arachni 1.1 → 1.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +159 -0
- data/LICENSE.md +126 -196
- data/README.md +32 -24
- data/arachni.gemspec +7 -7
- data/components/checks/active/code_injection_timing.rb +3 -3
- data/components/checks/active/csrf.rb +2 -2
- data/components/checks/active/file_inclusion.rb +6 -7
- data/components/checks/active/os_cmd_injection.rb +3 -3
- data/components/checks/active/path_traversal.rb +7 -7
- data/components/checks/active/response_splitting.rb +9 -4
- data/components/checks/active/session_fixation.rb +7 -3
- data/components/checks/active/source_code_disclosure.rb +5 -5
- data/components/checks/active/unvalidated_redirect.rb +12 -3
- data/components/checks/active/unvalidated_redirect_dom.rb +3 -3
- data/components/checks/active/xss.rb +23 -10
- data/components/checks/active/xss_dom_inputs.rb +113 -11
- data/components/checks/active/xxe.rb +3 -3
- data/components/checks/passive/backdoors.rb +6 -5
- data/components/checks/passive/backup_directories.rb +6 -6
- data/components/checks/passive/backup_files.rb +6 -6
- data/components/checks/passive/common_admin_interfaces.rb +58 -0
- data/components/checks/passive/common_admin_interfaces/admin-panels.txt +49 -0
- data/components/checks/passive/common_directories/directories.txt +0 -16
- data/components/checks/passive/common_files.rb +6 -5
- data/components/checks/passive/common_files/filenames.txt +0 -2
- data/components/checks/passive/directory_listing.rb +6 -6
- data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +3 -3
- data/components/checks/passive/grep/hsts.rb +6 -3
- data/components/checks/passive/grep/http_only_cookies.rb +3 -3
- data/components/checks/passive/grep/insecure_cookies.rb +2 -2
- data/components/checks/passive/grep/insecure_cors_policy.rb +6 -4
- data/components/checks/passive/grep/x_frame_options.rb +6 -4
- data/components/checks/passive/htaccess_limit.rb +6 -2
- data/components/checks/passive/http_put.rb +8 -4
- data/components/checks/passive/interesting_responses.rb +3 -2
- data/components/checks/passive/localstart_asp.rb +6 -2
- data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +5 -1
- data/components/checks/passive/xst.rb +6 -2
- data/components/fingerprinters/frameworks/aspx_mvc.rb +43 -0
- data/components/fingerprinters/frameworks/cakephp.rb +28 -0
- data/components/fingerprinters/frameworks/cherrypy.rb +31 -0
- data/components/fingerprinters/frameworks/django.rb +33 -0
- data/components/fingerprinters/frameworks/jsf.rb +30 -0
- data/components/fingerprinters/frameworks/rack.rb +5 -7
- data/components/fingerprinters/frameworks/rails.rb +43 -0
- data/components/fingerprinters/languages/aspx.rb +11 -11
- data/components/fingerprinters/languages/{jsp.rb → java.rb} +11 -7
- data/components/fingerprinters/languages/php.rb +6 -6
- data/components/fingerprinters/languages/python.rb +14 -6
- data/components/fingerprinters/languages/ruby.rb +3 -5
- data/components/fingerprinters/servers/apache.rb +5 -4
- data/components/fingerprinters/servers/gunicorn.rb +33 -0
- data/components/fingerprinters/servers/jetty.rb +1 -1
- data/components/fingerprinters/servers/tomcat.rb +11 -4
- data/components/path_extractors/anchors.rb +5 -12
- data/components/path_extractors/areas.rb +5 -13
- data/components/path_extractors/comments.rb +5 -3
- data/components/path_extractors/data_url.rb +21 -0
- data/components/path_extractors/forms.rb +5 -13
- data/components/path_extractors/frames.rb +6 -13
- data/components/path_extractors/generic.rb +3 -12
- data/components/path_extractors/links.rb +5 -13
- data/components/path_extractors/meta_refresh.rb +5 -13
- data/components/path_extractors/scripts.rb +8 -14
- data/components/plugins/autologin.rb +17 -5
- data/components/plugins/defaults/meta/remedies/discovery.rb +11 -29
- data/components/plugins/login_script.rb +40 -10
- data/components/plugins/metrics.rb +235 -0
- data/components/plugins/proxy.rb +21 -4
- data/components/plugins/proxy/panel/page_accordion.html.erb +34 -2
- data/components/plugins/restrict_to_dom_state.rb +70 -0
- data/components/plugins/vector_feed.rb +38 -9
- data/components/reporters/plugin_formatters/html/metrics.rb +290 -0
- data/components/reporters/plugin_formatters/stdout/metrics.rb +80 -0
- data/components/reporters/plugin_formatters/xml/metrics.rb +29 -0
- data/components/reporters/stdout.rb +4 -2
- data/components/reporters/xml.rb +4 -4
- data/components/reporters/xml/schema.xsd +95 -0
- data/lib/arachni.rb +2 -0
- data/lib/arachni/browser.rb +132 -77
- data/lib/arachni/browser/javascript.rb +173 -45
- data/lib/arachni/browser/javascript/scripts/dom_monitor.js +81 -6
- data/lib/arachni/browser/javascript/scripts/taint_tracer.js +31 -3
- data/lib/arachni/browser_cluster.rb +41 -15
- data/lib/arachni/browser_cluster/job.rb +4 -0
- data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +0 -9
- data/lib/arachni/browser_cluster/worker.rb +8 -5
- data/lib/arachni/check/auditor.rb +20 -8
- data/lib/arachni/check/base.rb +38 -6
- data/lib/arachni/element/base.rb +18 -1
- data/lib/arachni/element/capabilities/analyzable/differential.rb +0 -1
- data/lib/arachni/element/capabilities/analyzable/taint.rb +40 -10
- data/lib/arachni/element/capabilities/analyzable/timeout.rb +27 -23
- data/lib/arachni/element/capabilities/auditable/dom.rb +22 -0
- data/lib/arachni/element/capabilities/inputtable.rb +6 -2
- data/lib/arachni/element/capabilities/submittable.rb +1 -1
- data/lib/arachni/element/cookie.rb +37 -23
- data/lib/arachni/element/cookie/capabilities/mutable.rb +6 -6
- data/lib/arachni/element/cookie/dom.rb +0 -8
- data/lib/arachni/element/form.rb +28 -14
- data/lib/arachni/element/form/capabilities/auditable.rb +2 -2
- data/lib/arachni/element/form/capabilities/mutable.rb +5 -5
- data/lib/arachni/element/form/dom.rb +0 -8
- data/lib/arachni/element/generic_dom.rb +1 -1
- data/lib/arachni/element/json.rb +2 -1
- data/lib/arachni/element/json/capabilities/inputtable.rb +6 -6
- data/lib/arachni/element/json/capabilities/mutable.rb +1 -1
- data/lib/arachni/element/link.rb +13 -16
- data/lib/arachni/element/link/dom.rb +1 -14
- data/lib/arachni/element/link_template.rb +3 -2
- data/lib/arachni/element/link_template/dom.rb +0 -16
- data/lib/arachni/element/server.rb +51 -9
- data/lib/arachni/element/xml.rb +1 -0
- data/lib/arachni/ethon/easy.rb +4 -1
- data/lib/arachni/framework/parts/audit.rb +26 -77
- data/lib/arachni/framework/parts/browser.rb +50 -55
- data/lib/arachni/framework/parts/check.rb +4 -3
- data/lib/arachni/framework/parts/data.rb +41 -6
- data/lib/arachni/framework/parts/state.rb +16 -7
- data/lib/arachni/http/client.rb +66 -38
- data/lib/arachni/http/client/dynamic_404_handler.rb +46 -14
- data/lib/arachni/http/headers.rb +22 -10
- data/lib/arachni/http/proxy_server.rb +67 -22
- data/lib/arachni/http/proxy_server/ssl-interceptor-cacert.pem +34 -0
- data/lib/arachni/http/proxy_server/ssl-interceptor-cakey.pem +51 -0
- data/lib/arachni/http/request.rb +71 -18
- data/lib/arachni/issue.rb +17 -3
- data/lib/arachni/option_groups/browser_cluster.rb +34 -1
- data/lib/arachni/option_groups/http.rb +1 -1
- data/lib/arachni/page.rb +26 -13
- data/lib/arachni/page/dom/transition.rb +2 -2
- data/lib/arachni/parser.rb +28 -11
- data/lib/arachni/platform/fingerprinter.rb +5 -0
- data/lib/arachni/platform/manager.rb +65 -32
- data/lib/arachni/plugin/base.rb +8 -0
- data/lib/arachni/processes/instances.rb +25 -11
- data/lib/arachni/reporter/manager.rb +2 -2
- data/lib/arachni/rpc/client/instance.rb +4 -0
- data/lib/arachni/rpc/server/framework/master.rb +3 -3
- data/lib/arachni/rpc/server/framework/multi_instance.rb +0 -8
- data/lib/arachni/rpc/server/instance.rb +2 -1
- data/lib/arachni/ruby/array.rb +5 -0
- data/lib/arachni/ruby/hash.rb +5 -0
- data/lib/arachni/ruby/string.rb +2 -3
- data/lib/arachni/session.rb +32 -6
- data/lib/arachni/state/framework.rb +6 -2
- data/lib/arachni/support/cache.rb +1 -0
- data/lib/arachni/support/cache/base.rb +12 -8
- data/lib/arachni/support/cache/least_recently_pushed.rb +29 -0
- data/lib/arachni/support/cache/least_recently_used.rb +5 -8
- data/lib/arachni/support/cache/preference.rb +1 -1
- data/lib/arachni/support/cache/random_replacement.rb +1 -25
- data/lib/arachni/support/database/queue.rb +21 -8
- data/lib/arachni/support/lookup/base.rb +7 -1
- data/lib/arachni/support/mixins/observable.rb +3 -1
- data/lib/arachni/support/profiler.rb +51 -10
- data/lib/arachni/support/signature.rb +11 -2
- data/lib/arachni/trainer.rb +8 -2
- data/lib/arachni/uri.rb +28 -25
- data/lib/arachni/uri/scope.rb +1 -1
- data/lib/arachni/utilities.rb +8 -0
- data/lib/arachni/watir/element.rb +1 -1
- data/lib/version +1 -1
- data/spec/arachni/browser/javascript/dom_monitor_spec.rb +388 -53
- data/spec/arachni/browser/javascript/taint_tracer_spec.rb +41 -0
- data/spec/arachni/browser/javascript_spec.rb +235 -61
- data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +0 -9
- data/spec/arachni/browser_cluster_spec.rb +58 -10
- data/spec/arachni/browser_spec.rb +170 -26
- data/spec/arachni/check/auditor_spec.rb +22 -3
- data/spec/arachni/check/base_spec.rb +84 -0
- data/spec/arachni/element/body_spec.rb +1 -1
- data/spec/arachni/element/capabilities/analyzable/taint_spec.rb +3 -3
- data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +1 -1
- data/spec/arachni/element/cookie/dom_spec.rb +0 -9
- data/spec/arachni/element/cookie_spec.rb +85 -0
- data/spec/arachni/element/form/dom_spec.rb +0 -9
- data/spec/arachni/element/form_spec.rb +46 -3
- data/spec/arachni/element/json_spec.rb +20 -0
- data/spec/arachni/element/link/dom_spec.rb +0 -9
- data/spec/arachni/element/link_spec.rb +40 -15
- data/spec/arachni/element/link_template/dom_spec.rb +0 -8
- data/spec/arachni/element/link_template_spec.rb +2 -6
- data/spec/arachni/element/server_spec.rb +94 -8
- data/spec/arachni/element/xml_spec.rb +20 -0
- data/spec/arachni/framework/parts/audit_spec.rb +12 -14
- data/spec/arachni/framework/parts/browser_spec.rb +0 -171
- data/spec/arachni/framework/parts/platform_spec.rb +14 -8
- data/spec/arachni/framework/parts/report_spec.rb +1 -1
- data/spec/arachni/framework/parts/state_spec.rb +0 -9
- data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +19 -0
- data/spec/arachni/http/client_spec.rb +169 -42
- data/spec/arachni/http/headers_spec.rb +18 -0
- data/spec/arachni/http/request_spec.rb +23 -0
- data/spec/arachni/issue_spec.rb +17 -6
- data/spec/arachni/page_spec.rb +22 -2
- data/spec/arachni/parser_spec.rb +5 -0
- data/spec/arachni/platform/manager_spec.rb +57 -25
- data/spec/arachni/reporter/manager_spec.rb +26 -0
- data/spec/arachni/rpc/server/active_options_spec.rb +9 -4
- data/spec/arachni/state/framework_spec.rb +2 -8
- data/spec/arachni/support/cache/least_recently_pushed_spec.rb +90 -0
- data/spec/arachni/support/cache/least_recently_used_spec.rb +5 -13
- data/spec/arachni/support/database/queue_spec.rb +7 -0
- data/spec/arachni/support/mixins/observable_spec.rb +15 -1
- data/spec/arachni/trainer_spec.rb +2 -2
- data/spec/components/checks/active/code_injection_timing_spec.rb +1 -1
- data/spec/components/checks/active/file_inclusion_spec.rb +6 -6
- data/spec/components/checks/active/path_traversal_spec.rb +2 -2
- data/spec/components/checks/active/source_code_disclosure_spec.rb +2 -2
- data/spec/components/checks/active/unvalidated_redirect_spec.rb +6 -6
- data/spec/components/checks/active/xss_dom_inputs_spec.rb +3 -5
- data/spec/components/checks/active/xss_dom_script_context_spec.rb +1 -1
- data/spec/components/checks/active/xss_spec.rb +5 -5
- data/spec/components/checks/passive/common_admin_interfaces_spec.rb +15 -0
- data/spec/components/checks/passive/interesting_responses_spec.rb +14 -1
- data/spec/components/fingerprinters/frameworks/aspx_mvc_spec.rb +31 -0
- data/spec/components/fingerprinters/frameworks/cakephp_spec.rb +22 -0
- data/spec/components/fingerprinters/frameworks/cherrypy_spec.rb +28 -0
- data/spec/components/fingerprinters/frameworks/django_spec.rb +37 -0
- data/spec/components/fingerprinters/frameworks/jsf_spec.rb +27 -0
- data/spec/components/fingerprinters/frameworks/rack_spec.rb +11 -14
- data/spec/components/fingerprinters/frameworks/rails_spec.rb +53 -0
- data/spec/components/fingerprinters/languages/asp_spec.rb +7 -9
- data/spec/components/fingerprinters/languages/aspx_spec.rb +10 -24
- data/spec/components/fingerprinters/languages/java_spec.rb +88 -0
- data/spec/components/fingerprinters/languages/php_spec.rb +19 -12
- data/spec/components/fingerprinters/languages/python_spec.rb +22 -9
- data/spec/components/fingerprinters/languages/ruby.rb +6 -4
- data/spec/components/fingerprinters/os/bsd_spec.rb +6 -4
- data/spec/components/fingerprinters/os/linux_spec.rb +6 -4
- data/spec/components/fingerprinters/os/solaris_spec.rb +6 -4
- data/spec/components/fingerprinters/os/unix_spec.rb +6 -4
- data/spec/components/fingerprinters/os/windows_spec.rb +6 -4
- data/spec/components/fingerprinters/servers/apache_spec.rb +15 -4
- data/spec/components/fingerprinters/servers/gunicorn_spec.rb +28 -0
- data/spec/components/fingerprinters/servers/iis_spec.rb +6 -6
- data/spec/components/fingerprinters/servers/jetty_spec.rb +6 -6
- data/spec/components/fingerprinters/servers/nginx_spec.rb +6 -4
- data/spec/components/fingerprinters/servers/tomcat_spec.rb +15 -6
- data/spec/components/path_extractors/data_url_spec.rb +19 -0
- data/spec/components/plugins/autologin_spec.rb +23 -0
- data/spec/components/plugins/login_script_spec.rb +112 -24
- data/spec/components/plugins/restrict_to_dom_state_spec.rb +16 -0
- data/spec/components/plugins/vector_feed_spec.rb +39 -1
- data/spec/support/factories/page/dom.rb +9 -4
- data/spec/support/factories/page/dom/transition.rb +31 -9
- data/spec/support/factories/scan_report.rb +8 -6
- data/spec/support/fixtures/empty/placeholder +0 -0
- data/spec/support/fixtures/report.afr +0 -0
- data/spec/support/fixtures/reporters/manager_spec/error.rb +18 -0
- data/spec/support/servers/arachni/browser.rb +117 -11
- data/spec/support/servers/arachni/browser/javascript/dom_monitor.rb +148 -4
- data/spec/support/servers/arachni/check/auditor.rb +4 -0
- data/spec/support/servers/arachni/element/cookie/cookie_dom.rb +1 -1
- data/spec/support/servers/arachni/http/client.rb +5 -0
- data/spec/support/servers/arachni/http/client/dynamic_404_handler.rb +13 -0
- data/spec/support/servers/checks/active/code_injection_timing.rb +1 -1
- data/spec/support/servers/checks/active/file_inclusion.rb +2 -2
- data/spec/support/servers/checks/active/path_traversal.rb +2 -2
- data/spec/support/servers/checks/active/source_code_disclosure.rb +40 -33
- data/spec/support/servers/checks/active/trainer_check.rb +9 -10
- data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +7 -4
- data/spec/support/servers/checks/active/xss.rb +35 -0
- data/spec/support/servers/checks/active/xss_dom.rb +1 -1
- data/spec/support/servers/checks/active/xss_dom_inputs.rb +24 -0
- data/spec/support/servers/checks/active/xss_dom_script_context.rb +1 -1
- data/spec/support/servers/checks/passive/common_admin_interfaces.rb +6 -0
- data/spec/support/servers/plugins/autologin.rb +9 -0
- data/spec/support/servers/plugins/restrict_to_dom_state.rb +4 -0
- data/spec/support/shared/element/base.rb +42 -0
- data/spec/support/shared/element/capabilities/auditable.rb +4 -4
- data/spec/support/shared/element/capabilities/auditable/dom.rb +26 -0
- data/spec/support/shared/element/capabilities/inputtable.rb +16 -11
- data/spec/support/shared/element/capabilities/submitable.rb +7 -2
- data/spec/support/shared/fingerprinter.rb +8 -0
- data/spec/support/shared/path_extractor.rb +1 -1
- data/ui/cli/framework.rb +3 -3
- data/ui/cli/framework/option_parser.rb +9 -0
- data/ui/cli/output.rb +9 -0
- data/ui/cli/reporter.rb +5 -2
- data/ui/cli/utilities.rb +4 -2
- metadata +76 -17
- data/lib/arachni/http/proxy_server/ssl-interceptor-cert.pem +0 -34
- data/lib/arachni/http/proxy_server/ssl-interceptor-pkey.pem +0 -51
- data/spec/components/fingerprinters/languages/jsp_spec.rb +0 -56
|
@@ -8,26 +8,18 @@ describe Arachni::Support::Cache::LeastRecentlyUsed do
|
|
|
8
8
|
|
|
9
9
|
subject[:k] = '1'
|
|
10
10
|
subject[:k2] = '2'
|
|
11
|
+
subject[:k]
|
|
11
12
|
subject[:k3] = '3'
|
|
12
13
|
subject[:k4] = '4'
|
|
13
|
-
subject.size.should == 3
|
|
14
|
-
|
|
15
|
-
subject[:k4].should be_true
|
|
16
|
-
subject[:k3].should be_true
|
|
17
|
-
subject[:k2].should be_true
|
|
18
|
-
subject[:k].should be_nil
|
|
19
14
|
|
|
20
|
-
subject.
|
|
15
|
+
subject.size.should == 3
|
|
21
16
|
|
|
22
|
-
subject
|
|
23
|
-
subject[:k] = '1'
|
|
24
|
-
subject[:k2] = '3'
|
|
25
|
-
subject[:k3] = '4'
|
|
26
|
-
subject.size.should == 1
|
|
17
|
+
ap subject
|
|
27
18
|
|
|
19
|
+
subject[:k].should be_true
|
|
20
|
+
subject[:k4].should be_true
|
|
28
21
|
subject[:k3].should be_true
|
|
29
22
|
subject[:k2].should be_nil
|
|
30
|
-
subject[:k].should be_nil
|
|
31
23
|
end
|
|
32
24
|
|
|
33
25
|
describe '#[]=' do
|
|
@@ -167,6 +167,13 @@ describe Arachni::Support::Database::Queue do
|
|
|
167
167
|
end
|
|
168
168
|
end
|
|
169
169
|
|
|
170
|
+
describe '#free_buffer_size' do
|
|
171
|
+
it 'returns the size of the available buffer' do
|
|
172
|
+
(subject.max_buffer_size - 2).times { |i| subject << i }
|
|
173
|
+
subject.free_buffer_size.should == 2
|
|
174
|
+
end
|
|
175
|
+
end
|
|
176
|
+
|
|
170
177
|
describe '#buffer_size' do
|
|
171
178
|
it 'returns the size of the in-memory entries' do
|
|
172
179
|
subject.buffer_size.should == 0
|
|
@@ -57,11 +57,25 @@ describe Arachni::Support::Mixins::Observable do
|
|
|
57
57
|
end
|
|
58
58
|
end
|
|
59
59
|
|
|
60
|
-
describe '#
|
|
60
|
+
describe '#notify' do
|
|
61
61
|
it 'returns nil' do
|
|
62
62
|
subject.my_event { }
|
|
63
63
|
subject.notify( :my_event ).should be_nil
|
|
64
64
|
end
|
|
65
|
+
|
|
66
|
+
context 'when a callback raises an exception' do
|
|
67
|
+
it 'does not affect other callbacks' do
|
|
68
|
+
called = []
|
|
69
|
+
|
|
70
|
+
subject.my_event { called << 1 }
|
|
71
|
+
subject.my_event { called << 2; raise }
|
|
72
|
+
subject.my_event { called << 3 }
|
|
73
|
+
|
|
74
|
+
subject.notify( :my_event )
|
|
75
|
+
|
|
76
|
+
called.should == [1, 2, 3]
|
|
77
|
+
end
|
|
78
|
+
end
|
|
65
79
|
end
|
|
66
80
|
|
|
67
81
|
describe '#clear_observers' do
|
|
@@ -99,9 +99,9 @@ describe Arachni::Trainer do
|
|
|
99
99
|
@framework.pages.size.should == 0
|
|
100
100
|
|
|
101
101
|
Arachni::HTTP::Client.request( @url + '/elems', train: true )
|
|
102
|
-
@framework.run
|
|
103
102
|
|
|
104
|
-
@
|
|
103
|
+
@trainer.should receive(:push)
|
|
104
|
+
@framework.run
|
|
105
105
|
end
|
|
106
106
|
|
|
107
107
|
context 'when a redirection leads to new elements' do
|
|
@@ -4,7 +4,7 @@ describe name_from_filename do
|
|
|
4
4
|
include_examples 'check'
|
|
5
5
|
|
|
6
6
|
def self.platforms
|
|
7
|
-
[:unix, :windows, :
|
|
7
|
+
[:unix, :windows, :php, :perl, :java]
|
|
8
8
|
end
|
|
9
9
|
|
|
10
10
|
def self.elements
|
|
@@ -32,7 +32,7 @@ describe name_from_filename do
|
|
|
32
32
|
Element::JSON => 96,
|
|
33
33
|
Element::XML => 192
|
|
34
34
|
},
|
|
35
|
-
|
|
35
|
+
java: {
|
|
36
36
|
Element::Form => 8,
|
|
37
37
|
Element::Link => 8,
|
|
38
38
|
Element::Cookie => 8,
|
|
@@ -44,11 +44,11 @@ describe name_from_filename do
|
|
|
44
44
|
php: {
|
|
45
45
|
Element::Form => 120,
|
|
46
46
|
Element::Link => 120,
|
|
47
|
-
Element::Cookie =>
|
|
48
|
-
Element::Header =>
|
|
47
|
+
Element::Cookie => 112,
|
|
48
|
+
Element::Header => 56,
|
|
49
49
|
Element::LinkTemplate => 60,
|
|
50
|
-
Element::JSON =>
|
|
51
|
-
Element::XML =>
|
|
50
|
+
Element::JSON => 112,
|
|
51
|
+
Element::XML => 224
|
|
52
52
|
},
|
|
53
53
|
perl: {
|
|
54
54
|
Element::Form => 120,
|
|
@@ -4,7 +4,7 @@ describe name_from_filename do
|
|
|
4
4
|
include_examples 'check'
|
|
5
5
|
|
|
6
6
|
def self.platforms
|
|
7
|
-
[:unix, :windows, :
|
|
7
|
+
[:unix, :windows, :java]
|
|
8
8
|
end
|
|
9
9
|
|
|
10
10
|
def self.elements
|
|
@@ -32,7 +32,7 @@ describe name_from_filename do
|
|
|
32
32
|
Element::JSON => 504,
|
|
33
33
|
Element::XML => 672
|
|
34
34
|
},
|
|
35
|
-
|
|
35
|
+
java: {
|
|
36
36
|
Element::Form => 8,
|
|
37
37
|
Element::Link => 8,
|
|
38
38
|
Element::Cookie => 8,
|
|
@@ -4,7 +4,7 @@ describe name_from_filename do
|
|
|
4
4
|
include_examples 'check'
|
|
5
5
|
|
|
6
6
|
def self.platforms
|
|
7
|
-
[:php, :asp, :
|
|
7
|
+
[:php, :asp, :java]
|
|
8
8
|
end
|
|
9
9
|
|
|
10
10
|
def self.elements
|
|
@@ -17,7 +17,7 @@ describe name_from_filename do
|
|
|
17
17
|
Element::Form => 6,
|
|
18
18
|
Element::Link => 6,
|
|
19
19
|
Element::Cookie => 4,
|
|
20
|
-
Element::Header =>
|
|
20
|
+
Element::Header => 4,
|
|
21
21
|
Element::LinkTemplate => 5,
|
|
22
22
|
Element::JSON => 6,
|
|
23
23
|
Element::XML => 16
|
|
@@ -10,12 +10,12 @@ describe name_from_filename do
|
|
|
10
10
|
|
|
11
11
|
def issue_count_per_element
|
|
12
12
|
{
|
|
13
|
-
Element::Form =>
|
|
14
|
-
Element::Link =>
|
|
15
|
-
Element::Cookie =>
|
|
16
|
-
Element::Header =>
|
|
17
|
-
Element::JSON =>
|
|
18
|
-
Element::XML =>
|
|
13
|
+
Element::Form => 5,
|
|
14
|
+
Element::Link => 5,
|
|
15
|
+
Element::Cookie => 5,
|
|
16
|
+
Element::Header => 5,
|
|
17
|
+
Element::JSON => 3,
|
|
18
|
+
Element::XML => 6
|
|
19
19
|
}
|
|
20
20
|
end
|
|
21
21
|
|
|
@@ -9,7 +9,7 @@ describe name_from_filename do
|
|
|
9
9
|
|
|
10
10
|
def issue_count_per_element
|
|
11
11
|
{
|
|
12
|
-
Element::GenericDOM =>
|
|
12
|
+
Element::GenericDOM => 9
|
|
13
13
|
}
|
|
14
14
|
end
|
|
15
15
|
|
|
@@ -20,13 +20,11 @@ describe name_from_filename do
|
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
easy_test do
|
|
23
|
-
issues.
|
|
24
|
-
|
|
25
|
-
end
|
|
23
|
+
issues.select { |i| i.vector.type == :input }.size.should == 8
|
|
24
|
+
issues.select { |i| i.vector.type == :button }.size.should == 1
|
|
26
25
|
|
|
27
26
|
Arachni::Browser::Javascript::EVENTS_PER_ELEMENT[:input].each do |event|
|
|
28
27
|
find_issue( event ).vector.action.should end_with event.to_s
|
|
29
28
|
end
|
|
30
|
-
|
|
31
29
|
end
|
|
32
30
|
end
|
|
@@ -10,11 +10,11 @@ describe name_from_filename do
|
|
|
10
10
|
|
|
11
11
|
def issue_count_per_element
|
|
12
12
|
{
|
|
13
|
-
Element::Link =>
|
|
14
|
-
Element::Form =>
|
|
15
|
-
Element::Cookie =>
|
|
16
|
-
Element::Header =>
|
|
17
|
-
Element::LinkTemplate =>
|
|
13
|
+
Element::Link => 13,
|
|
14
|
+
Element::Form => 12,
|
|
15
|
+
Element::Cookie => 12,
|
|
16
|
+
Element::Header => 11,
|
|
17
|
+
Element::LinkTemplate => 12
|
|
18
18
|
}
|
|
19
19
|
end
|
|
20
20
|
|
|
@@ -7,7 +7,7 @@ describe name_from_filename do
|
|
|
7
7
|
[ Element::Server ]
|
|
8
8
|
end
|
|
9
9
|
|
|
10
|
-
it '
|
|
10
|
+
it 'logs HTTP responses with status codes other than 200 or 404' do
|
|
11
11
|
run
|
|
12
12
|
current_check.acceptable.each do |code|
|
|
13
13
|
http.get( url + code.to_s )
|
|
@@ -20,4 +20,17 @@ describe name_from_filename do
|
|
|
20
20
|
max_issues = current_check.max_issues
|
|
21
21
|
issues.size.should == max_issues
|
|
22
22
|
end
|
|
23
|
+
|
|
24
|
+
it 'skips HTTP responses which are out of scope' do
|
|
25
|
+
options.scope.exclude_path_patterns << /blah/
|
|
26
|
+
|
|
27
|
+
run
|
|
28
|
+
|
|
29
|
+
current_check.acceptable.each do |code|
|
|
30
|
+
http.get( url + 'blah/' + code.to_s )
|
|
31
|
+
end
|
|
32
|
+
http.run
|
|
33
|
+
|
|
34
|
+
issues.should be_empty
|
|
35
|
+
end
|
|
23
36
|
end
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe Arachni::Platform::Fingerprinters::ASPXMVC do
|
|
4
|
+
include_examples 'fingerprinter'
|
|
5
|
+
|
|
6
|
+
def platforms
|
|
7
|
+
[:asp, :aspx, :windows, :aspx_mvc]
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
context 'when there is a __requestverificationtoken cookie' do
|
|
11
|
+
it 'identifies it as ASP.NET MVC' do
|
|
12
|
+
check_platforms Arachni::Page.from_data(
|
|
13
|
+
url: 'http://stuff.com/blah',
|
|
14
|
+
cookies: [Arachni::Cookie.new(
|
|
15
|
+
url: 'http://stuff.com/blah',
|
|
16
|
+
inputs: { '__requestverificationtoken' => 'stuff' } )]
|
|
17
|
+
|
|
18
|
+
)
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
context 'when there is an X-AspNetMvc-Version header' do
|
|
23
|
+
it 'identifies it as ASP.NET MVC' do
|
|
24
|
+
check_platforms Arachni::Page.from_data(
|
|
25
|
+
url: 'http://stuff.com/blah',
|
|
26
|
+
response: { headers: { 'X-AspNetMvc-Version' => '2.0' } }
|
|
27
|
+
)
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
end
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe Arachni::Platform::Fingerprinters::CakePHP do
|
|
4
|
+
include_examples 'fingerprinter'
|
|
5
|
+
|
|
6
|
+
def platforms
|
|
7
|
+
[:php, :cakephp]
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
context 'when there is a CAKEPHP cookie' do
|
|
11
|
+
it 'identifies it as CakePHP' do
|
|
12
|
+
check_platforms Arachni::Page.from_data(
|
|
13
|
+
url: 'http://stuff.com/blah',
|
|
14
|
+
cookies: [Arachni::Cookie.new(
|
|
15
|
+
url: 'http://stuff.com/blah',
|
|
16
|
+
inputs: { 'CAKEPHP' => 'stuff' } )]
|
|
17
|
+
|
|
18
|
+
)
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
end
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe Arachni::Platform::Fingerprinters::CherryPy do
|
|
4
|
+
include_examples 'fingerprinter'
|
|
5
|
+
|
|
6
|
+
def platforms
|
|
7
|
+
[:python, :cherrypy]
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
context 'when there is a Server header' do
|
|
11
|
+
it 'identifies it as CherryPy' do
|
|
12
|
+
check_platforms Arachni::Page.from_data(
|
|
13
|
+
url: 'http://stuff.com/blah',
|
|
14
|
+
response: { headers: { 'Server' => 'CherryPy/0.1' } }
|
|
15
|
+
)
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
context 'when there is an X-Powered-By header' do
|
|
20
|
+
it 'identifies it as CherryPy' do
|
|
21
|
+
check_platforms Arachni::Page.from_data(
|
|
22
|
+
url: 'http://stuff.com/blah',
|
|
23
|
+
response: { headers: { 'X-Powered-By' => 'CherryPy/0.1' } }
|
|
24
|
+
)
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
end
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe Arachni::Platform::Fingerprinters::Django do
|
|
4
|
+
include_examples 'fingerprinter'
|
|
5
|
+
|
|
6
|
+
def platforms
|
|
7
|
+
[:python, :django]
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
context 'when there is a Server header' do
|
|
11
|
+
it 'identifies it as Django' do
|
|
12
|
+
check_platforms Arachni::Page.from_data(
|
|
13
|
+
url: 'http://stuff.com/blah',
|
|
14
|
+
response: { headers: { 'Server' => 'WSGIServer/0.1mt Django/2.7.4' } }
|
|
15
|
+
)
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
context 'when there is an X-Powered-By header' do
|
|
20
|
+
it 'identifies it as Django' do
|
|
21
|
+
check_platforms Arachni::Page.from_data(
|
|
22
|
+
url: 'http://stuff.com/blah',
|
|
23
|
+
response: { headers: { 'X-Powered-By' => 'Django' } }
|
|
24
|
+
)
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
context 'when there are X-Django headers' do
|
|
29
|
+
it 'identifies it as Django' do
|
|
30
|
+
check_platforms Arachni::Page.from_data(
|
|
31
|
+
url: 'http://stuff.com/blah',
|
|
32
|
+
response: { headers: { 'X-Django-Stuff' => 'Blah' } }
|
|
33
|
+
)
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
end
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe Arachni::Platform::Fingerprinters::JSF do
|
|
4
|
+
include_examples 'fingerprinter'
|
|
5
|
+
|
|
6
|
+
def platforms
|
|
7
|
+
[:java, :jsf]
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
context 'when there is an X-Powered-By header with JSF' do
|
|
11
|
+
it 'identifies it as JSF' do
|
|
12
|
+
check_platforms Arachni::Page.from_data(
|
|
13
|
+
url: 'http://stuff.com/blah',
|
|
14
|
+
response: { headers: { 'X-Powered-By' => 'JSF/2.1' } }
|
|
15
|
+
)
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
context 'when there is a javax.faces.Token query parameter' do
|
|
20
|
+
it 'identifies it as JSF' do
|
|
21
|
+
check_platforms Arachni::Page.from_data(
|
|
22
|
+
url: 'http://stuff.com/blah?javax.faces.Token=stuff'
|
|
23
|
+
)
|
|
24
|
+
end
|
|
25
|
+
end
|
|
26
|
+
|
|
27
|
+
end
|
|
@@ -3,40 +3,37 @@ require 'spec_helper'
|
|
|
3
3
|
describe Arachni::Platform::Fingerprinters::Rack do
|
|
4
4
|
include_examples 'fingerprinter'
|
|
5
5
|
|
|
6
|
+
def platforms
|
|
7
|
+
[:ruby, :rack]
|
|
8
|
+
end
|
|
9
|
+
|
|
6
10
|
context 'when there is a rack.session cookie' do
|
|
7
11
|
it 'identifies it as Rack' do
|
|
8
|
-
|
|
12
|
+
check_platforms Arachni::Page.from_data(
|
|
9
13
|
url: 'http://stuff.com/blah',
|
|
10
14
|
cookies: [Arachni::Cookie.new(
|
|
11
15
|
url: 'http://stuff.com/blah',
|
|
12
16
|
inputs: { 'rack.session' => 'stuff' } )]
|
|
13
17
|
|
|
14
18
|
)
|
|
15
|
-
platforms_for( page ).should include :ruby
|
|
16
|
-
platforms_for( page ).should include :rack
|
|
17
19
|
end
|
|
18
20
|
end
|
|
19
21
|
|
|
20
|
-
context 'when there is
|
|
22
|
+
context 'when there is an X-Powered-By header' do
|
|
21
23
|
it 'identifies it as Rack' do
|
|
22
|
-
|
|
24
|
+
check_platforms Arachni::Page.from_data(
|
|
23
25
|
url: 'http://stuff.com/blah',
|
|
24
|
-
response: { headers: { '
|
|
26
|
+
response: { headers: { 'X-Powered-By' => 'mod_rack' } }
|
|
25
27
|
)
|
|
26
|
-
platforms_for( page ).should include :ruby
|
|
27
|
-
platforms_for( page ).should include :rack
|
|
28
28
|
end
|
|
29
29
|
end
|
|
30
30
|
|
|
31
|
-
context 'when there is an X-
|
|
31
|
+
context 'when there is an X-Rack-* header' do
|
|
32
32
|
it 'identifies it as Rack' do
|
|
33
|
-
|
|
33
|
+
check_platforms Arachni::Page.from_data(
|
|
34
34
|
url: 'http://stuff.com/blah',
|
|
35
|
-
response: { headers: { 'X-
|
|
35
|
+
response: { headers: { 'X-Rack-Stuff' => 'Blah' } }
|
|
36
36
|
)
|
|
37
|
-
platforms_for( page ).should include :ruby
|
|
38
|
-
platforms_for( page ).should include :rack
|
|
39
37
|
end
|
|
40
38
|
end
|
|
41
|
-
|
|
42
39
|
end
|