arachni 1.2.1 → 1.3
- checksums.yaml +4 -4
- data/CHANGELOG.md +66 -0
- data/Gemfile +1 -1
- data/README.md +16 -5
- data/components/checks/active/ldap_injection/errors.txt +1 -0
- data/components/checks/active/source_code_disclosure.rb +1 -1
- data/components/checks/active/unvalidated_redirect.rb +6 -6
- data/components/checks/active/unvalidated_redirect_dom.rb +10 -7
- data/components/checks/passive/grep/captcha.rb +14 -5
- data/components/checks/passive/grep/form_upload.rb +7 -3
- data/components/checks/passive/grep/hsts.rb +3 -3
- data/components/checks/passive/grep/html_objects.rb +2 -3
- data/components/checks/passive/grep/http_only_cookies.rb +2 -3
- data/components/checks/passive/grep/insecure_cookies.rb +1 -1
- data/components/checks/passive/grep/password_autocomplete.rb +2 -2
- data/components/checks/passive/grep/unencrypted_password_forms.rb +7 -7
- data/components/checks/passive/grep/x_frame_options.rb +2 -2
- data/components/checks/passive/http_put.rb +2 -3
- data/components/path_extractors/comments.rb +3 -3
- data/components/path_extractors/scripts.rb +10 -1
- data/components/plugins/defaults/autothrottle.rb +27 -18
- data/components/plugins/defaults/meta/remedies/discovery.rb +30 -33
- data/components/plugins/defaults/meta/remedies/timing_attacks.rb +7 -11
- data/components/plugins/login_script.rb +9 -3
- data/components/plugins/proxy.rb +4 -3
- data/components/reporters/html.rb +11 -14
- data/components/reporters/html/default/issue.erb +13 -38
- data/components/reporters/html/default/issue/info.erb +1 -1
- data/components/reporters/html/default/summary/issues/by_name.erb +3 -3
- data/components/reporters/stdout.rb +62 -71
- data/components/reporters/xml.rb +26 -40
- data/components/reporters/xml/schema.xsd +43 -89
- data/lib/arachni/browser.rb +52 -3
- data/lib/arachni/browser/javascript.rb +3 -3
- data/lib/arachni/browser/javascript/scripts/taint_tracer.js +46 -25
- data/lib/arachni/browser_cluster.rb +61 -0
- data/lib/arachni/browser_cluster/job.rb +21 -1
- data/lib/arachni/browser_cluster/jobs/browser_provider.rb +3 -1
- data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +2 -1
- data/lib/arachni/browser_cluster/jobs/resource_exploration/event_trigger.rb +2 -1
- data/lib/arachni/browser_cluster/jobs/taint_trace.rb +3 -2
- data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +1 -1
- data/lib/arachni/browser_cluster/worker.rb +5 -0
- data/lib/arachni/check/auditor.rb +22 -12
- data/lib/arachni/data/framework.rb +13 -1
- data/lib/arachni/data/issues.rb +9 -25
- data/lib/arachni/element/base.rb +9 -3
- data/lib/arachni/element/capabilities/analyzable.rb +2 -6
- data/lib/arachni/element/capabilities/analyzable/differential.rb +24 -7
- data/lib/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +23 -23
- data/lib/arachni/element/capabilities/auditable.rb +0 -6
- data/lib/arachni/element/capabilities/dom_only.rb +61 -0
- data/lib/arachni/element/capabilities/with_dom.rb +3 -1
- data/lib/arachni/element/cookie.rb +35 -5
- data/lib/arachni/element/cookie/dom.rb +13 -4
- data/lib/arachni/element/{capabilities/auditable/dom.rb → dom.rb} +20 -68
- data/lib/arachni/element/dom/capabilities/auditable.rb +29 -0
- data/lib/arachni/element/dom/capabilities/inputtable.rb +27 -0
- data/lib/arachni/element/dom/capabilities/mutable.rb +21 -0
- data/lib/arachni/element/dom/capabilities/submittable.rb +52 -0
- data/lib/arachni/element/form.rb +12 -1
- data/lib/arachni/element/form/capabilities/mutable.rb +2 -1
- data/lib/arachni/element/form/capabilities/with_dom.rb +0 -1
- data/lib/arachni/element/form/dom.rb +9 -3
- data/lib/arachni/element/header.rb +14 -33
- data/lib/arachni/element/header/capabilities/inputtable.rb +29 -0
- data/lib/arachni/element/header/capabilities/mutable.rb +51 -0
- data/lib/arachni/element/input/dom.rb +71 -0
- data/lib/arachni/element/json.rb +2 -0
- data/lib/arachni/element/link.rb +3 -0
- data/lib/arachni/element/link/capabilities/with_dom.rb +0 -1
- data/lib/arachni/element/link/dom.rb +16 -3
- data/lib/arachni/element/link/dom/capabilities/submittable.rb +29 -0
- data/lib/arachni/element/link_template.rb +3 -5
- data/lib/arachni/element/link_template/capabilities/inputtable.rb +5 -0
- data/lib/arachni/element/link_template/capabilities/with_dom.rb +0 -1
- data/lib/arachni/element/link_template/dom.rb +16 -3
- data/lib/arachni/element/link_template/dom/capabilities/submittable.rb +29 -0
- data/lib/arachni/element/server.rb +3 -5
- data/lib/arachni/element/ui_form.rb +106 -0
- data/lib/arachni/element/ui_form/dom.rb +107 -0
- data/lib/arachni/element/ui_input.rb +62 -0
- data/lib/arachni/element/xml.rb +2 -1
- data/lib/arachni/framework.rb +7 -5
- data/lib/arachni/framework/parts/audit.rb +0 -1
- data/lib/arachni/framework/parts/check.rb +1 -0
- data/lib/arachni/framework/parts/data.rb +4 -0
- data/lib/arachni/framework/parts/state.rb +0 -2
- data/lib/arachni/http/client.rb +17 -6
- data/lib/arachni/http/proxy_server.rb +52 -5
- data/lib/arachni/http/request.rb +1 -1
- data/lib/arachni/issue.rb +34 -179
- data/lib/arachni/issue/severity.rb +2 -0
- data/lib/arachni/option_groups/audit.rb +22 -2
- data/lib/arachni/option_groups/browser_cluster.rb +15 -0
- data/lib/arachni/page.rb +3 -2
- data/lib/arachni/parser.rb +24 -5
- data/lib/arachni/platform/manager.rb +1 -2
- data/lib/arachni/rpc/server/framework.rb +3 -4
- data/lib/arachni/rpc/server/framework/multi_instance.rb +2 -1
- data/lib/arachni/session.rb +1 -1
- data/lib/arachni/trainer.rb +4 -7
- data/lib/arachni/watir/element.rb +12 -1
- data/lib/version +1 -1
- data/spec/arachni/browser/element_locator_spec.rb +43 -43
- data/spec/arachni/browser/javascript/dom_monitor_spec.rb +44 -44
- data/spec/arachni/browser/javascript/proxy/stub_spec.rb +17 -14
- data/spec/arachni/browser/javascript/proxy_spec.rb +24 -24
- data/spec/arachni/browser/javascript/taint_tracer/frame/called_function_spec.rb +11 -11
- data/spec/arachni/browser/javascript/taint_tracer/frame_spec.rb +7 -7
- data/spec/arachni/browser/javascript/taint_tracer/sink/data_flow_spec.rb +13 -13
- data/spec/arachni/browser/javascript/taint_tracer/sink/execution_flow_spec.rb +7 -7
- data/spec/arachni/browser/javascript/taint_tracer_spec.rb +568 -558
- data/spec/arachni/browser/javascript_spec.rb +73 -63
- data/spec/arachni/browser_cluster/job/result_spec.rb +3 -3
- data/spec/arachni/browser_cluster/job_spec.rb +68 -48
- data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger/result_spec.rb +2 -2
- data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger_spec.rb +5 -4
- data/spec/arachni/browser_cluster/jobs/resource_exploration/result_spec.rb +2 -2
- data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +5 -5
- data/spec/arachni/browser_cluster/worker_spec.rb +87 -70
- data/spec/arachni/browser_cluster_spec.rb +64 -39
- data/spec/arachni/browser_spec.rb +692 -527
- data/spec/arachni/check/auditor_spec.rb +177 -147
- data/spec/arachni/check/base_spec.rb +33 -33
- data/spec/arachni/check/manager_spec.rb +15 -15
- data/spec/arachni/component/base_spec.rb +8 -8
- data/spec/arachni/component/manager_spec.rb +100 -99
- data/spec/arachni/component/options/address_spec.rb +3 -3
- data/spec/arachni/component/options/base_spec.rb +7 -7
- data/spec/arachni/component/options/bool_spec.rb +9 -9
- data/spec/arachni/component/options/float_spec.rb +6 -6
- data/spec/arachni/component/options/int_spec.rb +5 -5
- data/spec/arachni/component/options/multiple_choice_spec.rb +12 -12
- data/spec/arachni/component/options/object_spec.rb +2 -2
- data/spec/arachni/component/options/path_spec.rb +3 -3
- data/spec/arachni/component/options/port_spec.rb +5 -5
- data/spec/arachni/component/options/string_spec.rb +3 -3
- data/spec/arachni/component/options/url_spec.rb +4 -4
- data/spec/arachni/component/utilities_spec.rb +2 -2
- data/spec/arachni/data/framework/rpc_spec.rb +10 -9
- data/spec/arachni/data/framework_spec.rb +65 -46
- data/spec/arachni/data/issues_spec.rb +39 -77
- data/spec/arachni/data/plugins_spec.rb +11 -11
- data/spec/arachni/data/session_spec.rb +6 -6
- data/spec/arachni/data_spec.rb +8 -8
- data/spec/arachni/element/body_spec.rb +10 -10
- data/spec/arachni/element/capabilities/analyzable/differential_spec.rb +39 -21
- data/spec/arachni/element/capabilities/analyzable/{taint_spec.rb → signature_spec.rb} +63 -63
- data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +51 -51
- data/spec/arachni/element/capabilities/with_scope/scope_spec.rb +5 -5
- data/spec/arachni/element/cookie/dom_spec.rb +37 -18
- data/spec/arachni/element/cookie_spec.rb +206 -139
- data/spec/arachni/element/form/dom_spec.rb +36 -19
- data/spec/arachni/element/form_spec.rb +210 -187
- data/spec/arachni/element/generic_dom_spec.rb +14 -14
- data/spec/arachni/element/header_spec.rb +35 -17
- data/spec/arachni/element/json_spec.rb +53 -31
- data/spec/arachni/element/link/dom_spec.rb +46 -28
- data/spec/arachni/element/link_spec.rb +58 -40
- data/spec/arachni/element/link_template/dom_spec.rb +47 -29
- data/spec/arachni/element/link_template_spec.rb +79 -61
- data/spec/arachni/element/path_spec.rb +1 -1
- data/spec/arachni/element/server_spec.rb +33 -32
- data/spec/arachni/element/ui_form/ui_form_dom_spec.rb +164 -0
- data/spec/arachni/element/ui_form_spec.rb +242 -0
- data/spec/arachni/element/ui_input/dom_spec.rb +157 -0
- data/spec/arachni/element/ui_input_spec.rb +136 -0
- data/spec/arachni/element/xml_spec.rb +42 -24
- data/spec/arachni/element_filter_spec.rb +49 -48
- data/spec/arachni/error_spec.rb +3 -3
- data/spec/arachni/framework/parts/audit_spec.rb +64 -63
- data/spec/arachni/framework/parts/browser_spec.rb +16 -16
- data/spec/arachni/framework/parts/check_spec.rb +3 -3
- data/spec/arachni/framework/parts/data_spec.rb +48 -48
- data/spec/arachni/framework/parts/platform_spec.rb +3 -3
- data/spec/arachni/framework/parts/plugin_spec.rb +7 -6
- data/spec/arachni/framework/parts/report_spec.rb +7 -7
- data/spec/arachni/framework/parts/scope_spec.rb +16 -16
- data/spec/arachni/framework/parts/state_spec.rb +68 -69
- data/spec/arachni/framework_spec.rb +39 -31
- data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +32 -32
- data/spec/arachni/http/client_spec.rb +219 -208
- data/spec/arachni/http/cookie_jar_spec.rb +72 -72
- data/spec/arachni/http/headers_spec.rb +14 -14
- data/spec/arachni/http/proxy_server_spec.rb +43 -42
- data/spec/arachni/http/request_spec.rb +105 -103
- data/spec/arachni/http/response/scope_spec.rb +24 -24
- data/spec/arachni/http/response_spec.rb +50 -49
- data/spec/arachni/issue/severity_spec.rb +10 -9
- data/spec/arachni/issue_spec.rb +71 -369
- data/spec/arachni/option_groups/audit_spec.rb +114 -114
- data/spec/arachni/option_groups/browser_cluster_spec.rb +20 -3
- data/spec/arachni/option_groups/datastore_spec.rb +6 -6
- data/spec/arachni/option_groups/dispatcher_spec.rb +19 -19
- data/spec/arachni/option_groups/http_spec.rb +11 -11
- data/spec/arachni/option_groups/input_spec.rb +31 -27
- data/spec/arachni/option_groups/output_spec.rb +2 -2
- data/spec/arachni/option_groups/paths_spec.rb +17 -17
- data/spec/arachni/option_groups/rpc_spec.rb +2 -2
- data/spec/arachni/option_groups/scope_spec.rb +40 -40
- data/spec/arachni/option_groups/session_spec.rb +6 -5
- data/spec/arachni/option_groups/snapshot_spec.rb +4 -4
- data/spec/arachni/options_spec.rb +46 -45
- data/spec/arachni/page/dom/transition_spec.rb +74 -72
- data/spec/arachni/page/dom_spec.rb +35 -35
- data/spec/arachni/page/scope_spec.rb +15 -15
- data/spec/arachni/page_spec.rb +217 -217
- data/spec/arachni/parser_spec.rb +106 -104
- data/spec/arachni/platform/fingerprinter_spec.rb +17 -14
- data/spec/arachni/platform/list_spec.rb +33 -33
- data/spec/arachni/platform/manager_spec.rb +67 -64
- data/spec/arachni/plugin/base_spec.rb +10 -10
- data/spec/arachni/plugin/manager_spec.rb +38 -37
- data/spec/arachni/report_spec.rb +43 -40
- data/spec/arachni/reporter/base_spec.rb +15 -15
- data/spec/arachni/reporter/manager_spec.rb +4 -4
- data/spec/arachni/reporter/options_spec.rb +6 -6
- data/spec/arachni/rpc/client/base_spec.rb +6 -6
- data/spec/arachni/rpc/client/dispatcher_spec.rb +2 -2
- data/spec/arachni/rpc/client/instance_spec.rb +6 -6
- data/spec/arachni/rpc/server/active_options_spec.rb +11 -8
- data/spec/arachni/rpc/server/base_spec.rb +5 -5
- data/spec/arachni/rpc/server/checks/manager_spec.rb +8 -8
- data/spec/arachni/rpc/server/dispatcher/node_spec.rb +37 -37
- data/spec/arachni/rpc/server/dispatcher/service_spec.rb +15 -14
- data/spec/arachni/rpc/server/dispatcher_spec.rb +36 -35
- data/spec/arachni/rpc/server/framework/distributor_spec.rb +36 -36
- data/spec/arachni/rpc/server/framework_multi_spec.rb +340 -336
- data/spec/arachni/rpc/server/framework_spec.rb +90 -85
- data/spec/arachni/rpc/server/instance_spec.rb +126 -107
- data/spec/arachni/rpc/server/output_spec.rb +1 -1
- data/spec/arachni/rpc/server/plugin/manager_spec.rb +6 -6
- data/spec/arachni/ruby/array_spec.rb +42 -42
- data/spec/arachni/ruby/hash_spec.rb +20 -18
- data/spec/arachni/ruby/io_spec.rb +2 -2
- data/spec/arachni/ruby/object_spec.rb +1 -1
- data/spec/arachni/ruby/set_spec.rb +3 -3
- data/spec/arachni/ruby/string_spec.rb +30 -30
- data/spec/arachni/ruby/webrick_spec.rb +2 -2
- data/spec/arachni/scope_spec.rb +1 -1
- data/spec/arachni/session_spec.rb +67 -64
- data/spec/arachni/snapshot_spec.rb +15 -15
- data/spec/arachni/state/audit_spec.rb +11 -11
- data/spec/arachni/state/element_filter_spec.rb +6 -6
- data/spec/arachni/state/framework/rpc_spec.rb +12 -12
- data/spec/arachni/state/framework_spec.rb +125 -121
- data/spec/arachni/state/http_spec.rb +7 -7
- data/spec/arachni/state/options_spec.rb +7 -7
- data/spec/arachni/state/plugins_spec.rb +8 -8
- data/spec/arachni/state_spec.rb +10 -10
- data/spec/arachni/support/buffer/autoflush_spec.rb +16 -16
- data/spec/arachni/support/buffer/base_spec.rb +39 -39
- data/spec/arachni/support/cache/least_cost_replacement_spec.rb +18 -18
- data/spec/arachni/support/cache/least_recently_pushed_spec.rb +24 -24
- data/spec/arachni/support/cache/least_recently_used_spec.rb +20 -20
- data/spec/arachni/support/cache/preference_spec.rb +4 -4
- data/spec/arachni/support/cache/random_replacement_spec.rb +8 -8
- data/spec/arachni/support/crypto/rsa_aes_cbc_spec.rb +1 -1
- data/spec/arachni/support/database/hash_spec.rb +44 -43
- data/spec/arachni/support/database/queue_spec.rb +27 -27
- data/spec/arachni/support/lookup/hash_set_spec.rb +8 -8
- data/spec/arachni/support/lookup/moolb_spec.rb +3 -3
- data/spec/arachni/support/mixins/observable_spec.rb +6 -6
- data/spec/arachni/support/signature_spec.rb +19 -19
- data/spec/arachni/trainer_spec.rb +39 -39
- data/spec/arachni/typhoeus/hydra_spec.rb +2 -2
- data/spec/arachni/uri/scope_spec.rb +66 -66
- data/spec/arachni/uri_spec.rb +107 -105
- data/spec/arachni/utilities_spec.rb +40 -40
- data/spec/components/checks/active/csrf_spec.rb +8 -8
- data/spec/components/checks/active/no_sql_injection_spec.rb +1 -1
- data/spec/components/checks/active/sql_injection_spec.rb +16 -16
- data/spec/components/checks/active/trainer_spec.rb +4 -4
- data/spec/components/checks/active/unvalidated_redirect_dom_spec.rb +4 -2
- data/spec/components/checks/active/xpath_injection_spec.rb +1 -1
- data/spec/components/checks/active/xss_dom_script_context_spec.rb +51 -21
- data/spec/components/checks/active/xss_dom_spec.rb +46 -24
- data/spec/components/checks/passive/allowed_methods_spec.rb +1 -1
- data/spec/components/checks/passive/grep/cookie_set_for_parent_domain_spec.rb +1 -1
- data/spec/components/checks/passive/grep/hsts_spec.rb +2 -2
- data/spec/components/checks/passive/grep/http_only_cookies_spec.rb +1 -1
- data/spec/components/checks/passive/grep/insecure_cookies_spec.rb +1 -1
- data/spec/components/checks/passive/grep/insecure_cors_policy_spec.rb +2 -2
- data/spec/components/checks/passive/grep/password_autocomplete_spec.rb +1 -1
- data/spec/components/checks/passive/grep/private_ip_spec.rb +3 -3
- data/spec/components/checks/passive/grep/unencrypted_password_forms_spec.rb +1 -1
- data/spec/components/checks/passive/grep/x_frame_options_spec.rb +2 -2
- data/spec/components/checks/passive/interesting_responses_spec.rb +2 -2
- data/spec/components/checks/passive/webdav_spec.rb +1 -1
- data/spec/components/checks/passive/xst_spec.rb +1 -1
- data/spec/components/fingerprinters/servers/apache_spec.rb +2 -2
- data/spec/components/path_extractors/comments_spec.rb +5 -1
- data/spec/components/path_extractors/scripts_spec.rb +5 -2
- data/spec/components/plugins/autologin_spec.rb +22 -22
- data/spec/components/plugins/autothrottle_spec.rb +6 -5
- data/spec/components/plugins/content_types_spec.rb +4 -4
- data/spec/components/plugins/cookie_collector_spec.rb +5 -5
- data/spec/components/plugins/exec_spec.rb +12 -12
- data/spec/components/plugins/form_dicattack_spec.rb +3 -3
- data/spec/components/plugins/headers_collector_spec.rb +8 -8
- data/spec/components/plugins/healthmap_spec.rb +3 -3
- data/spec/components/plugins/http_dicattack_spec.rb +3 -3
- data/spec/components/plugins/login_script_spec.rb +79 -22
- data/spec/components/plugins/meta/remedies/discovery_spec.rb +3 -2
- data/spec/components/plugins/meta/remedies/timing_attacks_spec.rb +3 -3
- data/spec/components/plugins/meta/uniformity_spec.rb +2 -2
- data/spec/components/plugins/restrict_to_dom_state_spec.rb +1 -1
- data/spec/components/plugins/script_spec.rb +1 -1
- data/spec/components/plugins/uncommon_headers_spec.rb +2 -2
- data/spec/components/plugins/vector_collector_spec.rb +2 -2
- data/spec/components/plugins/vector_feed_spec.rb +40 -40
- data/spec/components/plugins/waf_detector_spec.rb +6 -6
- data/spec/components/reporters/json_spec.rb +4 -4
- data/spec/components/reporters/marshal_spec.rb +2 -2
- data/spec/components/reporters/yaml_spec.rb +3 -2
- data/spec/external/wavsep/active/sqli_spec.rb +1 -3
- data/spec/spec_helper.rb +4 -0
- data/spec/support/factories/element/ui_form.rb +14 -0
- data/spec/support/factories/element/ui_input.rb +13 -0
- data/spec/support/factories/issue.rb +0 -13
- data/spec/support/fixtures/report.afr +0 -0
- data/spec/support/fixtures/{taint_check/taint.rb → signature_check/signature.rb} +2 -2
- data/spec/support/helpers/browser_cluster/jobs/taint_tracer.rb +11 -11
- data/spec/support/helpers/framework.rb +1 -1
- data/spec/support/helpers/pages.rb +2 -2
- data/spec/support/servers/arachni/browser.rb +139 -0
- data/spec/support/servers/arachni/browser/javascript/taint_tracer.rb +40 -0
- data/spec/support/servers/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +0 -0
- data/spec/support/servers/arachni/element/input/input_dom.rb +102 -0
- data/spec/support/servers/arachni/element/ui_form/ui_form_dom.rb +238 -0
- data/spec/support/servers/checks/active/trainer_check.rb +7 -7
- data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +22 -6
- data/spec/support/servers/checks/active/xss_dom.rb +50 -0
- data/spec/support/servers/checks/active/xss_dom_script_context.rb +53 -0
- data/spec/support/shared/browser/javascript/taint_tracer/sink/base.rb +6 -6
- data/spec/support/shared/check.rb +10 -12
- data/spec/support/shared/component/options/base.rb +24 -24
- data/spec/support/shared/element/base.rb +25 -25
- data/spec/support/shared/element/capabilities/auditable.rb +116 -140
- data/spec/support/shared/element/capabilities/dom_only.rb +65 -0
- data/spec/support/shared/element/capabilities/inputtable.rb +71 -86
- data/spec/support/shared/element/capabilities/mutable.rb +122 -111
- data/spec/support/shared/element/capabilities/refreshable.rb +10 -10
- data/spec/support/shared/element/capabilities/{submitable.rb → submittable.rb} +26 -26
- data/spec/support/shared/element/capabilities/with_auditor.rb +10 -10
- data/spec/support/shared/element/capabilities/with_dom.rb +8 -8
- data/spec/support/shared/element/capabilities/with_node.rb +4 -6
- data/spec/support/shared/element/capabilities/with_scope.rb +2 -2
- data/spec/support/shared/element/capabilities/with_source.rb +6 -8
- data/spec/support/shared/element/dom.rb +144 -0
- data/spec/support/shared/element/dom/auditable.rb +42 -0
- data/spec/support/shared/element/dom/inputtable.rb +5 -0
- data/spec/support/shared/element/dom/mutable.rb +3 -0
- data/spec/support/shared/element/dom/submittable.rb +119 -0
- data/spec/support/shared/external/wavsep.rb +3 -3
- data/spec/support/shared/fingerprinter.rb +2 -2
- data/spec/support/shared/framework.rb +1 -1
- data/spec/support/shared/http/message.rb +9 -9
- data/spec/support/shared/option_group.rb +17 -17
- data/spec/support/shared/path_extractor.rb +1 -1
- data/spec/support/shared/plugin.rb +2 -2
- data/spec/support/shared/support/cache.rb +57 -57
- data/spec/support/shared/support/lookup.rb +25 -25
- data/ui/cli/framework.rb +22 -11
- data/ui/cli/framework/option_parser.rb +15 -0
- data/ui/cli/option_parser.rb +8 -1
- data/ui/cli/output.rb +2 -1
- metadata +54 -20
- data/components/checks/active/xss_dom_inputs.rb +0 -236
- data/spec/components/checks/active/xss_dom_inputs_spec.rb +0 -30
- data/spec/support/servers/checks/active/xss_dom_inputs.rb +0 -59
- data/spec/support/shared/element/capabilities/auditable/dom.rb +0 -322
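--- a/data/spec/arachni/browser/javascript/taint_tracer/frame/called_function_spec.rb
+++ b/data/spec/arachni/browser/javascript/taint_tracer/frame/called_function_spec.rb
@@ -5,12 +5,12 @@ describe Arachni::Browser::Javascript::TaintTracer::Frame::CalledFunction do
 subject { Factory[:called_function] }
 
 %w(source name arguments).each do |m|
-it {
-it {
+it { is_expected.to respond_to m }
+it { is_expected.to respond_to "#{m}=" }
 end
 
 it "supports #{Arachni::RPC::Serializer}" do
-subject.
+expect(subject).to eq(Arachni::RPC::Serializer.deep_clone( subject ))
 end
 
 describe '#to_rpc_data' do
@@ -18,7 +18,7 @@ describe Arachni::Browser::Javascript::TaintTracer::Frame::CalledFunction do
 
 %w(source name arguments).each do |attribute|
 it "includes '#{attribute}'" do
-data[attribute.to_sym].
+expect(data[attribute.to_sym]).to eq(subject.send( attribute ))
 end
 end
 end
@@ -29,7 +29,7 @@ describe Arachni::Browser::Javascript::TaintTracer::Frame::CalledFunction do
 
 %w(source name arguments).each do |attribute|
 it "restores '#{attribute}'" do
-restored.send( attribute ).
+expect(restored.send( attribute )).to eq(subject.send( attribute ))
 end
 end
 end
@@ -37,14 +37,14 @@ describe Arachni::Browser::Javascript::TaintTracer::Frame::CalledFunction do
 describe '#signature' do
 context 'when #source is available' do
 it 'returns the function signature' do
-subject.signature.
+expect(subject.signature).to eq('stuff(blah, blooh)')
 end
 end
 
 context 'when #source is not available' do
 it 'returns nil' do
 subject.source = nil
-subject.signature.
+expect(subject.signature).to be_nil
 end
 end
 end
@@ -52,21 +52,21 @@ describe Arachni::Browser::Javascript::TaintTracer::Frame::CalledFunction do
 describe '#signature_arguments' do
 context 'when #signature is available' do
 it 'returns the function arguments' do
-subject.signature_arguments.
+expect(subject.signature_arguments).to eq(%w(blah blooh))
 end
 end
 
 context 'when #source is not available' do
 it 'returns nil' do
-subject.
-subject.signature_arguments.
+allow(subject).to receive(:signature){ nil }
+expect(subject.signature_arguments).to be_nil
 end
 end
 end
 
 describe '#to_h' do
 it 'converts self to a hash' do
-subject.to_h.
+expect(subject.to_h).to eq(Factory[:called_function_data])
 end
 end
 end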
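Review bot: The `#signature_arguments` 'returns nil' example stubs the object under test with `allow(subject).to receive(:signature){ nil }` instead of putting it into the state its context names ('when #source is not available'). The `#signature` examples just above already set `subject.source = nil` and assert that `signature` is then nil, so the same setup here would exercise the real `signature` to `signature_arguments` path rather than a partial double: `subject.source = nil` followed by `expect(subject.signature_arguments).to be_nil`. The two contexts under `#signature_arguments` are also labelled inconsistently ('when #signature is available' vs 'when #source is not available'); one of them should be renamed so the pair reads as opposites.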
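--- a/data/spec/arachni/browser/javascript/taint_tracer/frame_spec.rb
+++ b/data/spec/arachni/browser/javascript/taint_tracer/frame_spec.rb
@@ -5,12 +5,12 @@ describe Arachni::Browser::Javascript::TaintTracer::Frame do
 subject { Factory[:frame] }
 
 %w(function url line).each do |m|
-it {
-it {
+it { is_expected.to respond_to m }
+it { is_expected.to respond_to "#{m}=" }
 end
 
 it "supports #{Arachni::RPC::Serializer}" do
-subject.
+expect(subject).to eq(Arachni::RPC::Serializer.deep_clone( subject ))
 end
 
 describe '#to_rpc_data' do
@@ -18,7 +18,7 @@ describe Arachni::Browser::Javascript::TaintTracer::Frame do
 
 %w(function url line).each do |attribute|
 it "includes '#{attribute}'" do
-data[attribute.to_sym].
+expect(data[attribute.to_sym]).to eq(subject.send( attribute ))
 end
 end
 end
@@ -29,18 +29,18 @@ describe Arachni::Browser::Javascript::TaintTracer::Frame do
 
 %w(function url line).each do |attribute|
 it "restores '#{attribute}'" do
-restored.send( attribute ).
+expect(restored.send( attribute )).to eq(subject.send( attribute ))
 end
 end
 end
 
 describe '#to_h' do
 it 'returns a hash containing frame data' do
-subject.to_h.
+expect(subject.to_h).to eq(Factory[:frame_data])
 end
 
 it 'is aliased to #to_hash' do
-subject.to_h.
+expect(subject.to_h).to eq(subject.to_hash)
 end
 end
 end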
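Review bot: In the `supports #{Arachni::RPC::Serializer}` example the arguments to the matcher are reversed: the untouched `subject` is passed as the actual value and the round-tripped copy as the expected one, so a failure message would label the serializer's output as "expected". Writing it as `expect(Arachni::RPC::Serializer.deep_clone( subject )).to eq(subject)` keeps the value under test on the `expect` side; the same line appears in the CalledFunction, DataFlow and ExecutionFlow specs. Separately, 'is aliased to #to_hash' only shows that both methods return equal data, not that one is an alias of the other, so the description promises more than `expect(subject.to_h).to eq(subject.to_hash)` checks.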
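--- a/data/spec/arachni/browser/javascript/taint_tracer/sink/data_flow_spec.rb
+++ b/data/spec/arachni/browser/javascript/taint_tracer/sink/data_flow_spec.rb
@@ -6,12 +6,12 @@ describe Arachni::Browser::Javascript::TaintTracer::Sink::DataFlow do
 subject { Factory[:data_flow] }
 
 %w(function object tainted_argument_index tainted_value taint).each do |m|
-it {
-it {
+it { is_expected.to respond_to m }
+it { is_expected.to respond_to "#{m}=" }
 end
 
 it "supports #{Arachni::RPC::Serializer}" do
-subject.
+expect(subject).to eq(Arachni::RPC::Serializer.deep_clone( subject ))
 end
 
 describe '#to_rpc_data' do
@@ -19,7 +19,7 @@ describe Arachni::Browser::Javascript::TaintTracer::Sink::DataFlow do
 
 %w(function object tainted_argument_index tainted_value taint).each do |attribute|
 it "includes '#{attribute}'" do
-data[attribute.to_sym].
+expect(data[attribute.to_sym]).to eq(subject.send( attribute ))
 end
 end
 end
@@ -30,7 +30,7 @@ describe Arachni::Browser::Javascript::TaintTracer::Sink::DataFlow do
 
 %w(function object tainted_argument_index tainted_value taint).each do |attribute|
 it "restores '#{attribute}'" do
-restored.send( attribute ).
+expect(restored.send( attribute )).to eq(subject.send( attribute ))
 end
 end
 end
@@ -38,14 +38,14 @@ describe Arachni::Browser::Javascript::TaintTracer::Sink::DataFlow do
 describe '#tainted_argument_value' do
 context 'when there are #arguments' do
 it 'returns the tainted argument' do
-subject.tainted_argument_value.
+expect(subject.tainted_argument_value).to eq('blah-val')
 end
 end
 
 context 'when there are no #arguments' do
 it 'returns nil' do
 subject.function.arguments = nil
-subject.tainted_argument_value.
+expect(subject.tainted_argument_value).to be_nil
 end
 end
 end
@@ -53,29 +53,29 @@ describe Arachni::Browser::Javascript::TaintTracer::Sink::DataFlow do
 describe '#tainted_argument_name' do
 context 'when there are #arguments' do
 it 'returns the tainted argument' do
-subject.tainted_argument_name.
+expect(subject.tainted_argument_name).to eq('blah')
 end
 end
 
 context "when there are are no #{Arachni::Browser::Javascript::TaintTracer::Frame::CalledFunction}#signature_arguments" do
 it 'returns nil' do
-subject.function.
-subject.tainted_argument_name.
+allow(subject.function).to receive(:signature_arguments){ nil }
+expect(subject.tainted_argument_name).to be_nil
 end
 end
 end
 
 describe '#to_h' do
 it 'returns a hash containing frame data' do
-subject.to_h.
+expect(subject.to_h).to eq(Factory[:data_flow])
 end
 
 it 'converts #function to hash' do
-subject.to_h[:function].
+expect(subject.to_h[:function]).to eq(Factory[:called_function_data])
 end
 
 it 'is aliased to #to_hash' do
-subject.to_h.
+expect(subject.to_h).to eq(subject.to_hash)
 end
 end
 end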
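Review bot: The `#to_h` example compares the hash against `Factory[:data_flow]`, which the `subject { Factory[:data_flow] }` line shows is the DataFlow object itself rather than a plain hash. The assertion therefore passes only through whatever `==` does between a Hash and a DataFlow, which presumably goes via `to_hash`, so it would not catch a wrong or missing key in `to_h`. The CalledFunction and Frame specs compare against dedicated hash fixtures (`Factory[:called_function_data]`, `Factory[:frame_data]`); this example should do the same with an explicit attribute hash, and the ExecutionFlow spec has the same pattern with `Factory[:execution_flow]`. The example description 'returns a hash containing frame data' and the 'there are are no' context title look copied over and should be corrected while the file is being touched.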
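--- a/data/spec/arachni/browser/javascript/taint_tracer/sink/execution_flow_spec.rb
+++ b/data/spec/arachni/browser/javascript/taint_tracer/sink/execution_flow_spec.rb
@@ -6,12 +6,12 @@ describe Arachni::Browser::Javascript::TaintTracer::Sink::ExecutionFlow do
 subject { Factory[:execution_flow] }
 
 %w(data).each do |m|
-it {
-it {
+it { is_expected.to respond_to m }
+it { is_expected.to respond_to "#{m}=" }
 end
 
 it "supports #{Arachni::RPC::Serializer}" do
-subject.
+expect(subject).to eq(Arachni::RPC::Serializer.deep_clone( subject ))
 end
 
 describe '#to_rpc_data' do
@@ -19,7 +19,7 @@ describe Arachni::Browser::Javascript::TaintTracer::Sink::ExecutionFlow do
 
 %w(data).each do |attribute|
 it "includes '#{attribute}'" do
-data[attribute.to_sym].
+expect(data[attribute.to_sym]).to eq(subject.send( attribute ))
 end
 end
 end
@@ -30,18 +30,18 @@ describe Arachni::Browser::Javascript::TaintTracer::Sink::ExecutionFlow do
 
 %w(data).each do |attribute|
 it "restores '#{attribute}'" do
-restored.send( attribute ).
+expect(restored.send( attribute )).to eq(subject.send( attribute ))
 end
 end
 end
 
 describe '#to_h' do
 it 'returns a hash containing frame data' do
-subject.to_h.
+expect(subject.to_h).to eq(Factory[:execution_flow])
 end
 
 it 'is aliased to #to_hash' do
-subject.to_h.
+expect(subject.to_h).to eq(subject.to_hash)
 end
 end
 end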
@@ -30,32 +30,32 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
30
30
|
|
31
31
|
describe '#initialized' do
|
32
32
|
it 'returns true' do
|
33
|
-
subject.initialized.
|
33
|
+
expect(subject.initialized).to be_truthy
|
34
34
|
end
|
35
35
|
end
|
36
36
|
|
37
37
|
describe '#class' do
|
38
38
|
it "returns #{described_class}" do
|
39
|
-
subject.class.
|
39
|
+
expect(subject.class).to eq(described_class)
|
40
40
|
end
|
41
41
|
end
|
42
42
|
|
43
43
|
it 'is aliased to _token_taint_tracer' do
|
44
44
|
load "debug?input=_#{@javascript.token}_taint_tracer.log_execution_flow_sink()"
|
45
45
|
@browser.watir.form.submit
|
46
|
-
subject.execution_flow_sinks.
|
46
|
+
expect(subject.execution_flow_sinks).to be_any
|
47
47
|
end
|
48
48
|
|
49
49
|
it 'is aliased to _tokentainttracer' do
|
50
50
|
load "debug?input=_#{@javascript.token}tainttracer.log_execution_flow_sink()"
|
51
51
|
@browser.watir.form.submit
|
52
|
-
subject.execution_flow_sinks.
|
52
|
+
expect(subject.execution_flow_sinks).to be_any
|
53
53
|
end
|
54
54
|
|
55
55
|
describe '#taints=' do
|
56
56
|
it 'sets the taints to be traced' do
|
57
57
|
subject.taints = [taint]
|
58
|
-
subject.taints.
|
58
|
+
expect(subject.taints).to eq([taint])
|
59
59
|
end
|
60
60
|
|
61
61
|
context 'when multiple taints are set' do
|
@@ -68,92 +68,100 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
68
68
|
load "/data_trace/multiple-taints?taint1=#{taint1}&taint2=#{taint2}"
|
69
69
|
|
70
70
|
sink = subject.data_flow_sinks[taint1]
|
71
|
-
sink.size.
|
71
|
+
expect(sink.size).to eq(2)
|
72
72
|
|
73
73
|
entry = sink[0]
|
74
|
-
entry.object.
|
75
|
-
entry.function.name.
|
76
|
-
entry.function.source.
|
77
|
-
entry.function.arguments.
|
74
|
+
expect(entry.object).to eq('DOMWindow')
|
75
|
+
expect(entry.function.name).to eq('process')
|
76
|
+
expect(entry.function.source).to start_with 'function process'
|
77
|
+
expect(entry.function.arguments).to eq([
|
78
78
|
{
|
79
79
|
'my_data11' => 'blah11',
|
80
80
|
'input11' => taint1
|
81
81
|
}
|
82
|
-
]
|
83
|
-
entry.tainted_value.
|
84
|
-
entry.taint.
|
85
|
-
@browser.source.split("\n")[entry.trace[0].line-1].
|
82
|
+
])
|
83
|
+
expect(entry.tainted_value).to eq(taint1)
|
84
|
+
expect(entry.taint).to eq(taint1)
|
85
|
+
expect(@browser.source.split("\n")[entry.trace[0].line-1]).to include 'process('
|
86
86
|
|
87
87
|
entry = sink[1]
|
88
|
-
entry.object.
|
89
|
-
entry.function.name.
|
90
|
-
entry.function.source.
|
91
|
-
entry.function.arguments.
|
88
|
+
expect(entry.object).to eq('DOMWindow')
|
89
|
+
expect(entry.function.name).to eq('process')
|
90
|
+
expect(entry.function.source).to start_with 'function process'
|
91
|
+
expect(entry.function.arguments).to eq([
|
92
92
|
{
|
93
93
|
'my_data12' => 'blah12',
|
94
94
|
'input12' => taint1
|
95
95
|
}
|
96
|
-
]
|
97
|
-
entry.tainted_value.
|
98
|
-
entry.taint.
|
99
|
-
@browser.source.split("\n")[entry.trace[0].line-1].
|
96
|
+
])
|
97
|
+
expect(entry.tainted_value).to eq(taint1)
|
98
|
+
expect(entry.taint).to eq(taint1)
|
99
|
+
expect(@browser.source.split("\n")[entry.trace[0].line-1]).to include 'process('
|
100
100
|
|
101
101
|
sink = subject.data_flow_sinks[taint2]
|
102
|
-
sink.size.
|
102
|
+
expect(sink.size).to eq(2)
|
103
103
|
|
104
104
|
entry = sink[0]
|
105
|
-
entry.object.
|
106
|
-
entry.function.name.
|
107
|
-
entry.function.source.
|
108
|
-
entry.function.arguments.
|
105
|
+
expect(entry.object).to eq('DOMWindow')
|
106
|
+
expect(entry.function.name).to eq('process')
|
107
|
+
expect(entry.function.source).to start_with 'function process'
|
108
|
+
expect(entry.function.arguments).to eq([
|
109
109
|
{
|
110
110
|
'my_data21' => 'blah21',
|
111
111
|
'input21' => taint2
|
112
112
|
}
|
113
|
-
]
|
114
|
-
entry.tainted_value.
|
115
|
-
entry.taint.
|
116
|
-
@browser.source.split("\n")[entry.trace[0].line].
|
113
|
+
])
|
114
|
+
expect(entry.tainted_value).to eq(taint2)
|
115
|
+
expect(entry.taint).to eq(taint2)
|
116
|
+
expect(@browser.source.split("\n")[entry.trace[0].line]).to include 'process('
|
117
117
|
|
118
118
|
entry = sink[1]
|
119
|
-
entry.object.
|
120
|
-
entry.function.name.
|
121
|
-
entry.function.source.
|
122
|
-
entry.function.arguments.
|
119
|
+
expect(entry.object).to eq('DOMWindow')
|
120
|
+
expect(entry.function.name).to eq('process')
|
121
|
+
expect(entry.function.source).to start_with 'function process'
|
122
|
+
expect(entry.function.arguments).to eq([
|
123
123
|
{
|
124
124
|
'my_data22' => 'blah22',
|
125
125
|
'input22' => taint2
|
126
126
|
}
|
127
|
-
]
|
128
|
-
entry.tainted_value.
|
129
|
-
entry.taint.
|
130
|
-
@browser.source.split("\n")[entry.trace[0].line].
|
127
|
+
])
|
128
|
+
expect(entry.tainted_value).to eq(taint2)
|
129
|
+
expect(entry.taint).to eq(taint2)
|
130
|
+
expect(@browser.source.split("\n")[entry.trace[0].line]).to include 'process('
|
131
131
|
end
|
132
132
|
end
|
133
133
|
|
134
134
|
context 'when tainted data pass through' do
|
135
135
|
before { @javascript.taint = taint }
|
136
136
|
|
137
|
+
it 'traces the taint up to a depth of 5' do
|
138
|
+
load_with_taint 'data_trace/taint_depth/4'
|
139
|
+
expect(subject.data_flow_sinks).to be_any
|
140
|
+
|
141
|
+
load_with_taint 'data_trace/taint_depth/5'
|
142
|
+
expect(subject.data_flow_sinks).to be_empty
|
143
|
+
end
|
144
|
+
|
137
145
|
context 'user-defined global functions' do
|
138
146
|
it 'logs it' do
|
139
147
|
load_with_taint 'data_trace/user-defined-global-functions'
|
140
148
|
|
141
149
|
sink = subject.data_flow_sinks[taint]
|
142
|
-
sink.size.
|
150
|
+
expect(sink.size).to eq(1)
|
143
151
|
|
144
152
|
entry = sink[0]
|
145
|
-
entry.object.
|
146
|
-
entry.function.name.
|
147
|
-
entry.function.source.
|
148
|
-
entry.function.arguments.
|
153
|
+
expect(entry.object).to eq('DOMWindow')
|
154
|
+
expect(entry.function.name).to eq('process')
|
155
|
+
expect(entry.function.source).to start_with 'function process'
|
156
|
+
expect(entry.function.arguments).to eq([
|
149
157
|
{
|
150
158
|
'my_data' => 'blah',
|
151
159
|
'input' => taint
|
152
160
|
}
|
153
|
-
]
|
154
|
-
entry.tainted_value.
|
155
|
-
entry.taint.
|
156
|
-
@browser.source.split("\n")[entry.trace[0].line-1].
|
161
|
+
])
|
162
|
+
expect(entry.tainted_value).to eq(taint)
|
163
|
+
expect(entry.taint).to eq(taint)
|
164
|
+
expect(@browser.source.split("\n")[entry.trace[0].line-1]).to include 'process('
|
157
165
|
end
|
158
166
|
end
|
159
167
|
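Review bot: In the new example 'traces the taint up to a depth of 5', the negative half (`expect(subject.data_flow_sinks).to be_empty` after loading `data_trace/taint_depth/5`) would also pass if that page failed to load or the tracer never initialised, since an empty sink list is the default state. A positive check after the second `load_with_taint`, for instance `expect(subject.initialized).to be_truthy`, would tie the empty result to the depth limit rather than to a missing fixture. The title is also ambiguous about whether level 5 itself is traced; the assertions suggest it is not, assuming the fixture number is the nesting depth. A comment stating the limit, and that taints nested deeper are deliberately not reported, would let readers judge the false-negative risk for deeply nested arguments.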
|
@@ -164,16 +172,16 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
164
172
|
load_with_taint "data_trace/window.#{function}"
|
165
173
|
|
166
174
|
sink = subject.data_flow_sinks[taint]
|
167
|
-
sink.size.
|
175
|
+
expect(sink.size).to eq(1)
|
168
176
|
|
169
177
|
entry = sink[0]
|
170
|
-
entry.object.
|
171
|
-
entry.function.name.
|
172
|
-
entry.function.source.
|
173
|
-
entry.function.arguments.
|
174
|
-
entry.tainted_value.
|
175
|
-
entry.taint.
|
176
|
-
@browser.source.split("\n")[entry.trace[0].line].
|
178
|
+
expect(entry.object).to eq('DOMWindow')
|
179
|
+
expect(entry.function.name).to eq(function)
|
180
|
+
expect(entry.function.source).to start_with "function #{function}"
|
181
|
+
expect(entry.function.arguments).to eq([ taint ])
|
182
|
+
expect(entry.tainted_value).to eq(taint)
|
183
|
+
expect(entry.taint).to eq(taint)
|
184
|
+
expect(@browser.source.split("\n")[entry.trace[0].line]).to include "#{function}("
|
177
185
|
end
|
178
186
|
end
|
179
187
|
end
|
@@ -185,20 +193,20 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
185
193
|
load_with_taint 'data_trace/XMLHttpRequest.open'
|
186
194
|
|
187
195
|
sink = subject.data_flow_sinks[taint]
|
188
|
-
sink.size.
|
196
|
+
expect(sink.size).to eq(1)
|
189
197
|
|
190
198
|
entry = sink[0]
|
191
|
-
entry.object.
|
192
|
-
entry.function.name.
|
193
|
-
entry.function.arguments.
|
199
|
+
expect(entry.object).to eq('XMLHttpRequestPrototype')
|
200
|
+
expect(entry.function.name).to eq('open')
|
201
|
+
expect(entry.function.arguments).to eq([
|
194
202
|
'GET', "/?taint=#{taint}", true
|
195
|
-
]
|
196
|
-
entry.tainted_value.
|
197
|
-
entry.taint.
|
203
|
+
])
|
204
|
+
expect(entry.tainted_value).to eq("/?taint=#{taint}")
|
205
|
+
expect(entry.taint).to eq(taint)
|
198
206
|
|
199
207
|
trace = entry.trace[0]
|
200
|
-
@browser.source.split("\n")[trace.line].
|
201
|
-
trace.url.
|
208
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'open('
|
209
|
+
expect(trace.url).to eq(@browser.url)
|
202
210
|
end
|
203
211
|
end
|
204
212
|
|
@@ -207,18 +215,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
207
215
|
load_with_taint 'data_trace/XMLHttpRequest.send'
|
208
216
|
|
209
217
|
sink = subject.data_flow_sinks[taint]
|
210
|
-
sink.size.
|
218
|
+
expect(sink.size).to eq(1)
|
211
219
|
|
212
220
|
entry = sink[0]
|
213
|
-
entry.object.
|
214
|
-
entry.function.name.
|
215
|
-
entry.function.arguments.
|
216
|
-
entry.tainted_value.
|
217
|
-
entry.taint.
|
221
|
+
expect(entry.object).to eq('XMLHttpRequestPrototype')
|
222
|
+
expect(entry.function.name).to eq('send')
|
223
|
+
expect(entry.function.arguments).to eq([ "taint=#{taint}" ])
|
224
|
+
expect(entry.tainted_value).to eq("taint=#{taint}")
|
225
|
+
expect(entry.taint).to eq(taint)
|
218
226
|
|
219
227
|
trace = entry.trace[0]
|
220
|
-
@browser.source.split("\n")[trace.line].
|
221
|
-
trace.url.
|
228
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'send('
|
229
|
+
expect(trace.url).to eq(@browser.url)
|
222
230
|
end
|
223
231
|
end
|
224
232
|
|
@@ -227,18 +235,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
227
235
|
load_with_taint 'data_trace/XMLHttpRequest.setRequestHeader'
|
228
236
|
|
229
237
|
sink = subject.data_flow_sinks[taint]
|
230
|
-
sink.size.
|
238
|
+
expect(sink.size).to eq(1)
|
231
239
|
|
232
240
|
entry = sink[0]
|
233
|
-
entry.object.
|
234
|
-
entry.function.name.
|
235
|
-
entry.function.arguments.
|
236
|
-
entry.tainted_value.
|
237
|
-
entry.taint.
|
241
|
+
expect(entry.object).to eq('XMLHttpRequestPrototype')
|
242
|
+
expect(entry.function.name).to eq('setRequestHeader')
|
243
|
+
expect(entry.function.arguments).to eq([ 'X-My-Header', "stuff-#{taint}" ])
|
244
|
+
expect(entry.tainted_value).to eq("stuff-#{taint}")
|
245
|
+
expect(entry.taint).to eq(taint)
|
238
246
|
|
239
247
|
trace = entry.trace[0]
|
240
|
-
@browser.source.split("\n")[trace.line].
|
241
|
-
trace.url.
|
248
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'setRequestHeader('
|
249
|
+
expect(trace.url).to eq(@browser.url)
|
242
250
|
end
|
243
251
|
end
|
244
252
|
end
|
@@ -249,18 +257,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
249
257
|
load_with_taint 'data_trace/AngularJS.element'
|
250
258
|
|
251
259
|
sink = subject.data_flow_sinks[taint]
|
252
|
-
sink.size.
|
260
|
+
expect(sink.size).to eq(2)
|
253
261
|
|
254
262
|
entry = sink[1]
|
255
|
-
entry.object.
|
256
|
-
entry.function.name.
|
257
|
-
entry.function.arguments.
|
258
|
-
entry.tainted_value.
|
259
|
-
entry.taint.
|
263
|
+
expect(entry.object).to eq('angular')
|
264
|
+
expect(entry.function.name).to eq('JQLite')
|
265
|
+
expect(entry.function.arguments).to eq(["<div>Stuff #{taint}</div>"])
|
266
|
+
expect(entry.tainted_value).to eq("<div>Stuff #{taint}</div>")
|
267
|
+
expect(entry.taint).to eq(taint)
|
260
268
|
|
261
269
|
trace = entry.trace[0]
|
262
|
-
@browser.source.split("\n")[trace.line].
|
263
|
-
trace.url.
|
270
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'angular.element('
|
271
|
+
expect(trace.url).to eq(@browser.url)
|
264
272
|
end
|
265
273
|
end
|
266
274
|
|
@@ -270,25 +278,25 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
270
278
|
load_with_taint 'data_trace/AngularJS/$http.delete'
|
271
279
|
|
272
280
|
sink = subject.data_flow_sinks[taint]
|
273
|
-
sink.size.
|
281
|
+
expect(sink.size).to eq(4)
|
274
282
|
|
275
283
|
entry = sink[1]
|
276
|
-
entry.object.
|
277
|
-
entry.function.name.
|
278
|
-
entry.function.arguments.
|
279
|
-
entry.tainted_value.
|
280
|
-
entry.taint.
|
281
|
-
entry.trace[0].url.
|
284
|
+
expect(entry.object).to eq('angular.$http')
|
285
|
+
expect(entry.function.name).to eq('delete')
|
286
|
+
expect(entry.function.arguments).to eq([ "/#{taint}" ])
|
287
|
+
expect(entry.tainted_value).to eq("/#{taint}")
|
288
|
+
expect(entry.taint).to eq(taint)
|
289
|
+
expect(entry.trace[0].url).to eq(@browser.url)
|
282
290
|
|
283
291
|
entry = sink[3]
|
284
|
-
entry.object.
|
285
|
-
entry.function.name.
|
286
|
-
entry.function.arguments.
|
292
|
+
expect(entry.object).to eq('XMLHttpRequestPrototype')
|
293
|
+
expect(entry.function.name).to eq('open')
|
294
|
+
expect(entry.function.arguments).to eq([
|
287
295
|
'DELETE', "/#{taint}", true
|
288
|
-
]
|
289
|
-
entry.tainted_value.
|
290
|
-
entry.taint.
|
291
|
-
entry.trace[0].url.
|
296
|
+
])
|
297
|
+
expect(entry.tainted_value).to eq("/#{taint}")
|
298
|
+
expect(entry.taint).to eq(taint)
|
299
|
+
expect(entry.trace[0].url).to eq("#{@url}angular.js")
|
292
300
|
end
|
293
301
|
end
|
294
302
|
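Review bot: The assertions pick sink entries by fixed position (`sink[1]` and `sink[3]` out of an expected `sink.size` of 4) and leave `sink[0]` and `sink[2]` unchecked, so the example depends on the exact number and order of calls the bundled AngularJS makes internally. Selecting the entry by what it is, e.g. `entry = sink.find { |e| e.object == 'angular.$http' && e.function.name == 'delete' }`, would keep the test about the tracer and let it survive a library upgrade. The same positional pattern appears in the `$http.head`, `$http.jsonp`, `$http.put`, `$http.get`, `$http.post` and `ngRoute` hunks that follow. The enclosing example starts before this hunk.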
|
@@ -297,25 +305,25 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
297
305
|
load_with_taint 'data_trace/AngularJS/$http.head'
|
298
306
|
|
299
307
|
sink = subject.data_flow_sinks[taint]
|
300
|
-
sink.size.
|
308
|
+
expect(sink.size).to eq(4)
|
301
309
|
|
302
310
|
entry = sink[1]
|
303
|
-
entry.object.
|
304
|
-
entry.function.name.
|
305
|
-
entry.function.arguments.
|
306
|
-
entry.tainted_value.
|
307
|
-
entry.taint.
|
308
|
-
entry.trace[0].url.
|
311
|
+
expect(entry.object).to eq('angular.$http')
|
312
|
+
expect(entry.function.name).to eq('head')
|
313
|
+
expect(entry.function.arguments).to eq([ "/#{taint}" ])
|
314
|
+
expect(entry.tainted_value).to eq("/#{taint}")
|
315
|
+
expect(entry.taint).to eq(taint)
|
316
|
+
expect(entry.trace[0].url).to eq(@browser.url)
|
309
317
|
|
310
318
|
entry = sink[3]
|
311
|
-
entry.object.
|
312
|
-
entry.function.name.
|
313
|
-
entry.function.arguments.
|
319
|
+
expect(entry.object).to eq('XMLHttpRequestPrototype')
|
320
|
+
expect(entry.function.name).to eq('open')
|
321
|
+
expect(entry.function.arguments).to eq([
|
314
322
|
'HEAD', "/#{taint}", true
|
315
|
-
]
|
316
|
-
entry.tainted_value.
|
317
|
-
entry.taint.
|
318
|
-
entry.trace[0].url.
|
323
|
+
])
|
324
|
+
expect(entry.tainted_value).to eq("/#{taint}")
|
325
|
+
expect(entry.taint).to eq(taint)
|
326
|
+
expect(entry.trace[0].url).to eq("#{@url}angular.js")
|
319
327
|
end
|
320
328
|
end
|
321
329
|
|
@@ -324,25 +332,25 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
324
332
|
load_with_taint 'data_trace/AngularJS/$http.jsonp'
|
325
333
|
|
326
334
|
sink = subject.data_flow_sinks[taint]
|
327
|
-
sink.size.
|
335
|
+
expect(sink.size).to eq(3)
|
328
336
|
|
329
337
|
entry = sink[1]
|
330
|
-
entry.object.
|
331
|
-
entry.function.name.
|
332
|
-
entry.function.arguments.
|
333
|
-
entry.tainted_value.
|
334
|
-
entry.taint.
|
335
|
-
entry.trace[0].url.
|
338
|
+
expect(entry.object).to eq('angular.$http')
|
339
|
+
expect(entry.function.name).to eq('jsonp')
|
340
|
+
expect(entry.function.arguments).to eq([ "/jsonp-#{taint}" ])
|
341
|
+
expect(entry.tainted_value).to eq("/jsonp-#{taint}")
|
342
|
+
expect(entry.taint).to eq(taint)
|
343
|
+
expect(entry.trace[0].url).to eq(@browser.url)
|
336
344
|
|
337
345
|
entry = sink[2]
|
338
|
-
entry.object.
|
339
|
-
entry.function.name.
|
340
|
-
entry.function.arguments.
|
346
|
+
expect(entry.object).to eq('ElementPrototype')
|
347
|
+
expect(entry.function.name).to eq('setAttribute')
|
348
|
+
expect(entry.function.arguments).to eq([
|
341
349
|
'href', "/jsonp-#{taint}"
|
342
|
-
]
|
343
|
-
entry.tainted_value.
|
344
|
-
entry.taint.
|
345
|
-
entry.trace[0].url.
|
350
|
+
])
|
351
|
+
expect(entry.tainted_value).to eq("/jsonp-#{taint}")
|
352
|
+
expect(entry.taint).to eq(taint)
|
353
|
+
expect(entry.trace[0].url).to eq("#{@url}angular.js")
|
346
354
|
end
|
347
355
|
end
|
348
356
|
|
@@ -351,25 +359,25 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
351
359
|
load_with_taint 'data_trace/AngularJS/$http.put'
|
352
360
|
|
353
361
|
sink = subject.data_flow_sinks[taint]
|
354
|
-
sink.size.
|
362
|
+
expect(sink.size).to eq(3)
|
355
363
|
|
356
364
|
entry = sink[1]
|
357
|
-
entry.object.
|
358
|
-
entry.function.name.
|
359
|
-
entry.function.arguments.
|
365
|
+
expect(entry.object).to eq('angular.$http')
|
366
|
+
expect(entry.function.name).to eq('put')
|
367
|
+
expect(entry.function.arguments).to eq([
|
360
368
|
'/', "Stuff #{taint}"
|
361
|
-
]
|
362
|
-
entry.tainted_value.
|
363
|
-
entry.taint.
|
364
|
-
entry.trace[0].url.
|
369
|
+
])
|
370
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
371
|
+
expect(entry.taint).to eq(taint)
|
372
|
+
expect(entry.trace[0].url).to eq(@browser.url)
|
365
373
|
|
366
374
|
entry = sink[2]
|
367
|
-
entry.object.
|
368
|
-
entry.function.name.
|
369
|
-
entry.function.arguments.
|
370
|
-
entry.tainted_value.
|
371
|
-
entry.taint.
|
372
|
-
entry.trace[0].url.
|
375
|
+
expect(entry.object).to eq('XMLHttpRequestPrototype')
|
376
|
+
expect(entry.function.name).to eq('send')
|
377
|
+
expect(entry.function.arguments).to eq([ "Stuff #{taint}" ])
|
378
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
379
|
+
expect(entry.taint).to eq(taint)
|
380
|
+
expect(entry.trace[0].url).to eq("#{@url}angular.js")
|
373
381
|
end
|
374
382
|
end
|
375
383
|
|
@@ -378,25 +386,25 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
378
386
|
load_with_taint 'data_trace/AngularJS/$http.get'
|
379
387
|
|
380
388
|
sink = subject.data_flow_sinks[taint]
|
381
|
-
sink.size.
|
389
|
+
expect(sink.size).to eq(4)
|
382
390
|
|
383
391
|
entry = sink[1]
|
384
|
-
entry.object.
|
385
|
-
entry.function.name.
|
386
|
-
entry.function.arguments.
|
387
|
-
entry.tainted_value.
|
388
|
-
entry.taint.
|
389
|
-
entry.trace[0].url.
|
392
|
+
expect(entry.object).to eq('angular.$http')
|
393
|
+
expect(entry.function.name).to eq('get')
|
394
|
+
expect(entry.function.arguments).to eq([ "/#{taint}" ])
|
395
|
+
expect(entry.tainted_value).to eq("/#{taint}")
|
396
|
+
expect(entry.taint).to eq(taint)
|
397
|
+
expect(entry.trace[0].url).to eq(@browser.url)
|
390
398
|
|
391
399
|
entry = sink[3]
|
392
|
-
entry.object.
|
393
|
-
entry.function.name.
|
394
|
-
entry.function.arguments.
|
400
|
+
expect(entry.object).to eq('XMLHttpRequestPrototype')
|
401
|
+
expect(entry.function.name).to eq('open')
|
402
|
+
expect(entry.function.arguments).to eq([
|
395
403
|
'GET', "/#{taint}", true
|
396
|
-
]
|
397
|
-
entry.tainted_value.
|
398
|
-
entry.taint.
|
399
|
-
entry.trace[0].url.
|
404
|
+
])
|
405
|
+
expect(entry.tainted_value).to eq("/#{taint}")
|
406
|
+
expect(entry.taint).to eq(taint)
|
407
|
+
expect(entry.trace[0].url).to eq("#{@url}angular.js")
|
400
408
|
end
|
401
409
|
end
|
402
410
|
|
@@ -405,12 +413,12 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
405
413
|
load_with_taint 'data_trace/AngularJS/$http.post'
|
406
414
|
|
407
415
|
sink = subject.data_flow_sinks[taint]
|
408
|
-
sink.size.
|
416
|
+
expect(sink.size).to eq(4)
|
409
417
|
|
410
418
|
entry = sink[1]
|
411
|
-
entry.object.
|
412
|
-
entry.function.name.
|
413
|
-
entry.function.arguments.
|
419
|
+
expect(entry.object).to eq('angular.$http')
|
420
|
+
expect(entry.function.name).to eq('post')
|
421
|
+
expect(entry.function.arguments).to eq([
|
414
422
|
'/', '',
|
415
423
|
{
|
416
424
|
'params' => {
|
@@ -420,20 +428,20 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
420
428
|
'url' => '/',
|
421
429
|
'data' => ''
|
422
430
|
}
|
423
|
-
]
|
424
|
-
entry.tainted_value.
|
425
|
-
entry.taint.
|
426
|
-
entry.trace[0].url.
|
431
|
+
])
|
432
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
433
|
+
expect(entry.taint).to eq(taint)
|
434
|
+
expect(entry.trace[0].url).to eq(@browser.url)
|
427
435
|
|
428
436
|
entry = sink[3]
|
429
|
-
entry.object.
|
430
|
-
entry.function.name.
|
431
|
-
entry.function.arguments.
|
437
|
+
expect(entry.object).to eq('XMLHttpRequestPrototype')
|
438
|
+
expect(entry.function.name).to eq('open')
|
439
|
+
expect(entry.function.arguments).to eq([
|
432
440
|
'POST', "/?stuff=Stuff+#{taint}", true
|
433
|
-
]
|
434
|
-
entry.tainted_value.
|
435
|
-
entry.taint.
|
436
|
-
entry.trace[0].url.
|
441
|
+
])
|
442
|
+
expect(entry.tainted_value).to eq("/?stuff=Stuff+#{taint}")
|
443
|
+
expect(entry.taint).to eq(taint)
|
444
|
+
expect(entry.trace[0].url).to eq("#{@url}angular.js")
|
437
445
|
end
|
438
446
|
end
|
439
447
|
end
|
@@ -444,28 +452,28 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
444
452
|
load_with_taint 'data_trace/AngularJS/ngRoute/'
|
445
453
|
|
446
454
|
sink = subject.data_flow_sinks[taint]
|
447
|
-
sink.size.
|
455
|
+
expect(sink.size).to eq(8)
|
448
456
|
|
449
457
|
# ngRoute module first schedules an HTTP request to grab
|
450
458
|
# the template from the given 'templateUrl'...
|
451
459
|
entry = sink[6]
|
452
|
-
entry.object.
|
453
|
-
entry.function.name.
|
454
|
-
entry.function.arguments.
|
460
|
+
expect(entry.object).to eq('XMLHttpRequestPrototype')
|
461
|
+
expect(entry.function.name).to eq('open')
|
462
|
+
expect(entry.function.arguments).to eq([
|
455
463
|
'GET', "template.html?taint=#{taint}", true
|
456
|
-
]
|
457
|
-
entry.tainted_value.
|
458
|
-
entry.taint.
|
459
|
-
entry.trace[0].url.
|
464
|
+
])
|
465
|
+
expect(entry.tainted_value).to eq("template.html?taint=#{taint}")
|
466
|
+
expect(entry.taint).to eq(taint)
|
467
|
+
expect(entry.trace[0].url).to eq("#{@url}angular.js")
|
460
468
|
|
461
469
|
#... and then updates the app with the (tainted) template content.
|
462
470
|
entry = sink[7]
|
463
|
-
entry.object.
|
464
|
-
entry.function.name.
|
465
|
-
entry.function.arguments.
|
466
|
-
entry.tainted_value.
|
467
|
-
entry.taint.
|
468
|
-
entry.trace[0].url.
|
471
|
+
expect(entry.object).to eq('angular.element')
|
472
|
+
expect(entry.function.name).to eq('html')
|
473
|
+
expect(entry.function.arguments).to eq(["Blah blah blah #{taint}\n"])
|
474
|
+
expect(entry.tainted_value).to eq("Blah blah blah #{taint}\n")
|
475
|
+
expect(entry.taint).to eq(taint)
|
476
|
+
expect(entry.trace[0].url).to eq("#{@url}angular-route.js")
|
469
477
|
end
|
470
478
|
end
|
471
479
|
end
|
@@ -476,18 +484,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
476
484
|
load_with_taint 'data_trace/AngularJS/jqLite.html'
|
477
485
|
|
478
486
|
sink = subject.data_flow_sinks[taint]
|
479
|
-
sink.size.
|
487
|
+
expect(sink.size).to eq(2)
|
480
488
|
|
481
489
|
entry = sink[1]
|
482
|
-
entry.object.
|
483
|
-
entry.function.name.
|
484
|
-
entry.function.arguments.
|
485
|
-
entry.tainted_value.
|
486
|
-
entry.taint.
|
490
|
+
expect(entry.object).to eq('angular.element')
|
491
|
+
expect(entry.function.name).to eq('html')
|
492
|
+
expect(entry.function.arguments).to eq(["Stuff #{taint}"])
|
493
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
494
|
+
expect(entry.taint).to eq(taint)
|
487
495
|
|
488
496
|
trace = entry.trace[0]
|
489
|
-
@browser.source.split("\n")[trace.line-1].
|
490
|
-
trace.url.
|
497
|
+
expect(@browser.source.split("\n")[trace.line-1]).to include 'html('
|
498
|
+
expect(trace.url).to eq(@browser.url)
|
491
499
|
end
|
492
500
|
end
|
493
501
|
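Review bot: The traced source line is looked up with `[trace.line-1]` here (as in the `jqLite.text` and `jqLite.replaceWith` hunks), while the `jqLite.append`, `.prepend`, `.prop`, `.val` and the jQuery cookie/ajax/get/post/load hunks use `[trace.line]`. Because `include 'html('` is a loose substring match, the spec does not show whether the differing offset comes from how the fixture pages are laid out or from inconsistent line numbers reported by the tracer. A short comment saying whether `trace.line` is 0- or 1-based would make the intent checkable, as would a shared helper that maps a trace frame to its source line and is used by every example. The enclosing example starts before this hunk.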
|
@@ -496,18 +504,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
496
504
|
load_with_taint 'data_trace/AngularJS/jqLite.text'
|
497
505
|
|
498
506
|
sink = subject.data_flow_sinks[taint]
|
499
|
-
sink.size.
|
507
|
+
expect(sink.size).to eq(2)
|
500
508
|
|
501
509
|
entry = sink[1]
|
502
|
-
entry.object.
|
503
|
-
entry.function.name.
|
504
|
-
entry.function.arguments.
|
505
|
-
entry.tainted_value.
|
506
|
-
entry.taint.
|
510
|
+
expect(entry.object).to eq('angular.element')
|
511
|
+
expect(entry.function.name).to eq('text')
|
512
|
+
expect(entry.function.arguments).to eq(["Stuff #{taint}"])
|
513
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
514
|
+
expect(entry.taint).to eq(taint)
|
507
515
|
|
508
516
|
trace = entry.trace[0]
|
509
|
-
@browser.source.split("\n")[trace.line-1].
|
510
|
-
trace.url.
|
517
|
+
expect(@browser.source.split("\n")[trace.line-1]).to include 'text('
|
518
|
+
expect(trace.url).to eq(@browser.url)
|
511
519
|
end
|
512
520
|
end
|
513
521
|
|
@@ -516,18 +524,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
516
524
|
load_with_taint 'data_trace/AngularJS/jqLite.append'
|
517
525
|
|
518
526
|
sink = subject.data_flow_sinks[taint]
|
519
|
-
sink.size.
|
527
|
+
expect(sink.size).to eq(2)
|
520
528
|
|
521
529
|
entry = sink[1]
|
522
|
-
entry.object.
|
523
|
-
entry.function.name.
|
524
|
-
entry.function.arguments.
|
525
|
-
entry.tainted_value.
|
526
|
-
entry.taint.
|
530
|
+
expect(entry.object).to eq('angular.element')
|
531
|
+
expect(entry.function.name).to eq('append')
|
532
|
+
expect(entry.function.arguments).to eq(["Stuff #{taint}"])
|
533
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
534
|
+
expect(entry.taint).to eq(taint)
|
527
535
|
|
528
536
|
trace = entry.trace[0]
|
529
|
-
@browser.source.split("\n")[trace.line].
|
530
|
-
trace.url.
|
537
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'append('
|
538
|
+
expect(trace.url).to eq(@browser.url)
|
531
539
|
end
|
532
540
|
end
|
533
541
|
|
@@ -536,18 +544,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
536
544
|
load_with_taint 'data_trace/AngularJS/jqLite.prepend'
|
537
545
|
|
538
546
|
sink = subject.data_flow_sinks[taint]
|
539
|
-
sink.size.
|
547
|
+
expect(sink.size).to eq(2)
|
540
548
|
|
541
549
|
entry = sink[1]
|
542
|
-
entry.object.
|
543
|
-
entry.function.name.
|
544
|
-
entry.function.arguments.
|
545
|
-
entry.tainted_value.
|
546
|
-
entry.taint.
|
550
|
+
expect(entry.object).to eq('angular.element')
|
551
|
+
expect(entry.function.name).to eq('prepend')
|
552
|
+
expect(entry.function.arguments).to eq(["Stuff #{taint}"])
|
553
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
554
|
+
expect(entry.taint).to eq(taint)
|
547
555
|
|
548
556
|
trace = entry.trace[0]
|
549
|
-
@browser.source.split("\n")[trace.line].
|
550
|
-
trace.url.
|
557
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'prepend('
|
558
|
+
expect(trace.url).to eq(@browser.url)
|
551
559
|
end
|
552
560
|
end
|
553
561
|
|
@@ -556,18 +564,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
556
564
|
load_with_taint 'data_trace/AngularJS/jqLite.prop'
|
557
565
|
|
558
566
|
sink = subject.data_flow_sinks[taint]
|
559
|
-
sink.size.
|
567
|
+
expect(sink.size).to eq(2)
|
560
568
|
|
561
569
|
entry = sink[1]
|
562
|
-
entry.object.
|
563
|
-
entry.function.name.
|
564
|
-
entry.function.arguments.
|
565
|
-
entry.tainted_value.
|
566
|
-
entry.taint.
|
570
|
+
expect(entry.object).to eq('angular.element')
|
571
|
+
expect(entry.function.name).to eq('prop')
|
572
|
+
expect(entry.function.arguments).to eq([ 'stuff', "Stuff #{taint}"])
|
573
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
574
|
+
expect(entry.taint).to eq(taint)
|
567
575
|
|
568
576
|
trace = entry.trace[0]
|
569
|
-
@browser.source.split("\n")[trace.line].
|
570
|
-
trace.url.
|
577
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'prop('
|
578
|
+
expect(trace.url).to eq(@browser.url)
|
571
579
|
end
|
572
580
|
end
|
573
581
|
|
@@ -576,18 +584,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
576
584
|
load_with_taint 'data_trace/AngularJS/jqLite.replaceWith'
|
577
585
|
|
578
586
|
sink = subject.data_flow_sinks[taint]
|
579
|
-
sink.size.
|
587
|
+
expect(sink.size).to eq(2)
|
580
588
|
|
581
589
|
entry = sink[1]
|
582
|
-
entry.object.
|
583
|
-
entry.function.name.
|
584
|
-
entry.function.arguments.
|
585
|
-
entry.tainted_value.
|
586
|
-
entry.taint.
|
590
|
+
expect(entry.object).to eq('angular.element')
|
591
|
+
expect(entry.function.name).to eq('replaceWith')
|
592
|
+
expect(entry.function.arguments).to eq([ "Stuff #{taint}"])
|
593
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
594
|
+
expect(entry.taint).to eq(taint)
|
587
595
|
|
588
596
|
trace = entry.trace[0]
|
589
|
-
@browser.source.split("\n")[trace.line-1].
|
590
|
-
trace.url.
|
597
|
+
expect(@browser.source.split("\n")[trace.line-1]).to include 'replaceWith('
|
598
|
+
expect(trace.url).to eq(@browser.url)
|
591
599
|
end
|
592
600
|
end
|
593
601
|
|
@@ -596,18 +604,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
596
604
|
load_with_taint 'data_trace/AngularJS/jqLite.val'
|
597
605
|
|
598
606
|
sink = subject.data_flow_sinks[taint]
|
599
|
-
sink.size.
|
607
|
+
expect(sink.size).to eq(2)
|
600
608
|
|
601
609
|
entry = sink[1]
|
602
|
-
entry.object.
|
603
|
-
entry.function.name.
|
604
|
-
entry.function.arguments.
|
605
|
-
entry.tainted_value.
|
606
|
-
entry.taint.
|
610
|
+
expect(entry.object).to eq('angular.element')
|
611
|
+
expect(entry.function.name).to eq('val')
|
612
|
+
expect(entry.function.arguments).to eq([ "Stuff #{taint}"])
|
613
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
614
|
+
expect(entry.taint).to eq(taint)
|
607
615
|
|
608
616
|
trace = entry.trace[0]
|
609
|
-
@browser.source.split("\n")[trace.line].
|
610
|
-
trace.url.
|
617
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'val('
|
618
|
+
expect(trace.url).to eq(@browser.url)
|
611
619
|
end
|
612
620
|
end
|
613
621
|
end
|
@@ -619,18 +627,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
619
627
|
load_with_taint 'data_trace/jQuery.cookie'
|
620
628
|
|
621
629
|
sink = subject.data_flow_sinks[taint]
|
622
|
-
sink.size.
|
630
|
+
expect(sink.size).to eq(2)
|
623
631
|
|
624
632
|
entry = sink[0]
|
625
|
-
entry.object.
|
626
|
-
entry.function.name.
|
627
|
-
entry.function.arguments.
|
628
|
-
entry.tainted_value.
|
629
|
-
entry.taint.
|
633
|
+
expect(entry.object).to eq('jQuery')
|
634
|
+
expect(entry.function.name).to eq('cookie')
|
635
|
+
expect(entry.function.arguments).to eq(['cname', "mystuff #{taint}"])
|
636
|
+
expect(entry.tainted_value).to eq("mystuff #{taint}")
|
637
|
+
expect(entry.taint).to eq(taint)
|
630
638
|
|
631
639
|
trace = entry.trace[0]
|
632
|
-
@browser.source.split("\n")[trace.line].
|
633
|
-
trace.url.
|
640
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'cookie('
|
641
|
+
expect(trace.url).to eq(@browser.url)
|
634
642
|
end
|
635
643
|
end
|
636
644
|
|
@@ -639,25 +647,25 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
639
647
|
load_with_taint 'data_trace/jQuery.ajax'
|
640
648
|
|
641
649
|
sink = subject.data_flow_sinks[taint]
|
642
|
-
sink.size.
|
650
|
+
expect(sink.size).to eq(3)
|
643
651
|
|
644
652
|
entry = sink[0]
|
645
|
-
entry.object.
|
646
|
-
entry.function.name.
|
647
|
-
entry.function.arguments.
|
653
|
+
expect(entry.object).to eq('jQuery')
|
654
|
+
expect(entry.function.name).to eq('ajax')
|
655
|
+
expect(entry.function.arguments).to eq([
|
648
656
|
{
|
649
657
|
'url' => '/',
|
650
658
|
'data' => {
|
651
659
|
'stuff' => "mystuff #{taint}"
|
652
660
|
}
|
653
661
|
}
|
654
|
-
]
|
655
|
-
entry.tainted_value.
|
656
|
-
entry.taint.
|
662
|
+
])
|
663
|
+
expect(entry.tainted_value).to eq("mystuff #{taint}")
|
664
|
+
expect(entry.taint).to eq(taint)
|
657
665
|
|
658
666
|
trace = entry.trace[0]
|
659
|
-
@browser.source.split("\n")[trace.line].
|
660
|
-
trace.url.
|
667
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'ajax('
|
668
|
+
expect(trace.url).to eq(@browser.url)
|
661
669
|
end
|
662
670
|
end
|
663
671
|
|
@@ -666,21 +674,21 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
666
674
|
load_with_taint 'data_trace/jQuery.get'
|
667
675
|
|
668
676
|
sink = subject.data_flow_sinks[taint]
|
669
|
-
sink.size.
|
677
|
+
expect(sink.size).to eq(4)
|
670
678
|
|
671
679
|
entry = sink[0]
|
672
|
-
entry.object.
|
673
|
-
entry.function.name.
|
674
|
-
entry.function.arguments.
|
680
|
+
expect(entry.object).to eq('jQuery')
|
681
|
+
expect(entry.function.name).to eq('get')
|
682
|
+
expect(entry.function.arguments).to eq([
|
675
683
|
'/',
|
676
684
|
{ 'stuff' => "mystuff #{taint}" }
|
677
|
-
]
|
678
|
-
entry.tainted_value.
|
679
|
-
entry.taint.
|
685
|
+
])
|
686
|
+
expect(entry.tainted_value).to eq("mystuff #{taint}")
|
687
|
+
expect(entry.taint).to eq(taint)
|
680
688
|
|
681
689
|
trace = entry.trace[0]
|
682
|
-
@browser.source.split("\n")[trace.line].
|
683
|
-
trace.url.
|
690
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'get('
|
691
|
+
expect(trace.url).to eq(@browser.url)
|
684
692
|
end
|
685
693
|
end
|
686
694
|
|
@@ -689,18 +697,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
689
697
|
load_with_taint 'data_trace/jQuery.post'
|
690
698
|
|
691
699
|
sink = subject.data_flow_sinks[taint]
|
692
|
-
sink.size.
|
700
|
+
expect(sink.size).to eq(3)
|
693
701
|
|
694
702
|
entry = sink[0]
|
695
|
-
entry.object.
|
696
|
-
entry.function.name.
|
697
|
-
entry.function.arguments.
|
698
|
-
entry.tainted_value.
|
699
|
-
entry.taint.
|
703
|
+
expect(entry.object).to eq('jQuery')
|
704
|
+
expect(entry.function.name).to eq('post')
|
705
|
+
expect(entry.function.arguments).to eq([ "/#{taint}" ])
|
706
|
+
expect(entry.tainted_value).to eq("/#{taint}")
|
707
|
+
expect(entry.taint).to eq(taint)
|
700
708
|
|
701
709
|
trace = entry.trace[0]
|
702
|
-
@browser.source.split("\n")[trace.line].
|
703
|
-
trace.url.
|
710
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'post('
|
711
|
+
expect(trace.url).to eq(@browser.url)
|
704
712
|
end
|
705
713
|
end
|
706
714
|
|
@@ -709,18 +717,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
709
717
|
load_with_taint 'data_trace/jQuery.load'
|
710
718
|
|
711
719
|
sink = subject.data_flow_sinks[taint]
|
712
|
-
sink.size.
|
720
|
+
expect(sink.size).to eq(3)
|
713
721
|
|
714
722
|
entry = sink[0]
|
715
|
-
entry.object.
|
716
|
-
entry.function.name.
|
717
|
-
entry.function.arguments.
|
718
|
-
entry.tainted_value.
|
719
|
-
entry.taint.
|
723
|
+
expect(entry.object).to eq('jQuery')
|
724
|
+
expect(entry.function.name).to eq('load')
|
725
|
+
expect(entry.function.arguments).to eq([ "/#{taint}" ])
|
726
|
+
expect(entry.tainted_value).to eq("/#{taint}")
|
727
|
+
expect(entry.taint).to eq(taint)
|
720
728
|
|
721
729
|
trace = entry.trace[0]
|
722
|
-
@browser.source.split("\n")[trace.line].
|
723
|
-
trace.url.
|
730
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'load('
|
731
|
+
expect(trace.url).to eq(@browser.url)
|
724
732
|
end
|
725
733
|
end
|
726
734
|
|
@@ -729,18 +737,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
729
737
|
load_with_taint 'data_trace/jQuery.html'
|
730
738
|
|
731
739
|
sink = subject.data_flow_sinks[taint]
|
732
|
-
sink.size.
|
740
|
+
expect(sink.size).to eq(1)
|
733
741
|
|
734
742
|
entry = sink[0]
|
735
|
-
entry.object.
|
736
|
-
entry.function.name.
|
737
|
-
entry.function.arguments.
|
738
|
-
entry.tainted_value.
|
739
|
-
entry.taint.
|
743
|
+
expect(entry.object).to eq('jQuery')
|
744
|
+
expect(entry.function.name).to eq('html')
|
745
|
+
expect(entry.function.arguments).to eq(["Stuff #{taint}"])
|
746
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
747
|
+
expect(entry.taint).to eq(taint)
|
740
748
|
|
741
749
|
trace = entry.trace[0]
|
742
|
-
@browser.source.split("\n")[trace.line-1].
|
743
|
-
trace.url.
|
750
|
+
expect(@browser.source.split("\n")[trace.line-1]).to include 'html('
|
751
|
+
expect(trace.url).to eq(@browser.url)
|
744
752
|
end
|
745
753
|
end
|
746
754
|
|
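Review bot: The source-line lookup in this example indexes with `trace.line-1`, as do the jQuery.text and jQuery.replaceWith hunks, while the other data-trace examples visible in this diff use `trace.line`, and nothing in the spec explains the different offset. Because the assertion is only `include 'html('`, an off-by-one in the reported line could be hidden by adjusting the index per fixture. I would add a comment above the expectation such as `# NOTE: index is trace.line-1 for this fixture; confirm which numbering the tracer reports here`. If the offset is deliberate, a small shared helper for "source line of a trace frame" would keep the rule in one place. The enclosing `it` block starts above the hunk.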
@@ -749,18 +757,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
749
757
|
load_with_taint 'data_trace/jQuery.text'
|
750
758
|
|
751
759
|
sink = subject.data_flow_sinks[taint]
|
752
|
-
sink.size.
|
760
|
+
expect(sink.size).to eq(2)
|
753
761
|
|
754
762
|
entry = sink[0]
|
755
|
-
entry.object.
|
756
|
-
entry.function.name.
|
757
|
-
entry.function.arguments.
|
758
|
-
entry.tainted_value.
|
759
|
-
entry.taint.
|
763
|
+
expect(entry.object).to eq('jQuery')
|
764
|
+
expect(entry.function.name).to eq('text')
|
765
|
+
expect(entry.function.arguments).to eq(["Stuff #{taint}"])
|
766
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
767
|
+
expect(entry.taint).to eq(taint)
|
760
768
|
|
761
769
|
trace = entry.trace[0]
|
762
|
-
@browser.source.split("\n")[trace.line-1].
|
763
|
-
trace.url.
|
770
|
+
expect(@browser.source.split("\n")[trace.line-1]).to include 'text('
|
771
|
+
expect(trace.url).to eq(@browser.url)
|
764
772
|
end
|
765
773
|
end
|
766
774
|
|
@@ -769,18 +777,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
769
777
|
load_with_taint 'data_trace/jQuery.append'
|
770
778
|
|
771
779
|
sink = subject.data_flow_sinks[taint]
|
772
|
-
sink.size.
|
780
|
+
expect(sink.size).to eq(2)
|
773
781
|
|
774
782
|
entry = sink[0]
|
775
|
-
entry.object.
|
776
|
-
entry.function.name.
|
777
|
-
entry.function.arguments.
|
778
|
-
entry.tainted_value.
|
779
|
-
entry.taint.
|
783
|
+
expect(entry.object).to eq('jQuery')
|
784
|
+
expect(entry.function.name).to eq('append')
|
785
|
+
expect(entry.function.arguments).to eq(["Stuff #{taint}"])
|
786
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
787
|
+
expect(entry.taint).to eq(taint)
|
780
788
|
|
781
789
|
trace = entry.trace[0]
|
782
|
-
@browser.source.split("\n")[trace.line].
|
783
|
-
trace.url.
|
790
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'append('
|
791
|
+
expect(trace.url).to eq(@browser.url)
|
784
792
|
end
|
785
793
|
end
|
786
794
|
|
@@ -789,18 +797,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
789
797
|
load_with_taint 'data_trace/jQuery.prepend'
|
790
798
|
|
791
799
|
sink = subject.data_flow_sinks[taint]
|
792
|
-
sink.size.
|
800
|
+
expect(sink.size).to eq(2)
|
793
801
|
|
794
802
|
entry = sink[0]
|
795
|
-
entry.object.
|
796
|
-
entry.function.name.
|
797
|
-
entry.function.arguments.
|
798
|
-
entry.tainted_value.
|
799
|
-
entry.taint.
|
803
|
+
expect(entry.object).to eq('jQuery')
|
804
|
+
expect(entry.function.name).to eq('prepend')
|
805
|
+
expect(entry.function.arguments).to eq(["Stuff #{taint}"])
|
806
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
807
|
+
expect(entry.taint).to eq(taint)
|
800
808
|
|
801
809
|
trace = entry.trace[0]
|
802
|
-
@browser.source.split("\n")[trace.line].
|
803
|
-
trace.url.
|
810
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'prepend('
|
811
|
+
expect(trace.url).to eq(@browser.url)
|
804
812
|
end
|
805
813
|
end
|
806
814
|
|
@@ -809,18 +817,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
809
817
|
load_with_taint 'data_trace/jQuery.before'
|
810
818
|
|
811
819
|
sink = subject.data_flow_sinks[taint]
|
812
|
-
sink.size.
|
820
|
+
expect(sink.size).to eq(2)
|
813
821
|
|
814
822
|
entry = sink[0]
|
815
|
-
entry.object.
|
816
|
-
entry.function.name.
|
817
|
-
entry.function.arguments.
|
818
|
-
entry.tainted_value.
|
819
|
-
entry.taint.
|
823
|
+
expect(entry.object).to eq('jQuery')
|
824
|
+
expect(entry.function.name).to eq('before')
|
825
|
+
expect(entry.function.arguments).to eq(["Stuff #{taint}"])
|
826
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
827
|
+
expect(entry.taint).to eq(taint)
|
820
828
|
|
821
829
|
trace = entry.trace[0]
|
822
|
-
@browser.source.split("\n")[trace.line].
|
823
|
-
trace.url.
|
830
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'before('
|
831
|
+
expect(trace.url).to eq(@browser.url)
|
824
832
|
end
|
825
833
|
end
|
826
834
|
|
@@ -829,18 +837,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
829
837
|
load_with_taint 'data_trace/jQuery.prop'
|
830
838
|
|
831
839
|
sink = subject.data_flow_sinks[taint]
|
832
|
-
sink.size.
|
840
|
+
expect(sink.size).to eq(1)
|
833
841
|
|
834
842
|
entry = sink[0]
|
835
|
-
entry.object.
|
836
|
-
entry.function.name.
|
837
|
-
entry.function.arguments.
|
838
|
-
entry.tainted_value.
|
839
|
-
entry.taint.
|
843
|
+
expect(entry.object).to eq('jQuery')
|
844
|
+
expect(entry.function.name).to eq('prop')
|
845
|
+
expect(entry.function.arguments).to eq([ 'stuff', "Stuff #{taint}"])
|
846
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
847
|
+
expect(entry.taint).to eq(taint)
|
840
848
|
|
841
849
|
trace = entry.trace[0]
|
842
|
-
@browser.source.split("\n")[trace.line].
|
843
|
-
trace.url.
|
850
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'prop('
|
851
|
+
expect(trace.url).to eq(@browser.url)
|
844
852
|
end
|
845
853
|
end
|
846
854
|
|
@@ -849,18 +857,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
849
857
|
load_with_taint 'data_trace/jQuery.replaceWith'
|
850
858
|
|
851
859
|
sink = subject.data_flow_sinks[taint]
|
852
|
-
sink.size.
|
860
|
+
expect(sink.size).to eq(2)
|
853
861
|
|
854
862
|
entry = sink[0]
|
855
|
-
entry.object.
|
856
|
-
entry.function.name.
|
857
|
-
entry.function.arguments.
|
858
|
-
entry.tainted_value.
|
859
|
-
entry.taint.
|
863
|
+
expect(entry.object).to eq('jQuery')
|
864
|
+
expect(entry.function.name).to eq('replaceWith')
|
865
|
+
expect(entry.function.arguments).to eq([ "Stuff #{taint}"])
|
866
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
867
|
+
expect(entry.taint).to eq(taint)
|
860
868
|
|
861
869
|
trace = entry.trace[0]
|
862
|
-
@browser.source.split("\n")[trace.line-1].
|
863
|
-
trace.url.
|
870
|
+
expect(@browser.source.split("\n")[trace.line-1]).to include 'replaceWith('
|
871
|
+
expect(trace.url).to eq(@browser.url)
|
864
872
|
end
|
865
873
|
end
|
866
874
|
|
@@ -869,18 +877,18 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
869
877
|
load_with_taint 'data_trace/jQuery.val'
|
870
878
|
|
871
879
|
sink = subject.data_flow_sinks[taint]
|
872
|
-
sink.size.
|
880
|
+
expect(sink.size).to eq(1)
|
873
881
|
|
874
882
|
entry = sink[0]
|
875
|
-
entry.object.
|
876
|
-
entry.function.name.
|
877
|
-
entry.function.arguments.
|
878
|
-
entry.tainted_value.
|
879
|
-
entry.taint.
|
883
|
+
expect(entry.object).to eq('jQuery')
|
884
|
+
expect(entry.function.name).to eq('val')
|
885
|
+
expect(entry.function.arguments).to eq([ "Stuff #{taint}"])
|
886
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
887
|
+
expect(entry.taint).to eq(taint)
|
880
888
|
|
881
889
|
trace = entry.trace[0]
|
882
|
-
@browser.source.split("\n")[trace.line].
|
883
|
-
trace.url.
|
890
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'val('
|
891
|
+
expect(trace.url).to eq(@browser.url)
|
884
892
|
end
|
885
893
|
end
|
886
894
|
end
|
@@ -891,21 +899,21 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
891
899
|
load_with_taint 'data_trace/String.replace'
|
892
900
|
|
893
901
|
sink = subject.data_flow_sinks[taint]
|
894
|
-
sink.size.
|
902
|
+
expect(sink.size).to eq(1)
|
895
903
|
|
896
904
|
entry = sink[0]
|
897
|
-
entry.object.
|
898
|
-
entry.function.name.
|
899
|
-
entry.function.source.
|
900
|
-
entry.function.arguments.
|
905
|
+
expect(entry.object).to eq('String')
|
906
|
+
expect(entry.function.name).to eq('replace')
|
907
|
+
expect(entry.function.source).to start_with 'function replace'
|
908
|
+
expect(entry.function.arguments).to eq([
|
901
909
|
'my', taint
|
902
|
-
]
|
903
|
-
entry.tainted_value.
|
904
|
-
entry.taint.
|
910
|
+
])
|
911
|
+
expect(entry.tainted_value).to eq(taint)
|
912
|
+
expect(entry.taint).to eq(taint)
|
905
913
|
|
906
914
|
trace = entry.trace[0]
|
907
|
-
@browser.source.split("\n")[trace.line].
|
908
|
-
trace.url.
|
915
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'replace('
|
916
|
+
expect(trace.url).to eq(@browser.url)
|
909
917
|
end
|
910
918
|
end
|
911
919
|
|
@@ -914,19 +922,19 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
914
922
|
load_with_taint 'data_trace/String.concat'
|
915
923
|
|
916
924
|
sink = subject.data_flow_sinks[taint]
|
917
|
-
sink.size.
|
925
|
+
expect(sink.size).to eq(1)
|
918
926
|
|
919
927
|
entry = sink[0]
|
920
|
-
entry.object.
|
921
|
-
entry.function.name.
|
922
|
-
entry.function.source.
|
923
|
-
entry.function.arguments.
|
924
|
-
entry.tainted_value.
|
925
|
-
entry.taint.
|
928
|
+
expect(entry.object).to eq('String')
|
929
|
+
expect(entry.function.name).to eq('concat')
|
930
|
+
expect(entry.function.source).to start_with 'function concat'
|
931
|
+
expect(entry.function.arguments).to eq([ "stuff #{taint}" ])
|
932
|
+
expect(entry.tainted_value).to eq("stuff #{taint}")
|
933
|
+
expect(entry.taint).to eq(taint)
|
926
934
|
|
927
935
|
trace = entry.trace[0]
|
928
|
-
@browser.source.split("\n")[trace.line].
|
929
|
-
trace.url.
|
936
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'concat('
|
937
|
+
expect(trace.url).to eq(@browser.url)
|
930
938
|
end
|
931
939
|
end
|
932
940
|
|
@@ -935,19 +943,19 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
935
943
|
load_with_taint 'data_trace/String.indexOf'
|
936
944
|
|
937
945
|
sink = subject.data_flow_sinks[taint]
|
938
|
-
sink.size.
|
946
|
+
expect(sink.size).to eq(1)
|
939
947
|
|
940
948
|
entry = sink[0]
|
941
|
-
entry.object.
|
942
|
-
entry.function.name.
|
943
|
-
entry.function.source.
|
944
|
-
entry.function.arguments.
|
945
|
-
entry.tainted_value.
|
946
|
-
entry.taint.
|
949
|
+
expect(entry.object).to eq('String')
|
950
|
+
expect(entry.function.name).to eq('indexOf')
|
951
|
+
expect(entry.function.source).to start_with 'function indexOf'
|
952
|
+
expect(entry.function.arguments).to eq([ "stuff #{taint}" ])
|
953
|
+
expect(entry.tainted_value).to eq("stuff #{taint}")
|
954
|
+
expect(entry.taint).to eq(taint)
|
947
955
|
|
948
956
|
trace = entry.trace[0]
|
949
|
-
@browser.source.split("\n")[trace.line].
|
950
|
-
trace.url.
|
957
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'indexOf('
|
958
|
+
expect(trace.url).to eq(@browser.url)
|
951
959
|
end
|
952
960
|
end
|
953
961
|
|
@@ -956,19 +964,19 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
956
964
|
load_with_taint 'data_trace/String.lastIndexOf'
|
957
965
|
|
958
966
|
sink = subject.data_flow_sinks[taint]
|
959
|
-
sink.size.
|
967
|
+
expect(sink.size).to eq(1)
|
960
968
|
|
961
969
|
entry = sink[0]
|
962
|
-
entry.object.
|
963
|
-
entry.function.name.
|
964
|
-
entry.function.source.
|
965
|
-
entry.function.arguments.
|
966
|
-
entry.tainted_value.
|
967
|
-
entry.taint.
|
970
|
+
expect(entry.object).to eq('String')
|
971
|
+
expect(entry.function.name).to eq('lastIndexOf')
|
972
|
+
expect(entry.function.source).to start_with 'function lastIndexOf'
|
973
|
+
expect(entry.function.arguments).to eq([ "stuff #{taint}" ])
|
974
|
+
expect(entry.tainted_value).to eq("stuff #{taint}")
|
975
|
+
expect(entry.taint).to eq(taint)
|
968
976
|
|
969
977
|
trace = entry.trace[0]
|
970
|
-
@browser.source.split("\n")[trace.line].
|
971
|
-
trace.url.
|
978
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'lastIndexOf('
|
979
|
+
expect(trace.url).to eq(@browser.url)
|
972
980
|
end
|
973
981
|
end
|
974
982
|
end
|
@@ -979,21 +987,21 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
979
987
|
load_with_taint 'data_trace/HTMLElement.insertAdjacentHTML'
|
980
988
|
|
981
989
|
sink = subject.data_flow_sinks[taint]
|
982
|
-
sink.size.
|
990
|
+
expect(sink.size).to eq(1)
|
983
991
|
|
984
992
|
entry = sink[0]
|
985
|
-
entry.object.
|
986
|
-
entry.function.name.
|
987
|
-
entry.function.source.
|
988
|
-
entry.function.arguments.
|
993
|
+
expect(entry.object).to eq('HTMLElementPrototype')
|
994
|
+
expect(entry.function.name).to eq('insertAdjacentHTML')
|
995
|
+
expect(entry.function.source).to start_with 'function insertAdjacentHTML'
|
996
|
+
expect(entry.function.arguments).to eq([
|
989
997
|
'AfterBegin', "stuff #{taint} more stuff"
|
990
|
-
]
|
991
|
-
entry.tainted_value.
|
992
|
-
entry.taint.
|
998
|
+
])
|
999
|
+
expect(entry.tainted_value).to eq("stuff #{taint} more stuff")
|
1000
|
+
expect(entry.taint).to eq(taint)
|
993
1001
|
|
994
1002
|
trace = entry.trace[0]
|
995
|
-
@browser.source.split("\n")[trace.line].
|
996
|
-
trace.url.
|
1003
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'insertAdjacentHTML('
|
1004
|
+
expect(trace.url).to eq(@browser.url)
|
997
1005
|
end
|
998
1006
|
end
|
999
1007
|
end
|
@@ -1004,21 +1012,21 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1004
1012
|
load_with_taint 'data_trace/Element.setAttribute'
|
1005
1013
|
|
1006
1014
|
sink = subject.data_flow_sinks[taint]
|
1007
|
-
sink.size.
|
1015
|
+
expect(sink.size).to eq(1)
|
1008
1016
|
|
1009
1017
|
entry = sink[0]
|
1010
|
-
entry.object.
|
1011
|
-
entry.function.name.
|
1012
|
-
entry.function.source.
|
1013
|
-
entry.function.arguments.
|
1018
|
+
expect(entry.object).to eq('ElementPrototype')
|
1019
|
+
expect(entry.function.name).to eq('setAttribute')
|
1020
|
+
expect(entry.function.source).to start_with 'function setAttribute'
|
1021
|
+
expect(entry.function.arguments).to eq([
|
1014
1022
|
'my-attribute', "stuff #{taint} more stuff"
|
1015
|
-
]
|
1016
|
-
entry.tainted_value.
|
1017
|
-
entry.taint.
|
1023
|
+
])
|
1024
|
+
expect(entry.tainted_value).to eq("stuff #{taint} more stuff")
|
1025
|
+
expect(entry.taint).to eq(taint)
|
1018
1026
|
|
1019
1027
|
trace = entry.trace[0]
|
1020
|
-
@browser.source.split("\n")[trace.line].
|
1021
|
-
trace.url.
|
1028
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'setAttribute('
|
1029
|
+
expect(trace.url).to eq(@browser.url)
|
1022
1030
|
end
|
1023
1031
|
end
|
1024
1032
|
end
|
@@ -1029,19 +1037,19 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1029
1037
|
load_with_taint 'data_trace/Document.createTextNode'
|
1030
1038
|
|
1031
1039
|
sink = subject.data_flow_sinks[taint]
|
1032
|
-
sink.size.
|
1040
|
+
expect(sink.size).to eq(1)
|
1033
1041
|
|
1034
1042
|
entry = sink[0]
|
1035
|
-
entry.object.
|
1036
|
-
entry.function.name.
|
1037
|
-
entry.function.source.
|
1038
|
-
entry.function.arguments.
|
1039
|
-
entry.tainted_value.
|
1040
|
-
entry.taint.
|
1043
|
+
expect(entry.object).to eq('DocumentPrototype')
|
1044
|
+
expect(entry.function.name).to eq('createTextNode')
|
1045
|
+
expect(entry.function.source).to start_with 'function createTextNode'
|
1046
|
+
expect(entry.function.arguments).to eq([ "node #{taint}" ])
|
1047
|
+
expect(entry.tainted_value).to eq("node #{taint}")
|
1048
|
+
expect(entry.taint).to eq(taint)
|
1041
1049
|
|
1042
1050
|
trace = entry.trace[0]
|
1043
|
-
@browser.source.split("\n")[trace.line].
|
1044
|
-
trace.url.
|
1051
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'document.createTextNode('
|
1052
|
+
expect(trace.url).to eq(@browser.url)
|
1045
1053
|
end
|
1046
1054
|
end
|
1047
1055
|
end
|
@@ -1052,19 +1060,19 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1052
1060
|
load_with_taint 'data_trace/CharacterData.insertData'
|
1053
1061
|
|
1054
1062
|
sink = subject.data_flow_sinks[taint]
|
1055
|
-
sink.size.
|
1063
|
+
expect(sink.size).to eq(1)
|
1056
1064
|
|
1057
1065
|
entry = sink[0]
|
1058
|
-
entry.object.
|
1059
|
-
entry.function.name.
|
1060
|
-
entry.function.source.
|
1061
|
-
entry.function.arguments.
|
1062
|
-
entry.tainted_value.
|
1063
|
-
entry.taint.
|
1066
|
+
expect(entry.object).to eq('CharacterDataPrototype')
|
1067
|
+
expect(entry.function.name).to eq('insertData')
|
1068
|
+
expect(entry.function.source).to start_with 'function insertData'
|
1069
|
+
expect(entry.function.arguments).to eq([ "Stuff #{taint}" ])
|
1070
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
1071
|
+
expect(entry.taint).to eq(taint)
|
1064
1072
|
|
1065
1073
|
trace = entry.trace[0]
|
1066
|
-
@browser.source.split("\n")[trace.line].
|
1067
|
-
trace.url.
|
1074
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'insertData('
|
1075
|
+
expect(trace.url).to eq(@browser.url)
|
1068
1076
|
end
|
1069
1077
|
end
|
1070
1078
|
|
@@ -1073,19 +1081,19 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1073
1081
|
load_with_taint 'data_trace/CharacterData.appendData'
|
1074
1082
|
|
1075
1083
|
sink = subject.data_flow_sinks[taint]
|
1076
|
-
sink.size.
|
1084
|
+
expect(sink.size).to eq(1)
|
1077
1085
|
|
1078
1086
|
entry = sink[0]
|
1079
|
-
entry.object.
|
1080
|
-
entry.function.name.
|
1081
|
-
entry.function.source.
|
1082
|
-
entry.function.arguments.
|
1083
|
-
entry.tainted_value.
|
1084
|
-
entry.taint.
|
1087
|
+
expect(entry.object).to eq('CharacterDataPrototype')
|
1088
|
+
expect(entry.function.name).to eq('appendData')
|
1089
|
+
expect(entry.function.source).to start_with 'function appendData'
|
1090
|
+
expect(entry.function.arguments).to eq([ "Stuff #{taint}" ])
|
1091
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
1092
|
+
expect(entry.taint).to eq(taint)
|
1085
1093
|
|
1086
1094
|
trace = entry.trace[0]
|
1087
|
-
@browser.source.split("\n")[trace.line].
|
1088
|
-
trace.url.
|
1095
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'appendData('
|
1096
|
+
expect(trace.url).to eq(@browser.url)
|
1089
1097
|
end
|
1090
1098
|
end
|
1091
1099
|
|
@@ -1094,19 +1102,19 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1094
1102
|
load_with_taint 'data_trace/CharacterData.replaceData'
|
1095
1103
|
|
1096
1104
|
sink = subject.data_flow_sinks[taint]
|
1097
|
-
sink.size.
|
1105
|
+
expect(sink.size).to eq(1)
|
1098
1106
|
|
1099
1107
|
entry = sink[0]
|
1100
|
-
entry.object.
|
1101
|
-
entry.function.name.
|
1102
|
-
entry.function.source.
|
1103
|
-
entry.function.arguments.
|
1104
|
-
entry.tainted_value.
|
1105
|
-
entry.taint.
|
1108
|
+
expect(entry.object).to eq('CharacterDataPrototype')
|
1109
|
+
expect(entry.function.name).to eq('replaceData')
|
1110
|
+
expect(entry.function.source).to start_with 'function replaceData'
|
1111
|
+
expect(entry.function.arguments).to eq([ 0, 0, "Stuff #{taint}" ])
|
1112
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
1113
|
+
expect(entry.taint).to eq(taint)
|
1106
1114
|
|
1107
1115
|
trace = entry.trace[0]
|
1108
|
-
@browser.source.split("\n")[trace.line].
|
1109
|
-
trace.url.
|
1116
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'replaceData('
|
1117
|
+
expect(trace.url).to eq(@browser.url)
|
1110
1118
|
end
|
1111
1119
|
end
|
1112
1120
|
end
|
@@ -1117,19 +1125,19 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1117
1125
|
load_with_taint 'data_trace/Text.replaceWholeText'
|
1118
1126
|
|
1119
1127
|
sink = subject.data_flow_sinks[taint]
|
1120
|
-
sink.size.
|
1128
|
+
expect(sink.size).to eq(1)
|
1121
1129
|
|
1122
1130
|
entry = sink[0]
|
1123
|
-
entry.object.
|
1124
|
-
entry.function.name.
|
1125
|
-
entry.function.source.
|
1126
|
-
entry.function.arguments.
|
1127
|
-
entry.tainted_value.
|
1128
|
-
entry.taint.
|
1131
|
+
expect(entry.object).to eq('TextPrototype')
|
1132
|
+
expect(entry.function.name).to eq('replaceWholeText')
|
1133
|
+
expect(entry.function.source).to start_with 'function replaceWholeText'
|
1134
|
+
expect(entry.function.arguments).to eq([ "Stuff #{taint}" ])
|
1135
|
+
expect(entry.tainted_value).to eq("Stuff #{taint}")
|
1136
|
+
expect(entry.taint).to eq(taint)
|
1129
1137
|
|
1130
1138
|
trace = entry.trace[0]
|
1131
|
-
@browser.source.split("\n")[trace.line].
|
1132
|
-
trace.url.
|
1139
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'replaceWholeText('
|
1140
|
+
expect(trace.url).to eq(@browser.url)
|
1133
1141
|
end
|
1134
1142
|
end
|
1135
1143
|
end
|
@@ -1140,22 +1148,23 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1140
1148
|
load_with_taint 'data_trace/HTMLDocument.write'
|
1141
1149
|
|
1142
1150
|
sink = subject.data_flow_sinks[taint]
|
1143
|
-
sink.size.
|
1151
|
+
expect(sink.size).to eq(1)
|
1144
1152
|
|
1145
1153
|
entry = sink[0]
|
1146
|
-
entry.object.
|
1147
|
-
entry.function.name.
|
1148
|
-
entry.function.source.
|
1149
|
-
entry.function.arguments.
|
1154
|
+
expect(entry.object).to eq('HTMLDocumentPrototype')
|
1155
|
+
expect(entry.function.name).to eq('write')
|
1156
|
+
expect(entry.function.source).to start_with 'function write'
|
1157
|
+
expect(entry.function.arguments).to eq([
|
1150
1158
|
"Stuff here blah #{taint} more stuff nlahblah..."
|
1151
|
-
]
|
1152
|
-
entry.tainted_value.
|
1159
|
+
])
|
1160
|
+
expect(entry.tainted_value).to eq(
|
1153
1161
|
"Stuff here blah #{taint} more stuff nlahblah..."
|
1154
|
-
|
1162
|
+
)
|
1163
|
+
expect(entry.taint).to eq(taint)
|
1155
1164
|
|
1156
1165
|
trace = entry.trace[0]
|
1157
|
-
@browser.source.split("\n")[trace.line].
|
1158
|
-
trace.url.
|
1166
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'document.write('
|
1167
|
+
expect(trace.url).to eq(@browser.url)
|
1159
1168
|
end
|
1160
1169
|
end
|
1161
1170
|
|
@@ -1164,22 +1173,23 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1164
1173
|
load_with_taint 'data_trace/HTMLDocument.writeln'
|
1165
1174
|
|
1166
1175
|
sink = subject.data_flow_sinks[taint]
|
1167
|
-
sink.size.
|
1176
|
+
expect(sink.size).to eq(1)
|
1168
1177
|
|
1169
1178
|
entry = sink[0]
|
1170
|
-
entry.object.
|
1171
|
-
entry.function.name.
|
1172
|
-
entry.function.source.
|
1173
|
-
entry.function.arguments.
|
1179
|
+
expect(entry.object).to eq('HTMLDocumentPrototype')
|
1180
|
+
expect(entry.function.name).to eq('writeln')
|
1181
|
+
expect(entry.function.source).to start_with 'function writeln'
|
1182
|
+
expect(entry.function.arguments).to eq([
|
1174
1183
|
"Stuff here blah #{taint} more stuff nlahblah..."
|
1175
|
-
]
|
1176
|
-
entry.tainted_value.
|
1184
|
+
])
|
1185
|
+
expect(entry.tainted_value).to eq(
|
1177
1186
|
"Stuff here blah #{taint} more stuff nlahblah..."
|
1178
|
-
|
1187
|
+
)
|
1188
|
+
expect(entry.taint).to eq(taint)
|
1179
1189
|
|
1180
1190
|
trace = entry.trace[0]
|
1181
|
-
@browser.source.split("\n")[trace.line].
|
1182
|
-
trace.url.
|
1191
|
+
expect(@browser.source.split("\n")[trace.line]).to include 'document.writeln('
|
1192
|
+
expect(trace.url).to eq(@browser.url)
|
1183
1193
|
end
|
1184
1194
|
end
|
1185
1195
|
end
|
@@ -1189,7 +1199,7 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1189
1199
|
describe '#taints' do
|
1190
1200
|
context 'by default' do
|
1191
1201
|
it 'returns []' do
|
1192
|
-
subject.taints.
|
1202
|
+
expect(subject.taints).to eq([])
|
1193
1203
|
end
|
1194
1204
|
end
|
1195
1205
|
end
|
@@ -1197,14 +1207,14 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1197
1207
|
describe '#enable_debugging=' do
|
1198
1208
|
it 'sets the debugging flag' do
|
1199
1209
|
subject.enable_debugging = false
|
1200
|
-
subject.enable_debugging.
|
1210
|
+
expect(subject.enable_debugging).to eq(false)
|
1201
1211
|
end
|
1202
1212
|
end
|
1203
1213
|
|
1204
1214
|
describe '#enable_debugging' do
|
1205
1215
|
context 'by default' do
|
1206
1216
|
it 'returns true' do
|
1207
|
-
subject.enable_debugging.
|
1217
|
+
expect(subject.enable_debugging).to eq(true)
|
1208
1218
|
end
|
1209
1219
|
end
|
1210
1220
|
end
|
@@ -1213,12 +1223,12 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1213
1223
|
it 'returns sink data' do
|
1214
1224
|
load "debug?input=#{subject.stub.function(:log_execution_flow_sink)}"
|
1215
1225
|
@browser.watir.form.submit
|
1216
|
-
subject.execution_flow_sinks.
|
1226
|
+
expect(subject.execution_flow_sinks).to be_any
|
1217
1227
|
end
|
1218
1228
|
|
1219
1229
|
context 'by default' do
|
1220
1230
|
it 'returns []' do
|
1221
|
-
subject.execution_flow_sinks.
|
1231
|
+
expect(subject.execution_flow_sinks).to eq([])
|
1222
1232
|
end
|
1223
1233
|
end
|
1224
1234
|
end
|
@@ -1227,12 +1237,12 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1227
1237
|
it 'returns sink data' do
|
1228
1238
|
load "debug?input=#{subject.stub.function(:log_data_flow_sink, 'taint', { function: 'blah' })}"
|
1229
1239
|
@browser.watir.form.submit
|
1230
|
-
subject.data_flow_sinks['taint'].
|
1240
|
+
expect(subject.data_flow_sinks['taint']).to be_any
|
1231
1241
|
end
|
1232
1242
|
|
1233
1243
|
context 'by default' do
|
1234
1244
|
it 'returns {}' do
|
1235
|
-
subject.data_flow_sinks.
|
1245
|
+
expect(subject.data_flow_sinks).to eq({})
|
1236
1246
|
end
|
1237
1247
|
end
|
1238
1248
|
end
|
@@ -1244,34 +1254,34 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1244
1254
|
sink_data = subject.flush_data_flow_sinks['taint']
|
1245
1255
|
|
1246
1256
|
first_entry = sink_data.first
|
1247
|
-
sink_data.
|
1257
|
+
expect(sink_data).to eq([first_entry])
|
1248
1258
|
|
1249
|
-
first_entry.function.name.
|
1250
|
-
first_entry.trace.size.
|
1259
|
+
expect(first_entry.function.name).to eq('blah')
|
1260
|
+
expect(first_entry.trace.size).to eq(2)
|
1251
1261
|
|
1252
|
-
first_entry.trace[0].function.name.
|
1253
|
-
first_entry.trace[0].function.source.
|
1254
|
-
@browser.source.split("\n")[first_entry.trace[0].line].
|
1255
|
-
first_entry.trace[0].function.arguments.
|
1262
|
+
expect(first_entry.trace[0].function.name).to eq('onClick')
|
1263
|
+
expect(first_entry.trace[0].function.source).to start_with 'function onClick'
|
1264
|
+
expect(@browser.source.split("\n")[first_entry.trace[0].line]).to include 'log_data_flow_sink'
|
1265
|
+
expect(first_entry.trace[0].function.arguments).to eq(%w(some-arg arguments-arg here-arg))
|
1256
1266
|
|
1257
|
-
first_entry.trace[1].function.name.
|
1258
|
-
first_entry.trace[1].function.source.
|
1259
|
-
@browser.source.split("\n")[first_entry.trace[1].line].
|
1260
|
-
first_entry.trace[1].function.arguments.size.
|
1267
|
+
expect(first_entry.trace[1].function.name).to eq('onsubmit')
|
1268
|
+
expect(first_entry.trace[1].function.source).to start_with 'function onsubmit'
|
1269
|
+
expect(@browser.source.split("\n")[first_entry.trace[1].line]).to include 'onsubmit'
|
1270
|
+
expect(first_entry.trace[1].function.arguments.size).to eq(1)
|
1261
1271
|
|
1262
1272
|
event = first_entry.trace[1].function.arguments.first
|
1263
1273
|
|
1264
1274
|
form = "<form id=\"my_form\" onsubmit=\"onClick('some-arg', 'arguments-arg', 'here-arg'); return false;\">\n </form>"
|
1265
|
-
event['target'].
|
1266
|
-
event['srcElement'].
|
1267
|
-
event['type'].
|
1275
|
+
expect(event['target']).to eq(form)
|
1276
|
+
expect(event['srcElement']).to eq(form)
|
1277
|
+
expect(event['type']).to eq('submit')
|
1268
1278
|
end
|
1269
1279
|
|
1270
1280
|
it 'empties the sink' do
|
1271
1281
|
load "debug?input=#{subject.stub.function(:log_data_flow_sink, { function: { name: 'blah' } })}"
|
1272
1282
|
@browser.watir.form.submit
|
1273
1283
|
subject.flush_data_flow_sinks
|
1274
|
-
subject.data_flow_sinks.
|
1284
|
+
expect(subject.data_flow_sinks).to be_empty
|
1275
1285
|
end
|
1276
1286
|
end
|
1277
1287
|
|
@@ -1282,34 +1292,34 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1282
1292
|
sink_data = subject.flush_execution_flow_sinks
|
1283
1293
|
|
1284
1294
|
first_entry = sink_data.first
|
1285
|
-
sink_data.
|
1295
|
+
expect(sink_data).to eq([first_entry])
|
1286
1296
|
|
1287
|
-
first_entry.data.
|
1288
|
-
first_entry.trace.size.
|
1297
|
+
expect(first_entry.data).to eq([1])
|
1298
|
+
expect(first_entry.trace.size).to eq(2)
|
1289
1299
|
|
1290
|
-
first_entry.trace[0].function.name.
|
1291
|
-
first_entry.trace[0].function.source.
|
1292
|
-
@browser.source.split("\n")[first_entry.trace[0].line].
|
1293
|
-
first_entry.trace[0].function.arguments.
|
1300
|
+
expect(first_entry.trace[0].function.name).to eq('onClick')
|
1301
|
+
expect(first_entry.trace[0].function.source).to start_with 'function onClick'
|
1302
|
+
expect(@browser.source.split("\n")[first_entry.trace[0].line]).to include 'log_execution_flow_sink(1)'
|
1303
|
+
expect(first_entry.trace[0].function.arguments).to eq(%w(some-arg arguments-arg here-arg))
|
1294
1304
|
|
1295
|
-
first_entry.trace[1].function.name.
|
1296
|
-
first_entry.trace[1].function.source.
|
1297
|
-
@browser.source.split("\n")[first_entry.trace[1].line].
|
1298
|
-
first_entry.trace[1].function.arguments.size.
|
1305
|
+
expect(first_entry.trace[1].function.name).to eq('onsubmit')
|
1306
|
+
expect(first_entry.trace[1].function.source).to start_with 'function onsubmit'
|
1307
|
+
expect(@browser.source.split("\n")[first_entry.trace[1].line]).to include 'onsubmit'
|
1308
|
+
expect(first_entry.trace[1].function.arguments.size).to eq(1)
|
1299
1309
|
|
1300
1310
|
event = first_entry.trace[1].function.arguments.first
|
1301
1311
|
|
1302
1312
|
form = "<form id=\"my_form\" onsubmit=\"onClick('some-arg', 'arguments-arg', 'here-arg'); return false;\">\n </form>"
|
1303
|
-
event['target'].
|
1304
|
-
event['srcElement'].
|
1305
|
-
event['type'].
|
1313
|
+
expect(event['target']).to eq(form)
|
1314
|
+
expect(event['srcElement']).to eq(form)
|
1315
|
+
expect(event['type']).to eq('submit')
|
1306
1316
|
end
|
1307
1317
|
|
1308
1318
|
it 'empties the sink' do
|
1309
1319
|
load "debug?input=#{subject.stub.function(:log_data_flow_sink)}"
|
1310
1320
|
@browser.watir.form.submit
|
1311
1321
|
subject.flush_execution_flow_sinks
|
1312
|
-
subject.execution_flow_sinks.
|
1322
|
+
expect(subject.execution_flow_sinks).to be_empty
|
1313
1323
|
end
|
1314
1324
|
end
|
1315
1325
|
|
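Review bot: The 'empties the sink' example at the end of this hunk loads `log_data_flow_sink` and then asserts `expect(subject.execution_flow_sinks).to be_empty`. The execution-flow sink is apparently never populated before the flush, so the expectation would hold even if `flush_execution_flow_sinks` cleared nothing. The setup should log to the sink under test, `load "debug?input=#{subject.stub.function(:log_execution_flow_sink)}"`. Adding `expect(subject.execution_flow_sinks).to be_any` before the flush would make the precondition explicit. The setup line is unchanged context in this commit, and the enclosing `describe` starts above the hunk.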
@@ -1320,27 +1330,27 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1320
1330
|
sink_data = subject.execution_flow_sinks
|
1321
1331
|
|
1322
1332
|
first_entry = sink_data.first
|
1323
|
-
sink_data.
|
1333
|
+
expect(sink_data).to eq([first_entry])
|
1324
1334
|
|
1325
|
-
first_entry.data.
|
1326
|
-
first_entry.trace.size.
|
1335
|
+
expect(first_entry.data).to eq([1])
|
1336
|
+
expect(first_entry.trace.size).to eq(2)
|
1327
1337
|
|
1328
|
-
first_entry.trace[0].function.name.
|
1329
|
-
first_entry.trace[0].function.source.
|
1330
|
-
@browser.source.split("\n")[first_entry.trace[0].line].
|
1331
|
-
first_entry.trace[0].function.arguments.
|
1338
|
+
expect(first_entry.trace[0].function.name).to eq('onClick')
|
1339
|
+
expect(first_entry.trace[0].function.source).to start_with 'function onClick'
|
1340
|
+
expect(@browser.source.split("\n")[first_entry.trace[0].line]).to include 'log_execution_flow_sink(1)'
|
1341
|
+
expect(first_entry.trace[0].function.arguments).to eq(%w(some-arg arguments-arg here-arg))
|
1332
1342
|
|
1333
|
-
first_entry.trace[1].function.name.
|
1334
|
-
first_entry.trace[1].function.source.
|
1335
|
-
@browser.source.split("\n")[first_entry.trace[1].line].
|
1336
|
-
first_entry.trace[1].function.arguments.size.
|
1343
|
+
expect(first_entry.trace[1].function.name).to eq('onsubmit')
|
1344
|
+
expect(first_entry.trace[1].function.source).to start_with 'function onsubmit'
|
1345
|
+
expect(@browser.source.split("\n")[first_entry.trace[1].line]).to include 'onsubmit'
|
1346
|
+
expect(first_entry.trace[1].function.arguments.size).to eq(1)
|
1337
1347
|
|
1338
1348
|
event = first_entry.trace[1].function.arguments.first
|
1339
1349
|
|
1340
1350
|
form = "<form id=\"my_form\" onsubmit=\"onClick('some-arg', 'arguments-arg', 'here-arg'); return false;\">\n </form>"
|
1341
|
-
event['target'].
|
1342
|
-
event['srcElement'].
|
1343
|
-
event['type'].
|
1351
|
+
expect(event['target']).to eq(form)
|
1352
|
+
expect(event['srcElement']).to eq(form)
|
1353
|
+
expect(event['type']).to eq('submit')
|
1344
1354
|
end
|
1345
1355
|
|
1346
1356
|
it 'is limited to 50' do
|
@@ -1351,10 +1361,10 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1351
1361
|
end
|
1352
1362
|
|
1353
1363
|
sinks = subject.execution_flow_sinks
|
1354
|
-
sinks.size.
|
1364
|
+
expect(sinks.size).to eq(50)
|
1355
1365
|
|
1356
1366
|
50.times do |i|
|
1357
|
-
sinks[i].data.
|
1367
|
+
expect(sinks[i].data).to eq([50 + i])
|
1358
1368
|
end
|
1359
1369
|
end
|
1360
1370
|
end
|
@@ -1366,27 +1376,27 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1366
1376
|
sink_data = subject.data_flow_sinks['taint']
|
1367
1377
|
|
1368
1378
|
first_entry = sink_data.first
|
1369
|
-
sink_data.
|
1379
|
+
expect(sink_data).to eq([first_entry])
|
1370
1380
|
|
1371
|
-
first_entry.function.name.
|
1372
|
-
first_entry.trace.size.
|
1381
|
+
expect(first_entry.function.name).to eq('blah')
|
1382
|
+
expect(first_entry.trace.size).to eq(2)
|
1373
1383
|
|
1374
|
-
first_entry.trace[0].function.name.
|
1375
|
-
first_entry.trace[0].function.source.
|
1376
|
-
@browser.source.split("\n")[first_entry.trace[0].line].
|
1377
|
-
first_entry.trace[0].function.arguments.
|
1384
|
+
expect(first_entry.trace[0].function.name).to eq('onClick')
|
1385
|
+
expect(first_entry.trace[0].function.source).to start_with 'function onClick'
|
1386
|
+
expect(@browser.source.split("\n")[first_entry.trace[0].line]).to include 'log_data_flow_sink'
|
1387
|
+
expect(first_entry.trace[0].function.arguments).to eq(%w(some-arg arguments-arg here-arg))
|
1378
1388
|
|
1379
|
-
first_entry.trace[1].function.name.
|
1380
|
-
first_entry.trace[1].function.source.
|
1381
|
-
@browser.source.split("\n")[first_entry.trace[1].line].
|
1382
|
-
first_entry.trace[1].function.arguments.size.
|
1389
|
+
expect(first_entry.trace[1].function.name).to eq('onsubmit')
|
1390
|
+
expect(first_entry.trace[1].function.source).to start_with 'function onsubmit'
|
1391
|
+
expect(@browser.source.split("\n")[first_entry.trace[1].line]).to include 'onsubmit'
|
1392
|
+
expect(first_entry.trace[1].function.arguments.size).to eq(1)
|
1383
1393
|
|
1384
1394
|
event = first_entry.trace[1].function.arguments.first
|
1385
1395
|
|
1386
1396
|
form = "<form id=\"my_form\" onsubmit=\"onClick('some-arg', 'arguments-arg', 'here-arg'); return false;\">\n </form>"
|
1387
|
-
event['target'].
|
1388
|
-
event['srcElement'].
|
1389
|
-
event['type'].
|
1397
|
+
expect(event['target']).to eq(form)
|
1398
|
+
expect(event['srcElement']).to eq(form)
|
1399
|
+
expect(event['type']).to eq('submit')
|
1390
1400
|
end
|
1391
1401
|
|
1392
1402
|
it 'is limited to 50 per taint' do
|
@@ -1407,10 +1417,10 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1407
1417
|
end
|
1408
1418
|
|
1409
1419
|
sinks = subject.data_flow_sinks['taint']
|
1410
|
-
sinks.size.
|
1420
|
+
expect(sinks.size).to eq(50)
|
1411
1421
|
|
1412
1422
|
50.times do |i|
|
1413
|
-
sinks[i].function.name.
|
1423
|
+
expect(sinks[i].function.name).to eq("f_#{i+50}")
|
1414
1424
|
end
|
1415
1425
|
end
|
1416
1426
|
|
@@ -1420,12 +1430,12 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1420
1430
|
it 'returns debugging information' do
|
1421
1431
|
load "debug?input=#{subject.stub.function(:debug, 1)}"
|
1422
1432
|
@browser.watir.form.submit
|
1423
|
-
subject.debugging_data.
|
1433
|
+
expect(subject.debugging_data).to be_any
|
1424
1434
|
end
|
1425
1435
|
|
1426
1436
|
context 'by default' do
|
1427
1437
|
it 'returns []' do
|
1428
|
-
subject.debugging_data.
|
1438
|
+
expect(subject.debugging_data).to eq([])
|
1429
1439
|
end
|
1430
1440
|
end
|
1431
1441
|
end
|
@@ -1441,27 +1451,27 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1441
1451
|
debugging_data = subject.debugging_data
|
1442
1452
|
|
1443
1453
|
first_entry = debugging_data.first
|
1444
|
-
debugging_data.
|
1454
|
+
expect(debugging_data).to eq([first_entry])
|
1445
1455
|
|
1446
|
-
first_entry.data.
|
1447
|
-
first_entry.trace.size.
|
1456
|
+
expect(first_entry.data).to eq([1])
|
1457
|
+
expect(first_entry.trace.size).to eq(2)
|
1448
1458
|
|
1449
|
-
first_entry.trace[0].function.name.
|
1450
|
-
first_entry.trace[0].function.source.
|
1451
|
-
@browser.source.split("\n")[first_entry.trace[0].line].
|
1452
|
-
first_entry.trace[0].function.arguments.
|
1459
|
+
expect(first_entry.trace[0].function.name).to eq('onClick')
|
1460
|
+
expect(first_entry.trace[0].function.source).to start_with 'function onClick'
|
1461
|
+
expect(@browser.source.split("\n")[first_entry.trace[0].line]).to include 'debug(1)'
|
1462
|
+
expect(first_entry.trace[0].function.arguments).to eq(%w(some-arg arguments-arg here-arg))
|
1453
1463
|
|
1454
|
-
first_entry.trace[1].function.name.
|
1455
|
-
first_entry.trace[1].function.source.
|
1456
|
-
@browser.source.split("\n")[first_entry.trace[1].line].
|
1457
|
-
first_entry.trace[1].function.arguments.size.
|
1464
|
+
expect(first_entry.trace[1].function.name).to eq('onsubmit')
|
1465
|
+
expect(first_entry.trace[1].function.source).to start_with 'function onsubmit'
|
1466
|
+
expect(@browser.source.split("\n")[first_entry.trace[1].line]).to include 'onClick('
|
1467
|
+
expect(first_entry.trace[1].function.arguments.size).to eq(1)
|
1458
1468
|
|
1459
1469
|
event = first_entry.trace[1].function.arguments.first
|
1460
1470
|
|
1461
1471
|
form = "<form id=\"my_form\" onsubmit=\"onClick('some-arg', 'arguments-arg', 'here-arg'); return false;\">\n </form>"
|
1462
|
-
event['target'].
|
1463
|
-
event['srcElement'].
|
1464
|
-
event['type'].
|
1472
|
+
expect(event['target']).to eq(form)
|
1473
|
+
expect(event['srcElement']).to eq(form)
|
1474
|
+
expect(event['type']).to eq('submit')
|
1465
1475
|
end
|
1466
1476
|
end
|
1467
1477
|
|
@@ -1472,7 +1482,7 @@ describe Arachni::Browser::Javascript::TaintTracer do
|
|
1472
1482
|
subject.enable_debugging = false
|
1473
1483
|
|
1474
1484
|
@browser.watir.form.submit
|
1475
|
-
subject.debugging_data.
|
1485
|
+
expect(subject.debugging_data).to be_empty
|
1476
1486
|
end
|
1477
1487
|
end
|
1478
1488
|
end
|