arachni 1.2.1 → 1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (373) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +66 -0
  3. data/Gemfile +1 -1
  4. data/README.md +16 -5
  5. data/components/checks/active/ldap_injection/errors.txt +1 -0
  6. data/components/checks/active/source_code_disclosure.rb +1 -1
  7. data/components/checks/active/unvalidated_redirect.rb +6 -6
  8. data/components/checks/active/unvalidated_redirect_dom.rb +10 -7
  9. data/components/checks/passive/grep/captcha.rb +14 -5
  10. data/components/checks/passive/grep/form_upload.rb +7 -3
  11. data/components/checks/passive/grep/hsts.rb +3 -3
  12. data/components/checks/passive/grep/html_objects.rb +2 -3
  13. data/components/checks/passive/grep/http_only_cookies.rb +2 -3
  14. data/components/checks/passive/grep/insecure_cookies.rb +1 -1
  15. data/components/checks/passive/grep/password_autocomplete.rb +2 -2
  16. data/components/checks/passive/grep/unencrypted_password_forms.rb +7 -7
  17. data/components/checks/passive/grep/x_frame_options.rb +2 -2
  18. data/components/checks/passive/http_put.rb +2 -3
  19. data/components/path_extractors/comments.rb +3 -3
  20. data/components/path_extractors/scripts.rb +10 -1
  21. data/components/plugins/defaults/autothrottle.rb +27 -18
  22. data/components/plugins/defaults/meta/remedies/discovery.rb +30 -33
  23. data/components/plugins/defaults/meta/remedies/timing_attacks.rb +7 -11
  24. data/components/plugins/login_script.rb +9 -3
  25. data/components/plugins/proxy.rb +4 -3
  26. data/components/reporters/html.rb +11 -14
  27. data/components/reporters/html/default/issue.erb +13 -38
  28. data/components/reporters/html/default/issue/info.erb +1 -1
  29. data/components/reporters/html/default/summary/issues/by_name.erb +3 -3
  30. data/components/reporters/stdout.rb +62 -71
  31. data/components/reporters/xml.rb +26 -40
  32. data/components/reporters/xml/schema.xsd +43 -89
  33. data/lib/arachni/browser.rb +52 -3
  34. data/lib/arachni/browser/javascript.rb +3 -3
  35. data/lib/arachni/browser/javascript/scripts/taint_tracer.js +46 -25
  36. data/lib/arachni/browser_cluster.rb +61 -0
  37. data/lib/arachni/browser_cluster/job.rb +21 -1
  38. data/lib/arachni/browser_cluster/jobs/browser_provider.rb +3 -1
  39. data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +2 -1
  40. data/lib/arachni/browser_cluster/jobs/resource_exploration/event_trigger.rb +2 -1
  41. data/lib/arachni/browser_cluster/jobs/taint_trace.rb +3 -2
  42. data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +1 -1
  43. data/lib/arachni/browser_cluster/worker.rb +5 -0
  44. data/lib/arachni/check/auditor.rb +22 -12
  45. data/lib/arachni/data/framework.rb +13 -1
  46. data/lib/arachni/data/issues.rb +9 -25
  47. data/lib/arachni/element/base.rb +9 -3
  48. data/lib/arachni/element/capabilities/analyzable.rb +2 -6
  49. data/lib/arachni/element/capabilities/analyzable/differential.rb +24 -7
  50. data/lib/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +23 -23
  51. data/lib/arachni/element/capabilities/auditable.rb +0 -6
  52. data/lib/arachni/element/capabilities/dom_only.rb +61 -0
  53. data/lib/arachni/element/capabilities/with_dom.rb +3 -1
  54. data/lib/arachni/element/cookie.rb +35 -5
  55. data/lib/arachni/element/cookie/dom.rb +13 -4
  56. data/lib/arachni/element/{capabilities/auditable/dom.rb → dom.rb} +20 -68
  57. data/lib/arachni/element/dom/capabilities/auditable.rb +29 -0
  58. data/lib/arachni/element/dom/capabilities/inputtable.rb +27 -0
  59. data/lib/arachni/element/dom/capabilities/mutable.rb +21 -0
  60. data/lib/arachni/element/dom/capabilities/submittable.rb +52 -0
  61. data/lib/arachni/element/form.rb +12 -1
  62. data/lib/arachni/element/form/capabilities/mutable.rb +2 -1
  63. data/lib/arachni/element/form/capabilities/with_dom.rb +0 -1
  64. data/lib/arachni/element/form/dom.rb +9 -3
  65. data/lib/arachni/element/header.rb +14 -33
  66. data/lib/arachni/element/header/capabilities/inputtable.rb +29 -0
  67. data/lib/arachni/element/header/capabilities/mutable.rb +51 -0
  68. data/lib/arachni/element/input/dom.rb +71 -0
  69. data/lib/arachni/element/json.rb +2 -0
  70. data/lib/arachni/element/link.rb +3 -0
  71. data/lib/arachni/element/link/capabilities/with_dom.rb +0 -1
  72. data/lib/arachni/element/link/dom.rb +16 -3
  73. data/lib/arachni/element/link/dom/capabilities/submittable.rb +29 -0
  74. data/lib/arachni/element/link_template.rb +3 -5
  75. data/lib/arachni/element/link_template/capabilities/inputtable.rb +5 -0
  76. data/lib/arachni/element/link_template/capabilities/with_dom.rb +0 -1
  77. data/lib/arachni/element/link_template/dom.rb +16 -3
  78. data/lib/arachni/element/link_template/dom/capabilities/submittable.rb +29 -0
  79. data/lib/arachni/element/server.rb +3 -5
  80. data/lib/arachni/element/ui_form.rb +106 -0
  81. data/lib/arachni/element/ui_form/dom.rb +107 -0
  82. data/lib/arachni/element/ui_input.rb +62 -0
  83. data/lib/arachni/element/xml.rb +2 -1
  84. data/lib/arachni/framework.rb +7 -5
  85. data/lib/arachni/framework/parts/audit.rb +0 -1
  86. data/lib/arachni/framework/parts/check.rb +1 -0
  87. data/lib/arachni/framework/parts/data.rb +4 -0
  88. data/lib/arachni/framework/parts/state.rb +0 -2
  89. data/lib/arachni/http/client.rb +17 -6
  90. data/lib/arachni/http/proxy_server.rb +52 -5
  91. data/lib/arachni/http/request.rb +1 -1
  92. data/lib/arachni/issue.rb +34 -179
  93. data/lib/arachni/issue/severity.rb +2 -0
  94. data/lib/arachni/option_groups/audit.rb +22 -2
  95. data/lib/arachni/option_groups/browser_cluster.rb +15 -0
  96. data/lib/arachni/page.rb +3 -2
  97. data/lib/arachni/parser.rb +24 -5
  98. data/lib/arachni/platform/manager.rb +1 -2
  99. data/lib/arachni/rpc/server/framework.rb +3 -4
  100. data/lib/arachni/rpc/server/framework/multi_instance.rb +2 -1
  101. data/lib/arachni/session.rb +1 -1
  102. data/lib/arachni/trainer.rb +4 -7
  103. data/lib/arachni/watir/element.rb +12 -1
  104. data/lib/version +1 -1
  105. data/spec/arachni/browser/element_locator_spec.rb +43 -43
  106. data/spec/arachni/browser/javascript/dom_monitor_spec.rb +44 -44
  107. data/spec/arachni/browser/javascript/proxy/stub_spec.rb +17 -14
  108. data/spec/arachni/browser/javascript/proxy_spec.rb +24 -24
  109. data/spec/arachni/browser/javascript/taint_tracer/frame/called_function_spec.rb +11 -11
  110. data/spec/arachni/browser/javascript/taint_tracer/frame_spec.rb +7 -7
  111. data/spec/arachni/browser/javascript/taint_tracer/sink/data_flow_spec.rb +13 -13
  112. data/spec/arachni/browser/javascript/taint_tracer/sink/execution_flow_spec.rb +7 -7
  113. data/spec/arachni/browser/javascript/taint_tracer_spec.rb +568 -558
  114. data/spec/arachni/browser/javascript_spec.rb +73 -63
  115. data/spec/arachni/browser_cluster/job/result_spec.rb +3 -3
  116. data/spec/arachni/browser_cluster/job_spec.rb +68 -48
  117. data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger/result_spec.rb +2 -2
  118. data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger_spec.rb +5 -4
  119. data/spec/arachni/browser_cluster/jobs/resource_exploration/result_spec.rb +2 -2
  120. data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +5 -5
  121. data/spec/arachni/browser_cluster/worker_spec.rb +87 -70
  122. data/spec/arachni/browser_cluster_spec.rb +64 -39
  123. data/spec/arachni/browser_spec.rb +692 -527
  124. data/spec/arachni/check/auditor_spec.rb +177 -147
  125. data/spec/arachni/check/base_spec.rb +33 -33
  126. data/spec/arachni/check/manager_spec.rb +15 -15
  127. data/spec/arachni/component/base_spec.rb +8 -8
  128. data/spec/arachni/component/manager_spec.rb +100 -99
  129. data/spec/arachni/component/options/address_spec.rb +3 -3
  130. data/spec/arachni/component/options/base_spec.rb +7 -7
  131. data/spec/arachni/component/options/bool_spec.rb +9 -9
  132. data/spec/arachni/component/options/float_spec.rb +6 -6
  133. data/spec/arachni/component/options/int_spec.rb +5 -5
  134. data/spec/arachni/component/options/multiple_choice_spec.rb +12 -12
  135. data/spec/arachni/component/options/object_spec.rb +2 -2
  136. data/spec/arachni/component/options/path_spec.rb +3 -3
  137. data/spec/arachni/component/options/port_spec.rb +5 -5
  138. data/spec/arachni/component/options/string_spec.rb +3 -3
  139. data/spec/arachni/component/options/url_spec.rb +4 -4
  140. data/spec/arachni/component/utilities_spec.rb +2 -2
  141. data/spec/arachni/data/framework/rpc_spec.rb +10 -9
  142. data/spec/arachni/data/framework_spec.rb +65 -46
  143. data/spec/arachni/data/issues_spec.rb +39 -77
  144. data/spec/arachni/data/plugins_spec.rb +11 -11
  145. data/spec/arachni/data/session_spec.rb +6 -6
  146. data/spec/arachni/data_spec.rb +8 -8
  147. data/spec/arachni/element/body_spec.rb +10 -10
  148. data/spec/arachni/element/capabilities/analyzable/differential_spec.rb +39 -21
  149. data/spec/arachni/element/capabilities/analyzable/{taint_spec.rb → signature_spec.rb} +63 -63
  150. data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +51 -51
  151. data/spec/arachni/element/capabilities/with_scope/scope_spec.rb +5 -5
  152. data/spec/arachni/element/cookie/dom_spec.rb +37 -18
  153. data/spec/arachni/element/cookie_spec.rb +206 -139
  154. data/spec/arachni/element/form/dom_spec.rb +36 -19
  155. data/spec/arachni/element/form_spec.rb +210 -187
  156. data/spec/arachni/element/generic_dom_spec.rb +14 -14
  157. data/spec/arachni/element/header_spec.rb +35 -17
  158. data/spec/arachni/element/json_spec.rb +53 -31
  159. data/spec/arachni/element/link/dom_spec.rb +46 -28
  160. data/spec/arachni/element/link_spec.rb +58 -40
  161. data/spec/arachni/element/link_template/dom_spec.rb +47 -29
  162. data/spec/arachni/element/link_template_spec.rb +79 -61
  163. data/spec/arachni/element/path_spec.rb +1 -1
  164. data/spec/arachni/element/server_spec.rb +33 -32
  165. data/spec/arachni/element/ui_form/ui_form_dom_spec.rb +164 -0
  166. data/spec/arachni/element/ui_form_spec.rb +242 -0
  167. data/spec/arachni/element/ui_input/dom_spec.rb +157 -0
  168. data/spec/arachni/element/ui_input_spec.rb +136 -0
  169. data/spec/arachni/element/xml_spec.rb +42 -24
  170. data/spec/arachni/element_filter_spec.rb +49 -48
  171. data/spec/arachni/error_spec.rb +3 -3
  172. data/spec/arachni/framework/parts/audit_spec.rb +64 -63
  173. data/spec/arachni/framework/parts/browser_spec.rb +16 -16
  174. data/spec/arachni/framework/parts/check_spec.rb +3 -3
  175. data/spec/arachni/framework/parts/data_spec.rb +48 -48
  176. data/spec/arachni/framework/parts/platform_spec.rb +3 -3
  177. data/spec/arachni/framework/parts/plugin_spec.rb +7 -6
  178. data/spec/arachni/framework/parts/report_spec.rb +7 -7
  179. data/spec/arachni/framework/parts/scope_spec.rb +16 -16
  180. data/spec/arachni/framework/parts/state_spec.rb +68 -69
  181. data/spec/arachni/framework_spec.rb +39 -31
  182. data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +32 -32
  183. data/spec/arachni/http/client_spec.rb +219 -208
  184. data/spec/arachni/http/cookie_jar_spec.rb +72 -72
  185. data/spec/arachni/http/headers_spec.rb +14 -14
  186. data/spec/arachni/http/proxy_server_spec.rb +43 -42
  187. data/spec/arachni/http/request_spec.rb +105 -103
  188. data/spec/arachni/http/response/scope_spec.rb +24 -24
  189. data/spec/arachni/http/response_spec.rb +50 -49
  190. data/spec/arachni/issue/severity_spec.rb +10 -9
  191. data/spec/arachni/issue_spec.rb +71 -369
  192. data/spec/arachni/option_groups/audit_spec.rb +114 -114
  193. data/spec/arachni/option_groups/browser_cluster_spec.rb +20 -3
  194. data/spec/arachni/option_groups/datastore_spec.rb +6 -6
  195. data/spec/arachni/option_groups/dispatcher_spec.rb +19 -19
  196. data/spec/arachni/option_groups/http_spec.rb +11 -11
  197. data/spec/arachni/option_groups/input_spec.rb +31 -27
  198. data/spec/arachni/option_groups/output_spec.rb +2 -2
  199. data/spec/arachni/option_groups/paths_spec.rb +17 -17
  200. data/spec/arachni/option_groups/rpc_spec.rb +2 -2
  201. data/spec/arachni/option_groups/scope_spec.rb +40 -40
  202. data/spec/arachni/option_groups/session_spec.rb +6 -5
  203. data/spec/arachni/option_groups/snapshot_spec.rb +4 -4
  204. data/spec/arachni/options_spec.rb +46 -45
  205. data/spec/arachni/page/dom/transition_spec.rb +74 -72
  206. data/spec/arachni/page/dom_spec.rb +35 -35
  207. data/spec/arachni/page/scope_spec.rb +15 -15
  208. data/spec/arachni/page_spec.rb +217 -217
  209. data/spec/arachni/parser_spec.rb +106 -104
  210. data/spec/arachni/platform/fingerprinter_spec.rb +17 -14
  211. data/spec/arachni/platform/list_spec.rb +33 -33
  212. data/spec/arachni/platform/manager_spec.rb +67 -64
  213. data/spec/arachni/plugin/base_spec.rb +10 -10
  214. data/spec/arachni/plugin/manager_spec.rb +38 -37
  215. data/spec/arachni/report_spec.rb +43 -40
  216. data/spec/arachni/reporter/base_spec.rb +15 -15
  217. data/spec/arachni/reporter/manager_spec.rb +4 -4
  218. data/spec/arachni/reporter/options_spec.rb +6 -6
  219. data/spec/arachni/rpc/client/base_spec.rb +6 -6
  220. data/spec/arachni/rpc/client/dispatcher_spec.rb +2 -2
  221. data/spec/arachni/rpc/client/instance_spec.rb +6 -6
  222. data/spec/arachni/rpc/server/active_options_spec.rb +11 -8
  223. data/spec/arachni/rpc/server/base_spec.rb +5 -5
  224. data/spec/arachni/rpc/server/checks/manager_spec.rb +8 -8
  225. data/spec/arachni/rpc/server/dispatcher/node_spec.rb +37 -37
  226. data/spec/arachni/rpc/server/dispatcher/service_spec.rb +15 -14
  227. data/spec/arachni/rpc/server/dispatcher_spec.rb +36 -35
  228. data/spec/arachni/rpc/server/framework/distributor_spec.rb +36 -36
  229. data/spec/arachni/rpc/server/framework_multi_spec.rb +340 -336
  230. data/spec/arachni/rpc/server/framework_spec.rb +90 -85
  231. data/spec/arachni/rpc/server/instance_spec.rb +126 -107
  232. data/spec/arachni/rpc/server/output_spec.rb +1 -1
  233. data/spec/arachni/rpc/server/plugin/manager_spec.rb +6 -6
  234. data/spec/arachni/ruby/array_spec.rb +42 -42
  235. data/spec/arachni/ruby/hash_spec.rb +20 -18
  236. data/spec/arachni/ruby/io_spec.rb +2 -2
  237. data/spec/arachni/ruby/object_spec.rb +1 -1
  238. data/spec/arachni/ruby/set_spec.rb +3 -3
  239. data/spec/arachni/ruby/string_spec.rb +30 -30
  240. data/spec/arachni/ruby/webrick_spec.rb +2 -2
  241. data/spec/arachni/scope_spec.rb +1 -1
  242. data/spec/arachni/session_spec.rb +67 -64
  243. data/spec/arachni/snapshot_spec.rb +15 -15
  244. data/spec/arachni/state/audit_spec.rb +11 -11
  245. data/spec/arachni/state/element_filter_spec.rb +6 -6
  246. data/spec/arachni/state/framework/rpc_spec.rb +12 -12
  247. data/spec/arachni/state/framework_spec.rb +125 -121
  248. data/spec/arachni/state/http_spec.rb +7 -7
  249. data/spec/arachni/state/options_spec.rb +7 -7
  250. data/spec/arachni/state/plugins_spec.rb +8 -8
  251. data/spec/arachni/state_spec.rb +10 -10
  252. data/spec/arachni/support/buffer/autoflush_spec.rb +16 -16
  253. data/spec/arachni/support/buffer/base_spec.rb +39 -39
  254. data/spec/arachni/support/cache/least_cost_replacement_spec.rb +18 -18
  255. data/spec/arachni/support/cache/least_recently_pushed_spec.rb +24 -24
  256. data/spec/arachni/support/cache/least_recently_used_spec.rb +20 -20
  257. data/spec/arachni/support/cache/preference_spec.rb +4 -4
  258. data/spec/arachni/support/cache/random_replacement_spec.rb +8 -8
  259. data/spec/arachni/support/crypto/rsa_aes_cbc_spec.rb +1 -1
  260. data/spec/arachni/support/database/hash_spec.rb +44 -43
  261. data/spec/arachni/support/database/queue_spec.rb +27 -27
  262. data/spec/arachni/support/lookup/hash_set_spec.rb +8 -8
  263. data/spec/arachni/support/lookup/moolb_spec.rb +3 -3
  264. data/spec/arachni/support/mixins/observable_spec.rb +6 -6
  265. data/spec/arachni/support/signature_spec.rb +19 -19
  266. data/spec/arachni/trainer_spec.rb +39 -39
  267. data/spec/arachni/typhoeus/hydra_spec.rb +2 -2
  268. data/spec/arachni/uri/scope_spec.rb +66 -66
  269. data/spec/arachni/uri_spec.rb +107 -105
  270. data/spec/arachni/utilities_spec.rb +40 -40
  271. data/spec/components/checks/active/csrf_spec.rb +8 -8
  272. data/spec/components/checks/active/no_sql_injection_spec.rb +1 -1
  273. data/spec/components/checks/active/sql_injection_spec.rb +16 -16
  274. data/spec/components/checks/active/trainer_spec.rb +4 -4
  275. data/spec/components/checks/active/unvalidated_redirect_dom_spec.rb +4 -2
  276. data/spec/components/checks/active/xpath_injection_spec.rb +1 -1
  277. data/spec/components/checks/active/xss_dom_script_context_spec.rb +51 -21
  278. data/spec/components/checks/active/xss_dom_spec.rb +46 -24
  279. data/spec/components/checks/passive/allowed_methods_spec.rb +1 -1
  280. data/spec/components/checks/passive/grep/cookie_set_for_parent_domain_spec.rb +1 -1
  281. data/spec/components/checks/passive/grep/hsts_spec.rb +2 -2
  282. data/spec/components/checks/passive/grep/http_only_cookies_spec.rb +1 -1
  283. data/spec/components/checks/passive/grep/insecure_cookies_spec.rb +1 -1
  284. data/spec/components/checks/passive/grep/insecure_cors_policy_spec.rb +2 -2
  285. data/spec/components/checks/passive/grep/password_autocomplete_spec.rb +1 -1
  286. data/spec/components/checks/passive/grep/private_ip_spec.rb +3 -3
  287. data/spec/components/checks/passive/grep/unencrypted_password_forms_spec.rb +1 -1
  288. data/spec/components/checks/passive/grep/x_frame_options_spec.rb +2 -2
  289. data/spec/components/checks/passive/interesting_responses_spec.rb +2 -2
  290. data/spec/components/checks/passive/webdav_spec.rb +1 -1
  291. data/spec/components/checks/passive/xst_spec.rb +1 -1
  292. data/spec/components/fingerprinters/servers/apache_spec.rb +2 -2
  293. data/spec/components/path_extractors/comments_spec.rb +5 -1
  294. data/spec/components/path_extractors/scripts_spec.rb +5 -2
  295. data/spec/components/plugins/autologin_spec.rb +22 -22
  296. data/spec/components/plugins/autothrottle_spec.rb +6 -5
  297. data/spec/components/plugins/content_types_spec.rb +4 -4
  298. data/spec/components/plugins/cookie_collector_spec.rb +5 -5
  299. data/spec/components/plugins/exec_spec.rb +12 -12
  300. data/spec/components/plugins/form_dicattack_spec.rb +3 -3
  301. data/spec/components/plugins/headers_collector_spec.rb +8 -8
  302. data/spec/components/plugins/healthmap_spec.rb +3 -3
  303. data/spec/components/plugins/http_dicattack_spec.rb +3 -3
  304. data/spec/components/plugins/login_script_spec.rb +79 -22
  305. data/spec/components/plugins/meta/remedies/discovery_spec.rb +3 -2
  306. data/spec/components/plugins/meta/remedies/timing_attacks_spec.rb +3 -3
  307. data/spec/components/plugins/meta/uniformity_spec.rb +2 -2
  308. data/spec/components/plugins/restrict_to_dom_state_spec.rb +1 -1
  309. data/spec/components/plugins/script_spec.rb +1 -1
  310. data/spec/components/plugins/uncommon_headers_spec.rb +2 -2
  311. data/spec/components/plugins/vector_collector_spec.rb +2 -2
  312. data/spec/components/plugins/vector_feed_spec.rb +40 -40
  313. data/spec/components/plugins/waf_detector_spec.rb +6 -6
  314. data/spec/components/reporters/json_spec.rb +4 -4
  315. data/spec/components/reporters/marshal_spec.rb +2 -2
  316. data/spec/components/reporters/yaml_spec.rb +3 -2
  317. data/spec/external/wavsep/active/sqli_spec.rb +1 -3
  318. data/spec/spec_helper.rb +4 -0
  319. data/spec/support/factories/element/ui_form.rb +14 -0
  320. data/spec/support/factories/element/ui_input.rb +13 -0
  321. data/spec/support/factories/issue.rb +0 -13
  322. data/spec/support/fixtures/report.afr +0 -0
  323. data/spec/support/fixtures/{taint_check/taint.rb → signature_check/signature.rb} +2 -2
  324. data/spec/support/helpers/browser_cluster/jobs/taint_tracer.rb +11 -11
  325. data/spec/support/helpers/framework.rb +1 -1
  326. data/spec/support/helpers/pages.rb +2 -2
  327. data/spec/support/servers/arachni/browser.rb +139 -0
  328. data/spec/support/servers/arachni/browser/javascript/taint_tracer.rb +40 -0
  329. data/spec/support/servers/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +0 -0
  330. data/spec/support/servers/arachni/element/input/input_dom.rb +102 -0
  331. data/spec/support/servers/arachni/element/ui_form/ui_form_dom.rb +238 -0
  332. data/spec/support/servers/checks/active/trainer_check.rb +7 -7
  333. data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +22 -6
  334. data/spec/support/servers/checks/active/xss_dom.rb +50 -0
  335. data/spec/support/servers/checks/active/xss_dom_script_context.rb +53 -0
  336. data/spec/support/shared/browser/javascript/taint_tracer/sink/base.rb +6 -6
  337. data/spec/support/shared/check.rb +10 -12
  338. data/spec/support/shared/component/options/base.rb +24 -24
  339. data/spec/support/shared/element/base.rb +25 -25
  340. data/spec/support/shared/element/capabilities/auditable.rb +116 -140
  341. data/spec/support/shared/element/capabilities/dom_only.rb +65 -0
  342. data/spec/support/shared/element/capabilities/inputtable.rb +71 -86
  343. data/spec/support/shared/element/capabilities/mutable.rb +122 -111
  344. data/spec/support/shared/element/capabilities/refreshable.rb +10 -10
  345. data/spec/support/shared/element/capabilities/{submitable.rb → submittable.rb} +26 -26
  346. data/spec/support/shared/element/capabilities/with_auditor.rb +10 -10
  347. data/spec/support/shared/element/capabilities/with_dom.rb +8 -8
  348. data/spec/support/shared/element/capabilities/with_node.rb +4 -6
  349. data/spec/support/shared/element/capabilities/with_scope.rb +2 -2
  350. data/spec/support/shared/element/capabilities/with_source.rb +6 -8
  351. data/spec/support/shared/element/dom.rb +144 -0
  352. data/spec/support/shared/element/dom/auditable.rb +42 -0
  353. data/spec/support/shared/element/dom/inputtable.rb +5 -0
  354. data/spec/support/shared/element/dom/mutable.rb +3 -0
  355. data/spec/support/shared/element/dom/submittable.rb +119 -0
  356. data/spec/support/shared/external/wavsep.rb +3 -3
  357. data/spec/support/shared/fingerprinter.rb +2 -2
  358. data/spec/support/shared/framework.rb +1 -1
  359. data/spec/support/shared/http/message.rb +9 -9
  360. data/spec/support/shared/option_group.rb +17 -17
  361. data/spec/support/shared/path_extractor.rb +1 -1
  362. data/spec/support/shared/plugin.rb +2 -2
  363. data/spec/support/shared/support/cache.rb +57 -57
  364. data/spec/support/shared/support/lookup.rb +25 -25
  365. data/ui/cli/framework.rb +22 -11
  366. data/ui/cli/framework/option_parser.rb +15 -0
  367. data/ui/cli/option_parser.rb +8 -1
  368. data/ui/cli/output.rb +2 -1
  369. metadata +54 -20
  370. data/components/checks/active/xss_dom_inputs.rb +0 -236
  371. data/spec/components/checks/active/xss_dom_inputs_spec.rb +0 -30
  372. data/spec/support/servers/checks/active/xss_dom_inputs.rb +0 -59
  373. data/spec/support/shared/element/capabilities/auditable/dom.rb +0 -322
@@ -5,7 +5,7 @@ describe name_from_filename do
5
5
 
6
6
  def self.elements
7
7
  [ Element::Form::DOM, Element::Link::DOM, Element::Cookie::DOM,
8
- Element::LinkTemplate::DOM ]
8
+ Element::LinkTemplate::DOM, Element::UIInput::DOM, Element::UIForm::DOM ]
9
9
  end
10
10
 
11
11
  def issue_count_per_element
@@ -13,7 +13,9 @@ describe name_from_filename do
13
13
  Element::Form::DOM => 2,
14
14
  Element::Link::DOM => 2,
15
15
  Element::Cookie::DOM => 2,
16
- Element::LinkTemplate::DOM => 2
16
+ Element::LinkTemplate::DOM => 2,
17
+ Element::UIInput::DOM => 2,
18
+ Element::UIForm::DOM => 2
17
19
  }
18
20
  end
19
21
 
@@ -25,41 +27,61 @@ describe name_from_filename do
25
27
  case issue.vector
26
28
 
27
29
  when Element::Form::DOM
28
- transition.element.tag_name.should == :form
29
- transition.event.should == :submit
30
+ expect(transition.element.tag_name).to eq :form
31
+ expect(transition.event).to eq :submit
30
32
 
31
- data_flow_sinks.should be_empty
33
+ expect(data_flow_sinks).to be_empty
32
34
 
33
35
  when Element::LinkTemplate::DOM
34
- transition.element.should == :page
35
- transition.event.should == :load
36
+ expect(transition.element).to eq :page
37
+ expect(transition.event).to eq :load
36
38
 
37
- data_flow_sinks.size.should == 1
39
+ expect(data_flow_sinks.size).to eq 1
38
40
  data_flow_sink = data_flow_sinks.first
39
41
 
40
- data_flow_sink.function.source.should start_with 'function decodeURI()'
41
- data_flow_sink.function.name.should == 'decodeURI'
42
- data_flow_sink.object.should == 'DOMWindow'
43
- data_flow_sink.tainted_value.should include Arachni::URI(issue.vector.seed).to_s
44
- data_flow_sink.function.arguments.should == [data_flow_sink.tainted_value]
42
+ expect(data_flow_sink.function.source).to start_with 'function decodeURI()'
43
+ expect(data_flow_sink.function.name).to eq 'decodeURI'
44
+ expect(data_flow_sink.object).to eq 'DOMWindow'
45
+ expect(data_flow_sink.tainted_value).to include Arachni::URI(issue.vector.seed).to_s
46
+ expect(data_flow_sink.function.arguments).to eq [data_flow_sink.tainted_value]
45
47
 
46
48
  when Element::Link::DOM
47
- transition.element.should == :page
48
- transition.event.should == :load
49
+ expect(transition.element).to eq :page
50
+ expect(transition.event).to eq :load
49
51
 
50
- data_flow_sinks.size.should == 1
52
+ expect(data_flow_sinks.size).to eq 1
51
53
  data_flow_sink = data_flow_sinks.first
52
54
 
53
- data_flow_sink.function.source.should start_with 'function decodeURIComponent()'
54
- data_flow_sink.function.name.should == 'decodeURIComponent'
55
- data_flow_sink.object.should == 'DOMWindow'
56
- data_flow_sink.tainted_value.should include Arachni::URI(issue.vector.seed).to_s
57
- data_flow_sink.function.arguments.should == [data_flow_sink.tainted_value]
55
+ expect(data_flow_sink.function.source).to start_with 'function decodeURIComponent()'
56
+ expect(data_flow_sink.function.name).to eq 'decodeURIComponent'
57
+ expect(data_flow_sink.object).to eq 'DOMWindow'
58
+ expect(data_flow_sink.tainted_value).to include Arachni::URI(issue.vector.seed).to_s
59
+ expect(data_flow_sink.function.arguments).to eq [data_flow_sink.tainted_value]
58
60
 
59
61
  when Element::Cookie::DOM
60
- transition.element.should == :page
61
- transition.event.should == :load
62
- transition.options[:cookies].should == issue.vector.inputs
62
+ expect(transition.element).to eq :page
63
+ expect(transition.event).to eq :load
64
+ expect(transition.options[:cookies]).to eq issue.vector.inputs
65
+
66
+ when Element::UIInput::DOM
67
+ expect(transition.element.tag_name).to eq :input
68
+ expect(transition.event).to eq :input
69
+
70
+ expect(data_flow_sinks).to be_empty
71
+
72
+ when Element::UIForm::DOM
73
+ transitions = [
74
+ issue.page.dom.transitions.pop,
75
+ issue.page.dom.transitions.pop
76
+ ].reverse
77
+
78
+ expect(transitions[0].element.tag_name).to eq :input
79
+ expect(transitions[0].event).to eq :input
80
+
81
+ expect(transitions[1].element.tag_name).to eq :button
82
+ expect(transitions[1].event).to eq :click
83
+
84
+ expect(data_flow_sinks).to be_empty
63
85
  end
64
86
 
65
87
  end
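Review bot: The `Element::UIForm::DOM` branch builds `transitions` by calling `issue.page.dom.transitions.pop` twice, which deletes the last two transitions from the issue's page DOM as a side effect of an assertion, so any later check on the same issue (or a second pass through this block) sees a shortened list. `transitions = issue.page.dom.transitions.last(2)` yields the same two entries in the same order without mutating the page. This also differs from the `Element::UIInput::DOM` case just above, which reads the pre-computed `transition`; `transition`, `data_flow_sinks` and the enclosing method are defined before the hunk, so it is not visible here whether `transition` is derived from the same last entry that the first `pop` removes.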
@@ -11,5 +11,5 @@ describe name_from_filename do
11
11
  1
12
12
  end
13
13
 
14
- easy_test { issues.first.proof.should == 'OPTIONS, TRACE, GET, HEAD' }
14
+ easy_test { expect(issues.first.proof).to eq 'OPTIONS, TRACE, GET, HEAD' }
15
15
  end
@@ -11,5 +11,5 @@ describe name_from_filename do
11
11
  2
12
12
  end
13
13
 
14
- easy_test { issues.map { |i| i.vector.name }.sort.should == %w(cookie cookie2).sort }
14
+ easy_test { expect(issues.map { |i| i.vector.name }.sort).to eq %w(cookie cookie2).sort }
15
15
  end
@@ -14,12 +14,12 @@ describe name_from_filename do
14
14
  it 'logs hosts missing the header' do
15
15
  options.url = "#{url}/vulnerable"
16
16
  run
17
- issues.should be_any
17
+ expect(issues).to be_any
18
18
  end
19
19
 
20
20
  it 'logs hosts missing the header' do
21
21
  options.url = "#{url}/safe"
22
22
  run
23
- issues.should be_empty
23
+ expect(issues).to be_empty
24
24
  end
25
25
  end
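Review bot: The second example at the unchanged line `it 'logs hosts missing the header' do` carries the same description as the first one although it scans `/safe` and expects `issues` to be empty, so a failure report cannot tell the two apart. Renaming it to `it 'does not log hosts with the header' do`, as the sibling spec later in this diff already does, fixes that. The description is on a context line, so the commit does not touch it.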
@@ -11,5 +11,5 @@ describe name_from_filename do
11
11
  2
12
12
  end
13
13
 
14
- easy_test { issues.map { |i| i.vector.name }.sort.should == %w(cookie cookie2).sort }
14
+ easy_test { expect(issues.map { |i| i.vector.name }.sort).to eq %w(cookie cookie2).sort }
15
15
  end
@@ -11,5 +11,5 @@ describe name_from_filename do
11
11
  2
12
12
  end
13
13
 
14
- easy_test { issues.map { |i| i.vector.name }.sort.should == %w(cookie cookie2).sort }
14
+ easy_test { expect(issues.map { |i| i.vector.name }.sort).to eq %w(cookie cookie2).sort }
15
15
  end
@@ -14,12 +14,12 @@ describe name_from_filename do
14
14
  it 'logs hosts with a wildcard Access-Control-Allow-Origin' do
15
15
  options.url = "#{url}/vulnerable"
16
16
  run
17
- issues.should be_any
17
+ expect(issues).to be_any
18
18
  end
19
19
 
20
20
  it 'does not log hosts without a wildcard Access-Control-Allow-Origin' do
21
21
  options.url = "#{url}/safe"
22
22
  run
23
- issues.should be_empty
23
+ expect(issues).to be_empty
24
24
  end
25
25
  end
@@ -11,5 +11,5 @@ describe name_from_filename do
11
11
  2
12
12
  end
13
13
 
14
- easy_test { issues.map { |i| i.vector.name_or_id }.sort.should == %w(insecure insecure_2).sort }
14
+ easy_test { expect(issues.map { |i| i.vector.name_or_id }.sort).to eq %w(insecure insecure_2).sort }
15
15
  end
@@ -13,10 +13,10 @@ describe name_from_filename do
13
13
 
14
14
  easy_test( false ) do
15
15
  header_issue = issues.select { |i| i.vector.class == Element::Header }.first
16
- header_issue.vector.name.should == 'Disclosure'
17
- header_issue.proof.should == '192.168.1.121'
16
+ expect(header_issue.vector.name).to eq 'Disclosure'
17
+ expect(header_issue.proof).to eq '192.168.1.121'
18
18
 
19
19
  body_issue = issues.select { |i| i.vector.class == Element::Body }.first
20
- body_issue.proof.should == '192.168.1.12'
20
+ expect(body_issue.proof).to eq '192.168.1.12'
21
21
  end
22
22
  end
@@ -11,5 +11,5 @@ describe name_from_filename do
11
11
  2
12
12
  end
13
13
 
14
- easy_test { issues.map { |i| i.vector.affected_input_name }.sort.should == %w(insecure insecure_2).sort }
14
+ easy_test { expect(issues.map { |i| i.vector.affected_input_name }.sort).to eq %w(insecure insecure_2).sort }
15
15
  end
@@ -14,12 +14,12 @@ describe name_from_filename do
14
14
  it 'logs hosts missing the header' do
15
15
  options.url = "#{url}/vulnerable"
16
16
  run
17
- issues.should be_any
17
+ expect(issues).to be_any
18
18
  end
19
19
 
20
20
  it 'does not log hosts with the header' do
21
21
  options.url = "#{url}/safe"
22
22
  run
23
- issues.should be_empty
23
+ expect(issues).to be_empty
24
24
  end
25
25
  end
@@ -18,7 +18,7 @@ describe name_from_filename do
18
18
  http.run
19
19
 
20
20
  max_issues = current_check.max_issues
21
- issues.size.should == max_issues
21
+ expect(issues.size).to eq(max_issues)
22
22
  end
23
23
 
24
24
  it 'skips HTTP responses which are out of scope' do
@@ -31,6 +31,6 @@ describe name_from_filename do
31
31
  end
32
32
  http.run
33
33
 
34
- issues.should be_empty
34
+ expect(issues).to be_empty
35
35
  end
36
36
  end
@@ -11,5 +11,5 @@ describe name_from_filename do
11
11
  1
12
12
  end
13
13
 
14
- easy_test { issues.first.vector.url.should == url }
14
+ easy_test { expect(issues.first.vector.url).to eq url }
15
15
  end
@@ -11,5 +11,5 @@ describe name_from_filename do
11
11
  1
12
12
  end
13
13
 
14
- easy_test { issues.first.vector.url.should == url }
14
+ easy_test { expect(issues.first.vector.url).to eq url }
15
15
  end
@@ -27,10 +27,10 @@ describe Arachni::Platform::Fingerprinters::Apache do
27
27
 
28
28
  context 'when there is an Server header that includes Coyote' do
29
29
  it 'does not identify it as Apache' do
30
- platforms_for( Arachni::Page.from_data(
30
+ expect(platforms_for( Arachni::Page.from_data(
31
31
  url: 'http://stuff.com/blah',
32
32
  response: { headers: { 'Server' => 'Apache-Coyote/1.1' } }
33
- )).to_a.should be_empty
33
+ )).to_a).to be_empty
34
34
  end
35
35
  end
36
36
 
@@ -6,13 +6,17 @@ describe name_from_filename do
6
6
  def results
7
7
  [
8
8
  '/stuff/here.php',
9
- '/stuff/here'
9
+ '/stuff/here',
10
+ '/other/stuff/here.php'
10
11
  ]
11
12
  end
12
13
 
13
14
  def text
14
15
  <<-HTML
15
16
  <!-- Blah blah: /stuff/here.php -->
17
+ <!--
18
+ /other/stuff/here.php
19
+ -->
16
20
  <!-- <style type="text/css"> stuff: here; </style> -->
17
21
  Blah blah...
18
22
  <!--Pre blah /stuff/here post blah -->
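Review bot: The new fixture lines (the multi-line `<!-- ... -->` comment here, and the `/*Blah.1*/`, `//Blah.2` and `var ignore = "test/stuff2"` lines in the scripts-extractor hunk that follows) carry no explanation of which extractor behaviour they pin, so a reader cannot tell a deliberate negative case from leftover noise. Presumably the multi-line comment checks that paths spanning comment lines are still found, and the JavaScript comment and extension-less relative string check that they are not extracted, but that is inferred from `results`, not stated. A one-line comment above each `def text`, e.g. `# Paths inside multi-line HTML comments must still be extracted.` and `# JS comments and extension-less relative strings must not yield paths.`, would document the contract. Both `def text` heredocs continue past their hunks.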
@@ -8,14 +8,17 @@ describe name_from_filename do
8
8
  'http://test.com',
9
9
  'test',
10
10
  'test.com',
11
- 'test/stuff2.php'
11
+ '/test/stuff2.php'
12
12
  ]
13
13
  end
14
14
 
15
15
  def text
16
16
  s = <<SCRIPT
17
17
  <script>
18
- var path = "test/stuff2.php"
18
+ /*Blah.1*/
19
+ //Blah.2
20
+ var path = "/test/stuff2.php"
21
+ var ignore = "test/stuff2"
19
22
  </script>
20
23
  SCRIPT
21
24
 
@@ -22,11 +22,11 @@ describe name_from_filename do
22
22
 
23
23
  run
24
24
 
25
- actual_results['status'].should == 'ok'
26
- actual_results['message'].should == plugin::STATUSES[:ok]
27
- actual_results['cookies']['success'].should == 'true'
25
+ expect(actual_results['status']).to eq('ok')
26
+ expect(actual_results['message']).to eq(plugin::STATUSES[:ok])
27
+ expect(actual_results['cookies']['success']).to eq('true')
28
28
 
29
- framework.sitemap.include?( url + 'congrats' ).should be_true
29
+ expect(framework.sitemap.include?( url + 'congrats' )).to be_truthy
30
30
  end
31
31
 
32
32
  it 'provides a login sequence and login check to the framework' do
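Review bot: The sitemap assertion wraps `include?` in `be_truthy`, so on failure RSpec reports only "expected truthy, got false" instead of showing the sitemap contents; the collection matcher is clearer and diagnoses better: `expect(framework.sitemap).to include(url + 'congrats')`. The `it` block this hunk belongs to starts before the hunk.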
@@ -39,17 +39,17 @@ describe name_from_filename do
39
39
  # The framework will call #clean_up which nil out the session...
40
40
  session = framework.session
41
41
  # ...in addition to removing its configuration.
42
- session.stub(:clean_up)
42
+ allow(session).to receive(:clean_up)
43
43
 
44
44
  run
45
45
 
46
- session.logged_in?.should be_true
46
+ expect(session.logged_in?).to be_truthy
47
47
 
48
48
  http.cookie_jar.clear
49
49
 
50
- session.logged_in?.should be_false
51
- session.login.should be_true
52
- session.logged_in?.should be_true
50
+ expect(session.logged_in?).to be_falsey
51
+ expect(session.login).to be_truthy
52
+ expect(session.logged_in?).to be_truthy
53
53
  end
54
54
  end
55
55
 
@@ -65,14 +65,14 @@ describe name_from_filename do
65
65
  it 'complains about not being able to find the form' do
66
66
  run
67
67
 
68
- actual_results['status'].should == 'form_not_found'
69
- actual_results['message'].should == plugin::STATUSES[:form_not_found]
68
+ expect(actual_results['status']).to eq('form_not_found')
69
+ expect(actual_results['message']).to eq(plugin::STATUSES[:form_not_found])
70
70
  end
71
71
 
72
72
  it 'aborts the scan' do
73
73
  run
74
74
 
75
- framework.status.should == :aborted
75
+ expect(framework.status).to eq(:aborted)
76
76
  end
77
77
  end
78
78
 
@@ -88,14 +88,14 @@ describe name_from_filename do
88
88
  it 'complains about not the form being invisible' do
89
89
  run
90
90
 
91
- actual_results['status'].should == 'form_not_visible'
92
- actual_results['message'].should == plugin::STATUSES[:form_not_visible]
91
+ expect(actual_results['status']).to eq('form_not_visible')
92
+ expect(actual_results['message']).to eq(plugin::STATUSES[:form_not_visible])
93
93
  end
94
94
 
95
95
  it 'aborts the scan' do
96
96
  run
97
97
 
98
- framework.status.should == :aborted
98
+ expect(framework.status).to eq(:aborted)
99
99
  end
100
100
  end
101
101
 
@@ -111,14 +111,14 @@ describe name_from_filename do
111
111
  it 'complains about not being able to verify the login' do
112
112
  run
113
113
 
114
- actual_results['status'].should == 'check_failed'
115
- actual_results['message'].should == plugin::STATUSES[:check_failed]
114
+ expect(actual_results['status']).to eq('check_failed')
115
+ expect(actual_results['message']).to eq(plugin::STATUSES[:check_failed])
116
116
  end
117
117
 
118
118
  it 'aborts the scan' do
119
119
  run
120
120
 
121
- framework.status.should == :aborted
121
+ expect(framework.status).to eq(:aborted)
122
122
  end
123
123
  end
124
124
 
@@ -135,7 +135,7 @@ describe name_from_filename do
135
135
  it 'sets it to the login response URL' do
136
136
  framework.options.session.check_url = nil
137
137
  run
138
- framework.options.session.check_url.should == url
138
+ expect(framework.options.session.check_url).to eq(url)
139
139
  end
140
140
  end
141
141
 
@@ -144,7 +144,7 @@ describe name_from_filename do
144
144
  option_url = url + '/stuff'
145
145
  framework.options.session.check_url = option_url
146
146
  run
147
- framework.options.session.check_url.should == option_url
147
+ expect(framework.options.session.check_url).to eq(option_url)
148
148
  end
149
149
  end
150
150
  end
@@ -162,7 +162,7 @@ describe name_from_filename do
162
162
  it 'sets it to the plugin pattern' do
163
163
  framework.options.session.check_pattern = nil
164
164
  run
165
- framework.options.session.check_pattern.should == /Hi there logged-in user/
165
+ expect(framework.options.session.check_pattern).to eq(/Hi there logged-in user/)
166
166
  end
167
167
  end
168
168
 
@@ -170,7 +170,7 @@ describe name_from_filename do
170
170
  it 'does not change it' do
171
171
  framework.options.session.check_pattern = /stuff/
172
172
  run
173
- framework.options.session.check_pattern.should == /stuff/
173
+ expect(framework.options.session.check_pattern).to eq(/stuff/)
174
174
  end
175
175
  end
176
176
  end
@@ -24,7 +24,7 @@ describe name_from_filename do
24
24
  http.max_concurrency.times { http.get( url ) }
25
25
  http.run
26
26
 
27
- http.max_concurrency.should == pre
27
+ expect(http.max_concurrency).to eq(pre)
28
28
  end
29
29
  end
30
30
  context 'above threshold' do
@@ -34,21 +34,22 @@ describe name_from_filename do
34
34
  http.max_concurrency.times { http.get( url + 'slow' ) }
35
35
  http.run
36
36
 
37
- http.max_concurrency.should < pre
37
+ expect(http.max_concurrency).to be < pre
38
38
  end
39
+
39
40
  context 'and then fall bellow threshold' do
40
41
  it 'increases the max concurrency (without exceeding http_request_concurrency)' do
41
42
  http.max_concurrency.times { http.get( url + 'slow' ) }
42
43
  http.run
43
- http.max_concurrency.should < options.http.request_concurrency
44
+ expect(http.max_concurrency).to be < options.http.request_concurrency
44
45
 
45
46
  pre = http.max_concurrency
46
47
 
47
48
  (10 * http.max_concurrency).times { http.get( url ) }
48
49
  http.run
49
50
 
50
- http.max_concurrency.should > pre
51
- http.max_concurrency.should <= options.http.request_concurrency
51
+ expect(http.max_concurrency).to be > pre
52
+ expect(http.max_concurrency).to be <= options.http.request_concurrency
52
53
  end
53
54
  end
54
55
  end