RubyGems - arachni - Versions diffs - 1.1 → 1.2 - Mend

arachni 1.1 → 1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (287) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +159 -0
data/LICENSE.md +126 -196
data/README.md +32 -24
data/arachni.gemspec +7 -7
data/components/checks/active/code_injection_timing.rb +3 -3
data/components/checks/active/csrf.rb +2 -2
data/components/checks/active/file_inclusion.rb +6 -7
data/components/checks/active/os_cmd_injection.rb +3 -3
data/components/checks/active/path_traversal.rb +7 -7
data/components/checks/active/response_splitting.rb +9 -4
data/components/checks/active/session_fixation.rb +7 -3
data/components/checks/active/source_code_disclosure.rb +5 -5
data/components/checks/active/unvalidated_redirect.rb +12 -3
data/components/checks/active/unvalidated_redirect_dom.rb +3 -3
data/components/checks/active/xss.rb +23 -10
data/components/checks/active/xss_dom_inputs.rb +113 -11
data/components/checks/active/xxe.rb +3 -3
data/components/checks/passive/backdoors.rb +6 -5
data/components/checks/passive/backup_directories.rb +6 -6
data/components/checks/passive/backup_files.rb +6 -6
data/components/checks/passive/common_admin_interfaces.rb +58 -0
data/components/checks/passive/common_admin_interfaces/admin-panels.txt +49 -0
data/components/checks/passive/common_directories/directories.txt +0 -16
data/components/checks/passive/common_files.rb +6 -5
data/components/checks/passive/common_files/filenames.txt +0 -2
data/components/checks/passive/directory_listing.rb +6 -6
data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +3 -3
data/components/checks/passive/grep/hsts.rb +6 -3
data/components/checks/passive/grep/http_only_cookies.rb +3 -3
data/components/checks/passive/grep/insecure_cookies.rb +2 -2
data/components/checks/passive/grep/insecure_cors_policy.rb +6 -4
data/components/checks/passive/grep/x_frame_options.rb +6 -4
data/components/checks/passive/htaccess_limit.rb +6 -2
data/components/checks/passive/http_put.rb +8 -4
data/components/checks/passive/interesting_responses.rb +3 -2
data/components/checks/passive/localstart_asp.rb +6 -2
data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +5 -1
data/components/checks/passive/xst.rb +6 -2
data/components/fingerprinters/frameworks/aspx_mvc.rb +43 -0
data/components/fingerprinters/frameworks/cakephp.rb +28 -0
data/components/fingerprinters/frameworks/cherrypy.rb +31 -0
data/components/fingerprinters/frameworks/django.rb +33 -0
data/components/fingerprinters/frameworks/jsf.rb +30 -0
data/components/fingerprinters/frameworks/rack.rb +5 -7
data/components/fingerprinters/frameworks/rails.rb +43 -0
data/components/fingerprinters/languages/aspx.rb +11 -11
data/components/fingerprinters/languages/{jsp.rb → java.rb} +11 -7
data/components/fingerprinters/languages/php.rb +6 -6
data/components/fingerprinters/languages/python.rb +14 -6
data/components/fingerprinters/languages/ruby.rb +3 -5
data/components/fingerprinters/servers/apache.rb +5 -4
data/components/fingerprinters/servers/gunicorn.rb +33 -0
data/components/fingerprinters/servers/jetty.rb +1 -1
data/components/fingerprinters/servers/tomcat.rb +11 -4
data/components/path_extractors/anchors.rb +5 -12
data/components/path_extractors/areas.rb +5 -13
data/components/path_extractors/comments.rb +5 -3
data/components/path_extractors/data_url.rb +21 -0
data/components/path_extractors/forms.rb +5 -13
data/components/path_extractors/frames.rb +6 -13
data/components/path_extractors/generic.rb +3 -12
data/components/path_extractors/links.rb +5 -13
data/components/path_extractors/meta_refresh.rb +5 -13
data/components/path_extractors/scripts.rb +8 -14
data/components/plugins/autologin.rb +17 -5
data/components/plugins/defaults/meta/remedies/discovery.rb +11 -29
data/components/plugins/login_script.rb +40 -10
data/components/plugins/metrics.rb +235 -0
data/components/plugins/proxy.rb +21 -4
data/components/plugins/proxy/panel/page_accordion.html.erb +34 -2
data/components/plugins/restrict_to_dom_state.rb +70 -0
data/components/plugins/vector_feed.rb +38 -9
data/components/reporters/plugin_formatters/html/metrics.rb +290 -0
data/components/reporters/plugin_formatters/stdout/metrics.rb +80 -0
data/components/reporters/plugin_formatters/xml/metrics.rb +29 -0
data/components/reporters/stdout.rb +4 -2
data/components/reporters/xml.rb +4 -4
data/components/reporters/xml/schema.xsd +95 -0
data/lib/arachni.rb +2 -0
data/lib/arachni/browser.rb +132 -77
data/lib/arachni/browser/javascript.rb +173 -45
data/lib/arachni/browser/javascript/scripts/dom_monitor.js +81 -6
data/lib/arachni/browser/javascript/scripts/taint_tracer.js +31 -3
data/lib/arachni/browser_cluster.rb +41 -15
data/lib/arachni/browser_cluster/job.rb +4 -0
data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +0 -9
data/lib/arachni/browser_cluster/worker.rb +8 -5
data/lib/arachni/check/auditor.rb +20 -8
data/lib/arachni/check/base.rb +38 -6
data/lib/arachni/element/base.rb +18 -1
data/lib/arachni/element/capabilities/analyzable/differential.rb +0 -1
data/lib/arachni/element/capabilities/analyzable/taint.rb +40 -10
data/lib/arachni/element/capabilities/analyzable/timeout.rb +27 -23
data/lib/arachni/element/capabilities/auditable/dom.rb +22 -0
data/lib/arachni/element/capabilities/inputtable.rb +6 -2
data/lib/arachni/element/capabilities/submittable.rb +1 -1
data/lib/arachni/element/cookie.rb +37 -23
data/lib/arachni/element/cookie/capabilities/mutable.rb +6 -6
data/lib/arachni/element/cookie/dom.rb +0 -8
data/lib/arachni/element/form.rb +28 -14
data/lib/arachni/element/form/capabilities/auditable.rb +2 -2
data/lib/arachni/element/form/capabilities/mutable.rb +5 -5
data/lib/arachni/element/form/dom.rb +0 -8
data/lib/arachni/element/generic_dom.rb +1 -1
data/lib/arachni/element/json.rb +2 -1
data/lib/arachni/element/json/capabilities/inputtable.rb +6 -6
data/lib/arachni/element/json/capabilities/mutable.rb +1 -1
data/lib/arachni/element/link.rb +13 -16
data/lib/arachni/element/link/dom.rb +1 -14
data/lib/arachni/element/link_template.rb +3 -2
data/lib/arachni/element/link_template/dom.rb +0 -16
data/lib/arachni/element/server.rb +51 -9
data/lib/arachni/element/xml.rb +1 -0
data/lib/arachni/ethon/easy.rb +4 -1
data/lib/arachni/framework/parts/audit.rb +26 -77
data/lib/arachni/framework/parts/browser.rb +50 -55
data/lib/arachni/framework/parts/check.rb +4 -3
data/lib/arachni/framework/parts/data.rb +41 -6
data/lib/arachni/framework/parts/state.rb +16 -7
data/lib/arachni/http/client.rb +66 -38
data/lib/arachni/http/client/dynamic_404_handler.rb +46 -14
data/lib/arachni/http/headers.rb +22 -10
data/lib/arachni/http/proxy_server.rb +67 -22
data/lib/arachni/http/proxy_server/ssl-interceptor-cacert.pem +34 -0
data/lib/arachni/http/proxy_server/ssl-interceptor-cakey.pem +51 -0
data/lib/arachni/http/request.rb +71 -18
data/lib/arachni/issue.rb +17 -3
data/lib/arachni/option_groups/browser_cluster.rb +34 -1
data/lib/arachni/option_groups/http.rb +1 -1
data/lib/arachni/page.rb +26 -13
data/lib/arachni/page/dom/transition.rb +2 -2
data/lib/arachni/parser.rb +28 -11
data/lib/arachni/platform/fingerprinter.rb +5 -0
data/lib/arachni/platform/manager.rb +65 -32
data/lib/arachni/plugin/base.rb +8 -0
data/lib/arachni/processes/instances.rb +25 -11
data/lib/arachni/reporter/manager.rb +2 -2
data/lib/arachni/rpc/client/instance.rb +4 -0
data/lib/arachni/rpc/server/framework/master.rb +3 -3
data/lib/arachni/rpc/server/framework/multi_instance.rb +0 -8
data/lib/arachni/rpc/server/instance.rb +2 -1
data/lib/arachni/ruby/array.rb +5 -0
data/lib/arachni/ruby/hash.rb +5 -0
data/lib/arachni/ruby/string.rb +2 -3
data/lib/arachni/session.rb +32 -6
data/lib/arachni/state/framework.rb +6 -2
data/lib/arachni/support/cache.rb +1 -0
data/lib/arachni/support/cache/base.rb +12 -8
data/lib/arachni/support/cache/least_recently_pushed.rb +29 -0
data/lib/arachni/support/cache/least_recently_used.rb +5 -8
data/lib/arachni/support/cache/preference.rb +1 -1
data/lib/arachni/support/cache/random_replacement.rb +1 -25
data/lib/arachni/support/database/queue.rb +21 -8
data/lib/arachni/support/lookup/base.rb +7 -1
data/lib/arachni/support/mixins/observable.rb +3 -1
data/lib/arachni/support/profiler.rb +51 -10
data/lib/arachni/support/signature.rb +11 -2
data/lib/arachni/trainer.rb +8 -2
data/lib/arachni/uri.rb +28 -25
data/lib/arachni/uri/scope.rb +1 -1
data/lib/arachni/utilities.rb +8 -0
data/lib/arachni/watir/element.rb +1 -1
data/lib/version +1 -1
data/spec/arachni/browser/javascript/dom_monitor_spec.rb +388 -53
data/spec/arachni/browser/javascript/taint_tracer_spec.rb +41 -0
data/spec/arachni/browser/javascript_spec.rb +235 -61
data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +0 -9
data/spec/arachni/browser_cluster_spec.rb +58 -10
data/spec/arachni/browser_spec.rb +170 -26
data/spec/arachni/check/auditor_spec.rb +22 -3
data/spec/arachni/check/base_spec.rb +84 -0
data/spec/arachni/element/body_spec.rb +1 -1
data/spec/arachni/element/capabilities/analyzable/taint_spec.rb +3 -3
data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +1 -1
data/spec/arachni/element/cookie/dom_spec.rb +0 -9
data/spec/arachni/element/cookie_spec.rb +85 -0
data/spec/arachni/element/form/dom_spec.rb +0 -9
data/spec/arachni/element/form_spec.rb +46 -3
data/spec/arachni/element/json_spec.rb +20 -0
data/spec/arachni/element/link/dom_spec.rb +0 -9
data/spec/arachni/element/link_spec.rb +40 -15
data/spec/arachni/element/link_template/dom_spec.rb +0 -8
data/spec/arachni/element/link_template_spec.rb +2 -6
data/spec/arachni/element/server_spec.rb +94 -8
data/spec/arachni/element/xml_spec.rb +20 -0
data/spec/arachni/framework/parts/audit_spec.rb +12 -14
data/spec/arachni/framework/parts/browser_spec.rb +0 -171
data/spec/arachni/framework/parts/platform_spec.rb +14 -8
data/spec/arachni/framework/parts/report_spec.rb +1 -1
data/spec/arachni/framework/parts/state_spec.rb +0 -9
data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +19 -0
data/spec/arachni/http/client_spec.rb +169 -42
data/spec/arachni/http/headers_spec.rb +18 -0
data/spec/arachni/http/request_spec.rb +23 -0
data/spec/arachni/issue_spec.rb +17 -6
data/spec/arachni/page_spec.rb +22 -2
data/spec/arachni/parser_spec.rb +5 -0
data/spec/arachni/platform/manager_spec.rb +57 -25
data/spec/arachni/reporter/manager_spec.rb +26 -0
data/spec/arachni/rpc/server/active_options_spec.rb +9 -4
data/spec/arachni/state/framework_spec.rb +2 -8
data/spec/arachni/support/cache/least_recently_pushed_spec.rb +90 -0
data/spec/arachni/support/cache/least_recently_used_spec.rb +5 -13
data/spec/arachni/support/database/queue_spec.rb +7 -0
data/spec/arachni/support/mixins/observable_spec.rb +15 -1
data/spec/arachni/trainer_spec.rb +2 -2
data/spec/components/checks/active/code_injection_timing_spec.rb +1 -1
data/spec/components/checks/active/file_inclusion_spec.rb +6 -6
data/spec/components/checks/active/path_traversal_spec.rb +2 -2
data/spec/components/checks/active/source_code_disclosure_spec.rb +2 -2
data/spec/components/checks/active/unvalidated_redirect_spec.rb +6 -6
data/spec/components/checks/active/xss_dom_inputs_spec.rb +3 -5
data/spec/components/checks/active/xss_dom_script_context_spec.rb +1 -1
data/spec/components/checks/active/xss_spec.rb +5 -5
data/spec/components/checks/passive/common_admin_interfaces_spec.rb +15 -0
data/spec/components/checks/passive/interesting_responses_spec.rb +14 -1
data/spec/components/fingerprinters/frameworks/aspx_mvc_spec.rb +31 -0
data/spec/components/fingerprinters/frameworks/cakephp_spec.rb +22 -0
data/spec/components/fingerprinters/frameworks/cherrypy_spec.rb +28 -0
data/spec/components/fingerprinters/frameworks/django_spec.rb +37 -0
data/spec/components/fingerprinters/frameworks/jsf_spec.rb +27 -0
data/spec/components/fingerprinters/frameworks/rack_spec.rb +11 -14
data/spec/components/fingerprinters/frameworks/rails_spec.rb +53 -0
data/spec/components/fingerprinters/languages/asp_spec.rb +7 -9
data/spec/components/fingerprinters/languages/aspx_spec.rb +10 -24
data/spec/components/fingerprinters/languages/java_spec.rb +88 -0
data/spec/components/fingerprinters/languages/php_spec.rb +19 -12
data/spec/components/fingerprinters/languages/python_spec.rb +22 -9
data/spec/components/fingerprinters/languages/ruby.rb +6 -4
data/spec/components/fingerprinters/os/bsd_spec.rb +6 -4
data/spec/components/fingerprinters/os/linux_spec.rb +6 -4
data/spec/components/fingerprinters/os/solaris_spec.rb +6 -4
data/spec/components/fingerprinters/os/unix_spec.rb +6 -4
data/spec/components/fingerprinters/os/windows_spec.rb +6 -4
data/spec/components/fingerprinters/servers/apache_spec.rb +15 -4
data/spec/components/fingerprinters/servers/gunicorn_spec.rb +28 -0
data/spec/components/fingerprinters/servers/iis_spec.rb +6 -6
data/spec/components/fingerprinters/servers/jetty_spec.rb +6 -6
data/spec/components/fingerprinters/servers/nginx_spec.rb +6 -4
data/spec/components/fingerprinters/servers/tomcat_spec.rb +15 -6
data/spec/components/path_extractors/data_url_spec.rb +19 -0
data/spec/components/plugins/autologin_spec.rb +23 -0
data/spec/components/plugins/login_script_spec.rb +112 -24
data/spec/components/plugins/restrict_to_dom_state_spec.rb +16 -0
data/spec/components/plugins/vector_feed_spec.rb +39 -1
data/spec/support/factories/page/dom.rb +9 -4
data/spec/support/factories/page/dom/transition.rb +31 -9
data/spec/support/factories/scan_report.rb +8 -6
data/spec/support/fixtures/empty/placeholder +0 -0
data/spec/support/fixtures/report.afr +0 -0
data/spec/support/fixtures/reporters/manager_spec/error.rb +18 -0
data/spec/support/servers/arachni/browser.rb +117 -11
data/spec/support/servers/arachni/browser/javascript/dom_monitor.rb +148 -4
data/spec/support/servers/arachni/check/auditor.rb +4 -0
data/spec/support/servers/arachni/element/cookie/cookie_dom.rb +1 -1
data/spec/support/servers/arachni/http/client.rb +5 -0
data/spec/support/servers/arachni/http/client/dynamic_404_handler.rb +13 -0
data/spec/support/servers/checks/active/code_injection_timing.rb +1 -1
data/spec/support/servers/checks/active/file_inclusion.rb +2 -2
data/spec/support/servers/checks/active/path_traversal.rb +2 -2
data/spec/support/servers/checks/active/source_code_disclosure.rb +40 -33
data/spec/support/servers/checks/active/trainer_check.rb +9 -10
data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +7 -4
data/spec/support/servers/checks/active/xss.rb +35 -0
data/spec/support/servers/checks/active/xss_dom.rb +1 -1
data/spec/support/servers/checks/active/xss_dom_inputs.rb +24 -0
data/spec/support/servers/checks/active/xss_dom_script_context.rb +1 -1
data/spec/support/servers/checks/passive/common_admin_interfaces.rb +6 -0
data/spec/support/servers/plugins/autologin.rb +9 -0
data/spec/support/servers/plugins/restrict_to_dom_state.rb +4 -0
data/spec/support/shared/element/base.rb +42 -0
data/spec/support/shared/element/capabilities/auditable.rb +4 -4
data/spec/support/shared/element/capabilities/auditable/dom.rb +26 -0
data/spec/support/shared/element/capabilities/inputtable.rb +16 -11
data/spec/support/shared/element/capabilities/submitable.rb +7 -2
data/spec/support/shared/fingerprinter.rb +8 -0
data/spec/support/shared/path_extractor.rb +1 -1
data/ui/cli/framework.rb +3 -3
data/ui/cli/framework/option_parser.rb +9 -0
data/ui/cli/output.rb +9 -0
data/ui/cli/reporter.rb +5 -2
data/ui/cli/utilities.rb +4 -2
metadata +76 -17
data/lib/arachni/http/proxy_server/ssl-interceptor-cert.pem +0 -34
data/lib/arachni/http/proxy_server/ssl-interceptor-pkey.pem +0 -51
data/spec/components/fingerprinters/languages/jsp_spec.rb +0 -56

data/components/reporters/plugin_formatters/xml/metrics.rb ADDED

@@ -0,0 +1,29 @@
+=begin
+    Copyright 2010-2015 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    This file is part of the Arachni Framework project and is subject to
+    redistribution and commercial restrictions. Please see the Arachni Framework
+    web site for more information on licensing and terms of use.
+=end
+class Arachni::Reporters::XML
+# @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
+class PluginFormatters::Metrics < Arachni::Plugin::Formatter
+    def run( xml )
+        results.each do |category, data|
+            xml.send( category ) {
+                data.each do |k, v|
+                    if category == 'platforms'
+                        v = v.join( ',' )
+                    end
+                    xml.send k, v
+                end
+            }
+        end
+    end
+end
+end

data/components/reporters/stdout.rb CHANGED

@@ -10,7 +10,7 @@
 # All UIs must have a default report.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.3
+# @version 0.3.1
 class Arachni::Reporters::Stdout < Arachni::Reporter::Base
     def run
@@ -46,6 +46,8 @@ class Arachni::Reporters::Stdout < Arachni::Reporter::Base
         print_info '* Forms'    if report.options[:audit][:forms]
         print_info '* Cookies'  if report.options[:audit][:cookies]
         print_info '* Headers'  if report.options[:audit][:headers]
+        print_info '* XMLs'     if report.options[:audit][:xmls]
+        print_info '* JSONs'    if report.options[:audit][:jsons]
         print_line
         print_status "Checks: #{report.options[:checks].join( ', ' )}"
@@ -223,7 +225,7 @@ class Arachni::Reporters::Stdout < Arachni::Reporter::Base
             name:        'Stdout',
             description: %q{Prints the results to standard output.},
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.3'
+            version:     '0.3.1'
         }
     end

data/components/reporters/xml.rb CHANGED

@@ -11,7 +11,7 @@ require 'nokogiri'
 # Creates an XML report of the audit.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.3.3
+# @version 0.3.4
 class Arachni::Reporters::XML < Arachni::Reporter::Base
     LOCAL_SCHEMA  = File.dirname( __FILE__ ) + '/xml/schema.xsd'
@@ -77,8 +77,8 @@ class Arachni::Reporters::XML < Arachni::Reporter::Base
                                     xml.method_ vector.method
                                 end
-                                if vector.respond_to? :affected_input_name
-                                    xml.affected_input_name vector.affected_input_name
+                                if issue.variations.first.vector.respond_to? :affected_input_name
+                                    xml.affected_input_name issue.variations.first.vector.affected_input_name
                                 end
                                 if vector.respond_to? :inputs
@@ -166,7 +166,7 @@ class Arachni::Reporters::XML < Arachni::Reporter::Base
             description:  %q{Exports the audit results as an XML (.xml) file.},
             content_type: 'text/xml',
             author:       'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:      '0.3.3',
+            version:      '0.3.4',
             options:      [ Options.outfile( '.xml' ), Options.skip_responses ]
         }
     end

data/components/reporters/xml/schema.xsd CHANGED

@@ -35,9 +35,104 @@
             <xs:element name="waf_detector" type="plugin_waf_detector" maxOccurs="1"/>
             <xs:element name="vector_collector" type="plugin_vector_collector" maxOccurs="1"/>
             <xs:element name="exec" type="plugin_exec" maxOccurs="1"/>
+            <xs:element name="metrics" type="plugin_metrics" maxOccurs="1"/>
         </xs:choice>
     </xs:complexType>
+    <xs:complexType name="plugin_metrics">
+        <xs:all>
+            <xs:element name="name" type="xs:string"/>
+            <xs:element name="description" type="xs:string"/>
+            <xs:element name="results" type="plugin_metrics_results"/>
+        </xs:all>
+    </xs:complexType>
+    <xs:complexType name="plugin_metrics_results">
+        <xs:all>
+            <xs:element name="general" type="plugin_metrics_results_general"/>
+            <xs:element name="scan" type="plugin_metrics_results_scan"/>
+            <xs:element name="http" type="plugin_metrics_results_http"/>
+            <xs:element name="resource" type="plugin_metrics_results_resource"/>
+            <xs:element name="element" type="plugin_metrics_results_element"/>
+            <xs:element name="dom" type="plugin_metrics_results_dom"/>
+            <xs:element name="platforms" type="plugin_metrics_results_platforms"/>
+        </xs:all>
+    </xs:complexType>
+    <xs:complexType name="plugin_metrics_results_general">
+        <xs:all>
+            <xs:element name="egress_traffic" type="xs:integer"/>
+            <xs:element name="ingress_traffic" type="xs:integer"/>
+            <xs:element name="uses_http" type="xs:boolean"/>
+            <xs:element name="uses_https" type="xs:boolean"/>
+        </xs:all>
+    </xs:complexType>
+    <xs:complexType name="plugin_metrics_results_scan">
+        <xs:all>
+            <xs:element name="duration" type="xs:float"/>
+            <xs:element name="authenticated" type="xs:boolean"/>
+        </xs:all>
+    </xs:complexType>
+    <xs:complexType name="plugin_metrics_results_http">
+        <xs:all>
+            <xs:element name="requests" type="xs:integer"/>
+            <xs:element name="response_time_min" type="xs:float"/>
+            <xs:element name="response_time_max" type="xs:float"/>
+            <xs:element name="response_time_average" type="xs:float"/>
+            <xs:element name="response_size_min" type="xs:float"/>
+            <xs:element name="response_size_max" type="xs:float"/>
+            <xs:element name="response_size_average" type="xs:float"/>
+            <xs:element name="request_size_min" type="xs:float"/>
+            <xs:element name="request_size_max" type="xs:float"/>
+            <xs:element name="request_size_average" type="xs:float"/>
+        </xs:all>
+    </xs:complexType>
+    <xs:complexType name="plugin_metrics_results_resource">
+        <xs:all>
+            <xs:element name="binary" type="xs:integer"/>
+            <xs:element name="without_parameters" type="xs:integer"/>
+            <xs:element name="with_parameters" type="xs:integer"/>
+        </xs:all>
+    </xs:complexType>
+    <xs:complexType name="plugin_metrics_results_element">
+        <xs:all>
+            <xs:element name="links" type="xs:integer"/>
+            <xs:element name="forms" type="xs:integer"/>
+            <xs:element name="has_forms_with_nonces" type="xs:boolean"/>
+            <xs:element name="has_forms_with_passwords" type="xs:boolean"/>
+            <xs:element name="cookies" type="xs:integer"/>
+            <xs:element name="headers" type="xs:integer"/>
+            <xs:element name="xmls" type="xs:integer"/>
+            <xs:element name="jsons" type="xs:integer"/>
+            <xs:element name="input_names_total" type="xs:integer"/>
+            <xs:element name="input_names_unique" type="xs:integer"/>
+        </xs:all>
+    </xs:complexType>
+    <xs:complexType name="plugin_metrics_results_dom">
+        <xs:all>
+            <xs:element name="event_listeners" type="xs:integer"/>
+            <xs:element name="swf_objects" type="xs:integer"/>
+        </xs:all>
+    </xs:complexType>
+    <xs:complexType name="plugin_metrics_results_platforms">
+        <xs:all>
+            <!-- CSV platform names for values in these fields. -->
+            <xs:element name="os" type="xs:string"/>
+            <xs:element name="db" type="xs:string"/>
+            <xs:element name="servers" type="xs:string"/>
+            <xs:element name="languages" type="xs:string"/>
+            <xs:element name="frameworks" type="xs:string"/>
+        </xs:all>
+    </xs:complexType>
     <xs:complexType name="plugin_exec">
         <xs:all>
             <xs:element name="name" type="xs:string"/>

data/lib/arachni.rb CHANGED

@@ -9,6 +9,8 @@
 require 'rubygems'
 require 'bundler/setup'
+require 'oj_mimic_json'
 def ap( obj )
     super obj, raw: true
 end

data/lib/arachni/browser.rb CHANGED

@@ -70,7 +70,16 @@ class Browser
     # Let the browser take as long as it needs to complete an operation.
     WATIR_COM_TIMEOUT = 3600 # 1 hour.
-    HTML_IDENTIFIERS = ['<!doctype html', '<html', '<head', '<body', '<title', '<script']
+    ASSET_EXTENSIONS = Set.new(
+        ['css', 'js', 'jpg', 'jpeg', 'png', 'gif', 'woff', 'json']
+    )
+    ASSET_EXTRACTORS = [
+        /<\s*link.*?href=['"](.*?)['"].*?>/im,
+        /<\s*script.*?src=['"](.*?)['"].*?>/im,
+        /<\s*img.*?src=['"](.*?)['"].*?>/im,
+        /<\s*input.*?src=['"](.*?)['"].*?>/im,
+    ]
     # @return   [Array<Page::DOM::Transition>]
     attr_reader :transitions
@@ -107,6 +116,10 @@ class Browser
     # @return   [Integer]
     attr_reader :pid
+    attr_reader :last_url
+    attr_reader :last_dom_url
     # @return   [Bool]
     #   `true` if a supported browser is in the OS PATH, `false` otherwise.
     def self.has_executable?
@@ -119,6 +132,19 @@ class Browser
         Selenium::WebDriver::PhantomJS.path
     end
+    def self.asset_domains
+        @asset_domains ||= Set.new
+    end
+    asset_domains
+    def self.add_asset_domain( url )
+        return if url.to_s.empty?
+        return if !(curl = Arachni::URI( url ))
+        return if !(domain = curl.domain)
+        asset_domains << domain
+    end
     # @param    [Hash]  options
     # @option options   [Integer]    :concurrency
     #   Maximum number of concurrent connections.
@@ -313,7 +339,8 @@ class Browser
             @add_request_transitions = false
         end
-        @last_url = url
+        @last_url = Arachni::URI( url ).to_s
+        self.class.add_asset_domain @last_url
         ensure_open_window
@@ -326,9 +353,23 @@ class Browser
             watir.goto url
             @javascript.wait_till_ready
+            wait_for_pending_requests
             wait_for_timers
-            wait_for_pending_requests
+            url = watir.url
+            Options.browser_cluster.css_to_wait_for( url ).each do |css|
+                print_info "Waiting for #{css.inspect} to appear for: #{url}"
+                begin
+                    watir.element( css: css ).
+                        wait_until_present( Options.browser_cluster.job_timeout )
+                    print_info "#{css.inspect} appeared for: #{url}"
+                rescue Watir::Wait::TimeoutError
+                    print_bad "#{css.inspect} did not appeared for: #{url}"
+                end
+            end
             javascript.set_element_ids
         end
@@ -771,32 +812,35 @@ class Browser
         # them if no events are associated with it.
         #
         # This can save **A LOT** of time during the audit.
-        if Options.audit.form_doms? && @javascript.supported?
-            page.forms.each do |form|
-                next if !form.node || !form.dom
+        if @javascript.supported?
+            if Options.audit.form_doms?
+                page.forms.each do |form|
+                    next if !form.node || !form.dom
-                action = form.node['action'].to_s
-                form.dom.browser = self
+                    action = form.node['action'].to_s
+                    form.dom.browser = self
-                next if action.downcase.start_with?( 'javascript:' ) ||
-                    form.dom.locate.events.any?
+                    next if action.downcase.start_with?( 'javascript:' ) ||
+                        form.dom.locate.events.any?
+                    form.skip_dom = true
+                end
-                form.skip_dom = true
+                page.update_metadata
+                page.clear_cache
             end
-            page.update_metadata
-        end
+            if Options.audit.cookie_doms?
+                sinks = @javascript.taint_tracer.data_flow_sinks
+                page.cookies.each do |cookie|
+                    next if sinks.include?( cookie.name ) ||
+                        sinks.include?( cookie.value )
-        if Options.audit.cookie_doms? && @javascript.supported?
-            sinks = @javascript.taint_tracer.data_flow_sinks
-            page.cookies.each do |cookie|
-                next if sinks.include?( cookie.name ) ||
-                    sinks.include?( cookie.value )
+                    cookie.skip_dom = true
+                end
-                cookie.skip_dom = true
+                page.update_metadata
             end
-            page.update_metadata
         end
         page
@@ -890,7 +934,7 @@ class Browser
             c[:path]     = '/' if c[:path] == '//'
             c[:name]     = Cookie.decode( c[:name].to_s )
-            c[:value]    = Cookie.decode( c[:value].to_s )
+            c[:value]    = Cookie.value_to_v0( c[:value].to_s )
             c[:httponly] = !js_cookies.include?( original_name )
             Cookie.new c.merge( url: @last_url || url )
@@ -1090,11 +1134,12 @@ class Browser
                         buff = ''
                         # Wait for PhantomJS to initialize.
                          while !buff.include?( 'running on port' )
-                             # It's silly to use #getc but it works consistently
-                             # across MRI, Rubinius and JRuby.
-                             buff << (out.getc rescue '').to_s
+                             # This can be problematic on something other than
+                             # MRI.
+                             buff << (out.readline rescue '').to_s
                          end
+                        buff = nil
                         print_debug 'Boot-up complete.'
                         done = true
                     end
@@ -1106,6 +1151,7 @@ class Browser
             if @process.io.stdout
                 last_attempt_output = IO.read( @process.io.stdout )
                 print_debug last_attempt_output
+                @process.io.stdout.close!
             end
             if done
@@ -1286,7 +1332,17 @@ class Browser
         request.performer = self
         return if request.headers['X-Arachni-Browser-Auth'] != auth_token
-        request.headers.delete( 'X-Arachni-Browser-Auth' )
+        request.headers.delete 'X-Arachni-Browser-Auth'
+        # We can't have 304 page responses in the framework, we need full request
+        # and response data, the browser cache doesn't help us here.
+        #
+        # Still, it's a nice feature to have when requesting assets or anything
+        # else.
+        if request.url == @last_url
+            request.headers.delete 'If-None-Match'
+            request.headers.delete 'If-Modified-Since'
+        end
         return if @javascript.serve( request, response )
@@ -1300,21 +1356,29 @@ class Browser
         # Signal the proxy to not actually perform the request if we have a
         # preloaded or cached response for it.
-        return if from_preloads( request, response ) || from_cache( request, response )
-        begin
-            # Capture the request as elements of pages -- let's us grab AJAX and
-            # other browser requests and convert them into elements we can analyze
-            # and audit.
-            capture( request )
-        rescue => e
-            print_debug "Could not capture: #{request.url}"
-            print_debug request.body.to_s
-            print_debug_exception e
+        if from_preloads( request, response ) || from_cache( request, response )
+            # There may be taints or custom JS code that need to be updated.
+            javascript.inject response
+            return
         end
+        # Capture the request as elements of pages -- let's us grab AJAX and
+        # other browser requests and convert them into elements we can analyze
+        # and audit.
+        capture( request )
         request.headers['user-agent'] = Options.http.user_agent
+        # The proxy has an unlimited response_max_size so if we're not requesting
+        # an asset remove the response_max_size option so that it'll end up using
+        # the system settings.
+        #
+        # However, this is not foolproof, a lot of assets don't have the expected
+        # extension.
+        if !request_for_asset?( request )
+            request.response_max_size = nil
+        end
         # Signal the proxy to continue with its request to the origin server.
         true
     end
@@ -1327,63 +1391,50 @@ class Browser
             transition.complete
         end
+        javascript.inject response
+        # Don't store assets, the browsers will cache them accordingly.
+        return if request_for_asset?( request ) || !response.text?
         # No-matter the scope, don't store resources for external domains.
         return if !response.scope.in_domain?
         return if enforce_scope? && response.scope.out?
-        intercept response
+        whitelist_asset_domains( response )
         save_response response
         nil
     end
-    def intercept( response )
-        return if !intercept?( response )
-        @javascript.inject( response )
-    end
+    def ignore_request?( request )
+        return if !enforce_scope?
-    def intercept?( response )
-        return false if response.body.empty?
+        return false if request_for_asset?( request )
-        # We only care about HTML.
-        return false if !response.headers.content_type.to_s.downcase.start_with?( 'text/html' )
+        return true if !request.scope.follow_protocol?
-        # Let's check that the response at least looks like it contains HTML
-        # code of interest.
-        body = response.body.downcase
-        return false if !HTML_IDENTIFIERS.find { |tag| body.include? tag.downcase }
+        return true if !request.scope.in_domain? &&
+            !self.class.asset_domains.include?( request.parsed_url.domain )
-        # The last check isn't fool-proof, so don't do it when loading the page
-        # for the first time, but only when the page loads stuff via AJAX and whatnot.
-        #
-        # Well, we can be pretty sure that the root page will be HTML anyways.
-        return true if @last_url == response.url
+        return true if request.scope.too_deep?
+        return true if !request.scope.include?
+        return true if request.scope.exclude?
+        return true if request.scope.redundant?
-        # Finally, verify that we're really working with markup (hopefully HTML)
-        # and that the previous checks weren't just flukes matching some other
-        # kind of document.
-        #
-        # For example, it may have been JSON with the wrong content-type that
-        # includes HTML -- it happens.
-        begin
-            return false if Nokogiri::XML( response.body ).children.empty?
-        rescue => e
-            print_debug "Javascript injection failed for: #{response.url}"
-            print_debug "\n#{response.body}"
-            print_debug_exception e
-            return false
-        end
-        true
+        false
     end
-    def ignore_request?( request )
-        return if !enforce_scope?
+    def request_for_asset?( request )
+        ASSET_EXTENSIONS.include?( request.parsed_url.resource_extension.to_s.downcase )
+    end
-        # Only allow CSS and JS resources to be loaded from out-of-scope domains.
-        !['css', 'js'].include?( request.parsed_url.resource_extension ) &&
-            (request.scope.out? || request.scope.redundant?)
+    def whitelist_asset_domains( response )
+        ASSET_EXTRACTORS.each do |regexp|
+            response.body.scan( regexp ).flatten.compact.each do |url|
+                self.class.add_asset_domain url
+            end
+        end
     end
     def capture( request )
@@ -1452,6 +1503,10 @@ class Browser
         @captured_pages << page if store_pages?
         notify_on_new_page( page )
+    rescue => e
+        print_debug "Could not capture: #{request.url}"
+        print_debug request.body.to_s
+        print_debug_exception e
     end
     def from_preloads( request, response )
@@ -1478,7 +1533,7 @@ class Browser
             destination.send "#{m}=", source.send( m )
         end
-        intercept destination
+        javascript.inject destination
         nil
     end