RubyGems - arachni - Versions diffs - 1.1 → 1.2 - Mend

arachni 1.1 → 1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (287) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +159 -0
data/LICENSE.md +126 -196
data/README.md +32 -24
data/arachni.gemspec +7 -7
data/components/checks/active/code_injection_timing.rb +3 -3
data/components/checks/active/csrf.rb +2 -2
data/components/checks/active/file_inclusion.rb +6 -7
data/components/checks/active/os_cmd_injection.rb +3 -3
data/components/checks/active/path_traversal.rb +7 -7
data/components/checks/active/response_splitting.rb +9 -4
data/components/checks/active/session_fixation.rb +7 -3
data/components/checks/active/source_code_disclosure.rb +5 -5
data/components/checks/active/unvalidated_redirect.rb +12 -3
data/components/checks/active/unvalidated_redirect_dom.rb +3 -3
data/components/checks/active/xss.rb +23 -10
data/components/checks/active/xss_dom_inputs.rb +113 -11
data/components/checks/active/xxe.rb +3 -3
data/components/checks/passive/backdoors.rb +6 -5
data/components/checks/passive/backup_directories.rb +6 -6
data/components/checks/passive/backup_files.rb +6 -6
data/components/checks/passive/common_admin_interfaces.rb +58 -0
data/components/checks/passive/common_admin_interfaces/admin-panels.txt +49 -0
data/components/checks/passive/common_directories/directories.txt +0 -16
data/components/checks/passive/common_files.rb +6 -5
data/components/checks/passive/common_files/filenames.txt +0 -2
data/components/checks/passive/directory_listing.rb +6 -6
data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +3 -3
data/components/checks/passive/grep/hsts.rb +6 -3
data/components/checks/passive/grep/http_only_cookies.rb +3 -3
data/components/checks/passive/grep/insecure_cookies.rb +2 -2
data/components/checks/passive/grep/insecure_cors_policy.rb +6 -4
data/components/checks/passive/grep/x_frame_options.rb +6 -4
data/components/checks/passive/htaccess_limit.rb +6 -2
data/components/checks/passive/http_put.rb +8 -4
data/components/checks/passive/interesting_responses.rb +3 -2
data/components/checks/passive/localstart_asp.rb +6 -2
data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +5 -1
data/components/checks/passive/xst.rb +6 -2
data/components/fingerprinters/frameworks/aspx_mvc.rb +43 -0
data/components/fingerprinters/frameworks/cakephp.rb +28 -0
data/components/fingerprinters/frameworks/cherrypy.rb +31 -0
data/components/fingerprinters/frameworks/django.rb +33 -0
data/components/fingerprinters/frameworks/jsf.rb +30 -0
data/components/fingerprinters/frameworks/rack.rb +5 -7
data/components/fingerprinters/frameworks/rails.rb +43 -0
data/components/fingerprinters/languages/aspx.rb +11 -11
data/components/fingerprinters/languages/{jsp.rb → java.rb} +11 -7
data/components/fingerprinters/languages/php.rb +6 -6
data/components/fingerprinters/languages/python.rb +14 -6
data/components/fingerprinters/languages/ruby.rb +3 -5
data/components/fingerprinters/servers/apache.rb +5 -4
data/components/fingerprinters/servers/gunicorn.rb +33 -0
data/components/fingerprinters/servers/jetty.rb +1 -1
data/components/fingerprinters/servers/tomcat.rb +11 -4
data/components/path_extractors/anchors.rb +5 -12
data/components/path_extractors/areas.rb +5 -13
data/components/path_extractors/comments.rb +5 -3
data/components/path_extractors/data_url.rb +21 -0
data/components/path_extractors/forms.rb +5 -13
data/components/path_extractors/frames.rb +6 -13
data/components/path_extractors/generic.rb +3 -12
data/components/path_extractors/links.rb +5 -13
data/components/path_extractors/meta_refresh.rb +5 -13
data/components/path_extractors/scripts.rb +8 -14
data/components/plugins/autologin.rb +17 -5
data/components/plugins/defaults/meta/remedies/discovery.rb +11 -29
data/components/plugins/login_script.rb +40 -10
data/components/plugins/metrics.rb +235 -0
data/components/plugins/proxy.rb +21 -4
data/components/plugins/proxy/panel/page_accordion.html.erb +34 -2
data/components/plugins/restrict_to_dom_state.rb +70 -0
data/components/plugins/vector_feed.rb +38 -9
data/components/reporters/plugin_formatters/html/metrics.rb +290 -0
data/components/reporters/plugin_formatters/stdout/metrics.rb +80 -0
data/components/reporters/plugin_formatters/xml/metrics.rb +29 -0
data/components/reporters/stdout.rb +4 -2
data/components/reporters/xml.rb +4 -4
data/components/reporters/xml/schema.xsd +95 -0
data/lib/arachni.rb +2 -0
data/lib/arachni/browser.rb +132 -77
data/lib/arachni/browser/javascript.rb +173 -45
data/lib/arachni/browser/javascript/scripts/dom_monitor.js +81 -6
data/lib/arachni/browser/javascript/scripts/taint_tracer.js +31 -3
data/lib/arachni/browser_cluster.rb +41 -15
data/lib/arachni/browser_cluster/job.rb +4 -0
data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +0 -9
data/lib/arachni/browser_cluster/worker.rb +8 -5
data/lib/arachni/check/auditor.rb +20 -8
data/lib/arachni/check/base.rb +38 -6
data/lib/arachni/element/base.rb +18 -1
data/lib/arachni/element/capabilities/analyzable/differential.rb +0 -1
data/lib/arachni/element/capabilities/analyzable/taint.rb +40 -10
data/lib/arachni/element/capabilities/analyzable/timeout.rb +27 -23
data/lib/arachni/element/capabilities/auditable/dom.rb +22 -0
data/lib/arachni/element/capabilities/inputtable.rb +6 -2
data/lib/arachni/element/capabilities/submittable.rb +1 -1
data/lib/arachni/element/cookie.rb +37 -23
data/lib/arachni/element/cookie/capabilities/mutable.rb +6 -6
data/lib/arachni/element/cookie/dom.rb +0 -8
data/lib/arachni/element/form.rb +28 -14
data/lib/arachni/element/form/capabilities/auditable.rb +2 -2
data/lib/arachni/element/form/capabilities/mutable.rb +5 -5
data/lib/arachni/element/form/dom.rb +0 -8
data/lib/arachni/element/generic_dom.rb +1 -1
data/lib/arachni/element/json.rb +2 -1
data/lib/arachni/element/json/capabilities/inputtable.rb +6 -6
data/lib/arachni/element/json/capabilities/mutable.rb +1 -1
data/lib/arachni/element/link.rb +13 -16
data/lib/arachni/element/link/dom.rb +1 -14
data/lib/arachni/element/link_template.rb +3 -2
data/lib/arachni/element/link_template/dom.rb +0 -16
data/lib/arachni/element/server.rb +51 -9
data/lib/arachni/element/xml.rb +1 -0
data/lib/arachni/ethon/easy.rb +4 -1
data/lib/arachni/framework/parts/audit.rb +26 -77
data/lib/arachni/framework/parts/browser.rb +50 -55
data/lib/arachni/framework/parts/check.rb +4 -3
data/lib/arachni/framework/parts/data.rb +41 -6
data/lib/arachni/framework/parts/state.rb +16 -7
data/lib/arachni/http/client.rb +66 -38
data/lib/arachni/http/client/dynamic_404_handler.rb +46 -14
data/lib/arachni/http/headers.rb +22 -10
data/lib/arachni/http/proxy_server.rb +67 -22
data/lib/arachni/http/proxy_server/ssl-interceptor-cacert.pem +34 -0
data/lib/arachni/http/proxy_server/ssl-interceptor-cakey.pem +51 -0
data/lib/arachni/http/request.rb +71 -18
data/lib/arachni/issue.rb +17 -3
data/lib/arachni/option_groups/browser_cluster.rb +34 -1
data/lib/arachni/option_groups/http.rb +1 -1
data/lib/arachni/page.rb +26 -13
data/lib/arachni/page/dom/transition.rb +2 -2
data/lib/arachni/parser.rb +28 -11
data/lib/arachni/platform/fingerprinter.rb +5 -0
data/lib/arachni/platform/manager.rb +65 -32
data/lib/arachni/plugin/base.rb +8 -0
data/lib/arachni/processes/instances.rb +25 -11
data/lib/arachni/reporter/manager.rb +2 -2
data/lib/arachni/rpc/client/instance.rb +4 -0
data/lib/arachni/rpc/server/framework/master.rb +3 -3
data/lib/arachni/rpc/server/framework/multi_instance.rb +0 -8
data/lib/arachni/rpc/server/instance.rb +2 -1
data/lib/arachni/ruby/array.rb +5 -0
data/lib/arachni/ruby/hash.rb +5 -0
data/lib/arachni/ruby/string.rb +2 -3
data/lib/arachni/session.rb +32 -6
data/lib/arachni/state/framework.rb +6 -2
data/lib/arachni/support/cache.rb +1 -0
data/lib/arachni/support/cache/base.rb +12 -8
data/lib/arachni/support/cache/least_recently_pushed.rb +29 -0
data/lib/arachni/support/cache/least_recently_used.rb +5 -8
data/lib/arachni/support/cache/preference.rb +1 -1
data/lib/arachni/support/cache/random_replacement.rb +1 -25
data/lib/arachni/support/database/queue.rb +21 -8
data/lib/arachni/support/lookup/base.rb +7 -1
data/lib/arachni/support/mixins/observable.rb +3 -1
data/lib/arachni/support/profiler.rb +51 -10
data/lib/arachni/support/signature.rb +11 -2
data/lib/arachni/trainer.rb +8 -2
data/lib/arachni/uri.rb +28 -25
data/lib/arachni/uri/scope.rb +1 -1
data/lib/arachni/utilities.rb +8 -0
data/lib/arachni/watir/element.rb +1 -1
data/lib/version +1 -1
data/spec/arachni/browser/javascript/dom_monitor_spec.rb +388 -53
data/spec/arachni/browser/javascript/taint_tracer_spec.rb +41 -0
data/spec/arachni/browser/javascript_spec.rb +235 -61
data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +0 -9
data/spec/arachni/browser_cluster_spec.rb +58 -10
data/spec/arachni/browser_spec.rb +170 -26
data/spec/arachni/check/auditor_spec.rb +22 -3
data/spec/arachni/check/base_spec.rb +84 -0
data/spec/arachni/element/body_spec.rb +1 -1
data/spec/arachni/element/capabilities/analyzable/taint_spec.rb +3 -3
data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +1 -1
data/spec/arachni/element/cookie/dom_spec.rb +0 -9
data/spec/arachni/element/cookie_spec.rb +85 -0
data/spec/arachni/element/form/dom_spec.rb +0 -9
data/spec/arachni/element/form_spec.rb +46 -3
data/spec/arachni/element/json_spec.rb +20 -0
data/spec/arachni/element/link/dom_spec.rb +0 -9
data/spec/arachni/element/link_spec.rb +40 -15
data/spec/arachni/element/link_template/dom_spec.rb +0 -8
data/spec/arachni/element/link_template_spec.rb +2 -6
data/spec/arachni/element/server_spec.rb +94 -8
data/spec/arachni/element/xml_spec.rb +20 -0
data/spec/arachni/framework/parts/audit_spec.rb +12 -14
data/spec/arachni/framework/parts/browser_spec.rb +0 -171
data/spec/arachni/framework/parts/platform_spec.rb +14 -8
data/spec/arachni/framework/parts/report_spec.rb +1 -1
data/spec/arachni/framework/parts/state_spec.rb +0 -9
data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +19 -0
data/spec/arachni/http/client_spec.rb +169 -42
data/spec/arachni/http/headers_spec.rb +18 -0
data/spec/arachni/http/request_spec.rb +23 -0
data/spec/arachni/issue_spec.rb +17 -6
data/spec/arachni/page_spec.rb +22 -2
data/spec/arachni/parser_spec.rb +5 -0
data/spec/arachni/platform/manager_spec.rb +57 -25
data/spec/arachni/reporter/manager_spec.rb +26 -0
data/spec/arachni/rpc/server/active_options_spec.rb +9 -4
data/spec/arachni/state/framework_spec.rb +2 -8
data/spec/arachni/support/cache/least_recently_pushed_spec.rb +90 -0
data/spec/arachni/support/cache/least_recently_used_spec.rb +5 -13
data/spec/arachni/support/database/queue_spec.rb +7 -0
data/spec/arachni/support/mixins/observable_spec.rb +15 -1
data/spec/arachni/trainer_spec.rb +2 -2
data/spec/components/checks/active/code_injection_timing_spec.rb +1 -1
data/spec/components/checks/active/file_inclusion_spec.rb +6 -6
data/spec/components/checks/active/path_traversal_spec.rb +2 -2
data/spec/components/checks/active/source_code_disclosure_spec.rb +2 -2
data/spec/components/checks/active/unvalidated_redirect_spec.rb +6 -6
data/spec/components/checks/active/xss_dom_inputs_spec.rb +3 -5
data/spec/components/checks/active/xss_dom_script_context_spec.rb +1 -1
data/spec/components/checks/active/xss_spec.rb +5 -5
data/spec/components/checks/passive/common_admin_interfaces_spec.rb +15 -0
data/spec/components/checks/passive/interesting_responses_spec.rb +14 -1
data/spec/components/fingerprinters/frameworks/aspx_mvc_spec.rb +31 -0
data/spec/components/fingerprinters/frameworks/cakephp_spec.rb +22 -0
data/spec/components/fingerprinters/frameworks/cherrypy_spec.rb +28 -0
data/spec/components/fingerprinters/frameworks/django_spec.rb +37 -0
data/spec/components/fingerprinters/frameworks/jsf_spec.rb +27 -0
data/spec/components/fingerprinters/frameworks/rack_spec.rb +11 -14
data/spec/components/fingerprinters/frameworks/rails_spec.rb +53 -0
data/spec/components/fingerprinters/languages/asp_spec.rb +7 -9
data/spec/components/fingerprinters/languages/aspx_spec.rb +10 -24
data/spec/components/fingerprinters/languages/java_spec.rb +88 -0
data/spec/components/fingerprinters/languages/php_spec.rb +19 -12
data/spec/components/fingerprinters/languages/python_spec.rb +22 -9
data/spec/components/fingerprinters/languages/ruby.rb +6 -4
data/spec/components/fingerprinters/os/bsd_spec.rb +6 -4
data/spec/components/fingerprinters/os/linux_spec.rb +6 -4
data/spec/components/fingerprinters/os/solaris_spec.rb +6 -4
data/spec/components/fingerprinters/os/unix_spec.rb +6 -4
data/spec/components/fingerprinters/os/windows_spec.rb +6 -4
data/spec/components/fingerprinters/servers/apache_spec.rb +15 -4
data/spec/components/fingerprinters/servers/gunicorn_spec.rb +28 -0
data/spec/components/fingerprinters/servers/iis_spec.rb +6 -6
data/spec/components/fingerprinters/servers/jetty_spec.rb +6 -6
data/spec/components/fingerprinters/servers/nginx_spec.rb +6 -4
data/spec/components/fingerprinters/servers/tomcat_spec.rb +15 -6
data/spec/components/path_extractors/data_url_spec.rb +19 -0
data/spec/components/plugins/autologin_spec.rb +23 -0
data/spec/components/plugins/login_script_spec.rb +112 -24
data/spec/components/plugins/restrict_to_dom_state_spec.rb +16 -0
data/spec/components/plugins/vector_feed_spec.rb +39 -1
data/spec/support/factories/page/dom.rb +9 -4
data/spec/support/factories/page/dom/transition.rb +31 -9
data/spec/support/factories/scan_report.rb +8 -6
data/spec/support/fixtures/empty/placeholder +0 -0
data/spec/support/fixtures/report.afr +0 -0
data/spec/support/fixtures/reporters/manager_spec/error.rb +18 -0
data/spec/support/servers/arachni/browser.rb +117 -11
data/spec/support/servers/arachni/browser/javascript/dom_monitor.rb +148 -4
data/spec/support/servers/arachni/check/auditor.rb +4 -0
data/spec/support/servers/arachni/element/cookie/cookie_dom.rb +1 -1
data/spec/support/servers/arachni/http/client.rb +5 -0
data/spec/support/servers/arachni/http/client/dynamic_404_handler.rb +13 -0
data/spec/support/servers/checks/active/code_injection_timing.rb +1 -1
data/spec/support/servers/checks/active/file_inclusion.rb +2 -2
data/spec/support/servers/checks/active/path_traversal.rb +2 -2
data/spec/support/servers/checks/active/source_code_disclosure.rb +40 -33
data/spec/support/servers/checks/active/trainer_check.rb +9 -10
data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +7 -4
data/spec/support/servers/checks/active/xss.rb +35 -0
data/spec/support/servers/checks/active/xss_dom.rb +1 -1
data/spec/support/servers/checks/active/xss_dom_inputs.rb +24 -0
data/spec/support/servers/checks/active/xss_dom_script_context.rb +1 -1
data/spec/support/servers/checks/passive/common_admin_interfaces.rb +6 -0
data/spec/support/servers/plugins/autologin.rb +9 -0
data/spec/support/servers/plugins/restrict_to_dom_state.rb +4 -0
data/spec/support/shared/element/base.rb +42 -0
data/spec/support/shared/element/capabilities/auditable.rb +4 -4
data/spec/support/shared/element/capabilities/auditable/dom.rb +26 -0
data/spec/support/shared/element/capabilities/inputtable.rb +16 -11
data/spec/support/shared/element/capabilities/submitable.rb +7 -2
data/spec/support/shared/fingerprinter.rb +8 -0
data/spec/support/shared/path_extractor.rb +1 -1
data/ui/cli/framework.rb +3 -3
data/ui/cli/framework/option_parser.rb +9 -0
data/ui/cli/output.rb +9 -0
data/ui/cli/reporter.rb +5 -2
data/ui/cli/utilities.rb +4 -2
metadata +76 -17
data/lib/arachni/http/proxy_server/ssl-interceptor-cert.pem +0 -34
data/lib/arachni/http/proxy_server/ssl-interceptor-pkey.pem +0 -51
data/spec/components/fingerprinters/languages/jsp_spec.rb +0 -56

data/lib/arachni/browser/javascript.rb CHANGED

@@ -21,6 +21,12 @@ class Javascript
     require_relative 'javascript/taint_tracer'
     require_relative 'javascript/dom_monitor'
+    CACHE = {
+        select_event_attributes: Support::Cache::LeastRecentlyPushed.new( 1_000 )
+    }
+    TOKEN = 'arachni_js_namespace'
     # @return   [String]
     #   URL to use when requesting our custom JS scripts.
     SCRIPT_BASE_URL = 'http://javascript.browser.arachni/'
@@ -33,6 +39,8 @@ class Javascript
         h.merge!( path => IO.read(path) )
     end
+    HTML_IDENTIFIERS = ['<!doctype html', '<html', '<head', '<body', '<title', '<script']
     NO_EVENTS_FOR_ELEMENTS = Set.new([
         :base, :bdo, :br, :head, :html, :iframe, :meta, :param, :script, :style,
         :title, :link
@@ -126,15 +134,29 @@ class Javascript
         GLOBAL_EVENTS | EVENTS_PER_ELEMENT.values.flatten.uniq
     end
+    def self.event_whitelist
+        @event_whitelist ||= Set.new( events.flatten.map(&:to_s) )
+    end
+    # @param    [Symbol]    element
+    #
+    # @return   [Array<Symbol>]
+    #   Events for `element`.
+    def self.events_for( element )
+        GLOBAL_EVENTS | EVENTS_PER_ELEMENT[element.to_sym]
+    end
     # @param    [Hash]  attributes
     #   Element attributes.
     #
     # @return   [Hash]
     #   `attributes` that include {.events}.
     def self.select_event_attributes( attributes = {} )
-        attributes = attributes.my_stringify
-        Hash[(self.events.flatten.map(&:to_s) & attributes.keys).
-            map { |event| [event.to_sym, attributes[event]] }]
+        CACHE[:select_event_attributes][attributes] ||=
+            attributes.inject({}) do |h, (event, handler)|
+                next h if !event_whitelist.include?( event.to_s )
+                h.merge!( event.to_sym => handler )
+            end
     end
     # @param    [Browser]   browser
@@ -169,7 +191,7 @@ class Javascript
     # @return   [String]
     #   Token used to namespace the injected JS code and avoid clashes.
     def token
-        @token ||= generate_token.to_s
+        @token ||= TOKEN
     end
     # @return   [String]
@@ -268,6 +290,8 @@ class Javascript
         dom_monitor.digest
     end
+    # @note Will not include custom events.
+    #
     # @return   [Array<Hash>]
     #   Information about all DOM elements, including any registered event listeners.
     def dom_elements_with_events
@@ -277,10 +301,15 @@ class Javascript
             next if NO_EVENTS_FOR_ELEMENTS.include? element['tag_name'].to_sym
             attributes = element['attributes']
-            element['events'] =
-                element['events'].map { |event, fn| [event.to_sym, fn] } |
-                    (self.class.events.flatten.map(&:to_s) & attributes.keys).
-                        map { |event| [event.to_sym, attributes[event]] }
+            element['events'] = (element['events'].map do |event, fn|
+                next if !(self.class.event_whitelist.include?( event ) ||
+                    self.class.event_whitelist.include?( "on#{event}" ))
+                [event.to_sym, fn]
+            end.compact)
+            element['events'] |= self.class.select_event_attributes( attributes ).to_a
             element
         end.compact
@@ -327,63 +356,162 @@ class Javascript
     # @param    [HTTP::Response]    response
     #   Installs our custom JS interfaces in the given `response`.
     #
-    # @return   [Bool]
-    #   `true` if injection was performed, `false` otherwise (in case our code
-    #   is already present).
-    #
     # @see SCRIPT_BASE_URL
     # @see SCRIPT_LIBRARY
     def inject( response )
-        return false if has_js_initializer?( response )
+        # Don't intercept our own stuff!
+        return if response.url.start_with?( SCRIPT_BASE_URL )
+        # If it's a JS file, update our JS interfaces in case it has stuff that
+        # can be tracked.
+        #
+        # This is necessary because new files can be required dynamically.
+        if javascript?( response )
+            response.body = <<-EOCODE
+                #{js_comment}
+                #{taint_tracer.stub.function( :update_tracers )};
+                #{dom_monitor.stub.function( :update_trackers )};
+                #{response.body};
+            EOCODE
+        # Already has the JS initializer, so it's an HTML response; just update
+        # taints and custom code.
+        elsif has_js_initializer?( response )
+            body = response.body.dup
+            update_taints( body )
+            update_custom_code( body )
+            response.body = body
+        elsif html?( response )
+            body = response.body.dup
+            # Perform an update before each script.
+            body.gsub!(
+                /<script.*?>/i,
+                "\\0\n
+                #{js_comment}
+                #{@taint_tracer.stub.function( :update_tracers )};
+                #{@dom_monitor.stub.function( :update_trackers )};\n\n"
+            )
+            # Perform an update after each script.
+            body.gsub!(
+                /<\/script>/i,
+                "\\0\n<script type=\"text/javascript\">" <<
+                    "#{@taint_tracer.stub.function( :update_tracers )};" <<
+                    "#{@dom_monitor.stub.function( :update_trackers )};" <<
+                    "</script> #{html_comment}\n"
+            )
+            # Include and initialize our JS interfaces.
+            response.body = <<-EOHTML
+<script src="#{script_url_for( :taint_tracer )}"></script> #{html_comment}
+<script src="#{script_url_for( :dom_monitor )}"></script> #{html_comment}
+<script>
+#{wrapped_taint_tracer_initializer}
+#{js_initialization_signal};
+#{wrapped_custom_code}
+</script> #{html_comment}
+#{body}
+            EOHTML
+        end
-        body = response.body.dup
+        response.headers['content-length'] = response.body.size
+        true
+    end
-        # Schedule a tracer update at the beginning of each script block in order
-        # to put our hooks into any newly introduced functions.
+    def javascript?( response )
+        response.headers.content_type.to_s.downcase.include?( 'javascript' )
+    end
+    def html?( response )
+        return false if response.body.empty?
+        # We only care about HTML.
+        return false if !response.headers.content_type.to_s.downcase.start_with?( 'text/html' )
+        # Let's check that the response at least looks like it contains HTML
+        # code of interest.
+        body = response.body.downcase
+        return false if !HTML_IDENTIFIERS.find { |tag| body.include? tag.downcase }
+        # The last check isn't fool-proof, so don't do it when loading the page
+        # for the first time, but only when the page loads stuff via AJAX and whatnot.
         #
-        # The fact that our update call seems to be taking place before any
-        # functions get the chance to be defined doesn't seem to matter.
-        body.gsub!(
-            /<script(.*?)>/i,
-            "\\0\n#{@taint_tracer.stub.function( :update_tracers )}; // Injected by #{self.class}\n"
-        )
+        # Well, we can be pretty sure that the root page will be HTML anyways.
+        return true if @browser.last_url == response.url
-        # Also perform an update after each script block, this is for external
-        # scripts.
-        body.gsub!(
-            /<\/script>/i,
-            "\\0\n<script type=\"text/javascript\">#{@taint_tracer.stub.function( :update_tracers )}" <<
-                "</script> <!-- Script injected by #{self.class} -->\n"
-        )
+        # Finally, verify that we're really working with markup (hopefully HTML)
+        # and that the previous checks weren't just flukes matching some other
+        # kind of document.
+        #
+        # For example, it may have been JSON with the wrong content-type that
+        # includes HTML -- it happens.
+        begin
+            return false if Nokogiri::XML( response.body ).children.empty?
+        rescue => e
+            print_debug "Does not look like HTML: #{response.url}"
+            print_debug "\n#{response.body}"
+            print_debug_exception e
+            return false
+        end
+        true
+    end
+    private
+    def js_comment
+        "// Injected by #{self.class}"
+    end
+    def html_comment
+        "<!-- Injected by #{self.class} -->"
+    end
+    def taints
         taints = [@taint]
         # Include cookie names and values in the trace so that the browser will
         # be able to infer if they're being used, to avoid unnecessary audits.
         if Options.audit.cookie_doms?
             taints |= HTTP::Client.cookies.map { |c| c.inputs.to_a }.flatten
         end
-        taints = taints.flatten.reject { |v| v.to_s.empty? }
-        response.body = <<-EOHTML
-            <script src="#{script_url_for( :taint_tracer )}"></script> <!-- Script injected by #{self.class} -->
-            <script> #{@taint_tracer.stub.function( :initialize, taints )} </script> <!-- Script injected by #{self.class} -->
-            <script src="#{script_url_for( :dom_monitor )}"></script> <!-- Script injected by #{self.class} -->
-            <script>
-                #{@dom_monitor.stub.function( :initialize )};
-                #{js_initialization_signal};
+        taints.flatten.reject { |v| v.to_s.empty? }
+    end
-                #{custom_code}
-            </script> <!-- Script injected by #{self.class} -->
+    def update_taints( body )
+        body.gsub!(
+            /\/\* #{token}_initialize_start \*\/(.*)\/\* #{token}_initialize_stop \*\//,
+            wrapped_taint_tracer_initializer
+        )
+    end
-            #{body}
-        EOHTML
+    def update_custom_code( body )
+        body.gsub!(
+            /\/\* #{token}_code_start \*\/(.*)\/\* #{token}_code_stop \*\//,
+            wrapped_custom_code
+        )
+    end
-        response.headers['content-length'] = response.body.bytesize
-        true
+    def wrapped_taint_tracer_initializer
+        "/* #{token}_initialize_start */" <<
+            "#{@taint_tracer.stub.function( :initialize, taints )}" <<
+            "/* #{token}_initialize_stop */"
     end
-    private
+    def wrapped_custom_code
+        "/* #{token}_code_start */#{custom_code}/* #{token}_code_stop */"
+    end
     def js_initialization_signal
         "window._#{token} = true"

data/lib/arachni/browser/javascript/scripts/dom_monitor.js CHANGED

@@ -37,6 +37,10 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
         _tokenDOMMonitor.initialized = true
     },
+    update_trackers: function () {
+        _tokenDOMMonitor.track_jQuery_delegated_events();
+    },
     // Returns information about all DOM elements, their attributes and registered
     // events.
     elements_with_events: function () {
@@ -50,9 +54,11 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
             // Skip invisible elements.
             if( element.offsetWidth <= 0 && element.offsetHeight <= 0 ) continue;
+            _tokenDOMMonitor.apply_jQuery_delegated_events( element );
             var e = {
                 tag_name:   element.tagName.toLowerCase(),
-                events:     element.events || [],
+                events:     element._arachni_events || [],
                 attributes: {}
             };
@@ -122,6 +128,54 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
         };
     },
+    track_jQuery_delegated_events: function () {
+        if( _tokenDOMMonitor.tracked_jQuery_delegated_events || !window.jQuery ) return;
+        _tokenDOMMonitor.tracked_jQuery_delegated_events = true;
+        var original = window.jQuery.fn.on;
+        // We only care for calls with selectors, as any other will attach the
+        // events to the DOM element immediately and thus be captured by the
+        // addEventListener tracker.
+        window.jQuery.fn.on = function ( types, selector, data, fn, one ) {
+            // Types can be a map of types/handlers, in that case just run
+            // the original as it'll act recursively and pass itself (which is
+            // this override, really) each type.
+            if ( typeof types === "object" ) {
+                return original.apply( this, [].slice.call( arguments ) );
+            }
+            if ( data == null && fn == null ) {
+                // ( types, fn ) -- no selector, bail out.
+                return original.apply( this, [].slice.call( arguments ) );
+            } else if ( fn == null ) {
+                if ( typeof selector === "string" ) {
+                    // ( types, selector, fn ) -- with selector, proceed.
+                    fn = data;
+                } else {
+                    // ( types, data, fn ) -- no selector, bail out.
+                    return original.apply( this, [].slice.call( arguments ) );
+                }
+            }
+            if( selector ) {
+                this.each( function( i, e ){
+                    e['_arachni_jquery_delegated_event'] =
+                        e['_arachni_jquery_delegated_event'] || [];
+                    e['_arachni_jquery_delegated_event'].push({
+                        selector: selector,
+                        event:    types,
+                        handler:  fn
+                    });
+                });
+            }
+            return original.apply( this, [].slice.call( arguments ) );
+        };
+    },
     // Overrides window.addEventListener and Node.prototype.addEventListener
     // to intercept event binds so that we can keep track of them in order to
     // optimize DOM analysis.
@@ -129,7 +183,7 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
         // Override window.addEventListener
         var original_Window_addEventListener = window.addEventListener;
-        window.addEventListener = function _window_addEventListener( event, listener, useCapture ) {
+        window.addEventListener = function ( event, listener, useCapture ) {
             _tokenDOMMonitor.registerEvent( window, event, listener );
             original_Window_addEventListener.apply( window, [].slice.call( arguments ) );
         };
@@ -137,16 +191,35 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
         // Override Node.prototype.addEventListener
         var original_Node_addEventListener = Node.prototype.addEventListener;
-        Node.prototype.addEventListener = function _Node_addEventListener( event, listener, useCapture ) {
+        Node.prototype.addEventListener = function ( event, listener, useCapture ) {
             _tokenDOMMonitor.registerEvent( this, event, listener );
             original_Node_addEventListener.apply( this, [].slice.call( arguments ) );
         };
     },
+    apply_jQuery_delegated_events: function ( element ){
+        if( !element['_arachni_jquery_delegated_event'] ) return;
+        var event_data     = element['_arachni_jquery_delegated_event'];
+        var jquery_element = jQuery( element );
+        for( var i = 0; i < event_data.length; i++ ) {
+            var data = event_data[i];
+            jquery_element.find( data.selector ).each( function ( j, child ){
+                _tokenDOMMonitor.registerEvent( child, data.event, data.handler );
+            });
+        }
+        element['_arachni_jquery_delegated_event'] = undefined;
+    },
     // Registers an event and its handler for the given element.
     registerEvent: function ( element, event, handler ) {
-        if( !('events' in element) ) element['events'] = [];
-        element['events'].push( [event, handler] );
+        if( !('_arachni_events' in element) ) element['_arachni_events'] = [];
+        // Custom events are usually in the form of "click.delegateEventsview13".
+        element['_arachni_events'].push( [event.split( '.' )[0], handler] );
     },
     // Sets a unique enough custom ID attribute to elements that lack proper IDs.
@@ -169,7 +242,7 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
             if( element.offsetWidth <= 0 && element.offsetHeight <= 0 ) continue;
             // We don't care about elements without events.
-            if( !element.events || element.events.length == 0 ) continue;
+            if( !element._arachni_events || element._arachni_events.length == 0 ) continue;
             element.setAttribute( 'data-arachni-id', _tokenDOMMonitor.hashCode( element.innerHTML ) );
         }
@@ -188,3 +261,5 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
         return hash;
     }
 };
+_tokenDOMMonitor.initialize();

data/lib/arachni/browser/javascript/scripts/taint_tracer.js CHANGED

@@ -23,6 +23,8 @@ var _tokenTaintTracer = _tokenTaintTracer || {
     // Allows the 'debug' function to operate.
     enable_debugging:     true,
+    max_sinks:            50,
     // Hold debugging information, usually pushed by the 'debug' function.
     debugging_data:       [],
@@ -33,8 +35,14 @@ var _tokenTaintTracer = _tokenTaintTracer || {
     // taints as keys and traces as values.
     data_flow_sinks:      {},
+    ignore:               {
+        '':       true,
+        'lodash': true
+    },
     // Keeps track of which functions have had tracers installed.
-    traced:               {},
+    traced:               {
+    },
     // Original functions, without tracers. We don't want to trigger traced
     // functions to provide functionality to this object.
@@ -198,14 +206,32 @@ var _tokenTaintTracer = _tokenTaintTracer || {
         _tokenTaintTracer.data_flow_sinks[taint].push({
             data:  frame_data,
             trace: _tokenTaintTracer.trace()
-        })
+        });
+        if( _tokenTaintTracer.data_flow_sinks[taint].length > _tokenTaintTracer.max_sinks ) {
+            _tokenTaintTracer.data_flow_sinks[taint] =
+                _tokenTaintTracer.data_flow_sinks[taint].slice(
+                    _tokenTaintTracer.data_flow_sinks[taint].length -
+                        _tokenTaintTracer.max_sinks,
+                    _tokenTaintTracer.data_flow_sinks[taint].length
+                )
+        }
     },
     log_execution_flow_sink: function (){
         _tokenTaintTracer.execution_flow_sinks.push({
             data:  arguments,
             trace: _tokenTaintTracer.trace()
-        })
+        });
+        if( _tokenTaintTracer.execution_flow_sinks.length > _tokenTaintTracer.max_sinks ) {
+            _tokenTaintTracer.execution_flow_sinks =
+                _tokenTaintTracer.execution_flow_sinks.slice(
+                        _tokenTaintTracer.execution_flow_sinks.length -
+                        _tokenTaintTracer.max_sinks,
+                    _tokenTaintTracer.execution_flow_sinks.length
+                )
+        }
     },
     flush_execution_flow_sinks: function (){
@@ -435,6 +461,8 @@ var _tokenTaintTracer = _tokenTaintTracer || {
             if( Object.prototype.toString.call(potentialFunction) !== '[object Function]' )
                 continue;
+            if( _tokenTaintTracer.ignore[potentialFunction.name] ) continue;
             var namespace_function_name = Object.prototype.toString.call(namespace) +
                 '-' + potentialFunction.name;
             if( _tokenTaintTracer.traced[namespace_function_name] ) continue;