RubyGems - arachni - Versions diffs - 1.1 → 1.2 - Mend

arachni 1.1 → 1.2

Files changed (287) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +159 -0
data/LICENSE.md +126 -196
data/README.md +32 -24
data/arachni.gemspec +7 -7
data/components/checks/active/code_injection_timing.rb +3 -3
data/components/checks/active/csrf.rb +2 -2
data/components/checks/active/file_inclusion.rb +6 -7
data/components/checks/active/os_cmd_injection.rb +3 -3
data/components/checks/active/path_traversal.rb +7 -7
data/components/checks/active/response_splitting.rb +9 -4
data/components/checks/active/session_fixation.rb +7 -3
data/components/checks/active/source_code_disclosure.rb +5 -5
data/components/checks/active/unvalidated_redirect.rb +12 -3
data/components/checks/active/unvalidated_redirect_dom.rb +3 -3
data/components/checks/active/xss.rb +23 -10
data/components/checks/active/xss_dom_inputs.rb +113 -11
data/components/checks/active/xxe.rb +3 -3
data/components/checks/passive/backdoors.rb +6 -5
data/components/checks/passive/backup_directories.rb +6 -6
data/components/checks/passive/backup_files.rb +6 -6
data/components/checks/passive/common_admin_interfaces.rb +58 -0
data/components/checks/passive/common_admin_interfaces/admin-panels.txt +49 -0
data/components/checks/passive/common_directories/directories.txt +0 -16
data/components/checks/passive/common_files.rb +6 -5
data/components/checks/passive/common_files/filenames.txt +0 -2
data/components/checks/passive/directory_listing.rb +6 -6
data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +3 -3
data/components/checks/passive/grep/hsts.rb +6 -3
data/components/checks/passive/grep/http_only_cookies.rb +3 -3
data/components/checks/passive/grep/insecure_cookies.rb +2 -2
data/components/checks/passive/grep/insecure_cors_policy.rb +6 -4
data/components/checks/passive/grep/x_frame_options.rb +6 -4
data/components/checks/passive/htaccess_limit.rb +6 -2
data/components/checks/passive/http_put.rb +8 -4
data/components/checks/passive/interesting_responses.rb +3 -2
data/components/checks/passive/localstart_asp.rb +6 -2
data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +5 -1
data/components/checks/passive/xst.rb +6 -2
data/components/fingerprinters/frameworks/aspx_mvc.rb +43 -0
data/components/fingerprinters/frameworks/cakephp.rb +28 -0
data/components/fingerprinters/frameworks/cherrypy.rb +31 -0
data/components/fingerprinters/frameworks/django.rb +33 -0
data/components/fingerprinters/frameworks/jsf.rb +30 -0
data/components/fingerprinters/frameworks/rack.rb +5 -7
data/components/fingerprinters/frameworks/rails.rb +43 -0
data/components/fingerprinters/languages/aspx.rb +11 -11
data/components/fingerprinters/languages/{jsp.rb → java.rb} +11 -7
data/components/fingerprinters/languages/php.rb +6 -6
data/components/fingerprinters/languages/python.rb +14 -6
data/components/fingerprinters/languages/ruby.rb +3 -5
data/components/fingerprinters/servers/apache.rb +5 -4
data/components/fingerprinters/servers/gunicorn.rb +33 -0
data/components/fingerprinters/servers/jetty.rb +1 -1
data/components/fingerprinters/servers/tomcat.rb +11 -4
data/components/path_extractors/anchors.rb +5 -12
data/components/path_extractors/areas.rb +5 -13
data/components/path_extractors/comments.rb +5 -3
data/components/path_extractors/data_url.rb +21 -0
data/components/path_extractors/forms.rb +5 -13
data/components/path_extractors/frames.rb +6 -13
data/components/path_extractors/generic.rb +3 -12
data/components/path_extractors/links.rb +5 -13
data/components/path_extractors/meta_refresh.rb +5 -13
data/components/path_extractors/scripts.rb +8 -14
data/components/plugins/autologin.rb +17 -5
data/components/plugins/defaults/meta/remedies/discovery.rb +11 -29
data/components/plugins/login_script.rb +40 -10
data/components/plugins/metrics.rb +235 -0
data/components/plugins/proxy.rb +21 -4
data/components/plugins/proxy/panel/page_accordion.html.erb +34 -2
data/components/plugins/restrict_to_dom_state.rb +70 -0
data/components/plugins/vector_feed.rb +38 -9
data/components/reporters/plugin_formatters/html/metrics.rb +290 -0
data/components/reporters/plugin_formatters/stdout/metrics.rb +80 -0
data/components/reporters/plugin_formatters/xml/metrics.rb +29 -0
data/components/reporters/stdout.rb +4 -2
data/components/reporters/xml.rb +4 -4
data/components/reporters/xml/schema.xsd +95 -0
data/lib/arachni.rb +2 -0
data/lib/arachni/browser.rb +132 -77
data/lib/arachni/browser/javascript.rb +173 -45
data/lib/arachni/browser/javascript/scripts/dom_monitor.js +81 -6
data/lib/arachni/browser/javascript/scripts/taint_tracer.js +31 -3
data/lib/arachni/browser_cluster.rb +41 -15
data/lib/arachni/browser_cluster/job.rb +4 -0
data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +0 -9
data/lib/arachni/browser_cluster/worker.rb +8 -5
data/lib/arachni/check/auditor.rb +20 -8
data/lib/arachni/check/base.rb +38 -6
data/lib/arachni/element/base.rb +18 -1
data/lib/arachni/element/capabilities/analyzable/differential.rb +0 -1
data/lib/arachni/element/capabilities/analyzable/taint.rb +40 -10
data/lib/arachni/element/capabilities/analyzable/timeout.rb +27 -23
data/lib/arachni/element/capabilities/auditable/dom.rb +22 -0
data/lib/arachni/element/capabilities/inputtable.rb +6 -2
data/lib/arachni/element/capabilities/submittable.rb +1 -1
data/lib/arachni/element/cookie.rb +37 -23
data/lib/arachni/element/cookie/capabilities/mutable.rb +6 -6
data/lib/arachni/element/cookie/dom.rb +0 -8
data/lib/arachni/element/form.rb +28 -14
data/lib/arachni/element/form/capabilities/auditable.rb +2 -2
data/lib/arachni/element/form/capabilities/mutable.rb +5 -5
data/lib/arachni/element/form/dom.rb +0 -8
data/lib/arachni/element/generic_dom.rb +1 -1
data/lib/arachni/element/json.rb +2 -1
data/lib/arachni/element/json/capabilities/inputtable.rb +6 -6
data/lib/arachni/element/json/capabilities/mutable.rb +1 -1
data/lib/arachni/element/link.rb +13 -16
data/lib/arachni/element/link/dom.rb +1 -14
data/lib/arachni/element/link_template.rb +3 -2
data/lib/arachni/element/link_template/dom.rb +0 -16
data/lib/arachni/element/server.rb +51 -9
data/lib/arachni/element/xml.rb +1 -0
data/lib/arachni/ethon/easy.rb +4 -1
data/lib/arachni/framework/parts/audit.rb +26 -77
data/lib/arachni/framework/parts/browser.rb +50 -55
data/lib/arachni/framework/parts/check.rb +4 -3
data/lib/arachni/framework/parts/data.rb +41 -6
data/lib/arachni/framework/parts/state.rb +16 -7
data/lib/arachni/http/client.rb +66 -38
data/lib/arachni/http/client/dynamic_404_handler.rb +46 -14
data/lib/arachni/http/headers.rb +22 -10
data/lib/arachni/http/proxy_server.rb +67 -22
data/lib/arachni/http/proxy_server/ssl-interceptor-cacert.pem +34 -0
data/lib/arachni/http/proxy_server/ssl-interceptor-cakey.pem +51 -0
data/lib/arachni/http/request.rb +71 -18
data/lib/arachni/issue.rb +17 -3
data/lib/arachni/option_groups/browser_cluster.rb +34 -1
data/lib/arachni/option_groups/http.rb +1 -1
data/lib/arachni/page.rb +26 -13
data/lib/arachni/page/dom/transition.rb +2 -2
data/lib/arachni/parser.rb +28 -11
data/lib/arachni/platform/fingerprinter.rb +5 -0
data/lib/arachni/platform/manager.rb +65 -32
data/lib/arachni/plugin/base.rb +8 -0
data/lib/arachni/processes/instances.rb +25 -11
data/lib/arachni/reporter/manager.rb +2 -2
data/lib/arachni/rpc/client/instance.rb +4 -0
data/lib/arachni/rpc/server/framework/master.rb +3 -3
data/lib/arachni/rpc/server/framework/multi_instance.rb +0 -8
data/lib/arachni/rpc/server/instance.rb +2 -1
data/lib/arachni/ruby/array.rb +5 -0
data/lib/arachni/ruby/hash.rb +5 -0
data/lib/arachni/ruby/string.rb +2 -3
data/lib/arachni/session.rb +32 -6
data/lib/arachni/state/framework.rb +6 -2
data/lib/arachni/support/cache.rb +1 -0
data/lib/arachni/support/cache/base.rb +12 -8
data/lib/arachni/support/cache/least_recently_pushed.rb +29 -0
data/lib/arachni/support/cache/least_recently_used.rb +5 -8
data/lib/arachni/support/cache/preference.rb +1 -1
data/lib/arachni/support/cache/random_replacement.rb +1 -25
data/lib/arachni/support/database/queue.rb +21 -8
data/lib/arachni/support/lookup/base.rb +7 -1
data/lib/arachni/support/mixins/observable.rb +3 -1
data/lib/arachni/support/profiler.rb +51 -10
data/lib/arachni/support/signature.rb +11 -2
data/lib/arachni/trainer.rb +8 -2
data/lib/arachni/uri.rb +28 -25
data/lib/arachni/uri/scope.rb +1 -1
data/lib/arachni/utilities.rb +8 -0
data/lib/arachni/watir/element.rb +1 -1
data/lib/version +1 -1
data/spec/arachni/browser/javascript/dom_monitor_spec.rb +388 -53
data/spec/arachni/browser/javascript/taint_tracer_spec.rb +41 -0
data/spec/arachni/browser/javascript_spec.rb +235 -61
data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +0 -9
data/spec/arachni/browser_cluster_spec.rb +58 -10
data/spec/arachni/browser_spec.rb +170 -26
data/spec/arachni/check/auditor_spec.rb +22 -3
data/spec/arachni/check/base_spec.rb +84 -0
data/spec/arachni/element/body_spec.rb +1 -1
data/spec/arachni/element/capabilities/analyzable/taint_spec.rb +3 -3
data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +1 -1
data/spec/arachni/element/cookie/dom_spec.rb +0 -9
data/spec/arachni/element/cookie_spec.rb +85 -0
data/spec/arachni/element/form/dom_spec.rb +0 -9
data/spec/arachni/element/form_spec.rb +46 -3
data/spec/arachni/element/json_spec.rb +20 -0
data/spec/arachni/element/link/dom_spec.rb +0 -9
data/spec/arachni/element/link_spec.rb +40 -15
data/spec/arachni/element/link_template/dom_spec.rb +0 -8
data/spec/arachni/element/link_template_spec.rb +2 -6
data/spec/arachni/element/server_spec.rb +94 -8
data/spec/arachni/element/xml_spec.rb +20 -0
data/spec/arachni/framework/parts/audit_spec.rb +12 -14
data/spec/arachni/framework/parts/browser_spec.rb +0 -171
data/spec/arachni/framework/parts/platform_spec.rb +14 -8
data/spec/arachni/framework/parts/report_spec.rb +1 -1
data/spec/arachni/framework/parts/state_spec.rb +0 -9
data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +19 -0
data/spec/arachni/http/client_spec.rb +169 -42
data/spec/arachni/http/headers_spec.rb +18 -0
data/spec/arachni/http/request_spec.rb +23 -0
data/spec/arachni/issue_spec.rb +17 -6
data/spec/arachni/page_spec.rb +22 -2
data/spec/arachni/parser_spec.rb +5 -0
data/spec/arachni/platform/manager_spec.rb +57 -25
data/spec/arachni/reporter/manager_spec.rb +26 -0
data/spec/arachni/rpc/server/active_options_spec.rb +9 -4
data/spec/arachni/state/framework_spec.rb +2 -8
data/spec/arachni/support/cache/least_recently_pushed_spec.rb +90 -0
data/spec/arachni/support/cache/least_recently_used_spec.rb +5 -13
data/spec/arachni/support/database/queue_spec.rb +7 -0
data/spec/arachni/support/mixins/observable_spec.rb +15 -1
data/spec/arachni/trainer_spec.rb +2 -2
data/spec/components/checks/active/code_injection_timing_spec.rb +1 -1
data/spec/components/checks/active/file_inclusion_spec.rb +6 -6
data/spec/components/checks/active/path_traversal_spec.rb +2 -2
data/spec/components/checks/active/source_code_disclosure_spec.rb +2 -2
data/spec/components/checks/active/unvalidated_redirect_spec.rb +6 -6
data/spec/components/checks/active/xss_dom_inputs_spec.rb +3 -5
data/spec/components/checks/active/xss_dom_script_context_spec.rb +1 -1
data/spec/components/checks/active/xss_spec.rb +5 -5
data/spec/components/checks/passive/common_admin_interfaces_spec.rb +15 -0
data/spec/components/checks/passive/interesting_responses_spec.rb +14 -1
data/spec/components/fingerprinters/frameworks/aspx_mvc_spec.rb +31 -0
data/spec/components/fingerprinters/frameworks/cakephp_spec.rb +22 -0
data/spec/components/fingerprinters/frameworks/cherrypy_spec.rb +28 -0
data/spec/components/fingerprinters/frameworks/django_spec.rb +37 -0
data/spec/components/fingerprinters/frameworks/jsf_spec.rb +27 -0
data/spec/components/fingerprinters/frameworks/rack_spec.rb +11 -14
data/spec/components/fingerprinters/frameworks/rails_spec.rb +53 -0
data/spec/components/fingerprinters/languages/asp_spec.rb +7 -9
data/spec/components/fingerprinters/languages/aspx_spec.rb +10 -24
data/spec/components/fingerprinters/languages/java_spec.rb +88 -0
data/spec/components/fingerprinters/languages/php_spec.rb +19 -12
data/spec/components/fingerprinters/languages/python_spec.rb +22 -9
data/spec/components/fingerprinters/languages/ruby.rb +6 -4
data/spec/components/fingerprinters/os/bsd_spec.rb +6 -4
data/spec/components/fingerprinters/os/linux_spec.rb +6 -4
data/spec/components/fingerprinters/os/solaris_spec.rb +6 -4
data/spec/components/fingerprinters/os/unix_spec.rb +6 -4
data/spec/components/fingerprinters/os/windows_spec.rb +6 -4
data/spec/components/fingerprinters/servers/apache_spec.rb +15 -4
data/spec/components/fingerprinters/servers/gunicorn_spec.rb +28 -0
data/spec/components/fingerprinters/servers/iis_spec.rb +6 -6
data/spec/components/fingerprinters/servers/jetty_spec.rb +6 -6
data/spec/components/fingerprinters/servers/nginx_spec.rb +6 -4
data/spec/components/fingerprinters/servers/tomcat_spec.rb +15 -6
data/spec/components/path_extractors/data_url_spec.rb +19 -0
data/spec/components/plugins/autologin_spec.rb +23 -0
data/spec/components/plugins/login_script_spec.rb +112 -24
data/spec/components/plugins/restrict_to_dom_state_spec.rb +16 -0
data/spec/components/plugins/vector_feed_spec.rb +39 -1
data/spec/support/factories/page/dom.rb +9 -4
data/spec/support/factories/page/dom/transition.rb +31 -9
data/spec/support/factories/scan_report.rb +8 -6
data/spec/support/fixtures/empty/placeholder +0 -0
data/spec/support/fixtures/report.afr +0 -0
data/spec/support/fixtures/reporters/manager_spec/error.rb +18 -0
data/spec/support/servers/arachni/browser.rb +117 -11
data/spec/support/servers/arachni/browser/javascript/dom_monitor.rb +148 -4
data/spec/support/servers/arachni/check/auditor.rb +4 -0
data/spec/support/servers/arachni/element/cookie/cookie_dom.rb +1 -1
data/spec/support/servers/arachni/http/client.rb +5 -0
data/spec/support/servers/arachni/http/client/dynamic_404_handler.rb +13 -0
data/spec/support/servers/checks/active/code_injection_timing.rb +1 -1
data/spec/support/servers/checks/active/file_inclusion.rb +2 -2
data/spec/support/servers/checks/active/path_traversal.rb +2 -2
data/spec/support/servers/checks/active/source_code_disclosure.rb +40 -33
data/spec/support/servers/checks/active/trainer_check.rb +9 -10
data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +7 -4
data/spec/support/servers/checks/active/xss.rb +35 -0
data/spec/support/servers/checks/active/xss_dom.rb +1 -1
data/spec/support/servers/checks/active/xss_dom_inputs.rb +24 -0
data/spec/support/servers/checks/active/xss_dom_script_context.rb +1 -1
data/spec/support/servers/checks/passive/common_admin_interfaces.rb +6 -0
data/spec/support/servers/plugins/autologin.rb +9 -0
data/spec/support/servers/plugins/restrict_to_dom_state.rb +4 -0
data/spec/support/shared/element/base.rb +42 -0
data/spec/support/shared/element/capabilities/auditable.rb +4 -4
data/spec/support/shared/element/capabilities/auditable/dom.rb +26 -0
data/spec/support/shared/element/capabilities/inputtable.rb +16 -11
data/spec/support/shared/element/capabilities/submitable.rb +7 -2
data/spec/support/shared/fingerprinter.rb +8 -0
data/spec/support/shared/path_extractor.rb +1 -1
data/ui/cli/framework.rb +3 -3
data/ui/cli/framework/option_parser.rb +9 -0
data/ui/cli/output.rb +9 -0
data/ui/cli/reporter.rb +5 -2
data/ui/cli/utilities.rb +4 -2
metadata +76 -17
data/lib/arachni/http/proxy_server/ssl-interceptor-cert.pem +0 -34
data/lib/arachni/http/proxy_server/ssl-interceptor-pkey.pem +0 -51
data/spec/components/fingerprinters/languages/jsp_spec.rb +0 -56

data/lib/arachni/browser/javascript.rb CHANGED

@@ -21,6 +21,12 @@ class Javascript
     require_relative 'javascript/taint_tracer'
     require_relative 'javascript/dom_monitor'
+    CACHE = {
+        select_event_attributes: Support::Cache::LeastRecentlyPushed.new( 1_000 )
+    }
+    TOKEN = 'arachni_js_namespace'
     # @return   [String]
     #   URL to use when requesting our custom JS scripts.
     SCRIPT_BASE_URL = 'http://javascript.browser.arachni/'
@@ -33,6 +39,8 @@ class Javascript
         h.merge!( path => IO.read(path) )
     end
+    HTML_IDENTIFIERS = ['<!doctype html', '<html', '<head', '<body', '<title', '<script']
     NO_EVENTS_FOR_ELEMENTS = Set.new([
         :base, :bdo, :br, :head, :html, :iframe, :meta, :param, :script, :style,
         :title, :link
@@ -126,15 +134,29 @@ class Javascript
         GLOBAL_EVENTS | EVENTS_PER_ELEMENT.values.flatten.uniq
     end
+    def self.event_whitelist
+        @event_whitelist ||= Set.new( events.flatten.map(&:to_s) )
+    end
+    # @param    [Symbol]    element
+    #
+    # @return   [Array<Symbol>]
+    #   Events for `element`.
+    def self.events_for( element )
+        GLOBAL_EVENTS | EVENTS_PER_ELEMENT[element.to_sym]
+    end
     # @param    [Hash]  attributes
     #   Element attributes.
     #
     # @return   [Hash]
     #   `attributes` that include {.events}.
     def self.select_event_attributes( attributes = {} )
-        attributes = attributes.my_stringify
-        Hash[(self.events.flatten.map(&:to_s) & attributes.keys).
-            map { |event| [event.to_sym, attributes[event]] }]
+        CACHE[:select_event_attributes][attributes] ||=
+            attributes.inject({}) do |h, (event, handler)|
+                next h if !event_whitelist.include?( event.to_s )
+                h.merge!( event.to_sym => handler )
+            end
     end
     # @param    [Browser]   browser
@@ -169,7 +191,7 @@ class Javascript
     # @return   [String]
     #   Token used to namespace the injected JS code and avoid clashes.
     def token
-        @token ||= generate_token.to_s
+        @token ||= TOKEN
     end
     # @return   [String]
@@ -268,6 +290,8 @@ class Javascript
         dom_monitor.digest
     end
+    # @note Will not include custom events.
+    #
     # @return   [Array<Hash>]
     #   Information about all DOM elements, including any registered event listeners.
     def dom_elements_with_events
@@ -277,10 +301,15 @@ class Javascript
             next if NO_EVENTS_FOR_ELEMENTS.include? element['tag_name'].to_sym
             attributes = element['attributes']
-            element['events'] =
-                element['events'].map { |event, fn| [event.to_sym, fn] } |
-                    (self.class.events.flatten.map(&:to_s) & attributes.keys).
-                        map { |event| [event.to_sym, attributes[event]] }
+            element['events'] = (element['events'].map do |event, fn|
+                next if !(self.class.event_whitelist.include?( event ) ||
+                    self.class.event_whitelist.include?( "on#{event}" ))
+                [event.to_sym, fn]
+            end.compact)
+            element['events'] |= self.class.select_event_attributes( attributes ).to_a
             element
         end.compact
@@ -327,63 +356,162 @@ class Javascript
     # @param    [HTTP::Response]    response
     #   Installs our custom JS interfaces in the given `response`.
     #
-    # @return   [Bool]
-    #   `true` if injection was performed, `false` otherwise (in case our code
-    #   is already present).
-    #
     # @see SCRIPT_BASE_URL
     # @see SCRIPT_LIBRARY
     def inject( response )
-        return false if has_js_initializer?( response )
+        # Don't intercept our own stuff!
+        return if response.url.start_with?( SCRIPT_BASE_URL )
+        # If it's a JS file, update our JS interfaces in case it has stuff that
+        # can be tracked.
+        #
+        # This is necessary because new files can be required dynamically.
+        if javascript?( response )
+            response.body = <<-EOCODE
+                #{js_comment}
+                #{taint_tracer.stub.function( :update_tracers )};
+                #{dom_monitor.stub.function( :update_trackers )};
+                #{response.body};
+            EOCODE
+        # Already has the JS initializer, so it's an HTML response; just update
+        # taints and custom code.
+        elsif has_js_initializer?( response )
+            body = response.body.dup
+            update_taints( body )
+            update_custom_code( body )
+            response.body = body
+        elsif html?( response )
+            body = response.body.dup
+            # Perform an update before each script.
+            body.gsub!(
+                /<script.*?>/i,
+                "\\0\n
+                #{js_comment}
+                #{@taint_tracer.stub.function( :update_tracers )};
+                #{@dom_monitor.stub.function( :update_trackers )};\n\n"
+            )
+            # Perform an update after each script.
+            body.gsub!(
+                /<\/script>/i,
+                "\\0\n<script type=\"text/javascript\">" <<
+                    "#{@taint_tracer.stub.function( :update_tracers )};" <<
+                    "#{@dom_monitor.stub.function( :update_trackers )};" <<
+                    "</script> #{html_comment}\n"
+            )
+            # Include and initialize our JS interfaces.
+            response.body = <<-EOHTML
+<script src="#{script_url_for( :taint_tracer )}"></script> #{html_comment}
+<script src="#{script_url_for( :dom_monitor )}"></script> #{html_comment}
+<script>
+#{wrapped_taint_tracer_initializer}
+#{js_initialization_signal};
+#{wrapped_custom_code}
+</script> #{html_comment}
+#{body}
+            EOHTML
+        end
-        body = response.body.dup
+        response.headers['content-length'] = response.body.size
+        true
+    end
-        # Schedule a tracer update at the beginning of each script block in order
-        # to put our hooks into any newly introduced functions.
+    def javascript?( response )
+        response.headers.content_type.to_s.downcase.include?( 'javascript' )
+    end
+    def html?( response )
+        return false if response.body.empty?
+        # We only care about HTML.
+        return false if !response.headers.content_type.to_s.downcase.start_with?( 'text/html' )
+        # Let's check that the response at least looks like it contains HTML
+        # code of interest.
+        body = response.body.downcase
+        return false if !HTML_IDENTIFIERS.find { |tag| body.include? tag.downcase }
+        # The last check isn't fool-proof, so don't do it when loading the page
+        # for the first time, but only when the page loads stuff via AJAX and whatnot.
         #
-        # The fact that our update call seems to be taking place before any
-        # functions get the chance to be defined doesn't seem to matter.
-        body.gsub!(
-            /<script(.*?)>/i,
-            "\\0\n#{@taint_tracer.stub.function( :update_tracers )}; // Injected by #{self.class}\n"
-        )
+        # Well, we can be pretty sure that the root page will be HTML anyways.
+        return true if @browser.last_url == response.url
-        # Also perform an update after each script block, this is for external
-        # scripts.
-        body.gsub!(
-            /<\/script>/i,
-            "\\0\n<script type=\"text/javascript\">#{@taint_tracer.stub.function( :update_tracers )}" <<
-                "</script> <!-- Script injected by #{self.class} -->\n"
-        )
+        # Finally, verify that we're really working with markup (hopefully HTML)
+        # and that the previous checks weren't just flukes matching some other
+        # kind of document.
+        #
+        # For example, it may have been JSON with the wrong content-type that
+        # includes HTML -- it happens.
+        begin
+            return false if Nokogiri::XML( response.body ).children.empty?
+        rescue => e
+            print_debug "Does not look like HTML: #{response.url}"
+            print_debug "\n#{response.body}"
+            print_debug_exception e
+            return false
+        end
+        true
+    end
+    private
+    def js_comment
+        "// Injected by #{self.class}"
+    end
+    def html_comment
+        "<!-- Injected by #{self.class} -->"
+    end
+    def taints
         taints = [@taint]
         # Include cookie names and values in the trace so that the browser will
         # be able to infer if they're being used, to avoid unnecessary audits.
         if Options.audit.cookie_doms?
             taints |= HTTP::Client.cookies.map { |c| c.inputs.to_a }.flatten
         end
-        taints = taints.flatten.reject { |v| v.to_s.empty? }
-        response.body = <<-EOHTML
-            <script src="#{script_url_for( :taint_tracer )}"></script> <!-- Script injected by #{self.class} -->
-            <script> #{@taint_tracer.stub.function( :initialize, taints )} </script> <!-- Script injected by #{self.class} -->
-            <script src="#{script_url_for( :dom_monitor )}"></script> <!-- Script injected by #{self.class} -->
-            <script>
-                #{@dom_monitor.stub.function( :initialize )};
-                #{js_initialization_signal};
+        taints.flatten.reject { |v| v.to_s.empty? }
+    end
-                #{custom_code}
-            </script> <!-- Script injected by #{self.class} -->
+    def update_taints( body )
+        body.gsub!(
+            /\/\* #{token}_initialize_start \*\/(.*)\/\* #{token}_initialize_stop \*\//,
+            wrapped_taint_tracer_initializer
+        )
+    end
-            #{body}
-        EOHTML
+    def update_custom_code( body )
+        body.gsub!(
+            /\/\* #{token}_code_start \*\/(.*)\/\* #{token}_code_stop \*\//,
+            wrapped_custom_code
+        )
+    end
-        response.headers['content-length'] = response.body.bytesize
-        true
+    def wrapped_taint_tracer_initializer
+        "/* #{token}_initialize_start */" <<
+            "#{@taint_tracer.stub.function( :initialize, taints )}" <<
+            "/* #{token}_initialize_stop */"
     end
-    private
+    def wrapped_custom_code
+        "/* #{token}_code_start */#{custom_code}/* #{token}_code_stop */"
+    end
     def js_initialization_signal
         "window._#{token} = true"

data/lib/arachni/browser/javascript/scripts/dom_monitor.js CHANGED

@@ -37,6 +37,10 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
         _tokenDOMMonitor.initialized = true
     },
+    update_trackers: function () {
+        _tokenDOMMonitor.track_jQuery_delegated_events();
+    },
     // Returns information about all DOM elements, their attributes and registered
     // events.
     elements_with_events: function () {
@@ -50,9 +54,11 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
             // Skip invisible elements.
             if( element.offsetWidth <= 0 && element.offsetHeight <= 0 ) continue;
+            _tokenDOMMonitor.apply_jQuery_delegated_events( element );
             var e = {
                 tag_name:   element.tagName.toLowerCase(),
-                events:     element.events || [],
+                events:     element._arachni_events || [],
                 attributes: {}
             };
@@ -122,6 +128,54 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
         };
     },
+    track_jQuery_delegated_events: function () {
+        if( _tokenDOMMonitor.tracked_jQuery_delegated_events || !window.jQuery ) return;
+        _tokenDOMMonitor.tracked_jQuery_delegated_events = true;
+        var original = window.jQuery.fn.on;
+        // We only care for calls with selectors, as any other will attach the
+        // events to the DOM element immediately and thus be captured by the
+        // addEventListener tracker.
+        window.jQuery.fn.on = function ( types, selector, data, fn, one ) {
+            // Types can be a map of types/handlers, in that case just run
+            // the original as it'll act recursively and pass itself (which is
+            // this override, really) each type.
+            if ( typeof types === "object" ) {
+                return original.apply( this, [].slice.call( arguments ) );
+            }
+            if ( data == null && fn == null ) {
+                // ( types, fn ) -- no selector, bail out.
+                return original.apply( this, [].slice.call( arguments ) );
+            } else if ( fn == null ) {
+                if ( typeof selector === "string" ) {
+                    // ( types, selector, fn ) -- with selector, proceed.
+                    fn = data;
+                } else {
+                    // ( types, data, fn ) -- no selector, bail out.
+                    return original.apply( this, [].slice.call( arguments ) );
+                }
+            }
+            if( selector ) {
+                this.each( function( i, e ){
+                    e['_arachni_jquery_delegated_event'] =
+                        e['_arachni_jquery_delegated_event'] || [];
+                    e['_arachni_jquery_delegated_event'].push({
+                        selector: selector,
+                        event:    types,
+                        handler:  fn
+                    });
+                });
+            }
+            return original.apply( this, [].slice.call( arguments ) );
+        };
+    },
     // Overrides window.addEventListener and Node.prototype.addEventListener
     // to intercept event binds so that we can keep track of them in order to
     // optimize DOM analysis.
@@ -129,7 +183,7 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
         // Override window.addEventListener
         var original_Window_addEventListener = window.addEventListener;
-        window.addEventListener = function _window_addEventListener( event, listener, useCapture ) {
+        window.addEventListener = function ( event, listener, useCapture ) {
             _tokenDOMMonitor.registerEvent( window, event, listener );
             original_Window_addEventListener.apply( window, [].slice.call( arguments ) );
         };
@@ -137,16 +191,35 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
         // Override Node.prototype.addEventListener
         var original_Node_addEventListener = Node.prototype.addEventListener;
-        Node.prototype.addEventListener = function _Node_addEventListener( event, listener, useCapture ) {
+        Node.prototype.addEventListener = function ( event, listener, useCapture ) {
             _tokenDOMMonitor.registerEvent( this, event, listener );
             original_Node_addEventListener.apply( this, [].slice.call( arguments ) );
         };
     },
+    apply_jQuery_delegated_events: function ( element ){
+        if( !element['_arachni_jquery_delegated_event'] ) return;
+        var event_data     = element['_arachni_jquery_delegated_event'];
+        var jquery_element = jQuery( element );
+        for( var i = 0; i < event_data.length; i++ ) {
+            var data = event_data[i];
+            jquery_element.find( data.selector ).each( function ( j, child ){
+                _tokenDOMMonitor.registerEvent( child, data.event, data.handler );
+            });
+        }
+        element['_arachni_jquery_delegated_event'] = undefined;
+    },
     // Registers an event and its handler for the given element.
     registerEvent: function ( element, event, handler ) {
-        if( !('events' in element) ) element['events'] = [];
-        element['events'].push( [event, handler] );
+        if( !('_arachni_events' in element) ) element['_arachni_events'] = [];
+        // Custom events are usually in the form of "click.delegateEventsview13".
+        element['_arachni_events'].push( [event.split( '.' )[0], handler] );
     },
     // Sets a unique enough custom ID attribute to elements that lack proper IDs.
@@ -169,7 +242,7 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
             if( element.offsetWidth <= 0 && element.offsetHeight <= 0 ) continue;
             // We don't care about elements without events.
-            if( !element.events || element.events.length == 0 ) continue;
+            if( !element._arachni_events || element._arachni_events.length == 0 ) continue;
             element.setAttribute( 'data-arachni-id', _tokenDOMMonitor.hashCode( element.innerHTML ) );
         }
@@ -188,3 +261,5 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
         return hash;
     }
 };
+_tokenDOMMonitor.initialize();

data/lib/arachni/browser/javascript/scripts/taint_tracer.js CHANGED

@@ -23,6 +23,8 @@ var _tokenTaintTracer = _tokenTaintTracer || {
     // Allows the 'debug' function to operate.
     enable_debugging:     true,
+    max_sinks:            50,
     // Hold debugging information, usually pushed by the 'debug' function.
     debugging_data:       [],
@@ -33,8 +35,14 @@ var _tokenTaintTracer = _tokenTaintTracer || {
     // taints as keys and traces as values.
     data_flow_sinks:      {},
+    ignore:               {
+        '':       true,
+        'lodash': true
+    },
     // Keeps track of which functions have had tracers installed.
-    traced:               {},
+    traced:               {
+    },
     // Original functions, without tracers. We don't want to trigger traced
     // functions to provide functionality to this object.
@@ -198,14 +206,32 @@ var _tokenTaintTracer = _tokenTaintTracer || {
         _tokenTaintTracer.data_flow_sinks[taint].push({
             data:  frame_data,
             trace: _tokenTaintTracer.trace()
-        })
+        });
+        if( _tokenTaintTracer.data_flow_sinks[taint].length > _tokenTaintTracer.max_sinks ) {
+            _tokenTaintTracer.data_flow_sinks[taint] =
+                _tokenTaintTracer.data_flow_sinks[taint].slice(
+                    _tokenTaintTracer.data_flow_sinks[taint].length -
+                        _tokenTaintTracer.max_sinks,
+                    _tokenTaintTracer.data_flow_sinks[taint].length
+                )
+        }
     },
     log_execution_flow_sink: function (){
         _tokenTaintTracer.execution_flow_sinks.push({
             data:  arguments,
             trace: _tokenTaintTracer.trace()
-        })
+        });
+        if( _tokenTaintTracer.execution_flow_sinks.length > _tokenTaintTracer.max_sinks ) {
+            _tokenTaintTracer.execution_flow_sinks =
+                _tokenTaintTracer.execution_flow_sinks.slice(
+                        _tokenTaintTracer.execution_flow_sinks.length -
+                        _tokenTaintTracer.max_sinks,
+                    _tokenTaintTracer.execution_flow_sinks.length
+                )
+        }
     },
     flush_execution_flow_sinks: function (){
@@ -435,6 +461,8 @@ var _tokenTaintTracer = _tokenTaintTracer || {
             if( Object.prototype.toString.call(potentialFunction) !== '[object Function]' )
                 continue;
+            if( _tokenTaintTracer.ignore[potentialFunction.name] ) continue;
             var namespace_function_name = Object.prototype.toString.call(namespace) +
                 '-' + potentialFunction.name;
             if( _tokenTaintTracer.traced[namespace_function_name] ) continue;