arachni 1.2.1 → 1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +66 -0
- data/Gemfile +1 -1
- data/README.md +16 -5
- data/components/checks/active/ldap_injection/errors.txt +1 -0
- data/components/checks/active/source_code_disclosure.rb +1 -1
- data/components/checks/active/unvalidated_redirect.rb +6 -6
- data/components/checks/active/unvalidated_redirect_dom.rb +10 -7
- data/components/checks/passive/grep/captcha.rb +14 -5
- data/components/checks/passive/grep/form_upload.rb +7 -3
- data/components/checks/passive/grep/hsts.rb +3 -3
- data/components/checks/passive/grep/html_objects.rb +2 -3
- data/components/checks/passive/grep/http_only_cookies.rb +2 -3
- data/components/checks/passive/grep/insecure_cookies.rb +1 -1
- data/components/checks/passive/grep/password_autocomplete.rb +2 -2
- data/components/checks/passive/grep/unencrypted_password_forms.rb +7 -7
- data/components/checks/passive/grep/x_frame_options.rb +2 -2
- data/components/checks/passive/http_put.rb +2 -3
- data/components/path_extractors/comments.rb +3 -3
- data/components/path_extractors/scripts.rb +10 -1
- data/components/plugins/defaults/autothrottle.rb +27 -18
- data/components/plugins/defaults/meta/remedies/discovery.rb +30 -33
- data/components/plugins/defaults/meta/remedies/timing_attacks.rb +7 -11
- data/components/plugins/login_script.rb +9 -3
- data/components/plugins/proxy.rb +4 -3
- data/components/reporters/html.rb +11 -14
- data/components/reporters/html/default/issue.erb +13 -38
- data/components/reporters/html/default/issue/info.erb +1 -1
- data/components/reporters/html/default/summary/issues/by_name.erb +3 -3
- data/components/reporters/stdout.rb +62 -71
- data/components/reporters/xml.rb +26 -40
- data/components/reporters/xml/schema.xsd +43 -89
- data/lib/arachni/browser.rb +52 -3
- data/lib/arachni/browser/javascript.rb +3 -3
- data/lib/arachni/browser/javascript/scripts/taint_tracer.js +46 -25
- data/lib/arachni/browser_cluster.rb +61 -0
- data/lib/arachni/browser_cluster/job.rb +21 -1
- data/lib/arachni/browser_cluster/jobs/browser_provider.rb +3 -1
- data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +2 -1
- data/lib/arachni/browser_cluster/jobs/resource_exploration/event_trigger.rb +2 -1
- data/lib/arachni/browser_cluster/jobs/taint_trace.rb +3 -2
- data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +1 -1
- data/lib/arachni/browser_cluster/worker.rb +5 -0
- data/lib/arachni/check/auditor.rb +22 -12
- data/lib/arachni/data/framework.rb +13 -1
- data/lib/arachni/data/issues.rb +9 -25
- data/lib/arachni/element/base.rb +9 -3
- data/lib/arachni/element/capabilities/analyzable.rb +2 -6
- data/lib/arachni/element/capabilities/analyzable/differential.rb +24 -7
- data/lib/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +23 -23
- data/lib/arachni/element/capabilities/auditable.rb +0 -6
- data/lib/arachni/element/capabilities/dom_only.rb +61 -0
- data/lib/arachni/element/capabilities/with_dom.rb +3 -1
- data/lib/arachni/element/cookie.rb +35 -5
- data/lib/arachni/element/cookie/dom.rb +13 -4
- data/lib/arachni/element/{capabilities/auditable/dom.rb → dom.rb} +20 -68
- data/lib/arachni/element/dom/capabilities/auditable.rb +29 -0
- data/lib/arachni/element/dom/capabilities/inputtable.rb +27 -0
- data/lib/arachni/element/dom/capabilities/mutable.rb +21 -0
- data/lib/arachni/element/dom/capabilities/submittable.rb +52 -0
- data/lib/arachni/element/form.rb +12 -1
- data/lib/arachni/element/form/capabilities/mutable.rb +2 -1
- data/lib/arachni/element/form/capabilities/with_dom.rb +0 -1
- data/lib/arachni/element/form/dom.rb +9 -3
- data/lib/arachni/element/header.rb +14 -33
- data/lib/arachni/element/header/capabilities/inputtable.rb +29 -0
- data/lib/arachni/element/header/capabilities/mutable.rb +51 -0
- data/lib/arachni/element/input/dom.rb +71 -0
- data/lib/arachni/element/json.rb +2 -0
- data/lib/arachni/element/link.rb +3 -0
- data/lib/arachni/element/link/capabilities/with_dom.rb +0 -1
- data/lib/arachni/element/link/dom.rb +16 -3
- data/lib/arachni/element/link/dom/capabilities/submittable.rb +29 -0
- data/lib/arachni/element/link_template.rb +3 -5
- data/lib/arachni/element/link_template/capabilities/inputtable.rb +5 -0
- data/lib/arachni/element/link_template/capabilities/with_dom.rb +0 -1
- data/lib/arachni/element/link_template/dom.rb +16 -3
- data/lib/arachni/element/link_template/dom/capabilities/submittable.rb +29 -0
- data/lib/arachni/element/server.rb +3 -5
- data/lib/arachni/element/ui_form.rb +106 -0
- data/lib/arachni/element/ui_form/dom.rb +107 -0
- data/lib/arachni/element/ui_input.rb +62 -0
- data/lib/arachni/element/xml.rb +2 -1
- data/lib/arachni/framework.rb +7 -5
- data/lib/arachni/framework/parts/audit.rb +0 -1
- data/lib/arachni/framework/parts/check.rb +1 -0
- data/lib/arachni/framework/parts/data.rb +4 -0
- data/lib/arachni/framework/parts/state.rb +0 -2
- data/lib/arachni/http/client.rb +17 -6
- data/lib/arachni/http/proxy_server.rb +52 -5
- data/lib/arachni/http/request.rb +1 -1
- data/lib/arachni/issue.rb +34 -179
- data/lib/arachni/issue/severity.rb +2 -0
- data/lib/arachni/option_groups/audit.rb +22 -2
- data/lib/arachni/option_groups/browser_cluster.rb +15 -0
- data/lib/arachni/page.rb +3 -2
- data/lib/arachni/parser.rb +24 -5
- data/lib/arachni/platform/manager.rb +1 -2
- data/lib/arachni/rpc/server/framework.rb +3 -4
- data/lib/arachni/rpc/server/framework/multi_instance.rb +2 -1
- data/lib/arachni/session.rb +1 -1
- data/lib/arachni/trainer.rb +4 -7
- data/lib/arachni/watir/element.rb +12 -1
- data/lib/version +1 -1
- data/spec/arachni/browser/element_locator_spec.rb +43 -43
- data/spec/arachni/browser/javascript/dom_monitor_spec.rb +44 -44
- data/spec/arachni/browser/javascript/proxy/stub_spec.rb +17 -14
- data/spec/arachni/browser/javascript/proxy_spec.rb +24 -24
- data/spec/arachni/browser/javascript/taint_tracer/frame/called_function_spec.rb +11 -11
- data/spec/arachni/browser/javascript/taint_tracer/frame_spec.rb +7 -7
- data/spec/arachni/browser/javascript/taint_tracer/sink/data_flow_spec.rb +13 -13
- data/spec/arachni/browser/javascript/taint_tracer/sink/execution_flow_spec.rb +7 -7
- data/spec/arachni/browser/javascript/taint_tracer_spec.rb +568 -558
- data/spec/arachni/browser/javascript_spec.rb +73 -63
- data/spec/arachni/browser_cluster/job/result_spec.rb +3 -3
- data/spec/arachni/browser_cluster/job_spec.rb +68 -48
- data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger/result_spec.rb +2 -2
- data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger_spec.rb +5 -4
- data/spec/arachni/browser_cluster/jobs/resource_exploration/result_spec.rb +2 -2
- data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +5 -5
- data/spec/arachni/browser_cluster/worker_spec.rb +87 -70
- data/spec/arachni/browser_cluster_spec.rb +64 -39
- data/spec/arachni/browser_spec.rb +692 -527
- data/spec/arachni/check/auditor_spec.rb +177 -147
- data/spec/arachni/check/base_spec.rb +33 -33
- data/spec/arachni/check/manager_spec.rb +15 -15
- data/spec/arachni/component/base_spec.rb +8 -8
- data/spec/arachni/component/manager_spec.rb +100 -99
- data/spec/arachni/component/options/address_spec.rb +3 -3
- data/spec/arachni/component/options/base_spec.rb +7 -7
- data/spec/arachni/component/options/bool_spec.rb +9 -9
- data/spec/arachni/component/options/float_spec.rb +6 -6
- data/spec/arachni/component/options/int_spec.rb +5 -5
- data/spec/arachni/component/options/multiple_choice_spec.rb +12 -12
- data/spec/arachni/component/options/object_spec.rb +2 -2
- data/spec/arachni/component/options/path_spec.rb +3 -3
- data/spec/arachni/component/options/port_spec.rb +5 -5
- data/spec/arachni/component/options/string_spec.rb +3 -3
- data/spec/arachni/component/options/url_spec.rb +4 -4
- data/spec/arachni/component/utilities_spec.rb +2 -2
- data/spec/arachni/data/framework/rpc_spec.rb +10 -9
- data/spec/arachni/data/framework_spec.rb +65 -46
- data/spec/arachni/data/issues_spec.rb +39 -77
- data/spec/arachni/data/plugins_spec.rb +11 -11
- data/spec/arachni/data/session_spec.rb +6 -6
- data/spec/arachni/data_spec.rb +8 -8
- data/spec/arachni/element/body_spec.rb +10 -10
- data/spec/arachni/element/capabilities/analyzable/differential_spec.rb +39 -21
- data/spec/arachni/element/capabilities/analyzable/{taint_spec.rb → signature_spec.rb} +63 -63
- data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +51 -51
- data/spec/arachni/element/capabilities/with_scope/scope_spec.rb +5 -5
- data/spec/arachni/element/cookie/dom_spec.rb +37 -18
- data/spec/arachni/element/cookie_spec.rb +206 -139
- data/spec/arachni/element/form/dom_spec.rb +36 -19
- data/spec/arachni/element/form_spec.rb +210 -187
- data/spec/arachni/element/generic_dom_spec.rb +14 -14
- data/spec/arachni/element/header_spec.rb +35 -17
- data/spec/arachni/element/json_spec.rb +53 -31
- data/spec/arachni/element/link/dom_spec.rb +46 -28
- data/spec/arachni/element/link_spec.rb +58 -40
- data/spec/arachni/element/link_template/dom_spec.rb +47 -29
- data/spec/arachni/element/link_template_spec.rb +79 -61
- data/spec/arachni/element/path_spec.rb +1 -1
- data/spec/arachni/element/server_spec.rb +33 -32
- data/spec/arachni/element/ui_form/ui_form_dom_spec.rb +164 -0
- data/spec/arachni/element/ui_form_spec.rb +242 -0
- data/spec/arachni/element/ui_input/dom_spec.rb +157 -0
- data/spec/arachni/element/ui_input_spec.rb +136 -0
- data/spec/arachni/element/xml_spec.rb +42 -24
- data/spec/arachni/element_filter_spec.rb +49 -48
- data/spec/arachni/error_spec.rb +3 -3
- data/spec/arachni/framework/parts/audit_spec.rb +64 -63
- data/spec/arachni/framework/parts/browser_spec.rb +16 -16
- data/spec/arachni/framework/parts/check_spec.rb +3 -3
- data/spec/arachni/framework/parts/data_spec.rb +48 -48
- data/spec/arachni/framework/parts/platform_spec.rb +3 -3
- data/spec/arachni/framework/parts/plugin_spec.rb +7 -6
- data/spec/arachni/framework/parts/report_spec.rb +7 -7
- data/spec/arachni/framework/parts/scope_spec.rb +16 -16
- data/spec/arachni/framework/parts/state_spec.rb +68 -69
- data/spec/arachni/framework_spec.rb +39 -31
- data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +32 -32
- data/spec/arachni/http/client_spec.rb +219 -208
- data/spec/arachni/http/cookie_jar_spec.rb +72 -72
- data/spec/arachni/http/headers_spec.rb +14 -14
- data/spec/arachni/http/proxy_server_spec.rb +43 -42
- data/spec/arachni/http/request_spec.rb +105 -103
- data/spec/arachni/http/response/scope_spec.rb +24 -24
- data/spec/arachni/http/response_spec.rb +50 -49
- data/spec/arachni/issue/severity_spec.rb +10 -9
- data/spec/arachni/issue_spec.rb +71 -369
- data/spec/arachni/option_groups/audit_spec.rb +114 -114
- data/spec/arachni/option_groups/browser_cluster_spec.rb +20 -3
- data/spec/arachni/option_groups/datastore_spec.rb +6 -6
- data/spec/arachni/option_groups/dispatcher_spec.rb +19 -19
- data/spec/arachni/option_groups/http_spec.rb +11 -11
- data/spec/arachni/option_groups/input_spec.rb +31 -27
- data/spec/arachni/option_groups/output_spec.rb +2 -2
- data/spec/arachni/option_groups/paths_spec.rb +17 -17
- data/spec/arachni/option_groups/rpc_spec.rb +2 -2
- data/spec/arachni/option_groups/scope_spec.rb +40 -40
- data/spec/arachni/option_groups/session_spec.rb +6 -5
- data/spec/arachni/option_groups/snapshot_spec.rb +4 -4
- data/spec/arachni/options_spec.rb +46 -45
- data/spec/arachni/page/dom/transition_spec.rb +74 -72
- data/spec/arachni/page/dom_spec.rb +35 -35
- data/spec/arachni/page/scope_spec.rb +15 -15
- data/spec/arachni/page_spec.rb +217 -217
- data/spec/arachni/parser_spec.rb +106 -104
- data/spec/arachni/platform/fingerprinter_spec.rb +17 -14
- data/spec/arachni/platform/list_spec.rb +33 -33
- data/spec/arachni/platform/manager_spec.rb +67 -64
- data/spec/arachni/plugin/base_spec.rb +10 -10
- data/spec/arachni/plugin/manager_spec.rb +38 -37
- data/spec/arachni/report_spec.rb +43 -40
- data/spec/arachni/reporter/base_spec.rb +15 -15
- data/spec/arachni/reporter/manager_spec.rb +4 -4
- data/spec/arachni/reporter/options_spec.rb +6 -6
- data/spec/arachni/rpc/client/base_spec.rb +6 -6
- data/spec/arachni/rpc/client/dispatcher_spec.rb +2 -2
- data/spec/arachni/rpc/client/instance_spec.rb +6 -6
- data/spec/arachni/rpc/server/active_options_spec.rb +11 -8
- data/spec/arachni/rpc/server/base_spec.rb +5 -5
- data/spec/arachni/rpc/server/checks/manager_spec.rb +8 -8
- data/spec/arachni/rpc/server/dispatcher/node_spec.rb +37 -37
- data/spec/arachni/rpc/server/dispatcher/service_spec.rb +15 -14
- data/spec/arachni/rpc/server/dispatcher_spec.rb +36 -35
- data/spec/arachni/rpc/server/framework/distributor_spec.rb +36 -36
- data/spec/arachni/rpc/server/framework_multi_spec.rb +340 -336
- data/spec/arachni/rpc/server/framework_spec.rb +90 -85
- data/spec/arachni/rpc/server/instance_spec.rb +126 -107
- data/spec/arachni/rpc/server/output_spec.rb +1 -1
- data/spec/arachni/rpc/server/plugin/manager_spec.rb +6 -6
- data/spec/arachni/ruby/array_spec.rb +42 -42
- data/spec/arachni/ruby/hash_spec.rb +20 -18
- data/spec/arachni/ruby/io_spec.rb +2 -2
- data/spec/arachni/ruby/object_spec.rb +1 -1
- data/spec/arachni/ruby/set_spec.rb +3 -3
- data/spec/arachni/ruby/string_spec.rb +30 -30
- data/spec/arachni/ruby/webrick_spec.rb +2 -2
- data/spec/arachni/scope_spec.rb +1 -1
- data/spec/arachni/session_spec.rb +67 -64
- data/spec/arachni/snapshot_spec.rb +15 -15
- data/spec/arachni/state/audit_spec.rb +11 -11
- data/spec/arachni/state/element_filter_spec.rb +6 -6
- data/spec/arachni/state/framework/rpc_spec.rb +12 -12
- data/spec/arachni/state/framework_spec.rb +125 -121
- data/spec/arachni/state/http_spec.rb +7 -7
- data/spec/arachni/state/options_spec.rb +7 -7
- data/spec/arachni/state/plugins_spec.rb +8 -8
- data/spec/arachni/state_spec.rb +10 -10
- data/spec/arachni/support/buffer/autoflush_spec.rb +16 -16
- data/spec/arachni/support/buffer/base_spec.rb +39 -39
- data/spec/arachni/support/cache/least_cost_replacement_spec.rb +18 -18
- data/spec/arachni/support/cache/least_recently_pushed_spec.rb +24 -24
- data/spec/arachni/support/cache/least_recently_used_spec.rb +20 -20
- data/spec/arachni/support/cache/preference_spec.rb +4 -4
- data/spec/arachni/support/cache/random_replacement_spec.rb +8 -8
- data/spec/arachni/support/crypto/rsa_aes_cbc_spec.rb +1 -1
- data/spec/arachni/support/database/hash_spec.rb +44 -43
- data/spec/arachni/support/database/queue_spec.rb +27 -27
- data/spec/arachni/support/lookup/hash_set_spec.rb +8 -8
- data/spec/arachni/support/lookup/moolb_spec.rb +3 -3
- data/spec/arachni/support/mixins/observable_spec.rb +6 -6
- data/spec/arachni/support/signature_spec.rb +19 -19
- data/spec/arachni/trainer_spec.rb +39 -39
- data/spec/arachni/typhoeus/hydra_spec.rb +2 -2
- data/spec/arachni/uri/scope_spec.rb +66 -66
- data/spec/arachni/uri_spec.rb +107 -105
- data/spec/arachni/utilities_spec.rb +40 -40
- data/spec/components/checks/active/csrf_spec.rb +8 -8
- data/spec/components/checks/active/no_sql_injection_spec.rb +1 -1
- data/spec/components/checks/active/sql_injection_spec.rb +16 -16
- data/spec/components/checks/active/trainer_spec.rb +4 -4
- data/spec/components/checks/active/unvalidated_redirect_dom_spec.rb +4 -2
- data/spec/components/checks/active/xpath_injection_spec.rb +1 -1
- data/spec/components/checks/active/xss_dom_script_context_spec.rb +51 -21
- data/spec/components/checks/active/xss_dom_spec.rb +46 -24
- data/spec/components/checks/passive/allowed_methods_spec.rb +1 -1
- data/spec/components/checks/passive/grep/cookie_set_for_parent_domain_spec.rb +1 -1
- data/spec/components/checks/passive/grep/hsts_spec.rb +2 -2
- data/spec/components/checks/passive/grep/http_only_cookies_spec.rb +1 -1
- data/spec/components/checks/passive/grep/insecure_cookies_spec.rb +1 -1
- data/spec/components/checks/passive/grep/insecure_cors_policy_spec.rb +2 -2
- data/spec/components/checks/passive/grep/password_autocomplete_spec.rb +1 -1
- data/spec/components/checks/passive/grep/private_ip_spec.rb +3 -3
- data/spec/components/checks/passive/grep/unencrypted_password_forms_spec.rb +1 -1
- data/spec/components/checks/passive/grep/x_frame_options_spec.rb +2 -2
- data/spec/components/checks/passive/interesting_responses_spec.rb +2 -2
- data/spec/components/checks/passive/webdav_spec.rb +1 -1
- data/spec/components/checks/passive/xst_spec.rb +1 -1
- data/spec/components/fingerprinters/servers/apache_spec.rb +2 -2
- data/spec/components/path_extractors/comments_spec.rb +5 -1
- data/spec/components/path_extractors/scripts_spec.rb +5 -2
- data/spec/components/plugins/autologin_spec.rb +22 -22
- data/spec/components/plugins/autothrottle_spec.rb +6 -5
- data/spec/components/plugins/content_types_spec.rb +4 -4
- data/spec/components/plugins/cookie_collector_spec.rb +5 -5
- data/spec/components/plugins/exec_spec.rb +12 -12
- data/spec/components/plugins/form_dicattack_spec.rb +3 -3
- data/spec/components/plugins/headers_collector_spec.rb +8 -8
- data/spec/components/plugins/healthmap_spec.rb +3 -3
- data/spec/components/plugins/http_dicattack_spec.rb +3 -3
- data/spec/components/plugins/login_script_spec.rb +79 -22
- data/spec/components/plugins/meta/remedies/discovery_spec.rb +3 -2
- data/spec/components/plugins/meta/remedies/timing_attacks_spec.rb +3 -3
- data/spec/components/plugins/meta/uniformity_spec.rb +2 -2
- data/spec/components/plugins/restrict_to_dom_state_spec.rb +1 -1
- data/spec/components/plugins/script_spec.rb +1 -1
- data/spec/components/plugins/uncommon_headers_spec.rb +2 -2
- data/spec/components/plugins/vector_collector_spec.rb +2 -2
- data/spec/components/plugins/vector_feed_spec.rb +40 -40
- data/spec/components/plugins/waf_detector_spec.rb +6 -6
- data/spec/components/reporters/json_spec.rb +4 -4
- data/spec/components/reporters/marshal_spec.rb +2 -2
- data/spec/components/reporters/yaml_spec.rb +3 -2
- data/spec/external/wavsep/active/sqli_spec.rb +1 -3
- data/spec/spec_helper.rb +4 -0
- data/spec/support/factories/element/ui_form.rb +14 -0
- data/spec/support/factories/element/ui_input.rb +13 -0
- data/spec/support/factories/issue.rb +0 -13
- data/spec/support/fixtures/report.afr +0 -0
- data/spec/support/fixtures/{taint_check/taint.rb → signature_check/signature.rb} +2 -2
- data/spec/support/helpers/browser_cluster/jobs/taint_tracer.rb +11 -11
- data/spec/support/helpers/framework.rb +1 -1
- data/spec/support/helpers/pages.rb +2 -2
- data/spec/support/servers/arachni/browser.rb +139 -0
- data/spec/support/servers/arachni/browser/javascript/taint_tracer.rb +40 -0
- data/spec/support/servers/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +0 -0
- data/spec/support/servers/arachni/element/input/input_dom.rb +102 -0
- data/spec/support/servers/arachni/element/ui_form/ui_form_dom.rb +238 -0
- data/spec/support/servers/checks/active/trainer_check.rb +7 -7
- data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +22 -6
- data/spec/support/servers/checks/active/xss_dom.rb +50 -0
- data/spec/support/servers/checks/active/xss_dom_script_context.rb +53 -0
- data/spec/support/shared/browser/javascript/taint_tracer/sink/base.rb +6 -6
- data/spec/support/shared/check.rb +10 -12
- data/spec/support/shared/component/options/base.rb +24 -24
- data/spec/support/shared/element/base.rb +25 -25
- data/spec/support/shared/element/capabilities/auditable.rb +116 -140
- data/spec/support/shared/element/capabilities/dom_only.rb +65 -0
- data/spec/support/shared/element/capabilities/inputtable.rb +71 -86
- data/spec/support/shared/element/capabilities/mutable.rb +122 -111
- data/spec/support/shared/element/capabilities/refreshable.rb +10 -10
- data/spec/support/shared/element/capabilities/{submitable.rb → submittable.rb} +26 -26
- data/spec/support/shared/element/capabilities/with_auditor.rb +10 -10
- data/spec/support/shared/element/capabilities/with_dom.rb +8 -8
- data/spec/support/shared/element/capabilities/with_node.rb +4 -6
- data/spec/support/shared/element/capabilities/with_scope.rb +2 -2
- data/spec/support/shared/element/capabilities/with_source.rb +6 -8
- data/spec/support/shared/element/dom.rb +144 -0
- data/spec/support/shared/element/dom/auditable.rb +42 -0
- data/spec/support/shared/element/dom/inputtable.rb +5 -0
- data/spec/support/shared/element/dom/mutable.rb +3 -0
- data/spec/support/shared/element/dom/submittable.rb +119 -0
- data/spec/support/shared/external/wavsep.rb +3 -3
- data/spec/support/shared/fingerprinter.rb +2 -2
- data/spec/support/shared/framework.rb +1 -1
- data/spec/support/shared/http/message.rb +9 -9
- data/spec/support/shared/option_group.rb +17 -17
- data/spec/support/shared/path_extractor.rb +1 -1
- data/spec/support/shared/plugin.rb +2 -2
- data/spec/support/shared/support/cache.rb +57 -57
- data/spec/support/shared/support/lookup.rb +25 -25
- data/ui/cli/framework.rb +22 -11
- data/ui/cli/framework/option_parser.rb +15 -0
- data/ui/cli/option_parser.rb +8 -1
- data/ui/cli/output.rb +2 -1
- metadata +54 -20
- data/components/checks/active/xss_dom_inputs.rb +0 -236
- data/spec/components/checks/active/xss_dom_inputs_spec.rb +0 -30
- data/spec/support/servers/checks/active/xss_dom_inputs.rb +0 -59
- data/spec/support/shared/element/capabilities/auditable/dom.rb +0 -322
|
@@ -75,7 +75,8 @@ describe Arachni::Check::Auditor do
|
|
|
75
75
|
Arachni::Element::Cookie, Arachni::Element::Cookie::DOM,
|
|
76
76
|
Arachni::Element::Header, Arachni::Element::LinkTemplate,
|
|
77
77
|
Arachni::Element::LinkTemplate::DOM, Arachni::Element::JSON,
|
|
78
|
-
Arachni::Element::XML
|
|
78
|
+
Arachni::Element::XML, Arachni::Element::UIInput, Arachni::Element::UIInput::DOM,
|
|
79
|
+
Arachni::Element::UIForm, Arachni::Element::UIForm::DOM
|
|
79
80
|
]
|
|
80
81
|
|
|
81
82
|
let(:auditor) { AuditorTest.new( @framework ) }
|
|
@@ -86,28 +87,28 @@ describe Arachni::Check::Auditor do
|
|
|
86
87
|
|
|
87
88
|
describe '.has_timeout_candidates?' do
|
|
88
89
|
it "delegates to #{Arachni::Element::Capabilities::Analyzable}.has_timeout_candidates?" do
|
|
89
|
-
Arachni::Element::Capabilities::Analyzable.
|
|
90
|
+
expect(Arachni::Element::Capabilities::Analyzable).to receive(:has_timeout_candidates?)
|
|
90
91
|
described_class.has_timeout_candidates?
|
|
91
92
|
end
|
|
92
93
|
end
|
|
93
94
|
|
|
94
95
|
describe '.timeout_audit_run' do
|
|
95
96
|
it "delegates to #{Arachni::Element::Capabilities::Analyzable}.timeout_audit_run" do
|
|
96
|
-
Arachni::Element::Capabilities::Analyzable.
|
|
97
|
+
expect(Arachni::Element::Capabilities::Analyzable).to receive(:timeout_audit_run)
|
|
97
98
|
described_class.timeout_audit_run
|
|
98
99
|
end
|
|
99
100
|
end
|
|
100
101
|
|
|
101
102
|
describe '#preferred' do
|
|
102
103
|
it 'returns an empty array' do
|
|
103
|
-
subject.preferred.
|
|
104
|
+
expect(subject.preferred).to eq([])
|
|
104
105
|
end
|
|
105
106
|
end
|
|
106
107
|
|
|
107
108
|
describe '#max_issues' do
|
|
108
109
|
it 'returns the maximum amount of issues the auditor is allowed to log' do
|
|
109
110
|
subject.class.info[:max_issues] = 1
|
|
110
|
-
subject.max_issues.
|
|
111
|
+
expect(subject.max_issues).to eq(1)
|
|
111
112
|
end
|
|
112
113
|
end
|
|
113
114
|
|
|
@@ -115,20 +116,20 @@ describe Arachni::Check::Auditor do
|
|
|
115
116
|
it 'increments the issue counter' do
|
|
116
117
|
i = subject.class.issue_counter
|
|
117
118
|
subject.increment_issue_counter
|
|
118
|
-
subject.class.issue_counter.
|
|
119
|
+
expect(subject.class.issue_counter).to eq(i + 1)
|
|
119
120
|
end
|
|
120
121
|
end
|
|
121
122
|
|
|
122
123
|
describe '#issue_limit_reached?' do
|
|
123
124
|
it 'returns false' do
|
|
124
|
-
subject.issue_limit_reached
|
|
125
|
+
expect(subject.issue_limit_reached?).to be_falsey
|
|
125
126
|
end
|
|
126
127
|
|
|
127
128
|
context 'when the issue counter reaches the limit' do
|
|
128
129
|
it 'returns true' do
|
|
129
130
|
subject.class.info[:max_issues] = 1
|
|
130
131
|
subject.increment_issue_counter
|
|
131
|
-
subject.issue_limit_reached
|
|
132
|
+
expect(subject.issue_limit_reached?).to be_truthy
|
|
132
133
|
end
|
|
133
134
|
end
|
|
134
135
|
end
|
|
@@ -136,7 +137,7 @@ describe Arachni::Check::Auditor do
|
|
|
136
137
|
describe '#audited' do
|
|
137
138
|
it 'marks the given task as audited' do
|
|
138
139
|
subject.audited 'stuff'
|
|
139
|
-
subject.audited?( 'stuff' ).
|
|
140
|
+
expect(subject.audited?( 'stuff' )).to be_truthy
|
|
140
141
|
end
|
|
141
142
|
end
|
|
142
143
|
|
|
@@ -144,19 +145,19 @@ describe Arachni::Check::Auditor do
|
|
|
144
145
|
context 'when elements have been provided' do
|
|
145
146
|
it 'restricts the check' do
|
|
146
147
|
page = Arachni::Page.from_data( url: url, body: 'stuff' )
|
|
147
|
-
page.
|
|
148
|
+
allow(page).to receive(:has_script?) { true }
|
|
148
149
|
auditor.class.info[:elements] =
|
|
149
150
|
element_classes + [Arachni::Element::Body, Arachni::Element::GenericDOM]
|
|
150
151
|
|
|
151
|
-
auditor.class.check?( page, Arachni::Element::GenericDOM ).
|
|
152
|
-
auditor.class.check?( page, Arachni::Element::Body ).
|
|
152
|
+
expect(auditor.class.check?( page, Arachni::Element::GenericDOM )).to be_truthy
|
|
153
|
+
expect(auditor.class.check?( page, Arachni::Element::Body )).to be_truthy
|
|
153
154
|
|
|
154
155
|
element_classes.each do |element|
|
|
155
|
-
auditor.class.check?( page, element ).
|
|
156
|
+
expect(auditor.class.check?( page, element )).to be_falsey
|
|
156
157
|
end
|
|
157
158
|
|
|
158
|
-
auditor.class.check?( page, element_classes ).
|
|
159
|
-
auditor.class.check?( page, element_classes + [Arachni::Element::Body] ).
|
|
159
|
+
expect(auditor.class.check?( page, element_classes )).to be_falsey
|
|
160
|
+
expect(auditor.class.check?( page, element_classes + [Arachni::Element::Body] )).to be_truthy
|
|
160
161
|
end
|
|
161
162
|
end
|
|
162
163
|
|
|
@@ -166,14 +167,14 @@ describe Arachni::Check::Auditor do
|
|
|
166
167
|
context 'and page with a non-empty body' do
|
|
167
168
|
it 'returns true' do
|
|
168
169
|
p = Arachni::Page.from_data( url: url, body: 'stuff' )
|
|
169
|
-
auditor.class.check?( p ).
|
|
170
|
+
expect(auditor.class.check?( p )).to be_truthy
|
|
170
171
|
end
|
|
171
172
|
end
|
|
172
173
|
|
|
173
174
|
context 'and page with an empty body' do
|
|
174
175
|
it 'returns false' do
|
|
175
176
|
p = Arachni::Page.from_data( url: url, body: '' )
|
|
176
|
-
auditor.class.check?( p ).
|
|
177
|
+
expect(auditor.class.check?( p )).to be_falsey
|
|
177
178
|
end
|
|
178
179
|
end
|
|
179
180
|
end
|
|
@@ -185,15 +186,15 @@ describe Arachni::Check::Auditor do
|
|
|
185
186
|
context 'and Page#has_script? is' do
|
|
186
187
|
context true do
|
|
187
188
|
it 'returns true' do
|
|
188
|
-
page.
|
|
189
|
-
auditor.class.check?( page ).
|
|
189
|
+
allow(page).to receive(:has_script?) { true }
|
|
190
|
+
expect(auditor.class.check?( page )).to be_truthy
|
|
190
191
|
end
|
|
191
192
|
end
|
|
192
193
|
|
|
193
194
|
context false do
|
|
194
195
|
it 'returns false' do
|
|
195
|
-
page.
|
|
196
|
-
auditor.class.check?( page ).
|
|
196
|
+
allow(page).to receive(:has_script?) { false }
|
|
197
|
+
expect(auditor.class.check?( page )).to be_falsey
|
|
197
198
|
end
|
|
198
199
|
end
|
|
199
200
|
end
|
|
@@ -206,8 +207,8 @@ describe Arachni::Check::Auditor do
|
|
|
206
207
|
url: url,
|
|
207
208
|
"#{element.type}s".gsub( '_dom', '').to_sym => [Factory[element.type]]
|
|
208
209
|
)
|
|
209
|
-
p.dom.
|
|
210
|
-
p.
|
|
210
|
+
allow(p.dom).to receive(:depth) { 1 }
|
|
211
|
+
allow(p).to receive(:has_script?) { true }
|
|
211
212
|
p
|
|
212
213
|
end
|
|
213
214
|
before(:each) { auditor.class.info[:elements] = [element] }
|
|
@@ -232,15 +233,15 @@ describe Arachni::Check::Auditor do
|
|
|
232
233
|
context 'and Page::DOM#depth is' do
|
|
233
234
|
context '0' do
|
|
234
235
|
it 'returns false' do
|
|
235
|
-
page.dom.
|
|
236
|
-
auditor.class.check?( page ).
|
|
236
|
+
allow(page.dom).to receive(:depth) { 0 }
|
|
237
|
+
expect(auditor.class.check?( page )).to be_falsey
|
|
237
238
|
end
|
|
238
239
|
end
|
|
239
240
|
|
|
240
241
|
context '> 0' do
|
|
241
242
|
it 'returns true' do
|
|
242
|
-
page.dom.
|
|
243
|
-
auditor.class.check?( page ).
|
|
243
|
+
allow(page.dom).to receive(:depth) { 1 }
|
|
244
|
+
expect(auditor.class.check?( page )).to be_truthy
|
|
244
245
|
end
|
|
245
246
|
end
|
|
246
247
|
end
|
|
@@ -248,22 +249,26 @@ describe Arachni::Check::Auditor do
|
|
|
248
249
|
context 'and Page#has_script? is' do
|
|
249
250
|
context true do
|
|
250
251
|
it 'returns true' do
|
|
251
|
-
page.
|
|
252
|
-
auditor.class.check?( page ).
|
|
252
|
+
allow(page).to receive(:has_script?) { true }
|
|
253
|
+
expect(auditor.class.check?( page )).to be_truthy
|
|
253
254
|
end
|
|
254
255
|
end
|
|
255
256
|
|
|
256
257
|
context false do
|
|
257
258
|
it 'returns false' do
|
|
258
|
-
page.
|
|
259
|
-
auditor.class.check?( page ).
|
|
259
|
+
allow(page).to receive(:has_script?) { false }
|
|
260
|
+
expect(auditor.class.check?( page )).to be_falsey
|
|
260
261
|
end
|
|
261
262
|
end
|
|
262
263
|
end
|
|
263
|
-
|
|
264
|
+
elsif element == Arachni::Element::UIInput ||
|
|
265
|
+
element == Arachni::Element::UIForm
|
|
266
|
+
it 'returns false' do
|
|
267
|
+
expect(auditor.class.check?( page )).to be_falsey
|
|
268
|
+
end
|
|
264
269
|
else
|
|
265
270
|
it 'returns true' do
|
|
266
|
-
auditor.class.check?( page ).
|
|
271
|
+
expect(auditor.class.check?( page )).to be_truthy
|
|
267
272
|
end
|
|
268
273
|
end
|
|
269
274
|
end
|
|
@@ -275,7 +280,13 @@ describe Arachni::Check::Auditor do
|
|
|
275
280
|
|
|
276
281
|
it 'returns true' do
|
|
277
282
|
auditor.class.info[:elements] = e
|
|
278
|
-
auditor.class.check?( page ).
|
|
283
|
+
expect(auditor.class.check?( page )).to be_truthy
|
|
284
|
+
end
|
|
285
|
+
|
|
286
|
+
elsif element == Arachni::Element::UIInput ||
|
|
287
|
+
element == Arachni::Element::UIForm
|
|
288
|
+
it 'returns false' do
|
|
289
|
+
expect(auditor.class.check?( page )).to be_falsey
|
|
279
290
|
end
|
|
280
291
|
|
|
281
292
|
elsif element == Arachni::Element::Cookie &&
|
|
@@ -284,17 +295,17 @@ describe Arachni::Check::Auditor do
|
|
|
284
295
|
context 'and Page#has_script? is' do
|
|
285
296
|
context true do
|
|
286
297
|
it 'returns true' do
|
|
287
|
-
page.
|
|
298
|
+
allow(page).to receive(:has_script?) { true }
|
|
288
299
|
auditor.class.info[:elements] = e
|
|
289
|
-
auditor.class.check?( page ).
|
|
300
|
+
expect(auditor.class.check?( page )).to be_truthy
|
|
290
301
|
end
|
|
291
302
|
end
|
|
292
303
|
|
|
293
304
|
context false do
|
|
294
305
|
it 'returns false' do
|
|
295
|
-
page.
|
|
306
|
+
allow(page).to receive(:has_script?) { false }
|
|
296
307
|
auditor.class.info[:elements] = e
|
|
297
|
-
auditor.class.check?( page ).
|
|
308
|
+
expect(auditor.class.check?( page )).to be_falsey
|
|
298
309
|
end
|
|
299
310
|
end
|
|
300
311
|
end
|
|
@@ -304,12 +315,12 @@ describe Arachni::Check::Auditor do
|
|
|
304
315
|
e == Arachni::Element::Form
|
|
305
316
|
it 'returns true' do
|
|
306
317
|
auditor.class.info[:elements] = e
|
|
307
|
-
auditor.class.check?( page ).
|
|
318
|
+
expect(auditor.class.check?( page )).to be_truthy
|
|
308
319
|
end
|
|
309
320
|
else
|
|
310
321
|
it 'returns false' do
|
|
311
322
|
auditor.class.info[:elements] = e
|
|
312
|
-
auditor.class.check?( page ).
|
|
323
|
+
expect(auditor.class.check?( page )).to be_falsey
|
|
313
324
|
end
|
|
314
325
|
end
|
|
315
326
|
end
|
|
@@ -320,7 +331,7 @@ describe Arachni::Check::Auditor do
|
|
|
320
331
|
context "and the check supports #{e ? e : 'everything'}" do
|
|
321
332
|
it 'returns true' do
|
|
322
333
|
auditor.class.info[:elements] = e
|
|
323
|
-
auditor.class.check?( page ).
|
|
334
|
+
expect(auditor.class.check?( page )).to be_truthy
|
|
324
335
|
end
|
|
325
336
|
end
|
|
326
337
|
end
|
|
@@ -333,7 +344,7 @@ describe Arachni::Check::Auditor do
|
|
|
333
344
|
context "and the page contains #{element}" do
|
|
334
345
|
context "and the check only supports #{element}" do
|
|
335
346
|
it 'returns false' do
|
|
336
|
-
auditor.class.check?( page ).
|
|
347
|
+
expect(auditor.class.check?( page )).to be_falsey
|
|
337
348
|
end
|
|
338
349
|
end
|
|
339
350
|
|
|
@@ -341,7 +352,7 @@ describe Arachni::Check::Auditor do
|
|
|
341
352
|
context "and the check supports #{e ? e : 'everything'}" do
|
|
342
353
|
it 'returns true' do
|
|
343
354
|
auditor.class.info[:elements] = e
|
|
344
|
-
auditor.class.check?( page ).
|
|
355
|
+
expect(auditor.class.check?( page )).to be_truthy
|
|
345
356
|
end
|
|
346
357
|
end
|
|
347
358
|
end
|
|
@@ -357,9 +368,9 @@ describe Arachni::Check::Auditor do
|
|
|
357
368
|
received = nil
|
|
358
369
|
b = proc {}
|
|
359
370
|
|
|
360
|
-
Arachni::Element::Server.
|
|
371
|
+
allow_any_instance_of(Arachni::Element::Server).to receive(:log_remote_file_if_exists) { |instance, args, &block| received = [args, block]}
|
|
361
372
|
|
|
362
|
-
subject.log_remote_file_if_exists( *sent, &b ).
|
|
373
|
+
expect(subject.log_remote_file_if_exists( *sent, &b )).to eq(received)
|
|
363
374
|
end
|
|
364
375
|
end
|
|
365
376
|
|
|
@@ -369,31 +380,31 @@ describe Arachni::Check::Auditor do
|
|
|
369
380
|
received = nil
|
|
370
381
|
b = proc {}
|
|
371
382
|
|
|
372
|
-
Arachni::Element::Body.
|
|
383
|
+
allow_any_instance_of(Arachni::Element::Body).to receive(:match_and_log) { |instance, args, &block| received = [args, block]}
|
|
373
384
|
|
|
374
|
-
subject.match_and_log( *sent, &b ).
|
|
385
|
+
expect(subject.match_and_log( *sent, &b )).to eq(received)
|
|
375
386
|
end
|
|
376
387
|
end
|
|
377
388
|
|
|
378
389
|
describe '#log_remote_file' do
|
|
379
390
|
let(:page) { Arachni::Page.from_url @url }
|
|
380
|
-
let(:issue) { Arachni::Data.issues.last
|
|
391
|
+
let(:issue) { Arachni::Data.issues.last }
|
|
381
392
|
let(:vector) { Arachni::Element::Server.new( page.url ) }
|
|
382
393
|
|
|
383
394
|
context 'given a' do
|
|
384
395
|
describe Arachni::Page do
|
|
385
396
|
it 'logs it' do
|
|
386
397
|
subject.log_remote_file( page )
|
|
387
|
-
issue.page.
|
|
388
|
-
issue.vector.
|
|
398
|
+
expect(issue.page).to eq(page)
|
|
399
|
+
expect(issue.vector).to eq(vector)
|
|
389
400
|
end
|
|
390
401
|
end
|
|
391
402
|
|
|
392
403
|
describe Arachni::HTTP::Response do
|
|
393
404
|
it "logs it as a #{Arachni::Page}" do
|
|
394
405
|
subject.log_remote_file( page.response )
|
|
395
|
-
issue.page.
|
|
396
|
-
issue.vector.
|
|
406
|
+
expect(issue.page).to eq(page)
|
|
407
|
+
expect(issue.vector).to eq(vector)
|
|
397
408
|
end
|
|
398
409
|
end
|
|
399
410
|
end
|
|
@@ -403,13 +414,16 @@ describe Arachni::Check::Auditor do
|
|
|
403
414
|
before(:each) do
|
|
404
415
|
Arachni::Options.audit.link_templates = /link-template\/input\/(?<input>.+)/
|
|
405
416
|
auditor.load_page_from "#{@url}each_candidate_element"
|
|
406
|
-
|
|
407
|
-
auditor.page.
|
|
417
|
+
|
|
418
|
+
auditor.page.jsons = [Factory[:json]]
|
|
419
|
+
auditor.page.xmls = [Factory[:xml]]
|
|
420
|
+
auditor.page.ui_inputs = [Factory[:ui_input]]
|
|
421
|
+
auditor.page.ui_forms = [Factory[:ui_form]]
|
|
408
422
|
end
|
|
409
423
|
|
|
410
424
|
it 'sets the auditor' do
|
|
411
425
|
auditor.each_candidate_element [ Arachni::Link ] do |element|
|
|
412
|
-
element.auditor.
|
|
426
|
+
expect(element.auditor).to eq(auditor)
|
|
413
427
|
end
|
|
414
428
|
end
|
|
415
429
|
|
|
@@ -420,8 +434,8 @@ describe Arachni::Check::Auditor do
|
|
|
420
434
|
elements << element
|
|
421
435
|
end
|
|
422
436
|
|
|
423
|
-
elements.
|
|
424
|
-
select { |e| e.inputs.any? }
|
|
437
|
+
expect(elements).to eq((auditor.page.links | auditor.page.headers).
|
|
438
|
+
select { |e| e.inputs.any? })
|
|
425
439
|
end
|
|
426
440
|
|
|
427
441
|
context 'and are not supported' do
|
|
@@ -441,23 +455,27 @@ describe Arachni::Check::Auditor do
|
|
|
441
455
|
elements << element
|
|
442
456
|
end
|
|
443
457
|
|
|
444
|
-
auditor.class.elements.
|
|
445
|
-
elements.
|
|
446
|
-
select { |e| e.inputs.any? }
|
|
458
|
+
expect(auditor.class.elements).to eq([Arachni::Link, Arachni::Form])
|
|
459
|
+
expect(elements).to eq((auditor.page.links | auditor.page.forms).
|
|
460
|
+
select { |e| e.inputs.any? })
|
|
447
461
|
end
|
|
448
462
|
|
|
449
463
|
context 'and no types are specified by the check' do
|
|
450
|
-
it 'provides all types of elements'do
|
|
464
|
+
it 'provides all types of elements but :inputs and :ui_forms'do
|
|
451
465
|
auditor.class.info[:elements].clear
|
|
452
466
|
|
|
467
|
+
expected_elements = Arachni::Page::ELEMENTS
|
|
468
|
+
expected_elements.delete :ui_inputs
|
|
469
|
+
expected_elements.delete :ui_forms
|
|
470
|
+
|
|
453
471
|
elements = []
|
|
454
472
|
auditor.each_candidate_element do |element|
|
|
455
473
|
elements << element
|
|
456
474
|
end
|
|
457
475
|
|
|
458
|
-
elements.map { |e| "#{e.type}s".to_sym }.uniq.
|
|
459
|
-
elements.
|
|
460
|
-
select { |e| e.inputs.any? }
|
|
476
|
+
expect(elements.map { |e| "#{e.type}s".to_sym }.uniq).to eq(Arachni::Page::ELEMENTS)
|
|
477
|
+
expect(elements).to eq((auditor.page.elements).
|
|
478
|
+
select { |e| e.inputs.any? })
|
|
461
479
|
end
|
|
462
480
|
end
|
|
463
481
|
end
|
|
@@ -467,13 +485,16 @@ describe Arachni::Check::Auditor do
|
|
|
467
485
|
before(:each) do
|
|
468
486
|
Arachni::Options.audit.link_templates = /dom-link-template\/input\/(?<input>.+)/
|
|
469
487
|
auditor.load_page_from "#{@url}each_candidate_dom_element"
|
|
488
|
+
|
|
489
|
+
auditor.page.ui_inputs = [Factory[:ui_input]]
|
|
490
|
+
auditor.page.ui_forms = [Factory[:ui_form]]
|
|
470
491
|
end
|
|
471
492
|
|
|
472
493
|
it 'sets the auditor' do
|
|
473
494
|
auditor.class.info[:elements].clear
|
|
474
495
|
|
|
475
496
|
auditor.each_candidate_dom_element do |element|
|
|
476
|
-
element.auditor.
|
|
497
|
+
expect(element.auditor).to eq(auditor)
|
|
477
498
|
end
|
|
478
499
|
end
|
|
479
500
|
|
|
@@ -484,8 +505,8 @@ describe Arachni::Check::Auditor do
|
|
|
484
505
|
elements << element
|
|
485
506
|
end
|
|
486
507
|
|
|
487
|
-
elements.
|
|
488
|
-
elements.
|
|
508
|
+
expect(elements).to be_any
|
|
509
|
+
expect(elements).to eq(auditor.page.links.select { |l| l.dom }.map(&:dom))
|
|
489
510
|
end
|
|
490
511
|
|
|
491
512
|
context 'and are not supported' do
|
|
@@ -499,14 +520,14 @@ describe Arachni::Check::Auditor do
|
|
|
499
520
|
context 'when types have not been provided' do
|
|
500
521
|
it 'provides the types of elements specified by the check' do
|
|
501
522
|
auditor.class.info[:elements] = [Arachni::Form::DOM]
|
|
502
|
-
auditor.class.elements.
|
|
523
|
+
expect(auditor.class.elements).to eq([Arachni::Form::DOM])
|
|
503
524
|
|
|
504
525
|
elements = []
|
|
505
526
|
auditor.each_candidate_dom_element do |element|
|
|
506
527
|
elements << element
|
|
507
528
|
end
|
|
508
529
|
|
|
509
|
-
elements.
|
|
530
|
+
expect(elements).to eq(auditor.page.forms.map(&:dom))
|
|
510
531
|
end
|
|
511
532
|
|
|
512
533
|
context 'and no types are specified by the check' do
|
|
@@ -518,10 +539,12 @@ describe Arachni::Check::Auditor do
|
|
|
518
539
|
elements << element
|
|
519
540
|
end
|
|
520
541
|
|
|
521
|
-
elements.
|
|
542
|
+
expect(elements).to eq(
|
|
522
543
|
(auditor.page.links.select { |l| l.dom } |
|
|
523
544
|
auditor.page.forms | auditor.page.cookies |
|
|
524
|
-
auditor.page.link_templates
|
|
545
|
+
auditor.page.link_templates | auditor.page.ui_inputs |
|
|
546
|
+
auditor.page.ui_forms).map(&:dom)
|
|
547
|
+
)
|
|
525
548
|
end
|
|
526
549
|
end
|
|
527
550
|
end
|
|
@@ -533,11 +556,11 @@ describe Arachni::Check::Auditor do
|
|
|
533
556
|
it 'passes it to the given block' do
|
|
534
557
|
worker = nil
|
|
535
558
|
|
|
536
|
-
auditor.with_browser_cluster do |cluster|
|
|
559
|
+
expect(auditor.with_browser_cluster do |cluster|
|
|
537
560
|
worker = cluster
|
|
538
|
-
end.
|
|
561
|
+
end).to be_truthy
|
|
539
562
|
|
|
540
|
-
worker.
|
|
563
|
+
expect(worker).to eq(@framework.browser_cluster)
|
|
541
564
|
end
|
|
542
565
|
end
|
|
543
566
|
end
|
|
@@ -549,12 +572,12 @@ describe Arachni::Check::Auditor do
|
|
|
549
572
|
it 'passes a BrowserCluster::Worker to the given block' do
|
|
550
573
|
worker = nil
|
|
551
574
|
|
|
552
|
-
auditor.with_browser do |browser|
|
|
575
|
+
expect(auditor.with_browser do |browser|
|
|
553
576
|
worker = browser
|
|
554
|
-
end.
|
|
577
|
+
end).to be_truthy
|
|
555
578
|
@framework.browser_cluster.wait
|
|
556
579
|
|
|
557
|
-
worker.
|
|
580
|
+
expect(worker).to be_kind_of Arachni::BrowserCluster::Worker
|
|
558
581
|
end
|
|
559
582
|
end
|
|
560
583
|
end
|
|
@@ -563,8 +586,8 @@ describe Arachni::Check::Auditor do
|
|
|
563
586
|
describe '#skip?' do
|
|
564
587
|
context 'when there is no Arachni::Page#element_audit_whitelist' do
|
|
565
588
|
it 'returns false' do
|
|
566
|
-
auditor.page.element_audit_whitelist.
|
|
567
|
-
auditor.skip?( auditor.page.elements.first ).
|
|
589
|
+
expect(auditor.page.element_audit_whitelist).to be_empty
|
|
590
|
+
expect(auditor.skip?( auditor.page.elements.first )).to be_falsey
|
|
568
591
|
end
|
|
569
592
|
end
|
|
570
593
|
|
|
@@ -572,14 +595,14 @@ describe Arachni::Check::Auditor do
|
|
|
572
595
|
context 'and the element is in it' do
|
|
573
596
|
it 'returns false' do
|
|
574
597
|
auditor.page.update_element_audit_whitelist auditor.page.elements.first
|
|
575
|
-
auditor.skip?( auditor.page.elements.first ).
|
|
598
|
+
expect(auditor.skip?( auditor.page.elements.first )).to be_falsey
|
|
576
599
|
end
|
|
577
600
|
end
|
|
578
601
|
|
|
579
602
|
context 'and the element is not in it' do
|
|
580
603
|
it 'returns true' do
|
|
581
604
|
auditor.page.update_element_audit_whitelist auditor.page.elements.first
|
|
582
|
-
auditor.skip?( auditor.page.elements.last ).
|
|
605
|
+
expect(auditor.skip?( auditor.page.elements.last )).to be_truthy
|
|
583
606
|
end
|
|
584
607
|
end
|
|
585
608
|
end
|
|
@@ -595,7 +618,12 @@ describe Arachni::Check::Auditor do
|
|
|
595
618
|
|
|
596
619
|
describe '#create_issue' do
|
|
597
620
|
it 'creates an issue' do
|
|
598
|
-
|
|
621
|
+
expect(
|
|
622
|
+
auditor.class.create_issue(
|
|
623
|
+
proof: issue.proof,
|
|
624
|
+
vector: issue.vector
|
|
625
|
+
)
|
|
626
|
+
).to eq(issue)
|
|
599
627
|
end
|
|
600
628
|
end
|
|
601
629
|
|
|
@@ -603,11 +631,11 @@ describe Arachni::Check::Auditor do
|
|
|
603
631
|
it 'logs an issue' do
|
|
604
632
|
auditor.log_issue( issue_data )
|
|
605
633
|
|
|
606
|
-
logged_issue = Arachni::Data.issues.
|
|
634
|
+
logged_issue = Arachni::Data.issues.first
|
|
607
635
|
|
|
608
|
-
logged_issue.to_h.tap do |h|
|
|
636
|
+
expect(logged_issue.to_h.tap do |h|
|
|
609
637
|
h[:page][:dom][:transitions].each { |t| t.delete :time }
|
|
610
|
-
end.
|
|
638
|
+
end).to eq issue.to_h.merge( referring_page: {
|
|
611
639
|
body: auditor.page.body,
|
|
612
640
|
dom: auditor.page.dom.to_h.tap do |h|
|
|
613
641
|
h.delete :skip_states
|
|
@@ -618,20 +646,20 @@ describe Arachni::Check::Auditor do
|
|
|
618
646
|
it 'assigns a #referring_page' do
|
|
619
647
|
auditor.log_issue( issue_data )
|
|
620
648
|
|
|
621
|
-
logged_issue = Arachni::Data.issues.
|
|
622
|
-
logged_issue.referring_page.
|
|
649
|
+
logged_issue = Arachni::Data.issues.first
|
|
650
|
+
expect(logged_issue.referring_page).to eq(auditor.page)
|
|
623
651
|
end
|
|
624
652
|
|
|
625
653
|
it 'returns the issue' do
|
|
626
|
-
auditor.log_issue( issue_data ).
|
|
654
|
+
expect(auditor.log_issue( issue_data )).to be_kind_of Arachni::Issue
|
|
627
655
|
end
|
|
628
656
|
|
|
629
657
|
context 'when #issue_limit_reached?' do
|
|
630
658
|
it 'does not log the issue' do
|
|
631
|
-
subject.
|
|
659
|
+
allow(subject).to receive(:issue_limit_reached?) { true }
|
|
632
660
|
|
|
633
|
-
auditor.log_issue( issue_data ).
|
|
634
|
-
Arachni::Data.issues.
|
|
661
|
+
expect(auditor.log_issue( issue_data )).to be_falsey
|
|
662
|
+
expect(Arachni::Data.issues).to be_empty
|
|
635
663
|
end
|
|
636
664
|
end
|
|
637
665
|
end
|
|
@@ -640,12 +668,12 @@ describe Arachni::Check::Auditor do
|
|
|
640
668
|
it 'preserves the given remarks' do
|
|
641
669
|
auditor.log( issue_data )
|
|
642
670
|
|
|
643
|
-
logged_issue = Arachni::Data.issues.
|
|
644
|
-
logged_issue.remarks.first.
|
|
671
|
+
logged_issue = Arachni::Data.issues.first
|
|
672
|
+
expect(logged_issue.remarks.first).to be_any
|
|
645
673
|
end
|
|
646
674
|
|
|
647
675
|
it 'returns the issue' do
|
|
648
|
-
auditor.log( issue_data ).
|
|
676
|
+
expect(auditor.log( issue_data )).to be_kind_of Arachni::Issue
|
|
649
677
|
end
|
|
650
678
|
|
|
651
679
|
context 'when given a page' do
|
|
@@ -653,14 +681,16 @@ describe Arachni::Check::Auditor do
|
|
|
653
681
|
|
|
654
682
|
it 'includes response data' do
|
|
655
683
|
auditor.log( issue_data )
|
|
656
|
-
Arachni::Data.issues.
|
|
684
|
+
expect(Arachni::Data.issues.first.response).to eq(
|
|
657
685
|
issue_data[:page].response
|
|
686
|
+
)
|
|
658
687
|
end
|
|
659
688
|
|
|
660
689
|
it 'includes request data' do
|
|
661
690
|
auditor.log( issue_data )
|
|
662
|
-
Arachni::Data.issues.
|
|
691
|
+
expect(Arachni::Data.issues.first.request).to eq(
|
|
663
692
|
issue_data[:page].request
|
|
693
|
+
)
|
|
664
694
|
end
|
|
665
695
|
end
|
|
666
696
|
|
|
@@ -669,10 +699,10 @@ describe Arachni::Check::Auditor do
|
|
|
669
699
|
issue_data.delete(:page)
|
|
670
700
|
auditor.log( issue_data )
|
|
671
701
|
|
|
672
|
-
issue = Arachni::Data.issues.
|
|
673
|
-
issue.page.body.
|
|
674
|
-
issue.response.
|
|
675
|
-
issue.request.
|
|
702
|
+
issue = Arachni::Data.issues.first
|
|
703
|
+
expect(issue.page.body).to eq(auditor.page.body)
|
|
704
|
+
expect(issue.response).to eq(auditor.page.response)
|
|
705
|
+
expect(issue.request).to eq(auditor.page.request)
|
|
676
706
|
end
|
|
677
707
|
end
|
|
678
708
|
end
|
|
@@ -690,7 +720,7 @@ describe Arachni::Check::Auditor do
|
|
|
690
720
|
auditor.load_page_from( @url + '/link' )
|
|
691
721
|
auditor.audit( @seed )
|
|
692
722
|
@framework.http.run
|
|
693
|
-
Arachni::Data.issues.size.
|
|
723
|
+
expect(Arachni::Data.issues.size).to eq(1)
|
|
694
724
|
end
|
|
695
725
|
end
|
|
696
726
|
|
|
@@ -699,10 +729,10 @@ describe Arachni::Check::Auditor do
|
|
|
699
729
|
auditor.load_page_from( @url + '/link' )
|
|
700
730
|
auditor.audit( { unix: @seed }, substring: @seed )
|
|
701
731
|
@framework.http.run
|
|
702
|
-
Arachni::Data.issues.size.
|
|
703
|
-
issue = Arachni::Data.issues.
|
|
704
|
-
issue.platform_name.
|
|
705
|
-
issue.platform_type.
|
|
732
|
+
expect(Arachni::Data.issues.size).to eq(1)
|
|
733
|
+
issue = Arachni::Data.issues.first
|
|
734
|
+
expect(issue.platform_name).to eq(:unix)
|
|
735
|
+
expect(issue.platform_type).to eq(:os)
|
|
706
736
|
end
|
|
707
737
|
end
|
|
708
738
|
|
|
@@ -721,13 +751,13 @@ describe Arachni::Check::Auditor do
|
|
|
721
751
|
end
|
|
722
752
|
|
|
723
753
|
auditor.audit( @seed ){}
|
|
724
|
-
$audit_called.
|
|
754
|
+
expect($audit_called).to eq(auditor.page.elements.map(&:class))
|
|
725
755
|
end
|
|
726
756
|
end
|
|
727
757
|
|
|
728
758
|
context 'when called without a block' do
|
|
729
|
-
it 'delegates to #
|
|
730
|
-
auditor.
|
|
759
|
+
it 'delegates to #audit_signature' do
|
|
760
|
+
expect(auditor).to receive(:audit_signature).with( @seed, described_class::OPTIONS )
|
|
731
761
|
auditor.audit( @seed )
|
|
732
762
|
end
|
|
733
763
|
end
|
|
@@ -744,10 +774,10 @@ describe Arachni::Check::Auditor do
|
|
|
744
774
|
elements: [ Arachni::Element::Link ]
|
|
745
775
|
)
|
|
746
776
|
@framework.http.run
|
|
747
|
-
Arachni::Data.issues.size.
|
|
748
|
-
issue = Arachni::Data.issues.
|
|
749
|
-
issue.vector.class.
|
|
750
|
-
issue.vector.affected_input_name.
|
|
777
|
+
expect(Arachni::Data.issues.size).to eq(1)
|
|
778
|
+
issue = Arachni::Data.issues.first
|
|
779
|
+
expect(issue.vector.class).to eq(Arachni::Element::Link)
|
|
780
|
+
expect(issue.vector.affected_input_name).to eq('link_input')
|
|
751
781
|
end
|
|
752
782
|
end
|
|
753
783
|
describe 'Arachni::Element::Form' do
|
|
@@ -757,10 +787,10 @@ describe Arachni::Check::Auditor do
|
|
|
757
787
|
elements: [ Arachni::Element::Form ]
|
|
758
788
|
)
|
|
759
789
|
@framework.http.run
|
|
760
|
-
Arachni::Data.issues.size.
|
|
761
|
-
issue = Arachni::Data.issues.
|
|
762
|
-
issue.vector.class.
|
|
763
|
-
issue.vector.affected_input_name.
|
|
790
|
+
expect(Arachni::Data.issues.size).to eq(1)
|
|
791
|
+
issue = Arachni::Data.issues.first
|
|
792
|
+
expect(issue.vector.class).to eq(Arachni::Element::Form)
|
|
793
|
+
expect(issue.vector.affected_input_name).to eq('form_input')
|
|
764
794
|
end
|
|
765
795
|
end
|
|
766
796
|
describe 'Arachni::Element::Cookie' do
|
|
@@ -770,10 +800,10 @@ describe Arachni::Check::Auditor do
|
|
|
770
800
|
elements: [ Arachni::Element::Cookie ]
|
|
771
801
|
)
|
|
772
802
|
@framework.http.run
|
|
773
|
-
Arachni::Data.issues.size.
|
|
774
|
-
issue = Arachni::Data.issues.
|
|
775
|
-
issue.vector.class.
|
|
776
|
-
issue.vector.affected_input_name.
|
|
803
|
+
expect(Arachni::Data.issues.size).to eq(1)
|
|
804
|
+
issue = Arachni::Data.issues.first
|
|
805
|
+
expect(issue.vector.class).to eq(Arachni::Element::Cookie)
|
|
806
|
+
expect(issue.vector.affected_input_name).to eq('cookie_input')
|
|
777
807
|
end
|
|
778
808
|
it 'maintains the session while auditing cookies' do
|
|
779
809
|
auditor.load_page_from( @url + '/session' )
|
|
@@ -782,10 +812,10 @@ describe Arachni::Check::Auditor do
|
|
|
782
812
|
elements: [ Arachni::Element::Cookie ]
|
|
783
813
|
)
|
|
784
814
|
@framework.http.run
|
|
785
|
-
Arachni::Data.issues.size.
|
|
786
|
-
issue = Arachni::Data.issues.
|
|
787
|
-
issue.vector.class.
|
|
788
|
-
issue.vector.affected_input_name.
|
|
815
|
+
expect(Arachni::Data.issues.size).to eq(1)
|
|
816
|
+
issue = Arachni::Data.issues.first
|
|
817
|
+
expect(issue.vector.class).to eq(Arachni::Element::Cookie)
|
|
818
|
+
expect(issue.vector.affected_input_name).to eq('vulnerable')
|
|
789
819
|
end
|
|
790
820
|
|
|
791
821
|
end
|
|
@@ -796,10 +826,10 @@ describe Arachni::Check::Auditor do
|
|
|
796
826
|
elements: [ Arachni::Element::Header ]
|
|
797
827
|
)
|
|
798
828
|
@framework.http.run
|
|
799
|
-
Arachni::Data.issues.size.
|
|
800
|
-
issue = Arachni::Data.issues.
|
|
801
|
-
issue.vector.class.
|
|
802
|
-
issue.vector.affected_input_name.
|
|
829
|
+
expect(Arachni::Data.issues.size).to eq(1)
|
|
830
|
+
issue = Arachni::Data.issues.first
|
|
831
|
+
expect(issue.vector.class).to eq(Arachni::Element::Header)
|
|
832
|
+
expect(issue.vector.affected_input_name).to eq('Referer')
|
|
803
833
|
end
|
|
804
834
|
end
|
|
805
835
|
|
|
@@ -809,7 +839,7 @@ describe Arachni::Check::Auditor do
|
|
|
809
839
|
format: [ Arachni::Check::Auditor::Format::STRAIGHT ]
|
|
810
840
|
)
|
|
811
841
|
@framework.http.run
|
|
812
|
-
Arachni::Data.issues.size.
|
|
842
|
+
expect(Arachni::Data.issues.size).to eq(4)
|
|
813
843
|
end
|
|
814
844
|
end
|
|
815
845
|
end
|
|
@@ -834,9 +864,9 @@ describe Arachni::Check::Auditor do
|
|
|
834
864
|
@framework.http.run
|
|
835
865
|
end
|
|
836
866
|
|
|
837
|
-
Arachni::Data.issues.
|
|
867
|
+
expect(Arachni::Data.issues.all.find do |i|
|
|
838
868
|
i.vector.affected_input_name == 'you_made_it'
|
|
839
|
-
end.
|
|
869
|
+
end).to be_truthy
|
|
840
870
|
end
|
|
841
871
|
end
|
|
842
872
|
|
|
@@ -859,10 +889,10 @@ describe Arachni::Check::Auditor do
|
|
|
859
889
|
@framework.http.run
|
|
860
890
|
end
|
|
861
891
|
|
|
862
|
-
issue = issues.
|
|
863
|
-
issue.
|
|
864
|
-
issue.vector.class.
|
|
865
|
-
issue.vector.affected_input_name.
|
|
892
|
+
issue = issues.first
|
|
893
|
+
expect(issue).to be_truthy
|
|
894
|
+
expect(issue.vector.class).to eq(Arachni::Element::Form)
|
|
895
|
+
expect(issue.vector.affected_input_name).to eq('you_made_it')
|
|
866
896
|
end
|
|
867
897
|
end
|
|
868
898
|
|
|
@@ -881,29 +911,29 @@ describe Arachni::Check::Auditor do
|
|
|
881
911
|
auditor = Arachni::Check::Base.new( page, @framework )
|
|
882
912
|
auditor.audit( @seed, submit: { train: false } )
|
|
883
913
|
@framework.http.run
|
|
884
|
-
updated_pages.
|
|
914
|
+
expect(updated_pages).to be_empty
|
|
885
915
|
end
|
|
886
916
|
end
|
|
887
917
|
end
|
|
888
918
|
end
|
|
889
919
|
end
|
|
890
920
|
|
|
891
|
-
describe '#
|
|
892
|
-
it "delegates to #{Arachni::Element::Capabilities::Analyzable::
|
|
921
|
+
describe '#audit_signature' do
|
|
922
|
+
it "delegates to #{Arachni::Element::Capabilities::Analyzable::Signature}#signature_analysis" do
|
|
893
923
|
auditor.load_page_from( @url + '/link' )
|
|
894
924
|
|
|
895
|
-
$
|
|
925
|
+
$audit_signature_called = []
|
|
896
926
|
auditor.page.elements.each do |element|
|
|
897
927
|
element.class.class_eval do
|
|
898
|
-
def
|
|
899
|
-
$
|
|
928
|
+
def signature_analysis( *args, &block )
|
|
929
|
+
$audit_signature_called << self.class if $audit_signature_called
|
|
900
930
|
super( *args, &block )
|
|
901
931
|
end
|
|
902
932
|
end
|
|
903
933
|
end
|
|
904
934
|
|
|
905
|
-
auditor.
|
|
906
|
-
$
|
|
935
|
+
auditor.audit_signature( 'seed' )
|
|
936
|
+
expect($audit_signature_called).to eq(auditor.page.elements.map(&:class))
|
|
907
937
|
end
|
|
908
938
|
end
|
|
909
939
|
|
|
@@ -922,7 +952,7 @@ describe Arachni::Check::Auditor do
|
|
|
922
952
|
end
|
|
923
953
|
|
|
924
954
|
auditor.audit_differential( { false: '0', pairs: { '1' => '2' } } )
|
|
925
|
-
$audit_differential_called.
|
|
955
|
+
expect($audit_differential_called).to eq(auditor.page.elements.map(&:class))
|
|
926
956
|
end
|
|
927
957
|
end
|
|
928
958
|
|
|
@@ -941,7 +971,7 @@ describe Arachni::Check::Auditor do
|
|
|
941
971
|
end
|
|
942
972
|
|
|
943
973
|
auditor.audit_timeout( 'seed', timeout: 1 )
|
|
944
|
-
$audit_timeout_called.
|
|
974
|
+
expect($audit_timeout_called).to eq(auditor.page.elements.map(&:class))
|
|
945
975
|
end
|
|
946
976
|
end
|
|
947
977
|
|
|
@@ -1113,7 +1143,7 @@ describe Arachni::Check::Auditor do
|
|
|
1113
1143
|
true
|
|
1114
1144
|
end
|
|
1115
1145
|
auditor.browser_cluster.wait
|
|
1116
|
-
calls.
|
|
1146
|
+
expect(calls).to eq(1)
|
|
1117
1147
|
end
|
|
1118
1148
|
end
|
|
1119
1149
|
|
|
@@ -1125,7 +1155,7 @@ describe Arachni::Check::Auditor do
|
|
|
1125
1155
|
false
|
|
1126
1156
|
end
|
|
1127
1157
|
auditor.browser_cluster.wait
|
|
1128
|
-
calls.
|
|
1158
|
+
expect(calls).to be > 1
|
|
1129
1159
|
end
|
|
1130
1160
|
end
|
|
1131
1161
|
end
|