -65
  250. data/plugins/libnotify.rb +37 -41
  251. data/plugins/proxy.rb +407 -152
  252. data/plugins/proxy/panel/403_forbidden.html.erb +11 -0
  253. data/plugins/proxy/panel/404_not_found.html.erb +6 -0
  254. data/plugins/proxy/panel/css/bootstrap.min.css +9 -0
  255. data/plugins/proxy/panel/css/panel.css +30 -0
  256. data/plugins/proxy/panel/help.html.erb +66 -0
  257. data/plugins/proxy/panel/img/glyphicons-halflings-white.png +0 -0
  258. data/plugins/proxy/panel/img/glyphicons-halflings.png +0 -0
  259. data/plugins/proxy/panel/img/record.png +0 -0
  260. data/plugins/proxy/panel/inspect.html.erb +7 -0
  261. data/plugins/proxy/panel/js/bootstrap.min.js +6 -0
  262. data/plugins/proxy/panel/js/jquery.min.js +2 -0
  263. data/plugins/proxy/panel/js/panel.js +39 -0
  264. data/plugins/proxy/panel/layout.html.erb +25 -0
  265. data/plugins/proxy/panel/page_accordion.html.erb +67 -0
  266. data/plugins/proxy/panel/page_twin_accordion.html.erb +18 -0
  267. data/plugins/proxy/panel/panel.html.erb +63 -0
  268. data/plugins/proxy/panel/shutdown_message.html.erb +7 -0
  269. data/plugins/proxy/panel/verify_login_check.html.erb +31 -0
  270. data/plugins/proxy/panel/verify_login_final.html.erb +26 -0
  271. data/plugins/proxy/panel/verify_login_sequence.html.erb +45 -0
  272. data/plugins/proxy/server.rb +175 -47
  273. data/plugins/proxy/ssl-interceptor-cert.pem +34 -0
  274. data/plugins/proxy/ssl-interceptor-pkey.pem +51 -0
  275. data/plugins/rescan.rb +27 -28
  276. data/plugins/script.rb +53 -0
  277. data/plugins/vector_feed.rb +226 -0
  278. data/plugins/waf_detector.rb +70 -73
  279. data/reports/afr.rb +23 -24
  280. data/reports/ap.rb +25 -36
  281. data/reports/html.rb +109 -163
  282. data/reports/html/default.erb +13 -12
  283. data/reports/html/default/configuration.erb +21 -21
  284. data/reports/html/default/css/main.css +350 -350
  285. data/reports/html/default/issues.erb +1 -1
  286. data/reports/html/default/js/charts.js +2 -2
  287. data/reports/html/default/js/helpers.js +0 -42
  288. data/reports/html/default/js/init.js +0 -1
  289. data/reports/html/default/sitemap.erb +2 -2
  290. data/reports/html/default/summary.erb +4 -4
  291. data/reports/html/default/summary_issue.erb +1 -1
  292. data/reports/json.rb +26 -28
  293. data/reports/marshal.rb +23 -25
  294. data/reports/metareport.rb +65 -98
  295. data/reports/plugin_formatters/html/autologin.rb +34 -41
  296. data/reports/plugin_formatters/html/content_types.rb +46 -52
  297. data/reports/plugin_formatters/html/cookie_collector.rb +41 -47
  298. data/reports/plugin_formatters/html/discovery.rb +36 -41
  299. data/reports/plugin_formatters/html/form_dicattack.rb +28 -34
  300. data/reports/plugin_formatters/html/healthmap.rb +48 -55
  301. data/reports/plugin_formatters/html/http_dicattack.rb +28 -34
  302. data/reports/plugin_formatters/html/profiler.rb +26 -30
  303. data/reports/plugin_formatters/html/profiler/template.erb +7 -7
  304. data/reports/plugin_formatters/html/resolver.rb +44 -52
  305. data/reports/plugin_formatters/html/timing_attacks.rb +42 -44
  306. data/reports/plugin_formatters/html/uniformity.rb +37 -42
  307. data/reports/plugin_formatters/html/waf_detector.rb +26 -34
  308. data/reports/plugin_formatters/stdout/autologin.rb +28 -40
  309. data/reports/plugin_formatters/stdout/content_types.rb +36 -53
  310. data/reports/plugin_formatters/stdout/cookie_collector.rb +28 -41
  311. data/reports/plugin_formatters/stdout/discovery.rb +27 -37
  312. data/reports/plugin_formatters/stdout/form_dicattack.rb +22 -35
  313. data/reports/plugin_formatters/stdout/healthmap.rb +40 -57
  314. data/reports/plugin_formatters/stdout/http_dicattack.rb +22 -36
  315. data/reports/plugin_formatters/stdout/profiler.rb +55 -74
  316. data/reports/plugin_formatters/stdout/resolver.rb +18 -34
  317. data/reports/plugin_formatters/stdout/timing_attacks.rb +27 -39
  318. data/reports/plugin_formatters/stdout/uniformity.rb +32 -44
  319. data/reports/plugin_formatters/stdout/waf_detector.rb +20 -32
  320. data/reports/plugin_formatters/xml/autologin.rb +27 -49
  321. data/reports/plugin_formatters/xml/content_types.rb +41 -66
  322. data/reports/plugin_formatters/xml/cookie_collector.rb +29 -49
  323. data/reports/plugin_formatters/xml/discovery.rb +23 -41
  324. data/reports/plugin_formatters/xml/form_dicattack.rb +22 -40
  325. data/reports/plugin_formatters/xml/healthmap.rb +44 -63
  326. data/reports/plugin_formatters/xml/http_dicattack.rb +22 -41
  327. data/reports/plugin_formatters/xml/profiler.rb +65 -89
  328. data/reports/plugin_formatters/xml/resolver.rb +21 -41
  329. data/reports/plugin_formatters/xml/timing_attacks.rb +27 -45
  330. data/reports/plugin_formatters/xml/uniformity.rb +36 -55
  331. data/reports/plugin_formatters/xml/waf_detector.rb +23 -42
  332. data/reports/stdout.rb +120 -121
  333. data/reports/txt.rb +29 -45
  334. data/reports/xml.rb +109 -148
  335. data/reports/xml/buffer.rb +66 -79
  336. data/reports/yaml.rb +26 -28
  337. data/rpcd_handlers/placeholder +0 -0
  338. data/spec/arachni/audit_store_spec.rb +223 -0
  339. data/spec/arachni/bloom_filter_spec.rb +76 -0
  340. data/spec/arachni/cache/base_spec.rb +275 -0
  341. data/spec/arachni/cache/least_cost_replacement_spec.rb +58 -0
  342. data/spec/arachni/cache/least_recently_used_spec.rb +91 -0
  343. data/spec/arachni/cache/random_replacement_spec.rb +43 -0
  344. data/spec/arachni/component/manager_spec.rb +448 -0
  345. data/spec/arachni/component/options/address_spec.rb +32 -0
  346. data/spec/arachni/component/options/base_spec.rb +105 -0
  347. data/spec/arachni/component/options/bool_spec.rb +67 -0
  348. data/spec/arachni/component/options/enum_spec.rb +51 -0
  349. data/spec/arachni/component/options/float_spec.rb +42 -0
  350. data/spec/arachni/component/options/int_spec.rb +46 -0
  351. data/spec/arachni/component/options/path_spec.rb +32 -0
  352. data/spec/arachni/component/options/port_spec.rb +38 -0
  353. data/spec/arachni/component/options/string_spec.rb +38 -0
  354. data/spec/arachni/component/options/url_spec.rb +36 -0
  355. data/spec/arachni/crypto/rsa_aes_cbc_spec.rb +31 -0
  356. data/spec/arachni/database/hash_spec.rb +217 -0
  357. data/spec/arachni/database/queue_spec.rb +52 -0
  358. data/spec/arachni/element/base_spec.rb +127 -0
  359. data/spec/arachni/element/body_spec.rb +9 -0
  360. data/spec/arachni/element/capabilities/auditable/rdiff_spec.rb +47 -0
  361. data/spec/arachni/element/capabilities/auditable/taint_spec.rb +110 -0
  362. data/spec/arachni/element/capabilities/auditable/timeout_spec.rb +107 -0
  363. data/spec/arachni/element/capabilities/mutable_spec.rb +261 -0
  364. data/spec/arachni/element/cookie_spec.rb +362 -0
  365. data/spec/arachni/element/form_spec.rb +668 -0
  366. data/spec/arachni/element/header_spec.rb +49 -0
  367. data/spec/arachni/element/link_spec.rb +220 -0
  368. data/spec/arachni/element/path_spec.rb +9 -0
  369. data/spec/arachni/element/server_spec.rb +9 -0
  370. data/spec/arachni/framework_spec.rb +860 -0
  371. data/spec/arachni/http/cookie_jar_spec.rb +267 -0
  372. data/spec/arachni/http_spec.rb +991 -0
  373. data/spec/arachni/issue_spec.rb +307 -0
  374. data/spec/arachni/mixins/observable_spec.rb +59 -0
  375. data/spec/arachni/mixins/progress_bar_spec.rb +41 -0
  376. data/spec/arachni/module/auditor_spec.rb +506 -0
  377. data/spec/arachni/module/element_db_spec.rb +131 -0
  378. data/spec/arachni/module/key_filler.rb +15 -0
  379. data/spec/arachni/module/manager_spec.rb +154 -0
  380. data/spec/arachni/module/trainer_spec.rb +102 -0
  381. data/spec/arachni/module/utilities_spec.rb +30 -0
  382. data/spec/arachni/module/utilities_spec/read_file.txt +3 -0
  383. data/spec/arachni/options_spec.rb +555 -0
  384. data/spec/arachni/page_spec.rb +290 -0
  385. data/spec/arachni/parser_spec.rb +508 -0
  386. data/spec/arachni/plugin/manager_spec.rb +174 -0
  387. data/spec/arachni/report/base_spec.rb +53 -0
  388. data/spec/arachni/report/manager_spec.rb +82 -0
  389. data/spec/arachni/rpc/client/base_spec.rb +157 -0
  390. data/spec/arachni/rpc/client/dispatcher_spec.rb +40 -0
  391. data/spec/arachni/rpc/client/instance_spec.rb +92 -0
  392. data/spec/arachni/rpc/server/base_spec.rb +40 -0
  393. data/spec/arachni/rpc/server/dispatcher/handler.rb +120 -0
  394. data/spec/arachni/rpc/server/dispatcher/node_spec.rb +220 -0
  395. data/spec/arachni/rpc/server/dispatcher_spec.rb +136 -0
  396. data/spec/arachni/rpc/server/distributor_spec.rb +628 -0
  397. data/spec/arachni/rpc/server/framework_hpg_spec.rb +321 -0
  398. data/spec/arachni/rpc/server/framework_simple_spec.rb +453 -0
  399. data/spec/arachni/rpc/server/instance_spec.rb +81 -0
  400. data/spec/arachni/rpc/server/modules/manager_spec.rb +79 -0
  401. data/spec/arachni/rpc/server/options_spec.rb +124 -0
  402. data/spec/arachni/rpc/server/output_spec.rb +238 -0
  403. data/spec/arachni/rpc/server/plugin/manager_spec.rb +86 -0
  404. data/spec/arachni/ruby/array_spec.rb +103 -0
  405. data/spec/arachni/ruby/enumerable_spec.rb +37 -0
  406. data/spec/arachni/ruby/object_spec.rb +38 -0
  407. data/spec/arachni/ruby/string_spec.rb +77 -0
  408. data/spec/arachni/ruby/webrick_spec.rb +15 -0
  409. data/spec/arachni/session_spec.rb +308 -0
  410. data/spec/arachni/spider_spec.rb +383 -0
  411. data/spec/arachni/typhoeus/hydra_spec.rb +14 -0
  412. data/spec/arachni/typhoeus/requrest_spec.rb +58 -0
  413. data/spec/arachni/typhoeus/response_spec.rb +78 -0
  414. data/spec/arachni/uri_spec.rb +462 -0
  415. data/spec/arachni/utilities_spec.rb +297 -0
  416. data/spec/fixtures/auditstore.afr +2959 -0
  417. data/spec/fixtures/cookies.txt +9 -0
  418. data/spec/fixtures/modules/test.rb +58 -0
  419. data/spec/fixtures/modules/test2.rb +46 -0
  420. data/spec/fixtures/modules/test3.rb +46 -0
  421. data/spec/fixtures/passwords.txt +17 -0
  422. data/spec/fixtures/plugins/bad.rb +46 -0
  423. data/spec/fixtures/plugins/defaults/default.rb +45 -0
  424. data/spec/fixtures/plugins/distributable.rb +42 -0
  425. data/spec/fixtures/plugins/loop.rb +32 -0
  426. data/spec/fixtures/plugins/wait.rb +34 -0
  427. data/spec/fixtures/plugins/with_options.rb +31 -0
  428. data/spec/fixtures/reports/base_spec/plugin_formatters/with_formatters/foobar.rb +21 -0
  429. data/spec/fixtures/reports/base_spec/with_formatters.rb +23 -0
  430. data/spec/fixtures/reports/base_spec/with_outfile.rb +24 -0
  431. data/spec/fixtures/reports/base_spec/without_outfile.rb +20 -0
  432. data/spec/fixtures/reports/manager_spec/afr.rb +21 -0
  433. data/spec/fixtures/reports/manager_spec/foo.rb +26 -0
  434. data/spec/fixtures/rescan.afr.tpl +145 -0
  435. data/spec/fixtures/rpcd_handlers/echo.rb +68 -0
  436. data/spec/fixtures/run_mod/body.rb +58 -0
  437. data/spec/fixtures/run_mod/cookies.rb +58 -0
  438. data/spec/fixtures/run_mod/empty.rb +58 -0
  439. data/spec/fixtures/run_mod/flch.rb +63 -0
  440. data/spec/fixtures/run_mod/forms.rb +58 -0
  441. data/spec/fixtures/run_mod/headers.rb +58 -0
  442. data/spec/fixtures/run_mod/links.rb +58 -0
  443. data/spec/fixtures/run_mod/nil.rb +57 -0
  444. data/spec/fixtures/run_mod/path.rb +58 -0
  445. data/spec/fixtures/run_mod/server.rb +58 -0
  446. data/spec/fixtures/script_plugin.rb +1 -0
  447. data/spec/fixtures/taint_module/taint.rb +48 -0
  448. data/spec/fixtures/usernames.txt +13 -0
  449. data/spec/fixtures/wait_module/wait.rb +48 -0
  450. data/spec/helpers/auditor.rb +9 -0
  451. data/spec/helpers/misc.rb +41 -0
  452. data/spec/helpers/processes.rb +112 -0
  453. data/spec/helpers/requires.rb +8 -0
  454. data/spec/helpers/server.rb +54 -0
  455. data/spec/logs/Dispatcher - 2752-13830.log +49 -0
  456. data/spec/logs/Dispatcher - 2766-8238.log +35 -0
  457. data/spec/logs/Dispatcher - 2808-9029.log +31 -0
  458. data/spec/logs/Dispatcher - 2854-8571.log +26 -0
  459. data/spec/logs/Dispatcher - 2888-10411.log +20 -0
  460. data/spec/logs/Dispatcher - 2922-14464.log +13 -0
  461. data/spec/logs/Dispatcher - 2957-15255.log +19 -0
  462. data/spec/logs/Dispatcher - 3216-14203.log +35 -0
  463. data/spec/logs/Dispatcher - 3305-8622.log +43 -0
  464. data/spec/logs/Dispatcher - 3340-15426.log +35 -0
  465. data/spec/logs/Dispatcher - 3399-12586.log +40 -0
  466. data/spec/logs/Dispatcher - 3433-14149.log +26 -0
  467. data/spec/logs/Dispatcher - 3582-6198.log +27 -0
  468. data/spec/logs/Dispatcher - 3616-11169.log +13 -0
  469. data/spec/logs/Dispatcher - 3849-9016.log +7 -0
  470. data/spec/logs/output_spec.log +4 -0
  471. data/spec/logs/placeholder +0 -0
  472. data/spec/modules/audit/code_injection_spec.rb +25 -0
  473. data/spec/modules/audit/code_injection_timing_spec.rb +24 -0
  474. data/spec/modules/audit/csrf_spec.rb +38 -0
  475. data/spec/modules/audit/ldapi_spec.rb +19 -0
  476. data/spec/modules/audit/os_cmd_injection_spec.rb +24 -0
  477. data/spec/modules/audit/os_cmd_injection_timing_spec.rb +24 -0
  478. data/spec/modules/audit/path_traversal_spec.rb +23 -0
  479. data/spec/modules/audit/response_splitting_spec.rb +19 -0
  480. data/spec/modules/audit/rfi_spec.rb +19 -0
  481. data/spec/modules/audit/session_fixation_spec.rb +23 -0
  482. data/spec/modules/audit/sqli_blind_rdiff_spec.rb +19 -0
  483. data/spec/modules/audit/sqli_blind_timing_spec.rb +23 -0
  484. data/spec/modules/audit/sqli_spec.rb +24 -0
  485. data/spec/modules/audit/trainer_spec.rb +25 -0
  486. data/spec/modules/audit/unvalidated_redirect_spec.rb +24 -0
  487. data/spec/modules/audit/xpath_spec.rb +25 -0
  488. data/spec/modules/audit/xss_event_spec.rb +19 -0
  489. data/spec/modules/audit/xss_path_spec.rb +19 -0
  490. data/spec/modules/audit/xss_script_tag_spec.rb +19 -0
  491. data/spec/modules/audit/xss_spec.rb +24 -0
  492. data/spec/modules/audit/xss_tag_spec.rb +19 -0
  493. data/spec/modules/recon/allowed_methods_spec.rb +19 -0
  494. data/spec/modules/recon/backdoors_spec.rb +19 -0
  495. data/spec/modules/recon/backup_files_spec.rb +19 -0
  496. data/spec/modules/recon/common_directories_spec.rb +19 -0
  497. data/spec/modules/recon/common_files_spec.rb +19 -0
  498. data/spec/modules/recon/directory_listing_spec.rb +19 -0
  499. data/spec/modules/recon/grep/captcha_spec.rb +19 -0
  500. data/spec/modules/recon/grep/credit_card_spec.rb +19 -0
  501. data/spec/modules/recon/grep/cvs_svn_users_spec.rb +19 -0
  502. data/spec/modules/recon/grep/emails_spec.rb +19 -0
  503. data/spec/modules/recon/grep/html_objects_spec.rb +19 -0
  504. data/spec/modules/recon/grep/http_only_cookies_spec.rb +19 -0
  505. data/spec/modules/recon/grep/insecure_cookies_spec.rb +19 -0
  506. data/spec/modules/recon/grep/mixed_resource_spec.rb +20 -0
  507. data/spec/modules/recon/grep/private_ip_spec.rb +26 -0
  508. data/spec/modules/recon/grep/ssn_spec.rb +19 -0
  509. data/spec/modules/recon/grep/unencrypted_password_forms_spec.rb +19 -0
  510. data/spec/modules/recon/htaccess_limit_spec.rb +19 -0
  511. data/spec/modules/recon/http_put_spec.rb +19 -0
  512. data/spec/modules/recon/interesting_responses_spec.rb +27 -0
  513. data/spec/modules/recon/webdav_spec.rb +19 -0
  514. data/spec/modules/recon/xst_spec.rb +19 -0
  515. data/spec/path_extractors/anchors_spec.rb +19 -0
  516. data/spec/path_extractors/forms_spec.rb +19 -0
  517. data/spec/path_extractors/frames_spec.rb +20 -0
  518. data/spec/path_extractors/generic_spec.rb +28 -0
  519. data/spec/path_extractors/links_spec.rb +19 -0
  520. data/spec/path_extractors/meta_refresh_spec.rb +24 -0
  521. data/spec/path_extractors/scripts_spec.rb +19 -0
  522. data/spec/pems/cacert.pem +39 -0
  523. data/spec/pems/client/cert.pem +39 -0
  524. data/spec/pems/client/foo-cert.pem +39 -0
  525. data/spec/pems/client/foo-key.pem +51 -0
  526. data/spec/pems/client/key.pem +51 -0
  527. data/spec/pems/server/cert.pem +39 -0
  528. data/spec/pems/server/key.pem +51 -0
  529. data/spec/plugins/autologin_spec.rb +76 -0
  530. data/spec/plugins/autothrottle_spec.rb +45 -0
  531. data/spec/plugins/content_types_spec.rb +93 -0
  532. data/spec/plugins/cookie_collector_spec.rb +32 -0
  533. data/spec/plugins/form_dicattack_spec.rb +60 -0
  534. data/spec/plugins/healthmap_spec.rb +40 -0
  535. data/spec/plugins/http_dicattack_spec.rb +40 -0
  536. data/spec/plugins/meta/remedies/discovery_spec.rb +15 -0
  537. data/spec/plugins/meta/remedies/manual_verification_spec.rb +28 -0
  538. data/spec/plugins/meta/remedies/timing_attacks_spec.rb +30 -0
  539. data/spec/plugins/meta/uniformity_spec.rb +83 -0
  540. data/spec/plugins/profiler_spec.rb +82 -0
  541. data/spec/plugins/rescan_spec.rb +26 -0
  542. data/spec/plugins/resolver_spec.rb +16 -0
  543. data/spec/plugins/script_spec.rb +12 -0
  544. data/spec/plugins/vector_feed_spec.rb +155 -0
  545. data/spec/plugins/waf_detector_spec.rb +41 -0
  546. data/spec/reports/afr_spec.rb +13 -0
  547. data/spec/reports/ap_spec.rb +9 -0
  548. data/spec/reports/html_spec.rb +13 -0
  549. data/spec/reports/json_spec.rb +17 -0
  550. data/spec/reports/marshal_spec.rb +13 -0
  551. data/spec/reports/stdout_spec.rb +9 -0
  552. data/spec/reports/txt_spec.rb +8 -0
  553. data/spec/reports/xml_spec.rb +13 -0
  554. data/spec/reports/yaml_spec.rb +13 -0
  555. data/spec/servers/arachni/element/capabilities/auditable/rdiff.rb +36 -0
  556. data/spec/servers/arachni/element/capabilities/auditable/taint.rb +10 -0
  557. data/spec/servers/arachni/element/capabilities/auditable/timeout.rb +30 -0
  558. data/spec/servers/arachni/element/cookie.rb +37 -0
  559. data/spec/servers/arachni/element/form.rb +93 -0
  560. data/spec/servers/arachni/element/header.rb +22 -0
  561. data/spec/servers/arachni/element/link.rb +26 -0
  562. data/spec/servers/arachni/framework.rb +54 -0
  563. data/spec/servers/arachni/http.rb +140 -0
  564. data/spec/servers/arachni/http_auth.rb +9 -0
  565. data/spec/servers/arachni/module/auditor.rb +135 -0
  566. data/spec/servers/arachni/module/trainer.rb +40 -0
  567. data/spec/servers/arachni/parser.rb +70 -0
  568. data/spec/servers/arachni/rpc/server/framework_hpg.rb +21 -0
  569. data/spec/servers/arachni/rpc/server/framework_simple.rb +30 -0
  570. data/spec/servers/arachni/session.rb +110 -0
  571. data/spec/servers/arachni/spider.rb +148 -0
  572. data/spec/servers/modules/audit/code_injection.rb +140 -0
  573. data/spec/servers/modules/audit/code_injection_timing.rb +110 -0
  574. data/spec/servers/modules/audit/csrf.rb +80 -0
  575. data/spec/servers/modules/audit/ldapi.rb +73 -0
  576. data/spec/servers/modules/audit/os_cmd_injection.rb +140 -0
  577. data/spec/servers/modules/audit/os_cmd_injection_timing.rb +111 -0
  578. data/spec/servers/modules/audit/path_traversal.rb +176 -0
  579. data/spec/servers/modules/audit/response_splitting.rb +114 -0
  580. data/spec/servers/modules/audit/rfi.rb +113 -0
  581. data/spec/servers/modules/audit/session_fixation.rb +87 -0
  582. data/spec/servers/modules/audit/sqli.rb +118 -0
  583. data/spec/servers/modules/audit/sqli/coldfusion +1 -0
  584. data/spec/servers/modules/audit/sqli/db2 +4 -0
  585. data/spec/servers/modules/audit/sqli/emc +2 -0
  586. data/spec/servers/modules/audit/sqli/informix +3 -0
  587. data/spec/servers/modules/audit/sqli/interbase +2 -0
  588. data/spec/servers/modules/audit/sqli/jdbc +0 -0
  589. data/spec/servers/modules/audit/sqli/mssql +26 -0
  590. data/spec/servers/modules/audit/sqli/mysql +13 -0
  591. data/spec/servers/modules/audit/sqli/oracle +6 -0
  592. data/spec/servers/modules/audit/sqli/postgresql +7 -0
  593. data/spec/servers/modules/audit/sqli/sqlite +4 -0
  594. data/spec/servers/modules/audit/sqli/sybase +0 -0
  595. data/spec/servers/modules/audit/sqli_blind_rdiff.rb +74 -0
  596. data/spec/servers/modules/audit/sqli_blind_timing.rb +121 -0
  597. data/spec/servers/modules/audit/trainer_module.rb +160 -0
  598. data/spec/servers/modules/audit/unvalidated_redirect.rb +115 -0
  599. data/spec/servers/modules/audit/xpath.rb +111 -0
  600. data/spec/servers/modules/audit/xpath/dotnet +5 -0
  601. data/spec/servers/modules/audit/xpath/general +13 -0
  602. data/spec/servers/modules/audit/xpath/java +3 -0
  603. data/spec/servers/modules/audit/xpath/libxml2 +2 -0
  604. data/spec/servers/modules/audit/xpath/php +2 -0
  605. data/spec/servers/modules/audit/xss.rb +152 -0
  606. data/spec/servers/modules/audit/xss_event.rb +80 -0
  607. data/spec/servers/modules/audit/xss_path.rb +44 -0
  608. data/spec/servers/modules/audit/xss_script_tag.rb +73 -0
  609. data/spec/servers/modules/audit/xss_tag.rb +139 -0
  610. data/spec/servers/modules/module_server.rb +14 -0
  611. data/spec/servers/modules/recon/allowed_methods.rb +5 -0
  612. data/spec/servers/modules/recon/backdoors.rb +4 -0
  613. data/spec/servers/modules/recon/backup_files.rb +28 -0
  614. data/spec/servers/modules/recon/common_directories.rb +6 -0
  615. data/spec/servers/modules/recon/common_files.rb +6 -0
  616. data/spec/servers/modules/recon/directory_listing.rb +30 -0
  617. data/spec/servers/modules/recon/grep/captcha.rb +27 -0
  618. data/spec/servers/modules/recon/grep/credit_card.rb +28 -0
  619. data/spec/servers/modules/recon/grep/cvs_svn_users.rb +23 -0
  620. data/spec/servers/modules/recon/grep/emails.rb +21 -0
  621. data/spec/servers/modules/recon/grep/html_objects.rb +7 -0
  622. data/spec/servers/modules/recon/grep/http_only_cookies.rb +21 -0
  623. data/spec/servers/modules/recon/grep/insecure_cookies.rb +21 -0
  624. data/spec/servers/modules/recon/grep/mixed_resource.rb +83 -0
  625. data/spec/servers/modules/recon/grep/private_ip.rb +18 -0
  626. data/spec/servers/modules/recon/grep/ssn.rb +5 -0
  627. data/spec/servers/modules/recon/grep/unencrypted_password_forms.rb +33 -0
  628. data/spec/servers/modules/recon/htaccess_limit.rb +8 -0
  629. data/spec/servers/modules/recon/http_put.rb +7 -0
  630. data/spec/servers/modules/recon/interesting_responses.rb +5 -0
  631. data/spec/servers/modules/recon/webdav.rb +25 -0
  632. data/spec/servers/modules/recon/xst.rb +6 -0
  633. data/spec/servers/plugins/autologin.rb +38 -0
  634. data/spec/servers/plugins/autothrottle.rb +8 -0
  635. data/spec/servers/plugins/content_types.rb +17 -0
  636. data/spec/servers/plugins/cookie_collector.rb +20 -0
  637. data/spec/servers/plugins/form_dicattack.rb +28 -0
  638. data/spec/servers/plugins/healthmap.rb +16 -0
  639. data/spec/servers/plugins/http_dicattack.rb +9 -0
  640. data/spec/servers/plugins/http_dicattack_secure.rb +9 -0
  641. data/spec/servers/plugins/http_dicattack_unprotected.rb +5 -0
  642. data/spec/servers/plugins/meta/remedies/discovery.rb +7 -0
  643. data/spec/servers/plugins/meta/remedies/timing_attacks.rb +29 -0
  644. data/spec/servers/plugins/profiler.rb +82 -0
  645. data/spec/servers/plugins/rescan.rb +31 -0
  646. data/spec/servers/plugins/waf_detector.rb +33 -0
  647. data/spec/shared/component.rb +43 -0
  648. data/spec/shared/element/capabilities/auditable.rb +729 -0
  649. data/spec/shared/element/capabilities/refreshable.rb +56 -0
  650. data/spec/shared/module.rb +162 -0
  651. data/spec/shared/path_extractor.rb +47 -0
  652. data/spec/shared/plugin.rb +50 -0
  653. data/spec/shared/reports.rb +47 -0
  654. data/spec/spec_helper.rb +53 -0
  655. metadata +870 -323
  656. data/extras/modules/recon/raft_dirs.rb +0 -108
  657. data/extras/modules/recon/raft_dirs/raft-large-directories.txt +0 -62290
  658. data/extras/modules/recon/raft_files.rb +0 -110
  659. data/extras/modules/recon/raft_files/raft-large-files.txt +0 -37037
  660. data/extras/modules/recon/svn_digger_dirs.rb +0 -108
  661. data/extras/modules/recon/svn_digger_dirs/Licence.txt +0 -674
  662. data/extras/modules/recon/svn_digger_dirs/ReadMe-Arachni.txt +0 -4
  663. data/extras/modules/recon/svn_digger_dirs/ReadMe.txt +0 -6
  664. data/extras/modules/recon/svn_digger_dirs/all-dirs.txt +0 -5960
  665. data/extras/modules/recon/svn_digger_files.rb +0 -114
  666. data/extras/modules/recon/svn_digger_files/Licence.txt +0 -674
  667. data/extras/modules/recon/svn_digger_files/ReadMe-Arachni.txt +0 -4
  668. data/extras/modules/recon/svn_digger_files/ReadMe.txt +0 -6
  669. data/extras/modules/recon/svn_digger_files/all-extensionless.txt +0 -25419
  670. data/extras/modules/recon/svn_digger_files/all.txt +0 -43135
  671. data/lib/arachni/component_manager.rb +0 -293
  672. data/lib/arachni/component_options.rb +0 -425
  673. data/lib/arachni/parser/auditable.rb +0 -606
  674. data/lib/arachni/parser/elements.rb +0 -315
  675. data/lib/arachni/parser/page.rb +0 -168
  676. data/lib/arachni/parser/parser.rb +0 -866
  677. data/lib/arachni/rpc/server/options.rb +0 -95
  678. data/lib/arachni/ui/web/addons/autodeploy.rb +0 -207
  679. data/lib/arachni/ui/web/addons/autodeploy/lib/manager.rb +0 -398
  680. data/lib/arachni/ui/web/addons/autodeploy/views/index.erb +0 -291
  681. data/modules/recon/mixed_resource.rb +0 -100
  682. data/modules/recon/unencrypted_password_forms.rb +0 -107
  683. data/path_extractors/sitemap.rb +0 -31
  684. data/plugins/defaults/metamodules/remedies/manual_verification.rb +0 -65
  685. data/plugins/defaults/metamodules/remedies/timing_attacks.rb +0 -134
  686. data/plugins/defaults/metamodules/uniformity.rb +0 -99
  687. data/reports/metareport/arachni_metareport.rb +0 -174
  688. data/reports/plugin_formatters/stdout/metamodules.rb +0 -82
@@ -0,0 +1,82 @@
1
+ require 'sinatra'
2
+ require 'sinatra/contrib'
3
+
4
+ def get_variations( str )
5
+ cookies['stuff'] = str
6
+ headers 'My-Header' => str
7
+
8
+ <<-HTML
9
+ #{str}
10
+
11
+ <a href='/?name=#{str}'>Stuff</a>
12
+
13
+ <form name='form_name'>
14
+ <input name='blah' value='#{str}' />
15
+ </form>
16
+ HTML
17
+ end
18
+
19
+ get '/' do
20
+ <<-HTML
21
+ <a href="/link?input=default">Link</a>
22
+ <a href="/form">Form</a>
23
+ <a href="/cookie">Cookie</a>
24
+ <a href="/header">Header</a>
25
+ HTML
26
+ end
27
+
28
+ get "/link" do
29
+ <<-HTML
30
+ <a href="/link/append?input=default">Link</a>
31
+ HTML
32
+ end
33
+
34
+ get "/link/append" do
35
+ default = 'default'
36
+ return if !params['input'].start_with?( default )
37
+
38
+ get_variations( params['input'].split( default ).last )
39
+ end
40
+
41
+ get "/form" do
42
+ <<-HTML
43
+ <form method='post' name='myform' action="/form/append">
44
+ <input name='input' value='default' />
45
+ </form>
46
+ HTML
47
+ end
48
+
49
+ post "/form/append" do
50
+ default = 'default'
51
+ return if !params['input'] || !params['input'].start_with?( default )
52
+
53
+ get_variations( params['input'].split( default ).last )
54
+ end
55
+
56
+
57
+ get "/cookie" do
58
+ <<-HTML
59
+ <a href="/cookie/append">Cookie</a>
60
+ HTML
61
+ end
62
+
63
+ get "/cookie/append" do
64
+ default = 'cookie value'
65
+ cookies['cookie2'] ||= default
66
+ return if !cookies['cookie2'].start_with?( default )
67
+
68
+ get_variations( cookies['cookie2'].split( default ).last )
69
+ end
70
+
71
+ get "/header" do
72
+ <<-HTML
73
+ <a href="/header/append">Header</a>
74
+ HTML
75
+ end
76
+
77
+ get "/header/append" do
78
+ default = 'arachni_user'
79
+ return if !env['HTTP_USER_AGENT'] || !env['HTTP_USER_AGENT'].start_with?( default )
80
+
81
+ get_variations( env['HTTP_USER_AGENT'].split( default ).last )
82
+ end
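Review bot: The `/link/append` handler calls `params['input'].start_with?( default )` without checking that the parameter is present, so a request with no `input` raises NoMethodError and comes back as a 500, while `/form/append` and `/header/append` both guard for nil first. Use the same guard there: `return if !params['input'] || !params['input'].start_with?( default )`. Separately, `split( default ).last` is nil when the value equals the default exactly, so `get_variations` is then handed nil for the cookie and the `My-Header` value. Passing `.to_s` of that result would keep the path well-defined.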
@@ -0,0 +1,31 @@
1
+ require 'sinatra'
2
+
3
+ get '/' do
4
+ <<HTML
5
+ <a href='/1'></a>
6
+ <a href='/2'></a>
7
+ HTML
8
+ end
9
+
10
+ get '/2' do
11
+ <<HTML
12
+ <a href='/3'></a>
13
+ <a href='/4'></a>
14
+ HTML
15
+ end
16
+
17
+ get '/3' do
18
+ <<HTML
19
+ <a href='/5'></a>
20
+ HTML
21
+ end
22
+
23
+ get '/4' do
24
+ <<HTML
25
+ <a href='/6?input=d'></a>
26
+ HTML
27
+ end
28
+
29
+ get '/6' do
30
+ params['input']
31
+ end
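Review bot: The `/6` handler returns `params['input']` verbatim and nothing in the file says this is intended. A one-line comment above `get '/6'`, such as `# Deliberately echoes the parameter unescaped so the scanner has something to find; test fixture only.`, would stop the pattern being copied into a real handler. The same comment belongs on `get_variations` in the preceding fixture, which interpolates `str` into HTML, a cookie and a response header. These servers presumably run only during the spec suite; whatever starts them is not visible here, so it is worth confirming that it binds them to loopback.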
@@ -0,0 +1,33 @@
1
+ require 'sinatra'
2
+
3
+ def normal_response
4
+ 'Usual response...normal stuff'
5
+ end
6
+
7
+ def rejected
8
+ 'Piss off!'
9
+ end
10
+
11
+ def random
12
+ (0..100).map{ rand( 9999 ).to_s }.join
13
+ end
14
+
15
+ @@request_cnt ||= 0
16
+
17
+ get '/positive' do
18
+ params.to_s.include?( 'script' ) ? rejected : normal_response
19
+ end
20
+
21
+ get '/negative' do
22
+ normal_response
23
+ end
24
+
25
+ get '/inconclusive' do
26
+ @@request_cnt += 1
27
+
28
+ if params.empty?
29
+ normal_response
30
+ else
31
+ @@request_cnt % 2 == 0 ? rejected : normal_response
32
+ end
33
+ end
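Review bot: `@@request_cnt ||= 0` is a class-variable access from the top level, which Ruby has long warned about and which raises RuntimeError from Ruby 3.0 on. The `@@request_cnt += 1` and `@@request_cnt % 2` uses inside the `/inconclusive` block are affected too, because class variables resolve lexically. A plain holder avoids it: `REQUEST_CNT = { n: 0 }` with `REQUEST_CNT[:n] += 1`. The counter is also process-wide, so whether a given request is rejected depends on how many requests earlier examples sent; resetting it per example would make the alternation deterministic. `random` is defined but not used in this file.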
@@ -0,0 +1,43 @@
1
+ shared_examples_for "component" do
2
+
3
+ before( :all ) { Arachni::Options.reset }
4
+ after( :all ) { framework.reset }
5
+
6
+ def self.use_https
7
+ before( :all ) { options.url.gsub!( 'http', 'https' ) }
8
+ end
9
+
10
+ def name
11
+ self.class.description
12
+ end
13
+
14
+ def url
15
+ @url ||= server_url_for( name ) + '/'
16
+ rescue
17
+ raise "Could not find server for '#{name}' component."
18
+ end
19
+
20
+ def framework
21
+ @f ||= Arachni::Framework.new
22
+ end
23
+
24
+ def session
25
+ framework.session
26
+ end
27
+
28
+ def http
29
+ framework.http
30
+ end
31
+
32
+ def options
33
+ framework.opts
34
+ end
35
+
36
+ def yaml_load( yaml )
37
+ YAML.load yaml.gsub( '__URL__', url )
38
+ end
39
+
40
+ def run
41
+ framework.run
42
+ end
43
+ end
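Review bot: `yaml_load` passes its argument to `YAML.load`, which can instantiate arbitrary Ruby objects from the document. The `load` helper in the following `auditable` shared examples does the same with HTTP response bodies (`load( res.body )`). Where the Ruby/Psych version in use provides it, `YAML.safe_load( yaml.gsub( '__URL__', url ) )` is the safer call, since the specs only need hashes, arrays and strings back. In `use_https`, `options.url.gsub!( 'http', 'https' )` rewrites every occurrence of `http`, so a URL that is already https or has `http` in its path is corrupted; `options.url.sub!( /\Ahttp:/, 'https:' )` limits the change to the scheme. The bare `rescue` in `url` also discards the original error, so including its message in the raised string would help diagnose a missing server.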
@@ -0,0 +1,729 @@
1
+ shared_examples_for 'auditable' do |options = {}|
2
+
3
+ let( :auditable ) { described_class }
4
+ let( :opts ) do
5
+ {
6
+ single_input: false,
7
+ url: nil
8
+ }.merge( options )
9
+ end
10
+
11
+ def load( yaml )
12
+ YAML.load( yaml )
13
+ end
14
+
15
+ before :all do
16
+ @url = opts[:url]
17
+ @auditor = Auditor.new
18
+
19
+ @auditable = auditable.new( @url + '/submit', 'param' => 'val' )
20
+ @auditable.auditor = @auditor
21
+
22
+ @orphan = auditable.new( @url + '/submit', 'param' => 'val' )
23
+
24
+ # will sleep 2 secs before each response
25
+ @sleep = auditable.new( @url + '/sleep', 'param' => 'val' )
26
+ @sleep.auditor = @auditor
27
+
28
+ @orig = auditable.new( @url, 'param' => 'val' )
29
+
30
+ @seed = 'my_seed'
31
+ @default_input_value = @auditable.auditable['param']
32
+ end
33
+
34
+ describe '#has_inputs?' do
35
+ before do
36
+ @has_inputs = auditable.new( @url, { 'param' => 'val', 'param2' => 'val2' } )
37
+ @keys = @has_inputs.auditable.keys
38
+ @sym_keys = @keys.map( &:to_sym )
39
+
40
+ @non_existent_keys = @keys.map { |k| "#{k}1" }
41
+ @non_existent_sym_keys = @sym_keys.map { |k| "#{k}1".to_sym }
42
+ end
43
+ context 'when the given inputs are' do
44
+ context 'Variable arguments' do
45
+ context 'when it has the given inputs' do
46
+ it 'should return true' do
47
+ @keys.each do |k|
48
+ @has_inputs.has_inputs?( k.to_s.to_sym ).should be_true
49
+ @has_inputs.has_inputs?( k.to_s ).should be_true
50
+ end
51
+
52
+ @has_inputs.has_inputs?( *@sym_keys ).should be_true
53
+ @has_inputs.has_inputs?( *@keys ).should be_true
54
+ end
55
+ end
56
+ context 'when it does not have the given inputs' do
57
+ it 'should return false' do
58
+ @has_inputs.has_inputs?( *@non_existent_sym_keys ).should be_false
59
+ @has_inputs.has_inputs?( *@non_existent_keys ).should be_false
60
+
61
+ @has_inputs.has_inputs?( @non_existent_keys.first ).should be_false
62
+ end
63
+ end
64
+ end
65
+
66
+ context Array do
67
+ context 'when it has the given inputs' do
68
+ it 'should return true' do
69
+ @has_inputs.has_inputs?( @sym_keys ).should be_true
70
+ @has_inputs.has_inputs?( @keys ).should be_true
71
+ end
72
+ end
73
+ context 'when it does not have the given inputs' do
74
+ it 'should return false' do
75
+ @has_inputs.has_inputs?( @non_existent_sym_keys ).should be_false
76
+ @has_inputs.has_inputs?( @non_existent_keys ).should be_false
77
+ end
78
+ end
79
+ end
80
+
81
+ context Hash do
82
+ context 'when it has the given inputs (names and values)' do
83
+ it 'should return true' do
84
+ hash = @has_inputs.auditable.
85
+ inject( {} ) { |h, (k, v)| h[k] = v; h}
86
+
87
+ hash_sym = @has_inputs.auditable.
88
+ inject( {} ) { |h, (k, v)| h[k.to_sym] = v; h}
89
+
90
+ @has_inputs.has_inputs?( hash_sym ).should be_true
91
+ @has_inputs.has_inputs?( hash ).should be_true
92
+ end
93
+ end
94
+ context 'when it does not have the given inputs' do
95
+ it 'should return false' do
96
+ hash = @has_inputs.auditable.
97
+ inject( {} ) { |h, (k, v)| h[k] = "#{v}1"; h}
98
+
99
+ hash_sym = @has_inputs.auditable.
100
+ inject( {} ) { |h, (k, v)| h[k.to_sym] = "#{v}1"; h}
101
+
102
+ @has_inputs.has_inputs?( hash_sym ).should be_false
103
+ @has_inputs.has_inputs?( hash ).should be_false
104
+ end
105
+ end
106
+ end
107
+ end
108
+ end
109
+
110
+ describe '#auditable' do
111
+ it 'should return a frozen hash of auditable inputs' do
112
+ @auditable.auditable.should == { 'param' => 'val' }
113
+
114
+ raised = false
115
+ begin
116
+ @auditable.auditable['stuff'] = true
117
+ rescue
118
+ raised = true
119
+ end
120
+
121
+ @auditable.auditable.should == { 'param' => 'val' }
122
+
123
+ raised.should be_true
124
+ end
125
+ end
126
+
127
+ describe '#auditable=' do
128
+ it 'should assign a hash of auditable inputs' do
129
+ @auditable.auditable.should == { 'param' => 'val' }
130
+
131
+ a = @auditable.dup
132
+ a.auditable = { 'param1' => 'val1' }
133
+ a.auditable.should == { 'param1' => 'val1' }
134
+ a.should_not == @auditable
135
+ end
136
+
137
+ it 'should convert all inputs to strings' do
138
+ e = auditable.new( @url, { 'key' => nil } )
139
+ e.auditable.should == { 'key' => '' }
140
+ end
141
+ end
142
+
143
+ describe '#update' do
144
+ it 'should update the auditable inputs using the given hash and return self' do
145
+ a = @auditable.dup
146
+
147
+ updates = if opts[:single_input]
148
+ { 'param' => 'val1' }
149
+ else
150
+ { 'param' => 'val1', 'another_param' => 'val3' }
151
+ end
152
+ a.update( updates )
153
+
154
+ a.auditable.should == updates
155
+ a.hash.should_not == @auditable.hash
156
+
157
+ c = a.dup
158
+ cupdates = { 'param' => '' }
159
+ a.update( cupdates )
160
+ a.auditable.should == updates.merge( cupdates )
161
+ c.should_not == a
162
+
163
+ if !opts[:single_input]
164
+ c = a.dup
165
+ c.update( stuff: '1' ).update( other_stuff: '2' )
166
+ c['stuff'].should == '1'
167
+ c['other_stuff'].should == '2'
168
+ end
169
+ end
170
+
171
+ it 'should convert all inputs to strings' do
172
+ e = auditable.new( @url, 'key' => 'stuff' )
173
+ e.update( { 'key' => nil } )
174
+ e.auditable.should == { 'key' => '' }
175
+ end
176
+ end
177
+
178
+ describe '#changes' do
179
+ it 'should return the changes the inputs have sustained' do
180
+ if !opts[:single_input]
181
+ [
182
+ { 'param' => 'val1', 'another_param' => 'val3' },
183
+ { 'another_param' => 'val3' },
184
+ { 'new stuff' => 'houa!' },
185
+ { 'new stuff' => 'houa!' },
186
+ {}
187
+ ].each do |updates|
188
+ a = @auditable.dup
189
+ a.update( updates )
190
+ a.changes.should == updates
191
+ end
192
+ else
193
+ [
194
+ { 'param' => 'val1' },
195
+ { 'param' => 'val3' },
196
+ {}
197
+ ].each do |updates|
198
+ a = @auditable.dup
199
+ a.update( updates )
200
+ a.changes.should == updates
201
+ end
202
+ end
203
+ end
204
+ end
205
+
206
+ describe '#[]' do
207
+ it 'should serve as a reader to the #auditable hash' do
208
+ e = auditable.new( @url, { 'key' => 'stuff', 'key2' => 'val' } )
209
+ e['key'].should == 'stuff'
210
+ end
211
+ end
212
+
213
+ describe '#[]=' do
214
+ it 'should serve as a writer to the #auditable hash' do
215
+ e = auditable.new( @url, { 'key' => 'stuff', 'key2' => 'val' } )
216
+ h = e.hash
217
+
218
+ e['key'] = 'val2'
219
+
220
+ h.should_not == e.hash
221
+
222
+ e['key'].should == e.auditable['key']
223
+ e['key'].should == 'val2'
224
+ end
225
+ end
226
+
227
+ describe '#orig' do
228
+ it 'should be the same as auditable' do
229
+ @orig.orig.should == @orig.auditable
230
+ end
231
+ it 'should be frozen' do
232
+ orig_auditable = @orig.auditable.dup
233
+ is_frozen = false
234
+ begin
235
+ @orig.orig['ff'] = 'ffss'
236
+ rescue RuntimeError
237
+ is_frozen = true
238
+ end
239
+ is_frozen.should be_true
240
+ @orig.orig.should == orig_auditable
241
+ end
242
+ context 'when auditable has been modified' do
243
+ it 'should return original input name/vals' do
244
+ orig_auditable = @orig.auditable.dup
245
+ @orig.auditable = {}
246
+ @orig.orig.should == orig_auditable
247
+ @orig.auditable = orig_auditable.dup
248
+ end
249
+ end
250
+ it 'should be aliased to #original' do
251
+ @orig.orig.should == @orig.original
252
+ end
253
+ end
254
+
255
+ describe '#reset' do
256
+ it 'should return the auditable inputs to their original state' do
257
+ orig = @orig.auditable.dup
258
+ @orig.update( orig.keys.first => 'value' )
259
+ (@orig.auditable != orig).should be_true
260
+ @orig.reset
261
+ @orig.auditable.should == orig
262
+ end
263
+ end
264
+
265
+ describe '#remove_auditor' do
266
+ it 'should remove the auditor' do
267
+ @orig.auditor = :some_auditor
268
+ @orig.auditor.should == :some_auditor
269
+ @orig.remove_auditor
270
+ @orig.auditor.should be_nil
271
+ end
272
+ end
273
+
274
+ describe '#orphan?' do
275
+ context 'when it has no auditor' do
276
+ it 'should return true' do
277
+ @orphan.orphan?.should be_true
278
+ end
279
+ end
280
+ context 'when it has an auditor' do
281
+ it 'should return true' do
282
+ @auditable.orphan?.should be_false
283
+ end
284
+ end
285
+ end
286
+
287
+ describe '#submit' do
288
+ it 'should submit the element along with its auditable inputs' do
289
+ submitted = nil
290
+
291
+ @auditable.submit do |res|
292
+ submitted = load( res.body )
293
+ end
294
+
295
+ @auditor.http.run
296
+ @auditable.auditable.should == submitted
297
+ end
298
+
299
+ context 'when it has no auditor' do
300
+ it 'should revert to the HTTP interface singleton' do
301
+ submitted = nil
302
+
303
+ @orphan.submit do |res|
304
+ submitted = load( res.body )
305
+ end
306
+
307
+ @orphan.http.run
308
+ @orphan.auditable.should == submitted
309
+ end
310
+ end
311
+ end
312
+
313
+ describe '#audit' do
314
+
315
+ before( :each ) { Arachni::Element::Capabilities::Auditable.reset }
316
+
317
+ context 'when the exclude_vectors option is set' do
318
+ it 'should skip those vectors by name' do
319
+ e = auditable.new( @url + '/submit', 'include_this' => 'param', 'exclude_this' => 'param' )
320
+
321
+ Arachni::Options.exclude_vectors << 'exclude_this'
322
+ Arachni::Options.exclude_vectors << Arachni::Element::Form::ORIGINAL_VALUES
323
+
324
+ audited = []
325
+ e.audit( @seed ) { |_, _, elem| audited << elem.altered }.should be_true
326
+ e.http.run
327
+
328
+ audited.uniq.should == %w(include_this)
329
+ end
330
+ end
331
+ context 'when called with no opts' do
332
+ it 'should use the defaults' do
333
+ cnt = 0
334
+ @auditable.audit( @seed ) { cnt += 1 }
335
+ @auditor.http.run
336
+ cnt.should == 4
337
+ end
338
+ end
339
+
340
+ context 'when it has no auditor' do
341
+ it 'should revert to the HTTP interface singleton' do
342
+ cnt = 0
343
+ @orphan.audit( @seed ) { cnt += 1 }
344
+ @orphan.http.run
345
+ cnt.should == 4
346
+ end
347
+ end
348
+
349
+ context 'when the action matches a #skip_path? rule' do
350
+ it 'should return immediately' do
351
+ ran = false
352
+ @auditable.audit( @seed ) { ran = true }
353
+ @auditor.http.run
354
+ ran.should be_true
355
+
356
+ Arachni::Element::Capabilities::Auditable.reset
357
+
358
+ opts = Arachni::Options.instance
359
+ opts.exclude << @auditable.action
360
+
361
+ ran = false
362
+ @auditable.audit( @seed ) { ran = true }
363
+ @auditor.http.run
364
+ ran.should be_false
365
+
366
+ opts.exclude.clear
367
+
368
+ Arachni::Element::Capabilities::Auditable.reset
369
+
370
+ ran = false
371
+ @auditable.audit( @seed ) { ran = true }
372
+ @auditor.http.run
373
+ ran.should be_true
374
+ end
375
+ end
376
+
377
+ context 'when the element has no auditable inputs' do
378
+ it 'should return immediately' do
379
+ e = auditable.new( @url + '/submit' )
380
+
381
+ ran = false
382
+ e.audit( @seed ) { ran = true }.should be_false
383
+ e.http.run
384
+
385
+ ran.should be_false
386
+ end
387
+ end
388
+
389
+ context 'when the auditor\'s #skip? method returns true for a mutation' do
390
+ it 'should be skipped' do
391
+
392
+ ran = false
393
+ @auditable.audit( @seed ) { ran = true }.should be_true
394
+ @auditor.http.run
395
+ ran.should be_true
396
+
397
+ Arachni::Element::Capabilities::Auditable.reset
398
+
399
+ def @auditor.skip?( elem )
400
+ true
401
+ end
402
+
403
+ ran = false
404
+ @auditable.audit( @seed ) { ran = true }.should be_true
405
+ @auditor.http.run
406
+ ran.should be_false
407
+
408
+ Arachni::Element::Capabilities::Auditable.reset
409
+
410
+ def @auditor.skip?( elem )
411
+ false
412
+ end
413
+
414
+ ran = false
415
+ @auditable.audit( @seed ) { ran = true }.should be_true
416
+ @auditor.http.run
417
+ ran.should be_true
418
+ end
419
+ end
420
+
421
+ context 'when the element\'s #skip? method returns true for a mutation' do
422
+ it 'should be skipped' do
423
+
424
+ ran = false
425
+ @auditable.audit( @seed ) { ran = true }.should be_true
426
+ @auditor.http.run
427
+ ran.should be_true
428
+
429
+ Arachni::Element::Capabilities::Auditable.reset
430
+
431
+ def @auditable.skip?( elem )
432
+ true
433
+ end
434
+
435
+ ran = false
436
+ @auditable.audit( @seed ) { ran = true }.should be_true
437
+ @auditor.http.run
438
+ ran.should be_false
439
+
440
+ Arachni::Element::Capabilities::Auditable.reset
441
+
442
+ def @auditable.skip?( elem )
443
+ false
444
+ end
445
+
446
+ ran = false
447
+ @auditable.audit( @seed ) { ran = true }.should be_true
448
+ @auditor.http.run
449
+ ran.should be_true
450
+ end
451
+ end
452
+
453
+ describe '.restrict_to_elements' do
454
+ after { Arachni::Element::Capabilities::Auditable.reset_instance_scope }
455
+
456
+ context 'when set' do
457
+ it 'should restrict the audit to the provided elements' do
458
+ scope_id_arr = [ @auditable.scope_audit_id ]
459
+ Arachni::Element::Capabilities::Auditable.restrict_to_elements( scope_id_arr )
460
+ performed = false
461
+ @sleep.audit( '' ){ performed = true }
462
+ @sleep.http.run
463
+ performed.should be_false
464
+
465
+ performed = false
466
+ @auditable.audit( '' ){ performed = true }
467
+ @auditable.http.run
468
+ performed.should be_true
469
+ end
470
+
471
+ describe '#override_instance_scope' do
472
+
473
+ after { @sleep.reset_scope_override }
474
+
475
+ context 'when called' do
476
+ it 'should override scope restrictions' do
477
+ scope_id_arr = [ @auditable.scope_audit_id ]
478
+ Arachni::Element::Capabilities::Auditable.restrict_to_elements( scope_id_arr )
479
+ performed = false
480
+ @sleep.audit( '' ){ performed = true }
481
+ @sleep.http.run
482
+ performed.should be_false
483
+
484
+ @sleep.override_instance_scope
485
+ performed = false
486
+ @sleep.audit( '' ){ performed = true }
487
+ @sleep.http.run
488
+ performed.should be_true
489
+ end
490
+
491
+ describe '#override_instance_scope?' do
492
+ it 'should return true' do
493
+ @sleep.override_instance_scope
494
+ @sleep.override_instance_scope?.should be_true
495
+ end
496
+ end
497
+ end
498
+
499
+ context 'when not called' do
500
+ describe '#override_instance_scope?' do
501
+ it 'should return false' do
502
+ @sleep.override_instance_scope?.should be_false
503
+ end
504
+ end
505
+ end
506
+ end
507
+ end
508
+
509
+ context 'when not set' do
510
+ it 'should not impose audit restrictions' do
511
+ performed = false
512
+ @sleep.audit( '' ){ performed = true }
513
+ @sleep.http.run
514
+ performed.should be_true
515
+
516
+ performed = false
517
+ @auditable.audit( '' ){ performed = true }
518
+ @auditable.http.run
519
+ performed.should be_true
520
+ end
521
+ end
522
+ end
523
+
524
+ context 'when called with option' do
525
+
526
+ describe :each_mutation do
527
+ it 'should be able to modify the element on the fly' do
528
+ submitted = nil
529
+ cnt = 0
530
+
531
+ each_mutation = proc do |mutation|
532
+ mutation.altered_value = 'houa!'
533
+ end
534
+
535
+ @auditable.audit( @seed, each_mutation: each_mutation,
536
+ format: [ Arachni::Module::Auditor::Format::STRAIGHT ] ) do |res, opts|
537
+ submitted = load( res.body )
538
+ cnt += 1
539
+ end
540
+
541
+ @auditor.http.run
542
+ cnt.should == 1
543
+ @auditable.auditable == submitted
544
+ end
545
+ context 'when it returns one or more elements of the same type' do
546
+ it 'should audit those elements too' do
547
+ injected = []
548
+ cnt = 0
549
+
550
+ each_mutation = proc do |mutation|
551
+ m = mutation.dup
552
+ m.altered_value = 'houa!'
553
+
554
+ c = mutation.dup
555
+ c.altered_value = 'houa2!'
556
+
557
+ [m, c]
558
+ end
559
+
560
+ @auditable.audit( @seed, each_mutation: each_mutation,
561
+ format: [ Arachni::Module::Auditor::Format::STRAIGHT ] ) do |res, opts|
562
+ injected << load( res.body ).values.first
563
+ cnt += 1
564
+ end
565
+
566
+ @auditor.http.run
567
+ cnt.should == 3
568
+ injected.sort.should == [ @seed, 'houa!', 'houa2!'].sort
569
+ end
570
+ end
571
+
572
+ end
573
+
574
+ describe :format do
575
+
576
+ describe 'Arachni::Module::Auditor::Format::STRAIGHT' do
577
+ it 'should inject the seed as is' do
578
+ injected = nil
579
+ cnt = 0
580
+ @auditable.audit( @seed,
581
+ format: [ Arachni::Module::Auditor::Format::STRAIGHT ] ){
582
+ |res, opts|
583
+ injected = load( res.body )[opts[:altered]]
584
+ cnt += 1
585
+ }
586
+ @auditor.http.run
587
+ cnt.should == 1
588
+ injected.should == @seed
589
+ end
590
+ end
591
+
592
+ describe 'Arachni::Module::Auditor::Format::APPEND' do
593
+ it 'should append the seed to the existing value of the input' do
594
+ injected = nil
595
+ cnt = 0
596
+ @auditable.audit( @seed,
597
+ format: [ Arachni::Module::Auditor::Format::APPEND ] ){
598
+ |res, opts|
599
+ injected = load( res.body )[opts[:altered]]
600
+ cnt += 1
601
+ }
602
+ @auditor.http.run
603
+ cnt.should == 1
604
+ injected.should == @default_input_value + @seed
605
+ end
606
+ end
607
+
608
+ describe 'Arachni::Module::Auditor::Format::NULL' do
609
+ it 'should terminate the seed with a null character',
610
+ if: described_class != Arachni::Element::Header do
611
+
612
+ injected = nil
613
+ cnt = 0
614
+ @auditable.audit( @seed,
615
+ format: [ Arachni::Module::Auditor::Format::NULL ] ){
616
+ |res, opts|
617
+ injected = load( res.body )[opts[:altered]]
618
+ cnt += 1
619
+ }
620
+ @auditor.http.run
621
+ cnt.should == 1
622
+ auditable.decode( injected ).should == @seed + "\0"
623
+ end
624
+ end
625
+
626
+ describe 'Arachni::Module::Auditor::Format::SEMICOLON' do
627
+ it 'should prepend the seed with a semicolon' do
628
+ injected = nil
629
+ cnt = 0
630
+
631
+ format = [ Arachni::Module::Auditor::Format::SEMICOLON ]
632
+ @auditable.audit( @seed, format: format ) do |res, opts|
633
+ injected = load( res.body )[opts[:altered]]
634
+ cnt += 1
635
+ end
636
+ @auditor.http.run
637
+ cnt.should == 1
638
+
639
+ auditable.decode( injected ).should == ";" + @seed
640
+ end
641
+ end
642
+ end
643
+
644
+ describe :redundant do
645
+ before do
646
+ @audit_opts = {
647
+ format: [ Arachni::Module::Auditor::Format::STRAIGHT ]
648
+ }
649
+ end
650
+
651
+ context true do
652
+ it 'should allow redundant audits' do
653
+ cnt = 0
654
+ 5.times do |i|
655
+ @auditable.audit( @seed, @audit_opts.merge( redundant: true )){
656
+ cnt += 1
657
+ }
658
+ end
659
+ @auditor.http.run
660
+ cnt.should == 5
661
+ end
662
+ end
663
+
664
+ context false do
665
+ it 'should not allow redundant requests/audits' do
666
+ cnt = 0
667
+ 5.times do |i|
668
+ @auditable.audit( @seed, @audit_opts.merge( redundant: false )){
669
+ cnt += 1
670
+ }
671
+ end
672
+ @auditor.http.run
673
+ cnt.should == 1
674
+ end
675
+ end
676
+
677
+ context 'default' do
678
+ it 'should not allow redundant requests/audits' do
679
+ cnt = 0
680
+ 5.times do |i|
681
+ @auditable.audit( @seed, @audit_opts ){ cnt += 1 }
682
+ end
683
+ @auditor.http.run
684
+ cnt.should == 1
685
+ end
686
+ end
687
+ end
688
+
689
+ describe :async do
690
+
691
+ context true do
692
+ it 'should perform all HTTP requests asynchronously' do
693
+ before = Time.now
694
+ @sleep.audit( @seed, async: true ){}
695
+ @auditor.http.run
696
+
697
+ # should take as long as the longest request
698
+ # and since we're doing this locally the longest
699
+ # request must take less than a second.
700
+ #
701
+ # so it should be 2 when converted into an Int
702
+ (Time.now - before).to_i.should == 2
703
+ end
704
+ end
705
+
706
+ context false do
707
+ it 'should perform all HTTP requests synchronously' do
708
+ before = Time.now
709
+ @sleep.audit( @seed, async: false ){}
710
+ @auditor.http.run
711
+
712
+ (Time.now - before).should > 4.0
713
+ end
714
+ end
715
+
716
+ context 'default' do
717
+ it 'should perform all HTTP requests asynchronously' do
718
+ before = Time.now
719
+ @sleep.audit( @seed ){}
720
+ @auditor.http.run
721
+
722
+ (Time.now - before).to_i.should == 2
723
+ end
724
+ end
725
+
726
+ end
727
+ end
728
+ end
729
+ end
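Review bot: In the `each_mutation` example, gutter line 543 reads `@auditable.auditable == submitted` with no `.should`, so the comparison is evaluated and thrown away and the example passes whatever the server echoed. Since the proc sets `altered_value` to `'houa!'`, the intended check is presumably `submitted.values.first.should == 'houa!'`, which should be confirmed against what `/submit` returns. The `exclude_vectors` example appends to `Arachni::Options.exclude_vectors` and never removes the entries, so later examples in the same process inherit the exclusion; an `after` hook that clears it would isolate them. The second `#orphan?` example is titled 'should return true' but asserts `be_false`, so the description should read 'should return false'.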