RubyGems - arachni - Versions diffs - 1.1 → 1.2 - Mend

arachni 1.1 → 1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (287) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +159 -0
data/LICENSE.md +126 -196
data/README.md +32 -24
data/arachni.gemspec +7 -7
data/components/checks/active/code_injection_timing.rb +3 -3
data/components/checks/active/csrf.rb +2 -2
data/components/checks/active/file_inclusion.rb +6 -7
data/components/checks/active/os_cmd_injection.rb +3 -3
data/components/checks/active/path_traversal.rb +7 -7
data/components/checks/active/response_splitting.rb +9 -4
data/components/checks/active/session_fixation.rb +7 -3
data/components/checks/active/source_code_disclosure.rb +5 -5
data/components/checks/active/unvalidated_redirect.rb +12 -3
data/components/checks/active/unvalidated_redirect_dom.rb +3 -3
data/components/checks/active/xss.rb +23 -10
data/components/checks/active/xss_dom_inputs.rb +113 -11
data/components/checks/active/xxe.rb +3 -3
data/components/checks/passive/backdoors.rb +6 -5
data/components/checks/passive/backup_directories.rb +6 -6
data/components/checks/passive/backup_files.rb +6 -6
data/components/checks/passive/common_admin_interfaces.rb +58 -0
data/components/checks/passive/common_admin_interfaces/admin-panels.txt +49 -0
data/components/checks/passive/common_directories/directories.txt +0 -16
data/components/checks/passive/common_files.rb +6 -5
data/components/checks/passive/common_files/filenames.txt +0 -2
data/components/checks/passive/directory_listing.rb +6 -6
data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +3 -3
data/components/checks/passive/grep/hsts.rb +6 -3
data/components/checks/passive/grep/http_only_cookies.rb +3 -3
data/components/checks/passive/grep/insecure_cookies.rb +2 -2
data/components/checks/passive/grep/insecure_cors_policy.rb +6 -4
data/components/checks/passive/grep/x_frame_options.rb +6 -4
data/components/checks/passive/htaccess_limit.rb +6 -2
data/components/checks/passive/http_put.rb +8 -4
data/components/checks/passive/interesting_responses.rb +3 -2
data/components/checks/passive/localstart_asp.rb +6 -2
data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +5 -1
data/components/checks/passive/xst.rb +6 -2
data/components/fingerprinters/frameworks/aspx_mvc.rb +43 -0
data/components/fingerprinters/frameworks/cakephp.rb +28 -0
data/components/fingerprinters/frameworks/cherrypy.rb +31 -0
data/components/fingerprinters/frameworks/django.rb +33 -0
data/components/fingerprinters/frameworks/jsf.rb +30 -0
data/components/fingerprinters/frameworks/rack.rb +5 -7
data/components/fingerprinters/frameworks/rails.rb +43 -0
data/components/fingerprinters/languages/aspx.rb +11 -11
data/components/fingerprinters/languages/{jsp.rb → java.rb} +11 -7
data/components/fingerprinters/languages/php.rb +6 -6
data/components/fingerprinters/languages/python.rb +14 -6
data/components/fingerprinters/languages/ruby.rb +3 -5
data/components/fingerprinters/servers/apache.rb +5 -4
data/components/fingerprinters/servers/gunicorn.rb +33 -0
data/components/fingerprinters/servers/jetty.rb +1 -1
data/components/fingerprinters/servers/tomcat.rb +11 -4
data/components/path_extractors/anchors.rb +5 -12
data/components/path_extractors/areas.rb +5 -13
data/components/path_extractors/comments.rb +5 -3
data/components/path_extractors/data_url.rb +21 -0
data/components/path_extractors/forms.rb +5 -13
data/components/path_extractors/frames.rb +6 -13
data/components/path_extractors/generic.rb +3 -12
data/components/path_extractors/links.rb +5 -13
data/components/path_extractors/meta_refresh.rb +5 -13
data/components/path_extractors/scripts.rb +8 -14
data/components/plugins/autologin.rb +17 -5
data/components/plugins/defaults/meta/remedies/discovery.rb +11 -29
data/components/plugins/login_script.rb +40 -10
data/components/plugins/metrics.rb +235 -0
data/components/plugins/proxy.rb +21 -4
data/components/plugins/proxy/panel/page_accordion.html.erb +34 -2
data/components/plugins/restrict_to_dom_state.rb +70 -0
data/components/plugins/vector_feed.rb +38 -9
data/components/reporters/plugin_formatters/html/metrics.rb +290 -0
data/components/reporters/plugin_formatters/stdout/metrics.rb +80 -0
data/components/reporters/plugin_formatters/xml/metrics.rb +29 -0
data/components/reporters/stdout.rb +4 -2
data/components/reporters/xml.rb +4 -4
data/components/reporters/xml/schema.xsd +95 -0
data/lib/arachni.rb +2 -0
data/lib/arachni/browser.rb +132 -77
data/lib/arachni/browser/javascript.rb +173 -45
data/lib/arachni/browser/javascript/scripts/dom_monitor.js +81 -6
data/lib/arachni/browser/javascript/scripts/taint_tracer.js +31 -3
data/lib/arachni/browser_cluster.rb +41 -15
data/lib/arachni/browser_cluster/job.rb +4 -0
data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +0 -9
data/lib/arachni/browser_cluster/worker.rb +8 -5
data/lib/arachni/check/auditor.rb +20 -8
data/lib/arachni/check/base.rb +38 -6
data/lib/arachni/element/base.rb +18 -1
data/lib/arachni/element/capabilities/analyzable/differential.rb +0 -1
data/lib/arachni/element/capabilities/analyzable/taint.rb +40 -10
data/lib/arachni/element/capabilities/analyzable/timeout.rb +27 -23
data/lib/arachni/element/capabilities/auditable/dom.rb +22 -0
data/lib/arachni/element/capabilities/inputtable.rb +6 -2
data/lib/arachni/element/capabilities/submittable.rb +1 -1
data/lib/arachni/element/cookie.rb +37 -23
data/lib/arachni/element/cookie/capabilities/mutable.rb +6 -6
data/lib/arachni/element/cookie/dom.rb +0 -8
data/lib/arachni/element/form.rb +28 -14
data/lib/arachni/element/form/capabilities/auditable.rb +2 -2
data/lib/arachni/element/form/capabilities/mutable.rb +5 -5
data/lib/arachni/element/form/dom.rb +0 -8
data/lib/arachni/element/generic_dom.rb +1 -1
data/lib/arachni/element/json.rb +2 -1
data/lib/arachni/element/json/capabilities/inputtable.rb +6 -6
data/lib/arachni/element/json/capabilities/mutable.rb +1 -1
data/lib/arachni/element/link.rb +13 -16
data/lib/arachni/element/link/dom.rb +1 -14
data/lib/arachni/element/link_template.rb +3 -2
data/lib/arachni/element/link_template/dom.rb +0 -16
data/lib/arachni/element/server.rb +51 -9
data/lib/arachni/element/xml.rb +1 -0
data/lib/arachni/ethon/easy.rb +4 -1
data/lib/arachni/framework/parts/audit.rb +26 -77
data/lib/arachni/framework/parts/browser.rb +50 -55
data/lib/arachni/framework/parts/check.rb +4 -3
data/lib/arachni/framework/parts/data.rb +41 -6
data/lib/arachni/framework/parts/state.rb +16 -7
data/lib/arachni/http/client.rb +66 -38
data/lib/arachni/http/client/dynamic_404_handler.rb +46 -14
data/lib/arachni/http/headers.rb +22 -10
data/lib/arachni/http/proxy_server.rb +67 -22
data/lib/arachni/http/proxy_server/ssl-interceptor-cacert.pem +34 -0
data/lib/arachni/http/proxy_server/ssl-interceptor-cakey.pem +51 -0
data/lib/arachni/http/request.rb +71 -18
data/lib/arachni/issue.rb +17 -3
data/lib/arachni/option_groups/browser_cluster.rb +34 -1
data/lib/arachni/option_groups/http.rb +1 -1
data/lib/arachni/page.rb +26 -13
data/lib/arachni/page/dom/transition.rb +2 -2
data/lib/arachni/parser.rb +28 -11
data/lib/arachni/platform/fingerprinter.rb +5 -0
data/lib/arachni/platform/manager.rb +65 -32
data/lib/arachni/plugin/base.rb +8 -0
data/lib/arachni/processes/instances.rb +25 -11
data/lib/arachni/reporter/manager.rb +2 -2
data/lib/arachni/rpc/client/instance.rb +4 -0
data/lib/arachni/rpc/server/framework/master.rb +3 -3
data/lib/arachni/rpc/server/framework/multi_instance.rb +0 -8
data/lib/arachni/rpc/server/instance.rb +2 -1
data/lib/arachni/ruby/array.rb +5 -0
data/lib/arachni/ruby/hash.rb +5 -0
data/lib/arachni/ruby/string.rb +2 -3
data/lib/arachni/session.rb +32 -6
data/lib/arachni/state/framework.rb +6 -2
data/lib/arachni/support/cache.rb +1 -0
data/lib/arachni/support/cache/base.rb +12 -8
data/lib/arachni/support/cache/least_recently_pushed.rb +29 -0
data/lib/arachni/support/cache/least_recently_used.rb +5 -8
data/lib/arachni/support/cache/preference.rb +1 -1
data/lib/arachni/support/cache/random_replacement.rb +1 -25
data/lib/arachni/support/database/queue.rb +21 -8
data/lib/arachni/support/lookup/base.rb +7 -1
data/lib/arachni/support/mixins/observable.rb +3 -1
data/lib/arachni/support/profiler.rb +51 -10
data/lib/arachni/support/signature.rb +11 -2
data/lib/arachni/trainer.rb +8 -2
data/lib/arachni/uri.rb +28 -25
data/lib/arachni/uri/scope.rb +1 -1
data/lib/arachni/utilities.rb +8 -0
data/lib/arachni/watir/element.rb +1 -1
data/lib/version +1 -1
data/spec/arachni/browser/javascript/dom_monitor_spec.rb +388 -53
data/spec/arachni/browser/javascript/taint_tracer_spec.rb +41 -0
data/spec/arachni/browser/javascript_spec.rb +235 -61
data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +0 -9
data/spec/arachni/browser_cluster_spec.rb +58 -10
data/spec/arachni/browser_spec.rb +170 -26
data/spec/arachni/check/auditor_spec.rb +22 -3
data/spec/arachni/check/base_spec.rb +84 -0
data/spec/arachni/element/body_spec.rb +1 -1
data/spec/arachni/element/capabilities/analyzable/taint_spec.rb +3 -3
data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +1 -1
data/spec/arachni/element/cookie/dom_spec.rb +0 -9
data/spec/arachni/element/cookie_spec.rb +85 -0
data/spec/arachni/element/form/dom_spec.rb +0 -9
data/spec/arachni/element/form_spec.rb +46 -3
data/spec/arachni/element/json_spec.rb +20 -0
data/spec/arachni/element/link/dom_spec.rb +0 -9
data/spec/arachni/element/link_spec.rb +40 -15
data/spec/arachni/element/link_template/dom_spec.rb +0 -8
data/spec/arachni/element/link_template_spec.rb +2 -6
data/spec/arachni/element/server_spec.rb +94 -8
data/spec/arachni/element/xml_spec.rb +20 -0
data/spec/arachni/framework/parts/audit_spec.rb +12 -14
data/spec/arachni/framework/parts/browser_spec.rb +0 -171
data/spec/arachni/framework/parts/platform_spec.rb +14 -8
data/spec/arachni/framework/parts/report_spec.rb +1 -1
data/spec/arachni/framework/parts/state_spec.rb +0 -9
data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +19 -0
data/spec/arachni/http/client_spec.rb +169 -42
data/spec/arachni/http/headers_spec.rb +18 -0
data/spec/arachni/http/request_spec.rb +23 -0
data/spec/arachni/issue_spec.rb +17 -6
data/spec/arachni/page_spec.rb +22 -2
data/spec/arachni/parser_spec.rb +5 -0
data/spec/arachni/platform/manager_spec.rb +57 -25
data/spec/arachni/reporter/manager_spec.rb +26 -0
data/spec/arachni/rpc/server/active_options_spec.rb +9 -4
data/spec/arachni/state/framework_spec.rb +2 -8
data/spec/arachni/support/cache/least_recently_pushed_spec.rb +90 -0
data/spec/arachni/support/cache/least_recently_used_spec.rb +5 -13
data/spec/arachni/support/database/queue_spec.rb +7 -0
data/spec/arachni/support/mixins/observable_spec.rb +15 -1
data/spec/arachni/trainer_spec.rb +2 -2
data/spec/components/checks/active/code_injection_timing_spec.rb +1 -1
data/spec/components/checks/active/file_inclusion_spec.rb +6 -6
data/spec/components/checks/active/path_traversal_spec.rb +2 -2
data/spec/components/checks/active/source_code_disclosure_spec.rb +2 -2
data/spec/components/checks/active/unvalidated_redirect_spec.rb +6 -6
data/spec/components/checks/active/xss_dom_inputs_spec.rb +3 -5
data/spec/components/checks/active/xss_dom_script_context_spec.rb +1 -1
data/spec/components/checks/active/xss_spec.rb +5 -5
data/spec/components/checks/passive/common_admin_interfaces_spec.rb +15 -0
data/spec/components/checks/passive/interesting_responses_spec.rb +14 -1
data/spec/components/fingerprinters/frameworks/aspx_mvc_spec.rb +31 -0
data/spec/components/fingerprinters/frameworks/cakephp_spec.rb +22 -0
data/spec/components/fingerprinters/frameworks/cherrypy_spec.rb +28 -0
data/spec/components/fingerprinters/frameworks/django_spec.rb +37 -0
data/spec/components/fingerprinters/frameworks/jsf_spec.rb +27 -0
data/spec/components/fingerprinters/frameworks/rack_spec.rb +11 -14
data/spec/components/fingerprinters/frameworks/rails_spec.rb +53 -0
data/spec/components/fingerprinters/languages/asp_spec.rb +7 -9
data/spec/components/fingerprinters/languages/aspx_spec.rb +10 -24
data/spec/components/fingerprinters/languages/java_spec.rb +88 -0
data/spec/components/fingerprinters/languages/php_spec.rb +19 -12
data/spec/components/fingerprinters/languages/python_spec.rb +22 -9
data/spec/components/fingerprinters/languages/ruby.rb +6 -4
data/spec/components/fingerprinters/os/bsd_spec.rb +6 -4
data/spec/components/fingerprinters/os/linux_spec.rb +6 -4
data/spec/components/fingerprinters/os/solaris_spec.rb +6 -4
data/spec/components/fingerprinters/os/unix_spec.rb +6 -4
data/spec/components/fingerprinters/os/windows_spec.rb +6 -4
data/spec/components/fingerprinters/servers/apache_spec.rb +15 -4
data/spec/components/fingerprinters/servers/gunicorn_spec.rb +28 -0
data/spec/components/fingerprinters/servers/iis_spec.rb +6 -6
data/spec/components/fingerprinters/servers/jetty_spec.rb +6 -6
data/spec/components/fingerprinters/servers/nginx_spec.rb +6 -4
data/spec/components/fingerprinters/servers/tomcat_spec.rb +15 -6
data/spec/components/path_extractors/data_url_spec.rb +19 -0
data/spec/components/plugins/autologin_spec.rb +23 -0
data/spec/components/plugins/login_script_spec.rb +112 -24
data/spec/components/plugins/restrict_to_dom_state_spec.rb +16 -0
data/spec/components/plugins/vector_feed_spec.rb +39 -1
data/spec/support/factories/page/dom.rb +9 -4
data/spec/support/factories/page/dom/transition.rb +31 -9
data/spec/support/factories/scan_report.rb +8 -6
data/spec/support/fixtures/empty/placeholder +0 -0
data/spec/support/fixtures/report.afr +0 -0
data/spec/support/fixtures/reporters/manager_spec/error.rb +18 -0
data/spec/support/servers/arachni/browser.rb +117 -11
data/spec/support/servers/arachni/browser/javascript/dom_monitor.rb +148 -4
data/spec/support/servers/arachni/check/auditor.rb +4 -0
data/spec/support/servers/arachni/element/cookie/cookie_dom.rb +1 -1
data/spec/support/servers/arachni/http/client.rb +5 -0
data/spec/support/servers/arachni/http/client/dynamic_404_handler.rb +13 -0
data/spec/support/servers/checks/active/code_injection_timing.rb +1 -1
data/spec/support/servers/checks/active/file_inclusion.rb +2 -2
data/spec/support/servers/checks/active/path_traversal.rb +2 -2
data/spec/support/servers/checks/active/source_code_disclosure.rb +40 -33
data/spec/support/servers/checks/active/trainer_check.rb +9 -10
data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +7 -4
data/spec/support/servers/checks/active/xss.rb +35 -0
data/spec/support/servers/checks/active/xss_dom.rb +1 -1
data/spec/support/servers/checks/active/xss_dom_inputs.rb +24 -0
data/spec/support/servers/checks/active/xss_dom_script_context.rb +1 -1
data/spec/support/servers/checks/passive/common_admin_interfaces.rb +6 -0
data/spec/support/servers/plugins/autologin.rb +9 -0
data/spec/support/servers/plugins/restrict_to_dom_state.rb +4 -0
data/spec/support/shared/element/base.rb +42 -0
data/spec/support/shared/element/capabilities/auditable.rb +4 -4
data/spec/support/shared/element/capabilities/auditable/dom.rb +26 -0
data/spec/support/shared/element/capabilities/inputtable.rb +16 -11
data/spec/support/shared/element/capabilities/submitable.rb +7 -2
data/spec/support/shared/fingerprinter.rb +8 -0
data/spec/support/shared/path_extractor.rb +1 -1
data/ui/cli/framework.rb +3 -3
data/ui/cli/framework/option_parser.rb +9 -0
data/ui/cli/output.rb +9 -0
data/ui/cli/reporter.rb +5 -2
data/ui/cli/utilities.rb +4 -2
metadata +76 -17
data/lib/arachni/http/proxy_server/ssl-interceptor-cert.pem +0 -34
data/lib/arachni/http/proxy_server/ssl-interceptor-pkey.pem +0 -51
data/spec/components/fingerprinters/languages/jsp_spec.rb +0 -56

data/components/checks/active/unvalidated_redirect.rb CHANGED

@@ -12,7 +12,7 @@
 # header field to determine whether the attack was successful.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.2.2
+# @version 0.2.3
 #
 # @see https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
 class Arachni::Checks::UnvalidatedRedirect < Arachni::Check::Base
@@ -32,8 +32,17 @@ class Arachni::Checks::UnvalidatedRedirect < Arachni::Check::Base
         self.class.payload? url
     end
+    def self.options
+        @options ||= {
+            format: [ Format::STRAIGHT ],
+            submit: {
+                follow_location: false
+            }
+        }
+    end
     def run
-        audit( self.class.payloads, submit: { follow_location: false } ) do |response, element|
+        audit( self.class.payloads, self.class.options ) do |response, element|
             # If this was a sample/default value submission ignore it, we only
             # care about our payloads.
             next if !payload? element.seed
@@ -68,7 +77,7 @@ URL to determine whether the attack was successful.
 },
             elements:    ELEMENTS_WITH_INPUTS - [Element::LinkTemplate],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.2.2',
+            version:     '0.2.3',
             issue:       {
                 name:            %q{Unvalidated redirect},

data/components/checks/active/unvalidated_redirect_dom.rb CHANGED

@@ -9,7 +9,7 @@
 # Unvalidated redirect DOM check.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.1
+# @version 0.1.1
 #
 # @see https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
 class Arachni::Checks::UnvalidatedRedirectDOM < Arachni::Check::Base
@@ -56,7 +56,7 @@ Injects URLs and checks the browser URL to determine whether the attack was succ
 },
             elements:    DOM_ELEMENTS_WITH_INPUTS - [Element::LinkTemplate::DOM],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.1',
+            version:     '0.1.1',
             issue:       {
                 name:            %q{Unvalidated DOM redirect},
@@ -81,7 +81,7 @@ to redirecting the client to the injected value.
                 },
                 tags:            %w(unvalidated redirect dom injection),
                 cwe:             819,
-                severity:        Severity::MEDIUM,
+                severity:        Severity::HIGH,
                 remedy_guidance: %q{
 The application should ensure that the supplied value for a redirect is permitted.
 This can be achieved by performing whitelisting on the parameter value.

data/components/checks/active/xss.rb CHANGED

@@ -13,7 +13,7 @@
 # {BrowserCluster} for evaluation and {#trace_taint taint-tracing}.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.4.1
+# @version 0.4.4
 #
 # @see http://cwe.mitre.org/data/definitions/79.html
 # @see http://ha.ckers.org/xss.html
@@ -36,9 +36,9 @@ class Arachni::Checks::Xss < Arachni::Check::Base
             # Go for an error.
             "()\"&%1'-;#{tag}'",
-            # Break out of HTML comments.
-            "-->#{tag}<!--"
-        ]
+            # Break out of HTML comments and text areas.
+            "</textarea>-->#{tag}<!--<textarea>"
+        ].map{ |p| [p, Form.encode( p ) ]}.flatten.uniq
     end
     def self.options
@@ -67,6 +67,9 @@ class Arachni::Checks::Xss < Arachni::Check::Base
             return
         end
+        # No idea what was returned, but we can't work with it.
+        return if !response.to_page.has_script?
         with_browser_cluster do
             print_info 'Progressing to deferred browser evaluation of response.'
@@ -82,9 +85,19 @@ class Arachni::Checks::Xss < Arachni::Check::Base
     end
     def find_proof( resource )
-        proof = Nokogiri::HTML( resource.body ).css( self.class.tag_name )
-        return if proof.empty?
-        proof.to_s
+        proof_nodes = Nokogiri::HTML( resource.body ).css( self.class.tag_name )
+        return if proof_nodes.empty?
+        proof = nil
+        proof_nodes.each do |e|
+            # Text-areas have TEXT not nodes Nokogiri!
+            next if e.parent.name =='textarea'
+            proof = e.to_s
+        end
+        return if !proof
+        proof
     end
     def self.info
@@ -97,7 +110,7 @@ tainted responses to look for proof of vulnerability.
             elements:    [Element::Form, Element::Link, Element::Cookie,
                           Element::Header, Element::LinkTemplate],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
-            version:     '0.4.1',
+            version:     '0.4.4',
             issue:       {
                 name:            %q{Cross-Site Scripting (XSS)},
@@ -121,8 +134,8 @@ HTML element content.
                 references:  {
                     'ha.ckers' => 'http://ha.ckers.org/xss.html',
                     'Secunia'  => 'http://secunia.com/advisories/9716/',
-                    'WASC' => 'http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting',
-                    'OWASP' => 'https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet'
+                    'WASC'     => 'http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting',
+                    'OWASP'    => 'https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet'
                 },
                 tags:            %w(xss regexp injection script),
                 cwe:             79,

data/components/checks/active/xss_dom_inputs.rb CHANGED

@@ -7,7 +7,7 @@
 =end
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.1.1
+# @version 0.2
 class Arachni::Checks::XssDomInputs < Arachni::Check::Base
     INPUTS = Set.new([:input, :textarea])
@@ -23,38 +23,132 @@ class Arachni::Checks::XssDomInputs < Arachni::Check::Base
     end
     def run
-        # If the page doesn't contain any supported inputs don't bother.
-        return if !page.document ||
-            !INPUTS.find { |type| page.document.css( type.to_s ).any? }
+        return if !page.document
+        # Everything past this point requires inputs to be present.
+        return if !page.has_elements?( INPUTS.to_a )
+        # Fill in inputs and trigger their associated events.
+        trigger_inputs
+        return if !page.has_elements?( :button )
+        # Fill in inputs and hit buttons.
+        trigger_buttons
+    end
+    def trigger_inputs
         with_browser do |browser|
             browser.load( page ).each_element_with_events do |locator, events|
-                next if !INPUTS.include? locator.tag_name
-                events.each do |event, _|
+                locator_id = "#{page.url}:#{locator.css}"
+                next if !INPUTS.include?( locator.tag_name ) || audited?( locator_id )
+                audited locator_id
+                filter_events( locator.tag_name, events ).each do |event, _|
+                    print_status "Scheduling '#{event}' on '#{locator}'"
                     # Instead of working with the same browser we do it this way
                     # in order to distribute the workload via the browser cluster.
                     with_browser do |b|
-                        b.javascript.taint = self.tag
+                        print_status "Triggering '#{event}' on '#{locator}'"
+                        b.javascript.taint = self.tag_name
                         b.load page
                         transition = b.fire_event( locator, event, value: self.tag )
-                        next if !transition
+                        if !transition
+                            print_bad "Could not '#{event}' on '#{locator}'"
+                            next
+                        end
                         # Page may be out of scope, some sort of JS redirection.
-                        next if !(p = b.to_page)
+                        if !(p = b.to_page)
+                            print_bad "Could not capture page snapshot after '#{event}' on '#{locator}'"
+                        end
                         p.dom.transitions << transition
-                        check_and_log p
+                        check_and_log( p )
+                        print_status "Finished '#{event}' on '#{locator}'"
+                    end
+                end
+            end
+        end
+    end
+    def trigger_buttons
+        with_browser do |browser|
+            browser.load( page ).each_element_with_events do |locator, events|
+                locator_id = "#{page.url}:#{locator.css}"
+                next if locator.tag_name != :button || audited?( locator_id )
+                audited locator_id
+                events.each do |event, _|
+                    print_status "Scheduling '#{event}' on '#{locator}' after filling in inputs"
+                    with_browser do |b|
+                        print_status "Triggering '#{event}' on '#{locator}' after filling in inputs"
+                        b.javascript.taint = self.tag_name
+                        b.load page
+                        transitions = fill_in_inputs( b )
+                        if transitions.empty?
+                            print_bad "Could not fill in any inputs for '#{event}' on '#{locator}'"
+                            next
+                        end
+                        transition = b.fire_event( locator, event )
+                        if !transition
+                            print_bad "Could not '#{event}' on '#{locator}'"
+                            next
+                        end
+                        transitions << transition
+                        # Page may be out of scope, some sort of JS redirection.
+                        if !(p = b.to_page)
+                            print_bad "Could not capture page snapshot after '#{event}' on '#{locator}'"
+                        end
+                        transitions.each do |t|
+                            p.dom.transitions << t
+                        end
+                        check_and_log( p )
+                        print_status "Finished '#{event}' on '#{locator}' after filling in inputs"
                     end
                 end
             end
         end
     end
+    def fill_in_inputs( browser )
+        transitions = []
+        INPUTS.each do |tag|
+            browser.watir.send("#{tag}s").each do |locator|
+                print_status "Filling in '#{locator.opening_tag}'"
+                transitions << fill_in_input( browser, locator )
+            end
+        end
+        transitions.compact
+    end
+    def fill_in_input( browser, locator )
+        browser.fire_event( locator, :input, value: self.tag )
+    end
     def check_and_log( page )
         return if !(proof = find_proof( page ))
         log(
             vector: Element::GenericDOM.new(
                 url:        page.url,
@@ -66,11 +160,19 @@ class Arachni::Checks::XssDomInputs < Arachni::Check::Base
     end
     def find_proof( page )
+        return if !page.has_elements?( self.tag_name )
         proof = page.document.css( self.tag_name )
         return if proof.empty?
         proof.to_s
     end
+    def filter_events( element, events )
+        supported = Set.new( Arachni::Browser::Javascript.events_for( element ) )
+        events.reject { |name, _| !supported.include? ('on' + name.to_s.gsub( /^on/, '' )).to_sym }
+    end
     def self.info
         {
             name:        'DOM XSS via input field',
@@ -79,7 +181,7 @@ Injects an HTML element into page text fields, triggers their associated events
 and inspects the DOM for proof of vulnerability.
 },
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.1.1',
+            version:     '0.2',
             elements:    [Element::GenericDOM],
             issue:       {

data/components/checks/active/xxe.rb CHANGED

@@ -7,7 +7,7 @@
 =end
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.1
+# @version 0.1.1
 class Arachni::Checks::Xxe < Arachni::Check::Base
     ENTITY = 'xxe_entity'
@@ -18,7 +18,7 @@ class Arachni::Checks::Xxe < Arachni::Check::Base
             regexp: {
                 unix: [
                     /DOCUMENT_ROOT.*HTTP_USER_AGENT/,
-                    /(root|mail):.+:\d+:\d+:.+:[0-9a-zA-Z\/]+/im
+                    /:.+:\d+:\d+:.+:[0-9a-zA-Z\/]+/im
                 ],
                 windows: [
                     /\[boot loader\].*\[operating systems\]/im,
@@ -74,7 +74,7 @@ processed based on the resulting HTTP response.
 },
             elements:    [Element::XML],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.1',
+            version:     '0.1.1',
             platforms:   options[:regexp].keys,
             issue:       {

data/components/checks/passive/backdoors.rb CHANGED

@@ -25,11 +25,12 @@ class Arachni::Checks::Backdoors < Arachni::Check::Base
     def self.info
         {
-            name:        'Backdoors',
-            description: %q{Tries to find common backdoors on the server.},
-            elements:    [Element::Server],
-            author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
-            version:     '0.2.3',
+            name:             'Backdoors',
+            description:      %q{Tries to find common backdoors on the server.},
+            elements:         [Element::Server],
+            author:           'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
+            version:          '0.2.4',
+            exempt_platforms: [ :ruby, :aspx_mvc, :django, :cakephp ],
             issue:       {
                 name:            %q{A backdoor file exists on the server},

data/components/checks/passive/backup_directories.rb CHANGED

@@ -7,7 +7,6 @@
 =end
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.1
 class Arachni::Checks::BackupDirectories < Arachni::Check::Base
     def self.formats
@@ -35,11 +34,12 @@ class Arachni::Checks::BackupDirectories < Arachni::Check::Base
     def self.info
         {
-            name:        'Backup directories',
-            description: %q{Tries to find backed-up directories.},
-            elements:    [ Element::Server ],
-            author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
-            version:     '0.1',
+            name:             'Backup directories',
+            description:      %q{Tries to find backed-up directories.},
+            elements:         [ Element::Server ],
+            author:           'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
+            version:          '0.1.1',
+            exempt_platforms: Arachni::Platform::Manager::FRAMEWORKS,
             issue:       {
                 name:            %q{Backup directory},

data/components/checks/passive/backup_files.rb CHANGED

@@ -9,7 +9,6 @@
 # Backup file discovery check.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.3
 class Arachni::Checks::BackupFiles < Arachni::Check::Base
     def self.formats
@@ -47,11 +46,12 @@ class Arachni::Checks::BackupFiles < Arachni::Check::Base
     def self.info
         {
-            name:        'Backup files',
-            description: %q{Tries to identify backup files.},
-            elements:    [ Element::Server ],
-            author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
-            version:     '0.3',
+            name:             'Backup files',
+            description:      %q{Tries to identify backup files.},
+            elements:         [ Element::Server ],
+            author:           'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
+            version:          '0.3.1',
+            exempt_platforms: Arachni::Platform::Manager::FRAMEWORKS,
             issue:       {
                 name:            %q{Backup file},

data/components/checks/passive/common_admin_interfaces.rb ADDED

@@ -0,0 +1,58 @@
+=begin
+    Copyright 2010-2015 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    This file is part of the Arachni Framework project and is subject to
+    redistribution and commercial restrictions. Please see the Arachni Framework
+    web site for more information on licensing and terms of use.
+=end
+# Looks for common administration interfaces on the server.
+#
+# @author Brendan Coles <bcoles@gmail.com>
+# @author Tasos Laskos <tasos.laskos@arachni-scanner.com>
+# @version 0.1
+class Arachni::Checks::CommonAdminInterfaces < Arachni::Check::Base
+    def self.resources
+        @filenames ||= read_file( 'admin-panels.txt' )
+    end
+    def run
+        path = get_path( page.url )
+        return if audited?( path )
+        self.class.resources.each do |file|
+            log_remote_file_if_exists( path + file )
+        end
+        audited( path )
+    end
+    def self.info
+        {
+            name:        'Common administration interfaces',
+            description: %q{Tries to find common admin interfaces on the server.},
+            elements:    [ Element::Server ],
+            author:      [
+                'Brendan Coles <bcoles@gmail.com>',
+                'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>'
+            ],
+            version:     '0.1',
+            targets:     %w(Generic),
+            references: {
+                'Apache.org' => 'http://httpd.apache.org/docs/2.0/mod/mod_access.html',
+                'WASC'       => 'http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location'
+            },
+            issue: {
+                name:            %q{Common administration interface},
+                description:     %q{An administration interface was identified and should be reviewed.},
+                tags:            %w(common path file discovery),
+                severity:        Severity::LOW,
+                remedy_guidance: %q{
+Access to administration interfaces should be restricted to trusted IP addresses only.
+}
+            }
+        }
+    end
+end