arachni 1.2.1 → 1.3

Files changed (373) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +66 -0
  3. data/Gemfile +1 -1
  4. data/README.md +16 -5
  5. data/components/checks/active/ldap_injection/errors.txt +1 -0
  6. data/components/checks/active/source_code_disclosure.rb +1 -1
  7. data/components/checks/active/unvalidated_redirect.rb +6 -6
  8. data/components/checks/active/unvalidated_redirect_dom.rb +10 -7
  9. data/components/checks/passive/grep/captcha.rb +14 -5
  10. data/components/checks/passive/grep/form_upload.rb +7 -3
  11. data/components/checks/passive/grep/hsts.rb +3 -3
  12. data/components/checks/passive/grep/html_objects.rb +2 -3
  13. data/components/checks/passive/grep/http_only_cookies.rb +2 -3
  14. data/components/checks/passive/grep/insecure_cookies.rb +1 -1
  15. data/components/checks/passive/grep/password_autocomplete.rb +2 -2
  16. data/components/checks/passive/grep/unencrypted_password_forms.rb +7 -7
  17. data/components/checks/passive/grep/x_frame_options.rb +2 -2
  18. data/components/checks/passive/http_put.rb +2 -3
  19. data/components/path_extractors/comments.rb +3 -3
  20. data/components/path_extractors/scripts.rb +10 -1
  21. data/components/plugins/defaults/autothrottle.rb +27 -18
  22. data/components/plugins/defaults/meta/remedies/discovery.rb +30 -33
  23. data/components/plugins/defaults/meta/remedies/timing_attacks.rb +7 -11
  24. data/components/plugins/login_script.rb +9 -3
  25. data/components/plugins/proxy.rb +4 -3
  26. data/components/reporters/html.rb +11 -14
  27. data/components/reporters/html/default/issue.erb +13 -38
  28. data/components/reporters/html/default/issue/info.erb +1 -1
  29. data/components/reporters/html/default/summary/issues/by_name.erb +3 -3
  30. data/components/reporters/stdout.rb +62 -71
  31. data/components/reporters/xml.rb +26 -40
  32. data/components/reporters/xml/schema.xsd +43 -89
  33. data/lib/arachni/browser.rb +52 -3
  34. data/lib/arachni/browser/javascript.rb +3 -3
  35. data/lib/arachni/browser/javascript/scripts/taint_tracer.js +46 -25
  36. data/lib/arachni/browser_cluster.rb +61 -0
  37. data/lib/arachni/browser_cluster/job.rb +21 -1
  38. data/lib/arachni/browser_cluster/jobs/browser_provider.rb +3 -1
  39. data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +2 -1
  40. data/lib/arachni/browser_cluster/jobs/resource_exploration/event_trigger.rb +2 -1
  41. data/lib/arachni/browser_cluster/jobs/taint_trace.rb +3 -2
  42. data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +1 -1
  43. data/lib/arachni/browser_cluster/worker.rb +5 -0
  44. data/lib/arachni/check/auditor.rb +22 -12
  45. data/lib/arachni/data/framework.rb +13 -1
  46. data/lib/arachni/data/issues.rb +9 -25
  47. data/lib/arachni/element/base.rb +9 -3
  48. data/lib/arachni/element/capabilities/analyzable.rb +2 -6
  49. data/lib/arachni/element/capabilities/analyzable/differential.rb +24 -7
  50. data/lib/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +23 -23
  51. data/lib/arachni/element/capabilities/auditable.rb +0 -6
  52. data/lib/arachni/element/capabilities/dom_only.rb +61 -0
  53. data/lib/arachni/element/capabilities/with_dom.rb +3 -1
  54. data/lib/arachni/element/cookie.rb +35 -5
  55. data/lib/arachni/element/cookie/dom.rb +13 -4
  56. data/lib/arachni/element/{capabilities/auditable/dom.rb → dom.rb} +20 -68
  57. data/lib/arachni/element/dom/capabilities/auditable.rb +29 -0
  58. data/lib/arachni/element/dom/capabilities/inputtable.rb +27 -0
  59. data/lib/arachni/element/dom/capabilities/mutable.rb +21 -0
  60. data/lib/arachni/element/dom/capabilities/submittable.rb +52 -0
  61. data/lib/arachni/element/form.rb +12 -1
  62. data/lib/arachni/element/form/capabilities/mutable.rb +2 -1
  63. data/lib/arachni/element/form/capabilities/with_dom.rb +0 -1
  64. data/lib/arachni/element/form/dom.rb +9 -3
  65. data/lib/arachni/element/header.rb +14 -33
  66. data/lib/arachni/element/header/capabilities/inputtable.rb +29 -0
  67. data/lib/arachni/element/header/capabilities/mutable.rb +51 -0
  68. data/lib/arachni/element/input/dom.rb +71 -0
  69. data/lib/arachni/element/json.rb +2 -0
  70. data/lib/arachni/element/link.rb +3 -0
  71. data/lib/arachni/element/link/capabilities/with_dom.rb +0 -1
  72. data/lib/arachni/element/link/dom.rb +16 -3
  73. data/lib/arachni/element/link/dom/capabilities/submittable.rb +29 -0
  74. data/lib/arachni/element/link_template.rb +3 -5
  75. data/lib/arachni/element/link_template/capabilities/inputtable.rb +5 -0
  76. data/lib/arachni/element/link_template/capabilities/with_dom.rb +0 -1
  77. data/lib/arachni/element/link_template/dom.rb +16 -3
  78. data/lib/arachni/element/link_template/dom/capabilities/submittable.rb +29 -0
  79. data/lib/arachni/element/server.rb +3 -5
  80. data/lib/arachni/element/ui_form.rb +106 -0
  81. data/lib/arachni/element/ui_form/dom.rb +107 -0
  82. data/lib/arachni/element/ui_input.rb +62 -0
  83. data/lib/arachni/element/xml.rb +2 -1
  84. data/lib/arachni/framework.rb +7 -5
  85. data/lib/arachni/framework/parts/audit.rb +0 -1
  86. data/lib/arachni/framework/parts/check.rb +1 -0
  87. data/lib/arachni/framework/parts/data.rb +4 -0
  88. data/lib/arachni/framework/parts/state.rb +0 -2
  89. data/lib/arachni/http/client.rb +17 -6
  90. data/lib/arachni/http/proxy_server.rb +52 -5
  91. data/lib/arachni/http/request.rb +1 -1
  92. data/lib/arachni/issue.rb +34 -179
  93. data/lib/arachni/issue/severity.rb +2 -0
  94. data/lib/arachni/option_groups/audit.rb +22 -2
  95. data/lib/arachni/option_groups/browser_cluster.rb +15 -0
  96. data/lib/arachni/page.rb +3 -2
  97. data/lib/arachni/parser.rb +24 -5
  98. data/lib/arachni/platform/manager.rb +1 -2
  99. data/lib/arachni/rpc/server/framework.rb +3 -4
  100. data/lib/arachni/rpc/server/framework/multi_instance.rb +2 -1
  101. data/lib/arachni/session.rb +1 -1
  102. data/lib/arachni/trainer.rb +4 -7
  103. data/lib/arachni/watir/element.rb +12 -1
  104. data/lib/version +1 -1
  105. data/spec/arachni/browser/element_locator_spec.rb +43 -43
  106. data/spec/arachni/browser/javascript/dom_monitor_spec.rb +44 -44
  107. data/spec/arachni/browser/javascript/proxy/stub_spec.rb +17 -14
  108. data/spec/arachni/browser/javascript/proxy_spec.rb +24 -24
  109. data/spec/arachni/browser/javascript/taint_tracer/frame/called_function_spec.rb +11 -11
  110. data/spec/arachni/browser/javascript/taint_tracer/frame_spec.rb +7 -7
  111. data/spec/arachni/browser/javascript/taint_tracer/sink/data_flow_spec.rb +13 -13
  112. data/spec/arachni/browser/javascript/taint_tracer/sink/execution_flow_spec.rb +7 -7
  113. data/spec/arachni/browser/javascript/taint_tracer_spec.rb +568 -558
  114. data/spec/arachni/browser/javascript_spec.rb +73 -63
  115. data/spec/arachni/browser_cluster/job/result_spec.rb +3 -3
  116. data/spec/arachni/browser_cluster/job_spec.rb +68 -48
  117. data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger/result_spec.rb +2 -2
  118. data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger_spec.rb +5 -4
  119. data/spec/arachni/browser_cluster/jobs/resource_exploration/result_spec.rb +2 -2
  120. data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +5 -5
  121. data/spec/arachni/browser_cluster/worker_spec.rb +87 -70
  122. data/spec/arachni/browser_cluster_spec.rb +64 -39
  123. data/spec/arachni/browser_spec.rb +692 -527
  124. data/spec/arachni/check/auditor_spec.rb +177 -147
  125. data/spec/arachni/check/base_spec.rb +33 -33
  126. data/spec/arachni/check/manager_spec.rb +15 -15
  127. data/spec/arachni/component/base_spec.rb +8 -8
  128. data/spec/arachni/component/manager_spec.rb +100 -99
  129. data/spec/arachni/component/options/address_spec.rb +3 -3
  130. data/spec/arachni/component/options/base_spec.rb +7 -7
  131. data/spec/arachni/component/options/bool_spec.rb +9 -9
  132. data/spec/arachni/component/options/float_spec.rb +6 -6
  133. data/spec/arachni/component/options/int_spec.rb +5 -5
  134. data/spec/arachni/component/options/multiple_choice_spec.rb +12 -12
  135. data/spec/arachni/component/options/object_spec.rb +2 -2
  136. data/spec/arachni/component/options/path_spec.rb +3 -3
  137. data/spec/arachni/component/options/port_spec.rb +5 -5
  138. data/spec/arachni/component/options/string_spec.rb +3 -3
  139. data/spec/arachni/component/options/url_spec.rb +4 -4
  140. data/spec/arachni/component/utilities_spec.rb +2 -2
  141. data/spec/arachni/data/framework/rpc_spec.rb +10 -9
  142. data/spec/arachni/data/framework_spec.rb +65 -46
  143. data/spec/arachni/data/issues_spec.rb +39 -77
  144. data/spec/arachni/data/plugins_spec.rb +11 -11
  145. data/spec/arachni/data/session_spec.rb +6 -6
  146. data/spec/arachni/data_spec.rb +8 -8
  147. data/spec/arachni/element/body_spec.rb +10 -10
  148. data/spec/arachni/element/capabilities/analyzable/differential_spec.rb +39 -21
  149. data/spec/arachni/element/capabilities/analyzable/{taint_spec.rb → signature_spec.rb} +63 -63
  150. data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +51 -51
  151. data/spec/arachni/element/capabilities/with_scope/scope_spec.rb +5 -5
  152. data/spec/arachni/element/cookie/dom_spec.rb +37 -18
  153. data/spec/arachni/element/cookie_spec.rb +206 -139
  154. data/spec/arachni/element/form/dom_spec.rb +36 -19
  155. data/spec/arachni/element/form_spec.rb +210 -187
  156. data/spec/arachni/element/generic_dom_spec.rb +14 -14
  157. data/spec/arachni/element/header_spec.rb +35 -17
  158. data/spec/arachni/element/json_spec.rb +53 -31
  159. data/spec/arachni/element/link/dom_spec.rb +46 -28
  160. data/spec/arachni/element/link_spec.rb +58 -40
  161. data/spec/arachni/element/link_template/dom_spec.rb +47 -29
  162. data/spec/arachni/element/link_template_spec.rb +79 -61
  163. data/spec/arachni/element/path_spec.rb +1 -1
  164. data/spec/arachni/element/server_spec.rb +33 -32
  165. data/spec/arachni/element/ui_form/ui_form_dom_spec.rb +164 -0
  166. data/spec/arachni/element/ui_form_spec.rb +242 -0
  167. data/spec/arachni/element/ui_input/dom_spec.rb +157 -0
  168. data/spec/arachni/element/ui_input_spec.rb +136 -0
  169. data/spec/arachni/element/xml_spec.rb +42 -24
  170. data/spec/arachni/element_filter_spec.rb +49 -48
  171. data/spec/arachni/error_spec.rb +3 -3
  172. data/spec/arachni/framework/parts/audit_spec.rb +64 -63
  173. data/spec/arachni/framework/parts/browser_spec.rb +16 -16
  174. data/spec/arachni/framework/parts/check_spec.rb +3 -3
  175. data/spec/arachni/framework/parts/data_spec.rb +48 -48
  176. data/spec/arachni/framework/parts/platform_spec.rb +3 -3
  177. data/spec/arachni/framework/parts/plugin_spec.rb +7 -6
  178. data/spec/arachni/framework/parts/report_spec.rb +7 -7
  179. data/spec/arachni/framework/parts/scope_spec.rb +16 -16
  180. data/spec/arachni/framework/parts/state_spec.rb +68 -69
  181. data/spec/arachni/framework_spec.rb +39 -31
  182. data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +32 -32
  183. data/spec/arachni/http/client_spec.rb +219 -208
  184. data/spec/arachni/http/cookie_jar_spec.rb +72 -72
  185. data/spec/arachni/http/headers_spec.rb +14 -14
  186. data/spec/arachni/http/proxy_server_spec.rb +43 -42
  187. data/spec/arachni/http/request_spec.rb +105 -103
  188. data/spec/arachni/http/response/scope_spec.rb +24 -24
  189. data/spec/arachni/http/response_spec.rb +50 -49
  190. data/spec/arachni/issue/severity_spec.rb +10 -9
  191. data/spec/arachni/issue_spec.rb +71 -369
  192. data/spec/arachni/option_groups/audit_spec.rb +114 -114
  193. data/spec/arachni/option_groups/browser_cluster_spec.rb +20 -3
  194. data/spec/arachni/option_groups/datastore_spec.rb +6 -6
  195. data/spec/arachni/option_groups/dispatcher_spec.rb +19 -19
  196. data/spec/arachni/option_groups/http_spec.rb +11 -11
  197. data/spec/arachni/option_groups/input_spec.rb +31 -27
  198. data/spec/arachni/option_groups/output_spec.rb +2 -2
  199. data/spec/arachni/option_groups/paths_spec.rb +17 -17
  200. data/spec/arachni/option_groups/rpc_spec.rb +2 -2
  201. data/spec/arachni/option_groups/scope_spec.rb +40 -40
  202. data/spec/arachni/option_groups/session_spec.rb +6 -5
  203. data/spec/arachni/option_groups/snapshot_spec.rb +4 -4
  204. data/spec/arachni/options_spec.rb +46 -45
  205. data/spec/arachni/page/dom/transition_spec.rb +74 -72
  206. data/spec/arachni/page/dom_spec.rb +35 -35
  207. data/spec/arachni/page/scope_spec.rb +15 -15
  208. data/spec/arachni/page_spec.rb +217 -217
  209. data/spec/arachni/parser_spec.rb +106 -104
  210. data/spec/arachni/platform/fingerprinter_spec.rb +17 -14
  211. data/spec/arachni/platform/list_spec.rb +33 -33
  212. data/spec/arachni/platform/manager_spec.rb +67 -64
  213. data/spec/arachni/plugin/base_spec.rb +10 -10
  214. data/spec/arachni/plugin/manager_spec.rb +38 -37
  215. data/spec/arachni/report_spec.rb +43 -40
  216. data/spec/arachni/reporter/base_spec.rb +15 -15
  217. data/spec/arachni/reporter/manager_spec.rb +4 -4
  218. data/spec/arachni/reporter/options_spec.rb +6 -6
  219. data/spec/arachni/rpc/client/base_spec.rb +6 -6
  220. data/spec/arachni/rpc/client/dispatcher_spec.rb +2 -2
  221. data/spec/arachni/rpc/client/instance_spec.rb +6 -6
  222. data/spec/arachni/rpc/server/active_options_spec.rb +11 -8
  223. data/spec/arachni/rpc/server/base_spec.rb +5 -5
  224. data/spec/arachni/rpc/server/checks/manager_spec.rb +8 -8
  225. data/spec/arachni/rpc/server/dispatcher/node_spec.rb +37 -37
  226. data/spec/arachni/rpc/server/dispatcher/service_spec.rb +15 -14
  227. data/spec/arachni/rpc/server/dispatcher_spec.rb +36 -35
  228. data/spec/arachni/rpc/server/framework/distributor_spec.rb +36 -36
  229. data/spec/arachni/rpc/server/framework_multi_spec.rb +340 -336
  230. data/spec/arachni/rpc/server/framework_spec.rb +90 -85
  231. data/spec/arachni/rpc/server/instance_spec.rb +126 -107
  232. data/spec/arachni/rpc/server/output_spec.rb +1 -1
  233. data/spec/arachni/rpc/server/plugin/manager_spec.rb +6 -6
  234. data/spec/arachni/ruby/array_spec.rb +42 -42
  235. data/spec/arachni/ruby/hash_spec.rb +20 -18
  236. data/spec/arachni/ruby/io_spec.rb +2 -2
  237. data/spec/arachni/ruby/object_spec.rb +1 -1
  238. data/spec/arachni/ruby/set_spec.rb +3 -3
  239. data/spec/arachni/ruby/string_spec.rb +30 -30
  240. data/spec/arachni/ruby/webrick_spec.rb +2 -2
  241. data/spec/arachni/scope_spec.rb +1 -1
  242. data/spec/arachni/session_spec.rb +67 -64
  243. data/spec/arachni/snapshot_spec.rb +15 -15
  244. data/spec/arachni/state/audit_spec.rb +11 -11
  245. data/spec/arachni/state/element_filter_spec.rb +6 -6
  246. data/spec/arachni/state/framework/rpc_spec.rb +12 -12
  247. data/spec/arachni/state/framework_spec.rb +125 -121
  248. data/spec/arachni/state/http_spec.rb +7 -7
  249. data/spec/arachni/state/options_spec.rb +7 -7
  250. data/spec/arachni/state/plugins_spec.rb +8 -8
  251. data/spec/arachni/state_spec.rb +10 -10
  252. data/spec/arachni/support/buffer/autoflush_spec.rb +16 -16
  253. data/spec/arachni/support/buffer/base_spec.rb +39 -39
  254. data/spec/arachni/support/cache/least_cost_replacement_spec.rb +18 -18
  255. data/spec/arachni/support/cache/least_recently_pushed_spec.rb +24 -24
  256. data/spec/arachni/support/cache/least_recently_used_spec.rb +20 -20
  257. data/spec/arachni/support/cache/preference_spec.rb +4 -4
  258. data/spec/arachni/support/cache/random_replacement_spec.rb +8 -8
  259. data/spec/arachni/support/crypto/rsa_aes_cbc_spec.rb +1 -1
  260. data/spec/arachni/support/database/hash_spec.rb +44 -43
  261. data/spec/arachni/support/database/queue_spec.rb +27 -27
  262. data/spec/arachni/support/lookup/hash_set_spec.rb +8 -8
  263. data/spec/arachni/support/lookup/moolb_spec.rb +3 -3
  264. data/spec/arachni/support/mixins/observable_spec.rb +6 -6
  265. data/spec/arachni/support/signature_spec.rb +19 -19
  266. data/spec/arachni/trainer_spec.rb +39 -39
  267. data/spec/arachni/typhoeus/hydra_spec.rb +2 -2
  268. data/spec/arachni/uri/scope_spec.rb +66 -66
  269. data/spec/arachni/uri_spec.rb +107 -105
  270. data/spec/arachni/utilities_spec.rb +40 -40
  271. data/spec/components/checks/active/csrf_spec.rb +8 -8
  272. data/spec/components/checks/active/no_sql_injection_spec.rb +1 -1
  273. data/spec/components/checks/active/sql_injection_spec.rb +16 -16
  274. data/spec/components/checks/active/trainer_spec.rb +4 -4
  275. data/spec/components/checks/active/unvalidated_redirect_dom_spec.rb +4 -2
  276. data/spec/components/checks/active/xpath_injection_spec.rb +1 -1
  277. data/spec/components/checks/active/xss_dom_script_context_spec.rb +51 -21
  278. data/spec/components/checks/active/xss_dom_spec.rb +46 -24
  279. data/spec/components/checks/passive/allowed_methods_spec.rb +1 -1
  280. data/spec/components/checks/passive/grep/cookie_set_for_parent_domain_spec.rb +1 -1
  281. data/spec/components/checks/passive/grep/hsts_spec.rb +2 -2
  282. data/spec/components/checks/passive/grep/http_only_cookies_spec.rb +1 -1
  283. data/spec/components/checks/passive/grep/insecure_cookies_spec.rb +1 -1
  284. data/spec/components/checks/passive/grep/insecure_cors_policy_spec.rb +2 -2
  285. data/spec/components/checks/passive/grep/password_autocomplete_spec.rb +1 -1
  286. data/spec/components/checks/passive/grep/private_ip_spec.rb +3 -3
  287. data/spec/components/checks/passive/grep/unencrypted_password_forms_spec.rb +1 -1
  288. data/spec/components/checks/passive/grep/x_frame_options_spec.rb +2 -2
  289. data/spec/components/checks/passive/interesting_responses_spec.rb +2 -2
  290. data/spec/components/checks/passive/webdav_spec.rb +1 -1
  291. data/spec/components/checks/passive/xst_spec.rb +1 -1
  292. data/spec/components/fingerprinters/servers/apache_spec.rb +2 -2
  293. data/spec/components/path_extractors/comments_spec.rb +5 -1
  294. data/spec/components/path_extractors/scripts_spec.rb +5 -2
  295. data/spec/components/plugins/autologin_spec.rb +22 -22
  296. data/spec/components/plugins/autothrottle_spec.rb +6 -5
  297. data/spec/components/plugins/content_types_spec.rb +4 -4
  298. data/spec/components/plugins/cookie_collector_spec.rb +5 -5
  299. data/spec/components/plugins/exec_spec.rb +12 -12
  300. data/spec/components/plugins/form_dicattack_spec.rb +3 -3
  301. data/spec/components/plugins/headers_collector_spec.rb +8 -8
  302. data/spec/components/plugins/healthmap_spec.rb +3 -3
  303. data/spec/components/plugins/http_dicattack_spec.rb +3 -3
  304. data/spec/components/plugins/login_script_spec.rb +79 -22
  305. data/spec/components/plugins/meta/remedies/discovery_spec.rb +3 -2
  306. data/spec/components/plugins/meta/remedies/timing_attacks_spec.rb +3 -3
  307. data/spec/components/plugins/meta/uniformity_spec.rb +2 -2
  308. data/spec/components/plugins/restrict_to_dom_state_spec.rb +1 -1
  309. data/spec/components/plugins/script_spec.rb +1 -1
  310. data/spec/components/plugins/uncommon_headers_spec.rb +2 -2
  311. data/spec/components/plugins/vector_collector_spec.rb +2 -2
  312. data/spec/components/plugins/vector_feed_spec.rb +40 -40
  313. data/spec/components/plugins/waf_detector_spec.rb +6 -6
  314. data/spec/components/reporters/json_spec.rb +4 -4
  315. data/spec/components/reporters/marshal_spec.rb +2 -2
  316. data/spec/components/reporters/yaml_spec.rb +3 -2
  317. data/spec/external/wavsep/active/sqli_spec.rb +1 -3
  318. data/spec/spec_helper.rb +4 -0
  319. data/spec/support/factories/element/ui_form.rb +14 -0
  320. data/spec/support/factories/element/ui_input.rb +13 -0
  321. data/spec/support/factories/issue.rb +0 -13
  322. data/spec/support/fixtures/report.afr +0 -0
  323. data/spec/support/fixtures/{taint_check/taint.rb → signature_check/signature.rb} +2 -2
  324. data/spec/support/helpers/browser_cluster/jobs/taint_tracer.rb +11 -11
  325. data/spec/support/helpers/framework.rb +1 -1
  326. data/spec/support/helpers/pages.rb +2 -2
  327. data/spec/support/servers/arachni/browser.rb +139 -0
  328. data/spec/support/servers/arachni/browser/javascript/taint_tracer.rb +40 -0
  329. data/spec/support/servers/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +0 -0
  330. data/spec/support/servers/arachni/element/input/input_dom.rb +102 -0
  331. data/spec/support/servers/arachni/element/ui_form/ui_form_dom.rb +238 -0
  332. data/spec/support/servers/checks/active/trainer_check.rb +7 -7
  333. data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +22 -6
  334. data/spec/support/servers/checks/active/xss_dom.rb +50 -0
  335. data/spec/support/servers/checks/active/xss_dom_script_context.rb +53 -0
  336. data/spec/support/shared/browser/javascript/taint_tracer/sink/base.rb +6 -6
  337. data/spec/support/shared/check.rb +10 -12
  338. data/spec/support/shared/component/options/base.rb +24 -24
  339. data/spec/support/shared/element/base.rb +25 -25
  340. data/spec/support/shared/element/capabilities/auditable.rb +116 -140
  341. data/spec/support/shared/element/capabilities/dom_only.rb +65 -0
  342. data/spec/support/shared/element/capabilities/inputtable.rb +71 -86
  343. data/spec/support/shared/element/capabilities/mutable.rb +122 -111
  344. data/spec/support/shared/element/capabilities/refreshable.rb +10 -10
  345. data/spec/support/shared/element/capabilities/{submitable.rb → submittable.rb} +26 -26
  346. data/spec/support/shared/element/capabilities/with_auditor.rb +10 -10
  347. data/spec/support/shared/element/capabilities/with_dom.rb +8 -8
  348. data/spec/support/shared/element/capabilities/with_node.rb +4 -6
  349. data/spec/support/shared/element/capabilities/with_scope.rb +2 -2
  350. data/spec/support/shared/element/capabilities/with_source.rb +6 -8
  351. data/spec/support/shared/element/dom.rb +144 -0
  352. data/spec/support/shared/element/dom/auditable.rb +42 -0
  353. data/spec/support/shared/element/dom/inputtable.rb +5 -0
  354. data/spec/support/shared/element/dom/mutable.rb +3 -0
  355. data/spec/support/shared/element/dom/submittable.rb +119 -0
  356. data/spec/support/shared/external/wavsep.rb +3 -3
  357. data/spec/support/shared/fingerprinter.rb +2 -2
  358. data/spec/support/shared/framework.rb +1 -1
  359. data/spec/support/shared/http/message.rb +9 -9
  360. data/spec/support/shared/option_group.rb +17 -17
  361. data/spec/support/shared/path_extractor.rb +1 -1
  362. data/spec/support/shared/plugin.rb +2 -2
  363. data/spec/support/shared/support/cache.rb +57 -57
  364. data/spec/support/shared/support/lookup.rb +25 -25
  365. data/ui/cli/framework.rb +22 -11
  366. data/ui/cli/framework/option_parser.rb +15 -0
  367. data/ui/cli/option_parser.rb +8 -1
  368. data/ui/cli/output.rb +2 -1
  369. metadata +54 -20
  370. data/components/checks/active/xss_dom_inputs.rb +0 -236
  371. data/spec/components/checks/active/xss_dom_inputs_spec.rb +0 -30
  372. data/spec/support/servers/checks/active/xss_dom_inputs.rb +0 -59
  373. data/spec/support/shared/element/capabilities/auditable/dom.rb +0 -322
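--- a/data/spec/arachni/element/generic_dom_spec.rb
+++ b/data/spec/arachni/element/generic_dom_spec.rb
@@ -28,35 +28,35 @@ describe Arachni::Element::GenericDOM do
 
  describe '#initialize' do
  it "sets #source form the #{Arachni::Browser::ElementLocator}" do
- subject.source.should == element.to_s
+ expect(subject.source).to eq(element.to_s)
  end
  end
 
  describe '#transition' do
  it 'returns the associated transition' do
- subject.transition.should == transition
+ expect(subject.transition).to eq(transition)
  end
  end
 
  describe '#event' do
  it 'returns the associated event' do
- subject.event.should == transition.event
+ expect(subject.event).to eq(transition.event)
  end
 
  it 'is aliased to #method' do
- subject.method.should == transition.event
+ expect(subject.method).to eq(transition.event)
  end
  end
 
  describe '#element' do
  it 'returns the associated element locator' do
- subject.element.should == transition.element
+ expect(subject.element).to eq(transition.element)
  end
  end
 
  describe '#attributes' do
  it 'returns the associated element attributes' do
- subject.attributes.should == transition.element.attributes
+ expect(subject.attributes).to eq(transition.element.attributes)
  end
  end
 
@@ -68,7 +68,7 @@ describe Arachni::Element::GenericDOM do
  end
 
  it 'returns the element name from the its attributes' do
- subject.name.should == 'my-name'
+ expect(subject.name).to eq('my-name')
  end
 
  context 'when an id is set instead of a name' do
@@ -79,12 +79,12 @@ describe Arachni::Element::GenericDOM do
  end
 
  it 'returns the id' do
- subject.name.should == 'my-id'
+ expect(subject.name).to eq('my-id')
  end
  end
 
  it 'is aliased to #affected_input_name' do
- subject.affected_input_name.should == subject.name
+ expect(subject.affected_input_name).to eq(subject.name)
  end
  end
 
@@ -96,25 +96,25 @@ describe Arachni::Element::GenericDOM do
  end
 
  it 'returns the value for the element' do
- subject.value.should == 'my-val'
+ expect(subject.value).to eq('my-val')
  end
 
  it 'is aliased to #affected_input_value' do
- subject.affected_input_value.should == subject.value
+ expect(subject.affected_input_value).to eq(subject.value)
  end
  end
 
  describe '#type' do
  it 'returns the #element tag name' do
- subject.type.should == element.tag_name
+ expect(subject.type).to eq(element.tag_name)
  end
  end
 
  describe '#to_h' do
  it 'includes the #transition' do
- subject.to_h[:transition].should == transition.to_h.tap do |h|
+ expect(subject.to_h[:transition]).to eq(transition.to_h.tap do |h|
  h[:element] = h[:element].to_h
- end
+ end)
  end
  end
  end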
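Review bot: In the `#to_h` example the multi-line `do … end` block now sits inside `eq(...)` and closes with a dangling `end)`, which is easy to misread. Naming the expected hash first keeps the assertion on one line: `expected = transition.to_h.tap { |h| h[:element] = h[:element].to_h }` followed by `expect(subject.to_h[:transition]).to eq(expected)`. This is a style point only and the asserted value stays the same.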
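--- a/data/spec/arachni/element/header_spec.rb
+++ b/data/spec/arachni/element/header_spec.rb
@@ -2,7 +2,25 @@ require 'spec_helper'
 
  describe Arachni::Element::Header do
  it_should_behave_like 'element'
- it_should_behave_like 'auditable', single_input: true, supports_nulls: false
+
+ it_should_behave_like 'with_auditor'
+
+ it_should_behave_like 'submittable'
+ it_should_behave_like 'inputtable', single_input: true
+ it_should_behave_like 'mutable', supports_nulls: false
+ it_should_behave_like 'auditable'
+
+ before :each do
+ @framework ||= Arachni::Framework.new
+ @auditor = Auditor.new( Arachni::Page.from_url( url ), @framework )
+ end
+
+ after :each do
+ @framework.reset
+ reset_options
+ end
+
+ let(:auditor) { @auditor }
 
  def auditable_extract_parameters( resource )
  YAML.load( resource.body )
@@ -19,56 +37,56 @@ describe Arachni::Element::Header do
  let(:utilities) { Arachni::Utilities }
 
  it 'is be assigned to Arachni::Header for easy access' do
- Arachni::Header.should == described_class
+ expect(Arachni::Header).to eq(described_class)
  end
 
  it 'retains its assigned inputs' do
- subject.inputs.should == inputs
+ expect(subject.inputs).to eq(inputs)
  end
 
  describe '#simple' do
  it 'returns the inputs as is' do
- subject.simple.should == inputs
+ expect(subject.simple).to eq(inputs)
  end
  end
 
  describe '#mutations' do
  describe :parameter_names do
  it 'creates a new header' do
- subject.mutations( 'seed', parameter_names: true ).last.
- inputs.keys.should == %w(seed)
+ expect(subject.mutations( 'seed', parameter_names: true ).last.
+ inputs.keys).to eq(%w(seed))
  end
  end
 
  describe :format do
  it 'does not include NULLs' do
- subject.mutations( 'seed' ).
- select { |m| m.affected_input_value.include? "\0" }.should be_empty
+ expect(subject.mutations( 'seed' ).
+ select { |m| m.affected_input_value.include? "\0" }).to be_empty
  end
  end
  end
 
  describe '#name' do
  it 'returns the header name' do
- subject.name.should == inputs.first.to_a.first
+ expect(subject.name).to eq(inputs.first.to_a.first)
  end
  end
 
  describe '#value' do
  it 'returns the header value' do
- subject.value.should == inputs.first.to_a.last
+ expect(subject.value).to eq(inputs.first.to_a.last)
  end
  end
 
  describe '#valid_input_data?' do
  it 'returns true' do
- subject.valid_input_data?( 'stuff' ).should be_true
+ expect(subject.valid_input_data?( 'stuff' )).to be_truthy
  end
 
  described_class::INVALID_INPUT_DATA.each do |invalid_data|
  context "when the value contains #{invalid_data.inspect}" do
  it 'returns false' do
- subject.valid_input_data?( "stuff #{invalid_data}" ).should be_false
+ expect(subject.valid_input_data?( "stuff #{invalid_data}" )).to be_falsey
  end
  end
  end
@@ -77,32 +95,32 @@ describe Arachni::Element::Header do
  describe '.encode' do
  it 'encodes the passed string' do
  v = "stuff \r\n"
- described_class.encode( v ).should == URI.encode( v, "\r\n" )
+ expect(described_class.encode( v )).to eq(URI.encode( v, "\r\n" ))
  end
  end
  describe '#encode' do
  it 'encodes the passed string' do
  v = "stuff \r\n"
- subject.encode( v ).should == described_class.encode( v )
+ expect(subject.encode( v )).to eq(described_class.encode( v ))
  end
  end
 
  describe '.decode' do
  it 'URL-decodes the passed string' do
  v = '%25+value%5C+%2B%3D%26%3B'
- described_class.decode( v ).should == URI.decode( v )
+ expect(described_class.decode( v )).to eq(URI.decode( v ))
  end
  end
  describe '#decode' do
  it 'URL-decodes the passed string' do
  v = '%25+value%5C+%2B%3D%26%3B'
- subject.decode( v ).should == described_class.decode( v )
+ expect(subject.decode( v )).to eq(described_class.decode( v ))
  end
  end
 
  describe '#type' do
  it 'is "header"' do
- subject.type.should == :header
+ expect(subject.type).to eq(:header)
  end
  end
 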
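Review bot: The `.encode` example in the last hunk still takes its expected value from `URI.encode( v, "\r\n" )`, so the spec never states that CR and LF in a header value must come out percent-encoded, which is the property that keeps an injected value from breaking the header line. Pinning the literal makes that contract explicit and independent of the helper: `expect(described_class.encode( v )).to eq('stuff %0D%0A')` (expected string assumed from how URI.encode treats that unsafe set; confirm against the implementation). In the `#valid_input_data?` hunk, `be_truthy` and `be_falsey` pass for any truthy or falsy object; for a predicate that gates input data, `be(true)` and `be(false)` pin the actual boolean.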
@@ -2,8 +2,27 @@ require 'spec_helper'
2
2
 
3
3
  describe Arachni::Element::JSON do
4
4
  it_should_behave_like 'element'
5
+
6
+ it_should_behave_like 'with_source'
7
+ it_should_behave_like 'with_auditor'
8
+
9
+ it_should_behave_like 'submittable'
10
+ it_should_behave_like 'inputtable'
11
+ it_should_behave_like 'mutable'
5
12
  it_should_behave_like 'auditable'
6
13
 
14
+ before :each do
15
+ @framework ||= Arachni::Framework.new
16
+ @auditor = Auditor.new( Arachni::Page.from_url( url ), @framework )
17
+ end
18
+
19
+ after :each do
20
+ @framework.reset
21
+ reset_options
22
+ end
23
+
24
+ let(:auditor) { @auditor }
25
+
7
26
  def auditable_extract_parameters( resource )
8
27
  JSON.load( resource.body )
9
28
  end
@@ -19,7 +38,7 @@ describe Arachni::Element::JSON do
19
38
  let(:utilities) { Arachni::Utilities }
20
39
 
21
40
  it 'is be assigned to Arachni::JSON for easy access' do
22
- Arachni::JSON.should == described_class
41
+ expect(Arachni::JSON).to eq(described_class)
23
42
  end
24
43
 
25
44
  describe '#to_json' do
@@ -45,13 +64,13 @@ describe Arachni::Element::JSON do
45
64
  end
46
65
 
47
66
  it 'returns the input data as JSON' do
48
- subject.to_json.should == inputs.to_json
67
+ expect(subject.to_json).to eq(inputs.to_json)
49
68
  end
50
69
  end
51
70
 
52
71
  describe '#inputs=' do
53
72
  it 'sets inputs' do
54
- subject.inputs.should == inputs
73
+ expect(subject.inputs).to eq(inputs)
55
74
  end
56
75
 
57
76
  it 'recursively converts keys to string' do
@@ -62,12 +81,12 @@ describe Arachni::Element::JSON do
62
81
  }
63
82
  }
64
83
 
65
- subject.inputs.should == {
84
+ expect(subject.inputs).to eq({
66
85
  'stuff' => 1,
67
86
  'stuff2' => {
68
87
  'stuff2' => '2'
69
88
  }
70
- }
89
+ })
71
90
  end
72
91
 
73
92
  context 'when it has nested hashes' do
@@ -82,7 +101,7 @@ describe Arachni::Element::JSON do
82
101
  end
83
102
 
84
103
  it 'preserves them' do
85
- subject.inputs.should == inputs
104
+ expect(subject.inputs).to eq(inputs)
86
105
  end
87
106
  end
88
107
 
@@ -98,7 +117,7 @@ describe Arachni::Element::JSON do
98
117
  end
99
118
 
100
119
  it 'preserves them' do
101
- subject.inputs.should == inputs
120
+ expect(subject.inputs).to eq(inputs)
102
121
  end
103
122
  end
104
123
  end
@@ -109,7 +128,7 @@ describe Arachni::Element::JSON do
109
128
  it 'stores the item as a String' do
110
129
  affected_input_name = ['stuff']
111
130
  subject.affected_input_name = affected_input_name
112
- subject.affected_input_name.should == affected_input_name.first
131
+ expect(subject.affected_input_name).to eq(affected_input_name.first)
113
132
  end
114
133
  end
115
134
 
@@ -117,7 +136,7 @@ describe Arachni::Element::JSON do
117
136
  it 'sets the path to the fuzzed input' do
118
137
  affected_input_name = ['stuff', 'stuff2']
119
138
  subject.affected_input_name = affected_input_name
120
- subject.affected_input_name.should == affected_input_name
139
+ expect(subject.affected_input_name).to eq(affected_input_name)
121
140
  end
122
141
  end
123
142
  end
@@ -139,8 +158,9 @@ describe Arachni::Element::JSON do
139
158
  end
140
159
 
141
160
  it 'returns the input data at that path' do
142
- subject[['nested', 'nested-name', 'deep-nested']].should ==
161
+ expect(subject[['nested', 'nested-name', 'deep-nested']]).to eq(
143
162
  inputs['nested']['nested-name']['deep-nested']
163
+ )
144
164
  end
145
165
  end
146
166
 
@@ -162,8 +182,9 @@ describe Arachni::Element::JSON do
162
182
  end
163
183
 
164
184
  it 'returns the input data at that path' do
165
- subject[['nested', 'nested-name', 'deep-nested', 2]].should ==
185
+ expect(subject[['nested', 'nested-name', 'deep-nested', 2]]).to eq(
166
186
  inputs['nested']['nested-name']['deep-nested'][2]
187
+ )
167
188
  end
168
189
  end
169
190
  end
@@ -187,7 +208,7 @@ describe Arachni::Element::JSON do
187
208
  it 'sets the input data at that path' do
188
209
  subject[['nested', 'nested-name', 'deep-nested']] = 'foo'
189
210
 
190
- subject.inputs.should == {
211
+ expect(subject.inputs).to eq({
191
212
  'stuff' => 'blah',
192
213
  'nested' => {
193
214
  'nested-name' => {
@@ -195,7 +216,7 @@ describe Arachni::Element::JSON do
195
216
  },
196
217
  'nested-name2' => true
197
218
  }
198
- }
219
+ })
199
220
  end
200
221
  end
201
222
 
@@ -219,7 +240,7 @@ describe Arachni::Element::JSON do
219
240
  it 'returns the input data at that path' do
220
241
  subject[['nested', 'nested-name', 'deep-nested', 1]] = 'foo'
221
242
 
222
- subject.inputs.should ==
243
+ expect(subject.inputs).to eq(
223
244
  {
224
245
  'stuff' => 'blah',
225
246
  'nested' => {
@@ -233,6 +254,7 @@ describe Arachni::Element::JSON do
233
254
  'nested-name2' => true
234
255
  }
235
256
  }
257
+ )
236
258
  end
237
259
  end
238
260
  end
@@ -274,7 +296,7 @@ describe Arachni::Element::JSON do
274
296
  }
275
297
  })
276
298
 
277
- subject.inputs.should == {
299
+ expect(subject.inputs).to eq({
278
300
  'stuff' => 'new stuff',
279
301
  'nested' => {
280
302
  'nested-name' => {
@@ -291,7 +313,7 @@ describe Arachni::Element::JSON do
291
313
  },
292
314
  'nested-name2' => true
293
315
  }
294
- }
316
+ })
295
317
  end
296
318
  end
297
319
 
@@ -316,11 +338,11 @@ describe Arachni::Element::JSON do
316
338
  )
317
339
 
318
340
  mutations.each do |m|
319
- m[m.affected_input_name].should == 'seed'
320
- m.affected_input_value.should == 'seed'
341
+ expect(m[m.affected_input_name]).to eq('seed')
342
+ expect(m.affected_input_value).to eq('seed')
321
343
  end
322
344
 
323
- mutations.map { |m| Hash[m.affected_input_name, m.inputs]}.should == [
345
+ expect(mutations.map { |m| Hash[m.affected_input_name, m.inputs]}).to eq([
324
346
  {
325
347
  'stuff' => {
326
348
  'stuff' => 'seed',
@@ -354,7 +376,7 @@ describe Arachni::Element::JSON do
354
376
  }
355
377
  }
356
378
  }
357
- ]
379
+ ])
358
380
  end
359
381
  end
360
382
 
@@ -381,11 +403,11 @@ describe Arachni::Element::JSON do
381
403
  )
382
404
 
383
405
  mutations.each do |m|
384
- m[m.affected_input_name].should == 'seed'
385
- m.affected_input_value.should == 'seed'
406
+ expect(m[m.affected_input_name]).to eq('seed')
407
+ expect(m.affected_input_value).to eq('seed')
386
408
  end
387
409
 
388
- mutations.map { |m| Hash[m.affected_input_name, m.inputs]}.should == [
410
+ expect(mutations.map { |m| Hash[m.affected_input_name, m.inputs]}).to eq([
389
411
  {
390
412
  'stuff' => {
391
413
  'stuff' => 'seed',
@@ -461,7 +483,7 @@ describe Arachni::Element::JSON do
461
483
  }
462
484
  }
463
485
  }
464
- ]
486
+ ])
465
487
  end
466
488
  end
467
489
  end
@@ -469,41 +491,41 @@ describe Arachni::Element::JSON do
469
491
 
470
492
  describe '#simple' do
471
493
  it 'returns a simple Hash representation' do
472
- subject.simple.should == { subject.action => subject.inputs }
494
+ expect(subject.simple).to eq({ subject.action => subject.inputs })
473
495
  end
474
496
  end
475
497
 
476
498
  describe '#valid_input_data?' do
477
499
  it 'returns true' do
478
- subject.valid_input_data?( 'stuff' ).should be_true
500
+ expect(subject.valid_input_data?( 'stuff' )).to be_truthy
479
501
  end
480
502
  end
481
503
 
482
504
  describe '.encode' do
483
505
  it 'returns the string as is' do
484
- described_class.encode( 'stuff' ).should == 'stuff'
506
+ expect(described_class.encode( 'stuff' )).to eq('stuff')
485
507
  end
486
508
  end
487
509
  describe '#encode' do
488
510
  it 'returns the string as is' do
489
- subject.encode( 'stuff' ).should == 'stuff'
511
+ expect(subject.encode( 'stuff' )).to eq('stuff')
490
512
  end
491
513
  end
492
514
 
493
515
  describe '.decode' do
494
516
  it 'returns the string as is' do
495
- described_class.decode( 'stuff' ).should == 'stuff'
517
+ expect(described_class.decode( 'stuff' )).to eq('stuff')
496
518
  end
497
519
  end
498
520
  describe '#decode' do
499
521
  it 'returns the string as is' do
500
- subject.decode( 'stuff' ).should == 'stuff'
522
+ expect(subject.decode( 'stuff' )).to eq('stuff')
501
523
  end
502
524
  end
503
525
 
504
526
  describe '#type' do
505
527
  it 'is "json"' do
506
- subject.type.should == :json
528
+ expect(subject.type).to eq(:json)
507
529
  end
508
530
  end
509
531