RubyGems - arachni - Versions diffs - 1.1 → 1.2 - Mend

arachni 1.1 → 1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (287) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +159 -0
data/LICENSE.md +126 -196
data/README.md +32 -24
data/arachni.gemspec +7 -7
data/components/checks/active/code_injection_timing.rb +3 -3
data/components/checks/active/csrf.rb +2 -2
data/components/checks/active/file_inclusion.rb +6 -7
data/components/checks/active/os_cmd_injection.rb +3 -3
data/components/checks/active/path_traversal.rb +7 -7
data/components/checks/active/response_splitting.rb +9 -4
data/components/checks/active/session_fixation.rb +7 -3
data/components/checks/active/source_code_disclosure.rb +5 -5
data/components/checks/active/unvalidated_redirect.rb +12 -3
data/components/checks/active/unvalidated_redirect_dom.rb +3 -3
data/components/checks/active/xss.rb +23 -10
data/components/checks/active/xss_dom_inputs.rb +113 -11
data/components/checks/active/xxe.rb +3 -3
data/components/checks/passive/backdoors.rb +6 -5
data/components/checks/passive/backup_directories.rb +6 -6
data/components/checks/passive/backup_files.rb +6 -6
data/components/checks/passive/common_admin_interfaces.rb +58 -0
data/components/checks/passive/common_admin_interfaces/admin-panels.txt +49 -0
data/components/checks/passive/common_directories/directories.txt +0 -16
data/components/checks/passive/common_files.rb +6 -5
data/components/checks/passive/common_files/filenames.txt +0 -2
data/components/checks/passive/directory_listing.rb +6 -6
data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +3 -3
data/components/checks/passive/grep/hsts.rb +6 -3
data/components/checks/passive/grep/http_only_cookies.rb +3 -3
data/components/checks/passive/grep/insecure_cookies.rb +2 -2
data/components/checks/passive/grep/insecure_cors_policy.rb +6 -4
data/components/checks/passive/grep/x_frame_options.rb +6 -4
data/components/checks/passive/htaccess_limit.rb +6 -2
data/components/checks/passive/http_put.rb +8 -4
data/components/checks/passive/interesting_responses.rb +3 -2
data/components/checks/passive/localstart_asp.rb +6 -2
data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +5 -1
data/components/checks/passive/xst.rb +6 -2
data/components/fingerprinters/frameworks/aspx_mvc.rb +43 -0
data/components/fingerprinters/frameworks/cakephp.rb +28 -0
data/components/fingerprinters/frameworks/cherrypy.rb +31 -0
data/components/fingerprinters/frameworks/django.rb +33 -0
data/components/fingerprinters/frameworks/jsf.rb +30 -0
data/components/fingerprinters/frameworks/rack.rb +5 -7
data/components/fingerprinters/frameworks/rails.rb +43 -0
data/components/fingerprinters/languages/aspx.rb +11 -11
data/components/fingerprinters/languages/{jsp.rb → java.rb} +11 -7
data/components/fingerprinters/languages/php.rb +6 -6
data/components/fingerprinters/languages/python.rb +14 -6
data/components/fingerprinters/languages/ruby.rb +3 -5
data/components/fingerprinters/servers/apache.rb +5 -4
data/components/fingerprinters/servers/gunicorn.rb +33 -0
data/components/fingerprinters/servers/jetty.rb +1 -1
data/components/fingerprinters/servers/tomcat.rb +11 -4
data/components/path_extractors/anchors.rb +5 -12
data/components/path_extractors/areas.rb +5 -13
data/components/path_extractors/comments.rb +5 -3
data/components/path_extractors/data_url.rb +21 -0
data/components/path_extractors/forms.rb +5 -13
data/components/path_extractors/frames.rb +6 -13
data/components/path_extractors/generic.rb +3 -12
data/components/path_extractors/links.rb +5 -13
data/components/path_extractors/meta_refresh.rb +5 -13
data/components/path_extractors/scripts.rb +8 -14
data/components/plugins/autologin.rb +17 -5
data/components/plugins/defaults/meta/remedies/discovery.rb +11 -29
data/components/plugins/login_script.rb +40 -10
data/components/plugins/metrics.rb +235 -0
data/components/plugins/proxy.rb +21 -4
data/components/plugins/proxy/panel/page_accordion.html.erb +34 -2
data/components/plugins/restrict_to_dom_state.rb +70 -0
data/components/plugins/vector_feed.rb +38 -9
data/components/reporters/plugin_formatters/html/metrics.rb +290 -0
data/components/reporters/plugin_formatters/stdout/metrics.rb +80 -0
data/components/reporters/plugin_formatters/xml/metrics.rb +29 -0
data/components/reporters/stdout.rb +4 -2
data/components/reporters/xml.rb +4 -4
data/components/reporters/xml/schema.xsd +95 -0
data/lib/arachni.rb +2 -0
data/lib/arachni/browser.rb +132 -77
data/lib/arachni/browser/javascript.rb +173 -45
data/lib/arachni/browser/javascript/scripts/dom_monitor.js +81 -6
data/lib/arachni/browser/javascript/scripts/taint_tracer.js +31 -3
data/lib/arachni/browser_cluster.rb +41 -15
data/lib/arachni/browser_cluster/job.rb +4 -0
data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +0 -9
data/lib/arachni/browser_cluster/worker.rb +8 -5
data/lib/arachni/check/auditor.rb +20 -8
data/lib/arachni/check/base.rb +38 -6
data/lib/arachni/element/base.rb +18 -1
data/lib/arachni/element/capabilities/analyzable/differential.rb +0 -1
data/lib/arachni/element/capabilities/analyzable/taint.rb +40 -10
data/lib/arachni/element/capabilities/analyzable/timeout.rb +27 -23
data/lib/arachni/element/capabilities/auditable/dom.rb +22 -0
data/lib/arachni/element/capabilities/inputtable.rb +6 -2
data/lib/arachni/element/capabilities/submittable.rb +1 -1
data/lib/arachni/element/cookie.rb +37 -23
data/lib/arachni/element/cookie/capabilities/mutable.rb +6 -6
data/lib/arachni/element/cookie/dom.rb +0 -8
data/lib/arachni/element/form.rb +28 -14
data/lib/arachni/element/form/capabilities/auditable.rb +2 -2
data/lib/arachni/element/form/capabilities/mutable.rb +5 -5
data/lib/arachni/element/form/dom.rb +0 -8
data/lib/arachni/element/generic_dom.rb +1 -1
data/lib/arachni/element/json.rb +2 -1
data/lib/arachni/element/json/capabilities/inputtable.rb +6 -6
data/lib/arachni/element/json/capabilities/mutable.rb +1 -1
data/lib/arachni/element/link.rb +13 -16
data/lib/arachni/element/link/dom.rb +1 -14
data/lib/arachni/element/link_template.rb +3 -2
data/lib/arachni/element/link_template/dom.rb +0 -16
data/lib/arachni/element/server.rb +51 -9
data/lib/arachni/element/xml.rb +1 -0
data/lib/arachni/ethon/easy.rb +4 -1
data/lib/arachni/framework/parts/audit.rb +26 -77
data/lib/arachni/framework/parts/browser.rb +50 -55
data/lib/arachni/framework/parts/check.rb +4 -3
data/lib/arachni/framework/parts/data.rb +41 -6
data/lib/arachni/framework/parts/state.rb +16 -7
data/lib/arachni/http/client.rb +66 -38
data/lib/arachni/http/client/dynamic_404_handler.rb +46 -14
data/lib/arachni/http/headers.rb +22 -10
data/lib/arachni/http/proxy_server.rb +67 -22
data/lib/arachni/http/proxy_server/ssl-interceptor-cacert.pem +34 -0
data/lib/arachni/http/proxy_server/ssl-interceptor-cakey.pem +51 -0
data/lib/arachni/http/request.rb +71 -18
data/lib/arachni/issue.rb +17 -3
data/lib/arachni/option_groups/browser_cluster.rb +34 -1
data/lib/arachni/option_groups/http.rb +1 -1
data/lib/arachni/page.rb +26 -13
data/lib/arachni/page/dom/transition.rb +2 -2
data/lib/arachni/parser.rb +28 -11
data/lib/arachni/platform/fingerprinter.rb +5 -0
data/lib/arachni/platform/manager.rb +65 -32
data/lib/arachni/plugin/base.rb +8 -0
data/lib/arachni/processes/instances.rb +25 -11
data/lib/arachni/reporter/manager.rb +2 -2
data/lib/arachni/rpc/client/instance.rb +4 -0
data/lib/arachni/rpc/server/framework/master.rb +3 -3
data/lib/arachni/rpc/server/framework/multi_instance.rb +0 -8
data/lib/arachni/rpc/server/instance.rb +2 -1
data/lib/arachni/ruby/array.rb +5 -0
data/lib/arachni/ruby/hash.rb +5 -0
data/lib/arachni/ruby/string.rb +2 -3
data/lib/arachni/session.rb +32 -6
data/lib/arachni/state/framework.rb +6 -2
data/lib/arachni/support/cache.rb +1 -0
data/lib/arachni/support/cache/base.rb +12 -8
data/lib/arachni/support/cache/least_recently_pushed.rb +29 -0
data/lib/arachni/support/cache/least_recently_used.rb +5 -8
data/lib/arachni/support/cache/preference.rb +1 -1
data/lib/arachni/support/cache/random_replacement.rb +1 -25
data/lib/arachni/support/database/queue.rb +21 -8
data/lib/arachni/support/lookup/base.rb +7 -1
data/lib/arachni/support/mixins/observable.rb +3 -1
data/lib/arachni/support/profiler.rb +51 -10
data/lib/arachni/support/signature.rb +11 -2
data/lib/arachni/trainer.rb +8 -2
data/lib/arachni/uri.rb +28 -25
data/lib/arachni/uri/scope.rb +1 -1
data/lib/arachni/utilities.rb +8 -0
data/lib/arachni/watir/element.rb +1 -1
data/lib/version +1 -1
data/spec/arachni/browser/javascript/dom_monitor_spec.rb +388 -53
data/spec/arachni/browser/javascript/taint_tracer_spec.rb +41 -0
data/spec/arachni/browser/javascript_spec.rb +235 -61
data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +0 -9
data/spec/arachni/browser_cluster_spec.rb +58 -10
data/spec/arachni/browser_spec.rb +170 -26
data/spec/arachni/check/auditor_spec.rb +22 -3
data/spec/arachni/check/base_spec.rb +84 -0
data/spec/arachni/element/body_spec.rb +1 -1
data/spec/arachni/element/capabilities/analyzable/taint_spec.rb +3 -3
data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +1 -1
data/spec/arachni/element/cookie/dom_spec.rb +0 -9
data/spec/arachni/element/cookie_spec.rb +85 -0
data/spec/arachni/element/form/dom_spec.rb +0 -9
data/spec/arachni/element/form_spec.rb +46 -3
data/spec/arachni/element/json_spec.rb +20 -0
data/spec/arachni/element/link/dom_spec.rb +0 -9
data/spec/arachni/element/link_spec.rb +40 -15
data/spec/arachni/element/link_template/dom_spec.rb +0 -8
data/spec/arachni/element/link_template_spec.rb +2 -6
data/spec/arachni/element/server_spec.rb +94 -8
data/spec/arachni/element/xml_spec.rb +20 -0
data/spec/arachni/framework/parts/audit_spec.rb +12 -14
data/spec/arachni/framework/parts/browser_spec.rb +0 -171
data/spec/arachni/framework/parts/platform_spec.rb +14 -8
data/spec/arachni/framework/parts/report_spec.rb +1 -1
data/spec/arachni/framework/parts/state_spec.rb +0 -9
data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +19 -0
data/spec/arachni/http/client_spec.rb +169 -42
data/spec/arachni/http/headers_spec.rb +18 -0
data/spec/arachni/http/request_spec.rb +23 -0
data/spec/arachni/issue_spec.rb +17 -6
data/spec/arachni/page_spec.rb +22 -2
data/spec/arachni/parser_spec.rb +5 -0
data/spec/arachni/platform/manager_spec.rb +57 -25
data/spec/arachni/reporter/manager_spec.rb +26 -0
data/spec/arachni/rpc/server/active_options_spec.rb +9 -4
data/spec/arachni/state/framework_spec.rb +2 -8
data/spec/arachni/support/cache/least_recently_pushed_spec.rb +90 -0
data/spec/arachni/support/cache/least_recently_used_spec.rb +5 -13
data/spec/arachni/support/database/queue_spec.rb +7 -0
data/spec/arachni/support/mixins/observable_spec.rb +15 -1
data/spec/arachni/trainer_spec.rb +2 -2
data/spec/components/checks/active/code_injection_timing_spec.rb +1 -1
data/spec/components/checks/active/file_inclusion_spec.rb +6 -6
data/spec/components/checks/active/path_traversal_spec.rb +2 -2
data/spec/components/checks/active/source_code_disclosure_spec.rb +2 -2
data/spec/components/checks/active/unvalidated_redirect_spec.rb +6 -6
data/spec/components/checks/active/xss_dom_inputs_spec.rb +3 -5
data/spec/components/checks/active/xss_dom_script_context_spec.rb +1 -1
data/spec/components/checks/active/xss_spec.rb +5 -5
data/spec/components/checks/passive/common_admin_interfaces_spec.rb +15 -0
data/spec/components/checks/passive/interesting_responses_spec.rb +14 -1
data/spec/components/fingerprinters/frameworks/aspx_mvc_spec.rb +31 -0
data/spec/components/fingerprinters/frameworks/cakephp_spec.rb +22 -0
data/spec/components/fingerprinters/frameworks/cherrypy_spec.rb +28 -0
data/spec/components/fingerprinters/frameworks/django_spec.rb +37 -0
data/spec/components/fingerprinters/frameworks/jsf_spec.rb +27 -0
data/spec/components/fingerprinters/frameworks/rack_spec.rb +11 -14
data/spec/components/fingerprinters/frameworks/rails_spec.rb +53 -0
data/spec/components/fingerprinters/languages/asp_spec.rb +7 -9
data/spec/components/fingerprinters/languages/aspx_spec.rb +10 -24
data/spec/components/fingerprinters/languages/java_spec.rb +88 -0
data/spec/components/fingerprinters/languages/php_spec.rb +19 -12
data/spec/components/fingerprinters/languages/python_spec.rb +22 -9
data/spec/components/fingerprinters/languages/ruby.rb +6 -4
data/spec/components/fingerprinters/os/bsd_spec.rb +6 -4
data/spec/components/fingerprinters/os/linux_spec.rb +6 -4
data/spec/components/fingerprinters/os/solaris_spec.rb +6 -4
data/spec/components/fingerprinters/os/unix_spec.rb +6 -4
data/spec/components/fingerprinters/os/windows_spec.rb +6 -4
data/spec/components/fingerprinters/servers/apache_spec.rb +15 -4
data/spec/components/fingerprinters/servers/gunicorn_spec.rb +28 -0
data/spec/components/fingerprinters/servers/iis_spec.rb +6 -6
data/spec/components/fingerprinters/servers/jetty_spec.rb +6 -6
data/spec/components/fingerprinters/servers/nginx_spec.rb +6 -4
data/spec/components/fingerprinters/servers/tomcat_spec.rb +15 -6
data/spec/components/path_extractors/data_url_spec.rb +19 -0
data/spec/components/plugins/autologin_spec.rb +23 -0
data/spec/components/plugins/login_script_spec.rb +112 -24
data/spec/components/plugins/restrict_to_dom_state_spec.rb +16 -0
data/spec/components/plugins/vector_feed_spec.rb +39 -1
data/spec/support/factories/page/dom.rb +9 -4
data/spec/support/factories/page/dom/transition.rb +31 -9
data/spec/support/factories/scan_report.rb +8 -6
data/spec/support/fixtures/empty/placeholder +0 -0
data/spec/support/fixtures/report.afr +0 -0
data/spec/support/fixtures/reporters/manager_spec/error.rb +18 -0
data/spec/support/servers/arachni/browser.rb +117 -11
data/spec/support/servers/arachni/browser/javascript/dom_monitor.rb +148 -4
data/spec/support/servers/arachni/check/auditor.rb +4 -0
data/spec/support/servers/arachni/element/cookie/cookie_dom.rb +1 -1
data/spec/support/servers/arachni/http/client.rb +5 -0
data/spec/support/servers/arachni/http/client/dynamic_404_handler.rb +13 -0
data/spec/support/servers/checks/active/code_injection_timing.rb +1 -1
data/spec/support/servers/checks/active/file_inclusion.rb +2 -2
data/spec/support/servers/checks/active/path_traversal.rb +2 -2
data/spec/support/servers/checks/active/source_code_disclosure.rb +40 -33
data/spec/support/servers/checks/active/trainer_check.rb +9 -10
data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +7 -4
data/spec/support/servers/checks/active/xss.rb +35 -0
data/spec/support/servers/checks/active/xss_dom.rb +1 -1
data/spec/support/servers/checks/active/xss_dom_inputs.rb +24 -0
data/spec/support/servers/checks/active/xss_dom_script_context.rb +1 -1
data/spec/support/servers/checks/passive/common_admin_interfaces.rb +6 -0
data/spec/support/servers/plugins/autologin.rb +9 -0
data/spec/support/servers/plugins/restrict_to_dom_state.rb +4 -0
data/spec/support/shared/element/base.rb +42 -0
data/spec/support/shared/element/capabilities/auditable.rb +4 -4
data/spec/support/shared/element/capabilities/auditable/dom.rb +26 -0
data/spec/support/shared/element/capabilities/inputtable.rb +16 -11
data/spec/support/shared/element/capabilities/submitable.rb +7 -2
data/spec/support/shared/fingerprinter.rb +8 -0
data/spec/support/shared/path_extractor.rb +1 -1
data/ui/cli/framework.rb +3 -3
data/ui/cli/framework/option_parser.rb +9 -0
data/ui/cli/output.rb +9 -0
data/ui/cli/reporter.rb +5 -2
data/ui/cli/utilities.rb +4 -2
metadata +76 -17
data/lib/arachni/http/proxy_server/ssl-interceptor-cert.pem +0 -34
data/lib/arachni/http/proxy_server/ssl-interceptor-pkey.pem +0 -51
data/spec/components/fingerprinters/languages/jsp_spec.rb +0 -56

data/components/checks/passive/xst.rb CHANGED

@@ -33,7 +33,11 @@ class Arachni::Checks::Xst < Arachni::Check::Base
         http.trace( page.url ) do |response|
             next if response.code != 200 || response.body.to_s.empty?
-            log vector: Element::Server.new( response.url ), response: response
+            log(
+                vector:   Element::Server.new( response.url ),
+                response: response,
+                proof:    response.status_line
+            )
             print_ok 'TRACE is enabled.'
         end
     end
@@ -48,7 +52,7 @@ class Arachni::Checks::Xst < Arachni::Check::Base
             description: %q{Sends an HTTP TRACE request and checks if it succeeded.},
             elements:    [ Element::Server ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.1.6',
+            version:     '0.1.7',
             issue:       {
                 name:            %q{HTTP TRACE},

data/components/fingerprinters/frameworks/aspx_mvc.rb ADDED

@@ -0,0 +1,43 @@
+=begin
+    Copyright 2010-2015 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    This file is part of the Arachni Framework project and is subject to
+    redistribution and commercial restrictions. Please see the Arachni Framework
+    web site for more information on licensing and terms of use.
+=end
+module Arachni
+module Platform::Fingerprinters
+# Identifies ASP.NET MVC resources.
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
+# @version 0.1
+class ASPXMVC < Platform::Fingerprinter
+    ANTI_CSRF_NONCE = '__requestverificationtoken'
+    HEADER_FIELDS   = %w(x-aspnetmvc-version)
+    def run
+        # Naive but enough, I think.
+        if html? && page.body =~ /input.*#{ANTI_CSRF_NONCE}/i
+            return update_platforms
+        end
+        if (headers.keys & HEADER_FIELDS).any?
+            return update_platforms
+        end
+        if cookies.include?( ANTI_CSRF_NONCE )
+            update_platforms
+        end
+    end
+    def update_platforms
+        platforms << :asp << :aspx << :windows << :aspx_mvc
+    end
+end
+end
+end

data/components/fingerprinters/frameworks/cakephp.rb ADDED

@@ -0,0 +1,28 @@
+=begin
+    Copyright 2010-2015 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    This file is part of the Arachni Framework project and is subject to
+    redistribution and commercial restrictions. Please see the Arachni Framework
+    web site for more information on licensing and terms of use.
+=end
+module Arachni
+module Platform::Fingerprinters
+# Identifies CakePHP resources.
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
+#
+# @version 0.1
+class CakePHP < Platform::Fingerprinter
+    def run
+        if cookies.include?( 'cakephp' )
+            platforms << :php << :cakephp
+        end
+    end
+end
+end
+end

data/components/fingerprinters/frameworks/cherrypy.rb ADDED

@@ -0,0 +1,31 @@
+=begin
+    Copyright 2010-2015 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    This file is part of the Arachni Framework project and is subject to
+    redistribution and commercial restrictions. Please see the Arachni Framework
+    web site for more information on licensing and terms of use.
+=end
+module Arachni
+module Platform::Fingerprinters
+# Identifies CherryPy resources.
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
+# @version 0.1
+class CherryPy < Platform::Fingerprinter
+    def run
+        return if !server_or_powered_by_include?( 'cherrypy' )
+        update_platforms
+    end
+    def update_platforms
+        platforms << :python << :cherrypy
+    end
+end
+end
+end

data/components/fingerprinters/frameworks/django.rb ADDED

@@ -0,0 +1,33 @@
+=begin
+    Copyright 2010-2015 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    This file is part of the Arachni Framework project and is subject to
+    redistribution and commercial restrictions. Please see the Arachni Framework
+    web site for more information on licensing and terms of use.
+=end
+module Arachni
+module Platform::Fingerprinters
+# Identifies Django resources.
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
+# @version 0.1
+class Django < Platform::Fingerprinter
+    def run
+        return update_platforms if server_or_powered_by_include?( 'django' )
+        headers.keys.each do |header|
+            return update_platforms if header.start_with?( 'x-django')
+        end
+    end
+    def update_platforms
+        platforms << :python << :django
+    end
+end
+end
+end

data/components/fingerprinters/frameworks/jsf.rb ADDED

@@ -0,0 +1,30 @@
+=begin
+    Copyright 2010-2015 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    This file is part of the Arachni Framework project and is subject to
+    redistribution and commercial restrictions. Please see the Arachni Framework
+    web site for more information on licensing and terms of use.
+=end
+module Arachni
+module Platform::Fingerprinters
+# Identifies JSF resources.
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
+#
+# @version 0.1
+class JSF < Platform::Fingerprinter
+    def run
+        if server_or_powered_by_include?( 'jsf' ) ||
+            parameters.include?( 'javax.faces.token')
+            platforms << :java << :jsf
+        end
+    end
+end
+end
+end

data/components/fingerprinters/frameworks/rack.rb CHANGED

@@ -9,21 +9,19 @@
 module Arachni
 module Platform::Fingerprinters
-#
 # Identifies Rack applications.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-#
-# @version 0.1
-#
+# @version 0.1.2
 class Rack < Platform::Fingerprinter
     SESSIONID = 'rack.session'
-    ID        = 'mod_rack'
     def run
-        return if !cookies.include?( SESSIONID ) &&
-            !server_or_powered_by_include?( ID )
+        return if !powered_by.include?( 'mod_rack' ) &&
+            !headers.keys.find { |h| h.include? 'x-rack' } &&
+            !cookies.include?( SESSIONID )
         platforms << :ruby << :rack
     end

data/components/fingerprinters/frameworks/rails.rb ADDED

@@ -0,0 +1,43 @@
+=begin
+    Copyright 2010-2015 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    This file is part of the Arachni Framework project and is subject to
+    redistribution and commercial restrictions. Please see the Arachni Framework
+    web site for more information on licensing and terms of use.
+=end
+module Arachni
+module Platform::Fingerprinters
+# Identifies Rails resources.
+#
+# @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
+# @version 0.1.1
+class Rails < Platform::Fingerprinter
+    IDs = %w(rails)
+    def run
+        headers.keys.each do |header|
+            return update_platforms if header.start_with?( 'x-rails' )
+        end
+        IDs.each do |id|
+            next if !server_or_powered_by_include? id
+            return update_platforms
+        end
+        if cookies.include?( '_rails_admin_session' )
+            update_platforms
+        end
+    end
+    def update_platforms
+        platforms << :ruby << :rack << :rails
+    end
+end
+end
+end

data/components/fingerprinters/languages/aspx.rb CHANGED

@@ -9,38 +9,38 @@
 module Arachni
 module Platform::Fingerprinters
-#
 # Identifies ASPX resources.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-#
-# @version 0.1
-#
+# @version 0.1.1
 class ASPX < Platform::Fingerprinter
     EXTENSION       = 'aspx'
     SESSION_COOKIE  = 'asp.net_sessionid'
     X_POWERED_BY    = 'asp.net'
-    VIEWSTATE       = 'viewstate'
+    VIEWSTATE       = '__viewstate'
     HEADER_FIELDS   = %w(x-aspnet-version x-aspnetmvc-version)
     def run
         if extension == EXTENSION ||
             # Session ID in URL, like:
             #   http://blah.com/(S(yn5cby55lgzstcen0ng2b4iq))/stuff.aspx
-            uri.path =~ /\/\(s\([a-z0-9]+\)\)\//i ||
-            cookies.include?( SESSION_COOKIE )
+            uri.path =~ /\/\(s\([a-z0-9]+\)\)\//i
             return update_platforms
         end
-        page.forms.each do |form|
-            form.inputs.each do |k, v|
-                return update_platforms if k.downcase.include? VIEWSTATE
-            end
+        # Naive but enough, I think.
+        if html? && page.body =~ /input.*#{VIEWSTATE}/i
+            return update_platforms
         end
         if server_or_powered_by_include?( X_POWERED_BY ) ||
             (headers.keys & HEADER_FIELDS).any?
+            return update_platforms
+        end
+        if cookies.include?( SESSION_COOKIE )
             update_platforms
         end
     end

data/components/fingerprinters/languages/{jsp.rb → java.rb} RENAMED

@@ -9,22 +9,26 @@
 module Arachni
 module Platform::Fingerprinters
-# Identifies JSP resources.
+# Identifies Java resources.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-#
-# @version 0.1.1
-class JSP < Platform::Fingerprinter
+# @version 0.1.3
+class Java < Platform::Fingerprinter
     EXTENSION = 'jsp'
     SESSIONID = 'jsessionid'
     def run
         if extension == EXTENSION || parameters.include?( SESSIONID ) ||
-            cookies.include?( SESSIONID ) ||
+            server_or_powered_by_include?( 'java' ) ||
             server_or_powered_by_include?( 'servlet' ) ||
-            server_or_powered_by_include?( 'jsp' )
-            platforms << :jsp << :tomcat
+            server_or_powered_by_include?( 'jsp' ) ||
+            server_or_powered_by_include?( 'jboss' ) ||
+            server_or_powered_by_include?( 'glassfish' ) ||
+            server_or_powered_by_include?( 'oracle' ) ||
+            cookies.include?( SESSIONID )
+            platforms << :java
         end
     end

data/components/fingerprinters/languages/php.rb CHANGED

@@ -9,13 +9,10 @@
 module Arachni
 module Platform::Fingerprinters
-#
 # Identifies PHP resources.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-#
-# @version 0.1
-#
+# @version 0.1.1
 class PHP < Platform::Fingerprinter
     EXTENSION = /php\d*/  # In case it's php5 or something.
@@ -23,8 +20,11 @@ class PHP < Platform::Fingerprinter
     def run
         if uri.path =~ /.php\d*\/*/ || extension =~ EXTENSION ||
-            parameters.include?( SESSIONID ) || cookies.include?( SESSIONID ) ||
-            server_or_powered_by_include?( 'php' )
+            parameters.include?( SESSIONID ) ||
+            server_or_powered_by_include?( 'php' ) ||
+            headers.include?( 'x-php-pid' ) ||
+            cookies.include?( SESSIONID )
             platforms << :php
         end
     end

data/components/fingerprinters/languages/python.rb CHANGED

@@ -9,21 +9,29 @@
 module Arachni
 module Platform::Fingerprinters
-#
 # Identifies Python resources.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-#
-# @version 0.1
-#
+# @version 0.1.2
 class Python < Platform::Fingerprinter
+    IDS       = %w(python zope zserver wsgi plone)
     EXTENSION = 'py'
     def run
-        if extension == EXTENSION || powered_by.include?( 'python' )
-            platforms << :python
+        return update_platforms if extension == EXTENSION
+        IDS.each do |id|
+            return update_platforms if server_or_powered_by_include?( id )
         end
+        if cookies.include?( '_ZopeId' )
+            update_platforms
+        end
+    end
+    def update_platforms
+        platforms << :python
     end
 end

data/components/fingerprinters/languages/ruby.rb CHANGED

@@ -9,21 +9,19 @@
 module Arachni
 module Platform::Fingerprinters
-#
 # Identifies Ruby resources.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
 #
 # @version 0.1
-#
 class Ruby < Platform::Fingerprinter
-    IDs = %w(mod_rails mod_rack phusion passenger)
+    IDs = %w(mod_rack phusion passenger)
     def run
         IDs.each do |id|
-            next if !server_or_powered_by_include? id
-            return platforms << :ruby
+            next if !powered_by.include? id
+            return platforms << :ruby << :rack
         end
     end

data/components/fingerprinters/servers/apache.rb CHANGED

@@ -9,17 +9,18 @@
 module Arachni
 module Platform::Fingerprinters
-#
 # Identifies Apache web servers.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-#
 # @version 0.1
-#
 class Apache < Platform::Fingerprinter
     def run
-        platforms << :apache if server_or_powered_by_include? 'apache'
+        if server_or_powered_by_include?( 'apache' ) &&
+            !server_or_powered_by_include?( 'coyote' )
+            platforms << :apache
+        end
     end
 end