arachni 0.4.0.4 → 0.4.1
Sign up to get free protection for your applications and to get access to all the features.
- data/ACKNOWLEDGMENTS.md +2 -2
- data/AUTHORS.md +1 -4
- data/CHANGELOG.md +102 -3
- data/CONTRIBUTORS.md +4 -1
- data/EXPLOITATION.md +6 -6
- data/Gemfile +3 -0
- data/HACKING.md +29 -10
- data/LICENSE.md +176 -339
- data/NOTICE +12 -0
- data/README.md +160 -119
- data/Rakefile +83 -45
- data/arachni.gemspec +124 -0
- data/bin/arachni +14 -8
- data/bin/arachni_console +52 -0
- data/bin/arachni_rpc +14 -8
- data/bin/arachni_rpcd +15 -9
- data/bin/arachni_rpcd_monitor +14 -8
- data/bin/arachni_script +41 -0
- data/bin/arachni_web +18 -19
- data/bin/arachni_web_autostart +17 -18
- data/external/metasploit/plugins/arachni.rb +7 -9
- data/external/metasploit/{LICENSE → plugins/arachni/LICENSE} +0 -0
- data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_exec.rb +1 -1
- data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_path_traversal.rb +2 -2
- data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_php_eval.rb +1 -1
- data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_php_include.rb +1 -1
- data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_sqlmap.rb +2 -2
- data/external/scripts/LICENSE.tpl +174 -0
- data/external/scripts/README.md +95 -0
- data/external/scripts/README.tpl +30 -0
- data/external/scripts/build.sh +631 -0
- data/external/scripts/build_all.sh +29 -0
- data/external/scripts/build_and_package.sh +100 -0
- data/external/scripts/cross_build_and_package.sh +20 -0
- data/external/scripts/installer.sh.tpl +166 -0
- data/external/scripts/lib/readlink_f.sh +40 -0
- data/external/scripts/package.sh +134 -0
- data/external/scripts/push_nightlies.sh +125 -0
- data/extras/placeholder +0 -0
- data/gfx/README.md +18 -0
- data/gfx/compiled/banner.png +0 -0
- data/gfx/compiled/favicon.ico +0 -0
- data/gfx/compiled/icon.png +0 -0
- data/gfx/compiled/logo.png +0 -0
- data/gfx/compiled/spider.png +0 -0
- data/gfx/font/Beneath_the_Surface.ttf +0 -0
- data/gfx/font/bts_readme.txt +14 -0
- data/gfx/source/banner.svg +999 -0
- data/gfx/source/icon.svg +627 -0
- data/gfx/source/logo.svg +672 -0
- data/gfx/source/spider.png +0 -0
- data/gfx/source/spider.svg +277 -0
- data/lib/arachni.rb +30 -5
- data/lib/arachni/audit_store.rb +111 -143
- data/lib/arachni/banner.rb +37 -0
- data/lib/arachni/bloom_filter.rb +74 -0
- data/lib/arachni/cache.rb +21 -0
- data/lib/arachni/cache/base.rb +170 -0
- data/lib/arachni/cache/least_cost_replacement.rb +89 -0
- data/lib/arachni/cache/least_recently_used.rb +73 -0
- data/lib/arachni/cache/random_replacement.rb +52 -0
- data/lib/arachni/component/manager.rb +391 -0
- data/lib/arachni/component/options.rb +38 -0
- data/lib/arachni/component/options/address.rb +41 -0
- data/lib/arachni/component/options/base.rb +126 -0
- data/lib/arachni/component/options/bool.rb +55 -0
- data/lib/arachni/component/options/enum.rb +51 -0
- data/lib/arachni/component/options/float.rb +45 -0
- data/lib/arachni/component/options/int.rb +44 -0
- data/lib/arachni/component/options/path.rb +36 -0
- data/lib/arachni/component/options/port.rb +37 -0
- data/lib/arachni/component/options/string.rb +44 -0
- data/lib/arachni/component/options/url.rb +42 -0
- data/lib/arachni/crypto/rsa_aes_cbc.rb +14 -8
- data/lib/arachni/database.rb +4 -4
- data/lib/arachni/database/base.rb +14 -8
- data/lib/arachni/database/hash.rb +21 -12
- data/lib/arachni/database/queue.rb +15 -9
- data/lib/arachni/element/base.rb +147 -0
- data/lib/arachni/element/capabilities/auditable.rb +623 -0
- data/lib/arachni/element/capabilities/auditable/rdiff.rb +243 -0
- data/lib/arachni/element/capabilities/auditable/taint.rb +141 -0
- data/lib/arachni/element/capabilities/auditable/timeout.rb +330 -0
- data/lib/arachni/element/capabilities/body.rb +19 -0
- data/lib/arachni/element/capabilities/mutable.rb +286 -0
- data/lib/arachni/element/capabilities/path.rb +19 -0
- data/lib/arachni/element/capabilities/refreshable.rb +48 -0
- data/lib/arachni/element/capabilities/server.rb +19 -0
- data/lib/arachni/element/cookie.rb +1043 -0
- data/lib/arachni/element/form.rb +1364 -0
- data/lib/arachni/element/header.rb +87 -0
- data/lib/arachni/element/link.rb +227 -0
- data/lib/arachni/exceptions.rb +12 -34
- data/lib/arachni/framework.rb +345 -436
- data/lib/arachni/http.rb +445 -409
- data/lib/arachni/http/cookie_jar.rb +163 -0
- data/lib/arachni/issue.rb +102 -65
- data/lib/arachni/mixins/observable.rb +25 -28
- data/lib/arachni/mixins/progress_bar.rb +11 -5
- data/lib/arachni/mixins/terminal.rb +17 -11
- data/lib/arachni/module.rb +4 -4
- data/lib/arachni/module/auditor.rb +270 -793
- data/lib/arachni/module/base.rb +107 -101
- data/lib/arachni/module/element_db.rb +54 -59
- data/lib/arachni/module/key_filler.rb +35 -35
- data/lib/arachni/module/manager.rb +178 -68
- data/lib/arachni/module/output.rb +25 -30
- data/lib/arachni/module/trainer.rb +85 -156
- data/lib/arachni/module/utilities.rb +29 -138
- data/lib/arachni/options.rb +496 -162
- data/lib/arachni/page.rb +186 -0
- data/lib/arachni/parser.rb +392 -2
- data/lib/arachni/plugin.rb +4 -4
- data/lib/arachni/plugin/base.rb +113 -44
- data/lib/arachni/plugin/manager.rb +120 -54
- data/lib/arachni/report.rb +4 -4
- data/lib/arachni/report/base.rb +59 -44
- data/lib/arachni/report/manager.rb +33 -32
- data/lib/arachni/rpc/client.rb +2 -0
- data/lib/arachni/rpc/client/base.rb +31 -18
- data/lib/arachni/rpc/client/dispatcher.rb +24 -11
- data/lib/arachni/rpc/client/instance.rb +24 -11
- data/lib/arachni/rpc/server/base.rb +12 -9
- data/lib/arachni/rpc/server/dispatcher.rb +161 -164
- data/lib/arachni/rpc/server/dispatcher/handler.rb +164 -0
- data/lib/arachni/rpc/server/{node.rb → dispatcher/node.rb} +86 -104
- data/lib/arachni/rpc/server/distributor.rb +432 -0
- data/lib/arachni/rpc/server/framework.rb +266 -758
- data/lib/arachni/rpc/server/instance.rb +38 -53
- data/lib/arachni/rpc/server/module/manager.rb +17 -20
- data/lib/arachni/rpc/server/output.rb +73 -179
- data/lib/arachni/rpc/server/plugin/manager.rb +58 -24
- data/lib/arachni/ruby.rb +6 -4
- data/lib/arachni/ruby/array.rb +30 -9
- data/lib/arachni/ruby/enumerable.rb +29 -0
- data/lib/arachni/ruby/object.rb +47 -12
- data/lib/arachni/ruby/string.rb +69 -24
- data/lib/arachni/ruby/webrick.rb +31 -0
- data/lib/arachni/session.rb +279 -0
- data/lib/arachni/spider.rb +295 -149
- data/lib/arachni/typhoeus/hydra.rb +18 -4
- data/lib/arachni/typhoeus/request.rb +52 -65
- data/lib/arachni/typhoeus/response.rb +62 -22
- data/lib/arachni/typhoeus/utils.rb +25 -0
- data/lib/arachni/ui/cli/cli.rb +331 -298
- data/lib/arachni/ui/cli/output.rb +105 -77
- data/lib/arachni/ui/foo/output.rb +116 -0
- data/lib/arachni/ui/rpc/dispatcher_monitor.rb +5 -12
- data/lib/arachni/ui/rpc/rpc.rb +43 -48
- data/lib/arachni/ui/web/addon_manager.rb +18 -13
- data/lib/arachni/ui/web/addons/sample.rb +14 -8
- data/lib/arachni/ui/web/addons/scheduler.rb +14 -8
- data/lib/arachni/ui/web/addons/scheduler/views/index.erb +1 -1
- data/lib/arachni/ui/web/addons/scheduler/views/options.erb +0 -3
- data/lib/arachni/ui/web/dispatcher_manager.rb +14 -9
- data/lib/arachni/ui/web/instance_manager.rb +14 -8
- data/lib/arachni/ui/web/log.rb +14 -10
- data/lib/arachni/ui/web/output_stream.rb +11 -5
- data/lib/arachni/ui/web/report_manager.rb +14 -10
- data/lib/arachni/ui/web/scheduler.rb +16 -11
- data/lib/arachni/ui/web/server.rb +62 -56
- data/lib/arachni/ui/web/server/public/style.css +1 -1
- data/lib/arachni/ui/web/server/views/addon.erb +1 -1
- data/lib/arachni/ui/web/server/views/dispatchers.erb +3 -3
- data/lib/arachni/ui/web/server/views/dispatchers_edit.erb +2 -2
- data/lib/arachni/ui/web/server/views/error.erb +1 -1
- data/lib/arachni/ui/web/server/views/home.erb +2 -2
- data/lib/arachni/ui/web/server/views/instance.erb +6 -6
- data/lib/arachni/ui/web/server/views/layout.erb +4 -4
- data/lib/arachni/ui/web/server/views/settings.erb +13 -8
- data/lib/arachni/ui/web/server/views/welcome.erb +1 -1
- data/lib/arachni/ui/web/utilities.rb +24 -35
- data/lib/arachni/uri.rb +619 -0
- data/lib/arachni/utilities.rb +316 -0
- data/lib/arachni/version.rb +12 -6
- data/lib/version +1 -0
- data/modules/audit/code_injection.rb +64 -81
- data/modules/audit/code_injection_timing.rb +57 -75
- data/modules/audit/csrf.rb +87 -185
- data/modules/audit/ldapi.rb +42 -67
- data/modules/audit/os_cmd_injection.rb +53 -71
- data/modules/audit/os_cmd_injection/payloads.txt +1 -1
- data/modules/audit/os_cmd_injection_timing.rb +54 -75
- data/modules/audit/os_cmd_injection_timing/payloads.txt +1 -3
- data/modules/audit/path_traversal.rb +84 -110
- data/modules/audit/response_splitting.rb +41 -53
- data/modules/audit/rfi.rb +68 -76
- data/modules/audit/session_fixation.rb +86 -0
- data/modules/audit/sqli.rb +51 -77
- data/modules/audit/sqli/regexp_ids.txt +5 -19
- data/modules/audit/sqli/regexp_ignore.txt +2 -0
- data/modules/audit/sqli_blind_rdiff.rb +51 -62
- data/modules/audit/sqli_blind_timing.rb +53 -73
- data/modules/audit/trainer.rb +21 -58
- data/modules/audit/unvalidated_redirect.rb +41 -51
- data/modules/audit/xpath.rb +38 -69
- data/modules/audit/xpath/errors.txt +2 -3
- data/modules/audit/xss.rb +65 -69
- data/modules/audit/xss_event.rb +50 -69
- data/modules/audit/xss_path.rb +63 -89
- data/modules/audit/xss_script_tag.rb +53 -66
- data/modules/audit/xss_tag.rb +46 -65
- data/modules/audit/xss_uri.rb +22 -24
- data/modules/recon/allowed_methods.rb +46 -62
- data/modules/recon/backdoors.rb +39 -66
- data/modules/recon/backup_files.rb +49 -79
- data/modules/recon/common_directories.rb +39 -63
- data/modules/recon/common_directories/directories.txt +0 -5
- data/modules/recon/common_files.rb +34 -63
- data/modules/recon/directory_listing.rb +66 -116
- data/modules/recon/grep/captcha.rb +34 -41
- data/modules/recon/grep/credit_card.rb +57 -68
- data/modules/recon/grep/cvs_svn_users.rb +40 -50
- data/modules/recon/grep/emails.rb +34 -41
- data/modules/recon/grep/html_objects.rb +30 -33
- data/modules/recon/grep/http_only_cookies.rb +57 -0
- data/modules/recon/grep/insecure_cookies.rb +55 -0
- data/modules/recon/grep/mixed_resource.rb +93 -0
- data/modules/recon/grep/private_ip.rb +34 -32
- data/modules/recon/grep/ssn.rb +33 -31
- data/modules/recon/grep/unencrypted_password_forms.rb +84 -0
- data/modules/recon/htaccess_limit.rb +38 -54
- data/modules/recon/http_put.rb +48 -62
- data/modules/recon/interesting_responses.rb +77 -79
- data/modules/recon/webdav.rb +53 -79
- data/modules/recon/xst.rb +44 -63
- data/modules/test2.rb +46 -0
- data/path_extractors/anchors.rb +17 -15
- data/path_extractors/forms.rb +17 -15
- data/path_extractors/frames.rb +17 -18
- data/path_extractors/generic.rb +52 -55
- data/path_extractors/links.rb +16 -14
- data/path_extractors/meta_refresh.rb +33 -18
- data/path_extractors/scripts.rb +17 -15
- data/plugins/autologin.rb +60 -85
- data/plugins/beep_notify.rb +25 -27
- data/plugins/cookie_collector.rb +28 -45
- data/plugins/defaults/autothrottle.rb +43 -51
- data/plugins/defaults/content_types.rb +63 -52
- data/plugins/defaults/healthmap.rb +45 -62
- data/plugins/defaults/{metamodules → meta}/remedies/discovery.rb +34 -69
- data/plugins/defaults/meta/remedies/manual_verification.rb +61 -0
- data/plugins/defaults/meta/remedies/timing_attacks.rb +108 -0
- data/plugins/defaults/meta/uniformity.rb +81 -0
- data/plugins/defaults/profiler.rb +68 -115
- data/plugins/defaults/resolver.rb +33 -28
- data/plugins/email_notify.rb +60 -62
- data/plugins/form_dicattack.rb +67 -121
- data/plugins/http_dicattack.rb +51 -65
- data/plugins/libnotify.rb +37 -41
- data/plugins/proxy.rb +407 -152
- data/plugins/proxy/panel/403_forbidden.html.erb +11 -0
- data/plugins/proxy/panel/404_not_found.html.erb +6 -0
- data/plugins/proxy/panel/css/bootstrap.min.css +9 -0
- data/plugins/proxy/panel/css/panel.css +30 -0
- data/plugins/proxy/panel/help.html.erb +66 -0
- data/plugins/proxy/panel/img/glyphicons-halflings-white.png +0 -0
- data/plugins/proxy/panel/img/glyphicons-halflings.png +0 -0
- data/plugins/proxy/panel/img/record.png +0 -0
- data/plugins/proxy/panel/inspect.html.erb +7 -0
- data/plugins/proxy/panel/js/bootstrap.min.js +6 -0
- data/plugins/proxy/panel/js/jquery.min.js +2 -0
- data/plugins/proxy/panel/js/panel.js +39 -0
- data/plugins/proxy/panel/layout.html.erb +25 -0
- data/plugins/proxy/panel/page_accordion.html.erb +67 -0
- data/plugins/proxy/panel/page_twin_accordion.html.erb +18 -0
- data/plugins/proxy/panel/panel.html.erb +63 -0
- data/plugins/proxy/panel/shutdown_message.html.erb +7 -0
- data/plugins/proxy/panel/verify_login_check.html.erb +31 -0
- data/plugins/proxy/panel/verify_login_final.html.erb +26 -0
- data/plugins/proxy/panel/verify_login_sequence.html.erb +45 -0
- data/plugins/proxy/server.rb +175 -47
- data/plugins/proxy/ssl-interceptor-cert.pem +34 -0
- data/plugins/proxy/ssl-interceptor-pkey.pem +51 -0
- data/plugins/rescan.rb +27 -28
- data/plugins/script.rb +53 -0
- data/plugins/vector_feed.rb +226 -0
- data/plugins/waf_detector.rb +70 -73
- data/reports/afr.rb +23 -24
- data/reports/ap.rb +25 -36
- data/reports/html.rb +109 -163
- data/reports/html/default.erb +13 -12
- data/reports/html/default/configuration.erb +21 -21
- data/reports/html/default/css/main.css +350 -350
- data/reports/html/default/issues.erb +1 -1
- data/reports/html/default/js/charts.js +2 -2
- data/reports/html/default/js/helpers.js +0 -42
- data/reports/html/default/js/init.js +0 -1
- data/reports/html/default/sitemap.erb +2 -2
- data/reports/html/default/summary.erb +4 -4
- data/reports/html/default/summary_issue.erb +1 -1
- data/reports/json.rb +26 -28
- data/reports/marshal.rb +23 -25
- data/reports/metareport.rb +65 -98
- data/reports/plugin_formatters/html/autologin.rb +34 -41
- data/reports/plugin_formatters/html/content_types.rb +46 -52
- data/reports/plugin_formatters/html/cookie_collector.rb +41 -47
- data/reports/plugin_formatters/html/discovery.rb +36 -41
- data/reports/plugin_formatters/html/form_dicattack.rb +28 -34
- data/reports/plugin_formatters/html/healthmap.rb +48 -55
- data/reports/plugin_formatters/html/http_dicattack.rb +28 -34
- data/reports/plugin_formatters/html/profiler.rb +26 -30
- data/reports/plugin_formatters/html/profiler/template.erb +7 -7
- data/reports/plugin_formatters/html/resolver.rb +44 -52
- data/reports/plugin_formatters/html/timing_attacks.rb +42 -44
- data/reports/plugin_formatters/html/uniformity.rb +37 -42
- data/reports/plugin_formatters/html/waf_detector.rb +26 -34
- data/reports/plugin_formatters/stdout/autologin.rb +28 -40
- data/reports/plugin_formatters/stdout/content_types.rb +36 -53
- data/reports/plugin_formatters/stdout/cookie_collector.rb +28 -41
- data/reports/plugin_formatters/stdout/discovery.rb +27 -37
- data/reports/plugin_formatters/stdout/form_dicattack.rb +22 -35
- data/reports/plugin_formatters/stdout/healthmap.rb +40 -57
- data/reports/plugin_formatters/stdout/http_dicattack.rb +22 -36
- data/reports/plugin_formatters/stdout/profiler.rb +55 -74
- data/reports/plugin_formatters/stdout/resolver.rb +18 -34
- data/reports/plugin_formatters/stdout/timing_attacks.rb +27 -39
- data/reports/plugin_formatters/stdout/uniformity.rb +32 -44
- data/reports/plugin_formatters/stdout/waf_detector.rb +20 -32
- data/reports/plugin_formatters/xml/autologin.rb +27 -49
- data/reports/plugin_formatters/xml/content_types.rb +41 -66
- data/reports/plugin_formatters/xml/cookie_collector.rb +29 -49
- data/reports/plugin_formatters/xml/discovery.rb +23 -41
- data/reports/plugin_formatters/xml/form_dicattack.rb +22 -40
- data/reports/plugin_formatters/xml/healthmap.rb +44 -63
- data/reports/plugin_formatters/xml/http_dicattack.rb +22 -41
- data/reports/plugin_formatters/xml/profiler.rb +65 -89
- data/reports/plugin_formatters/xml/resolver.rb +21 -41
- data/reports/plugin_formatters/xml/timing_attacks.rb +27 -45
- data/reports/plugin_formatters/xml/uniformity.rb +36 -55
- data/reports/plugin_formatters/xml/waf_detector.rb +23 -42
- data/reports/stdout.rb +120 -121
- data/reports/txt.rb +29 -45
- data/reports/xml.rb +109 -148
- data/reports/xml/buffer.rb +66 -79
- data/reports/yaml.rb +26 -28
- data/rpcd_handlers/placeholder +0 -0
- data/spec/arachni/audit_store_spec.rb +223 -0
- data/spec/arachni/bloom_filter_spec.rb +76 -0
- data/spec/arachni/cache/base_spec.rb +275 -0
- data/spec/arachni/cache/least_cost_replacement_spec.rb +58 -0
- data/spec/arachni/cache/least_recently_used_spec.rb +91 -0
- data/spec/arachni/cache/random_replacement_spec.rb +43 -0
- data/spec/arachni/component/manager_spec.rb +448 -0
- data/spec/arachni/component/options/address_spec.rb +32 -0
- data/spec/arachni/component/options/base_spec.rb +105 -0
- data/spec/arachni/component/options/bool_spec.rb +67 -0
- data/spec/arachni/component/options/enum_spec.rb +51 -0
- data/spec/arachni/component/options/float_spec.rb +42 -0
- data/spec/arachni/component/options/int_spec.rb +46 -0
- data/spec/arachni/component/options/path_spec.rb +32 -0
- data/spec/arachni/component/options/port_spec.rb +38 -0
- data/spec/arachni/component/options/string_spec.rb +38 -0
- data/spec/arachni/component/options/url_spec.rb +36 -0
- data/spec/arachni/crypto/rsa_aes_cbc_spec.rb +31 -0
- data/spec/arachni/database/hash_spec.rb +217 -0
- data/spec/arachni/database/queue_spec.rb +52 -0
- data/spec/arachni/element/base_spec.rb +127 -0
- data/spec/arachni/element/body_spec.rb +9 -0
- data/spec/arachni/element/capabilities/auditable/rdiff_spec.rb +47 -0
- data/spec/arachni/element/capabilities/auditable/taint_spec.rb +110 -0
- data/spec/arachni/element/capabilities/auditable/timeout_spec.rb +107 -0
- data/spec/arachni/element/capabilities/mutable_spec.rb +261 -0
- data/spec/arachni/element/cookie_spec.rb +362 -0
- data/spec/arachni/element/form_spec.rb +668 -0
- data/spec/arachni/element/header_spec.rb +49 -0
- data/spec/arachni/element/link_spec.rb +220 -0
- data/spec/arachni/element/path_spec.rb +9 -0
- data/spec/arachni/element/server_spec.rb +9 -0
- data/spec/arachni/framework_spec.rb +860 -0
- data/spec/arachni/http/cookie_jar_spec.rb +267 -0
- data/spec/arachni/http_spec.rb +991 -0
- data/spec/arachni/issue_spec.rb +307 -0
- data/spec/arachni/mixins/observable_spec.rb +59 -0
- data/spec/arachni/mixins/progress_bar_spec.rb +41 -0
- data/spec/arachni/module/auditor_spec.rb +506 -0
- data/spec/arachni/module/element_db_spec.rb +131 -0
- data/spec/arachni/module/key_filler.rb +15 -0
- data/spec/arachni/module/manager_spec.rb +154 -0
- data/spec/arachni/module/trainer_spec.rb +102 -0
- data/spec/arachni/module/utilities_spec.rb +30 -0
- data/spec/arachni/module/utilities_spec/read_file.txt +3 -0
- data/spec/arachni/options_spec.rb +555 -0
- data/spec/arachni/page_spec.rb +290 -0
- data/spec/arachni/parser_spec.rb +508 -0
- data/spec/arachni/plugin/manager_spec.rb +174 -0
- data/spec/arachni/report/base_spec.rb +53 -0
- data/spec/arachni/report/manager_spec.rb +82 -0
- data/spec/arachni/rpc/client/base_spec.rb +157 -0
- data/spec/arachni/rpc/client/dispatcher_spec.rb +40 -0
- data/spec/arachni/rpc/client/instance_spec.rb +92 -0
- data/spec/arachni/rpc/server/base_spec.rb +40 -0
- data/spec/arachni/rpc/server/dispatcher/handler.rb +120 -0
- data/spec/arachni/rpc/server/dispatcher/node_spec.rb +220 -0
- data/spec/arachni/rpc/server/dispatcher_spec.rb +136 -0
- data/spec/arachni/rpc/server/distributor_spec.rb +628 -0
- data/spec/arachni/rpc/server/framework_hpg_spec.rb +321 -0
- data/spec/arachni/rpc/server/framework_simple_spec.rb +453 -0
- data/spec/arachni/rpc/server/instance_spec.rb +81 -0
- data/spec/arachni/rpc/server/modules/manager_spec.rb +79 -0
- data/spec/arachni/rpc/server/options_spec.rb +124 -0
- data/spec/arachni/rpc/server/output_spec.rb +238 -0
- data/spec/arachni/rpc/server/plugin/manager_spec.rb +86 -0
- data/spec/arachni/ruby/array_spec.rb +103 -0
- data/spec/arachni/ruby/enumerable_spec.rb +37 -0
- data/spec/arachni/ruby/object_spec.rb +38 -0
- data/spec/arachni/ruby/string_spec.rb +77 -0
- data/spec/arachni/ruby/webrick_spec.rb +15 -0
- data/spec/arachni/session_spec.rb +308 -0
- data/spec/arachni/spider_spec.rb +383 -0
- data/spec/arachni/typhoeus/hydra_spec.rb +14 -0
- data/spec/arachni/typhoeus/requrest_spec.rb +58 -0
- data/spec/arachni/typhoeus/response_spec.rb +78 -0
- data/spec/arachni/uri_spec.rb +462 -0
- data/spec/arachni/utilities_spec.rb +297 -0
- data/spec/fixtures/auditstore.afr +2959 -0
- data/spec/fixtures/cookies.txt +9 -0
- data/spec/fixtures/modules/test.rb +58 -0
- data/spec/fixtures/modules/test2.rb +46 -0
- data/spec/fixtures/modules/test3.rb +46 -0
- data/spec/fixtures/passwords.txt +17 -0
- data/spec/fixtures/plugins/bad.rb +46 -0
- data/spec/fixtures/plugins/defaults/default.rb +45 -0
- data/spec/fixtures/plugins/distributable.rb +42 -0
- data/spec/fixtures/plugins/loop.rb +32 -0
- data/spec/fixtures/plugins/wait.rb +34 -0
- data/spec/fixtures/plugins/with_options.rb +31 -0
- data/spec/fixtures/reports/base_spec/plugin_formatters/with_formatters/foobar.rb +21 -0
- data/spec/fixtures/reports/base_spec/with_formatters.rb +23 -0
- data/spec/fixtures/reports/base_spec/with_outfile.rb +24 -0
- data/spec/fixtures/reports/base_spec/without_outfile.rb +20 -0
- data/spec/fixtures/reports/manager_spec/afr.rb +21 -0
- data/spec/fixtures/reports/manager_spec/foo.rb +26 -0
- data/spec/fixtures/rescan.afr.tpl +145 -0
- data/spec/fixtures/rpcd_handlers/echo.rb +68 -0
- data/spec/fixtures/run_mod/body.rb +58 -0
- data/spec/fixtures/run_mod/cookies.rb +58 -0
- data/spec/fixtures/run_mod/empty.rb +58 -0
- data/spec/fixtures/run_mod/flch.rb +63 -0
- data/spec/fixtures/run_mod/forms.rb +58 -0
- data/spec/fixtures/run_mod/headers.rb +58 -0
- data/spec/fixtures/run_mod/links.rb +58 -0
- data/spec/fixtures/run_mod/nil.rb +57 -0
- data/spec/fixtures/run_mod/path.rb +58 -0
- data/spec/fixtures/run_mod/server.rb +58 -0
- data/spec/fixtures/script_plugin.rb +1 -0
- data/spec/fixtures/taint_module/taint.rb +48 -0
- data/spec/fixtures/usernames.txt +13 -0
- data/spec/fixtures/wait_module/wait.rb +48 -0
- data/spec/helpers/auditor.rb +9 -0
- data/spec/helpers/misc.rb +41 -0
- data/spec/helpers/processes.rb +112 -0
- data/spec/helpers/requires.rb +8 -0
- data/spec/helpers/server.rb +54 -0
- data/spec/logs/Dispatcher - 2752-13830.log +49 -0
- data/spec/logs/Dispatcher - 2766-8238.log +35 -0
- data/spec/logs/Dispatcher - 2808-9029.log +31 -0
- data/spec/logs/Dispatcher - 2854-8571.log +26 -0
- data/spec/logs/Dispatcher - 2888-10411.log +20 -0
- data/spec/logs/Dispatcher - 2922-14464.log +13 -0
- data/spec/logs/Dispatcher - 2957-15255.log +19 -0
- data/spec/logs/Dispatcher - 3216-14203.log +35 -0
- data/spec/logs/Dispatcher - 3305-8622.log +43 -0
- data/spec/logs/Dispatcher - 3340-15426.log +35 -0
- data/spec/logs/Dispatcher - 3399-12586.log +40 -0
- data/spec/logs/Dispatcher - 3433-14149.log +26 -0
- data/spec/logs/Dispatcher - 3582-6198.log +27 -0
- data/spec/logs/Dispatcher - 3616-11169.log +13 -0
- data/spec/logs/Dispatcher - 3849-9016.log +7 -0
- data/spec/logs/output_spec.log +4 -0
- data/spec/logs/placeholder +0 -0
- data/spec/modules/audit/code_injection_spec.rb +25 -0
- data/spec/modules/audit/code_injection_timing_spec.rb +24 -0
- data/spec/modules/audit/csrf_spec.rb +38 -0
- data/spec/modules/audit/ldapi_spec.rb +19 -0
- data/spec/modules/audit/os_cmd_injection_spec.rb +24 -0
- data/spec/modules/audit/os_cmd_injection_timing_spec.rb +24 -0
- data/spec/modules/audit/path_traversal_spec.rb +23 -0
- data/spec/modules/audit/response_splitting_spec.rb +19 -0
- data/spec/modules/audit/rfi_spec.rb +19 -0
- data/spec/modules/audit/session_fixation_spec.rb +23 -0
- data/spec/modules/audit/sqli_blind_rdiff_spec.rb +19 -0
- data/spec/modules/audit/sqli_blind_timing_spec.rb +23 -0
- data/spec/modules/audit/sqli_spec.rb +24 -0
- data/spec/modules/audit/trainer_spec.rb +25 -0
- data/spec/modules/audit/unvalidated_redirect_spec.rb +24 -0
- data/spec/modules/audit/xpath_spec.rb +25 -0
- data/spec/modules/audit/xss_event_spec.rb +19 -0
- data/spec/modules/audit/xss_path_spec.rb +19 -0
- data/spec/modules/audit/xss_script_tag_spec.rb +19 -0
- data/spec/modules/audit/xss_spec.rb +24 -0
- data/spec/modules/audit/xss_tag_spec.rb +19 -0
- data/spec/modules/recon/allowed_methods_spec.rb +19 -0
- data/spec/modules/recon/backdoors_spec.rb +19 -0
- data/spec/modules/recon/backup_files_spec.rb +19 -0
- data/spec/modules/recon/common_directories_spec.rb +19 -0
- data/spec/modules/recon/common_files_spec.rb +19 -0
- data/spec/modules/recon/directory_listing_spec.rb +19 -0
- data/spec/modules/recon/grep/captcha_spec.rb +19 -0
- data/spec/modules/recon/grep/credit_card_spec.rb +19 -0
- data/spec/modules/recon/grep/cvs_svn_users_spec.rb +19 -0
- data/spec/modules/recon/grep/emails_spec.rb +19 -0
- data/spec/modules/recon/grep/html_objects_spec.rb +19 -0
- data/spec/modules/recon/grep/http_only_cookies_spec.rb +19 -0
- data/spec/modules/recon/grep/insecure_cookies_spec.rb +19 -0
- data/spec/modules/recon/grep/mixed_resource_spec.rb +20 -0
- data/spec/modules/recon/grep/private_ip_spec.rb +26 -0
- data/spec/modules/recon/grep/ssn_spec.rb +19 -0
- data/spec/modules/recon/grep/unencrypted_password_forms_spec.rb +19 -0
- data/spec/modules/recon/htaccess_limit_spec.rb +19 -0
- data/spec/modules/recon/http_put_spec.rb +19 -0
- data/spec/modules/recon/interesting_responses_spec.rb +27 -0
- data/spec/modules/recon/webdav_spec.rb +19 -0
- data/spec/modules/recon/xst_spec.rb +19 -0
- data/spec/path_extractors/anchors_spec.rb +19 -0
- data/spec/path_extractors/forms_spec.rb +19 -0
- data/spec/path_extractors/frames_spec.rb +20 -0
- data/spec/path_extractors/generic_spec.rb +28 -0
- data/spec/path_extractors/links_spec.rb +19 -0
- data/spec/path_extractors/meta_refresh_spec.rb +24 -0
- data/spec/path_extractors/scripts_spec.rb +19 -0
- data/spec/pems/cacert.pem +39 -0
- data/spec/pems/client/cert.pem +39 -0
- data/spec/pems/client/foo-cert.pem +39 -0
- data/spec/pems/client/foo-key.pem +51 -0
- data/spec/pems/client/key.pem +51 -0
- data/spec/pems/server/cert.pem +39 -0
- data/spec/pems/server/key.pem +51 -0
- data/spec/plugins/autologin_spec.rb +76 -0
- data/spec/plugins/autothrottle_spec.rb +45 -0
- data/spec/plugins/content_types_spec.rb +93 -0
- data/spec/plugins/cookie_collector_spec.rb +32 -0
- data/spec/plugins/form_dicattack_spec.rb +60 -0
- data/spec/plugins/healthmap_spec.rb +40 -0
- data/spec/plugins/http_dicattack_spec.rb +40 -0
- data/spec/plugins/meta/remedies/discovery_spec.rb +15 -0
- data/spec/plugins/meta/remedies/manual_verification_spec.rb +28 -0
- data/spec/plugins/meta/remedies/timing_attacks_spec.rb +30 -0
- data/spec/plugins/meta/uniformity_spec.rb +83 -0
- data/spec/plugins/profiler_spec.rb +82 -0
- data/spec/plugins/rescan_spec.rb +26 -0
- data/spec/plugins/resolver_spec.rb +16 -0
- data/spec/plugins/script_spec.rb +12 -0
- data/spec/plugins/vector_feed_spec.rb +155 -0
- data/spec/plugins/waf_detector_spec.rb +41 -0
- data/spec/reports/afr_spec.rb +13 -0
- data/spec/reports/ap_spec.rb +9 -0
- data/spec/reports/html_spec.rb +13 -0
- data/spec/reports/json_spec.rb +17 -0
- data/spec/reports/marshal_spec.rb +13 -0
- data/spec/reports/stdout_spec.rb +9 -0
- data/spec/reports/txt_spec.rb +8 -0
- data/spec/reports/xml_spec.rb +13 -0
- data/spec/reports/yaml_spec.rb +13 -0
- data/spec/servers/arachni/element/capabilities/auditable/rdiff.rb +36 -0
- data/spec/servers/arachni/element/capabilities/auditable/taint.rb +10 -0
- data/spec/servers/arachni/element/capabilities/auditable/timeout.rb +30 -0
- data/spec/servers/arachni/element/cookie.rb +37 -0
- data/spec/servers/arachni/element/form.rb +93 -0
- data/spec/servers/arachni/element/header.rb +22 -0
- data/spec/servers/arachni/element/link.rb +26 -0
- data/spec/servers/arachni/framework.rb +54 -0
- data/spec/servers/arachni/http.rb +140 -0
- data/spec/servers/arachni/http_auth.rb +9 -0
- data/spec/servers/arachni/module/auditor.rb +135 -0
- data/spec/servers/arachni/module/trainer.rb +40 -0
- data/spec/servers/arachni/parser.rb +70 -0
- data/spec/servers/arachni/rpc/server/framework_hpg.rb +21 -0
- data/spec/servers/arachni/rpc/server/framework_simple.rb +30 -0
- data/spec/servers/arachni/session.rb +110 -0
- data/spec/servers/arachni/spider.rb +148 -0
- data/spec/servers/modules/audit/code_injection.rb +140 -0
- data/spec/servers/modules/audit/code_injection_timing.rb +110 -0
- data/spec/servers/modules/audit/csrf.rb +80 -0
- data/spec/servers/modules/audit/ldapi.rb +73 -0
- data/spec/servers/modules/audit/os_cmd_injection.rb +140 -0
- data/spec/servers/modules/audit/os_cmd_injection_timing.rb +111 -0
- data/spec/servers/modules/audit/path_traversal.rb +176 -0
- data/spec/servers/modules/audit/response_splitting.rb +114 -0
- data/spec/servers/modules/audit/rfi.rb +113 -0
- data/spec/servers/modules/audit/session_fixation.rb +87 -0
- data/spec/servers/modules/audit/sqli.rb +118 -0
- data/spec/servers/modules/audit/sqli/coldfusion +1 -0
- data/spec/servers/modules/audit/sqli/db2 +4 -0
- data/spec/servers/modules/audit/sqli/emc +2 -0
- data/spec/servers/modules/audit/sqli/informix +3 -0
- data/spec/servers/modules/audit/sqli/interbase +2 -0
- data/spec/servers/modules/audit/sqli/jdbc +0 -0
- data/spec/servers/modules/audit/sqli/mssql +26 -0
- data/spec/servers/modules/audit/sqli/mysql +13 -0
- data/spec/servers/modules/audit/sqli/oracle +6 -0
- data/spec/servers/modules/audit/sqli/postgresql +7 -0
- data/spec/servers/modules/audit/sqli/sqlite +4 -0
- data/spec/servers/modules/audit/sqli/sybase +0 -0
- data/spec/servers/modules/audit/sqli_blind_rdiff.rb +74 -0
- data/spec/servers/modules/audit/sqli_blind_timing.rb +121 -0
- data/spec/servers/modules/audit/trainer_module.rb +160 -0
- data/spec/servers/modules/audit/unvalidated_redirect.rb +115 -0
- data/spec/servers/modules/audit/xpath.rb +111 -0
- data/spec/servers/modules/audit/xpath/dotnet +5 -0
- data/spec/servers/modules/audit/xpath/general +13 -0
- data/spec/servers/modules/audit/xpath/java +3 -0
- data/spec/servers/modules/audit/xpath/libxml2 +2 -0
- data/spec/servers/modules/audit/xpath/php +2 -0
- data/spec/servers/modules/audit/xss.rb +152 -0
- data/spec/servers/modules/audit/xss_event.rb +80 -0
- data/spec/servers/modules/audit/xss_path.rb +44 -0
- data/spec/servers/modules/audit/xss_script_tag.rb +73 -0
- data/spec/servers/modules/audit/xss_tag.rb +139 -0
- data/spec/servers/modules/module_server.rb +14 -0
- data/spec/servers/modules/recon/allowed_methods.rb +5 -0
- data/spec/servers/modules/recon/backdoors.rb +4 -0
- data/spec/servers/modules/recon/backup_files.rb +28 -0
- data/spec/servers/modules/recon/common_directories.rb +6 -0
- data/spec/servers/modules/recon/common_files.rb +6 -0
- data/spec/servers/modules/recon/directory_listing.rb +30 -0
- data/spec/servers/modules/recon/grep/captcha.rb +27 -0
- data/spec/servers/modules/recon/grep/credit_card.rb +28 -0
- data/spec/servers/modules/recon/grep/cvs_svn_users.rb +23 -0
- data/spec/servers/modules/recon/grep/emails.rb +21 -0
- data/spec/servers/modules/recon/grep/html_objects.rb +7 -0
- data/spec/servers/modules/recon/grep/http_only_cookies.rb +21 -0
- data/spec/servers/modules/recon/grep/insecure_cookies.rb +21 -0
- data/spec/servers/modules/recon/grep/mixed_resource.rb +83 -0
- data/spec/servers/modules/recon/grep/private_ip.rb +18 -0
- data/spec/servers/modules/recon/grep/ssn.rb +5 -0
- data/spec/servers/modules/recon/grep/unencrypted_password_forms.rb +33 -0
- data/spec/servers/modules/recon/htaccess_limit.rb +8 -0
- data/spec/servers/modules/recon/http_put.rb +7 -0
- data/spec/servers/modules/recon/interesting_responses.rb +5 -0
- data/spec/servers/modules/recon/webdav.rb +25 -0
- data/spec/servers/modules/recon/xst.rb +6 -0
- data/spec/servers/plugins/autologin.rb +38 -0
- data/spec/servers/plugins/autothrottle.rb +8 -0
- data/spec/servers/plugins/content_types.rb +17 -0
- data/spec/servers/plugins/cookie_collector.rb +20 -0
- data/spec/servers/plugins/form_dicattack.rb +28 -0
- data/spec/servers/plugins/healthmap.rb +16 -0
- data/spec/servers/plugins/http_dicattack.rb +9 -0
- data/spec/servers/plugins/http_dicattack_secure.rb +9 -0
- data/spec/servers/plugins/http_dicattack_unprotected.rb +5 -0
- data/spec/servers/plugins/meta/remedies/discovery.rb +7 -0
- data/spec/servers/plugins/meta/remedies/timing_attacks.rb +29 -0
- data/spec/servers/plugins/profiler.rb +82 -0
- data/spec/servers/plugins/rescan.rb +31 -0
- data/spec/servers/plugins/waf_detector.rb +33 -0
- data/spec/shared/component.rb +43 -0
- data/spec/shared/element/capabilities/auditable.rb +729 -0
- data/spec/shared/element/capabilities/refreshable.rb +56 -0
- data/spec/shared/module.rb +162 -0
- data/spec/shared/path_extractor.rb +47 -0
- data/spec/shared/plugin.rb +50 -0
- data/spec/shared/reports.rb +47 -0
- data/spec/spec_helper.rb +53 -0
- metadata +870 -323
- data/extras/modules/recon/raft_dirs.rb +0 -108
- data/extras/modules/recon/raft_dirs/raft-large-directories.txt +0 -62290
- data/extras/modules/recon/raft_files.rb +0 -110
- data/extras/modules/recon/raft_files/raft-large-files.txt +0 -37037
- data/extras/modules/recon/svn_digger_dirs.rb +0 -108
- data/extras/modules/recon/svn_digger_dirs/Licence.txt +0 -674
- data/extras/modules/recon/svn_digger_dirs/ReadMe-Arachni.txt +0 -4
- data/extras/modules/recon/svn_digger_dirs/ReadMe.txt +0 -6
- data/extras/modules/recon/svn_digger_dirs/all-dirs.txt +0 -5960
- data/extras/modules/recon/svn_digger_files.rb +0 -114
- data/extras/modules/recon/svn_digger_files/Licence.txt +0 -674
- data/extras/modules/recon/svn_digger_files/ReadMe-Arachni.txt +0 -4
- data/extras/modules/recon/svn_digger_files/ReadMe.txt +0 -6
- data/extras/modules/recon/svn_digger_files/all-extensionless.txt +0 -25419
- data/extras/modules/recon/svn_digger_files/all.txt +0 -43135
- data/lib/arachni/component_manager.rb +0 -293
- data/lib/arachni/component_options.rb +0 -425
- data/lib/arachni/parser/auditable.rb +0 -606
- data/lib/arachni/parser/elements.rb +0 -315
- data/lib/arachni/parser/page.rb +0 -168
- data/lib/arachni/parser/parser.rb +0 -866
- data/lib/arachni/rpc/server/options.rb +0 -95
- data/lib/arachni/ui/web/addons/autodeploy.rb +0 -207
- data/lib/arachni/ui/web/addons/autodeploy/lib/manager.rb +0 -398
- data/lib/arachni/ui/web/addons/autodeploy/views/index.erb +0 -291
- data/modules/recon/mixed_resource.rb +0 -100
- data/modules/recon/unencrypted_password_forms.rb +0 -107
- data/path_extractors/sitemap.rb +0 -31
- data/plugins/defaults/metamodules/remedies/manual_verification.rb +0 -65
- data/plugins/defaults/metamodules/remedies/timing_attacks.rb +0 -134
- data/plugins/defaults/metamodules/uniformity.rb +0 -99
- data/reports/metareport/arachni_metareport.rb +0 -174
- data/reports/plugin_formatters/stdout/metamodules.rb +0 -82
@@ -22,12 +22,12 @@
|
|
22
22
|
</p>
|
23
23
|
|
24
24
|
<p>
|
25
|
-
You can find more information about setting up Dispatchers <a href="https://github.com/
|
25
|
+
You can find more information about setting up Dispatchers <a href="https://github.com/Arachni/arachni/wiki/RPC-server">here</a>.
|
26
26
|
</p>
|
27
27
|
|
28
28
|
</div>
|
29
29
|
|
30
|
-
<button onclick="$('#help').dialog( { height: 530, width: 500 } );"
|
30
|
+
<button onclick="$('#help').dialog( { height: 530, width: 500 } );">Help</button>
|
31
31
|
|
32
32
|
<div id="page-intro">
|
33
33
|
<h2>Edit Dispatchers</h2>
|
@@ -14,11 +14,11 @@
|
|
14
14
|
This allows scan-time to be severely decreased, by as much as n times less under ideal circumstances, where n equals the number of running instances.
|
15
15
|
</p>
|
16
16
|
<p>
|
17
|
-
You can find more info <a href="https://github.com/
|
17
|
+
You can find more info <a href="https://github.com/Arachni/arachni/wiki/Web-user-interface#wiki-usage_start-a-scan_hpg">here</a>.
|
18
18
|
</p>
|
19
19
|
</div>
|
20
20
|
|
21
|
-
<button style='display: inline' onclick="$('#help').dialog( { height: 530, width: 500 } );return false;"
|
21
|
+
<button style='display: inline' onclick="$('#help').dialog( { height: 530, width: 500 } );return false;">Help</button>
|
22
22
|
|
23
23
|
<form action="/scan" method="post" style='display: inline' >
|
24
24
|
|
@@ -99,13 +99,13 @@
|
|
99
99
|
}
|
100
100
|
|
101
101
|
function showReport( html ){
|
102
|
-
document.getElementById( 'control_buttons' ).innerHTML = ""
|
103
|
-
document.getElementById( 'page_header' ).innerHTML = "Report"
|
102
|
+
document.getElementById( 'control_buttons' ).innerHTML = "";
|
103
|
+
document.getElementById( 'page_header' ).innerHTML = "Report";
|
104
104
|
document.getElementById( 'page_description' ).innerHTML =
|
105
105
|
"The scan has completed succesfully, you can review the results using this report.<br/>" +
|
106
|
-
"This report has been saved and you can view or export it in various format via the Reports tab."
|
106
|
+
"This report has been saved and you can view or export it in various format via the Reports tab.";
|
107
107
|
|
108
|
-
document.getElementById( 'scan_data' ).innerHTML = "<iframe class='report' src=" + html + "></iframe>"
|
108
|
+
document.getElementById( 'scan_data' ).innerHTML = "<iframe class='report' src=" + html + "></iframe>";
|
109
109
|
}
|
110
110
|
|
111
111
|
function setStats( stats ){
|
@@ -129,8 +129,8 @@
|
|
129
129
|
' - ' + stats.instances[i].progress + '%' +
|
130
130
|
' - Est. remaining time: ' + stats.instances[i].eta + '</strong> <br/>';
|
131
131
|
|
132
|
-
status = stats.instances[i].status
|
133
|
-
if( status == '
|
132
|
+
status = stats.instances[i].status;
|
133
|
+
if( status == 'auditing' ) {
|
134
134
|
page = stats.instances[i].current_page;
|
135
135
|
|
136
136
|
elem.innerHTML += 'Currently auditing: ' + '<a href="' +
|
@@ -85,10 +85,10 @@
|
|
85
85
|
<div class="footer-box">
|
86
86
|
<h4>Help</h4>
|
87
87
|
<ul>
|
88
|
-
<li><a href="https://github.com/
|
89
|
-
<li><a href="http://github.com/
|
88
|
+
<li><a href="https://github.com/Arachni/arachni/wiki/Web-user-interface">WebUI User Guide</a></li>
|
89
|
+
<li><a href="http://github.com/Arachni/arachni/wiki">Wiki</a></li>
|
90
90
|
<li><a href="http://groups.google.com/group/arachni">Google Group</a></li>
|
91
|
-
<li><a href="https://github.com/
|
91
|
+
<li><a href="https://github.com/Arachni/arachni/issues">Found a bug?</a></li>
|
92
92
|
|
93
93
|
</ul>
|
94
94
|
</div>
|
@@ -100,7 +100,7 @@
|
|
100
100
|
<li><a href="http://arachni.segfault.gr">Homepage</a></li>
|
101
101
|
<li><a href="http://trainofthought.segfault.gr/category/projects/arachni/">News straight from the developer's blog</a></li>
|
102
102
|
<li><a href="http://twitter.com/Zap0tek">Developer's Twitter feed</a></li>
|
103
|
-
<li><a href="https://github.com/
|
103
|
+
<li><a href="https://github.com/Arachni/arachni/tree/experimental">The bleeding edge, Arachni's experimental branch</a></li>
|
104
104
|
</ul>
|
105
105
|
</div>
|
106
106
|
|
@@ -1,12 +1,12 @@
|
|
1
1
|
<div id='help' style='display: none' title="Help">
|
2
2
|
<h2>Settings</h2>
|
3
3
|
<p>
|
4
|
-
These settings have the same effect as their <a href="https://github.com/
|
4
|
+
These settings have the same effect as their <a href="https://github.com/Arachni/arachni/wiki/Command-line-user-interface">Command Line Interface</a> counterparts.
|
5
5
|
</p>
|
6
6
|
|
7
7
|
</div>
|
8
8
|
|
9
|
-
<button onclick="$('#help').dialog( { height: 530, width: 500 } );"
|
9
|
+
<button onclick="$('#help').dialog( { height: 530, width: 500 } );">Help</button>
|
10
10
|
|
11
11
|
<script type="text/javascript">
|
12
12
|
$(function() {
|
@@ -57,6 +57,10 @@
|
|
57
57
|
Cookies to exclude: <textarea rows="2" cols="20" name="exclude_cookies"><%=session['opts']['settings']['exclude_cookies']%></textarea>
|
58
58
|
<br/>(Newline separated)
|
59
59
|
</p>
|
60
|
+
<p>
|
61
|
+
Input vectors (parameters) to exclude (by name): <textarea rows="2" cols="20" name="exclude_vectors"><%=session['opts']['settings']['exclude_vectors']%></textarea>
|
62
|
+
<br/>(Newline separated)
|
63
|
+
</p>
|
60
64
|
</fieldset>
|
61
65
|
|
62
66
|
<fieldset>
|
@@ -67,12 +71,13 @@
|
|
67
71
|
<div id="slider"></div>
|
68
72
|
<br/>
|
69
73
|
</p>
|
70
|
-
<p>
|
71
|
-
HTTP harvest last: <input type="checkbox" name="http_harvest_last" <% if session['opts']['settings']['http_harvest_last'] == true %> checked="checked" <% end %> />
|
72
|
-
</p>
|
73
74
|
<p>
|
74
75
|
Cookie jar: <input type="file" name="cookiejar" size="25" />
|
75
76
|
</p>
|
77
|
+
<p>
|
78
|
+
Cookie string: <input name="cookie_string" size="50" value="<%=session['opts']['settings']['cookie_string']%>"/>
|
79
|
+
<br/>(In the form of: <pre style='display: inline'>cookie_name=cookie_value; cookie_name_2=cookie_value_2;</pre>)
|
80
|
+
</p>
|
76
81
|
<p>
|
77
82
|
User agent: <input name="user_agent" value="<%=session['opts']['settings']['user_agent']%>"/>
|
78
83
|
</p>
|
@@ -80,16 +85,16 @@
|
|
80
85
|
Authorized by: <input name="authed_by" value="<%=session['opts']['settings']['authed_by']%>"/>
|
81
86
|
</p>
|
82
87
|
<p>
|
83
|
-
Proxy address: <input name="
|
88
|
+
Proxy address: <input name="proxy_host" value="<%=session['opts']['settings']['proxy_host']%>"/>
|
84
89
|
</p>
|
85
90
|
<p>
|
86
91
|
Proxy port: <input name="proxy_port" value="<%=session['opts']['settings']['proxy_port']%>"/>
|
87
92
|
</p>
|
88
93
|
<p>
|
89
|
-
Proxy username: <input name="
|
94
|
+
Proxy username: <input name="proxy_username" value="<%=session['opts']['settings']['proxy_username']%>"/>
|
90
95
|
</p>
|
91
96
|
<p>
|
92
|
-
Proxy password: <input name="
|
97
|
+
Proxy password: <input name="proxy_password" value="<%=session['opts']['settings']['proxy_password']%>"/>
|
93
98
|
</p>
|
94
99
|
<p>
|
95
100
|
Proxy type:
|
@@ -7,7 +7,7 @@
|
|
7
7
|
<h2>General</h2>
|
8
8
|
<p>
|
9
9
|
The WebUI may empty your fridge, drink all your coffee, eat your puppy, slash your tires and/or burn down your house.<br/>
|
10
|
-
Nevertheless, I'd appreciate it if you gave it a shot and <a href="https://github.com/
|
10
|
+
Nevertheless, I'd appreciate it if you gave it a shot and <a href="https://github.com/Arachni/arachni/issues">let me know</a> if you find anything wrong with it.
|
11
11
|
</p>
|
12
12
|
|
13
13
|
<h2>What it is</h2>
|
@@ -1,11 +1,17 @@
|
|
1
1
|
=begin
|
2
|
-
|
3
|
-
Copyright (c) 2010-2012 Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
2
|
+
Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
|
4
3
|
|
5
|
-
|
6
|
-
|
7
|
-
|
4
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
5
|
+
you may not use this file except in compliance with the License.
|
6
|
+
You may obtain a copy of the License at
|
8
7
|
|
8
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
9
|
+
|
10
|
+
Unless required by applicable law or agreed to in writing, software
|
11
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
12
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
13
|
+
See the License for the specific language governing permissions and
|
14
|
+
limitations under the License.
|
9
15
|
=end
|
10
16
|
|
11
17
|
module Arachni
|
@@ -15,10 +21,10 @@ module Web
|
|
15
21
|
#
|
16
22
|
# General utility methods.
|
17
23
|
#
|
18
|
-
# @author
|
24
|
+
# @author Tasos "Zapotek" Laskos
|
19
25
|
# <tasos.laskos@gmail.com>
|
20
|
-
#
|
21
|
-
# @version
|
26
|
+
#
|
27
|
+
# @version 0.1
|
22
28
|
#
|
23
29
|
module Utilities
|
24
30
|
|
@@ -32,7 +38,7 @@ module Utilities
|
|
32
38
|
# @see CGI.escapeHTML
|
33
39
|
#
|
34
40
|
def escape( str )
|
35
|
-
CGI.escapeHTML( str )
|
41
|
+
CGI.escapeHTML( str || '' )
|
36
42
|
end
|
37
43
|
|
38
44
|
#
|
@@ -45,7 +51,7 @@ module Utilities
|
|
45
51
|
# @see CGI.unescapeHTML
|
46
52
|
#
|
47
53
|
def unescape( str )
|
48
|
-
CGI.unescapeHTML( str )
|
54
|
+
CGI.unescapeHTML( str || '' )
|
49
55
|
end
|
50
56
|
|
51
57
|
#
|
@@ -98,24 +104,6 @@ module Utilities
|
|
98
104
|
Time.new( year, month, day, hour, minute )
|
99
105
|
end
|
100
106
|
|
101
|
-
#
|
102
|
-
# Constructs an instance URL by port using its dispatcher's url.
|
103
|
-
#
|
104
|
-
# @param [Integer] port
|
105
|
-
# @param [String] dispatcher_url URL of the dispatcher
|
106
|
-
# @param [Bool] no_scheme include scheme in the URL?
|
107
|
-
#
|
108
|
-
# @return [String]
|
109
|
-
#
|
110
|
-
def port_to_url( port, dispatcher_url, no_scheme = nil )
|
111
|
-
uri = URI( dispatcher_url )
|
112
|
-
uri.port = port.to_i
|
113
|
-
uri = uri.to_s
|
114
|
-
|
115
|
-
uri = remove_proto( uri ) if no_scheme
|
116
|
-
return uri
|
117
|
-
end
|
118
|
-
|
119
107
|
#
|
120
108
|
# Removes the protocol from URL string.
|
121
109
|
#
|
@@ -124,13 +112,14 @@ module Utilities
|
|
124
112
|
# @return [String]
|
125
113
|
#
|
126
114
|
def remove_proto( url )
|
127
|
-
|
128
|
-
|
129
|
-
|
130
|
-
|
131
|
-
|
132
|
-
|
133
|
-
|
115
|
+
url
|
116
|
+
#begin
|
117
|
+
# url = URI.parse( url )
|
118
|
+
# scheme = url.scheme + '://'
|
119
|
+
# escape( url.to_s.gsub( scheme, '' ) )
|
120
|
+
#rescue
|
121
|
+
# return url
|
122
|
+
#end
|
134
123
|
end
|
135
124
|
|
136
125
|
end
|
data/lib/arachni/uri.rb
ADDED
@@ -0,0 +1,619 @@
|
|
1
|
+
=begin
|
2
|
+
Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
|
3
|
+
|
4
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
5
|
+
you may not use this file except in compliance with the License.
|
6
|
+
You may obtain a copy of the License at
|
7
|
+
|
8
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
9
|
+
|
10
|
+
Unless required by applicable law or agreed to in writing, software
|
11
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
12
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
13
|
+
See the License for the specific language governing permissions and
|
14
|
+
limitations under the License.
|
15
|
+
=end
|
16
|
+
|
17
|
+
require 'uri'
|
18
|
+
require 'addressable/uri'
|
19
|
+
|
20
|
+
module Arachni
|
21
|
+
|
22
|
+
#
|
23
|
+
# Helper method which parses a URL using {Arachni::URI.parse}.
|
24
|
+
#
|
25
|
+
# @see Arachni::URI.parse
|
26
|
+
#
|
27
|
+
def self.URI( uri )
|
28
|
+
Arachni::URI.parse( uri )
|
29
|
+
end
|
30
|
+
|
31
|
+
#
|
32
|
+
# The URI class automatically normalizes the URLs it is passed to parse
|
33
|
+
# while maintaining compatibility with Ruby's URI core classes by delegating
|
34
|
+
# missing method to it -- thus, you can treat it like a Ruby URI and enjoy some
|
35
|
+
# extra perks along the line.
|
36
|
+
#
|
37
|
+
# It also provides *cached* (to maintain low-latency) helper class methods to
|
38
|
+
# ease common operations such as:
|
39
|
+
# * {.normalize normalization}
|
40
|
+
# * parsing to {.parse Arachni::URI} (see also {.URI}), {.ruby_parse ::URI} or {.cheap_parse Hash} objects.
|
41
|
+
# * conversion to {.to_absolute absolute URLs}
|
42
|
+
#
|
43
|
+
# @author Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
44
|
+
#
|
45
|
+
class URI
|
46
|
+
include UI::Output
|
47
|
+
extend UI::Output
|
48
|
+
|
49
|
+
include Utilities
|
50
|
+
extend Utilities
|
51
|
+
|
52
|
+
CACHE_SIZES = {
|
53
|
+
parse: 600,
|
54
|
+
ruby_parse: 600,
|
55
|
+
cheap_parse: 600,
|
56
|
+
normalize: 1000,
|
57
|
+
to_absolute: 1000
|
58
|
+
}
|
59
|
+
|
60
|
+
CACHE = {
|
61
|
+
parser: ::URI::Parser.new,
|
62
|
+
ruby_parse: Cache::RandomReplacement.new( CACHE_SIZES[:ruby_parse] ),
|
63
|
+
parse: Cache::RandomReplacement.new( CACHE_SIZES[:parse] ),
|
64
|
+
cheap_parse: Cache::RandomReplacement.new( CACHE_SIZES[:cheap_parse] ),
|
65
|
+
normalize: Cache::RandomReplacement.new( CACHE_SIZES[:normalize] ),
|
66
|
+
to_absolute: Cache::RandomReplacement.new( CACHE_SIZES[:to_absolute] )
|
67
|
+
}
|
68
|
+
|
69
|
+
# @return [URI::Parser] cached URI parser
|
70
|
+
def self.parser
|
71
|
+
CACHE[__method__]
|
72
|
+
end
|
73
|
+
|
74
|
+
#
|
75
|
+
# URL encodes a string.
|
76
|
+
#
|
77
|
+
# @param [String] string
|
78
|
+
# @param [String, Regexp] bad_characters
|
79
|
+
# Class of characters to encode -- if +String+ is passed,
|
80
|
+
# it should formatted as a regexp (for +Regexp.new+).
|
81
|
+
#
|
82
|
+
# @return [String] encoded string
|
83
|
+
#
|
84
|
+
def self.encode( string, bad_characters = nil )
|
85
|
+
Addressable::URI.encode_component( *[string, bad_characters].compact )
|
86
|
+
end
|
87
|
+
|
88
|
+
#
|
89
|
+
# URL decodes a string.
|
90
|
+
#
|
91
|
+
# @param [String] string
|
92
|
+
#
|
93
|
+
# @return [String]
|
94
|
+
#
|
95
|
+
def self.decode( string )
|
96
|
+
Addressable::URI.unencode( string )
|
97
|
+
end
|
98
|
+
|
99
|
+
#
|
100
|
+
# Iteratively {.decode URL decodes} a +String+ until there are no more characters to
|
101
|
+
# be unescaped.
|
102
|
+
#
|
103
|
+
# @param [String] string
|
104
|
+
#
|
105
|
+
# @return [String]
|
106
|
+
#
|
107
|
+
def self.deep_decode( string )
|
108
|
+
string = decode( string ) while string =~ /%[a-fA-F0-9]{2}/
|
109
|
+
end
|
110
|
+
|
111
|
+
#
|
112
|
+
# Cached version of {URI#initialize}, if there's a chance that the same
|
113
|
+
# URL will be needed to be parsed multiple times you should use this method.
|
114
|
+
#
|
115
|
+
# *ATTENTION*: This method's results are cached for performance reasons.
|
116
|
+
# If you plan on doing something destructive with its return value duplicate
|
117
|
+
# it first because there may be references to it elsewhere.
|
118
|
+
#
|
119
|
+
# @see URI#initialize
|
120
|
+
#
|
121
|
+
def self.parse( url )
|
122
|
+
return url if !url || url.is_a?( Arachni::URI )
|
123
|
+
CACHE[__method__][url] ||= begin
|
124
|
+
new( url )
|
125
|
+
rescue => e
|
126
|
+
print_error "Failed to parse '#{url}'."
|
127
|
+
#print_error "Error: #{e}"
|
128
|
+
#print_error_backtrace( e )
|
129
|
+
nil
|
130
|
+
end
|
131
|
+
end
|
132
|
+
|
133
|
+
#
|
134
|
+
# {.normalize Normalizes} +url+ and uses Ruby's core URI lib to parse it.
|
135
|
+
#
|
136
|
+
# *ATTENTION*: This method's results are cached for performance reasons.
|
137
|
+
# If you plan on doing something destructive with its return value duplicate
|
138
|
+
# it first because there may be references to it elsewhere.
|
139
|
+
#
|
140
|
+
# @param [String] url URL to parse
|
141
|
+
#
|
142
|
+
# @return [URI]
|
143
|
+
#
|
144
|
+
def self.ruby_parse( url )
|
145
|
+
return url if url.to_s.empty? || url.is_a?( ::URI )
|
146
|
+
CACHE[__method__][url] ||= begin
|
147
|
+
::URI::Generic.build( cheap_parse( url ) )
|
148
|
+
rescue
|
149
|
+
begin
|
150
|
+
parser.parse( normalize( url ).dup )
|
151
|
+
rescue => e
|
152
|
+
print_error "Failed to parse '#{url}'."
|
153
|
+
#print_error "Error: #{e}"
|
154
|
+
#print_error_backtrace( e )
|
155
|
+
nil
|
156
|
+
end
|
157
|
+
end
|
158
|
+
end
|
159
|
+
|
160
|
+
#
|
161
|
+
# Performs a parse that is less resource intensive than Ruby's URI lib's
|
162
|
+
# method while normalizing the URL (will also discard the fragment).
|
163
|
+
#
|
164
|
+
# *ATTENTION*: This method's results are cached for performance reasons.
|
165
|
+
# If you plan on doing something destructive with its return value duplicate
|
166
|
+
# it first because there may be references to it elsewhere.
|
167
|
+
#
|
168
|
+
# @param [String] url
|
169
|
+
#
|
170
|
+
# @return [Hash] URL components (frozen):
|
171
|
+
# Hash fields:
|
172
|
+
# * scheme -- HTTP or HTTPS
|
173
|
+
# * userinfo -- username:password
|
174
|
+
# * host
|
175
|
+
# * port
|
176
|
+
# * path
|
177
|
+
# * query
|
178
|
+
#
|
179
|
+
# The Hash is suitable for passing to +::URI::Generic.build+ -- if however
|
180
|
+
# you plan on doing that you'll be better off just using {.ruby_parse} which
|
181
|
+
# does the same thing and caches the results for some extra schnell.
|
182
|
+
#
|
183
|
+
def self.cheap_parse( url )
|
184
|
+
return if !url || url.empty?
|
185
|
+
|
186
|
+
cache = CACHE[__method__]
|
187
|
+
|
188
|
+
url = url.to_s.dup
|
189
|
+
c_url = url.to_s.dup
|
190
|
+
|
191
|
+
components = {
|
192
|
+
scheme: nil,
|
193
|
+
userinfo: nil,
|
194
|
+
host: nil,
|
195
|
+
port: nil,
|
196
|
+
path: nil,
|
197
|
+
query: nil
|
198
|
+
}
|
199
|
+
|
200
|
+
valid_schemes = %w(http https)
|
201
|
+
|
202
|
+
begin
|
203
|
+
if (v = cache[url]) && v == :err
|
204
|
+
return
|
205
|
+
elsif v
|
206
|
+
return v
|
207
|
+
end
|
208
|
+
|
209
|
+
# we're not smart enough for scheme-less URLs and if we're to go
|
210
|
+
# into heuristics then there's no reason to not just use Addressable's parser
|
211
|
+
if url.start_with?( '//' )
|
212
|
+
return cache[c_url] = addressable_parse( c_url ).freeze
|
213
|
+
end
|
214
|
+
|
215
|
+
url = url.encode( 'UTF-8', undef: :replace, invalid: :replace )
|
216
|
+
|
217
|
+
# remove the fragment if there is one
|
218
|
+
url = url.split( '#', 2 )[0...-1].join if url.include?( '#' )
|
219
|
+
|
220
|
+
url = html_decode( url )
|
221
|
+
|
222
|
+
dupped_url = url.dup
|
223
|
+
has_path = true
|
224
|
+
|
225
|
+
splits = url.split( ':' )
|
226
|
+
if !splits.empty? && valid_schemes.include?( splits.first.downcase )
|
227
|
+
splits = url.split( '://', 2 )
|
228
|
+
components[:scheme] = splits.shift
|
229
|
+
components[:scheme].downcase! if components[:scheme]
|
230
|
+
|
231
|
+
if url = splits.shift
|
232
|
+
splits = url.split( '?' ).first.split( '@', 2 )
|
233
|
+
|
234
|
+
if splits.size > 1
|
235
|
+
components[:userinfo] = splits.first
|
236
|
+
url = splits.shift
|
237
|
+
end
|
238
|
+
|
239
|
+
if !splits.empty?
|
240
|
+
splits = splits.last.split( '/', 2 )
|
241
|
+
url = splits.last
|
242
|
+
|
243
|
+
splits = splits.first.split( ':', 2 )
|
244
|
+
if splits.size == 2
|
245
|
+
host = splits.first
|
246
|
+
components[:port] = Integer( splits.last ) if splits.last && !splits.last.empty?
|
247
|
+
components[:port] = nil if components[:port] == 80
|
248
|
+
url.gsub!( ':' + components[:port].to_s, '' )
|
249
|
+
else
|
250
|
+
host = splits.last
|
251
|
+
end
|
252
|
+
|
253
|
+
if components[:host] = host
|
254
|
+
url.gsub!( host, '' )
|
255
|
+
components[:host].downcase!
|
256
|
+
end
|
257
|
+
else
|
258
|
+
has_path = false
|
259
|
+
end
|
260
|
+
else
|
261
|
+
has_path = false
|
262
|
+
end
|
263
|
+
end
|
264
|
+
|
265
|
+
if has_path
|
266
|
+
splits = url.split( '?', 2 )
|
267
|
+
if components[:path] = splits.shift
|
268
|
+
components[:path] = '/' + components[:path] if components[:scheme]
|
269
|
+
components[:path].gsub!( /\/+/, '/' )
|
270
|
+
components[:path] =
|
271
|
+
encode( decode( components[:path] ),
|
272
|
+
Addressable::URI::CharacterClasses::PATH )
|
273
|
+
end
|
274
|
+
|
275
|
+
if c_url.include?( '?' ) && !(query = dupped_url.split( '?', 2 ).last).empty?
|
276
|
+
components[:query] =
|
277
|
+
encode( decode( query ),
|
278
|
+
Addressable::URI::CharacterClasses::QUERY )
|
279
|
+
end
|
280
|
+
end
|
281
|
+
|
282
|
+
components[:path] ||= components[:scheme] ? '/' : nil
|
283
|
+
|
284
|
+
cache[c_url] = components.inject({}) do |h, (k, val)|
|
285
|
+
h.merge!( Hash[{ k => val.freeze }] )
|
286
|
+
end.freeze
|
287
|
+
rescue => e
|
288
|
+
begin
|
289
|
+
print_error "Failed to fast-parse '#{c_url}', falling back to slow-parse."
|
290
|
+
#print_error "Error: #{e}"
|
291
|
+
#print_error_backtrace( e )
|
292
|
+
|
293
|
+
cache[c_url] = addressable_parse( c_url ).freeze
|
294
|
+
rescue => ex
|
295
|
+
print_error "Failed to parse '#{c_url}'."
|
296
|
+
#print_error "Error: #{ex}"
|
297
|
+
#print_error_backtrace( ex )
|
298
|
+
|
299
|
+
cache[c_url] = :err
|
300
|
+
nil
|
301
|
+
end
|
302
|
+
end
|
303
|
+
end
|
304
|
+
|
305
|
+
#
|
306
|
+
# Performs a parse using the +URI::Addressable+ lib while normalizing the
|
307
|
+
# URL (will also discard the fragment).
|
308
|
+
#
|
309
|
+
# This method is not cached and solely exists as a fallback used by {.cheap_parse}.
|
310
|
+
#
|
311
|
+
# @param [String] url
|
312
|
+
#
|
313
|
+
# @return [Hash] URL components:
|
314
|
+
# Hash fields:
|
315
|
+
# * scheme -- HTTP or HTTPS
|
316
|
+
# * userinfo -- username:password
|
317
|
+
# * host
|
318
|
+
# * port
|
319
|
+
# * path
|
320
|
+
# * query
|
321
|
+
#
|
322
|
+
# The Hash is suitable for passing to +::URI::Generic.build+ -- if however
|
323
|
+
# you plan on doing that you'll be better off just using {.ruby_parse} which
|
324
|
+
# does the same thing and caches the results for some extra schnell.
|
325
|
+
#
|
326
|
+
def self.addressable_parse( url )
|
327
|
+
u = Addressable::URI.parse( html_decode( url.to_s ) ).normalize
|
328
|
+
u.fragment = nil
|
329
|
+
h = u.to_hash
|
330
|
+
|
331
|
+
h[:path].gsub!( /\/+/, '/' ) if h[:path]
|
332
|
+
if h[:user]
|
333
|
+
h[:userinfo] = h.delete( :user )
|
334
|
+
h[:userinfo] << ":#{h.delete( :password )}" if h[:password]
|
335
|
+
end
|
336
|
+
h
|
337
|
+
end
|
338
|
+
|
339
|
+
#
|
340
|
+
# {.normalize Normalizes} and converts a +relative+ URL to an absolute one
|
341
|
+
# by merging in with a +reference+ URL.
|
342
|
+
#
|
343
|
+
# Pretty much a cached version of {#to_absolute}.
|
344
|
+
#
|
345
|
+
# *ATTENTION*: This method's results are cached for performance reasons.
|
346
|
+
# If you plan on doing something destructive with its return value duplicate
|
347
|
+
# it first because there may be references to it elsewhere.
|
348
|
+
#
|
349
|
+
# @param [String] relative
|
350
|
+
# @param [String] reference absolute url to use as a reference
|
351
|
+
#
|
352
|
+
# @return [String] absolute URL (frozen)
|
353
|
+
#
|
354
|
+
def self.to_absolute( relative, reference = Options.instance.url.to_s )
|
355
|
+
return reference if !relative || relative.empty?
|
356
|
+
key = relative + ' :: ' + reference
|
357
|
+
|
358
|
+
cache = CACHE[__method__]
|
359
|
+
begin
|
360
|
+
if (v = cache[key]) && v == :err
|
361
|
+
return
|
362
|
+
elsif v
|
363
|
+
return v
|
364
|
+
end
|
365
|
+
|
366
|
+
parsed_ref = parse( reference )
|
367
|
+
|
368
|
+
# scheme-less URLs are expensive to parse so let's resolve the issue here
|
369
|
+
relative = "#{parsed_ref.scheme}:#{relative}" if relative.start_with?( '//' )
|
370
|
+
|
371
|
+
cache[key] = parse( relative ).to_absolute( parsed_ref ).to_s.freeze
|
372
|
+
rescue# => e
|
373
|
+
#ap relative
|
374
|
+
#ap e
|
375
|
+
#ap e.backtrace
|
376
|
+
cache[key] = :err
|
377
|
+
nil
|
378
|
+
end
|
379
|
+
end
|
380
|
+
|
381
|
+
#
|
382
|
+
# Uses {.cheap_parse} to parse and normalize the URL and then converts
|
383
|
+
# it to a common +String+ format.
|
384
|
+
#
|
385
|
+
# *ATTENTION*: This method's results are cached for performance reasons.
|
386
|
+
# If you plan on doing something destructive with its return value duplicate
|
387
|
+
# it first because there may be references to it elsewhere.
|
388
|
+
#
|
389
|
+
# @param [String] url
|
390
|
+
#
|
391
|
+
# @return [String] normalized URL (frozen)
|
392
|
+
#
|
393
|
+
def self.normalize( url )
|
394
|
+
return if !url || url.empty?
|
395
|
+
|
396
|
+
cache = CACHE[__method__]
|
397
|
+
|
398
|
+
url = url.to_s.strip.dup
|
399
|
+
c_url = url.to_s.strip.dup
|
400
|
+
|
401
|
+
begin
|
402
|
+
if (v = cache[url]) && v == :err
|
403
|
+
return
|
404
|
+
elsif v
|
405
|
+
return v
|
406
|
+
end
|
407
|
+
|
408
|
+
components = cheap_parse( url )
|
409
|
+
|
410
|
+
#ap components
|
411
|
+
normalized = ''
|
412
|
+
normalized << components[:scheme] + '://' if components[:scheme]
|
413
|
+
|
414
|
+
if components[:userinfo]
|
415
|
+
normalized << components[:userinfo]
|
416
|
+
normalized << '@'
|
417
|
+
end
|
418
|
+
|
419
|
+
if components[:host]
|
420
|
+
normalized << components[:host]
|
421
|
+
normalized << ':' + components[:port].to_s if components[:port]
|
422
|
+
end
|
423
|
+
|
424
|
+
normalized << components[:path] if components[:path]
|
425
|
+
normalized << '?' + components[:query] if components[:query]
|
426
|
+
|
427
|
+
cache[c_url] = normalized.freeze
|
428
|
+
rescue => e
|
429
|
+
print_error "Failed to normalize '#{c_url}'."
|
430
|
+
#print_error "Error: #{e}"
|
431
|
+
#print_error_backtrace( e )
|
432
|
+
|
433
|
+
cache[c_url] = :err
|
434
|
+
nil
|
435
|
+
end
|
436
|
+
end
|
437
|
+
|
438
|
+
#
|
439
|
+
# {.normalize Normalizes} and parses the provided URL.
|
440
|
+
#
|
441
|
+
# Will discard the fragment component, if there is one.
|
442
|
+
#
|
443
|
+
# @param [Arachni::URI, String, URI, Hash] url
|
444
|
+
# +String+ URL to parse, +URI+ to convert, or a +Hash+ holding URL components
|
445
|
+
# (for +::URI::Generic.build+). Also accepts {Arachni::URI} for convenience.
|
446
|
+
#
|
447
|
+
def initialize( url )
|
448
|
+
@arachni_opts = Options.instance
|
449
|
+
|
450
|
+
@parsed_url = case url
|
451
|
+
when String
|
452
|
+
self.class.ruby_parse( url )
|
453
|
+
|
454
|
+
when ::URI
|
455
|
+
url.dup
|
456
|
+
|
457
|
+
when Hash
|
458
|
+
::URI::Generic.build( url )
|
459
|
+
|
460
|
+
when Arachni::URI
|
461
|
+
self.parsed_url = url.parsed_url.dup
|
462
|
+
|
463
|
+
else
|
464
|
+
to_string = url.to_s rescue ''
|
465
|
+
msg = "Argument must either be String, URI or Hash"
|
466
|
+
msg << " -- #{url.class.name} '#{to_string}' passed."
|
467
|
+
fail TypeError.new( msg )
|
468
|
+
end
|
469
|
+
fail 'Failed to parse URL.' if !@parsed_url
|
470
|
+
end
|
471
|
+
|
472
|
+
def ==( other )
|
473
|
+
to_s == other.to_s
|
474
|
+
end
|
475
|
+
|
476
|
+
#
|
477
|
+
# Converts self into an absolute URL using +reference+ to fill in the missing data.
|
478
|
+
#
|
479
|
+
# @param [Arachni::URI, URI, String] reference absolute URL
|
480
|
+
#
|
481
|
+
# @return [Arachni::URI] self as an absolute URL
|
482
|
+
#
|
483
|
+
def to_absolute( reference )
|
484
|
+
absolute = case reference
|
485
|
+
when Arachni::URI
|
486
|
+
reference.parsed_url
|
487
|
+
when ::URI
|
488
|
+
reference
|
489
|
+
else
|
490
|
+
self.class.new( reference.to_s ).parsed_url
|
491
|
+
end.merge( @parsed_url )
|
492
|
+
|
493
|
+
self.class.new( absolute )
|
494
|
+
end
|
495
|
+
|
496
|
+
# @return [String] the URL up to its path component
|
497
|
+
# (no resource name, query, fragment, etc)
|
498
|
+
def up_to_path
|
499
|
+
uri_path = path.dup
|
500
|
+
|
501
|
+
uri_path = File.dirname( uri_path ) if !File.extname( path ).empty?
|
502
|
+
|
503
|
+
uri_path << '/' if uri_path[-1] != '/'
|
504
|
+
|
505
|
+
uri_str = scheme + "://" + host
|
506
|
+
uri_str << ':' + port.to_s if port && port != 80
|
507
|
+
uri_str << uri_path
|
508
|
+
end
|
509
|
+
|
510
|
+
# @return [String] domain_name.tld
|
511
|
+
def domain
|
512
|
+
s = host.split( '.' )
|
513
|
+
return s.first if s.size == 1
|
514
|
+
return host if s.size == 2
|
515
|
+
|
516
|
+
s[1..-1].join( '.' )
|
517
|
+
end
|
518
|
+
|
519
|
+
#
|
520
|
+
# Checks if self exceeds a given directory depth.
|
521
|
+
#
|
522
|
+
# @param [Integer] depth depth to check for
|
523
|
+
#
|
524
|
+
# @return [Bool] +true+ if self is deeper than +depth+, +false+ otherwise
|
525
|
+
#
|
526
|
+
def too_deep?( depth )
|
527
|
+
depth > 0 && (depth + 1) <= path.count( '/' )
|
528
|
+
end
|
529
|
+
|
530
|
+
#
|
531
|
+
# Checks if self should be excluded based on the provided +patterns+.
|
532
|
+
#
|
533
|
+
# @param [Array<Regexp,String>] patterns
|
534
|
+
#
|
535
|
+
# @return [Bool] +true+ if self matches a pattern, +false+ otherwise
|
536
|
+
#
|
537
|
+
def exclude?( patterns )
|
538
|
+
fail TypeError.new( 'Array<Regexp,String> expected, got nil instead' ) if patterns.nil?
|
539
|
+
ensure_patterns( patterns ).each { |pattern| return true if to_s =~ pattern }
|
540
|
+
false
|
541
|
+
end
|
542
|
+
|
543
|
+
#
|
544
|
+
# Checks if self should be included based on the provided +patterns+.
|
545
|
+
#
|
546
|
+
# @param [Array<Regexp,String>] patterns
|
547
|
+
#
|
548
|
+
# @return [Bool] +true+ if self matches a pattern (or +patterns+ are +nil+ or empty),
|
549
|
+
# +false+ otherwise
|
550
|
+
#
|
551
|
+
def include?( patterns )
|
552
|
+
fail TypeError.new( 'Array<Regexp,String> expected, got nil instead' ) if patterns.nil?
|
553
|
+
|
554
|
+
rules = ensure_patterns( patterns )
|
555
|
+
return true if !rules || rules.empty?
|
556
|
+
|
557
|
+
rules.each { |pattern| return true if to_s =~ pattern }
|
558
|
+
false
|
559
|
+
end
|
560
|
+
|
561
|
+
#
|
562
|
+
# @param [Bool] include_subdomain Match subdomains too?
|
563
|
+
# If true will compare full hostnames, otherwise will discard subdomains.
|
564
|
+
#
|
565
|
+
# @param [Arachni::URI, URI, Hash, String] other URL to compare it to
|
566
|
+
#
|
567
|
+
# @return [Bool] +true+ if self is in the same domain as the +other+ URL,
|
568
|
+
# false otherwise
|
569
|
+
#
|
570
|
+
def in_domain?( include_subdomain, other )
|
571
|
+
return true if !other
|
572
|
+
|
573
|
+
other = self.class.new( other ) if !other.is_a?( Arachni::URI )
|
574
|
+
include_subdomain ? other.host == host : other.domain == domain
|
575
|
+
end
|
576
|
+
|
577
|
+
# @return [String] URL
|
578
|
+
def to_s
|
579
|
+
@parsed_url.to_s
|
580
|
+
end
|
581
|
+
|
582
|
+
protected
|
583
|
+
|
584
|
+
def parsed_url
|
585
|
+
@parsed_url
|
586
|
+
end
|
587
|
+
|
588
|
+
def parsed_url=( url )
|
589
|
+
@parsed_url = url
|
590
|
+
end
|
591
|
+
|
592
|
+
private
|
593
|
+
|
594
|
+
def ensure_patterns( arr )
|
595
|
+
if arr.is_a?( Array )
|
596
|
+
arr
|
597
|
+
else
|
598
|
+
[arr].flatten
|
599
|
+
end.compact.map { |p| p.is_a?( Regexp ) ? p : Regexp.new( p.to_s ) }
|
600
|
+
end
|
601
|
+
|
602
|
+
#
|
603
|
+
# Delegates unimplemented methods to Ruby's +URI::Generic+ class for
|
604
|
+
# compatibility.
|
605
|
+
#
|
606
|
+
def method_missing( sym, *args, &block )
|
607
|
+
if @parsed_url.respond_to?( sym )
|
608
|
+
@parsed_url.send( sym, *args, &block )
|
609
|
+
else
|
610
|
+
super
|
611
|
+
end
|
612
|
+
end
|
613
|
+
|
614
|
+
def respond_to?( sym )
|
615
|
+
super || @parsed_url.respond_to?( sym )
|
616
|
+
end
|
617
|
+
|
618
|
+
end
|
619
|
+
end
|