arachni 0.4.0.4 → 0.4.1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (688) hide show
  1. data/ACKNOWLEDGMENTS.md +2 -2
  2. data/AUTHORS.md +1 -4
  3. data/CHANGELOG.md +102 -3
  4. data/CONTRIBUTORS.md +4 -1
  5. data/EXPLOITATION.md +6 -6
  6. data/Gemfile +3 -0
  7. data/HACKING.md +29 -10
  8. data/LICENSE.md +176 -339
  9. data/NOTICE +12 -0
  10. data/README.md +160 -119
  11. data/Rakefile +83 -45
  12. data/arachni.gemspec +124 -0
  13. data/bin/arachni +14 -8
  14. data/bin/arachni_console +52 -0
  15. data/bin/arachni_rpc +14 -8
  16. data/bin/arachni_rpcd +15 -9
  17. data/bin/arachni_rpcd_monitor +14 -8
  18. data/bin/arachni_script +41 -0
  19. data/bin/arachni_web +18 -19
  20. data/bin/arachni_web_autostart +17 -18
  21. data/external/metasploit/plugins/arachni.rb +7 -9
  22. data/external/metasploit/{LICENSE → plugins/arachni/LICENSE} +0 -0
  23. data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_exec.rb +1 -1
  24. data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_path_traversal.rb +2 -2
  25. data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_php_eval.rb +1 -1
  26. data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_php_include.rb +1 -1
  27. data/external/metasploit/{modules → plugins/arachni/modules}/exploits/unix/webapp/arachni_sqlmap.rb +2 -2
  28. data/external/scripts/LICENSE.tpl +174 -0
  29. data/external/scripts/README.md +95 -0
  30. data/external/scripts/README.tpl +30 -0
  31. data/external/scripts/build.sh +631 -0
  32. data/external/scripts/build_all.sh +29 -0
  33. data/external/scripts/build_and_package.sh +100 -0
  34. data/external/scripts/cross_build_and_package.sh +20 -0
  35. data/external/scripts/installer.sh.tpl +166 -0
  36. data/external/scripts/lib/readlink_f.sh +40 -0
  37. data/external/scripts/package.sh +134 -0
  38. data/external/scripts/push_nightlies.sh +125 -0
  39. data/extras/placeholder +0 -0
  40. data/gfx/README.md +18 -0
  41. data/gfx/compiled/banner.png +0 -0
  42. data/gfx/compiled/favicon.ico +0 -0
  43. data/gfx/compiled/icon.png +0 -0
  44. data/gfx/compiled/logo.png +0 -0
  45. data/gfx/compiled/spider.png +0 -0
  46. data/gfx/font/Beneath_the_Surface.ttf +0 -0
  47. data/gfx/font/bts_readme.txt +14 -0
  48. data/gfx/source/banner.svg +999 -0
  49. data/gfx/source/icon.svg +627 -0
  50. data/gfx/source/logo.svg +672 -0
  51. data/gfx/source/spider.png +0 -0
  52. data/gfx/source/spider.svg +277 -0
  53. data/lib/arachni.rb +30 -5
  54. data/lib/arachni/audit_store.rb +111 -143
  55. data/lib/arachni/banner.rb +37 -0
  56. data/lib/arachni/bloom_filter.rb +74 -0
  57. data/lib/arachni/cache.rb +21 -0
  58. data/lib/arachni/cache/base.rb +170 -0
  59. data/lib/arachni/cache/least_cost_replacement.rb +89 -0
  60. data/lib/arachni/cache/least_recently_used.rb +73 -0
  61. data/lib/arachni/cache/random_replacement.rb +52 -0
  62. data/lib/arachni/component/manager.rb +391 -0
  63. data/lib/arachni/component/options.rb +38 -0
  64. data/lib/arachni/component/options/address.rb +41 -0
  65. data/lib/arachni/component/options/base.rb +126 -0
  66. data/lib/arachni/component/options/bool.rb +55 -0
  67. data/lib/arachni/component/options/enum.rb +51 -0
  68. data/lib/arachni/component/options/float.rb +45 -0
  69. data/lib/arachni/component/options/int.rb +44 -0
  70. data/lib/arachni/component/options/path.rb +36 -0
  71. data/lib/arachni/component/options/port.rb +37 -0
  72. data/lib/arachni/component/options/string.rb +44 -0
  73. data/lib/arachni/component/options/url.rb +42 -0
  74. data/lib/arachni/crypto/rsa_aes_cbc.rb +14 -8
  75. data/lib/arachni/database.rb +4 -4
  76. data/lib/arachni/database/base.rb +14 -8
  77. data/lib/arachni/database/hash.rb +21 -12
  78. data/lib/arachni/database/queue.rb +15 -9
  79. data/lib/arachni/element/base.rb +147 -0
  80. data/lib/arachni/element/capabilities/auditable.rb +623 -0
  81. data/lib/arachni/element/capabilities/auditable/rdiff.rb +243 -0
  82. data/lib/arachni/element/capabilities/auditable/taint.rb +141 -0
  83. data/lib/arachni/element/capabilities/auditable/timeout.rb +330 -0
  84. data/lib/arachni/element/capabilities/body.rb +19 -0
  85. data/lib/arachni/element/capabilities/mutable.rb +286 -0
  86. data/lib/arachni/element/capabilities/path.rb +19 -0
  87. data/lib/arachni/element/capabilities/refreshable.rb +48 -0
  88. data/lib/arachni/element/capabilities/server.rb +19 -0
  89. data/lib/arachni/element/cookie.rb +1043 -0
  90. data/lib/arachni/element/form.rb +1364 -0
  91. data/lib/arachni/element/header.rb +87 -0
  92. data/lib/arachni/element/link.rb +227 -0
  93. data/lib/arachni/exceptions.rb +12 -34
  94. data/lib/arachni/framework.rb +345 -436
  95. data/lib/arachni/http.rb +445 -409
  96. data/lib/arachni/http/cookie_jar.rb +163 -0
  97. data/lib/arachni/issue.rb +102 -65
  98. data/lib/arachni/mixins/observable.rb +25 -28
  99. data/lib/arachni/mixins/progress_bar.rb +11 -5
  100. data/lib/arachni/mixins/terminal.rb +17 -11
  101. data/lib/arachni/module.rb +4 -4
  102. data/lib/arachni/module/auditor.rb +270 -793
  103. data/lib/arachni/module/base.rb +107 -101
  104. data/lib/arachni/module/element_db.rb +54 -59
  105. data/lib/arachni/module/key_filler.rb +35 -35
  106. data/lib/arachni/module/manager.rb +178 -68
  107. data/lib/arachni/module/output.rb +25 -30
  108. data/lib/arachni/module/trainer.rb +85 -156
  109. data/lib/arachni/module/utilities.rb +29 -138
  110. data/lib/arachni/options.rb +496 -162
  111. data/lib/arachni/page.rb +186 -0
  112. data/lib/arachni/parser.rb +392 -2
  113. data/lib/arachni/plugin.rb +4 -4
  114. data/lib/arachni/plugin/base.rb +113 -44
  115. data/lib/arachni/plugin/manager.rb +120 -54
  116. data/lib/arachni/report.rb +4 -4
  117. data/lib/arachni/report/base.rb +59 -44
  118. data/lib/arachni/report/manager.rb +33 -32
  119. data/lib/arachni/rpc/client.rb +2 -0
  120. data/lib/arachni/rpc/client/base.rb +31 -18
  121. data/lib/arachni/rpc/client/dispatcher.rb +24 -11
  122. data/lib/arachni/rpc/client/instance.rb +24 -11
  123. data/lib/arachni/rpc/server/base.rb +12 -9
  124. data/lib/arachni/rpc/server/dispatcher.rb +161 -164
  125. data/lib/arachni/rpc/server/dispatcher/handler.rb +164 -0
  126. data/lib/arachni/rpc/server/{node.rb → dispatcher/node.rb} +86 -104
  127. data/lib/arachni/rpc/server/distributor.rb +432 -0
  128. data/lib/arachni/rpc/server/framework.rb +266 -758
  129. data/lib/arachni/rpc/server/instance.rb +38 -53
  130. data/lib/arachni/rpc/server/module/manager.rb +17 -20
  131. data/lib/arachni/rpc/server/output.rb +73 -179
  132. data/lib/arachni/rpc/server/plugin/manager.rb +58 -24
  133. data/lib/arachni/ruby.rb +6 -4
  134. data/lib/arachni/ruby/array.rb +30 -9
  135. data/lib/arachni/ruby/enumerable.rb +29 -0
  136. data/lib/arachni/ruby/object.rb +47 -12
  137. data/lib/arachni/ruby/string.rb +69 -24
  138. data/lib/arachni/ruby/webrick.rb +31 -0
  139. data/lib/arachni/session.rb +279 -0
  140. data/lib/arachni/spider.rb +295 -149
  141. data/lib/arachni/typhoeus/hydra.rb +18 -4
  142. data/lib/arachni/typhoeus/request.rb +52 -65
  143. data/lib/arachni/typhoeus/response.rb +62 -22
  144. data/lib/arachni/typhoeus/utils.rb +25 -0
  145. data/lib/arachni/ui/cli/cli.rb +331 -298
  146. data/lib/arachni/ui/cli/output.rb +105 -77
  147. data/lib/arachni/ui/foo/output.rb +116 -0
  148. data/lib/arachni/ui/rpc/dispatcher_monitor.rb +5 -12
  149. data/lib/arachni/ui/rpc/rpc.rb +43 -48
  150. data/lib/arachni/ui/web/addon_manager.rb +18 -13
  151. data/lib/arachni/ui/web/addons/sample.rb +14 -8
  152. data/lib/arachni/ui/web/addons/scheduler.rb +14 -8
  153. data/lib/arachni/ui/web/addons/scheduler/views/index.erb +1 -1
  154. data/lib/arachni/ui/web/addons/scheduler/views/options.erb +0 -3
  155. data/lib/arachni/ui/web/dispatcher_manager.rb +14 -9
  156. data/lib/arachni/ui/web/instance_manager.rb +14 -8
  157. data/lib/arachni/ui/web/log.rb +14 -10
  158. data/lib/arachni/ui/web/output_stream.rb +11 -5
  159. data/lib/arachni/ui/web/report_manager.rb +14 -10
  160. data/lib/arachni/ui/web/scheduler.rb +16 -11
  161. data/lib/arachni/ui/web/server.rb +62 -56
  162. data/lib/arachni/ui/web/server/public/style.css +1 -1
  163. data/lib/arachni/ui/web/server/views/addon.erb +1 -1
  164. data/lib/arachni/ui/web/server/views/dispatchers.erb +3 -3
  165. data/lib/arachni/ui/web/server/views/dispatchers_edit.erb +2 -2
  166. data/lib/arachni/ui/web/server/views/error.erb +1 -1
  167. data/lib/arachni/ui/web/server/views/home.erb +2 -2
  168. data/lib/arachni/ui/web/server/views/instance.erb +6 -6
  169. data/lib/arachni/ui/web/server/views/layout.erb +4 -4
  170. data/lib/arachni/ui/web/server/views/settings.erb +13 -8
  171. data/lib/arachni/ui/web/server/views/welcome.erb +1 -1
  172. data/lib/arachni/ui/web/utilities.rb +24 -35
  173. data/lib/arachni/uri.rb +619 -0
  174. data/lib/arachni/utilities.rb +316 -0
  175. data/lib/arachni/version.rb +12 -6
  176. data/lib/version +1 -0
  177. data/modules/audit/code_injection.rb +64 -81
  178. data/modules/audit/code_injection_timing.rb +57 -75
  179. data/modules/audit/csrf.rb +87 -185
  180. data/modules/audit/ldapi.rb +42 -67
  181. data/modules/audit/os_cmd_injection.rb +53 -71
  182. data/modules/audit/os_cmd_injection/payloads.txt +1 -1
  183. data/modules/audit/os_cmd_injection_timing.rb +54 -75
  184. data/modules/audit/os_cmd_injection_timing/payloads.txt +1 -3
  185. data/modules/audit/path_traversal.rb +84 -110
  186. data/modules/audit/response_splitting.rb +41 -53
  187. data/modules/audit/rfi.rb +68 -76
  188. data/modules/audit/session_fixation.rb +86 -0
  189. data/modules/audit/sqli.rb +51 -77
  190. data/modules/audit/sqli/regexp_ids.txt +5 -19
  191. data/modules/audit/sqli/regexp_ignore.txt +2 -0
  192. data/modules/audit/sqli_blind_rdiff.rb +51 -62
  193. data/modules/audit/sqli_blind_timing.rb +53 -73
  194. data/modules/audit/trainer.rb +21 -58
  195. data/modules/audit/unvalidated_redirect.rb +41 -51
  196. data/modules/audit/xpath.rb +38 -69
  197. data/modules/audit/xpath/errors.txt +2 -3
  198. data/modules/audit/xss.rb +65 -69
  199. data/modules/audit/xss_event.rb +50 -69
  200. data/modules/audit/xss_path.rb +63 -89
  201. data/modules/audit/xss_script_tag.rb +53 -66
  202. data/modules/audit/xss_tag.rb +46 -65
  203. data/modules/audit/xss_uri.rb +22 -24
  204. data/modules/recon/allowed_methods.rb +46 -62
  205. data/modules/recon/backdoors.rb +39 -66
  206. data/modules/recon/backup_files.rb +49 -79
  207. data/modules/recon/common_directories.rb +39 -63
  208. data/modules/recon/common_directories/directories.txt +0 -5
  209. data/modules/recon/common_files.rb +34 -63
  210. data/modules/recon/directory_listing.rb +66 -116
  211. data/modules/recon/grep/captcha.rb +34 -41
  212. data/modules/recon/grep/credit_card.rb +57 -68
  213. data/modules/recon/grep/cvs_svn_users.rb +40 -50
  214. data/modules/recon/grep/emails.rb +34 -41
  215. data/modules/recon/grep/html_objects.rb +30 -33
  216. data/modules/recon/grep/http_only_cookies.rb +57 -0
  217. data/modules/recon/grep/insecure_cookies.rb +55 -0
  218. data/modules/recon/grep/mixed_resource.rb +93 -0
  219. data/modules/recon/grep/private_ip.rb +34 -32
  220. data/modules/recon/grep/ssn.rb +33 -31
  221. data/modules/recon/grep/unencrypted_password_forms.rb +84 -0
  222. data/modules/recon/htaccess_limit.rb +38 -54
  223. data/modules/recon/http_put.rb +48 -62
  224. data/modules/recon/interesting_responses.rb +77 -79
  225. data/modules/recon/webdav.rb +53 -79
  226. data/modules/recon/xst.rb +44 -63
  227. data/modules/test2.rb +46 -0
  228. data/path_extractors/anchors.rb +17 -15
  229. data/path_extractors/forms.rb +17 -15
  230. data/path_extractors/frames.rb +17 -18
  231. data/path_extractors/generic.rb +52 -55
  232. data/path_extractors/links.rb +16 -14
  233. data/path_extractors/meta_refresh.rb +33 -18
  234. data/path_extractors/scripts.rb +17 -15
  235. data/plugins/autologin.rb +60 -85
  236. data/plugins/beep_notify.rb +25 -27
  237. data/plugins/cookie_collector.rb +28 -45
  238. data/plugins/defaults/autothrottle.rb +43 -51
  239. data/plugins/defaults/content_types.rb +63 -52
  240. data/plugins/defaults/healthmap.rb +45 -62
  241. data/plugins/defaults/{metamodules → meta}/remedies/discovery.rb +34 -69
  242. data/plugins/defaults/meta/remedies/manual_verification.rb +61 -0
  243. data/plugins/defaults/meta/remedies/timing_attacks.rb +108 -0
  244. data/plugins/defaults/meta/uniformity.rb +81 -0
  245. data/plugins/defaults/profiler.rb +68 -115
  246. data/plugins/defaults/resolver.rb +33 -28
  247. data/plugins/email_notify.rb +60 -62
  248. data/plugins/form_dicattack.rb +67 -121
  249. data/plugins/http_dicattack.rb +51 -65
  250. data/plugins/libnotify.rb +37 -41
  251. data/plugins/proxy.rb +407 -152
  252. data/plugins/proxy/panel/403_forbidden.html.erb +11 -0
  253. data/plugins/proxy/panel/404_not_found.html.erb +6 -0
  254. data/plugins/proxy/panel/css/bootstrap.min.css +9 -0
  255. data/plugins/proxy/panel/css/panel.css +30 -0
  256. data/plugins/proxy/panel/help.html.erb +66 -0
  257. data/plugins/proxy/panel/img/glyphicons-halflings-white.png +0 -0
  258. data/plugins/proxy/panel/img/glyphicons-halflings.png +0 -0
  259. data/plugins/proxy/panel/img/record.png +0 -0
  260. data/plugins/proxy/panel/inspect.html.erb +7 -0
  261. data/plugins/proxy/panel/js/bootstrap.min.js +6 -0
  262. data/plugins/proxy/panel/js/jquery.min.js +2 -0
  263. data/plugins/proxy/panel/js/panel.js +39 -0
  264. data/plugins/proxy/panel/layout.html.erb +25 -0
  265. data/plugins/proxy/panel/page_accordion.html.erb +67 -0
  266. data/plugins/proxy/panel/page_twin_accordion.html.erb +18 -0
  267. data/plugins/proxy/panel/panel.html.erb +63 -0
  268. data/plugins/proxy/panel/shutdown_message.html.erb +7 -0
  269. data/plugins/proxy/panel/verify_login_check.html.erb +31 -0
  270. data/plugins/proxy/panel/verify_login_final.html.erb +26 -0
  271. data/plugins/proxy/panel/verify_login_sequence.html.erb +45 -0
  272. data/plugins/proxy/server.rb +175 -47
  273. data/plugins/proxy/ssl-interceptor-cert.pem +34 -0
  274. data/plugins/proxy/ssl-interceptor-pkey.pem +51 -0
  275. data/plugins/rescan.rb +27 -28
  276. data/plugins/script.rb +53 -0
  277. data/plugins/vector_feed.rb +226 -0
  278. data/plugins/waf_detector.rb +70 -73
  279. data/reports/afr.rb +23 -24
  280. data/reports/ap.rb +25 -36
  281. data/reports/html.rb +109 -163
  282. data/reports/html/default.erb +13 -12
  283. data/reports/html/default/configuration.erb +21 -21
  284. data/reports/html/default/css/main.css +350 -350
  285. data/reports/html/default/issues.erb +1 -1
  286. data/reports/html/default/js/charts.js +2 -2
  287. data/reports/html/default/js/helpers.js +0 -42
  288. data/reports/html/default/js/init.js +0 -1
  289. data/reports/html/default/sitemap.erb +2 -2
  290. data/reports/html/default/summary.erb +4 -4
  291. data/reports/html/default/summary_issue.erb +1 -1
  292. data/reports/json.rb +26 -28
  293. data/reports/marshal.rb +23 -25
  294. data/reports/metareport.rb +65 -98
  295. data/reports/plugin_formatters/html/autologin.rb +34 -41
  296. data/reports/plugin_formatters/html/content_types.rb +46 -52
  297. data/reports/plugin_formatters/html/cookie_collector.rb +41 -47
  298. data/reports/plugin_formatters/html/discovery.rb +36 -41
  299. data/reports/plugin_formatters/html/form_dicattack.rb +28 -34
  300. data/reports/plugin_formatters/html/healthmap.rb +48 -55
  301. data/reports/plugin_formatters/html/http_dicattack.rb +28 -34
  302. data/reports/plugin_formatters/html/profiler.rb +26 -30
  303. data/reports/plugin_formatters/html/profiler/template.erb +7 -7
  304. data/reports/plugin_formatters/html/resolver.rb +44 -52
  305. data/reports/plugin_formatters/html/timing_attacks.rb +42 -44
  306. data/reports/plugin_formatters/html/uniformity.rb +37 -42
  307. data/reports/plugin_formatters/html/waf_detector.rb +26 -34
  308. data/reports/plugin_formatters/stdout/autologin.rb +28 -40
  309. data/reports/plugin_formatters/stdout/content_types.rb +36 -53
  310. data/reports/plugin_formatters/stdout/cookie_collector.rb +28 -41
  311. data/reports/plugin_formatters/stdout/discovery.rb +27 -37
  312. data/reports/plugin_formatters/stdout/form_dicattack.rb +22 -35
  313. data/reports/plugin_formatters/stdout/healthmap.rb +40 -57
  314. data/reports/plugin_formatters/stdout/http_dicattack.rb +22 -36
  315. data/reports/plugin_formatters/stdout/profiler.rb +55 -74
  316. data/reports/plugin_formatters/stdout/resolver.rb +18 -34
  317. data/reports/plugin_formatters/stdout/timing_attacks.rb +27 -39
  318. data/reports/plugin_formatters/stdout/uniformity.rb +32 -44
  319. data/reports/plugin_formatters/stdout/waf_detector.rb +20 -32
  320. data/reports/plugin_formatters/xml/autologin.rb +27 -49
  321. data/reports/plugin_formatters/xml/content_types.rb +41 -66
  322. data/reports/plugin_formatters/xml/cookie_collector.rb +29 -49
  323. data/reports/plugin_formatters/xml/discovery.rb +23 -41
  324. data/reports/plugin_formatters/xml/form_dicattack.rb +22 -40
  325. data/reports/plugin_formatters/xml/healthmap.rb +44 -63
  326. data/reports/plugin_formatters/xml/http_dicattack.rb +22 -41
  327. data/reports/plugin_formatters/xml/profiler.rb +65 -89
  328. data/reports/plugin_formatters/xml/resolver.rb +21 -41
  329. data/reports/plugin_formatters/xml/timing_attacks.rb +27 -45
  330. data/reports/plugin_formatters/xml/uniformity.rb +36 -55
  331. data/reports/plugin_formatters/xml/waf_detector.rb +23 -42
  332. data/reports/stdout.rb +120 -121
  333. data/reports/txt.rb +29 -45
  334. data/reports/xml.rb +109 -148
  335. data/reports/xml/buffer.rb +66 -79
  336. data/reports/yaml.rb +26 -28
  337. data/rpcd_handlers/placeholder +0 -0
  338. data/spec/arachni/audit_store_spec.rb +223 -0
  339. data/spec/arachni/bloom_filter_spec.rb +76 -0
  340. data/spec/arachni/cache/base_spec.rb +275 -0
  341. data/spec/arachni/cache/least_cost_replacement_spec.rb +58 -0
  342. data/spec/arachni/cache/least_recently_used_spec.rb +91 -0
  343. data/spec/arachni/cache/random_replacement_spec.rb +43 -0
  344. data/spec/arachni/component/manager_spec.rb +448 -0
  345. data/spec/arachni/component/options/address_spec.rb +32 -0
  346. data/spec/arachni/component/options/base_spec.rb +105 -0
  347. data/spec/arachni/component/options/bool_spec.rb +67 -0
  348. data/spec/arachni/component/options/enum_spec.rb +51 -0
  349. data/spec/arachni/component/options/float_spec.rb +42 -0
  350. data/spec/arachni/component/options/int_spec.rb +46 -0
  351. data/spec/arachni/component/options/path_spec.rb +32 -0
  352. data/spec/arachni/component/options/port_spec.rb +38 -0
  353. data/spec/arachni/component/options/string_spec.rb +38 -0
  354. data/spec/arachni/component/options/url_spec.rb +36 -0
  355. data/spec/arachni/crypto/rsa_aes_cbc_spec.rb +31 -0
  356. data/spec/arachni/database/hash_spec.rb +217 -0
  357. data/spec/arachni/database/queue_spec.rb +52 -0
  358. data/spec/arachni/element/base_spec.rb +127 -0
  359. data/spec/arachni/element/body_spec.rb +9 -0
  360. data/spec/arachni/element/capabilities/auditable/rdiff_spec.rb +47 -0
  361. data/spec/arachni/element/capabilities/auditable/taint_spec.rb +110 -0
  362. data/spec/arachni/element/capabilities/auditable/timeout_spec.rb +107 -0
  363. data/spec/arachni/element/capabilities/mutable_spec.rb +261 -0
  364. data/spec/arachni/element/cookie_spec.rb +362 -0
  365. data/spec/arachni/element/form_spec.rb +668 -0
  366. data/spec/arachni/element/header_spec.rb +49 -0
  367. data/spec/arachni/element/link_spec.rb +220 -0
  368. data/spec/arachni/element/path_spec.rb +9 -0
  369. data/spec/arachni/element/server_spec.rb +9 -0
  370. data/spec/arachni/framework_spec.rb +860 -0
  371. data/spec/arachni/http/cookie_jar_spec.rb +267 -0
  372. data/spec/arachni/http_spec.rb +991 -0
  373. data/spec/arachni/issue_spec.rb +307 -0
  374. data/spec/arachni/mixins/observable_spec.rb +59 -0
  375. data/spec/arachni/mixins/progress_bar_spec.rb +41 -0
  376. data/spec/arachni/module/auditor_spec.rb +506 -0
  377. data/spec/arachni/module/element_db_spec.rb +131 -0
  378. data/spec/arachni/module/key_filler.rb +15 -0
  379. data/spec/arachni/module/manager_spec.rb +154 -0
  380. data/spec/arachni/module/trainer_spec.rb +102 -0
  381. data/spec/arachni/module/utilities_spec.rb +30 -0
  382. data/spec/arachni/module/utilities_spec/read_file.txt +3 -0
  383. data/spec/arachni/options_spec.rb +555 -0
  384. data/spec/arachni/page_spec.rb +290 -0
  385. data/spec/arachni/parser_spec.rb +508 -0
  386. data/spec/arachni/plugin/manager_spec.rb +174 -0
  387. data/spec/arachni/report/base_spec.rb +53 -0
  388. data/spec/arachni/report/manager_spec.rb +82 -0
  389. data/spec/arachni/rpc/client/base_spec.rb +157 -0
  390. data/spec/arachni/rpc/client/dispatcher_spec.rb +40 -0
  391. data/spec/arachni/rpc/client/instance_spec.rb +92 -0
  392. data/spec/arachni/rpc/server/base_spec.rb +40 -0
  393. data/spec/arachni/rpc/server/dispatcher/handler.rb +120 -0
  394. data/spec/arachni/rpc/server/dispatcher/node_spec.rb +220 -0
  395. data/spec/arachni/rpc/server/dispatcher_spec.rb +136 -0
  396. data/spec/arachni/rpc/server/distributor_spec.rb +628 -0
  397. data/spec/arachni/rpc/server/framework_hpg_spec.rb +321 -0
  398. data/spec/arachni/rpc/server/framework_simple_spec.rb +453 -0
  399. data/spec/arachni/rpc/server/instance_spec.rb +81 -0
  400. data/spec/arachni/rpc/server/modules/manager_spec.rb +79 -0
  401. data/spec/arachni/rpc/server/options_spec.rb +124 -0
  402. data/spec/arachni/rpc/server/output_spec.rb +238 -0
  403. data/spec/arachni/rpc/server/plugin/manager_spec.rb +86 -0
  404. data/spec/arachni/ruby/array_spec.rb +103 -0
  405. data/spec/arachni/ruby/enumerable_spec.rb +37 -0
  406. data/spec/arachni/ruby/object_spec.rb +38 -0
  407. data/spec/arachni/ruby/string_spec.rb +77 -0
  408. data/spec/arachni/ruby/webrick_spec.rb +15 -0
  409. data/spec/arachni/session_spec.rb +308 -0
  410. data/spec/arachni/spider_spec.rb +383 -0
  411. data/spec/arachni/typhoeus/hydra_spec.rb +14 -0
  412. data/spec/arachni/typhoeus/requrest_spec.rb +58 -0
  413. data/spec/arachni/typhoeus/response_spec.rb +78 -0
  414. data/spec/arachni/uri_spec.rb +462 -0
  415. data/spec/arachni/utilities_spec.rb +297 -0
  416. data/spec/fixtures/auditstore.afr +2959 -0
  417. data/spec/fixtures/cookies.txt +9 -0
  418. data/spec/fixtures/modules/test.rb +58 -0
  419. data/spec/fixtures/modules/test2.rb +46 -0
  420. data/spec/fixtures/modules/test3.rb +46 -0
  421. data/spec/fixtures/passwords.txt +17 -0
  422. data/spec/fixtures/plugins/bad.rb +46 -0
  423. data/spec/fixtures/plugins/defaults/default.rb +45 -0
  424. data/spec/fixtures/plugins/distributable.rb +42 -0
  425. data/spec/fixtures/plugins/loop.rb +32 -0
  426. data/spec/fixtures/plugins/wait.rb +34 -0
  427. data/spec/fixtures/plugins/with_options.rb +31 -0
  428. data/spec/fixtures/reports/base_spec/plugin_formatters/with_formatters/foobar.rb +21 -0
  429. data/spec/fixtures/reports/base_spec/with_formatters.rb +23 -0
  430. data/spec/fixtures/reports/base_spec/with_outfile.rb +24 -0
  431. data/spec/fixtures/reports/base_spec/without_outfile.rb +20 -0
  432. data/spec/fixtures/reports/manager_spec/afr.rb +21 -0
  433. data/spec/fixtures/reports/manager_spec/foo.rb +26 -0
  434. data/spec/fixtures/rescan.afr.tpl +145 -0
  435. data/spec/fixtures/rpcd_handlers/echo.rb +68 -0
  436. data/spec/fixtures/run_mod/body.rb +58 -0
  437. data/spec/fixtures/run_mod/cookies.rb +58 -0
  438. data/spec/fixtures/run_mod/empty.rb +58 -0
  439. data/spec/fixtures/run_mod/flch.rb +63 -0
  440. data/spec/fixtures/run_mod/forms.rb +58 -0
  441. data/spec/fixtures/run_mod/headers.rb +58 -0
  442. data/spec/fixtures/run_mod/links.rb +58 -0
  443. data/spec/fixtures/run_mod/nil.rb +57 -0
  444. data/spec/fixtures/run_mod/path.rb +58 -0
  445. data/spec/fixtures/run_mod/server.rb +58 -0
  446. data/spec/fixtures/script_plugin.rb +1 -0
  447. data/spec/fixtures/taint_module/taint.rb +48 -0
  448. data/spec/fixtures/usernames.txt +13 -0
  449. data/spec/fixtures/wait_module/wait.rb +48 -0
  450. data/spec/helpers/auditor.rb +9 -0
  451. data/spec/helpers/misc.rb +41 -0
  452. data/spec/helpers/processes.rb +112 -0
  453. data/spec/helpers/requires.rb +8 -0
  454. data/spec/helpers/server.rb +54 -0
  455. data/spec/logs/Dispatcher - 2752-13830.log +49 -0
  456. data/spec/logs/Dispatcher - 2766-8238.log +35 -0
  457. data/spec/logs/Dispatcher - 2808-9029.log +31 -0
  458. data/spec/logs/Dispatcher - 2854-8571.log +26 -0
  459. data/spec/logs/Dispatcher - 2888-10411.log +20 -0
  460. data/spec/logs/Dispatcher - 2922-14464.log +13 -0
  461. data/spec/logs/Dispatcher - 2957-15255.log +19 -0
  462. data/spec/logs/Dispatcher - 3216-14203.log +35 -0
  463. data/spec/logs/Dispatcher - 3305-8622.log +43 -0
  464. data/spec/logs/Dispatcher - 3340-15426.log +35 -0
  465. data/spec/logs/Dispatcher - 3399-12586.log +40 -0
  466. data/spec/logs/Dispatcher - 3433-14149.log +26 -0
  467. data/spec/logs/Dispatcher - 3582-6198.log +27 -0
  468. data/spec/logs/Dispatcher - 3616-11169.log +13 -0
  469. data/spec/logs/Dispatcher - 3849-9016.log +7 -0
  470. data/spec/logs/output_spec.log +4 -0
  471. data/spec/logs/placeholder +0 -0
  472. data/spec/modules/audit/code_injection_spec.rb +25 -0
  473. data/spec/modules/audit/code_injection_timing_spec.rb +24 -0
  474. data/spec/modules/audit/csrf_spec.rb +38 -0
  475. data/spec/modules/audit/ldapi_spec.rb +19 -0
  476. data/spec/modules/audit/os_cmd_injection_spec.rb +24 -0
  477. data/spec/modules/audit/os_cmd_injection_timing_spec.rb +24 -0
  478. data/spec/modules/audit/path_traversal_spec.rb +23 -0
  479. data/spec/modules/audit/response_splitting_spec.rb +19 -0
  480. data/spec/modules/audit/rfi_spec.rb +19 -0
  481. data/spec/modules/audit/session_fixation_spec.rb +23 -0
  482. data/spec/modules/audit/sqli_blind_rdiff_spec.rb +19 -0
  483. data/spec/modules/audit/sqli_blind_timing_spec.rb +23 -0
  484. data/spec/modules/audit/sqli_spec.rb +24 -0
  485. data/spec/modules/audit/trainer_spec.rb +25 -0
  486. data/spec/modules/audit/unvalidated_redirect_spec.rb +24 -0
  487. data/spec/modules/audit/xpath_spec.rb +25 -0
  488. data/spec/modules/audit/xss_event_spec.rb +19 -0
  489. data/spec/modules/audit/xss_path_spec.rb +19 -0
  490. data/spec/modules/audit/xss_script_tag_spec.rb +19 -0
  491. data/spec/modules/audit/xss_spec.rb +24 -0
  492. data/spec/modules/audit/xss_tag_spec.rb +19 -0
  493. data/spec/modules/recon/allowed_methods_spec.rb +19 -0
  494. data/spec/modules/recon/backdoors_spec.rb +19 -0
  495. data/spec/modules/recon/backup_files_spec.rb +19 -0
  496. data/spec/modules/recon/common_directories_spec.rb +19 -0
  497. data/spec/modules/recon/common_files_spec.rb +19 -0
  498. data/spec/modules/recon/directory_listing_spec.rb +19 -0
  499. data/spec/modules/recon/grep/captcha_spec.rb +19 -0
  500. data/spec/modules/recon/grep/credit_card_spec.rb +19 -0
  501. data/spec/modules/recon/grep/cvs_svn_users_spec.rb +19 -0
  502. data/spec/modules/recon/grep/emails_spec.rb +19 -0
  503. data/spec/modules/recon/grep/html_objects_spec.rb +19 -0
  504. data/spec/modules/recon/grep/http_only_cookies_spec.rb +19 -0
  505. data/spec/modules/recon/grep/insecure_cookies_spec.rb +19 -0
  506. data/spec/modules/recon/grep/mixed_resource_spec.rb +20 -0
  507. data/spec/modules/recon/grep/private_ip_spec.rb +26 -0
  508. data/spec/modules/recon/grep/ssn_spec.rb +19 -0
  509. data/spec/modules/recon/grep/unencrypted_password_forms_spec.rb +19 -0
  510. data/spec/modules/recon/htaccess_limit_spec.rb +19 -0
  511. data/spec/modules/recon/http_put_spec.rb +19 -0
  512. data/spec/modules/recon/interesting_responses_spec.rb +27 -0
  513. data/spec/modules/recon/webdav_spec.rb +19 -0
  514. data/spec/modules/recon/xst_spec.rb +19 -0
  515. data/spec/path_extractors/anchors_spec.rb +19 -0
  516. data/spec/path_extractors/forms_spec.rb +19 -0
  517. data/spec/path_extractors/frames_spec.rb +20 -0
  518. data/spec/path_extractors/generic_spec.rb +28 -0
  519. data/spec/path_extractors/links_spec.rb +19 -0
  520. data/spec/path_extractors/meta_refresh_spec.rb +24 -0
  521. data/spec/path_extractors/scripts_spec.rb +19 -0
  522. data/spec/pems/cacert.pem +39 -0
  523. data/spec/pems/client/cert.pem +39 -0
  524. data/spec/pems/client/foo-cert.pem +39 -0
  525. data/spec/pems/client/foo-key.pem +51 -0
  526. data/spec/pems/client/key.pem +51 -0
  527. data/spec/pems/server/cert.pem +39 -0
  528. data/spec/pems/server/key.pem +51 -0
  529. data/spec/plugins/autologin_spec.rb +76 -0
  530. data/spec/plugins/autothrottle_spec.rb +45 -0
  531. data/spec/plugins/content_types_spec.rb +93 -0
  532. data/spec/plugins/cookie_collector_spec.rb +32 -0
  533. data/spec/plugins/form_dicattack_spec.rb +60 -0
  534. data/spec/plugins/healthmap_spec.rb +40 -0
  535. data/spec/plugins/http_dicattack_spec.rb +40 -0
  536. data/spec/plugins/meta/remedies/discovery_spec.rb +15 -0
  537. data/spec/plugins/meta/remedies/manual_verification_spec.rb +28 -0
  538. data/spec/plugins/meta/remedies/timing_attacks_spec.rb +30 -0
  539. data/spec/plugins/meta/uniformity_spec.rb +83 -0
  540. data/spec/plugins/profiler_spec.rb +82 -0
  541. data/spec/plugins/rescan_spec.rb +26 -0
  542. data/spec/plugins/resolver_spec.rb +16 -0
  543. data/spec/plugins/script_spec.rb +12 -0
  544. data/spec/plugins/vector_feed_spec.rb +155 -0
  545. data/spec/plugins/waf_detector_spec.rb +41 -0
  546. data/spec/reports/afr_spec.rb +13 -0
  547. data/spec/reports/ap_spec.rb +9 -0
  548. data/spec/reports/html_spec.rb +13 -0
  549. data/spec/reports/json_spec.rb +17 -0
  550. data/spec/reports/marshal_spec.rb +13 -0
  551. data/spec/reports/stdout_spec.rb +9 -0
  552. data/spec/reports/txt_spec.rb +8 -0
  553. data/spec/reports/xml_spec.rb +13 -0
  554. data/spec/reports/yaml_spec.rb +13 -0
  555. data/spec/servers/arachni/element/capabilities/auditable/rdiff.rb +36 -0
  556. data/spec/servers/arachni/element/capabilities/auditable/taint.rb +10 -0
  557. data/spec/servers/arachni/element/capabilities/auditable/timeout.rb +30 -0
  558. data/spec/servers/arachni/element/cookie.rb +37 -0
  559. data/spec/servers/arachni/element/form.rb +93 -0
  560. data/spec/servers/arachni/element/header.rb +22 -0
  561. data/spec/servers/arachni/element/link.rb +26 -0
  562. data/spec/servers/arachni/framework.rb +54 -0
  563. data/spec/servers/arachni/http.rb +140 -0
  564. data/spec/servers/arachni/http_auth.rb +9 -0
  565. data/spec/servers/arachni/module/auditor.rb +135 -0
  566. data/spec/servers/arachni/module/trainer.rb +40 -0
  567. data/spec/servers/arachni/parser.rb +70 -0
  568. data/spec/servers/arachni/rpc/server/framework_hpg.rb +21 -0
  569. data/spec/servers/arachni/rpc/server/framework_simple.rb +30 -0
  570. data/spec/servers/arachni/session.rb +110 -0
  571. data/spec/servers/arachni/spider.rb +148 -0
  572. data/spec/servers/modules/audit/code_injection.rb +140 -0
  573. data/spec/servers/modules/audit/code_injection_timing.rb +110 -0
  574. data/spec/servers/modules/audit/csrf.rb +80 -0
  575. data/spec/servers/modules/audit/ldapi.rb +73 -0
  576. data/spec/servers/modules/audit/os_cmd_injection.rb +140 -0
  577. data/spec/servers/modules/audit/os_cmd_injection_timing.rb +111 -0
  578. data/spec/servers/modules/audit/path_traversal.rb +176 -0
  579. data/spec/servers/modules/audit/response_splitting.rb +114 -0
  580. data/spec/servers/modules/audit/rfi.rb +113 -0
  581. data/spec/servers/modules/audit/session_fixation.rb +87 -0
  582. data/spec/servers/modules/audit/sqli.rb +118 -0
  583. data/spec/servers/modules/audit/sqli/coldfusion +1 -0
  584. data/spec/servers/modules/audit/sqli/db2 +4 -0
  585. data/spec/servers/modules/audit/sqli/emc +2 -0
  586. data/spec/servers/modules/audit/sqli/informix +3 -0
  587. data/spec/servers/modules/audit/sqli/interbase +2 -0
  588. data/spec/servers/modules/audit/sqli/jdbc +0 -0
  589. data/spec/servers/modules/audit/sqli/mssql +26 -0
  590. data/spec/servers/modules/audit/sqli/mysql +13 -0
  591. data/spec/servers/modules/audit/sqli/oracle +6 -0
  592. data/spec/servers/modules/audit/sqli/postgresql +7 -0
  593. data/spec/servers/modules/audit/sqli/sqlite +4 -0
  594. data/spec/servers/modules/audit/sqli/sybase +0 -0
  595. data/spec/servers/modules/audit/sqli_blind_rdiff.rb +74 -0
  596. data/spec/servers/modules/audit/sqli_blind_timing.rb +121 -0
  597. data/spec/servers/modules/audit/trainer_module.rb +160 -0
  598. data/spec/servers/modules/audit/unvalidated_redirect.rb +115 -0
  599. data/spec/servers/modules/audit/xpath.rb +111 -0
  600. data/spec/servers/modules/audit/xpath/dotnet +5 -0
  601. data/spec/servers/modules/audit/xpath/general +13 -0
  602. data/spec/servers/modules/audit/xpath/java +3 -0
  603. data/spec/servers/modules/audit/xpath/libxml2 +2 -0
  604. data/spec/servers/modules/audit/xpath/php +2 -0
  605. data/spec/servers/modules/audit/xss.rb +152 -0
  606. data/spec/servers/modules/audit/xss_event.rb +80 -0
  607. data/spec/servers/modules/audit/xss_path.rb +44 -0
  608. data/spec/servers/modules/audit/xss_script_tag.rb +73 -0
  609. data/spec/servers/modules/audit/xss_tag.rb +139 -0
  610. data/spec/servers/modules/module_server.rb +14 -0
  611. data/spec/servers/modules/recon/allowed_methods.rb +5 -0
  612. data/spec/servers/modules/recon/backdoors.rb +4 -0
  613. data/spec/servers/modules/recon/backup_files.rb +28 -0
  614. data/spec/servers/modules/recon/common_directories.rb +6 -0
  615. data/spec/servers/modules/recon/common_files.rb +6 -0
  616. data/spec/servers/modules/recon/directory_listing.rb +30 -0
  617. data/spec/servers/modules/recon/grep/captcha.rb +27 -0
  618. data/spec/servers/modules/recon/grep/credit_card.rb +28 -0
  619. data/spec/servers/modules/recon/grep/cvs_svn_users.rb +23 -0
  620. data/spec/servers/modules/recon/grep/emails.rb +21 -0
  621. data/spec/servers/modules/recon/grep/html_objects.rb +7 -0
  622. data/spec/servers/modules/recon/grep/http_only_cookies.rb +21 -0
  623. data/spec/servers/modules/recon/grep/insecure_cookies.rb +21 -0
  624. data/spec/servers/modules/recon/grep/mixed_resource.rb +83 -0
  625. data/spec/servers/modules/recon/grep/private_ip.rb +18 -0
  626. data/spec/servers/modules/recon/grep/ssn.rb +5 -0
  627. data/spec/servers/modules/recon/grep/unencrypted_password_forms.rb +33 -0
  628. data/spec/servers/modules/recon/htaccess_limit.rb +8 -0
  629. data/spec/servers/modules/recon/http_put.rb +7 -0
  630. data/spec/servers/modules/recon/interesting_responses.rb +5 -0
  631. data/spec/servers/modules/recon/webdav.rb +25 -0
  632. data/spec/servers/modules/recon/xst.rb +6 -0
  633. data/spec/servers/plugins/autologin.rb +38 -0
  634. data/spec/servers/plugins/autothrottle.rb +8 -0
  635. data/spec/servers/plugins/content_types.rb +17 -0
  636. data/spec/servers/plugins/cookie_collector.rb +20 -0
  637. data/spec/servers/plugins/form_dicattack.rb +28 -0
  638. data/spec/servers/plugins/healthmap.rb +16 -0
  639. data/spec/servers/plugins/http_dicattack.rb +9 -0
  640. data/spec/servers/plugins/http_dicattack_secure.rb +9 -0
  641. data/spec/servers/plugins/http_dicattack_unprotected.rb +5 -0
  642. data/spec/servers/plugins/meta/remedies/discovery.rb +7 -0
  643. data/spec/servers/plugins/meta/remedies/timing_attacks.rb +29 -0
  644. data/spec/servers/plugins/profiler.rb +82 -0
  645. data/spec/servers/plugins/rescan.rb +31 -0
  646. data/spec/servers/plugins/waf_detector.rb +33 -0
  647. data/spec/shared/component.rb +43 -0
  648. data/spec/shared/element/capabilities/auditable.rb +729 -0
  649. data/spec/shared/element/capabilities/refreshable.rb +56 -0
  650. data/spec/shared/module.rb +162 -0
  651. data/spec/shared/path_extractor.rb +47 -0
  652. data/spec/shared/plugin.rb +50 -0
  653. data/spec/shared/reports.rb +47 -0
  654. data/spec/spec_helper.rb +53 -0
  655. metadata +870 -323
  656. data/extras/modules/recon/raft_dirs.rb +0 -108
  657. data/extras/modules/recon/raft_dirs/raft-large-directories.txt +0 -62290
  658. data/extras/modules/recon/raft_files.rb +0 -110
  659. data/extras/modules/recon/raft_files/raft-large-files.txt +0 -37037
  660. data/extras/modules/recon/svn_digger_dirs.rb +0 -108
  661. data/extras/modules/recon/svn_digger_dirs/Licence.txt +0 -674
  662. data/extras/modules/recon/svn_digger_dirs/ReadMe-Arachni.txt +0 -4
  663. data/extras/modules/recon/svn_digger_dirs/ReadMe.txt +0 -6
  664. data/extras/modules/recon/svn_digger_dirs/all-dirs.txt +0 -5960
  665. data/extras/modules/recon/svn_digger_files.rb +0 -114
  666. data/extras/modules/recon/svn_digger_files/Licence.txt +0 -674
  667. data/extras/modules/recon/svn_digger_files/ReadMe-Arachni.txt +0 -4
  668. data/extras/modules/recon/svn_digger_files/ReadMe.txt +0 -6
  669. data/extras/modules/recon/svn_digger_files/all-extensionless.txt +0 -25419
  670. data/extras/modules/recon/svn_digger_files/all.txt +0 -43135
  671. data/lib/arachni/component_manager.rb +0 -293
  672. data/lib/arachni/component_options.rb +0 -425
  673. data/lib/arachni/parser/auditable.rb +0 -606
  674. data/lib/arachni/parser/elements.rb +0 -315
  675. data/lib/arachni/parser/page.rb +0 -168
  676. data/lib/arachni/parser/parser.rb +0 -866
  677. data/lib/arachni/rpc/server/options.rb +0 -95
  678. data/lib/arachni/ui/web/addons/autodeploy.rb +0 -207
  679. data/lib/arachni/ui/web/addons/autodeploy/lib/manager.rb +0 -398
  680. data/lib/arachni/ui/web/addons/autodeploy/views/index.erb +0 -291
  681. data/modules/recon/mixed_resource.rb +0 -100
  682. data/modules/recon/unencrypted_password_forms.rb +0 -107
  683. data/path_extractors/sitemap.rb +0 -31
  684. data/plugins/defaults/metamodules/remedies/manual_verification.rb +0 -65
  685. data/plugins/defaults/metamodules/remedies/timing_attacks.rb +0 -134
  686. data/plugins/defaults/metamodules/uniformity.rb +0 -99
  687. data/reports/metareport/arachni_metareport.rb +0 -174
  688. data/reports/plugin_formatters/stdout/metamodules.rb +0 -82
data/spec/arachni/http/cookie_jar_spec.rb ADDED
@@ -0,0 +1,267 @@
1
+ require_relative '../../spec_helper'
2
+
3
+ describe Arachni::HTTP::CookieJar do
4
+
5
+ before do
6
+ @jar = Arachni::HTTP::CookieJar.new
7
+ @file = spec_path + '/fixtures/cookies.txt'
8
+ end
9
+
10
+ describe '.from_file' do
11
+ it 'should load cookies from a Netscape cookie-jar file' do
12
+ j = @jar.class.from_file( @file )
13
+ cookies = j.cookies
14
+ cookies.size.should == 3
15
+ cookies.should == Arachni::Utilities.cookies_from_file( '', @file )
16
+ end
17
+
18
+ context 'when the provided file does not exist' do
19
+ it 'should raise an exception' do
20
+ raised = false
21
+ begin
22
+ j = @jar.class.from_file( 'file' )
23
+ rescue Arachni::Exceptions::NoCookieJar
24
+ raised = true
25
+ end
26
+ raised.should be_true
27
+ end
28
+ end
29
+ end
30
+
31
+ describe '#initialize' do
32
+ it 'should return a new instance' do
33
+ Arachni::HTTP::CookieJar.new.is_a?( Arachni::HTTP::CookieJar ).should be_true
34
+ end
35
+
36
+ context 'when a cookiejer option has been provided' do
37
+ it 'should load cookies from a Netscape cookie-jar file' do
38
+ j = @jar.class.from_file( @file )
39
+ cookies = j.cookies
40
+ cookies.size.should == 3
41
+ cookies.should == Arachni::Utilities.cookies_from_file( '', @file )
42
+ end
43
+ end
44
+
45
+ context 'when the provided file does not exist' do
46
+ it 'should raise an exception' do
47
+ raised = false
48
+ begin
49
+ j = @jar.class.from_file( 'file' )
50
+ rescue Arachni::Exceptions::NoCookieJar
51
+ raised = true
52
+ end
53
+ raised.should be_true
54
+ end
55
+ end
56
+ end
57
+
58
+ describe '#<<' do
59
+ context 'when a cookie with that name does not already exist' do
60
+ it 'should add the cookie to the jar' do
61
+ cookie = Arachni::Utilities.cookies_from_file( '', @file ).first
62
+ @jar.empty?.should be_true
63
+
64
+ (@jar << cookie).should == @jar
65
+ @jar.cookies.first.should == cookie
66
+
67
+ @jar.empty?.should be_false
68
+ end
69
+ end
70
+ context 'when a cookie with that name already exists' do
71
+ it 'should update the jar (i.e. replace the cookie)' do
72
+ cookie = Arachni::Utilities.cookies_from_file( '', @file ).first
73
+ @jar.empty?.should be_true
74
+
75
+ (@jar << cookie).should == @jar
76
+ @jar.cookies.first.should == cookie
77
+
78
+ c = cookie.dup
79
+ c.auditable = { c.name => 'my val' }
80
+
81
+ (@jar << c).should == @jar
82
+ @jar.cookies.first.should == c
83
+
84
+ @jar.empty?.should be_false
85
+ end
86
+ end
87
+ end
88
+
89
+ describe '#update' do
90
+ context 'when cookies with the same name do not already exist' do
91
+ it 'should add the cookies to the jar' do
92
+ cookies = Arachni::Utilities.cookies_from_file( '', @file )
93
+ @jar.empty?.should be_true
94
+
95
+ @jar.update( cookies ).should == @jar
96
+ @jar.cookies.should == cookies
97
+
98
+ @jar.empty?.should be_false
99
+ end
100
+ end
101
+ context 'when cookies with the same name already exist' do
102
+ it 'should update the jar (i.e. replace the cookies)' do
103
+ cookies = Arachni::Utilities.cookies_from_file( '', @file )
104
+ @jar.empty?.should be_true
105
+
106
+ @jar.update( cookies ).should == @jar
107
+ @jar.cookies.should == cookies
108
+
109
+ c = cookies.dup.map { |dc| dc.auditable = { dc.name => dc.name + '-updated' }; dc }
110
+ @jar.update( c ).should == @jar
111
+ @jar.cookies.should == c
112
+
113
+ @jar.empty?.should be_false
114
+ end
115
+ end
116
+ end
117
+
118
+ describe '#for_url' do
119
+ it 'should return all cookies for that particular URL' do
120
+ cookies = {}
121
+ cookies[:with_path] = Arachni::Element::Cookie.new( '',
122
+ 'name' => 'my_cookie',
123
+ 'value' => 'my_value',
124
+ 'domain'=> 'domain.com',
125
+ 'path' => '/my/path'
126
+ )
127
+
128
+ cookies[:without_path] = Arachni::Element::Cookie.new( '',
129
+ 'name' => 'my_cookie1',
130
+ 'value' => 'my_value2',
131
+ 'domain'=> 'domain.com',
132
+ 'path' => '/'
133
+ )
134
+
135
+ cookies[:another_domain] = Arachni::Element::Cookie.new( '',
136
+ 'name' => 'my_cookie1',
137
+ 'value' => 'my_value2',
138
+ 'domain'=> 'mydomain.com',
139
+ 'path' => '/'
140
+ )
141
+
142
+ cookies[:tailmatching] = Arachni::Element::Cookie.new( '',
143
+ 'name' => 'tail_name',
144
+ 'value' => 'tail_value',
145
+ 'domain'=> '.mydomain.com',
146
+ 'path' => '/'
147
+ )
148
+
149
+ cookies[:subdomain] = Arachni::Element::Cookie.new( '',
150
+ 'name' => 'name',
151
+ 'value' => 'value',
152
+ 'domain'=> 'sub.domain.com',
153
+ 'path' => '/'
154
+ )
155
+
156
+ cookies[:subdomain_tailmatching] = Arachni::Element::Cookie.new( '',
157
+ 'name' => 'tail_name',
158
+ 'value' => 'tail_value',
159
+ 'domain'=> '.sub.domain.com',
160
+ 'path' => '/'
161
+ )
162
+
163
+ cookies[:expired] = Arachni::Element::Cookie.new( '',
164
+ 'name' => 'expired_name',
165
+ 'value' => 'expired_value',
166
+ 'domain'=> 'expired.com',
167
+ 'path' => '/',
168
+ 'expires' => Time.now - 999999
169
+ )
170
+
171
+ @jar.update( cookies.values )
172
+
173
+ @jar.for_url( 'http://domain.com/my/path' ).should == [cookies[:with_path], cookies[:without_path]]
174
+ @jar.for_url( 'http://domain.com/my/path/' ).should == [cookies[:with_path], cookies[:without_path]]
175
+ @jar.for_url( 'http://domain.com' ).should == [cookies[:without_path]]
176
+ @jar.for_url( 'http://domain.com/' ).should == [cookies[:without_path]]
177
+
178
+ @jar.for_url( 'http://mydomain.com' ).should == [cookies[:another_domain], cookies[:tailmatching]]
179
+ @jar.for_url( 'http://sub.mydomain.com' ).should == [cookies[:tailmatching]]
180
+ @jar.for_url( 'http://deep.sub.mydomain.com' ).should == [cookies[:tailmatching]]
181
+
182
+ @jar.for_url( 'http://sub.domain.com' ).should == [cookies[:subdomain], cookies[:subdomain_tailmatching]]
183
+ @jar.for_url( 'http://deeeep.deep.sub.domain.com' ).should == [cookies[:subdomain_tailmatching]]
184
+
185
+ @jar.for_url( 'http://expired.com' ).should be_empty
186
+ end
187
+ end
188
+
189
+ describe '#cookies' do
190
+ before( :each ) do
191
+ @jar << Arachni::Element::Cookie.new( '',
192
+ 'name' => 'expired_name',
193
+ 'value' => 'expired_value',
194
+ 'domain'=> 'expired.com',
195
+ 'path' => '/',
196
+ 'expires' => Time.now - 999999
197
+ )
198
+ @jar << Arachni::Element::Cookie.new( '',
199
+ 'name' => 'my_name',
200
+ 'value' => 'my_value',
201
+ 'domain'=> 'domain.com',
202
+ 'path' => '/',
203
+ )
204
+ end
205
+ describe 'include_expired' do
206
+ context true do
207
+ it 'should return all cookies' do
208
+ @jar.cookies( true ).size.should == 2
209
+ end
210
+ end
211
+ context false do
212
+ it 'should return non expired cookies only' do
213
+ c = @jar.cookies( false )
214
+ c.size.should == 1
215
+ c.first.name.should == 'my_name'
216
+ end
217
+ end
218
+ context 'nil' do
219
+ it 'should return non expired cookies only' do
220
+ c = @jar.cookies( false )
221
+ c.size.should == 1
222
+ c.first.name.should == 'my_name'
223
+ end
224
+ end
225
+ end
226
+ end
227
+
228
+ describe '#clear' do
229
+ it 'should empty the jar' do
230
+ @jar.load( @file )
231
+ @jar.empty?.should be_false
232
+ @jar.clear
233
+ @jar.empty?.should be_true
234
+ end
235
+ end
236
+
237
+ describe '#empty?' do
238
+ context 'when the cookie jar is empty' do
239
+ it 'should return true' do
240
+ @jar.empty?.should be_true
241
+ end
242
+ end
243
+ context 'when the cookie jar is not empty' do
244
+ it 'should return false' do
245
+ @jar.empty?.should be_true
246
+ @jar.load( @file )
247
+ @jar.empty?.should be_false
248
+ end
249
+ end
250
+ end
251
+
252
+ describe '#any?' do
253
+ context 'when the cookie jar is empty' do
254
+ it 'should return false' do
255
+ @jar.any?.should be_false
256
+ end
257
+ end
258
+ context 'when the cookie jar is not empty' do
259
+ it 'should return true' do
260
+ @jar.any?.should be_false
261
+ @jar.load( @file )
262
+ @jar.any?.should be_true
263
+ end
264
+ end
265
+ end
266
+
267
+ end
data/spec/arachni/http_spec.rb ADDED
@@ -0,0 +1,991 @@
1
+ require_relative '../spec_helper'
2
+
3
+ describe Arachni::HTTP do
4
+
5
+ before( :all ) do
6
+ @opts = Arachni::Options.instance
7
+ @http = Arachni::HTTP
8
+ @url = server_url_for( :http )
9
+ end
10
+ before( :each ){
11
+ @opts.reset
12
+ @opts.audit_links = true
13
+ @opts.url = @url
14
+ @http.reset
15
+ }
16
+
17
+ it 'should support gzip content-encoding' do
18
+ body = nil
19
+ @http.get( @opts.url + 'gzip' ) { |res| body = res.body }
20
+ @http.run
21
+ body.should == 'success'
22
+ end
23
+
24
+ it 'should preserve set-cookies' do
25
+ body = nil
26
+ @http.get( @opts.url + 'set_and_preserve_cookies', update_cookies: true )
27
+ @http.run
28
+ @http.cookies.first.value.should == "=stuf \00 here=="
29
+ @http.get( @opts.url + 'cookies' ) { |res| body = res.body }
30
+ @http.run
31
+ body.should == "stuff==stuf \00 here=="
32
+ end
33
+
34
+ describe 'Arachni::Options#http_req_limit' do
35
+ context Integer do
36
+ it 'should use it as a max_concurrency' do
37
+ @opts.http_req_limit = 34
38
+ @http.reset
39
+ @http.max_concurrency.should == 34
40
+ end
41
+ end
42
+ context 'nil' do
43
+ it 'should use a default max concurrency setting' do
44
+ @opts.http_req_limit = nil
45
+ @http.reset
46
+ @http.max_concurrency.should == Arachni::HTTP::MAX_CONCURRENCY
47
+ end
48
+ end
49
+ end
50
+
51
+ describe 'Arachni::Options#http_timeout' do
52
+ context Integer do
53
+ it 'should use it as an HTTP timeout' do
54
+ @opts.http_timeout = 10000000000
55
+ timed_out = false
56
+ @http.request( @url + '/sleep' ) { |res| timed_out = res.timed_out? }
57
+ @http.run
58
+ timed_out.should be_false
59
+
60
+ @opts.http_timeout = 1
61
+ @http.reset
62
+ timed_out = false
63
+ @http.request( @url + '/sleep' ) { |res| timed_out = res.timed_out? }
64
+ @http.run
65
+ timed_out.should be_true
66
+ end
67
+ end
68
+ context 'nil' do
69
+ it 'should use a default timeout setting' do
70
+ timed_out = false
71
+ @http.request( @url + '/sleep' ) { |res| timed_out = res.timed_out? }
72
+ @http.run
73
+ timed_out.should be_false
74
+ end
75
+ end
76
+ end
77
+
78
+
79
+ describe 'Arachni::Options#url' do
80
+ context 'when the target URL includes auth credentials' do
81
+ it 'should use them globally' do
82
+ url = Arachni::Module::Utilities.uri_parse( server_url_for( :http_auth ) )
83
+ @opts.url = url.to_s
84
+
85
+ # first fail to make sure that our test server is actually working properly
86
+ code = 0
87
+ @http.get( @opts.url + 'auth' ) { |res| code = res.code }
88
+ @http.run
89
+ code.should == 401
90
+
91
+ # now test the client
92
+ url.user = 'username'
93
+ url.password = 'password'
94
+ @opts.url = url.to_s
95
+
96
+ body = nil
97
+ @http.get( @opts.url + 'auth' ) { |res| body = res.body }
98
+ @http.run
99
+ body.should == 'authenticated!'
100
+ end
101
+ end
102
+ end
103
+
104
+ describe 'Arachni::Options#user_agent' do
105
+ context String do
106
+ it 'should use it as a user agent' do
107
+ ua = 'my user agent'
108
+ @opts.user_agent = ua.dup
109
+ @http.reset
110
+
111
+ body = nil
112
+ @http.get( @opts.url + 'user-agent' ) { |res| body = res.body }
113
+ @http.run
114
+ body.should == ua
115
+ end
116
+ end
117
+ context 'nil' do
118
+ it 'should use a default user agent setting and update the global setting' do
119
+ @opts.user_agent = nil
120
+ @http.reset
121
+
122
+ body = nil
123
+ @http.get( @opts.url + 'user-agent' ) { |res| body = res.body }
124
+ @http.run
125
+ body.should == Arachni::HTTP::USER_AGENT + Arachni::VERSION.to_s
126
+ @opts.user_agent.should == body
127
+ end
128
+ end
129
+ end
130
+
131
+ describe 'Arachni::Options#redirect_limit' do
132
+ context Integer do
133
+ it 'should not exceed that amount of redirects' do
134
+ @opts.redirect_limit = 2
135
+ @http.reset
136
+
137
+ code = nil
138
+ @http.get( @opts.url + 'redirect', follow_location: true ) { |res| code = res.code }
139
+ @http.run
140
+ code.should == 302
141
+
142
+ @opts.redirect_limit = 10
143
+ @http.reset
144
+
145
+ body = nil
146
+ @http.get( @opts.url + 'redirect', follow_location: true ) { |res| body = res.body }
147
+ @http.run
148
+ body.should == 'This is the end.'
149
+ end
150
+ end
151
+ context 'nil' do
152
+ it 'should use a default setting and update the global setting' do
153
+ @opts.redirect_limit = nil
154
+ @http.reset
155
+
156
+ body = nil
157
+ @http.get( @opts.url + 'redirect', follow_location: true ) { |res| body = res.body }
158
+ @http.run
159
+ body.should == 'This is the end.'
160
+
161
+ @opts.redirect_limit.should == Arachni::HTTP::REDIRECT_LIMIT
162
+ end
163
+ end
164
+ end
165
+
166
+ describe '#sandbox' do
167
+ it 'should preserve state, run the block and then restore it' do
168
+
169
+ @http.cookies.should be_empty
170
+ body = nil
171
+ @http.get( @opts.url + 'set_and_preserve_cookies', update_cookies: true )
172
+ @http.run
173
+ @http.cookies.should be_any
174
+
175
+ headers = @http.headers.dup
176
+
177
+ signals = []
178
+ @http.add_on_complete do |r|
179
+ signals << :out
180
+ end
181
+
182
+ @http.get( @opts.url + 'out', async: false )
183
+ @http.sandbox do
184
+ @http.cookies.should be_any
185
+ @http.cookie_jar.clear
186
+ @http.cookies.should be_empty
187
+
188
+ @http.headers.should == headers
189
+ @http.headers['X-Custom'] = 'stuff'
190
+ @http.headers.include?( 'X-Custom' ).should be_true
191
+
192
+ @http.add_on_complete do |r|
193
+ signals << :in
194
+ end
195
+
196
+ @http.get( @opts.url + 'in', async: false )
197
+ @http.run
198
+ end
199
+ @http.get( @opts.url + 'out', async: false )
200
+
201
+ signals.delete( :out )
202
+ signals.size.should == 1
203
+
204
+ @http.headers.include?( 'X-Custom' ).should be_false
205
+ @http.cookies.should be_any
206
+ end
207
+ end
208
+
209
+ describe '#url' do
210
+ it 'should return the URL in opts' do
211
+ @http.url.should == @opts.url.to_s
212
+ end
213
+ end
214
+
215
+ describe '#page=' do
216
+ it 'should update the trainer and the cookiejar using the given page' do
217
+ cookies = []
218
+ cookies << Arachni::Element::Cookie.new( 'http://test.com',
219
+ 'key1' => 'val1' )
220
+ cookies << Arachni::Element::Cookie.new( @url,
221
+ 'key2' => 'val2' )
222
+
223
+ page = Arachni::Page.new( cookiejar: cookies )
224
+ @http.page = page
225
+ @http.cookies.should == cookies
226
+ @http.trainer.page.should == page
227
+ end
228
+ end
229
+
230
+ describe '#headers' do
231
+ it 'should provide access to default headers' do
232
+ headers = @http.headers
233
+ headers['Accept'].should == 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
234
+ headers['User-Agent'].should == 'Arachni/v' + Arachni::VERSION
235
+ end
236
+
237
+ context 'when provided with custom headers' do
238
+ it 'should include them' do
239
+ @opts.custom_headers = {
240
+ 'User-Agent' => 'My UA',
241
+ 'From' => 'Some dude',
242
+ }
243
+ @http.reset
244
+ headers = @http.headers
245
+ headers['From'].should == @opts.custom_headers['From']
246
+ headers['Accept'].should == 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
247
+ headers['User-Agent'].should == @opts.custom_headers['User-Agent']
248
+ end
249
+ end
250
+
251
+ context 'when the authed_by option is set' do
252
+ it 'should include it in the From field' do
253
+ @opts.authed_by = 'The Dude'
254
+ @http.reset
255
+ @http.headers['From'].should == @opts.authed_by
256
+ end
257
+ end
258
+
259
+ end
260
+
261
+ describe '#cookie_jar' do
262
+ it 'should provide access to the Cookie-jar' do
263
+ @http.cookie_jar.is_a?( Arachni::HTTP::CookieJar ).should be_true
264
+ end
265
+
266
+ context 'when the cookie_jar option is set' do
267
+ it 'should add the contained cookies to the CookieJar' do
268
+ @opts.cookie_jar = spec_path + '/fixtures/cookies.txt'
269
+ @http.cookie_jar.cookies.should be_empty
270
+ @http.reset
271
+ cookies = @http.cookie_jar.cookies
272
+ cookies.size.should == 3
273
+ cookies.should == Arachni::Module::Utilities.cookies_from_file( '', @opts.cookie_jar )
274
+ end
275
+ context 'but the path is invalid' do
276
+ it 'should raise an exception' do
277
+ @opts.cookie_jar = spec_path + '/fixtures/cookies.does_not_exist.txt'
278
+ raised = false
279
+ begin
280
+ @http.reset
281
+ rescue Arachni::Exceptions::NoCookieJar
282
+ raised = true
283
+ end
284
+ raised.should be_true
285
+ end
286
+ end
287
+ end
288
+
289
+ context 'when the cookies option is set' do
290
+ it 'should add those cookies to the CookieJar' do
291
+ cookie_jar_file = spec_path + '/fixtures/cookies.txt'
292
+ @opts.cookies = Arachni::Module::Utilities.cookies_from_file( '', cookie_jar_file )
293
+ @http.cookie_jar.cookies.should be_empty
294
+ @http.reset
295
+ cookies = @http.cookie_jar.cookies
296
+ cookies.size.should == 3
297
+ cookies.should == @opts.cookies
298
+ end
299
+ end
300
+
301
+ context 'when the cookie_string option is set' do
302
+ it 'should parse the string and add those cookies to the CookieJar' do
303
+ @opts.cookie_string = 'my_cookie_name=val1;blah_name=val2; another_name=another_val'
304
+ @http.cookie_jar.cookies.should be_empty
305
+ @http.reset
306
+ cookies = @http.cookie_jar.cookies
307
+ cookies.size.should == 3
308
+ cookies.first.name.should == 'my_cookie_name'
309
+ cookies.first.value.should == 'val1'
310
+ cookies[1].name.should == 'blah_name'
311
+ cookies[1].value.should == 'val2'
312
+ cookies.last.name.should == 'another_name'
313
+ cookies.last.value.should == 'another_val'
314
+ end
315
+ end
316
+ end
317
+
318
+ describe '#cookies' do
319
+ it 'should return the current cookies' do
320
+ @opts.cookie_string = 'my_cookie_name=val1;blah_name=val2; another_name=another_val'
321
+ @http.cookie_jar.cookies.should be_empty
322
+ @http.reset
323
+ @http.cookies.size.should == 3
324
+ @http.cookies.should == @http.cookie_jar.cookies
325
+ end
326
+ end
327
+
328
+ describe '#run' do
329
+ it 'should perform the queues requests' do
330
+ @http.run
331
+ end
332
+
333
+ it 'should call the after_run callbacks ONCE' do
334
+ called = false
335
+ @http.after_run { called = true }
336
+ @http.run
337
+ called.should be_true
338
+ called = false
339
+ @http.run
340
+ called.should be_false
341
+ end
342
+
343
+ it 'should call the after_run_persistent callbacks EVERY TIME' do
344
+ called = false
345
+ @http.after_run_persistent { called = true }
346
+ @http.run
347
+ called.should be_true
348
+ called = false
349
+ @http.run
350
+ called.should be_true
351
+ end
352
+
353
+ it 'should calculate the burst average response time' do
354
+ @http.run
355
+ @http.burst_runtime.should > 0
356
+ end
357
+
358
+ it 'should update curr_res_time, curr_res_cnt, average_res_time and curr_res_per_second' +
359
+ ' during runtime but reset them afterwards' do
360
+ @http.curr_res_time.should == 0
361
+ @http.curr_res_cnt.should == 0
362
+ @http.average_res_time.should == 0
363
+ @http.curr_res_per_second.should == 0
364
+
365
+ curr_res_cnt = 0
366
+ curr_res_time = 0
367
+ average_res_time = 0
368
+ curr_res_per_second = 0
369
+ 20.times{
370
+ @http.get {
371
+ curr_res_time = @http.curr_res_time
372
+ curr_res_cnt = @http.curr_res_cnt
373
+ average_res_time = @http.average_res_time
374
+ curr_res_per_second = @http.curr_res_per_second
375
+ }
376
+ }
377
+ @http.run
378
+ curr_res_time.should > 0
379
+ curr_res_cnt.should > 0
380
+ average_res_time.should > 0
381
+ curr_res_per_second.should > 0
382
+ @http.curr_res_time.should == 0
383
+ @http.curr_res_cnt.should == 0
384
+ end
385
+ end
386
+
387
+ describe '#abort' do
388
+ it 'should abort the running requests on a best effort basis' do
389
+ cnt = 0
390
+ n = 50
391
+ n.times do |i|
392
+ @http.get {
393
+ cnt += 1
394
+ @http.abort
395
+ }
396
+ end
397
+ @http.run
398
+ cnt.should < n
399
+ end
400
+ end
401
+
402
+ describe '#max_concurrency' do
403
+ it 'should default to 20' do
404
+ @http.max_concurrency.should == 20
405
+ end
406
+ it 'should respect the http_req_limit option' do
407
+ @opts.http_req_limit = 50
408
+ @http.reset
409
+ @http.max_concurrency.should == 50
410
+ end
411
+ end
412
+
413
+ describe '#max_concurrency=' do
414
+ it 'should set the max_concurrency setting' do
415
+ @http.max_concurrency.should_not == 30
416
+ @http.max_concurrency = 30
417
+ @http.max_concurrency.should == 30
418
+ end
419
+ end
420
+
421
+ describe '#request' do
422
+ it 'should use the URL in Arachni::Options.instance.url as a default' do
423
+ url = nil
424
+ @http.request{ |res| url = res.effective_url }
425
+ @http.run
426
+ url.start_with?( @opts.url.to_s ).should be_true
427
+ end
428
+ it 'should raise exception when no URL is available' do
429
+ @opts.reset
430
+ @http.reset
431
+ raised = false
432
+ begin
433
+ @http.request
434
+ rescue
435
+ raised = true
436
+ end
437
+ raised.should be_true
438
+ end
439
+
440
+ describe :no_cookiejar do
441
+ context true do
442
+ it 'should not use the cookiejar' do
443
+ body = nil
444
+ @http.request( @url + '/cookies', no_cookiejar: true ) { |res| body = res.body }
445
+ @http.run
446
+ body.should == ''
447
+ end
448
+ end
449
+ context false do
450
+ it 'should use the cookiejar' do
451
+ @opts.cookie_string = 'my_cookie_name=val1;blah_name=val2;another_name=another_val'
452
+ @http.cookie_jar.cookies.should be_empty
453
+ @http.reset
454
+
455
+ body = nil
456
+
457
+ @http.request( @url + '/cookies', no_cookiejar: false ) { |res| body = res.body }
458
+ @http.run
459
+ body.should == @opts.cookie_string
460
+ end
461
+ context 'when custom cookies are provided' do
462
+ it 'should merge them with the cookiejar and override it' do
463
+ @opts.cookie_string = 'my_cookie_name=val1;blah_name=val2;another_name=another_val'
464
+ @http.cookie_jar.cookies.should be_empty
465
+ @http.reset
466
+
467
+ body = nil
468
+
469
+ custom_cookies = { 'newcookie' => 'newval', 'blah_name' => 'val3' }
470
+ @http.request( @url + '/cookies', cookies: custom_cookies,
471
+ no_cookiejar: false ) { |res| body = res.body }
472
+ @http.run
473
+ body.should == 'my_cookie_name=val1;blah_name=val3;another_name=another_val;newcookie=newval'
474
+ end
475
+ end
476
+ end
477
+ context 'nil' do
478
+ it 'should default to false' do
479
+ @opts.cookie_string = 'my_cookie_name=val1;blah_name=val2;another_name=another_val'
480
+ @http.cookie_jar.cookies.should be_empty
481
+ @http.reset
482
+
483
+ body = nil
484
+
485
+ @http.request( @url + '/cookies' ) { |res| body = res.body }
486
+ @http.run
487
+ body.should == @opts.cookie_string
488
+ end
489
+ end
490
+ end
491
+
492
+ describe :body do
493
+ it 'should use its value as a request body' do
494
+ req_body = 'heyaya'
495
+ body = nil
496
+ @http.request( @url + '/body', method: :post, body: req_body ) { |res| body = res.body }
497
+ @http.run
498
+ body.should == req_body
499
+ end
500
+ end
501
+
502
+ describe :method do
503
+ describe 'nil' do
504
+ it 'should perform a GET HTTP request' do
505
+ body = nil
506
+ @http.request( @url ) { |res| body = res.body }
507
+ @http.run
508
+ body.should == 'GET'
509
+ end
510
+ end
511
+ describe :get do
512
+ it 'should perform a GET HTTP request' do
513
+ body = nil
514
+ @http.request( @url, method: :get ) { |res| body = res.body }
515
+ @http.run
516
+ body.should == 'GET'
517
+ end
518
+
519
+ context 'when there are both query string and hash params' do
520
+ it 'should merge them while giving priority to the hash params' do
521
+ body = nil
522
+ params = {
523
+ 'param1' => 'value1_updated',
524
+ 'param2' => 'value 2'
525
+ }
526
+ url = @url + '/echo?param1=value1&param3=value3'
527
+ @http.request( url,
528
+ remove_id: true, params: params, method: :get
529
+ ){ |res| body = res.body }
530
+ @http.run
531
+ body.should == params.merge( 'param3' => 'value3' ).to_s
532
+ end
533
+ end
534
+ end
535
+ describe :post do
536
+ it 'should perform a POST HTTP request' do
537
+ body = nil
538
+ @http.request( @url, method: :post ) { |res| body = res.body }
539
+ @http.run
540
+ body.should == 'POST'
541
+ end
542
+ end
543
+ describe :put do
544
+ it 'should perform a PUT HTTP request' do
545
+ body = nil
546
+ @http.request( @url, method: :put ) { |res| body = res.body }
547
+ @http.run
548
+ body.should == 'PUT'
549
+ end
550
+ end
551
+ describe :options do
552
+ it 'should perform a OPTIONS HTTP request' do
553
+ body = nil
554
+ @http.request( @url, method: :options ) { |res| body = res.body }
555
+ @http.run
556
+ body.should == 'OPTIONS'
557
+ end
558
+ end
559
+ describe :delete do
560
+ it 'should perform a POST HTTP request' do
561
+ body = nil
562
+ @http.request( @url, method: :delete ) { |res| body = res.body }
563
+ @http.run
564
+ body.should == 'DELETE'
565
+ end
566
+ end
567
+ end
568
+ describe :params do
569
+ it 'should specify the query params as a hash' do
570
+ body = nil
571
+ params = { 'param' => 'value' }
572
+ @http.request( @url + '/echo',
573
+ params: params,
574
+ remove_id: true
575
+ ) { |res| body = res.body }
576
+ @http.run
577
+ params.to_s.should == body
578
+ end
579
+ context 'POST' do
580
+ it 'should encode special characters' do
581
+ body = nil
582
+ params = { '% param\ +=&;' => '% value\ +=&;', 'nil' => nil }
583
+ @http.request( @url + '/echo',
584
+ method: :post,
585
+ params: params,
586
+ remove_id: true
587
+ ) { |res| body = res.body }
588
+ @http.run
589
+ body.should == { '% param\ +=&;' => '% value\ +=&;' }.to_s
590
+ end
591
+ end
592
+
593
+ end
594
+ #describe :remove_id do
595
+ # describe 'nil' do
596
+ # it 'should include the framework-wide hash ID in the params' do
597
+ # body = nil
598
+ # @http.request( @url + '/echo' ) { |res| body = res.body }
599
+ # @http.run
600
+ # body.should == { Arachni::Module::Utilities.seed => '' }.to_s
601
+ # end
602
+ # end
603
+ # describe false do
604
+ # it 'should include the framework-wide hash ID in the params' do
605
+ # body = nil
606
+ # @http.request( @url + '/echo', remove_id: false ) { |res| body = res.body }
607
+ # @http.run
608
+ # body.should == { Arachni::Module::Utilities.seed => '' }.to_s
609
+ # end
610
+ # end
611
+ # describe true do
612
+ # it 'should remove the framework-wide hash ID from the params' do
613
+ # body = nil
614
+ # @http.request( @url + '/echo', remove_id: true ) { |res| body = res.body }
615
+ # @http.run
616
+ # body.should == {}.to_s
617
+ # end
618
+ # end
619
+ #end
620
+
621
+ describe :train do
622
+ before( :all ) do
623
+ res = @http.get( @url, async: false, remove_id: true ).response
624
+ @page = Arachni::Page.from_response( res, @opts )
625
+ end
626
+ describe 'nil' do
627
+ it 'should not pass the response to the Trainer' do
628
+ @http.trainer.init( @page )
629
+ @http.request( @url + '/elems' )
630
+ @http.run
631
+ @http.trainer.flush.should be_empty
632
+ end
633
+ end
634
+ describe false do
635
+ it 'should not pass the response to the Trainer' do
636
+ @http.trainer.init( @page )
637
+ @http.request( @url + '/elems', train: false )
638
+ @http.run
639
+ @http.trainer.flush.should be_empty
640
+ end
641
+ end
642
+ describe true do
643
+ it 'should pass the response to the Trainer' do
644
+ @http.trainer.init( @page )
645
+ @http.request( @url + '/elems', train: true )
646
+ @http.run
647
+ @http.trainer.flush.should be_any
648
+ end
649
+
650
+ context 'when a redirection leads to new elements' do
651
+ it 'should pass the response to the Trainer' do
652
+ @http.trainer.init( @page )
653
+ @http.request( @url + '/train/redirect', train: true )
654
+ @http.run
655
+ page = @http.trainer.flush.first
656
+ page.links.first.auditable.include?( 'msg' ).should be_true
657
+ end
658
+ end
659
+ end
660
+ end
661
+
662
+ describe :timeout do
663
+ describe 'nil' do
664
+ it 'should not set a timeout value' do
665
+ timed_out = false
666
+ @http.request( @url + '/sleep' ) { |res| timed_out = res.timed_out? }
667
+ @http.run
668
+ timed_out.should be_false
669
+ end
670
+ end
671
+ describe Numeric do
672
+ it 'should not set a timeout value' do
673
+ timed_out = false
674
+ @http.request( @url + '/sleep', timeout: 1.3 ) { |res| timed_out = res.timed_out? }
675
+ @http.run
676
+ timed_out.should be_true
677
+ end
678
+ end
679
+ end
680
+
681
+ describe :cookies do
682
+ describe 'nil' do
683
+ it 'should use te cookies in the CookieJar' do
684
+ @opts.cookie_string = 'my_cookie_name=val1;blah_name=val2;another_name=another_val'
685
+ @http.cookie_jar.cookies.should be_empty
686
+ @http.reset
687
+
688
+ body = nil
689
+ @http.request( @url + '/cookies' ) { |res| body = res.body }
690
+ @http.run
691
+ body.should == @opts.cookie_string
692
+ end
693
+
694
+ it 'should only send the appropriate cookies for the domain' do
695
+ cookies = []
696
+ cookies << Arachni::Element::Cookie.new( 'http://test.com',
697
+ 'key1' => 'val1' )
698
+ cookies << Arachni::Element::Cookie.new( @url,
699
+ 'key2' => 'val2' )
700
+
701
+ @http.cookie_jar.update( cookies )
702
+ body = nil
703
+ @http.request( @url + '/cookies' ) { |res| body = res.body }
704
+ @http.run
705
+ body.should == 'key2=val2'
706
+ end
707
+ end
708
+ describe Hash do
709
+ it 'should use the key-value pairs as cookies' do
710
+ cookies = { 'name' => 'val' }
711
+ body = nil
712
+ @http.request( @url + '/cookies', cookies: cookies ) { |res| body = res.body }
713
+ @http.run
714
+ body.should == cookies.keys.first.to_s + '=' + cookies.values.first.to_s
715
+ end
716
+ end
717
+ end
718
+
719
+ describe :async do
720
+ describe 'nil' do
721
+ it 'should perform the request asynchronously' do
722
+ performed = false
723
+ @http.request( @url ) { performed = true }
724
+ @http.run
725
+ performed.should be_true
726
+ end
727
+ end
728
+ describe true do
729
+ it 'should perform the request asynchronously' do
730
+ performed = false
731
+ @http.request( @url, async: true ) { performed = true }
732
+ @http.run
733
+ performed.should be_true
734
+ end
735
+ end
736
+ describe false do
737
+ it 'should not perform the request asynchronously' do
738
+ performed = false
739
+ @http.request( @url, async: false ) { performed = true }
740
+ performed.should be_true
741
+ end
742
+ end
743
+ end
744
+
745
+ describe :headers do
746
+ describe 'nil' do
747
+ it 'should use the default headers' do
748
+ body = nil
749
+ @http.request( @url + '/headers' ) { |res| body = res.body }
750
+ @http.run
751
+ sent_headers = YAML.load( body )
752
+ @http.headers.each { |k, v| sent_headers[k].should == v }
753
+ end
754
+ end
755
+
756
+ describe Hash do
757
+ it 'should merge them with the default headers' do
758
+ headers = { 'My-Header' => 'my value'}
759
+ body = nil
760
+ @http.request( @url + '/headers', headers: headers ) { |res| body = res.body }
761
+ @http.run
762
+ header_str = @http.headers.merge( headers ).
763
+ map { |k, v| k + '=' + v }.join( ';' )
764
+ sent_headers = YAML.load( body )
765
+ @http.headers.merge( headers ).each { |k, v| sent_headers[k].should == v }
766
+ end
767
+ end
768
+ end
769
+
770
+ describe :update_cookies do
771
+ describe 'nil' do
772
+ it 'should not update the cookiejar' do
773
+ cookies = []
774
+ cookies << Arachni::Element::Cookie.new( @url,
775
+ 'key2' => 'val2' )
776
+ @http.update_cookies( cookies )
777
+ body = nil
778
+ @http.request( @url + '/update_cookies' ) { |res| body = res.body }
779
+ @http.run
780
+ @http.cookies.should == cookies
781
+ end
782
+ end
783
+
784
+ describe false do
785
+ it 'should not update the cookiejar' do
786
+ cookies = []
787
+ cookies << Arachni::Element::Cookie.new( @url,
788
+ 'key2' => 'val2' )
789
+ @http.update_cookies( cookies )
790
+ body = nil
791
+ @http.request( @url + '/update_cookies', update_cookies: false ) { |res| body = res.body }
792
+ @http.run
793
+ @http.cookies.should == cookies
794
+ end
795
+ end
796
+
797
+ describe true do
798
+ it 'should update the cookiejar' do
799
+ cookies = []
800
+ cookies << Arachni::Element::Cookie.new( @url,
801
+ 'key2' => 'val2' )
802
+ @http.update_cookies( cookies )
803
+ body = nil
804
+ @http.request( @url + '/update_cookies', update_cookies: true ) { |res| body = res.body }
805
+ @http.run
806
+ @http.cookies.first.value.should == cookies.first.value + ' [UPDATED!]'
807
+ end
808
+ end
809
+ end
810
+
811
+ describe :follow_location do
812
+ describe 'nil' do
813
+ it 'should not follow redirects' do
814
+ res = nil
815
+ @http.request( @url + '/follow_location' ) { |c_res| res = c_res }
816
+ @http.run
817
+ res.effective_url.start_with?( @url + '/follow_location' ).should be_true
818
+ res.body.should == ''
819
+ end
820
+ end
821
+ describe false do
822
+ it 'should not follow redirects' do
823
+ res = nil
824
+ @http.request( @url + '/follow_location', follow_location: false ) { |c_res| res = c_res }
825
+ @http.run
826
+ res.effective_url.start_with?( @url + '/follow_location' ).should be_true
827
+ res.body.should == ''
828
+ end
829
+ end
830
+ describe true do
831
+ it 'should follow redirects' do
832
+ res = nil
833
+ @http.request( @url + '/follow_location', follow_location: true ) { |c_res| res = c_res }
834
+ @http.run
835
+ res.effective_url.should == @url + '/redir_2'
836
+ res.body.should == "Welcome to redir_2!"
837
+ end
838
+ end
839
+ end
840
+ end
841
+
842
+ describe '#get' do
843
+ it 'should perform a GET request' do
844
+ body = nil
845
+ @http.get { |res| body = res.body }
846
+ @http.run
847
+ body.should == 'GET'
848
+ end
849
+ end
850
+
851
+ describe '#post' do
852
+ it 'should perform a GET request' do
853
+ body = nil
854
+ @http.post { |res| body = res.body }
855
+ @http.run
856
+ body.should == 'POST'
857
+ end
858
+ end
859
+
860
+ describe '#cookie' do
861
+ it 'should perform a GET request' do
862
+ body = nil
863
+ cookies = { 'name' => "v%+;al\00=" }
864
+ @http.cookie( @url + '/cookies', params: cookies ) { |res| body = res.body }
865
+ @http.run
866
+ body.should == cookies.keys.first + '=' + cookies.values.first
867
+ end
868
+ end
869
+
870
+ describe '#headers' do
871
+ it 'should perform a GET request' do
872
+ body = nil
873
+ headers = { 'name' => 'val' }
874
+ @http.header( @url + '/headers', params: headers ) { |res| body = res.body }
875
+ @http.run
876
+ YAML.load( body )['Name'].should == headers.values.first
877
+ end
878
+ end
879
+
880
+ describe '#update_cookies' do
881
+ it 'should update the cookies' do
882
+ cookies = []
883
+ cookies << Arachni::Element::Cookie.new( @url,
884
+ 'key2' => 'val2' )
885
+ @http.cookies.should be_empty
886
+ @http.update_cookies( cookies )
887
+ @http.cookies.should == cookies
888
+ end
889
+ end
890
+
891
+ describe '#on_new_cookies' do
892
+ it 'should add blocks to be called when new cookies arrive' do
893
+ cookies = []
894
+ cookies << Arachni::Element::Cookie.new( @url,
895
+ 'name' => 'value' )
896
+ res = Typhoeus::Response.new( effective_url: @url, headers_hash: { 'Set-Cookie' => 'name=value' } )
897
+
898
+ callback_cookies = nil
899
+ callback_response = nil
900
+ @http.on_new_cookies do |cookies, res|
901
+ callback_cookies = cookies
902
+ callback_response = res
903
+ end
904
+ @http.parse_and_set_cookies( res )
905
+
906
+ callback_cookies.should == cookies
907
+ callback_response.should == res
908
+ end
909
+ end
910
+
911
+ describe '#parse_and_set_cookies' do
912
+ it 'should update the cookies from a response and call on_new_cookies blocks' do
913
+ cookies = []
914
+ cookies << Arachni::Element::Cookie.new( @url,
915
+ 'name' => 'value' )
916
+ res = Typhoeus::Response.new( effective_url: @url, headers_hash: { 'Set-Cookie' => 'name=value' } )
917
+
918
+ @opts.cookies.should be_nil
919
+ @http.cookies.should be_empty
920
+ @http.parse_and_set_cookies( res )
921
+ @http.cookies.should == cookies
922
+ @opts.cookies.should == cookies
923
+ end
924
+ end
925
+
926
+
927
+ describe '#custom_404?' do
928
+ before { @custom_404 = @url + '/custom_404/' }
929
+
930
+ context 'when not dealing with a custom 404 handler' do
931
+ it 'should not identify the responses as custom 404s' do
932
+ res = nil
933
+ @http.get( @custom_404 + 'not' ) { |c_res| res = c_res }
934
+ @http.run
935
+ bool = false
936
+ @http.custom_404?( res ) { |c_bool| bool = c_bool }
937
+ @http.run
938
+ bool.should be_false
939
+ end
940
+ end
941
+
942
+ context 'when dealing with a static handler' do
943
+ it 'should identify custom 404 (Not Found) responses' do
944
+ res = nil
945
+ @http.get( @custom_404 + 'static/crap' ) { |c_res| res = c_res }
946
+ @http.run
947
+ bool = false
948
+ @http.custom_404?( res ) { |c_bool| bool = c_bool }
949
+ @http.run
950
+ bool.should be_true
951
+ end
952
+ end
953
+
954
+ context 'when dealing with a dynamic handler' do
955
+ context 'which includes the required resource in the response' do
956
+ it 'should identify custom 404 (Not Found) responses' do
957
+ res = nil
958
+ @http.get( @custom_404 + 'dynamic/crap' ) { |c_res| res = c_res }
959
+ @http.run
960
+ bool = false
961
+ @http.custom_404?( res ) { |c_bool| bool = c_bool }
962
+ @http.run
963
+ bool.should be_true
964
+ end
965
+ end
966
+ context 'which includes constantly changing text in the response' do
967
+ it 'should identify custom 404 (Not Found) responses' do
968
+ res = nil
969
+ @http.get( @custom_404 + 'random/crap' ) { |c_res| res = c_res }
970
+ @http.run
971
+ bool = false
972
+ @http.custom_404?( res ) { |c_bool| bool = c_bool }
973
+ @http.run
974
+ bool.should be_true
975
+ end
976
+ end
977
+ context 'which returns a combination of the above' do
978
+ it 'should identify custom 404 (Not Found) responses' do
979
+ res = nil
980
+ @http.get( @custom_404 + 'combo/crap' ) { |c_res| res = c_res }
981
+ @http.run
982
+ bool = false
983
+ @http.custom_404?( res ) { |c_bool| bool = c_bool }
984
+ @http.run
985
+ bool.should be_true
986
+ end
987
+ end
988
+ end
989
+ end
990
+
991
+ end