arachni 0.4.2 → 0.4.3

data/lib/arachni/element/capabilities/auditable/rdiff.rb

@@ -16,8 +16,6 @@
 
 module Arachni
 
-require Options.dir['lib'] + 'bloom_filter'
-
 module Element::Capabilities
 
 #
@@ -34,7 +32,7 @@ module Auditable::RDiff
     def self.included( mod )
         # the rdiff attack performs it own redundancy checks so we need this to
         # keep track of audited elements
-        @@rdiff_audited ||= BloomFilter.new
+        @@rdiff_audited ||= Support::LookUp::HashSet.new
     end
 
     RDIFF_OPTIONS =  {
@@ -89,19 +87,29 @@ module Auditable::RDiff
     #   webapp behavior when interpreted).
     # @param    [Block]     block
     #   To be used for custom analysis of responses; will be passed the following:
+    #
     #     * injected string
     #     * audited element
     #     * default response body
     #     * boolean response
     #     * fault injection response body
     #
+    # @return   [Bool]
+    #   `true` if the audit was scheduled successfully, `false` otherwise (like
+    #   if the resource is out of scope or already audited).
+    #
     def rdiff_analysis( opts = {}, &block )
+        if skip_path? self.action
+            print_debug "Element's action matches skip rule, bailing out."
+            return false
+        end
+
         opts = self.class::MUTATION_OPTIONS.merge( RDIFF_OPTIONS.merge( opts ) )
 
         # don't continue if there's a missing value
         auditable.values.each { |val| return if !val || val.empty? }
 
-        return if rdiff_audited?
+        return false if rdiff_audited?
         rdiff_audited
 
         responses = {
@@ -220,6 +228,8 @@ module Auditable::RDiff
                 end
             end
         }
+
+        true
     end
 
     private

data/lib/arachni/element/capabilities/auditable/taint.rb

@@ -52,24 +52,44 @@ module Auditable::Taint
         ignore:    nil
     }
 
-    REMARK = "This issue was identified by a pattern but the pattern matched " +
-            "the page's response body even before auditing the logged element."
+    REMARK = 'This issue was identified by a pattern but the pattern matched ' <<
+            'the page\'s response body even before auditing the logged element.'
 
     #
     # Performs taint analysis and logs an issue should there be one.
     #
     # It logs an issue when:
-    # * _:match_ == nil AND _:regexp_ matches the response body
-    # * _:match_ == not nil AND  _:regexp_ match == _:match_
-    # * _:substring_ exists in the response body
     #
-    # @param  [String]  seed      the string to be injected
-    # @param  [Hash]    opts      options as described in {Arachni::Module::Auditor::OPTIONS} and {TAINT_OPTIONS}
+    # * `:match` == nil AND `:regexp` matches the response body
+    # * `:match`` == not nil AND  `:regexp` match == `:match`
+    # * `:substring`exists in the response body
     #
-    def taint_analysis( seed, opts = { } )
+    # @param  [String, Array<String>, Hash{Symbol => <String, Array<String>>}]  payloads
+    #   Payloads to inject, if given:
+    #
+    #   * {String} -- Will inject the single payload.
+    #   * {Array} -- Will iterate over all payloads and inject them.
+    #   * {Hash} -- Expects {Platform} (as `Symbol`s ) for keys and {Array} of
+    #       `payloads` for values. The applicable `payloads` will be
+    #       {Platform#pick picked} from the hash based on
+    #       {Element::Base#platforms applicable platforms} for the
+    #       {Base#action resource} to be audited.
+    # @param  [Hash]    opts
+    #   Options as described in {Arachni::Module::Auditor::OPTIONS} and
+    #   {TAINT_OPTIONS}.
+    #
+    # @return   [Bool]
+    #   `true` if the audit was scheduled successfully, `false` otherwise (like
+    #   if the resource is out of scope).
+    #
+    def taint_analysis( payloads, opts = { } )
+        if skip_path? self.action
+            print_debug "Element's action matches skip rule, bailing out."
+            return false
+        end
+
         opts = self.class::OPTIONS.merge( TAINT_OPTIONS.merge( opts ) )
-        opts[:substring] = seed if !opts[:regexp] && !opts[:substring]
-        audit( seed, opts ) { |res, c_opts| get_matches( res, c_opts ) }
+        audit( payloads, opts ) { |res, c_opts| get_matches( res, c_opts ) }
     end
 
     private
@@ -83,6 +103,8 @@ module Auditable::Taint
     # @param  [Hash]  opts
     #
     def get_matches( res, opts )
+        opts[:substring] = opts[:injected_orig] if !opts[:regexp] && !opts[:substring]
+
         [opts[:regexp]].flatten.compact.each { |regexp| match_regexp_and_log( regexp, res, opts ) }
         [opts[:substring]].flatten.compact.each { |substring| match_substring_and_log( substring, res, opts ) }
     end

data/lib/arachni/element/capabilities/auditable/timeout.rb

@@ -14,8 +14,6 @@
     limitations under the License.
 =end
 
-require 'set'
-
 module Arachni::Element::Capabilities
 
 #
@@ -82,8 +80,9 @@ module Auditable::Timeout
             @@timeout_candidates
         end
 
-        # @return   [Integer]    amount of timeout-audit related operations
-        #                           (audit blocks + candidate elements)
+        # @return   [Integer]
+        #   Amount of timeout-audit related operations
+        #   (`audit blocks + candidate elements`).
         def @@parent.current_timeout_audit_operations_cnt
             @@timeout_candidates.size + @@timeout_candidates_phase3.size
         end
@@ -181,7 +180,7 @@ module Auditable::Timeout
                         @@timeout_candidate_phase3_ids << elem.audit_id
                     end
 
-                    elem.print_info "Phase 2: Candidate can progress to Phase 3 --" +
+                    elem.print_info 'Phase 2: Candidate can progress to Phase 3 --' <<
                                         " #{elem.type.capitalize} input " +
                                         "'#{elem.altered}' at #{elem.action}"
 
@@ -250,17 +249,17 @@ module Auditable::Timeout
 
         @@timeout_audit_operations_cnt ||= 0
 
-        # populated by timing attack phase 1 with
-        # candidate elements to be verified by phase 2
+        # Populated by timing attack phase 1 with candidate elements to be
+        # verified by phase 2.
         @@timeout_candidates     ||= []
-        @@timeout_candidate_ids  ||= ::Arachni::BloomFilter.new
+        @@timeout_candidate_ids  ||= ::Arachni::Support::LookUp::HashSet.new
 
         @@timeout_candidates_phase3    ||= []
-        @@timeout_candidate_phase3_ids ||= ::Arachni::BloomFilter.new
+        @@timeout_candidate_phase3_ids ||= ::Arachni::Support::LookUp::HashSet.new
 
-        # modules which have called the timing attack audit method (audit_timeout)
-        # we're interested in the amount, not the names, and is used to
-        # determine scan progress
+        # Modules which have called the timing attack audit method
+        # ({Arachni::Module::Auditor#audit_timeout}) we're interested in the
+        # amount, not the names, and is used to determine scan progress.
         @@timeout_loaded_modules ||= Set.new
 
         @@on_timing_attacks      ||= []
@@ -299,23 +298,42 @@ module Auditable::Timeout
     #
     # Performs timeout/time-delay analysis and logs an issue should there be one.
     #
-    # @param   [Array]     strings
-    #   Injection strings (`__TIME__` will be substituted with `timeout / timeout_divider`).
+    # @param  [String, Array<String>, Hash{Symbol => <String, Array<String>>}]  payloads
+    #   Payloads to inject, if given:
+    #
+    #   * {String} -- Will inject the single payload.
+    #   * {Array} -- Will iterate over all payloads and inject them.
+    #   * {Hash} -- Expects {Platform} (as `Symbol`s ) for keys and {Array} of
+    #       `payloads` for values. The applicable `payloads` will be
+    #       {Platform#pick picked} from the hash based on
+    #       {Element::Base#platforms applicable platforms} for the
+    #       {Base#action resource} to be audited.
+    #
+    #   Delay placeholder `__TIME__` will be substituted with `timeout / timeout_divider`.
     # @param   [Hash]      opts
-    #   Options as described in {Arachni::Element::Mutable::OPTIONS} with the
-    #   specified extras.
+    #   Options as described in {Arachni::Element::Capabilities::Mutable::MUTATION_OPTIONS}
+    #   with the specified extras.
     # @option   opts    [Integer] :timeout
     #   Milliseconds to wait for the request to complete.
     # @option   opts    [Integer] :timeout_divider
     #   `__TIME__ = timeout / timeout_divider`
     #
-    def timeout_analysis( strings, opts )
+    # @return   [Bool]
+    #   `true` if the audit was scheduled successfully, `false` otherwise (like
+    #   if the resource is out of scope).
+    #
+    def timeout_analysis( payloads, opts )
+        if skip_path? self.action
+            print_debug "Element's action matches skip rule, bailing out."
+            return false
+        end
+
         @@timeout_loaded_modules << @auditor.fancy_name
 
         delay = opts[:timeout]
 
         audit_timeout_debug_msg( 1, delay )
-        timing_attack( strings, opts ) do |_, _, elem|
+        timing_attack( payloads, opts ) do |elem|
             elem.auditor = @auditor
 
             if deduplicate?
@@ -323,11 +341,13 @@ module Auditable::Timeout
                 @@timeout_candidate_ids << elem.audit_id
             end
 
-            print_info "Found a candidate for Phase 2 -- " +
+            print_info 'Found a candidate for Phase 2 -- ' <<
                     "#{elem.type.capitalize} input '#{elem.altered}' at #{elem.action}"
 
             @@parent.add_timeout_candidate( elem ) if elem.responsive?
         end
+
+        true
     end
 
     #
@@ -370,6 +390,7 @@ module Auditable::Timeout
     end
 
     private
+
     def audit_timeout_debug_msg( phase, delay )
         print_debug '---------------------------------------------'
         print_debug "Running phase #{phase.to_s} of timing attack."
@@ -383,7 +404,7 @@ module Auditable::Timeout
     # 'opts' needs to contain a :timeout value in milliseconds.</br>
     # Optionally, you can add a :timeout_divider.
     #
-    # @param   [Array]     strings
+    # @param   [String, Array, Hash{Symbol => String, Array<String>}]     payloads
     #   Injection strings (`__TIME__` will be substituted with
     #   `timeout / timeout_divider`).
     # @param    [Hash]      opts
@@ -392,19 +413,28 @@ module Auditable::Timeout
     #   Block to call if a timeout occurs, it will be passed the
     #   {Typhoeus::Response response} and `opts`.
     #
-    def timing_attack( strings, opts, &block )
+    def timing_attack( payloads, opts, &block )
+        opts = opts.dup
         opts[:timeout_divider] ||= 1
+        delay = opts[:timeout] / opts[:timeout_divider]
 
-        [strings].flatten.each do |str|
+        # Intercept each element mutation prior to it being submitted and replace
+        # the '__TIME__' placeholder with the actual delay value.
+        each_mutation = proc do |mutation|
+            injected = mutation.altered_value
 
-            opts[:timing_string] = str
-            str = str.gsub( '__TIME__', ( opts[:timeout] / opts[:timeout_divider] ).to_s )
-            opts[:skip_orig] = true
+            # Preserve the original because it's going to be needed for the
+            # verification phases.
+            mutation.opts[:timing_string] = injected
 
-            audit( str, opts ) do |res, c_opts, elem|
-                call_on_timing_blocks( res, elem )
-                block.call( res, c_opts, elem ) if block && res.timed_out?
-            end
+            mutation.altered_value = injected.gsub( '__TIME__', delay.to_s )
+        end
+
+        opts.merge!( each_mutation: each_mutation, skip_orig: true )
+
+        audit( payloads, opts ) do |res, _, elem|
+            call_on_timing_blocks( res, elem )
+            block.call( elem ) if block && res.timed_out?
         end
     end
 

data/lib/arachni/element/cookie.rb

@@ -57,7 +57,7 @@ class Cookie < Arachni::Element::Base
 
         @raw ||= {}
         if @raw['name'] && @raw['value']
-            self.auditable = { @raw['name'] => @raw['value'] }
+            self.auditable = { @raw['name'].to_s.recode => @raw['value'].to_s.recode }
         else
             self.auditable = raw.dup
         end
@@ -981,6 +981,7 @@ class Cookie < Arachni::Element::Base
             end
             cookie_hash['expires'] = cookie.expires
 
+            cookie_hash['path'] ||= '/'
             cookie_hash['name']  = decode( cookie.name )
             cookie_hash['value'] = decode( cookie.value )
 
@@ -1115,7 +1116,7 @@ class Cookie < Arachni::Element::Base
     # @return   [String]
     #
     def self.encode( str )
-        URI.encode( str, "+;%=\0" ).gsub( ' ', '+' )
+        URI.encode( str, "+;%=\0" ).recode.gsub( ' ', '+' )
     end
     # @see .encode
     def encode( str )
@@ -1134,7 +1135,7 @@ class Cookie < Arachni::Element::Base
     # @return   [String]
     #
     def self.decode( str )
-        URI.decode( str.gsub( '+', ' ' ) )
+        URI.decode( str.to_s.recode.gsub( '+', ' ' ) )
     end
     # @see .decode
     def decode( str )

data/lib/arachni/element/form.rb

@@ -1295,11 +1295,7 @@ class Form < Arachni::Element::Base
             action = url_sanitize( c_form['attrs']['action'] )
         end
 
-        begin
-             action = to_absolute( action.dup, url ).to_s
-             return if skip_path? action
-        rescue
-        end
+        action = to_absolute( action.to_s, url ).to_s
 
         c_form['attrs']['action'] = action
 

data/lib/arachni/element/header.rb

@@ -57,6 +57,16 @@ class Header < Arachni::Element::Base
         muts
     end
 
+    # @return   [String]    Header name.
+    def name
+        @auditable.first.first
+    end
+
+    # @return   [String]    Header value.
+    def value
+        @auditable.first.last
+    end
+
     def type
         Arachni::Element::HEADER
     end

data/lib/arachni/element/link.rb

@@ -169,7 +169,6 @@ class Link < Arachni::Element::Base
             c_link = {}
             c_link['href'] = to_absolute( link['href'], base_url )
             next if !c_link['href']
-            next if skip_path?( c_link['href'] )
 
             new( url, c_link['href'] )
         end.compact

data/lib/arachni/element_filter.rb

@@ -27,8 +27,8 @@ module Arachni
 module ElementFilter
     include Utilities
 
-    @@forms    ||= BloomFilter.new
-    @@links    ||= BloomFilter.new
+    @@forms    ||= Support::LookUp::HashSet.new
+    @@links    ||= Support::LookUp::HashSet.new
     @@cookies  ||= Set.new
 
     def self.reset

data/lib/arachni/framework.rb

@@ -30,9 +30,11 @@ lib = Options.dir['lib']
 require lib + 'version'
 require lib + 'ruby'
 require lib + 'error'
-require lib + 'cache'
+require lib + 'support'
 require lib + 'utilities'
 require lib + 'uri'
+require lib + 'component/manager'
+require lib + 'platform'
 require lib + 'spider'
 require lib + 'parser'
 require lib + 'issue'
@@ -41,8 +43,6 @@ require lib + 'plugin'
 require lib + 'audit_store'
 require lib + 'http'
 require lib + 'report'
-require lib + 'database'
-require lib + 'component/manager'
 require lib + 'session'
 require lib + 'trainer'
 
@@ -226,6 +226,10 @@ class Framework
         print_line
         print_status "Auditing: [HTTP: #{page.code}] #{page.url}"
 
+        if page.platforms.any?
+            print_info "Identified as: #{page.platforms.to_a.join( ', ' )}"
+        end
+
         call_on_audit_page( page )
 
         @current_url = page.url.to_s
@@ -252,6 +256,13 @@ class Framework
     end
     alias :on_run_mods :on_audit_page
 
+    # @return   [Bool]
+    #   `true` if the {Options#link_count_limit} has been reached, `false`
+    #   otherwise.
+    def link_count_limit_reached?
+        @opts.link_count_limit_reached? @sitemap.size
+    end
+
     #
     # Returns the following framework stats:
     #
@@ -433,7 +444,7 @@ class Framework
             @reports.clear
 
             if !@reports[name].has_outfile?
-                fail Component::Error::InvalidOptions,
+                fail Component::Options::Error::Invalid,
                      "Report '#{name}' cannot format the audit results as a String."
             end
 
@@ -442,7 +453,7 @@ class Framework
 
             IO.read( outfile )
         ensure
-            File.delete( outfile )
+            File.delete( outfile ) if outfile
             @reports.clear
             @reports.load loaded
         end
@@ -523,6 +534,18 @@ class Framework
     end
     alias :lsplug :list_plugins
 
+    # @return    [Array<Hash>]  Information about all available platforms.
+    def list_platforms
+        platforms = Platform::Manager.new
+        platforms.valid.inject({}) do |h, platform|
+            type = Platform::Manager::TYPES[platforms.find_type( platform )]
+            h[type] ||= {}
+            h[type][platform] = platforms.fullname( platform )
+            h
+        end
+    end
+    alias :lsplat :list_platforms
+
     # @return   [String]
     #   Status of the instance, possible values are (in order):
     #
@@ -557,7 +580,6 @@ class Framework
         @paused << caller
         true
     end
-    alias :pause! :pause
 
     # @return   [TrueClass]  Resumes the scan/audit.
     def resume
@@ -565,7 +587,6 @@ class Framework
         spider.resume
         true
     end
-    alias :resume! :resume
 
     # @return    [String]   Returns the version of the framework.
     def version
@@ -601,7 +622,6 @@ class Framework
 
         true
     end
-    alias :clean_up! :clean_up
 
     def reset_spider
         @spider = Spider.new( @opts )
@@ -643,6 +663,8 @@ class Framework
     # You should first update {Arachni::Options}.
     #
     def self.reset
+        UI::Output.reset_output_options
+        Platform::Manager.reset
         Module::Auditor.reset
         ElementFilter.reset
         Element::Capabilities::Auditable.reset
@@ -689,16 +711,16 @@ class Framework
             @opts.restrict_paths.each { |url| push_to_url_queue( url ) }
         else
             # initiates the crawl
-            spider.run( false ) do |response|
+            spider.run do |page|
                 @sitemap |= spider.sitemap
-                push_to_url_queue( url_sanitize( response.effective_url ) )
+                push_to_url_queue page.url
+
+                next if page.platforms.empty?
+                print_info "Identified as: #{page.platforms.to_a.join( ', ' )}"
             end
         end
 
-        @status = :auditing
         audit_queues
-
-        exception_jail { audit_queues }
     end
 
     #
@@ -707,6 +729,8 @@ class Framework
     def audit_queues
         return if modules.empty?
 
+        @status = :auditing
+
         # goes through the URLs discovered by the spider, repeats the request
         # and parses the responses into page objects
         #