RubyGems - arachni - Versions diffs - 1.1 → 1.2 - Mend

arachni 1.1 → 1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (287) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +159 -0
data/LICENSE.md +126 -196
data/README.md +32 -24
data/arachni.gemspec +7 -7
data/components/checks/active/code_injection_timing.rb +3 -3
data/components/checks/active/csrf.rb +2 -2
data/components/checks/active/file_inclusion.rb +6 -7
data/components/checks/active/os_cmd_injection.rb +3 -3
data/components/checks/active/path_traversal.rb +7 -7
data/components/checks/active/response_splitting.rb +9 -4
data/components/checks/active/session_fixation.rb +7 -3
data/components/checks/active/source_code_disclosure.rb +5 -5
data/components/checks/active/unvalidated_redirect.rb +12 -3
data/components/checks/active/unvalidated_redirect_dom.rb +3 -3
data/components/checks/active/xss.rb +23 -10
data/components/checks/active/xss_dom_inputs.rb +113 -11
data/components/checks/active/xxe.rb +3 -3
data/components/checks/passive/backdoors.rb +6 -5
data/components/checks/passive/backup_directories.rb +6 -6
data/components/checks/passive/backup_files.rb +6 -6
data/components/checks/passive/common_admin_interfaces.rb +58 -0
data/components/checks/passive/common_admin_interfaces/admin-panels.txt +49 -0
data/components/checks/passive/common_directories/directories.txt +0 -16
data/components/checks/passive/common_files.rb +6 -5
data/components/checks/passive/common_files/filenames.txt +0 -2
data/components/checks/passive/directory_listing.rb +6 -6
data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +3 -3
data/components/checks/passive/grep/hsts.rb +6 -3
data/components/checks/passive/grep/http_only_cookies.rb +3 -3
data/components/checks/passive/grep/insecure_cookies.rb +2 -2
data/components/checks/passive/grep/insecure_cors_policy.rb +6 -4
data/components/checks/passive/grep/x_frame_options.rb +6 -4
data/components/checks/passive/htaccess_limit.rb +6 -2
data/components/checks/passive/http_put.rb +8 -4
data/components/checks/passive/interesting_responses.rb +3 -2
data/components/checks/passive/localstart_asp.rb +6 -2
data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +5 -1
data/components/checks/passive/xst.rb +6 -2
data/components/fingerprinters/frameworks/aspx_mvc.rb +43 -0
data/components/fingerprinters/frameworks/cakephp.rb +28 -0
data/components/fingerprinters/frameworks/cherrypy.rb +31 -0
data/components/fingerprinters/frameworks/django.rb +33 -0
data/components/fingerprinters/frameworks/jsf.rb +30 -0
data/components/fingerprinters/frameworks/rack.rb +5 -7
data/components/fingerprinters/frameworks/rails.rb +43 -0
data/components/fingerprinters/languages/aspx.rb +11 -11
data/components/fingerprinters/languages/{jsp.rb → java.rb} +11 -7
data/components/fingerprinters/languages/php.rb +6 -6
data/components/fingerprinters/languages/python.rb +14 -6
data/components/fingerprinters/languages/ruby.rb +3 -5
data/components/fingerprinters/servers/apache.rb +5 -4
data/components/fingerprinters/servers/gunicorn.rb +33 -0
data/components/fingerprinters/servers/jetty.rb +1 -1
data/components/fingerprinters/servers/tomcat.rb +11 -4
data/components/path_extractors/anchors.rb +5 -12
data/components/path_extractors/areas.rb +5 -13
data/components/path_extractors/comments.rb +5 -3
data/components/path_extractors/data_url.rb +21 -0
data/components/path_extractors/forms.rb +5 -13
data/components/path_extractors/frames.rb +6 -13
data/components/path_extractors/generic.rb +3 -12
data/components/path_extractors/links.rb +5 -13
data/components/path_extractors/meta_refresh.rb +5 -13
data/components/path_extractors/scripts.rb +8 -14
data/components/plugins/autologin.rb +17 -5
data/components/plugins/defaults/meta/remedies/discovery.rb +11 -29
data/components/plugins/login_script.rb +40 -10
data/components/plugins/metrics.rb +235 -0
data/components/plugins/proxy.rb +21 -4
data/components/plugins/proxy/panel/page_accordion.html.erb +34 -2
data/components/plugins/restrict_to_dom_state.rb +70 -0
data/components/plugins/vector_feed.rb +38 -9
data/components/reporters/plugin_formatters/html/metrics.rb +290 -0
data/components/reporters/plugin_formatters/stdout/metrics.rb +80 -0
data/components/reporters/plugin_formatters/xml/metrics.rb +29 -0
data/components/reporters/stdout.rb +4 -2
data/components/reporters/xml.rb +4 -4
data/components/reporters/xml/schema.xsd +95 -0
data/lib/arachni.rb +2 -0
data/lib/arachni/browser.rb +132 -77
data/lib/arachni/browser/javascript.rb +173 -45
data/lib/arachni/browser/javascript/scripts/dom_monitor.js +81 -6
data/lib/arachni/browser/javascript/scripts/taint_tracer.js +31 -3
data/lib/arachni/browser_cluster.rb +41 -15
data/lib/arachni/browser_cluster/job.rb +4 -0
data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +0 -9
data/lib/arachni/browser_cluster/worker.rb +8 -5
data/lib/arachni/check/auditor.rb +20 -8
data/lib/arachni/check/base.rb +38 -6
data/lib/arachni/element/base.rb +18 -1
data/lib/arachni/element/capabilities/analyzable/differential.rb +0 -1
data/lib/arachni/element/capabilities/analyzable/taint.rb +40 -10
data/lib/arachni/element/capabilities/analyzable/timeout.rb +27 -23
data/lib/arachni/element/capabilities/auditable/dom.rb +22 -0
data/lib/arachni/element/capabilities/inputtable.rb +6 -2
data/lib/arachni/element/capabilities/submittable.rb +1 -1
data/lib/arachni/element/cookie.rb +37 -23
data/lib/arachni/element/cookie/capabilities/mutable.rb +6 -6
data/lib/arachni/element/cookie/dom.rb +0 -8
data/lib/arachni/element/form.rb +28 -14
data/lib/arachni/element/form/capabilities/auditable.rb +2 -2
data/lib/arachni/element/form/capabilities/mutable.rb +5 -5
data/lib/arachni/element/form/dom.rb +0 -8
data/lib/arachni/element/generic_dom.rb +1 -1
data/lib/arachni/element/json.rb +2 -1
data/lib/arachni/element/json/capabilities/inputtable.rb +6 -6
data/lib/arachni/element/json/capabilities/mutable.rb +1 -1
data/lib/arachni/element/link.rb +13 -16
data/lib/arachni/element/link/dom.rb +1 -14
data/lib/arachni/element/link_template.rb +3 -2
data/lib/arachni/element/link_template/dom.rb +0 -16
data/lib/arachni/element/server.rb +51 -9
data/lib/arachni/element/xml.rb +1 -0
data/lib/arachni/ethon/easy.rb +4 -1
data/lib/arachni/framework/parts/audit.rb +26 -77
data/lib/arachni/framework/parts/browser.rb +50 -55
data/lib/arachni/framework/parts/check.rb +4 -3
data/lib/arachni/framework/parts/data.rb +41 -6
data/lib/arachni/framework/parts/state.rb +16 -7
data/lib/arachni/http/client.rb +66 -38
data/lib/arachni/http/client/dynamic_404_handler.rb +46 -14
data/lib/arachni/http/headers.rb +22 -10
data/lib/arachni/http/proxy_server.rb +67 -22
data/lib/arachni/http/proxy_server/ssl-interceptor-cacert.pem +34 -0
data/lib/arachni/http/proxy_server/ssl-interceptor-cakey.pem +51 -0
data/lib/arachni/http/request.rb +71 -18
data/lib/arachni/issue.rb +17 -3
data/lib/arachni/option_groups/browser_cluster.rb +34 -1
data/lib/arachni/option_groups/http.rb +1 -1
data/lib/arachni/page.rb +26 -13
data/lib/arachni/page/dom/transition.rb +2 -2
data/lib/arachni/parser.rb +28 -11
data/lib/arachni/platform/fingerprinter.rb +5 -0
data/lib/arachni/platform/manager.rb +65 -32
data/lib/arachni/plugin/base.rb +8 -0
data/lib/arachni/processes/instances.rb +25 -11
data/lib/arachni/reporter/manager.rb +2 -2
data/lib/arachni/rpc/client/instance.rb +4 -0
data/lib/arachni/rpc/server/framework/master.rb +3 -3
data/lib/arachni/rpc/server/framework/multi_instance.rb +0 -8
data/lib/arachni/rpc/server/instance.rb +2 -1
data/lib/arachni/ruby/array.rb +5 -0
data/lib/arachni/ruby/hash.rb +5 -0
data/lib/arachni/ruby/string.rb +2 -3
data/lib/arachni/session.rb +32 -6
data/lib/arachni/state/framework.rb +6 -2
data/lib/arachni/support/cache.rb +1 -0
data/lib/arachni/support/cache/base.rb +12 -8
data/lib/arachni/support/cache/least_recently_pushed.rb +29 -0
data/lib/arachni/support/cache/least_recently_used.rb +5 -8
data/lib/arachni/support/cache/preference.rb +1 -1
data/lib/arachni/support/cache/random_replacement.rb +1 -25
data/lib/arachni/support/database/queue.rb +21 -8
data/lib/arachni/support/lookup/base.rb +7 -1
data/lib/arachni/support/mixins/observable.rb +3 -1
data/lib/arachni/support/profiler.rb +51 -10
data/lib/arachni/support/signature.rb +11 -2
data/lib/arachni/trainer.rb +8 -2
data/lib/arachni/uri.rb +28 -25
data/lib/arachni/uri/scope.rb +1 -1
data/lib/arachni/utilities.rb +8 -0
data/lib/arachni/watir/element.rb +1 -1
data/lib/version +1 -1
data/spec/arachni/browser/javascript/dom_monitor_spec.rb +388 -53
data/spec/arachni/browser/javascript/taint_tracer_spec.rb +41 -0
data/spec/arachni/browser/javascript_spec.rb +235 -61
data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +0 -9
data/spec/arachni/browser_cluster_spec.rb +58 -10
data/spec/arachni/browser_spec.rb +170 -26
data/spec/arachni/check/auditor_spec.rb +22 -3
data/spec/arachni/check/base_spec.rb +84 -0
data/spec/arachni/element/body_spec.rb +1 -1
data/spec/arachni/element/capabilities/analyzable/taint_spec.rb +3 -3
data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +1 -1
data/spec/arachni/element/cookie/dom_spec.rb +0 -9
data/spec/arachni/element/cookie_spec.rb +85 -0
data/spec/arachni/element/form/dom_spec.rb +0 -9
data/spec/arachni/element/form_spec.rb +46 -3
data/spec/arachni/element/json_spec.rb +20 -0
data/spec/arachni/element/link/dom_spec.rb +0 -9
data/spec/arachni/element/link_spec.rb +40 -15
data/spec/arachni/element/link_template/dom_spec.rb +0 -8
data/spec/arachni/element/link_template_spec.rb +2 -6
data/spec/arachni/element/server_spec.rb +94 -8
data/spec/arachni/element/xml_spec.rb +20 -0
data/spec/arachni/framework/parts/audit_spec.rb +12 -14
data/spec/arachni/framework/parts/browser_spec.rb +0 -171
data/spec/arachni/framework/parts/platform_spec.rb +14 -8
data/spec/arachni/framework/parts/report_spec.rb +1 -1
data/spec/arachni/framework/parts/state_spec.rb +0 -9
data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +19 -0
data/spec/arachni/http/client_spec.rb +169 -42
data/spec/arachni/http/headers_spec.rb +18 -0
data/spec/arachni/http/request_spec.rb +23 -0
data/spec/arachni/issue_spec.rb +17 -6
data/spec/arachni/page_spec.rb +22 -2
data/spec/arachni/parser_spec.rb +5 -0
data/spec/arachni/platform/manager_spec.rb +57 -25
data/spec/arachni/reporter/manager_spec.rb +26 -0
data/spec/arachni/rpc/server/active_options_spec.rb +9 -4
data/spec/arachni/state/framework_spec.rb +2 -8
data/spec/arachni/support/cache/least_recently_pushed_spec.rb +90 -0
data/spec/arachni/support/cache/least_recently_used_spec.rb +5 -13
data/spec/arachni/support/database/queue_spec.rb +7 -0
data/spec/arachni/support/mixins/observable_spec.rb +15 -1
data/spec/arachni/trainer_spec.rb +2 -2
data/spec/components/checks/active/code_injection_timing_spec.rb +1 -1
data/spec/components/checks/active/file_inclusion_spec.rb +6 -6
data/spec/components/checks/active/path_traversal_spec.rb +2 -2
data/spec/components/checks/active/source_code_disclosure_spec.rb +2 -2
data/spec/components/checks/active/unvalidated_redirect_spec.rb +6 -6
data/spec/components/checks/active/xss_dom_inputs_spec.rb +3 -5
data/spec/components/checks/active/xss_dom_script_context_spec.rb +1 -1
data/spec/components/checks/active/xss_spec.rb +5 -5
data/spec/components/checks/passive/common_admin_interfaces_spec.rb +15 -0
data/spec/components/checks/passive/interesting_responses_spec.rb +14 -1
data/spec/components/fingerprinters/frameworks/aspx_mvc_spec.rb +31 -0
data/spec/components/fingerprinters/frameworks/cakephp_spec.rb +22 -0
data/spec/components/fingerprinters/frameworks/cherrypy_spec.rb +28 -0
data/spec/components/fingerprinters/frameworks/django_spec.rb +37 -0
data/spec/components/fingerprinters/frameworks/jsf_spec.rb +27 -0
data/spec/components/fingerprinters/frameworks/rack_spec.rb +11 -14
data/spec/components/fingerprinters/frameworks/rails_spec.rb +53 -0
data/spec/components/fingerprinters/languages/asp_spec.rb +7 -9
data/spec/components/fingerprinters/languages/aspx_spec.rb +10 -24
data/spec/components/fingerprinters/languages/java_spec.rb +88 -0
data/spec/components/fingerprinters/languages/php_spec.rb +19 -12
data/spec/components/fingerprinters/languages/python_spec.rb +22 -9
data/spec/components/fingerprinters/languages/ruby.rb +6 -4
data/spec/components/fingerprinters/os/bsd_spec.rb +6 -4
data/spec/components/fingerprinters/os/linux_spec.rb +6 -4
data/spec/components/fingerprinters/os/solaris_spec.rb +6 -4
data/spec/components/fingerprinters/os/unix_spec.rb +6 -4
data/spec/components/fingerprinters/os/windows_spec.rb +6 -4
data/spec/components/fingerprinters/servers/apache_spec.rb +15 -4
data/spec/components/fingerprinters/servers/gunicorn_spec.rb +28 -0
data/spec/components/fingerprinters/servers/iis_spec.rb +6 -6
data/spec/components/fingerprinters/servers/jetty_spec.rb +6 -6
data/spec/components/fingerprinters/servers/nginx_spec.rb +6 -4
data/spec/components/fingerprinters/servers/tomcat_spec.rb +15 -6
data/spec/components/path_extractors/data_url_spec.rb +19 -0
data/spec/components/plugins/autologin_spec.rb +23 -0
data/spec/components/plugins/login_script_spec.rb +112 -24
data/spec/components/plugins/restrict_to_dom_state_spec.rb +16 -0
data/spec/components/plugins/vector_feed_spec.rb +39 -1
data/spec/support/factories/page/dom.rb +9 -4
data/spec/support/factories/page/dom/transition.rb +31 -9
data/spec/support/factories/scan_report.rb +8 -6
data/spec/support/fixtures/empty/placeholder +0 -0
data/spec/support/fixtures/report.afr +0 -0
data/spec/support/fixtures/reporters/manager_spec/error.rb +18 -0
data/spec/support/servers/arachni/browser.rb +117 -11
data/spec/support/servers/arachni/browser/javascript/dom_monitor.rb +148 -4
data/spec/support/servers/arachni/check/auditor.rb +4 -0
data/spec/support/servers/arachni/element/cookie/cookie_dom.rb +1 -1
data/spec/support/servers/arachni/http/client.rb +5 -0
data/spec/support/servers/arachni/http/client/dynamic_404_handler.rb +13 -0
data/spec/support/servers/checks/active/code_injection_timing.rb +1 -1
data/spec/support/servers/checks/active/file_inclusion.rb +2 -2
data/spec/support/servers/checks/active/path_traversal.rb +2 -2
data/spec/support/servers/checks/active/source_code_disclosure.rb +40 -33
data/spec/support/servers/checks/active/trainer_check.rb +9 -10
data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +7 -4
data/spec/support/servers/checks/active/xss.rb +35 -0
data/spec/support/servers/checks/active/xss_dom.rb +1 -1
data/spec/support/servers/checks/active/xss_dom_inputs.rb +24 -0
data/spec/support/servers/checks/active/xss_dom_script_context.rb +1 -1
data/spec/support/servers/checks/passive/common_admin_interfaces.rb +6 -0
data/spec/support/servers/plugins/autologin.rb +9 -0
data/spec/support/servers/plugins/restrict_to_dom_state.rb +4 -0
data/spec/support/shared/element/base.rb +42 -0
data/spec/support/shared/element/capabilities/auditable.rb +4 -4
data/spec/support/shared/element/capabilities/auditable/dom.rb +26 -0
data/spec/support/shared/element/capabilities/inputtable.rb +16 -11
data/spec/support/shared/element/capabilities/submitable.rb +7 -2
data/spec/support/shared/fingerprinter.rb +8 -0
data/spec/support/shared/path_extractor.rb +1 -1
data/ui/cli/framework.rb +3 -3
data/ui/cli/framework/option_parser.rb +9 -0
data/ui/cli/output.rb +9 -0
data/ui/cli/reporter.rb +5 -2
data/ui/cli/utilities.rb +4 -2
metadata +76 -17
data/lib/arachni/http/proxy_server/ssl-interceptor-cert.pem +0 -34
data/lib/arachni/http/proxy_server/ssl-interceptor-pkey.pem +0 -51
data/spec/components/fingerprinters/languages/jsp_spec.rb +0 -56

data/spec/arachni/browser_spec.rb CHANGED

@@ -42,6 +42,10 @@ describe Arachni::Browser do
         Typhoeus::Request.get( "#{@url}/hit-count" ).body.to_i
     end
+    def image_hit_count
+        Typhoeus::Request.get( "#{@url}/image-hit-count" ).body.to_i
+    end
     def clear_hit_count
         Typhoeus::Request.get( "#{@url}/clear-hit-count" )
     end
@@ -1011,7 +1015,7 @@ describe Arachni::Browser do
             @browser.load( @url )
             @browser.to_page.dom.instance_variable_get(:@digest).should ==
                 '<HTML><HEAD><SCRIPT src=http://javascript.browser.arachni/' <<
-                    'taint_tracer.js><SCRIPT><SCRIPT src=http://javascript.' <<
+                    'taint_tracer.js><SCRIPT src=http://javascript.' <<
                     'browser.arachni/dom_monitor.js><SCRIPT><TITLE><BODY><' <<
                     'DIV><SCRIPT type=text/javascript><SCRIPT type=text/javascript>'
         end
@@ -1871,6 +1875,104 @@ describe Arachni::Browser do
             @browser.source.should include( ua )
         end
+        it 'puts the domain in the asset domains list' do
+            subject.goto @url
+            described_class.asset_domains.should include Arachni::URI( @url ).domain
+        end
+        context 'when requesting the page URL' do
+            it 'does not send If-None-Match request headers' do
+                subject.goto "#{@url}/If-None-Match"
+                subject.response.code.should == 200
+                subject.response.request.headers.should_not include 'If-None-Match'
+                subject.goto "#{@url}/If-None-Match"
+                subject.response.code.should == 200
+                subject.response.request.headers.should_not include 'If-None-Match'
+            end
+            it 'does not send If-Modified-Since request headers' do
+                subject.goto "#{@url}/If-Modified-Since"
+                subject.response.code.should == 200
+                subject.response.request.headers.should_not include 'If-Modified-Since'
+                subject.goto "#{@url}/If-Modified-Since"
+                subject.response.code.should == 200
+                subject.response.request.headers.should_not include 'If-Modified-Since'
+            end
+        end
+        context 'when requesting something other than the page URL' do
+            it 'sends If-None-Match request headers' do
+                url = "#{@url}If-None-Match"
+                response = nil
+                subject.on_response do |r|
+                    next if r.url == url
+                    response = r
+                end
+                subject.goto url
+                response.request.headers.should_not include 'If-None-Match'
+                subject.goto url
+                response.request.headers.should include 'If-None-Match'
+            end
+            it 'sends If-Modified-Since request headers' do
+                url = "#{@url}If-Modified-Since"
+                response = nil
+                subject.on_response do |r|
+                    next if r.url == url
+                    response = r
+                end
+                subject.goto url
+                response.request.headers.should_not include 'If-Modified-Since'
+                subject.goto url
+                response.request.headers.should include 'If-Modified-Since'
+            end
+        end
+        context 'when the page requires an asset' do
+            before do
+                described_class.asset_domains.clear
+                subject.goto url
+            end
+            let(:url) { "#{@url}/asset_domains" }
+            %w(link input script img).each do |type|
+                context 'via link' do
+                    let(:url) { "#{super()}/#{type}" }
+                    it 'whitelists it' do
+                        described_class.asset_domains.should include "#{type}.stuff"
+                    end
+                end
+            end
+            context 'with an extension of' do
+                described_class::ASSET_EXTENSIONS.each do |extension|
+                    context extension do
+                        it 'loads it'
+                    end
+                end
+            end
+            context 'without an extension' do
+                context 'and has been whitelisted' do
+                    it 'loads it'
+                end
+                context 'and has not been whitelisted' do
+                    it 'does not load it'
+                end
+            end
+        end
         context 'when the page has JS timeouts' do
             it 'waits for them to complete' do
                 time = Time.now
@@ -1906,38 +2008,70 @@ describe Arachni::Browser do
             end
         end
+        context "with #{Arachni::OptionGroups::BrowserCluster}#wait_for_elements" do
+            before do
+                Arachni::Options.browser_cluster.wait_for_elements = {
+                    'stuff' => '#matchThis'
+                }
+            end
+            context 'when the URL matches a pattern' do
+                it 'waits for the element matching the CSS to appear' do
+                    t = Time.now
+                    @browser.goto( @url + '/wait_for_elements#stuff/here' )
+                    (Time.now - t).should > 5
+                    @browser.watir.element( css: '#matchThis' ).tag_name.should == 'button'
+                end
+                it "waits a maximum of #{Arachni::OptionGroups::BrowserCluster}#job_timeout" do
+                    Arachni::Options.browser_cluster.job_timeout = 4
+                    t = Time.now
+                    @browser.goto( @url + '/wait_for_elements#stuff/here' )
+                    (Time.now - t).should < 5
+                    expect do
+                        @browser.watir.element( css: '#matchThis' ).tag_name
+                    end.to raise_error Watir::Exception::UnknownObjectException
+                end
+            end
+            context 'when the URL does not match any patterns' do
+                it 'does not wait' do
+                    t = Time.now
+                    @browser.goto( @url + '/wait_for_elements' )
+                    (Time.now - t).should < 5
+                    expect do
+                        @browser.watir.element( css: '#matchThis' ).tag_name
+                    end.to raise_error Watir::Exception::UnknownObjectException
+                end
+            end
+        end
         context "#{Arachni::OptionGroups::BrowserCluster}#ignore_images" do
             context true do
                 it 'does not load images' do
                     Arachni::Options.browser_cluster.ignore_images = true
                     @browser.shutdown
-                    @browser = described_class.new
-                    loaded_image = false
-                    @browser.on_response do |response|
-                        loaded_image ||= (response.parsed_url.resource_extension == 'png')
-                    end
+                    @browser = described_class.new( disk_cache: false )
                     @browser.load( "#{@url}form-with-image-button" )
-                    loaded_image.should be_false
+                    image_hit_count.should == 0
                 end
             end
             context false do
-                it 'does not load images' do
+                it 'loads images' do
                     Arachni::Options.browser_cluster.ignore_images = false
                     @browser.shutdown
-                    @browser = described_class.new
-                    loaded_image = false
-                    @browser.on_response do |response|
-                        loaded_image ||= (response.parsed_url.resource_extension == 'png')
-                    end
+                    @browser = described_class.new( disk_cache: false )
                     @browser.load( "#{@url}form-with-image-button" )
-                    loaded_image.should be_true
+                    image_hit_count.should == 1
                 end
             end
         end
@@ -1986,21 +2120,20 @@ describe Arachni::Browser do
                 transition.options[:cookies].should == cookie
             end
-        context 'when auditing existing cookies' do
-            it 'preserves the HttpOnly attribute' do
-                @browser.goto( @url )
-                @browser.cookies.size.should == 1
+            context 'when auditing existing cookies' do
+                it 'preserves the HttpOnly attribute' do
+                    @browser.goto( @url )
+                    @browser.cookies.size.should == 1
-                cookies = { @browser.cookies.first.name => 'updated' }
-                @browser.goto( @url, cookies: cookies )
+                    cookies = { @browser.cookies.first.name => 'updated' }
+                    @browser.goto( @url, cookies: cookies )
-                @browser.cookies.first.value == 'updated'
-                @browser.cookies.first.should be_http_only
+                    @browser.cookies.first.value == 'updated'
+                    @browser.cookies.first.should be_http_only
+                end
             end
         end
-        end
         describe :take_snapshot do
             describe true do
                 it 'captures a snapshot of the loaded page' do
@@ -2512,6 +2645,17 @@ describe Arachni::Browser do
             @browser.cookies.first.should be_http_only
         end
+        context 'when parsing v1 cookies' do
+            it 'removes the quotes' do
+                cookie = 'rsession="06142010_0%3Ae275d357943e9a2de0"'
+                @browser.load @url
+                @browser.javascript.run( "document.cookie = '#{cookie}';" )
+                @browser.cookies.first.value.should == '06142010_0:e275d357943e9a2de0'
+            end
+        end
         context 'when no page is available' do
             it 'returns an empty Array' do
                 @browser.cookies.should be_empty

data/spec/arachni/check/auditor_spec.rb CHANGED

@@ -202,10 +202,13 @@ describe Arachni::Check::Auditor do
         element_classes.each do |element|
             context "when #{Arachni::OptionGroups::Audit}##{element.type.to_s.gsub( '_dom', '')}? is" do
                 let(:page) do
-                    Arachni::Page.from_data(
+                    p = Arachni::Page.from_data(
                         url: url,
                         "#{element.type}s".gsub( '_dom', '').to_sym => [Factory[element.type]]
                     )
+                    p.dom.stub(:depth) { 1 }
+                    p.stub(:has_script?) { true }
+                    p
                 end
                 before(:each) { auditor.class.info[:elements] = [element] }
@@ -226,6 +229,22 @@ describe Arachni::Check::Auditor do
                             if element == Arachni::Element::Form::DOM ||
                                 element == Arachni::Element::Cookie::DOM
+                                context 'and Page::DOM#depth is' do
+                                    context '0' do
+                                        it 'returns false' do
+                                            page.dom.stub(:depth) { 0 }
+                                            auditor.class.check?( page ).should be_false
+                                        end
+                                    end
+                                    context '> 0' do
+                                        it 'returns true' do
+                                            page.dom.stub(:depth) { 1 }
+                                            auditor.class.check?( page ).should be_true
+                                        end
+                                    end
+                                end
                                 context 'and Page#has_script? is' do
                                     context true do
                                         it 'returns true' do
@@ -587,13 +606,13 @@ describe Arachni::Check::Auditor do
             logged_issue = Arachni::Data.issues.flatten.first
             logged_issue.to_h.tap do |h|
-                h[:page][:dom][:transitions].first.delete :time
+                h[:page][:dom][:transitions].each { |t| t.delete :time }
             end.should eq issue.to_h.merge( referring_page: {
                 body: auditor.page.body,
                 dom:  auditor.page.dom.to_h.tap do |h|
                     h.delete :skip_states
                 end
-            }).tap { |h| h[:page][:dom][:transitions].first.delete :time }
+            }).tap { |h| h[:page][:dom][:transitions].each { |t| t.delete :time } }
         end
         it 'assigns a #referring_page' do

data/spec/arachni/check/base_spec.rb CHANGED

@@ -53,6 +53,28 @@ describe Arachni::Check::Base do
         end
     end
+    describe '#has_exempt_platforms?' do
+        context 'when exempt platforms are provided' do
+            before do
+                described_class.stub(:info) { { exempt_platforms: [ :unix ] } }
+            end
+            it 'returns true' do
+                described_class.has_exempt_platforms?.should be_true
+            end
+        end
+        context 'when exempt platforms are not provided' do
+            before do
+                described_class.stub(:info) { { exempt_platforms: [] } }
+            end
+            it 'returns false' do
+                described_class.has_exempt_platforms?.should be_false
+            end
+        end
+    end
     describe '#supports_platforms?' do
         context 'when empty platforms are given' do
             it 'returns true' do
@@ -80,6 +102,16 @@ describe Arachni::Check::Base do
             end
         end
+        context 'when any of the given platforms are exempt' do
+            before do
+                described_class.stub(:info) { { exempt_platforms: [:php] } }
+            end
+            it 'returns false' do
+                described_class.supports_platforms?([:unix, :php]).should be_false
+            end
+        end
         context 'when a parent of any of the given platforms is supported' do
             before do
                 described_class.stub(:info) { { platforms: [:unix] } }
@@ -90,6 +122,17 @@ describe Arachni::Check::Base do
             end
         end
+        context 'when a parent of any of the given platforms is exempt' do
+            before do
+                described_class.stub(:info) { { exempt_platforms: [:unix] } }
+            end
+            it 'returns false' do
+                described_class.supports_platforms?([:linux]).should be_false
+            end
+        end
         context 'when a child of any of the given platforms is supported' do
             before do
                 described_class.stub(:info) { { platforms: [:linux] } }
@@ -100,6 +143,16 @@ describe Arachni::Check::Base do
             end
         end
+        context 'when a child of any of the given platforms is exempt' do
+            before do
+                described_class.stub(:info) { { exempt_platforms: [:linux] } }
+            end
+            it 'returns false' do
+                described_class.supports_platforms?([:unix]).should be_false
+            end
+        end
         context 'when none of the given platforms are not provided' do
             before do
                 described_class.stub(:info) { { platforms: [:windows] } }
@@ -109,5 +162,36 @@ describe Arachni::Check::Base do
                 described_class.supports_platforms?([:unix]).should be_false
             end
         end
+        context 'when none of the given platforms are exempt' do
+            before do
+                described_class.stub(:info) { { exempt_platforms: [:windows] } }
+            end
+            it 'returns true' do
+                described_class.supports_platforms?([:unix]).should be_true
+            end
+        end
+        context 'when any of the given platforms are exempt' do
+            before do
+                described_class.stub(:info) { { exempt_platforms: [:windows, :linux] } }
+            end
+            it 'returns false' do
+                described_class.supports_platforms?([:unix]).should be_false
+            end
+        end
+        context 'when a platforms of different type is exempt' do
+            before do
+                described_class.stub(:info) { { exempt_platforms: [:windows] } }
+            end
+            it 'returns true' do
+                described_class.supports_platforms?([:ruby]).should be_true
+            end
+        end
     end
 end

data/spec/arachni/element/body_spec.rb CHANGED

@@ -42,7 +42,7 @@ describe Arachni::Element::Body do
                     logged_issue.vector.url.should == Arachni::Utilities.normalize_url( @url )
                     logged_issue.vector.class.should == Arachni::Element::Body
-                    logged_issue.signature.should == valid_pattern.to_s
+                    logged_issue.signature.should == valid_pattern.source
                     logged_issue.proof.should == 'Match'
                     logged_issue.trusted.should be_true
                 end

data/spec/arachni/element/capabilities/analyzable/taint_spec.rb CHANGED

@@ -109,7 +109,7 @@ describe Arachni::Element::Capabilities::Analyzable::Taint do
                         issues.size.should == 1
                         issues[0].platform_name.should == :windows
-                        issues[0].signature.should == regexps[:windows].to_s
+                        issues[0].signature.should == regexps[:windows].source
                     end
                     context 'when the payloads are per platform' do
@@ -148,7 +148,7 @@ describe Arachni::Element::Capabilities::Analyzable::Taint do
                                 issue.vector.seed.should == payloads[platform]
                                 issue.platform_name.should == platform
-                                issue.signature.should == regexps[platform].to_s
+                                issue.signature.should == regexps[platform].source
                             end
                         end
@@ -177,7 +177,7 @@ describe Arachni::Element::Capabilities::Analyzable::Taint do
                                 issue = issues.first
                                 issue.platform_name.should == :asp
-                                issue.signature.should == regexps[:asp].to_s
+                                issue.signature.should == regexps[:asp].source
                             end
                         end
                     end