arachni 1.1 → 1.2

data/spec/support/servers/arachni/check/auditor.rb

@@ -6,6 +6,10 @@ get '/' do
     'Match this!'
 end
 
+get '/s.php' do
+    'OK'
+end
+
 get '/each_candidate_element' do
     cookies['cookie-input'] = 'blah'
 

data/spec/support/servers/arachni/element/cookie/cookie_dom.rb

@@ -13,7 +13,7 @@ get '/' do
         </div>
 
         <script>
-            document.getElementById('container').innerHTML = document.cookie;
+            document.getElementById('container').innerHTML = decodeURIComponent(document.cookie);
         </script>
     </body>
 </html>

data/spec/support/servers/arachni/http/client.rb

@@ -37,6 +37,11 @@ get '/http_response_max_size' do
     '1' * 1000000
 end
 
+get '/http_response_max_size/without_content_length' do
+    headers 'Content-Type' => ''
+    '1' * 1000000
+end
+
 get '/auth/simple-chars' do
     simple_protected!
     'authenticated!'

data/spec/support/servers/arachni/http/client/dynamic_404_handler.rb

@@ -1,5 +1,7 @@
 require 'sinatra'
 
+@@erratic = 0
+
 def handler_response_1
     "Random #{rand( 999 ).to_s} bits #{rand( 999 ).to_s} go #{rand( 999 ).to_s} here #{rand( 999 ).to_s}"
 end
@@ -21,6 +23,17 @@ get '/static/*' do
     'This is a custom 404, try to catch it. ;)'
 end
 
+get '/dynamic/erratic/*' do
+    if @@erratic > 3
+        return 500
+    end
+
+    @@erratic += 1
+
+    'This is a custom 404 which includes the requested resource, try to catch it. ;)' +
+        '<br/>You asked for "' + params[:splat].first.to_s + '", which could not be found.'
+end
+
 get '/dynamic/*' do
     'This is a custom 404 which includes the requested resource, try to catch it. ;)' +
         '<br/>You asked for "' + params[:splat].first.to_s + '", which could not be found.'

data/spec/support/servers/checks/active/code_injection_timing.rb

@@ -8,7 +8,7 @@ REGEXP = {
     perl:   'sleep\s?\((\d+)\/(\d+)\s?\);',
     python: 'import time;time.sleep\s?\((\d+)\/(\d+)\s?\);',
     asp:    'Thread\.Sleep\s?\((\d+)\s?\);',
-    jsp:    'Thread\.sleep\s?\((\d+)\s?\);',
+    java:   'Thread\.sleep\s?\((\d+)\s?\);',
     ruby:   'sleep\s?\((\d+)\/(\d+)\s?\)'
 }
 

data/spec/support/servers/checks/active/file_inclusion.rb

@@ -13,7 +13,7 @@ FILE_TO_PLATFORM = {
     '/winnt/win.ini'     => :windows,
     '/etc/passwd'        => :unix,
     '/proc/self/environ' => :unix,
-    '/WEB-INF/web.xml'   => :tomcat
+    '/WEB-INF/web.xml'   => :java
 }
 
 OUT = {
@@ -43,7 +43,7 @@ CMCDLLNAME32=mapi32.dll
 CMCDLLNAME=mapi.dll
 MAPIX=1
 ',
-    tomcat: '<?xml version="1.0" encoding="UTF-8"?>
+    java: '<?xml version="1.0" encoding="UTF-8"?>
 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
   <display-name>VulnerabilityDetectionChallenge</display-name>
   <welcome-file-list>

data/spec/support/servers/checks/active/path_traversal.rb

@@ -13,7 +13,7 @@ FILE_TO_PLATFORM = {
     '/winnt/win.ini'     => :windows,
     '/etc/passwd'        => :unix,
     '/proc/self/environ' => :unix,
-    '/WEB-INF/web.xml'   => :tomcat
+    '/WEB-INF/web.xml'   => :java
 }
 
 OUT = {
@@ -43,7 +43,7 @@ CMCDLLNAME32=mapi32.dll
 CMCDLLNAME=mapi.dll
 MAPIX=1
 ',
-    tomcat: '<?xml version="1.0" encoding="UTF-8"?>
+    java: '<?xml version="1.0" encoding="UTF-8"?>
 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
   <display-name>VulnerabilityDetectionChallenge</display-name>
   <welcome-file-list>

data/spec/support/servers/checks/active/source_code_disclosure.rb

@@ -5,18 +5,24 @@ require 'sinatra'
 require 'sinatra/contrib'
 
 def default
-    "default.html"
+    'default.html'
 end
 
 OUT = {
-    php: '<?php
+    php:  '<?php
     $q = $_GET["q"];',
-    jsp: 'response.setIntHeader( "test" )',
-    asp: 'Response.Write "stuff"'
+    java: 'response.setIntHeader( "test" )',
+    asp:  'Response.Write "stuff"'
+}
+
+EXTENSIONS = {
+    php:  'php',
+    java: 'jsp',
+    asp:  'asp'
 }
 
 def get_variations( language, str )
-    return if !str.to_s.end_with? ".#{language}"
+    return if !str.to_s.end_with? ".#{EXTENSIONS[language]}"
     OUT[language]
 end
 
@@ -36,6 +42,7 @@ before do
 end
 
 OUT.keys.each do |language|
+    ext = EXTENSIONS[language]
 
     get "/#{language}" do
         cookies['cookie'] ||= default
@@ -53,29 +60,29 @@ OUT.keys.each do |language|
 
     get "/#{language}/link" do
         <<-EOHTML
-            <a href="/#{language}/link/straight.#{language}?input=#{default}">Link</a>
-            <a href="/#{language}/link/with_null.#{language}?input=#{default}">Link</a>
+            <a href="/#{language}/link/straight.#{ext}?input=#{default}">Link</a>
+            <a href="/#{language}/link/with_null.#{ext}?input=#{default}">Link</a>
         EOHTML
     end
 
-    get "/#{language}/link/straight.#{language}" do
+    get "/#{language}/link/straight.#{ext}" do
         return if params['input'].include?( "\0" )
         get_variations( language, params['input'] )
     end
 
-    get "/#{language}/link/with_null.#{language}" do
+    get "/#{language}/link/with_null.#{ext}" do
         return if !params['input'].end_with?( "\00.html" )
         get_variations( language, params['input'].split( "\0.html" ).first )
     end
 
     get "/#{language}/link-template" do
         <<-EOHTML
-        <a href="/#{language}/link-template/straight/input/default/stuff.#{language}">Link</a>
-        <a href="/#{language}/link-template/append/input/default/stuff.#{language}">Link</a>
+        <a href="/#{language}/link-template/straight/input/default/stuff.#{ext}">Link</a>
+        <a href="/#{language}/link-template/append/input/default/stuff.#{ext}">Link</a>
         EOHTML
     end
 
-    get "/#{language}/link-template/straight/input/*/stuff.#{language}" do
+    get "/#{language}/link-template/straight/input/*/stuff.#{ext}" do
         val = params[:splat].first
         default = 'default'
         return if val.start_with?( default )
@@ -83,7 +90,7 @@ OUT.keys.each do |language|
         get_variations( language, val.split( default ).last )
     end
 
-    get "/#{language}/link-template/with_null/input/*/stuff.#{language}" do
+    get "/#{language}/link-template/with_null/input/*/stuff.#{ext}" do
         val = params[:splat].first
         return if !val.end_with?( "\00.html" )
         get_variations( language, val.split( "\0.html" ).first )
@@ -91,44 +98,44 @@ OUT.keys.each do |language|
 
     get "/#{language}/form" do
         <<-EOHTML
-            <form action="/#{language}/form/straight.#{language}" method='post'>
+            <form action="/#{language}/form/straight.#{ext}" method='post'>
                 <input name='input' value='#{default}' />
             </form>
 
-            <form action="/#{language}/form/with_null.#{language}" method='post'>
+            <form action="/#{language}/form/with_null.#{ext}" method='post'>
                 <input name='input' value='#{default}' />
             </form>
 
         EOHTML
     end
 
-    post "/#{language}/form/straight.#{language}" do
+    post "/#{language}/form/straight.#{ext}" do
         return if params['input'].include?( "\0" )
         get_variations( language, params['input'] )
     end
 
-    post "/#{language}/form/with_null.#{language}" do
+    post "/#{language}/form/with_null.#{ext}" do
         return if !params['input'].end_with?( "\00.html" )
         get_variations( language, params['input'].split( "\0.html" ).first )
     end
 
     get "/#{language}/cookie" do
         <<-HTML
-            <a href="/#{language}/cookie/straight.#{language}">Cookie</a>
+            <a href="/#{language}/cookie/straight.#{ext}">Cookie</a>
         HTML
     end
 
-    get "/#{language}/cookie/straight.#{language}" do
+    get "/#{language}/cookie/straight.#{ext}" do
         get_variations( language, cookies['cookie'] )
     end
 
     get "/#{language}/header" do
         <<-EOHTML
-            <a href="/#{language}/header/straight.#{language}">Header</a>
+            <a href="/#{language}/header/straight.#{ext}">Header</a>
         EOHTML
     end
 
-    get "/#{language}/header/straight.#{language}" do
+    get "/#{language}/header/straight.#{ext}" do
         default = 'arachni_user'
         return if env['HTTP_USER_AGENT'].start_with?( default ) || env['HTTP_USER_AGENT'].include?( "\0" )
 
@@ -139,23 +146,23 @@ OUT.keys.each do |language|
         <<-EOHTML
             <script type="application/javascript">
                 http_request = new XMLHttpRequest();
-                http_request.open( "POST", "/#{language}/json/straight.#{language}", true);
+                http_request.open( "POST", "/#{language}/json/straight.#{ext}", true);
                 http_request.send( '{"input": "#{default}"}' );
 
                 http_request = new XMLHttpRequest();
-                http_request.open( "POST", "/#{language}/json/with_null.#{language}", true);
+                http_request.open( "POST", "/#{language}/json/with_null.#{ext}", true);
                 http_request.send( '{"input": "#{default}"}' );
             </script>
         EOHTML
     end
 
-    post "/#{language}/json/straight.#{language}" do
+    post "/#{language}/json/straight.#{ext}" do
         return if !@json
         return if @json['input'].include?( "\0" )
         get_variations( language, @json['input'] )
     end
 
-    post "/#{language}/json/with_null.#{language}" do
+    post "/#{language}/json/with_null.#{ext}" do
         return if !@json
         return if !@json['input'].end_with?( "\00.html" )
 
@@ -166,25 +173,25 @@ OUT.keys.each do |language|
         <<-EOHTML
             <script type="application/javascript">
                 http_request = new XMLHttpRequest();
-                http_request.open( "POST", "/#{language}/xml/text/straight.#{language}", true);
+                http_request.open( "POST", "/#{language}/xml/text/straight.#{ext}", true);
                 http_request.send( '<input>#{default}</input>' );
 
                 http_request = new XMLHttpRequest();
-                http_request.open( "POST", "/#{language}/xml/text/with_null.#{language}", true);
+                http_request.open( "POST", "/#{language}/xml/text/with_null.#{ext}", true);
                 http_request.send( '<input>#{default}</input>' );
 
                 http_request = new XMLHttpRequest();
-                http_request.open( "POST", "/#{language}/xml/attribute/straight.#{language}", true);
+                http_request.open( "POST", "/#{language}/xml/attribute/straight.#{ext}", true);
                 http_request.send( '<input my-attribute="#{default}">stuff</input>' );
 
                 http_request = new XMLHttpRequest();
-                http_request.open( "POST", "/#{language}/xml/attribute/with_null.#{language}", true);
+                http_request.open( "POST", "/#{language}/xml/attribute/with_null.#{ext}", true);
                 http_request.send( '<input my-attribute="#{default}">stuff</input>' );
             </script>
         EOHTML
     end
 
-    post "/#{language}/xml/text/straight.#{language}" do
+    post "/#{language}/xml/text/straight.#{ext}" do
         return if !@xml
 
         input = @xml.css('input').first.content
@@ -194,7 +201,7 @@ OUT.keys.each do |language|
         get_variations( language, input )
     end
 
-    post "/#{language}/xml/text/with_null.#{language}" do
+    post "/#{language}/xml/text/with_null.#{ext}" do
         return if !@xml
 
         input = @xml.css('input').first.content
@@ -204,7 +211,7 @@ OUT.keys.each do |language|
         get_variations( language, input.split( "\00.html" ).last )
     end
 
-    post "/#{language}/xml/attribute/straight.#{language}" do
+    post "/#{language}/xml/attribute/straight.#{ext}" do
         return if !@xml
 
         input = @xml.css('input').first['my-attribute']
@@ -214,7 +221,7 @@ OUT.keys.each do |language|
         get_variations( language, input )
     end
 
-    post "/#{language}/xml/attribute/with_null.#{language}" do
+    post "/#{language}/xml/attribute/with_null.#{ext}" do
         return if !@xml
 
         input = @xml.css('input').first['my-attribute']

data/spec/support/servers/checks/active/trainer_check.rb

@@ -1,8 +1,7 @@
+require 'ap'
 require 'sinatra'
 require 'sinatra/contrib'
 
-require 'ap'
-
 get '/' do
     <<-EOHTML
         <a href="/link?input=default">Link</a>
@@ -24,12 +23,12 @@ get "/link/straight" do
     return if params['input'].start_with?( default ) ||
         !params['input'].include?( '_arachni_trainer_' )
 
-    redirect "/link/straight/trained"
+    redirect "/link/straight/redir"
 end
 
-get "/link/straight/trained" do
+get "/link/straight/redir" do
     <<-EOHTML
-        <a href="new stuff">Stuff</a>
+        <a href="trained">Stuff</a>
     EOHTML
 end
 
@@ -38,12 +37,12 @@ get "/link/append" do
     return if !params['input'].start_with?( default ) ||
         !params['input'].include?( '_arachni_trainer_' )
 
-    redirect "/link/append/trained"
+    redirect "/link/append/redir"
 end
 
-get "/link/append/trained" do
+get "/link/append/redir" do
     <<-EOHTML
-        <a href="more new stuff">Stuff</a>
+        <a href="trained">Stuff</a>
     EOHTML
 end
 
@@ -68,7 +67,7 @@ end
 
 get "/form/straight/trained" do
     <<-EOHTML
-        <form action="?new stuff"/>Stuff</form>
+        <form action="?new_stuff"/>Stuff</form>
     EOHTML
 end
 
@@ -81,7 +80,7 @@ end
 
 get "/form/append/trained" do
     <<-EOHTML
-        <form action="?more new stuff"/>Stuff</form>
+        <form action="?more_new_stuff"/>Stuff</form>
     EOHTML
 end
 

data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb

@@ -77,7 +77,7 @@ get '/form/straight' do
 end
 
 get '/cookie' do
-    headers 'Set-Cookie' => 'input=value'
+    headers 'Set-Cookie' => 'input=default'
 
     <<-EOHTML
         <a href="/cookie/straight">Form</a>
@@ -99,7 +99,7 @@ get '/cookie/straight' do
                         var c = ca[i].trim();
 
                         if( c.indexOf( name ) == 0 ) {
-                            return c.substring( name.length, c.length )
+                            return decodeURIComponent( c.substring( name.length, c.length ) )
                         }
                     }
 
@@ -107,8 +107,11 @@ get '/cookie/straight' do
                 }
 
                 url = getCookie('input');
-                if( url.indexOf( 'http' ) != 0 ) url = 'http://' + url;
-                window.location = url;
+
+                if( url != 'default' ) {
+                    if( url.indexOf( 'http' ) != 0 ) url = 'http://' + url;
+                    window.location = url;
+                }
             </script>
         </body>
     EOHTML

data/spec/support/servers/checks/active/xss.rb

@@ -52,6 +52,7 @@ get '/link' do
         <a href="/link/in_comment?input=default">Link</a>
         <a href="/link/in_textfield?input=default">Link</a>
         <a href="/link/straight?input=default">Link</a>
+        <a href="/link/double_encoded?input=default">Link</a>
         <a href="/link/append?input=default">Link</a>
         <a href="/link/dom?input=default">Link</a>
     EOHTML
@@ -76,6 +77,10 @@ get '/link/straight' do
     get_variations( params['input'].split( default ).last )
 end
 
+get '/link/double_encoded' do
+    get_variations( URI.decode( params['input'] ) )
+end
+
 get '/link/append' do
     default = 'default'
     return if !params['input'].start_with?( default )
@@ -91,6 +96,7 @@ get '/link-template' do
     <<-EOHTML
         <a href="/link-template/in_comment/input/default/stuff">Link</a>
         <a href="/link-template/straight/input/default/stuff">Link</a>
+        <a href="/link-template/double_encoded/input/default/stuff">Link</a>
         <a href="/link-template/append/input/default/stuff">Link</a>
         <a href="/link-template/dom/input/default/stuff">Link</a>
     EOHTML
@@ -112,6 +118,11 @@ get '/link-template/straight/input/*/stuff' do
     get_variations( val.split( default ).last )
 end
 
+get '/link-template/double_encoded/input/*/stuff' do
+    val = params[:splat].first
+    get_variations( URI.decode( val ) )
+end
+
 get '/link-template/append/input/*/stuff' do
     val = params[:splat].first
     default = 'default'
@@ -135,6 +146,10 @@ get '/form' do
             <input name='input' value='default' />
         </form>
 
+        <form action="/form/double_encoded">
+            <input name='input' value='default' />
+        </form>
+
         <form action="/form/append">
             <input name='input' value='default' />
         </form>
@@ -162,6 +177,10 @@ get '/form/straight' do
     get_variations( params['input'].split( default ).last )
 end
 
+get '/form/double_encoded' do
+    get_variations( URI.decode( params['input'].to_s ) )
+end
+
 get '/form/append' do
     default = 'default'
     return if !params['input'] || !params['input'].start_with?( default )
@@ -174,6 +193,7 @@ get '/cookie' do
     <<-EOHTML
         <a href="/cookie/in_comment">Cookie</a>
         <a href="/cookie/straight">Cookie</a>
+        <a href="/cookie/double_encoded">Cookie</a>
         <a href="/cookie/append">Cookie</a>
         <a href="/cookie/dom">Cookie</a>
     EOHTML
@@ -204,6 +224,13 @@ get '/cookie/straight' do
     get_variations( cookies['cookie'].split( default ).last )
 end
 
+get '/cookie/double_encoded' do
+    default = 'cookie value'
+    cookies['cookie'] ||= default
+
+    get_variations( URI.decode( cookies['cookie'] ) )
+end
+
 get '/cookie/append' do
     default = 'cookie value'
     cookies['cookie2'] ||= default
@@ -216,6 +243,7 @@ get '/header' do
     <<-EOHTML
         <a href="/header/straight">Header</a>
         <a href="/header/append">Header</a>
+        <a href="/header/double_encoded">Header</a>
         <a href="/header/dom">Header</a>
     EOHTML
 end
@@ -231,6 +259,13 @@ get '/header/straight' do
     get_variations( env['HTTP_USER_AGENT'].split( default ).last )
 end
 
+get '/header/double_encoded' do
+    default = 'arachni_user'
+    return if !env['HTTP_USER_AGENT']
+
+    get_variations( URI.decode( env['HTTP_USER_AGENT'] ) )
+end
+
 get '/header/append' do
     default = 'arachni_user'
     return if !env['HTTP_USER_AGENT'] || !env['HTTP_USER_AGENT'].start_with?( default )