RubyGems - arachni - Versions diffs - 1.1 → 1.2 - Mend

arachni 1.1 → 1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (287) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +159 -0
data/LICENSE.md +126 -196
data/README.md +32 -24
data/arachni.gemspec +7 -7
data/components/checks/active/code_injection_timing.rb +3 -3
data/components/checks/active/csrf.rb +2 -2
data/components/checks/active/file_inclusion.rb +6 -7
data/components/checks/active/os_cmd_injection.rb +3 -3
data/components/checks/active/path_traversal.rb +7 -7
data/components/checks/active/response_splitting.rb +9 -4
data/components/checks/active/session_fixation.rb +7 -3
data/components/checks/active/source_code_disclosure.rb +5 -5
data/components/checks/active/unvalidated_redirect.rb +12 -3
data/components/checks/active/unvalidated_redirect_dom.rb +3 -3
data/components/checks/active/xss.rb +23 -10
data/components/checks/active/xss_dom_inputs.rb +113 -11
data/components/checks/active/xxe.rb +3 -3
data/components/checks/passive/backdoors.rb +6 -5
data/components/checks/passive/backup_directories.rb +6 -6
data/components/checks/passive/backup_files.rb +6 -6
data/components/checks/passive/common_admin_interfaces.rb +58 -0
data/components/checks/passive/common_admin_interfaces/admin-panels.txt +49 -0
data/components/checks/passive/common_directories/directories.txt +0 -16
data/components/checks/passive/common_files.rb +6 -5
data/components/checks/passive/common_files/filenames.txt +0 -2
data/components/checks/passive/directory_listing.rb +6 -6
data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +3 -3
data/components/checks/passive/grep/hsts.rb +6 -3
data/components/checks/passive/grep/http_only_cookies.rb +3 -3
data/components/checks/passive/grep/insecure_cookies.rb +2 -2
data/components/checks/passive/grep/insecure_cors_policy.rb +6 -4
data/components/checks/passive/grep/x_frame_options.rb +6 -4
data/components/checks/passive/htaccess_limit.rb +6 -2
data/components/checks/passive/http_put.rb +8 -4
data/components/checks/passive/interesting_responses.rb +3 -2
data/components/checks/passive/localstart_asp.rb +6 -2
data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +5 -1
data/components/checks/passive/xst.rb +6 -2
data/components/fingerprinters/frameworks/aspx_mvc.rb +43 -0
data/components/fingerprinters/frameworks/cakephp.rb +28 -0
data/components/fingerprinters/frameworks/cherrypy.rb +31 -0
data/components/fingerprinters/frameworks/django.rb +33 -0
data/components/fingerprinters/frameworks/jsf.rb +30 -0
data/components/fingerprinters/frameworks/rack.rb +5 -7
data/components/fingerprinters/frameworks/rails.rb +43 -0
data/components/fingerprinters/languages/aspx.rb +11 -11
data/components/fingerprinters/languages/{jsp.rb → java.rb} +11 -7
data/components/fingerprinters/languages/php.rb +6 -6
data/components/fingerprinters/languages/python.rb +14 -6
data/components/fingerprinters/languages/ruby.rb +3 -5
data/components/fingerprinters/servers/apache.rb +5 -4
data/components/fingerprinters/servers/gunicorn.rb +33 -0
data/components/fingerprinters/servers/jetty.rb +1 -1
data/components/fingerprinters/servers/tomcat.rb +11 -4
data/components/path_extractors/anchors.rb +5 -12
data/components/path_extractors/areas.rb +5 -13
data/components/path_extractors/comments.rb +5 -3
data/components/path_extractors/data_url.rb +21 -0
data/components/path_extractors/forms.rb +5 -13
data/components/path_extractors/frames.rb +6 -13
data/components/path_extractors/generic.rb +3 -12
data/components/path_extractors/links.rb +5 -13
data/components/path_extractors/meta_refresh.rb +5 -13
data/components/path_extractors/scripts.rb +8 -14
data/components/plugins/autologin.rb +17 -5
data/components/plugins/defaults/meta/remedies/discovery.rb +11 -29
data/components/plugins/login_script.rb +40 -10
data/components/plugins/metrics.rb +235 -0
data/components/plugins/proxy.rb +21 -4
data/components/plugins/proxy/panel/page_accordion.html.erb +34 -2
data/components/plugins/restrict_to_dom_state.rb +70 -0
data/components/plugins/vector_feed.rb +38 -9
data/components/reporters/plugin_formatters/html/metrics.rb +290 -0
data/components/reporters/plugin_formatters/stdout/metrics.rb +80 -0
data/components/reporters/plugin_formatters/xml/metrics.rb +29 -0
data/components/reporters/stdout.rb +4 -2
data/components/reporters/xml.rb +4 -4
data/components/reporters/xml/schema.xsd +95 -0
data/lib/arachni.rb +2 -0
data/lib/arachni/browser.rb +132 -77
data/lib/arachni/browser/javascript.rb +173 -45
data/lib/arachni/browser/javascript/scripts/dom_monitor.js +81 -6
data/lib/arachni/browser/javascript/scripts/taint_tracer.js +31 -3
data/lib/arachni/browser_cluster.rb +41 -15
data/lib/arachni/browser_cluster/job.rb +4 -0
data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +0 -9
data/lib/arachni/browser_cluster/worker.rb +8 -5
data/lib/arachni/check/auditor.rb +20 -8
data/lib/arachni/check/base.rb +38 -6
data/lib/arachni/element/base.rb +18 -1
data/lib/arachni/element/capabilities/analyzable/differential.rb +0 -1
data/lib/arachni/element/capabilities/analyzable/taint.rb +40 -10
data/lib/arachni/element/capabilities/analyzable/timeout.rb +27 -23
data/lib/arachni/element/capabilities/auditable/dom.rb +22 -0
data/lib/arachni/element/capabilities/inputtable.rb +6 -2
data/lib/arachni/element/capabilities/submittable.rb +1 -1
data/lib/arachni/element/cookie.rb +37 -23
data/lib/arachni/element/cookie/capabilities/mutable.rb +6 -6
data/lib/arachni/element/cookie/dom.rb +0 -8
data/lib/arachni/element/form.rb +28 -14
data/lib/arachni/element/form/capabilities/auditable.rb +2 -2
data/lib/arachni/element/form/capabilities/mutable.rb +5 -5
data/lib/arachni/element/form/dom.rb +0 -8
data/lib/arachni/element/generic_dom.rb +1 -1
data/lib/arachni/element/json.rb +2 -1
data/lib/arachni/element/json/capabilities/inputtable.rb +6 -6
data/lib/arachni/element/json/capabilities/mutable.rb +1 -1
data/lib/arachni/element/link.rb +13 -16
data/lib/arachni/element/link/dom.rb +1 -14
data/lib/arachni/element/link_template.rb +3 -2
data/lib/arachni/element/link_template/dom.rb +0 -16
data/lib/arachni/element/server.rb +51 -9
data/lib/arachni/element/xml.rb +1 -0
data/lib/arachni/ethon/easy.rb +4 -1
data/lib/arachni/framework/parts/audit.rb +26 -77
data/lib/arachni/framework/parts/browser.rb +50 -55
data/lib/arachni/framework/parts/check.rb +4 -3
data/lib/arachni/framework/parts/data.rb +41 -6
data/lib/arachni/framework/parts/state.rb +16 -7
data/lib/arachni/http/client.rb +66 -38
data/lib/arachni/http/client/dynamic_404_handler.rb +46 -14
data/lib/arachni/http/headers.rb +22 -10
data/lib/arachni/http/proxy_server.rb +67 -22
data/lib/arachni/http/proxy_server/ssl-interceptor-cacert.pem +34 -0
data/lib/arachni/http/proxy_server/ssl-interceptor-cakey.pem +51 -0
data/lib/arachni/http/request.rb +71 -18
data/lib/arachni/issue.rb +17 -3
data/lib/arachni/option_groups/browser_cluster.rb +34 -1
data/lib/arachni/option_groups/http.rb +1 -1
data/lib/arachni/page.rb +26 -13
data/lib/arachni/page/dom/transition.rb +2 -2
data/lib/arachni/parser.rb +28 -11
data/lib/arachni/platform/fingerprinter.rb +5 -0
data/lib/arachni/platform/manager.rb +65 -32
data/lib/arachni/plugin/base.rb +8 -0
data/lib/arachni/processes/instances.rb +25 -11
data/lib/arachni/reporter/manager.rb +2 -2
data/lib/arachni/rpc/client/instance.rb +4 -0
data/lib/arachni/rpc/server/framework/master.rb +3 -3
data/lib/arachni/rpc/server/framework/multi_instance.rb +0 -8
data/lib/arachni/rpc/server/instance.rb +2 -1
data/lib/arachni/ruby/array.rb +5 -0
data/lib/arachni/ruby/hash.rb +5 -0
data/lib/arachni/ruby/string.rb +2 -3
data/lib/arachni/session.rb +32 -6
data/lib/arachni/state/framework.rb +6 -2
data/lib/arachni/support/cache.rb +1 -0
data/lib/arachni/support/cache/base.rb +12 -8
data/lib/arachni/support/cache/least_recently_pushed.rb +29 -0
data/lib/arachni/support/cache/least_recently_used.rb +5 -8
data/lib/arachni/support/cache/preference.rb +1 -1
data/lib/arachni/support/cache/random_replacement.rb +1 -25
data/lib/arachni/support/database/queue.rb +21 -8
data/lib/arachni/support/lookup/base.rb +7 -1
data/lib/arachni/support/mixins/observable.rb +3 -1
data/lib/arachni/support/profiler.rb +51 -10
data/lib/arachni/support/signature.rb +11 -2
data/lib/arachni/trainer.rb +8 -2
data/lib/arachni/uri.rb +28 -25
data/lib/arachni/uri/scope.rb +1 -1
data/lib/arachni/utilities.rb +8 -0
data/lib/arachni/watir/element.rb +1 -1
data/lib/version +1 -1
data/spec/arachni/browser/javascript/dom_monitor_spec.rb +388 -53
data/spec/arachni/browser/javascript/taint_tracer_spec.rb +41 -0
data/spec/arachni/browser/javascript_spec.rb +235 -61
data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +0 -9
data/spec/arachni/browser_cluster_spec.rb +58 -10
data/spec/arachni/browser_spec.rb +170 -26
data/spec/arachni/check/auditor_spec.rb +22 -3
data/spec/arachni/check/base_spec.rb +84 -0
data/spec/arachni/element/body_spec.rb +1 -1
data/spec/arachni/element/capabilities/analyzable/taint_spec.rb +3 -3
data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +1 -1
data/spec/arachni/element/cookie/dom_spec.rb +0 -9
data/spec/arachni/element/cookie_spec.rb +85 -0
data/spec/arachni/element/form/dom_spec.rb +0 -9
data/spec/arachni/element/form_spec.rb +46 -3
data/spec/arachni/element/json_spec.rb +20 -0
data/spec/arachni/element/link/dom_spec.rb +0 -9
data/spec/arachni/element/link_spec.rb +40 -15
data/spec/arachni/element/link_template/dom_spec.rb +0 -8
data/spec/arachni/element/link_template_spec.rb +2 -6
data/spec/arachni/element/server_spec.rb +94 -8
data/spec/arachni/element/xml_spec.rb +20 -0
data/spec/arachni/framework/parts/audit_spec.rb +12 -14
data/spec/arachni/framework/parts/browser_spec.rb +0 -171
data/spec/arachni/framework/parts/platform_spec.rb +14 -8
data/spec/arachni/framework/parts/report_spec.rb +1 -1
data/spec/arachni/framework/parts/state_spec.rb +0 -9
data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +19 -0
data/spec/arachni/http/client_spec.rb +169 -42
data/spec/arachni/http/headers_spec.rb +18 -0
data/spec/arachni/http/request_spec.rb +23 -0
data/spec/arachni/issue_spec.rb +17 -6
data/spec/arachni/page_spec.rb +22 -2
data/spec/arachni/parser_spec.rb +5 -0
data/spec/arachni/platform/manager_spec.rb +57 -25
data/spec/arachni/reporter/manager_spec.rb +26 -0
data/spec/arachni/rpc/server/active_options_spec.rb +9 -4
data/spec/arachni/state/framework_spec.rb +2 -8
data/spec/arachni/support/cache/least_recently_pushed_spec.rb +90 -0
data/spec/arachni/support/cache/least_recently_used_spec.rb +5 -13
data/spec/arachni/support/database/queue_spec.rb +7 -0
data/spec/arachni/support/mixins/observable_spec.rb +15 -1
data/spec/arachni/trainer_spec.rb +2 -2
data/spec/components/checks/active/code_injection_timing_spec.rb +1 -1
data/spec/components/checks/active/file_inclusion_spec.rb +6 -6
data/spec/components/checks/active/path_traversal_spec.rb +2 -2
data/spec/components/checks/active/source_code_disclosure_spec.rb +2 -2
data/spec/components/checks/active/unvalidated_redirect_spec.rb +6 -6
data/spec/components/checks/active/xss_dom_inputs_spec.rb +3 -5
data/spec/components/checks/active/xss_dom_script_context_spec.rb +1 -1
data/spec/components/checks/active/xss_spec.rb +5 -5
data/spec/components/checks/passive/common_admin_interfaces_spec.rb +15 -0
data/spec/components/checks/passive/interesting_responses_spec.rb +14 -1
data/spec/components/fingerprinters/frameworks/aspx_mvc_spec.rb +31 -0
data/spec/components/fingerprinters/frameworks/cakephp_spec.rb +22 -0
data/spec/components/fingerprinters/frameworks/cherrypy_spec.rb +28 -0
data/spec/components/fingerprinters/frameworks/django_spec.rb +37 -0
data/spec/components/fingerprinters/frameworks/jsf_spec.rb +27 -0
data/spec/components/fingerprinters/frameworks/rack_spec.rb +11 -14
data/spec/components/fingerprinters/frameworks/rails_spec.rb +53 -0
data/spec/components/fingerprinters/languages/asp_spec.rb +7 -9
data/spec/components/fingerprinters/languages/aspx_spec.rb +10 -24
data/spec/components/fingerprinters/languages/java_spec.rb +88 -0
data/spec/components/fingerprinters/languages/php_spec.rb +19 -12
data/spec/components/fingerprinters/languages/python_spec.rb +22 -9
data/spec/components/fingerprinters/languages/ruby.rb +6 -4
data/spec/components/fingerprinters/os/bsd_spec.rb +6 -4
data/spec/components/fingerprinters/os/linux_spec.rb +6 -4
data/spec/components/fingerprinters/os/solaris_spec.rb +6 -4
data/spec/components/fingerprinters/os/unix_spec.rb +6 -4
data/spec/components/fingerprinters/os/windows_spec.rb +6 -4
data/spec/components/fingerprinters/servers/apache_spec.rb +15 -4
data/spec/components/fingerprinters/servers/gunicorn_spec.rb +28 -0
data/spec/components/fingerprinters/servers/iis_spec.rb +6 -6
data/spec/components/fingerprinters/servers/jetty_spec.rb +6 -6
data/spec/components/fingerprinters/servers/nginx_spec.rb +6 -4
data/spec/components/fingerprinters/servers/tomcat_spec.rb +15 -6
data/spec/components/path_extractors/data_url_spec.rb +19 -0
data/spec/components/plugins/autologin_spec.rb +23 -0
data/spec/components/plugins/login_script_spec.rb +112 -24
data/spec/components/plugins/restrict_to_dom_state_spec.rb +16 -0
data/spec/components/plugins/vector_feed_spec.rb +39 -1
data/spec/support/factories/page/dom.rb +9 -4
data/spec/support/factories/page/dom/transition.rb +31 -9
data/spec/support/factories/scan_report.rb +8 -6
data/spec/support/fixtures/empty/placeholder +0 -0
data/spec/support/fixtures/report.afr +0 -0
data/spec/support/fixtures/reporters/manager_spec/error.rb +18 -0
data/spec/support/servers/arachni/browser.rb +117 -11
data/spec/support/servers/arachni/browser/javascript/dom_monitor.rb +148 -4
data/spec/support/servers/arachni/check/auditor.rb +4 -0
data/spec/support/servers/arachni/element/cookie/cookie_dom.rb +1 -1
data/spec/support/servers/arachni/http/client.rb +5 -0
data/spec/support/servers/arachni/http/client/dynamic_404_handler.rb +13 -0
data/spec/support/servers/checks/active/code_injection_timing.rb +1 -1
data/spec/support/servers/checks/active/file_inclusion.rb +2 -2
data/spec/support/servers/checks/active/path_traversal.rb +2 -2
data/spec/support/servers/checks/active/source_code_disclosure.rb +40 -33
data/spec/support/servers/checks/active/trainer_check.rb +9 -10
data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +7 -4
data/spec/support/servers/checks/active/xss.rb +35 -0
data/spec/support/servers/checks/active/xss_dom.rb +1 -1
data/spec/support/servers/checks/active/xss_dom_inputs.rb +24 -0
data/spec/support/servers/checks/active/xss_dom_script_context.rb +1 -1
data/spec/support/servers/checks/passive/common_admin_interfaces.rb +6 -0
data/spec/support/servers/plugins/autologin.rb +9 -0
data/spec/support/servers/plugins/restrict_to_dom_state.rb +4 -0
data/spec/support/shared/element/base.rb +42 -0
data/spec/support/shared/element/capabilities/auditable.rb +4 -4
data/spec/support/shared/element/capabilities/auditable/dom.rb +26 -0
data/spec/support/shared/element/capabilities/inputtable.rb +16 -11
data/spec/support/shared/element/capabilities/submitable.rb +7 -2
data/spec/support/shared/fingerprinter.rb +8 -0
data/spec/support/shared/path_extractor.rb +1 -1
data/ui/cli/framework.rb +3 -3
data/ui/cli/framework/option_parser.rb +9 -0
data/ui/cli/output.rb +9 -0
data/ui/cli/reporter.rb +5 -2
data/ui/cli/utilities.rb +4 -2
metadata +76 -17
data/lib/arachni/http/proxy_server/ssl-interceptor-cert.pem +0 -34
data/lib/arachni/http/proxy_server/ssl-interceptor-pkey.pem +0 -51
data/spec/components/fingerprinters/languages/jsp_spec.rb +0 -56

data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb CHANGED

@@ -47,7 +47,7 @@ describe Arachni::Element::Capabilities::Analyzable::Timeout do
         context 'when #timing_attack_remark_data is' do
             context 'not nil' do
                 it 'duplicates it' do
-                    h = { stuff: 1 }
+                    h = { stuff: [1] }
                     subject.timing_attack_remark_data = h

data/spec/arachni/element/cookie/dom_spec.rb CHANGED

@@ -62,15 +62,6 @@ describe Arachni::Element::Cookie::DOM do
         end
     end
-    %w(encode decode).each do |m|
-        describe "##{m}" do
-            it "delegates to #{Arachni::Element::Cookie}.#{m}" do
-                Arachni::Element::Cookie.stub(m) { |arg| "#{arg}1" }
-                subject.send( m, 'blah' ).should == 'blah1'
-            end
-        end
-    end
     describe '#type' do
         it 'returns :cookie_dom' do
             subject.type.should == :cookie_dom

data/spec/arachni/element/cookie_spec.rb CHANGED

@@ -2,6 +2,7 @@ require 'spec_helper'
 describe Arachni::Element::Cookie do
     it_should_behave_like 'element'
+    it_should_behave_like 'with_source'
     it_should_behave_like 'with_dom'
     it_should_behave_like 'auditable', single_input: true
@@ -452,6 +453,7 @@ describe Arachni::Element::Cookie do
             cookie.name.should == 'coo@ki e2'
             cookie.value.should == 'blah val2@'
             cookie.path.should == '/stuff'
+            cookie.source.should == sc3
         end
         context 'when there is no path' do
@@ -465,6 +467,44 @@ describe Arachni::Element::Cookie do
                 cookie.path.should == '/'
             end
         end
+        context 'when its value is' do
+            let(:value) { 'a' * size }
+            let(:cookie) { "cookie=#{value}; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Domain=.foo.com; HttpOnly" }
+            context "equal to #{described_class::MAX_SIZE}" do
+                let(:size) { described_class::MAX_SIZE }
+                it 'returns empty array' do
+                    described_class.from_set_cookie(
+                        'http://test.com/stuff',
+                        cookie
+                    ).first.value.should be_empty
+                end
+            end
+            context "larger than #{described_class::MAX_SIZE}" do
+                let(:size) { described_class::MAX_SIZE + 1 }
+                it 'sets empty value' do
+                    described_class.from_set_cookie(
+                        'http://test.com/stuff',
+                        cookie
+                    ).first.value.should be_empty
+                end
+            end
+            context "smaller than #{described_class::MAX_SIZE}" do
+                let(:size) { described_class::MAX_SIZE - 1 }
+                it 'leaves the values alone' do
+                    described_class.from_set_cookie(
+                        'http://test.com/stuff',
+                        cookie
+                    ).first.value.should == value
+                end
+            end
+        end
     end
     describe '.from_string' do
@@ -485,6 +525,51 @@ describe Arachni::Element::Cookie do
              c.name.should == 'name2'
              c.value.should == 'value2'
         end
+        it 'can handle v1 values' do
+            described_class.from_string(
+                'http://owner-url.com',
+                'cookie="blah stuff"'
+            ).first.value.should == 'blah stuff'
+        end
+        context 'when its value is' do
+            let(:value) { 'a' * size }
+            let(:cookie) { "cookie=#{value}" }
+            context "equal to #{described_class::MAX_SIZE}" do
+                let(:size) { described_class::MAX_SIZE }
+                it 'sets empty value' do
+                    described_class.from_string(
+                        'http://owner-url.com',
+                        cookie
+                    ).first.value.should be_empty
+                end
+            end
+            context "larger than #{described_class::MAX_SIZE}" do
+                let(:size) { described_class::MAX_SIZE + 1 }
+                it 'sets empty value' do
+                    described_class.from_string(
+                        'http://owner-url.com',
+                        cookie
+                    ).first.value.should be_empty
+                end
+            end
+            context "smaller than #{described_class::MAX_SIZE}" do
+                let(:size) { described_class::MAX_SIZE - 1 }
+                it 'leaves the values alone' do
+                    described_class.from_string(
+                        'http://owner-url.com',
+                        cookie
+                    ).first.value.should == value
+                end
+            end
+        end
     end
 end

data/spec/arachni/element/form/dom_spec.rb CHANGED

@@ -43,15 +43,6 @@ describe Arachni::Element::Form::DOM do
         end
     end
-    %w(encode decode).each do |m|
-        describe "##{m}" do
-            it "delegates to #{Arachni::Element::Form}.#{m}" do
-                Arachni::Element::Form.stub(m) { |arg| "#{arg}1" }
-                subject.send( m, 'blah' ).should == 'blah1'
-            end
-        end
-    end
     describe '#parent' do
         it 'returns the parent element' do
             subject.parent.should be_kind_of Arachni::Element::Form

data/spec/arachni/element/form_spec.rb CHANGED

@@ -1076,12 +1076,55 @@ EOHTML
                     }
                 end
             end
+            context 'when its value is' do
+                let(:form) { described_class.from_document( url, form_html ).first }
+                let(:value) { 'a' * size }
+                let(:form_html) do
+                    '<html>
+                        <body>
+                            <form method="post" action="/form" name="my_form">
+                                <input type="text" name="input_1" value="' + value + '">
+                                <input type="text" name="input_2" value="val_2">
+                                <input type="submit">
+                            </form>
+                        </body>
+                    </html>'
+                end
+                context "equal to #{described_class::MAX_SIZE}" do
+                    let(:size) { described_class::MAX_SIZE }
+                    it 'returns empty array' do
+                        form.inputs['input_1'].should be_empty
+                        form.inputs['input_2'].should == 'val_2'
+                    end
+                end
+                context "larger than #{described_class::MAX_SIZE}" do
+                    let(:size) { described_class::MAX_SIZE + 1 }
+                    it 'sets empty value' do
+                        form.inputs['input_1'].should be_empty
+                        form.inputs['input_2'].should == 'val_2'
+                    end
+                end
+                context "smaller than #{described_class::MAX_SIZE}" do
+                    let(:size) { described_class::MAX_SIZE - 1 }
+                    it 'leaves the values alone' do
+                        form.inputs['input_1'].should == value
+                        form.inputs['input_2'].should == 'val_2'
+                    end
+                end
+            end
         end
     end
     describe '.encode' do
         it 'form-encodes the passed string' do
-            described_class.encode( '% value\ +=&;' ).should == '%25+value%5C+%2B%3D%26%3B'
+            described_class.encode( '% value\ +=&;' ).should == '%25%20value%5C%20%2B%3D%26%3B'
         end
     end
     describe '#encode' do
@@ -1093,12 +1136,12 @@ EOHTML
     describe '.decode' do
         it 'form-decodes the passed string' do
-            described_class.decode( '%25+value%5C+%2B%3D%26%3B' ).should == '% value\ +=&;'
+            described_class.decode( '%25%20value%5C%20%2B%3D%26%3B' ).should == '% value\ +=&;'
         end
     end
     describe '#decode' do
         it 'form-decodes the passed string' do
-            v = '%25+value%5C+%2B%3D%26%3B'
+            v = '%25%20value%5C%20%2B%3D%26%3B'
             subject.decode( v ).should == described_class.decode( v )
         end
     end

data/spec/arachni/element/json_spec.rb CHANGED

@@ -517,6 +517,26 @@ describe Arachni::Element::JSON do
         context 'when there are no inputs' do
             it 'returns nil'
         end
+        context 'when it is' do
+            context "equal to #{described_class::MAX_SIZE}" do
+                let(:size) { described_class::MAX_SIZE }
+                it 'returns nil'
+            end
+            context "larger than #{described_class::MAX_SIZE}" do
+                let(:size) { described_class::MAX_SIZE + 1 }
+                it 'returns nil'
+            end
+            context "smaller than #{described_class::MAX_SIZE}" do
+                let(:size) { described_class::MAX_SIZE - 1 }
+                it 'leaves parses it'
+            end
+        end
     end
 end

data/spec/arachni/element/link/dom_spec.rb CHANGED

@@ -43,15 +43,6 @@ describe Arachni::Element::Link::DOM do
         end
     end
-    %w(encode decode).each do |m|
-        describe "##{m}" do
-            it "delegates to #{Arachni::Element::Link}.#{m}" do
-                Arachni::Element::Link.stub(m) { |arg| "#{arg}1" }
-                subject.send( m, 'blah' ).should == 'blah1'
-            end
-        end
-    end
     describe '#parent' do
         it 'returns the parent element' do
             subject.parent.should be_kind_of Arachni::Element::Link

data/spec/arachni/element/link_spec.rb CHANGED

@@ -254,26 +254,51 @@ describe Arachni::Element::Link do
                 end
             end
         end
-    end
-    describe '.encode_query_params' do
-        it "encodes '='" do
-            v = 'stuff='
-            described_class.encode_query_params( v ).should == 'stuff%3D'
-        end
-    end
-    describe '#encode_query_params' do
-        it "encodes '='" do
-            v = 'stuff='
-            subject.encode_query_params( v ).should ==
-                described_class.encode_query_params( v )
+        context 'when its value is' do
+            let(:link) { described_class.from_document( url, link_html ).first }
+            let(:value) { 'a' * size }
+            let(:href) { "test?param=#{value}" }
+            let(:link_html) do
+                tpl = '<html>
+                           <body>
+                               <a href="%s"></a>
+                           </body>
+                      </html>'
+                tpl % href[0...size]
+            end
+            context "equal to #{described_class::MAX_SIZE}" do
+                let(:size) { described_class::MAX_SIZE }
+                it 'returns empty array' do
+                    link.should be_nil
+                end
+            end
+            context "larger than #{described_class::MAX_SIZE}" do
+                let(:size) { described_class::MAX_SIZE + 1 }
+                it 'sets empty value' do
+                    link.should be_nil
+                end
+            end
+            context "smaller than #{described_class::MAX_SIZE}" do
+                let(:size) { described_class::MAX_SIZE - 1 }
+                it 'leaves the values alone' do
+                    link.inputs['param'].should_not be_empty
+                end
+            end
         end
     end
     describe '.encode' do
         it 'URL-encodes the passed string' do
             v = '% value\ +=&;'
-            described_class.encode( v ).should == URI.encode( v )
+            described_class.encode( v ).should == '%25%20value%5C%20%2B%3D%26%3B'
         end
     end
     describe '#encode' do
@@ -285,13 +310,13 @@ describe Arachni::Element::Link do
     describe '.decode' do
         it 'URL-decodes the passed string' do
-            v = '%25+value%5C+%2B%3D%26%3B'
+            v = '%25%20value%5C%20%2B%3D%26%3B'
             described_class.decode( v ).should == URI.decode( v )
         end
     end
     describe '#decode' do
         it 'URL-decodes the passed string' do
-            v = '%25+value%5C+%2B%3D%26%3B'
+            v = '%25%20value%5C%20%2B%3D%26%3B'
             subject.decode( v ).should == described_class.decode( v )
         end
     end

data/spec/arachni/element/link_template/dom_spec.rb CHANGED

@@ -60,14 +60,6 @@ describe Arachni::Element::LinkTemplate::DOM do
         end
     end
-    %w(encode decode).each do |m|
-        describe "##{m}" do
-            it 'returns the string as is' do
-                subject.send( m, 'blah' ).should == 'blah'
-            end
-        end
-    end
     describe '#parent' do
         it 'returns the parent element' do
             subject.parent.should be_kind_of Arachni::Element::LinkTemplate

data/spec/arachni/element/link_template_spec.rb CHANGED

@@ -215,12 +215,8 @@ describe Arachni::Element::LinkTemplate do
     end
     describe '.encode' do
-        it "double encodes ';'" do
-            described_class.encode( 'test;' ).should == 'test%253B'
-        end
-        it "double encodes '/'" do
-            described_class.encode( 'test/' ).should == 'test%2F'
+        it 'URL-encodes the passed string' do
+            described_class.encode( 'test/;' ).should == 'test%2F%3B'
         end
     end

data/spec/arachni/element/server_spec.rb CHANGED

@@ -75,16 +75,30 @@ describe Arachni::Element::Server do
                     name:      'Auditor',
                     shortname: 'auditor_test'
                 }
+                logged_issue.variations.first.proof.should ==
+                    logged_issue.variations.first.page.response.status_line
                 logged_issue.name.should == @auditor.class.info[:issue][:name]
                 logged_issue.trusted.should be_true
             end
-            it "does not push the response to the #{Arachni::Trainer}" do
-                file = @base_url + 'true'
-                auditable.log_remote_file_if_exists( file )
+            context 'when one issue is logged' do
+                it "does not push the response to the #{Arachni::Trainer}" do
+                    auditable.log_remote_file_if_exists( @base_url + 'true' )
-                @framework.trainer.should_not receive(:push)
-                @framework.http.run
+                    @framework.trainer.should_not receive(:push)
+                    @framework.http.run
+                end
+            end
+            context 'when multiple issues are logged' do
+                it "pushes the responses to the #{Arachni::Trainer}" do
+                    auditable.log_remote_file_if_exists( @base_url + 'true' )
+                    auditable.log_remote_file_if_exists( "#{url}/each_candidate_dom_element" )
+                    @framework.trainer.should receive(:push).twice
+                    @framework.http.run
+                end
             end
         end
@@ -94,12 +108,41 @@ describe Arachni::Element::Server do
                 @framework.http.run
                 Arachni::Data.issues.should be_empty
             end
+            it "does not push the responses to the #{Arachni::Trainer}" do
+                auditable.log_remote_file_if_exists( @base_url + 'false' )
+                @framework.trainer.should_not receive(:push)
+                @framework.http.run
+            end
         end
         context 'when issues are too similar' do
+            let(:check_url) { @base_url + 'true' }
+            it 'flags them as untrusted' do
+                10.times { auditable.log_remote_file_if_exists( check_url ) }
+                @framework.http.run
+                issues.should be_any
+                issues.each do |issue|
+                    issue.should be_untrusted
+                end
+            end
+            it 'assigns a remark' do
+                10.times { auditable.log_remote_file_if_exists( check_url ) }
+                @framework.http.run
+                issues.should be_any
+                issues.each do |issue|
+                    issue.remarks[:meta_analysis].should == [described_class::REMARK]
+                end
+            end
             it "does not push the responses to the #{Arachni::Trainer}" do
-                file = @base_url + 'true'
-                10.times { auditable.log_remote_file_if_exists( file ) }
+                10.times { auditable.log_remote_file_if_exists( url ) }
                 @framework.trainer.should_not receive(:push)
                 @framework.http.run
@@ -125,11 +168,33 @@ describe Arachni::Element::Server do
         end
         context 'without a custom 404 handler' do
+            it 'performs fingerprinting' do
+                url = @base_url + 'true'
+                # We run this twice because the cache is empty the first time
+                # around so we don't know what kind of handler we're dealing with.
+                auditable.remote_file_exist?( url ) {}
+                @framework.http.run
+                request = nil
+                @framework.http.on_complete do |response|
+                    next if url != response.url
+                    request = response.request
+                end
+                auditable.remote_file_exist?( url ) {}
+                @framework.http.run
+                request.fingerprint?.should be_true
+            end
             context 'when a remote file exists' do
                 it 'yields true' do
                     exists = false
                     auditable.remote_file_exist?( @base_url + 'true' ) { |bool| exists = bool }
                     @framework.http.run
+                    exists.should be_true
                 end
                 context 'on subsequent calls' do
@@ -165,9 +230,30 @@ describe Arachni::Element::Server do
             end
         end
-        context 'without a custom 404 handler' do
+        context 'with a custom 404 handler' do
             before { @_404_url = @base_url + 'custom_404/' }
+            it 'does not perform fingerprinting' do
+                url = @_404_url + 'true'
+                # We run this twice because the cache is empty the first time
+                # around so we don't know what kind of handler we're dealing with.
+                auditable.remote_file_exist?( url ) {}
+                @framework.http.run
+                request = nil
+                @framework.http.on_complete do |response|
+                    next if url != response.url
+                    request = response.request
+                end
+                auditable.remote_file_exist?( url ) {}
+                @framework.http.run
+                request.fingerprint?.should be_false
+            end
             context 'and the response' do
                 context 'is static' do
                     it 'yields false' do