RubyGems - arachni - Versions diffs - 1.1 → 1.2 - Mend

arachni 1.1 → 1.2

Files changed (287) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +159 -0
data/LICENSE.md +126 -196
data/README.md +32 -24
data/arachni.gemspec +7 -7
data/components/checks/active/code_injection_timing.rb +3 -3
data/components/checks/active/csrf.rb +2 -2
data/components/checks/active/file_inclusion.rb +6 -7
data/components/checks/active/os_cmd_injection.rb +3 -3
data/components/checks/active/path_traversal.rb +7 -7
data/components/checks/active/response_splitting.rb +9 -4
data/components/checks/active/session_fixation.rb +7 -3
data/components/checks/active/source_code_disclosure.rb +5 -5
data/components/checks/active/unvalidated_redirect.rb +12 -3
data/components/checks/active/unvalidated_redirect_dom.rb +3 -3
data/components/checks/active/xss.rb +23 -10
data/components/checks/active/xss_dom_inputs.rb +113 -11
data/components/checks/active/xxe.rb +3 -3
data/components/checks/passive/backdoors.rb +6 -5
data/components/checks/passive/backup_directories.rb +6 -6
data/components/checks/passive/backup_files.rb +6 -6
data/components/checks/passive/common_admin_interfaces.rb +58 -0
data/components/checks/passive/common_admin_interfaces/admin-panels.txt +49 -0
data/components/checks/passive/common_directories/directories.txt +0 -16
data/components/checks/passive/common_files.rb +6 -5
data/components/checks/passive/common_files/filenames.txt +0 -2
data/components/checks/passive/directory_listing.rb +6 -6
data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +3 -3
data/components/checks/passive/grep/hsts.rb +6 -3
data/components/checks/passive/grep/http_only_cookies.rb +3 -3
data/components/checks/passive/grep/insecure_cookies.rb +2 -2
data/components/checks/passive/grep/insecure_cors_policy.rb +6 -4
data/components/checks/passive/grep/x_frame_options.rb +6 -4
data/components/checks/passive/htaccess_limit.rb +6 -2
data/components/checks/passive/http_put.rb +8 -4
data/components/checks/passive/interesting_responses.rb +3 -2
data/components/checks/passive/localstart_asp.rb +6 -2
data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +5 -1
data/components/checks/passive/xst.rb +6 -2
data/components/fingerprinters/frameworks/aspx_mvc.rb +43 -0
data/components/fingerprinters/frameworks/cakephp.rb +28 -0
data/components/fingerprinters/frameworks/cherrypy.rb +31 -0
data/components/fingerprinters/frameworks/django.rb +33 -0
data/components/fingerprinters/frameworks/jsf.rb +30 -0
data/components/fingerprinters/frameworks/rack.rb +5 -7
data/components/fingerprinters/frameworks/rails.rb +43 -0
data/components/fingerprinters/languages/aspx.rb +11 -11
data/components/fingerprinters/languages/{jsp.rb → java.rb} +11 -7
data/components/fingerprinters/languages/php.rb +6 -6
data/components/fingerprinters/languages/python.rb +14 -6
data/components/fingerprinters/languages/ruby.rb +3 -5
data/components/fingerprinters/servers/apache.rb +5 -4
data/components/fingerprinters/servers/gunicorn.rb +33 -0
data/components/fingerprinters/servers/jetty.rb +1 -1
data/components/fingerprinters/servers/tomcat.rb +11 -4
data/components/path_extractors/anchors.rb +5 -12
data/components/path_extractors/areas.rb +5 -13
data/components/path_extractors/comments.rb +5 -3
data/components/path_extractors/data_url.rb +21 -0
data/components/path_extractors/forms.rb +5 -13
data/components/path_extractors/frames.rb +6 -13
data/components/path_extractors/generic.rb +3 -12
data/components/path_extractors/links.rb +5 -13
data/components/path_extractors/meta_refresh.rb +5 -13
data/components/path_extractors/scripts.rb +8 -14
data/components/plugins/autologin.rb +17 -5
data/components/plugins/defaults/meta/remedies/discovery.rb +11 -29
data/components/plugins/login_script.rb +40 -10
data/components/plugins/metrics.rb +235 -0
data/components/plugins/proxy.rb +21 -4
data/components/plugins/proxy/panel/page_accordion.html.erb +34 -2
data/components/plugins/restrict_to_dom_state.rb +70 -0
data/components/plugins/vector_feed.rb +38 -9
data/components/reporters/plugin_formatters/html/metrics.rb +290 -0
data/components/reporters/plugin_formatters/stdout/metrics.rb +80 -0
data/components/reporters/plugin_formatters/xml/metrics.rb +29 -0
data/components/reporters/stdout.rb +4 -2
data/components/reporters/xml.rb +4 -4
data/components/reporters/xml/schema.xsd +95 -0
data/lib/arachni.rb +2 -0
data/lib/arachni/browser.rb +132 -77
data/lib/arachni/browser/javascript.rb +173 -45
data/lib/arachni/browser/javascript/scripts/dom_monitor.js +81 -6
data/lib/arachni/browser/javascript/scripts/taint_tracer.js +31 -3
data/lib/arachni/browser_cluster.rb +41 -15
data/lib/arachni/browser_cluster/job.rb +4 -0
data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +0 -9
data/lib/arachni/browser_cluster/worker.rb +8 -5
data/lib/arachni/check/auditor.rb +20 -8
data/lib/arachni/check/base.rb +38 -6
data/lib/arachni/element/base.rb +18 -1
data/lib/arachni/element/capabilities/analyzable/differential.rb +0 -1
data/lib/arachni/element/capabilities/analyzable/taint.rb +40 -10
data/lib/arachni/element/capabilities/analyzable/timeout.rb +27 -23
data/lib/arachni/element/capabilities/auditable/dom.rb +22 -0
data/lib/arachni/element/capabilities/inputtable.rb +6 -2
data/lib/arachni/element/capabilities/submittable.rb +1 -1
data/lib/arachni/element/cookie.rb +37 -23
data/lib/arachni/element/cookie/capabilities/mutable.rb +6 -6
data/lib/arachni/element/cookie/dom.rb +0 -8
data/lib/arachni/element/form.rb +28 -14
data/lib/arachni/element/form/capabilities/auditable.rb +2 -2
data/lib/arachni/element/form/capabilities/mutable.rb +5 -5
data/lib/arachni/element/form/dom.rb +0 -8
data/lib/arachni/element/generic_dom.rb +1 -1
data/lib/arachni/element/json.rb +2 -1
data/lib/arachni/element/json/capabilities/inputtable.rb +6 -6
data/lib/arachni/element/json/capabilities/mutable.rb +1 -1
data/lib/arachni/element/link.rb +13 -16
data/lib/arachni/element/link/dom.rb +1 -14
data/lib/arachni/element/link_template.rb +3 -2
data/lib/arachni/element/link_template/dom.rb +0 -16
data/lib/arachni/element/server.rb +51 -9
data/lib/arachni/element/xml.rb +1 -0
data/lib/arachni/ethon/easy.rb +4 -1
data/lib/arachni/framework/parts/audit.rb +26 -77
data/lib/arachni/framework/parts/browser.rb +50 -55
data/lib/arachni/framework/parts/check.rb +4 -3
data/lib/arachni/framework/parts/data.rb +41 -6
data/lib/arachni/framework/parts/state.rb +16 -7
data/lib/arachni/http/client.rb +66 -38
data/lib/arachni/http/client/dynamic_404_handler.rb +46 -14
data/lib/arachni/http/headers.rb +22 -10
data/lib/arachni/http/proxy_server.rb +67 -22
data/lib/arachni/http/proxy_server/ssl-interceptor-cacert.pem +34 -0
data/lib/arachni/http/proxy_server/ssl-interceptor-cakey.pem +51 -0
data/lib/arachni/http/request.rb +71 -18
data/lib/arachni/issue.rb +17 -3
data/lib/arachni/option_groups/browser_cluster.rb +34 -1
data/lib/arachni/option_groups/http.rb +1 -1
data/lib/arachni/page.rb +26 -13
data/lib/arachni/page/dom/transition.rb +2 -2
data/lib/arachni/parser.rb +28 -11
data/lib/arachni/platform/fingerprinter.rb +5 -0
data/lib/arachni/platform/manager.rb +65 -32
data/lib/arachni/plugin/base.rb +8 -0
data/lib/arachni/processes/instances.rb +25 -11
data/lib/arachni/reporter/manager.rb +2 -2
data/lib/arachni/rpc/client/instance.rb +4 -0
data/lib/arachni/rpc/server/framework/master.rb +3 -3
data/lib/arachni/rpc/server/framework/multi_instance.rb +0 -8
data/lib/arachni/rpc/server/instance.rb +2 -1
data/lib/arachni/ruby/array.rb +5 -0
data/lib/arachni/ruby/hash.rb +5 -0
data/lib/arachni/ruby/string.rb +2 -3
data/lib/arachni/session.rb +32 -6
data/lib/arachni/state/framework.rb +6 -2
data/lib/arachni/support/cache.rb +1 -0
data/lib/arachni/support/cache/base.rb +12 -8
data/lib/arachni/support/cache/least_recently_pushed.rb +29 -0
data/lib/arachni/support/cache/least_recently_used.rb +5 -8
data/lib/arachni/support/cache/preference.rb +1 -1
data/lib/arachni/support/cache/random_replacement.rb +1 -25
data/lib/arachni/support/database/queue.rb +21 -8
data/lib/arachni/support/lookup/base.rb +7 -1
data/lib/arachni/support/mixins/observable.rb +3 -1
data/lib/arachni/support/profiler.rb +51 -10
data/lib/arachni/support/signature.rb +11 -2
data/lib/arachni/trainer.rb +8 -2
data/lib/arachni/uri.rb +28 -25
data/lib/arachni/uri/scope.rb +1 -1
data/lib/arachni/utilities.rb +8 -0
data/lib/arachni/watir/element.rb +1 -1
data/lib/version +1 -1
data/spec/arachni/browser/javascript/dom_monitor_spec.rb +388 -53
data/spec/arachni/browser/javascript/taint_tracer_spec.rb +41 -0
data/spec/arachni/browser/javascript_spec.rb +235 -61
data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +0 -9
data/spec/arachni/browser_cluster_spec.rb +58 -10
data/spec/arachni/browser_spec.rb +170 -26
data/spec/arachni/check/auditor_spec.rb +22 -3
data/spec/arachni/check/base_spec.rb +84 -0
data/spec/arachni/element/body_spec.rb +1 -1
data/spec/arachni/element/capabilities/analyzable/taint_spec.rb +3 -3
data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +1 -1
data/spec/arachni/element/cookie/dom_spec.rb +0 -9
data/spec/arachni/element/cookie_spec.rb +85 -0
data/spec/arachni/element/form/dom_spec.rb +0 -9
data/spec/arachni/element/form_spec.rb +46 -3
data/spec/arachni/element/json_spec.rb +20 -0
data/spec/arachni/element/link/dom_spec.rb +0 -9
data/spec/arachni/element/link_spec.rb +40 -15
data/spec/arachni/element/link_template/dom_spec.rb +0 -8
data/spec/arachni/element/link_template_spec.rb +2 -6
data/spec/arachni/element/server_spec.rb +94 -8
data/spec/arachni/element/xml_spec.rb +20 -0
data/spec/arachni/framework/parts/audit_spec.rb +12 -14
data/spec/arachni/framework/parts/browser_spec.rb +0 -171
data/spec/arachni/framework/parts/platform_spec.rb +14 -8
data/spec/arachni/framework/parts/report_spec.rb +1 -1
data/spec/arachni/framework/parts/state_spec.rb +0 -9
data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +19 -0
data/spec/arachni/http/client_spec.rb +169 -42
data/spec/arachni/http/headers_spec.rb +18 -0
data/spec/arachni/http/request_spec.rb +23 -0
data/spec/arachni/issue_spec.rb +17 -6
data/spec/arachni/page_spec.rb +22 -2
data/spec/arachni/parser_spec.rb +5 -0
data/spec/arachni/platform/manager_spec.rb +57 -25
data/spec/arachni/reporter/manager_spec.rb +26 -0
data/spec/arachni/rpc/server/active_options_spec.rb +9 -4
data/spec/arachni/state/framework_spec.rb +2 -8
data/spec/arachni/support/cache/least_recently_pushed_spec.rb +90 -0
data/spec/arachni/support/cache/least_recently_used_spec.rb +5 -13
data/spec/arachni/support/database/queue_spec.rb +7 -0
data/spec/arachni/support/mixins/observable_spec.rb +15 -1
data/spec/arachni/trainer_spec.rb +2 -2
data/spec/components/checks/active/code_injection_timing_spec.rb +1 -1
data/spec/components/checks/active/file_inclusion_spec.rb +6 -6
data/spec/components/checks/active/path_traversal_spec.rb +2 -2
data/spec/components/checks/active/source_code_disclosure_spec.rb +2 -2
data/spec/components/checks/active/unvalidated_redirect_spec.rb +6 -6
data/spec/components/checks/active/xss_dom_inputs_spec.rb +3 -5
data/spec/components/checks/active/xss_dom_script_context_spec.rb +1 -1
data/spec/components/checks/active/xss_spec.rb +5 -5
data/spec/components/checks/passive/common_admin_interfaces_spec.rb +15 -0
data/spec/components/checks/passive/interesting_responses_spec.rb +14 -1
data/spec/components/fingerprinters/frameworks/aspx_mvc_spec.rb +31 -0
data/spec/components/fingerprinters/frameworks/cakephp_spec.rb +22 -0
data/spec/components/fingerprinters/frameworks/cherrypy_spec.rb +28 -0
data/spec/components/fingerprinters/frameworks/django_spec.rb +37 -0
data/spec/components/fingerprinters/frameworks/jsf_spec.rb +27 -0
data/spec/components/fingerprinters/frameworks/rack_spec.rb +11 -14
data/spec/components/fingerprinters/frameworks/rails_spec.rb +53 -0
data/spec/components/fingerprinters/languages/asp_spec.rb +7 -9
data/spec/components/fingerprinters/languages/aspx_spec.rb +10 -24
data/spec/components/fingerprinters/languages/java_spec.rb +88 -0
data/spec/components/fingerprinters/languages/php_spec.rb +19 -12
data/spec/components/fingerprinters/languages/python_spec.rb +22 -9
data/spec/components/fingerprinters/languages/ruby.rb +6 -4
data/spec/components/fingerprinters/os/bsd_spec.rb +6 -4
data/spec/components/fingerprinters/os/linux_spec.rb +6 -4
data/spec/components/fingerprinters/os/solaris_spec.rb +6 -4
data/spec/components/fingerprinters/os/unix_spec.rb +6 -4
data/spec/components/fingerprinters/os/windows_spec.rb +6 -4
data/spec/components/fingerprinters/servers/apache_spec.rb +15 -4
data/spec/components/fingerprinters/servers/gunicorn_spec.rb +28 -0
data/spec/components/fingerprinters/servers/iis_spec.rb +6 -6
data/spec/components/fingerprinters/servers/jetty_spec.rb +6 -6
data/spec/components/fingerprinters/servers/nginx_spec.rb +6 -4
data/spec/components/fingerprinters/servers/tomcat_spec.rb +15 -6
data/spec/components/path_extractors/data_url_spec.rb +19 -0
data/spec/components/plugins/autologin_spec.rb +23 -0
data/spec/components/plugins/login_script_spec.rb +112 -24
data/spec/components/plugins/restrict_to_dom_state_spec.rb +16 -0
data/spec/components/plugins/vector_feed_spec.rb +39 -1
data/spec/support/factories/page/dom.rb +9 -4
data/spec/support/factories/page/dom/transition.rb +31 -9
data/spec/support/factories/scan_report.rb +8 -6
data/spec/support/fixtures/empty/placeholder +0 -0
data/spec/support/fixtures/report.afr +0 -0
data/spec/support/fixtures/reporters/manager_spec/error.rb +18 -0
data/spec/support/servers/arachni/browser.rb +117 -11
data/spec/support/servers/arachni/browser/javascript/dom_monitor.rb +148 -4
data/spec/support/servers/arachni/check/auditor.rb +4 -0
data/spec/support/servers/arachni/element/cookie/cookie_dom.rb +1 -1
data/spec/support/servers/arachni/http/client.rb +5 -0
data/spec/support/servers/arachni/http/client/dynamic_404_handler.rb +13 -0
data/spec/support/servers/checks/active/code_injection_timing.rb +1 -1
data/spec/support/servers/checks/active/file_inclusion.rb +2 -2
data/spec/support/servers/checks/active/path_traversal.rb +2 -2
data/spec/support/servers/checks/active/source_code_disclosure.rb +40 -33
data/spec/support/servers/checks/active/trainer_check.rb +9 -10
data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +7 -4
data/spec/support/servers/checks/active/xss.rb +35 -0
data/spec/support/servers/checks/active/xss_dom.rb +1 -1
data/spec/support/servers/checks/active/xss_dom_inputs.rb +24 -0
data/spec/support/servers/checks/active/xss_dom_script_context.rb +1 -1
data/spec/support/servers/checks/passive/common_admin_interfaces.rb +6 -0
data/spec/support/servers/plugins/autologin.rb +9 -0
data/spec/support/servers/plugins/restrict_to_dom_state.rb +4 -0
data/spec/support/shared/element/base.rb +42 -0
data/spec/support/shared/element/capabilities/auditable.rb +4 -4
data/spec/support/shared/element/capabilities/auditable/dom.rb +26 -0
data/spec/support/shared/element/capabilities/inputtable.rb +16 -11
data/spec/support/shared/element/capabilities/submitable.rb +7 -2
data/spec/support/shared/fingerprinter.rb +8 -0
data/spec/support/shared/path_extractor.rb +1 -1
data/ui/cli/framework.rb +3 -3
data/ui/cli/framework/option_parser.rb +9 -0
data/ui/cli/output.rb +9 -0
data/ui/cli/reporter.rb +5 -2
data/ui/cli/utilities.rb +4 -2
metadata +76 -17
data/lib/arachni/http/proxy_server/ssl-interceptor-cert.pem +0 -34
data/lib/arachni/http/proxy_server/ssl-interceptor-pkey.pem +0 -51
data/spec/components/fingerprinters/languages/jsp_spec.rb +0 -56

data/components/checks/active/unvalidated_redirect.rb CHANGED

@@ -12,7 +12,7 @@
 # header field to determine whether the attack was successful.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.2.2
+# @version 0.2.3
 #
 # @see https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
 class Arachni::Checks::UnvalidatedRedirect < Arachni::Check::Base
@@ -32,8 +32,17 @@ class Arachni::Checks::UnvalidatedRedirect < Arachni::Check::Base
         self.class.payload? url
     end
+    def self.options
+        @options ||= {
+            format: [ Format::STRAIGHT ],
+            submit: {
+                follow_location: false
+            }
+        }
+    end
     def run
-        audit( self.class.payloads, submit: { follow_location: false } ) do |response, element|
+        audit( self.class.payloads, self.class.options ) do |response, element|
             # If this was a sample/default value submission ignore it, we only
             # care about our payloads.
             next if !payload? element.seed
@@ -68,7 +77,7 @@ URL to determine whether the attack was successful.
 },
             elements:    ELEMENTS_WITH_INPUTS - [Element::LinkTemplate],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.2.2',
+            version:     '0.2.3',
             issue:       {
                 name:            %q{Unvalidated redirect},

data/components/checks/active/unvalidated_redirect_dom.rb CHANGED

@@ -9,7 +9,7 @@
 # Unvalidated redirect DOM check.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.1
+# @version 0.1.1
 #
 # @see https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
 class Arachni::Checks::UnvalidatedRedirectDOM < Arachni::Check::Base
@@ -56,7 +56,7 @@ Injects URLs and checks the browser URL to determine whether the attack was succ
 },
             elements:    DOM_ELEMENTS_WITH_INPUTS - [Element::LinkTemplate::DOM],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.1',
+            version:     '0.1.1',
             issue:       {
                 name:            %q{Unvalidated DOM redirect},
@@ -81,7 +81,7 @@ to redirecting the client to the injected value.
                 },
                 tags:            %w(unvalidated redirect dom injection),
                 cwe:             819,
-                severity:        Severity::MEDIUM,
+                severity:        Severity::HIGH,
                 remedy_guidance: %q{
 The application should ensure that the supplied value for a redirect is permitted.
 This can be achieved by performing whitelisting on the parameter value.

data/components/checks/active/xss.rb CHANGED

@@ -13,7 +13,7 @@
 # {BrowserCluster} for evaluation and {#trace_taint taint-tracing}.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.4.1
+# @version 0.4.4
 #
 # @see http://cwe.mitre.org/data/definitions/79.html
 # @see http://ha.ckers.org/xss.html
@@ -36,9 +36,9 @@ class Arachni::Checks::Xss < Arachni::Check::Base
             # Go for an error.
             "()\"&%1'-;#{tag}'",
-            # Break out of HTML comments.
-            "-->#{tag}<!--"
-        ]
+            # Break out of HTML comments and text areas.
+            "</textarea>-->#{tag}<!--<textarea>"
+        ].map{ |p| [p, Form.encode( p ) ]}.flatten.uniq
     end
     def self.options
@@ -67,6 +67,9 @@ class Arachni::Checks::Xss < Arachni::Check::Base
             return
         end
+        # No idea what was returned, but we can't work with it.
+        return if !response.to_page.has_script?
         with_browser_cluster do
             print_info 'Progressing to deferred browser evaluation of response.'
@@ -82,9 +85,19 @@ class Arachni::Checks::Xss < Arachni::Check::Base
     end
     def find_proof( resource )
-        proof = Nokogiri::HTML( resource.body ).css( self.class.tag_name )
-        return if proof.empty?
-        proof.to_s
+        proof_nodes = Nokogiri::HTML( resource.body ).css( self.class.tag_name )
+        return if proof_nodes.empty?
+        proof = nil
+        proof_nodes.each do |e|
+            # Text-areas have TEXT not nodes Nokogiri!
+            next if e.parent.name =='textarea'
+            proof = e.to_s
+        end
+        return if !proof
+        proof
     end
     def self.info
@@ -97,7 +110,7 @@ tainted responses to look for proof of vulnerability.
             elements:    [Element::Form, Element::Link, Element::Cookie,
                           Element::Header, Element::LinkTemplate],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
-            version:     '0.4.1',
+            version:     '0.4.4',
             issue:       {
                 name:            %q{Cross-Site Scripting (XSS)},
@@ -121,8 +134,8 @@ HTML element content.
                 references:  {
                     'ha.ckers' => 'http://ha.ckers.org/xss.html',
                     'Secunia'  => 'http://secunia.com/advisories/9716/',
-                    'WASC' => 'http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting',
-                    'OWASP' => 'https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet'
+                    'WASC'     => 'http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting',
+                    'OWASP'    => 'https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet'
                 },
                 tags:            %w(xss regexp injection script),
                 cwe:             79,

data/components/checks/active/xss_dom_inputs.rb CHANGED

@@ -7,7 +7,7 @@
 =end
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.1.1
+# @version 0.2
 class Arachni::Checks::XssDomInputs < Arachni::Check::Base
     INPUTS = Set.new([:input, :textarea])
@@ -23,38 +23,132 @@ class Arachni::Checks::XssDomInputs < Arachni::Check::Base
     end
     def run
-        # If the page doesn't contain any supported inputs don't bother.
-        return if !page.document ||
-            !INPUTS.find { |type| page.document.css( type.to_s ).any? }
+        return if !page.document
+        # Everything past this point requires inputs to be present.
+        return if !page.has_elements?( INPUTS.to_a )
+        # Fill in inputs and trigger their associated events.
+        trigger_inputs
+        return if !page.has_elements?( :button )
+        # Fill in inputs and hit buttons.
+        trigger_buttons
+    end
+    def trigger_inputs
         with_browser do |browser|
             browser.load( page ).each_element_with_events do |locator, events|
-                next if !INPUTS.include? locator.tag_name
-                events.each do |event, _|
+                locator_id = "#{page.url}:#{locator.css}"
+                next if !INPUTS.include?( locator.tag_name ) || audited?( locator_id )
+                audited locator_id
+                filter_events( locator.tag_name, events ).each do |event, _|
+                    print_status "Scheduling '#{event}' on '#{locator}'"
                     # Instead of working with the same browser we do it this way
                     # in order to distribute the workload via the browser cluster.
                     with_browser do |b|
-                        b.javascript.taint = self.tag
+                        print_status "Triggering '#{event}' on '#{locator}'"
+                        b.javascript.taint = self.tag_name
                         b.load page
                         transition = b.fire_event( locator, event, value: self.tag )
-                        next if !transition
+                        if !transition
+                            print_bad "Could not '#{event}' on '#{locator}'"
+                            next
+                        end
                         # Page may be out of scope, some sort of JS redirection.
-                        next if !(p = b.to_page)
+                        if !(p = b.to_page)
+                            print_bad "Could not capture page snapshot after '#{event}' on '#{locator}'"
+                        end
                         p.dom.transitions << transition
-                        check_and_log p
+                        check_and_log( p )
+                        print_status "Finished '#{event}' on '#{locator}'"
+                    end
+                end
+            end
+        end
+    end
+    def trigger_buttons
+        with_browser do |browser|
+            browser.load( page ).each_element_with_events do |locator, events|
+                locator_id = "#{page.url}:#{locator.css}"
+                next if locator.tag_name != :button || audited?( locator_id )
+                audited locator_id
+                events.each do |event, _|
+                    print_status "Scheduling '#{event}' on '#{locator}' after filling in inputs"
+                    with_browser do |b|
+                        print_status "Triggering '#{event}' on '#{locator}' after filling in inputs"
+                        b.javascript.taint = self.tag_name
+                        b.load page
+                        transitions = fill_in_inputs( b )
+                        if transitions.empty?
+                            print_bad "Could not fill in any inputs for '#{event}' on '#{locator}'"
+                            next
+                        end
+                        transition = b.fire_event( locator, event )
+                        if !transition
+                            print_bad "Could not '#{event}' on '#{locator}'"
+                            next
+                        end
+                        transitions << transition
+                        # Page may be out of scope, some sort of JS redirection.
+                        if !(p = b.to_page)
+                            print_bad "Could not capture page snapshot after '#{event}' on '#{locator}'"
+                        end
+                        transitions.each do |t|
+                            p.dom.transitions << t
+                        end
+                        check_and_log( p )
+                        print_status "Finished '#{event}' on '#{locator}' after filling in inputs"
                     end
                 end
             end
         end
     end
+    def fill_in_inputs( browser )
+        transitions = []
+        INPUTS.each do |tag|
+            browser.watir.send("#{tag}s").each do |locator|
+                print_status "Filling in '#{locator.opening_tag}'"
+                transitions << fill_in_input( browser, locator )
+            end
+        end
+        transitions.compact
+    end
+    def fill_in_input( browser, locator )
+        browser.fire_event( locator, :input, value: self.tag )
+    end
     def check_and_log( page )
         return if !(proof = find_proof( page ))
         log(
             vector: Element::GenericDOM.new(
                 url:        page.url,
@@ -66,11 +160,19 @@ class Arachni::Checks::XssDomInputs < Arachni::Check::Base
     end
     def find_proof( page )
+        return if !page.has_elements?( self.tag_name )
         proof = page.document.css( self.tag_name )
         return if proof.empty?
         proof.to_s
     end
+    def filter_events( element, events )
+        supported = Set.new( Arachni::Browser::Javascript.events_for( element ) )
+        events.reject { |name, _| !supported.include? ('on' + name.to_s.gsub( /^on/, '' )).to_sym }
+    end
     def self.info
         {
             name:        'DOM XSS via input field',
@@ -79,7 +181,7 @@ Injects an HTML element into page text fields, triggers their associated events
 and inspects the DOM for proof of vulnerability.
 },
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.1.1',
+            version:     '0.2',
             elements:    [Element::GenericDOM],
             issue:       {

data/components/checks/active/xxe.rb CHANGED

@@ -7,7 +7,7 @@
 =end
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.1
+# @version 0.1.1
 class Arachni::Checks::Xxe < Arachni::Check::Base
     ENTITY = 'xxe_entity'
@@ -18,7 +18,7 @@ class Arachni::Checks::Xxe < Arachni::Check::Base
             regexp: {
                 unix: [
                     /DOCUMENT_ROOT.*HTTP_USER_AGENT/,
-                    /(root|mail):.+:\d+:\d+:.+:[0-9a-zA-Z\/]+/im
+                    /:.+:\d+:\d+:.+:[0-9a-zA-Z\/]+/im
                 ],
                 windows: [
                     /\[boot loader\].*\[operating systems\]/im,
@@ -74,7 +74,7 @@ processed based on the resulting HTTP response.
 },
             elements:    [Element::XML],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.1',
+            version:     '0.1.1',
             platforms:   options[:regexp].keys,
             issue:       {

data/components/checks/passive/backdoors.rb CHANGED

@@ -25,11 +25,12 @@ class Arachni::Checks::Backdoors < Arachni::Check::Base
     def self.info
         {
-            name:        'Backdoors',
-            description: %q{Tries to find common backdoors on the server.},
-            elements:    [Element::Server],
-            author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
-            version:     '0.2.3',
+            name:             'Backdoors',
+            description:      %q{Tries to find common backdoors on the server.},
+            elements:         [Element::Server],
+            author:           'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
+            version:          '0.2.4',
+            exempt_platforms: [ :ruby, :aspx_mvc, :django, :cakephp ],
             issue:       {
                 name:            %q{A backdoor file exists on the server},

data/components/checks/passive/backup_directories.rb CHANGED

@@ -7,7 +7,6 @@
 =end
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.1
 class Arachni::Checks::BackupDirectories < Arachni::Check::Base
     def self.formats
@@ -35,11 +34,12 @@ class Arachni::Checks::BackupDirectories < Arachni::Check::Base
     def self.info
         {
-            name:        'Backup directories',
-            description: %q{Tries to find backed-up directories.},
-            elements:    [ Element::Server ],
-            author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
-            version:     '0.1',
+            name:             'Backup directories',
+            description:      %q{Tries to find backed-up directories.},
+            elements:         [ Element::Server ],
+            author:           'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
+            version:          '0.1.1',
+            exempt_platforms: Arachni::Platform::Manager::FRAMEWORKS,
             issue:       {
                 name:            %q{Backup directory},

data/components/checks/passive/backup_files.rb CHANGED

@@ -9,7 +9,6 @@
 # Backup file discovery check.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.3
 class Arachni::Checks::BackupFiles < Arachni::Check::Base
     def self.formats
@@ -47,11 +46,12 @@ class Arachni::Checks::BackupFiles < Arachni::Check::Base
     def self.info
         {
-            name:        'Backup files',
-            description: %q{Tries to identify backup files.},
-            elements:    [ Element::Server ],
-            author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
-            version:     '0.3',
+            name:             'Backup files',
+            description:      %q{Tries to identify backup files.},
+            elements:         [ Element::Server ],
+            author:           'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
+            version:          '0.3.1',
+            exempt_platforms: Arachni::Platform::Manager::FRAMEWORKS,
             issue:       {
                 name:            %q{Backup file},

data/components/checks/passive/common_admin_interfaces.rb ADDED

@@ -0,0 +1,58 @@
+=begin
+    Copyright 2010-2015 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    This file is part of the Arachni Framework project and is subject to
+    redistribution and commercial restrictions. Please see the Arachni Framework
+    web site for more information on licensing and terms of use.
+=end
+# Looks for common administration interfaces on the server.
+#
+# @author Brendan Coles <bcoles@gmail.com>
+# @author Tasos Laskos <tasos.laskos@arachni-scanner.com>
+# @version 0.1
+class Arachni::Checks::CommonAdminInterfaces < Arachni::Check::Base
+    def self.resources
+        @filenames ||= read_file( 'admin-panels.txt' )
+    end
+    def run
+        path = get_path( page.url )
+        return if audited?( path )
+        self.class.resources.each do |file|
+            log_remote_file_if_exists( path + file )
+        end
+        audited( path )
+    end
+    def self.info
+        {
+            name:        'Common administration interfaces',
+            description: %q{Tries to find common admin interfaces on the server.},
+            elements:    [ Element::Server ],
+            author:      [
+                'Brendan Coles <bcoles@gmail.com>',
+                'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>'
+            ],
+            version:     '0.1',
+            targets:     %w(Generic),
+            references: {
+                'Apache.org' => 'http://httpd.apache.org/docs/2.0/mod/mod_access.html',
+                'WASC'       => 'http://projects.webappsec.org/w/page/13246953/Predictable%20Resource%20Location'
+            },
+            issue: {
+                name:            %q{Common administration interface},
+                description:     %q{An administration interface was identified and should be reviewed.},
+                tags:            %w(common path file discovery),
+                severity:        Severity::LOW,
+                remedy_guidance: %q{
+Access to administration interfaces should be restricted to trusted IP addresses only.
+}
+            }
+        }
+    end
+end