arachni 1.2.1 → 1.3

Files changed (373)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +66 -0
  3. data/Gemfile +1 -1
  4. data/README.md +16 -5
  5. data/components/checks/active/ldap_injection/errors.txt +1 -0
  6. data/components/checks/active/source_code_disclosure.rb +1 -1
  7. data/components/checks/active/unvalidated_redirect.rb +6 -6
  8. data/components/checks/active/unvalidated_redirect_dom.rb +10 -7
  9. data/components/checks/passive/grep/captcha.rb +14 -5
  10. data/components/checks/passive/grep/form_upload.rb +7 -3
  11. data/components/checks/passive/grep/hsts.rb +3 -3
  12. data/components/checks/passive/grep/html_objects.rb +2 -3
  13. data/components/checks/passive/grep/http_only_cookies.rb +2 -3
  14. data/components/checks/passive/grep/insecure_cookies.rb +1 -1
  15. data/components/checks/passive/grep/password_autocomplete.rb +2 -2
  16. data/components/checks/passive/grep/unencrypted_password_forms.rb +7 -7
  17. data/components/checks/passive/grep/x_frame_options.rb +2 -2
  18. data/components/checks/passive/http_put.rb +2 -3
  19. data/components/path_extractors/comments.rb +3 -3
  20. data/components/path_extractors/scripts.rb +10 -1
  21. data/components/plugins/defaults/autothrottle.rb +27 -18
  22. data/components/plugins/defaults/meta/remedies/discovery.rb +30 -33
  23. data/components/plugins/defaults/meta/remedies/timing_attacks.rb +7 -11
  24. data/components/plugins/login_script.rb +9 -3
  25. data/components/plugins/proxy.rb +4 -3
  26. data/components/reporters/html.rb +11 -14
  27. data/components/reporters/html/default/issue.erb +13 -38
  28. data/components/reporters/html/default/issue/info.erb +1 -1
  29. data/components/reporters/html/default/summary/issues/by_name.erb +3 -3
  30. data/components/reporters/stdout.rb +62 -71
  31. data/components/reporters/xml.rb +26 -40
  32. data/components/reporters/xml/schema.xsd +43 -89
  33. data/lib/arachni/browser.rb +52 -3
  34. data/lib/arachni/browser/javascript.rb +3 -3
  35. data/lib/arachni/browser/javascript/scripts/taint_tracer.js +46 -25
  36. data/lib/arachni/browser_cluster.rb +61 -0
  37. data/lib/arachni/browser_cluster/job.rb +21 -1
  38. data/lib/arachni/browser_cluster/jobs/browser_provider.rb +3 -1
  39. data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +2 -1
  40. data/lib/arachni/browser_cluster/jobs/resource_exploration/event_trigger.rb +2 -1
  41. data/lib/arachni/browser_cluster/jobs/taint_trace.rb +3 -2
  42. data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +1 -1
  43. data/lib/arachni/browser_cluster/worker.rb +5 -0
  44. data/lib/arachni/check/auditor.rb +22 -12
  45. data/lib/arachni/data/framework.rb +13 -1
  46. data/lib/arachni/data/issues.rb +9 -25
  47. data/lib/arachni/element/base.rb +9 -3
  48. data/lib/arachni/element/capabilities/analyzable.rb +2 -6
  49. data/lib/arachni/element/capabilities/analyzable/differential.rb +24 -7
  50. data/lib/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +23 -23
  51. data/lib/arachni/element/capabilities/auditable.rb +0 -6
  52. data/lib/arachni/element/capabilities/dom_only.rb +61 -0
  53. data/lib/arachni/element/capabilities/with_dom.rb +3 -1
  54. data/lib/arachni/element/cookie.rb +35 -5
  55. data/lib/arachni/element/cookie/dom.rb +13 -4
  56. data/lib/arachni/element/{capabilities/auditable/dom.rb → dom.rb} +20 -68
  57. data/lib/arachni/element/dom/capabilities/auditable.rb +29 -0
  58. data/lib/arachni/element/dom/capabilities/inputtable.rb +27 -0
  59. data/lib/arachni/element/dom/capabilities/mutable.rb +21 -0
  60. data/lib/arachni/element/dom/capabilities/submittable.rb +52 -0
  61. data/lib/arachni/element/form.rb +12 -1
  62. data/lib/arachni/element/form/capabilities/mutable.rb +2 -1
  63. data/lib/arachni/element/form/capabilities/with_dom.rb +0 -1
  64. data/lib/arachni/element/form/dom.rb +9 -3
  65. data/lib/arachni/element/header.rb +14 -33
  66. data/lib/arachni/element/header/capabilities/inputtable.rb +29 -0
  67. data/lib/arachni/element/header/capabilities/mutable.rb +51 -0
  68. data/lib/arachni/element/input/dom.rb +71 -0
  69. data/lib/arachni/element/json.rb +2 -0
  70. data/lib/arachni/element/link.rb +3 -0
  71. data/lib/arachni/element/link/capabilities/with_dom.rb +0 -1
  72. data/lib/arachni/element/link/dom.rb +16 -3
  73. data/lib/arachni/element/link/dom/capabilities/submittable.rb +29 -0
  74. data/lib/arachni/element/link_template.rb +3 -5
  75. data/lib/arachni/element/link_template/capabilities/inputtable.rb +5 -0
  76. data/lib/arachni/element/link_template/capabilities/with_dom.rb +0 -1
  77. data/lib/arachni/element/link_template/dom.rb +16 -3
  78. data/lib/arachni/element/link_template/dom/capabilities/submittable.rb +29 -0
  79. data/lib/arachni/element/server.rb +3 -5
  80. data/lib/arachni/element/ui_form.rb +106 -0
  81. data/lib/arachni/element/ui_form/dom.rb +107 -0
  82. data/lib/arachni/element/ui_input.rb +62 -0
  83. data/lib/arachni/element/xml.rb +2 -1
  84. data/lib/arachni/framework.rb +7 -5
  85. data/lib/arachni/framework/parts/audit.rb +0 -1
  86. data/lib/arachni/framework/parts/check.rb +1 -0
  87. data/lib/arachni/framework/parts/data.rb +4 -0
  88. data/lib/arachni/framework/parts/state.rb +0 -2
  89. data/lib/arachni/http/client.rb +17 -6
  90. data/lib/arachni/http/proxy_server.rb +52 -5
  91. data/lib/arachni/http/request.rb +1 -1
  92. data/lib/arachni/issue.rb +34 -179
  93. data/lib/arachni/issue/severity.rb +2 -0
  94. data/lib/arachni/option_groups/audit.rb +22 -2
  95. data/lib/arachni/option_groups/browser_cluster.rb +15 -0
  96. data/lib/arachni/page.rb +3 -2
  97. data/lib/arachni/parser.rb +24 -5
  98. data/lib/arachni/platform/manager.rb +1 -2
  99. data/lib/arachni/rpc/server/framework.rb +3 -4
  100. data/lib/arachni/rpc/server/framework/multi_instance.rb +2 -1
  101. data/lib/arachni/session.rb +1 -1
  102. data/lib/arachni/trainer.rb +4 -7
  103. data/lib/arachni/watir/element.rb +12 -1
  104. data/lib/version +1 -1
  105. data/spec/arachni/browser/element_locator_spec.rb +43 -43
  106. data/spec/arachni/browser/javascript/dom_monitor_spec.rb +44 -44
  107. data/spec/arachni/browser/javascript/proxy/stub_spec.rb +17 -14
  108. data/spec/arachni/browser/javascript/proxy_spec.rb +24 -24
  109. data/spec/arachni/browser/javascript/taint_tracer/frame/called_function_spec.rb +11 -11
  110. data/spec/arachni/browser/javascript/taint_tracer/frame_spec.rb +7 -7
  111. data/spec/arachni/browser/javascript/taint_tracer/sink/data_flow_spec.rb +13 -13
  112. data/spec/arachni/browser/javascript/taint_tracer/sink/execution_flow_spec.rb +7 -7
  113. data/spec/arachni/browser/javascript/taint_tracer_spec.rb +568 -558
  114. data/spec/arachni/browser/javascript_spec.rb +73 -63
  115. data/spec/arachni/browser_cluster/job/result_spec.rb +3 -3
  116. data/spec/arachni/browser_cluster/job_spec.rb +68 -48
  117. data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger/result_spec.rb +2 -2
  118. data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger_spec.rb +5 -4
  119. data/spec/arachni/browser_cluster/jobs/resource_exploration/result_spec.rb +2 -2
  120. data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +5 -5
  121. data/spec/arachni/browser_cluster/worker_spec.rb +87 -70
  122. data/spec/arachni/browser_cluster_spec.rb +64 -39
  123. data/spec/arachni/browser_spec.rb +692 -527
  124. data/spec/arachni/check/auditor_spec.rb +177 -147
  125. data/spec/arachni/check/base_spec.rb +33 -33
  126. data/spec/arachni/check/manager_spec.rb +15 -15
  127. data/spec/arachni/component/base_spec.rb +8 -8
  128. data/spec/arachni/component/manager_spec.rb +100 -99
  129. data/spec/arachni/component/options/address_spec.rb +3 -3
  130. data/spec/arachni/component/options/base_spec.rb +7 -7
  131. data/spec/arachni/component/options/bool_spec.rb +9 -9
  132. data/spec/arachni/component/options/float_spec.rb +6 -6
  133. data/spec/arachni/component/options/int_spec.rb +5 -5
  134. data/spec/arachni/component/options/multiple_choice_spec.rb +12 -12
  135. data/spec/arachni/component/options/object_spec.rb +2 -2
  136. data/spec/arachni/component/options/path_spec.rb +3 -3
  137. data/spec/arachni/component/options/port_spec.rb +5 -5
  138. data/spec/arachni/component/options/string_spec.rb +3 -3
  139. data/spec/arachni/component/options/url_spec.rb +4 -4
  140. data/spec/arachni/component/utilities_spec.rb +2 -2
  141. data/spec/arachni/data/framework/rpc_spec.rb +10 -9
  142. data/spec/arachni/data/framework_spec.rb +65 -46
  143. data/spec/arachni/data/issues_spec.rb +39 -77
  144. data/spec/arachni/data/plugins_spec.rb +11 -11
  145. data/spec/arachni/data/session_spec.rb +6 -6
  146. data/spec/arachni/data_spec.rb +8 -8
  147. data/spec/arachni/element/body_spec.rb +10 -10
  148. data/spec/arachni/element/capabilities/analyzable/differential_spec.rb +39 -21
  149. data/spec/arachni/element/capabilities/analyzable/{taint_spec.rb → signature_spec.rb} +63 -63
  150. data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +51 -51
  151. data/spec/arachni/element/capabilities/with_scope/scope_spec.rb +5 -5
  152. data/spec/arachni/element/cookie/dom_spec.rb +37 -18
  153. data/spec/arachni/element/cookie_spec.rb +206 -139
  154. data/spec/arachni/element/form/dom_spec.rb +36 -19
  155. data/spec/arachni/element/form_spec.rb +210 -187
  156. data/spec/arachni/element/generic_dom_spec.rb +14 -14
  157. data/spec/arachni/element/header_spec.rb +35 -17
  158. data/spec/arachni/element/json_spec.rb +53 -31
  159. data/spec/arachni/element/link/dom_spec.rb +46 -28
  160. data/spec/arachni/element/link_spec.rb +58 -40
  161. data/spec/arachni/element/link_template/dom_spec.rb +47 -29
  162. data/spec/arachni/element/link_template_spec.rb +79 -61
  163. data/spec/arachni/element/path_spec.rb +1 -1
  164. data/spec/arachni/element/server_spec.rb +33 -32
  165. data/spec/arachni/element/ui_form/ui_form_dom_spec.rb +164 -0
  166. data/spec/arachni/element/ui_form_spec.rb +242 -0
  167. data/spec/arachni/element/ui_input/dom_spec.rb +157 -0
  168. data/spec/arachni/element/ui_input_spec.rb +136 -0
  169. data/spec/arachni/element/xml_spec.rb +42 -24
  170. data/spec/arachni/element_filter_spec.rb +49 -48
  171. data/spec/arachni/error_spec.rb +3 -3
  172. data/spec/arachni/framework/parts/audit_spec.rb +64 -63
  173. data/spec/arachni/framework/parts/browser_spec.rb +16 -16
  174. data/spec/arachni/framework/parts/check_spec.rb +3 -3
  175. data/spec/arachni/framework/parts/data_spec.rb +48 -48
  176. data/spec/arachni/framework/parts/platform_spec.rb +3 -3
  177. data/spec/arachni/framework/parts/plugin_spec.rb +7 -6
  178. data/spec/arachni/framework/parts/report_spec.rb +7 -7
  179. data/spec/arachni/framework/parts/scope_spec.rb +16 -16
  180. data/spec/arachni/framework/parts/state_spec.rb +68 -69
  181. data/spec/arachni/framework_spec.rb +39 -31
  182. data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +32 -32
  183. data/spec/arachni/http/client_spec.rb +219 -208
  184. data/spec/arachni/http/cookie_jar_spec.rb +72 -72
  185. data/spec/arachni/http/headers_spec.rb +14 -14
  186. data/spec/arachni/http/proxy_server_spec.rb +43 -42
  187. data/spec/arachni/http/request_spec.rb +105 -103
  188. data/spec/arachni/http/response/scope_spec.rb +24 -24
  189. data/spec/arachni/http/response_spec.rb +50 -49
  190. data/spec/arachni/issue/severity_spec.rb +10 -9
  191. data/spec/arachni/issue_spec.rb +71 -369
  192. data/spec/arachni/option_groups/audit_spec.rb +114 -114
  193. data/spec/arachni/option_groups/browser_cluster_spec.rb +20 -3
  194. data/spec/arachni/option_groups/datastore_spec.rb +6 -6
  195. data/spec/arachni/option_groups/dispatcher_spec.rb +19 -19
  196. data/spec/arachni/option_groups/http_spec.rb +11 -11
  197. data/spec/arachni/option_groups/input_spec.rb +31 -27
  198. data/spec/arachni/option_groups/output_spec.rb +2 -2
  199. data/spec/arachni/option_groups/paths_spec.rb +17 -17
  200. data/spec/arachni/option_groups/rpc_spec.rb +2 -2
  201. data/spec/arachni/option_groups/scope_spec.rb +40 -40
  202. data/spec/arachni/option_groups/session_spec.rb +6 -5
  203. data/spec/arachni/option_groups/snapshot_spec.rb +4 -4
  204. data/spec/arachni/options_spec.rb +46 -45
  205. data/spec/arachni/page/dom/transition_spec.rb +74 -72
  206. data/spec/arachni/page/dom_spec.rb +35 -35
  207. data/spec/arachni/page/scope_spec.rb +15 -15
  208. data/spec/arachni/page_spec.rb +217 -217
  209. data/spec/arachni/parser_spec.rb +106 -104
  210. data/spec/arachni/platform/fingerprinter_spec.rb +17 -14
  211. data/spec/arachni/platform/list_spec.rb +33 -33
  212. data/spec/arachni/platform/manager_spec.rb +67 -64
  213. data/spec/arachni/plugin/base_spec.rb +10 -10
  214. data/spec/arachni/plugin/manager_spec.rb +38 -37
  215. data/spec/arachni/report_spec.rb +43 -40
  216. data/spec/arachni/reporter/base_spec.rb +15 -15
  217. data/spec/arachni/reporter/manager_spec.rb +4 -4
  218. data/spec/arachni/reporter/options_spec.rb +6 -6
  219. data/spec/arachni/rpc/client/base_spec.rb +6 -6
  220. data/spec/arachni/rpc/client/dispatcher_spec.rb +2 -2
  221. data/spec/arachni/rpc/client/instance_spec.rb +6 -6
  222. data/spec/arachni/rpc/server/active_options_spec.rb +11 -8
  223. data/spec/arachni/rpc/server/base_spec.rb +5 -5
  224. data/spec/arachni/rpc/server/checks/manager_spec.rb +8 -8
  225. data/spec/arachni/rpc/server/dispatcher/node_spec.rb +37 -37
  226. data/spec/arachni/rpc/server/dispatcher/service_spec.rb +15 -14
  227. data/spec/arachni/rpc/server/dispatcher_spec.rb +36 -35
  228. data/spec/arachni/rpc/server/framework/distributor_spec.rb +36 -36
  229. data/spec/arachni/rpc/server/framework_multi_spec.rb +340 -336
  230. data/spec/arachni/rpc/server/framework_spec.rb +90 -85
  231. data/spec/arachni/rpc/server/instance_spec.rb +126 -107
  232. data/spec/arachni/rpc/server/output_spec.rb +1 -1
  233. data/spec/arachni/rpc/server/plugin/manager_spec.rb +6 -6
  234. data/spec/arachni/ruby/array_spec.rb +42 -42
  235. data/spec/arachni/ruby/hash_spec.rb +20 -18
  236. data/spec/arachni/ruby/io_spec.rb +2 -2
  237. data/spec/arachni/ruby/object_spec.rb +1 -1
  238. data/spec/arachni/ruby/set_spec.rb +3 -3
  239. data/spec/arachni/ruby/string_spec.rb +30 -30
  240. data/spec/arachni/ruby/webrick_spec.rb +2 -2
  241. data/spec/arachni/scope_spec.rb +1 -1
  242. data/spec/arachni/session_spec.rb +67 -64
  243. data/spec/arachni/snapshot_spec.rb +15 -15
  244. data/spec/arachni/state/audit_spec.rb +11 -11
  245. data/spec/arachni/state/element_filter_spec.rb +6 -6
  246. data/spec/arachni/state/framework/rpc_spec.rb +12 -12
  247. data/spec/arachni/state/framework_spec.rb +125 -121
  248. data/spec/arachni/state/http_spec.rb +7 -7
  249. data/spec/arachni/state/options_spec.rb +7 -7
  250. data/spec/arachni/state/plugins_spec.rb +8 -8
  251. data/spec/arachni/state_spec.rb +10 -10
  252. data/spec/arachni/support/buffer/autoflush_spec.rb +16 -16
  253. data/spec/arachni/support/buffer/base_spec.rb +39 -39
  254. data/spec/arachni/support/cache/least_cost_replacement_spec.rb +18 -18
  255. data/spec/arachni/support/cache/least_recently_pushed_spec.rb +24 -24
  256. data/spec/arachni/support/cache/least_recently_used_spec.rb +20 -20
  257. data/spec/arachni/support/cache/preference_spec.rb +4 -4
  258. data/spec/arachni/support/cache/random_replacement_spec.rb +8 -8
  259. data/spec/arachni/support/crypto/rsa_aes_cbc_spec.rb +1 -1
  260. data/spec/arachni/support/database/hash_spec.rb +44 -43
  261. data/spec/arachni/support/database/queue_spec.rb +27 -27
  262. data/spec/arachni/support/lookup/hash_set_spec.rb +8 -8
  263. data/spec/arachni/support/lookup/moolb_spec.rb +3 -3
  264. data/spec/arachni/support/mixins/observable_spec.rb +6 -6
  265. data/spec/arachni/support/signature_spec.rb +19 -19
  266. data/spec/arachni/trainer_spec.rb +39 -39
  267. data/spec/arachni/typhoeus/hydra_spec.rb +2 -2
  268. data/spec/arachni/uri/scope_spec.rb +66 -66
  269. data/spec/arachni/uri_spec.rb +107 -105
  270. data/spec/arachni/utilities_spec.rb +40 -40
  271. data/spec/components/checks/active/csrf_spec.rb +8 -8
  272. data/spec/components/checks/active/no_sql_injection_spec.rb +1 -1
  273. data/spec/components/checks/active/sql_injection_spec.rb +16 -16
  274. data/spec/components/checks/active/trainer_spec.rb +4 -4
  275. data/spec/components/checks/active/unvalidated_redirect_dom_spec.rb +4 -2
  276. data/spec/components/checks/active/xpath_injection_spec.rb +1 -1
  277. data/spec/components/checks/active/xss_dom_script_context_spec.rb +51 -21
  278. data/spec/components/checks/active/xss_dom_spec.rb +46 -24
  279. data/spec/components/checks/passive/allowed_methods_spec.rb +1 -1
  280. data/spec/components/checks/passive/grep/cookie_set_for_parent_domain_spec.rb +1 -1
  281. data/spec/components/checks/passive/grep/hsts_spec.rb +2 -2
  282. data/spec/components/checks/passive/grep/http_only_cookies_spec.rb +1 -1
  283. data/spec/components/checks/passive/grep/insecure_cookies_spec.rb +1 -1
  284. data/spec/components/checks/passive/grep/insecure_cors_policy_spec.rb +2 -2
  285. data/spec/components/checks/passive/grep/password_autocomplete_spec.rb +1 -1
  286. data/spec/components/checks/passive/grep/private_ip_spec.rb +3 -3
  287. data/spec/components/checks/passive/grep/unencrypted_password_forms_spec.rb +1 -1
  288. data/spec/components/checks/passive/grep/x_frame_options_spec.rb +2 -2
  289. data/spec/components/checks/passive/interesting_responses_spec.rb +2 -2
  290. data/spec/components/checks/passive/webdav_spec.rb +1 -1
  291. data/spec/components/checks/passive/xst_spec.rb +1 -1
  292. data/spec/components/fingerprinters/servers/apache_spec.rb +2 -2
  293. data/spec/components/path_extractors/comments_spec.rb +5 -1
  294. data/spec/components/path_extractors/scripts_spec.rb +5 -2
  295. data/spec/components/plugins/autologin_spec.rb +22 -22
  296. data/spec/components/plugins/autothrottle_spec.rb +6 -5
  297. data/spec/components/plugins/content_types_spec.rb +4 -4
  298. data/spec/components/plugins/cookie_collector_spec.rb +5 -5
  299. data/spec/components/plugins/exec_spec.rb +12 -12
  300. data/spec/components/plugins/form_dicattack_spec.rb +3 -3
  301. data/spec/components/plugins/headers_collector_spec.rb +8 -8
  302. data/spec/components/plugins/healthmap_spec.rb +3 -3
  303. data/spec/components/plugins/http_dicattack_spec.rb +3 -3
  304. data/spec/components/plugins/login_script_spec.rb +79 -22
  305. data/spec/components/plugins/meta/remedies/discovery_spec.rb +3 -2
  306. data/spec/components/plugins/meta/remedies/timing_attacks_spec.rb +3 -3
  307. data/spec/components/plugins/meta/uniformity_spec.rb +2 -2
  308. data/spec/components/plugins/restrict_to_dom_state_spec.rb +1 -1
  309. data/spec/components/plugins/script_spec.rb +1 -1
  310. data/spec/components/plugins/uncommon_headers_spec.rb +2 -2
  311. data/spec/components/plugins/vector_collector_spec.rb +2 -2
  312. data/spec/components/plugins/vector_feed_spec.rb +40 -40
  313. data/spec/components/plugins/waf_detector_spec.rb +6 -6
  314. data/spec/components/reporters/json_spec.rb +4 -4
  315. data/spec/components/reporters/marshal_spec.rb +2 -2
  316. data/spec/components/reporters/yaml_spec.rb +3 -2
  317. data/spec/external/wavsep/active/sqli_spec.rb +1 -3
  318. data/spec/spec_helper.rb +4 -0
  319. data/spec/support/factories/element/ui_form.rb +14 -0
  320. data/spec/support/factories/element/ui_input.rb +13 -0
  321. data/spec/support/factories/issue.rb +0 -13
  322. data/spec/support/fixtures/report.afr +0 -0
  323. data/spec/support/fixtures/{taint_check/taint.rb → signature_check/signature.rb} +2 -2
  324. data/spec/support/helpers/browser_cluster/jobs/taint_tracer.rb +11 -11
  325. data/spec/support/helpers/framework.rb +1 -1
  326. data/spec/support/helpers/pages.rb +2 -2
  327. data/spec/support/servers/arachni/browser.rb +139 -0
  328. data/spec/support/servers/arachni/browser/javascript/taint_tracer.rb +40 -0
  329. data/spec/support/servers/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +0 -0
  330. data/spec/support/servers/arachni/element/input/input_dom.rb +102 -0
  331. data/spec/support/servers/arachni/element/ui_form/ui_form_dom.rb +238 -0
  332. data/spec/support/servers/checks/active/trainer_check.rb +7 -7
  333. data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +22 -6
  334. data/spec/support/servers/checks/active/xss_dom.rb +50 -0
  335. data/spec/support/servers/checks/active/xss_dom_script_context.rb +53 -0
  336. data/spec/support/shared/browser/javascript/taint_tracer/sink/base.rb +6 -6
  337. data/spec/support/shared/check.rb +10 -12
  338. data/spec/support/shared/component/options/base.rb +24 -24
  339. data/spec/support/shared/element/base.rb +25 -25
  340. data/spec/support/shared/element/capabilities/auditable.rb +116 -140
  341. data/spec/support/shared/element/capabilities/dom_only.rb +65 -0
  342. data/spec/support/shared/element/capabilities/inputtable.rb +71 -86
  343. data/spec/support/shared/element/capabilities/mutable.rb +122 -111
  344. data/spec/support/shared/element/capabilities/refreshable.rb +10 -10
  345. data/spec/support/shared/element/capabilities/{submitable.rb → submittable.rb} +26 -26
  346. data/spec/support/shared/element/capabilities/with_auditor.rb +10 -10
  347. data/spec/support/shared/element/capabilities/with_dom.rb +8 -8
  348. data/spec/support/shared/element/capabilities/with_node.rb +4 -6
  349. data/spec/support/shared/element/capabilities/with_scope.rb +2 -2
  350. data/spec/support/shared/element/capabilities/with_source.rb +6 -8
  351. data/spec/support/shared/element/dom.rb +144 -0
  352. data/spec/support/shared/element/dom/auditable.rb +42 -0
  353. data/spec/support/shared/element/dom/inputtable.rb +5 -0
  354. data/spec/support/shared/element/dom/mutable.rb +3 -0
  355. data/spec/support/shared/element/dom/submittable.rb +119 -0
  356. data/spec/support/shared/external/wavsep.rb +3 -3
  357. data/spec/support/shared/fingerprinter.rb +2 -2
  358. data/spec/support/shared/framework.rb +1 -1
  359. data/spec/support/shared/http/message.rb +9 -9
  360. data/spec/support/shared/option_group.rb +17 -17
  361. data/spec/support/shared/path_extractor.rb +1 -1
  362. data/spec/support/shared/plugin.rb +2 -2
  363. data/spec/support/shared/support/cache.rb +57 -57
  364. data/spec/support/shared/support/lookup.rb +25 -25
  365. data/ui/cli/framework.rb +22 -11
  366. data/ui/cli/framework/option_parser.rb +15 -0
  367. data/ui/cli/option_parser.rb +8 -1
  368. data/ui/cli/output.rb +2 -1
  369. metadata +54 -20
  370. data/components/checks/active/xss_dom_inputs.rb +0 -236
  371. data/spec/components/checks/active/xss_dom_inputs_spec.rb +0 -30
  372. data/spec/support/servers/checks/active/xss_dom_inputs.rb +0 -59
  373. data/spec/support/shared/element/capabilities/auditable/dom.rb +0 -322
@@ -60,7 +60,7 @@ YAML
60
60
  context 'with default options' do
61
61
  it "skips 'text' content types" do
62
62
  run
63
- actual_results.should eq default_results
63
+ expect(actual_results).to eq default_results
64
64
  end
65
65
  end
66
66
 
@@ -69,7 +69,7 @@ YAML
69
69
  options.plugins[component_name] = { 'exclude' => 'image|excel' }
70
70
 
71
71
  run
72
- actual_results.should eq results_with_options
72
+ expect(actual_results).to eq results_with_options
73
73
  end
74
74
  end
75
75
 
@@ -78,14 +78,14 @@ YAML
78
78
  options.plugins[component_name] = { 'exclude' => '' }
79
79
 
80
80
  run
81
- actual_results.should eq results_with_empty_options
81
+ expect(actual_results).to eq results_with_empty_options
82
82
  end
83
83
  end
84
84
 
85
85
  describe '.merge' do
86
86
  it 'merges an array of results' do
87
87
  results = plugin.merge( [default_results, results_with_options] )
88
- results.should eq results_with_empty_options
88
+ expect(results).to eq results_with_empty_options
89
89
  end
90
90
  end
91
91
  end
@@ -10,7 +10,7 @@ describe name_from_filename do
10
10
  it 'logs the expected results' do
11
11
  run
12
12
 
13
- actual_results.size.should == 3
13
+ expect(actual_results.size).to eq(3)
14
14
 
15
15
  oks = 0
16
16
  actual_results.each do |result|
@@ -24,7 +24,7 @@ describe name_from_filename do
24
24
  end
25
25
  end
26
26
 
27
- oks.should == 3
27
+ expect(oks).to eq(3)
28
28
  end
29
29
 
30
30
  context 'when a filter has been specified' do
@@ -33,9 +33,9 @@ describe name_from_filename do
33
33
 
34
34
  run
35
35
 
36
- actual_results.size.should == 2
37
- actual_results.map { |r| r['cookies'].keys }.flatten.
38
- uniq.sort.should == %w(link_followed)
36
+ expect(actual_results.size).to eq(2)
37
+ expect(actual_results.map { |r| r['cookies'].keys }.flatten.
38
+ uniq.sort).to eq(%w(link_followed))
39
39
  end
40
40
  end
41
41
  end
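Review bot: The expectation at new lines 37–38 wraps a chained call that breaks after a trailing dot inside `expect(...)`, so the closing parenthesis sits a line away from the value it closes and is easy to misplace in a mechanical `should` to `expect` rewrite. Naming the value first keeps the assertion on one line: `cookie_names = actual_results.flat_map { |r| r['cookies'].keys }.uniq.sort` followed by `expect(cookie_names).to eq(%w(link_followed))`. The enclosing `context` block starts above the hunk.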
@@ -21,36 +21,36 @@ describe name_from_filename do
21
21
  port = parsed_url.port
22
22
 
23
23
  pre = actual_results['pre']
24
- pre.delete('runtime').should be_kind_of Float
25
- pre.delete('pid').should be_kind_of Integer
24
+ expect(pre.delete('runtime')).to be_kind_of Float
25
+ expect(pre.delete('pid')).to be_kind_of Integer
26
26
 
27
- pre.should == {
27
+ expect(pre).to eq({
28
28
  "status" => 0,
29
29
  "executable" => "echo \"#{options.url} #{scheme} #{host} #{port} pre 0 0 preparing\"",
30
30
  "stdout" => "#{options.url} #{scheme} #{host} #{port} pre 0 0 preparing\n",
31
31
  "stderr" => ""
32
- }
32
+ })
33
33
 
34
34
  during = actual_results['during']
35
- during.delete('runtime').should be_kind_of Float
36
- during.delete('pid').should be_kind_of Integer
35
+ expect(during.delete('runtime')).to be_kind_of Float
36
+ expect(during.delete('pid')).to be_kind_of Integer
37
37
 
38
- during.should == {
38
+ expect(during).to eq({
39
39
  "status" => 0,
40
40
  "executable" => "echo \"#{options.url} #{scheme} #{host} #{port} during 0 0 preparing\"",
41
41
  "stdout" => "#{options.url} #{scheme} #{host} #{port} during 0 0 preparing\n",
42
42
  "stderr" => ""
43
- }
43
+ })
44
44
 
45
45
  post = actual_results['post']
46
- post.delete('runtime').should be_kind_of Float
47
- post.delete('pid').should be_kind_of Integer
46
+ expect(post.delete('runtime')).to be_kind_of Float
47
+ expect(post.delete('pid')).to be_kind_of Integer
48
48
 
49
- post.should == {
49
+ expect(post).to eq({
50
50
  "status" => 0,
51
51
  "executable" => "echo \"#{options.url} #{scheme} #{host} #{port} post 0 2 cleanup\"",
52
52
  "stdout" => "#{options.url} #{scheme} #{host} #{port} post 0 2 cleanup\n",
53
53
  "stderr" => ""
54
- }
54
+ })
55
55
  end
56
56
  end
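Review bot: The three expected hashes for `pre`, `during` and `post` pin the command substitution only for the benign fixture URL, so nothing in this spec records how the substituted values are treated when they contain characters a shell interprets. The expected `executable` strings show url, scheme, host and port placed inside an `echo "..."` command line; the plugin code is not part of this hunk, so whether it escapes them cannot be told from here, and one extra example whose expected `executable` shows the value quoted or escaped would document that behaviour. As a smaller point of style, `expect(pre.delete('runtime')).to be_kind_of Float` hides a mutation that the following `eq` depends on; `runtime = pre.delete('runtime')` on its own line followed by `expect(runtime).to be_kind_of Float` makes the dependency visible. The example block starts above the hunk.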
@@ -18,7 +18,7 @@ describe name_from_filename do
18
18
  }
19
19
 
20
20
  run
21
- actual_results.should == { 'username' => 'sys', 'password' => 'admin' }
21
+ expect(actual_results).to eq({ 'username' => 'sys', 'password' => 'admin' })
22
22
  end
23
23
  end
24
24
 
@@ -33,7 +33,7 @@ describe name_from_filename do
33
33
  }
34
34
 
35
35
  run
36
- actual_results.should be_nil
36
+ expect(actual_results).to be_nil
37
37
  end
38
38
  end
39
39
 
@@ -48,7 +48,7 @@ describe name_from_filename do
48
48
  }
49
49
 
50
50
  run
51
- actual_results.should be_nil
51
+ expect(actual_results).to be_nil
52
52
  end
53
53
  end
54
54
  end
@@ -11,7 +11,7 @@ describe name_from_filename do
11
11
  it 'logs all headers' do
12
12
  run
13
13
 
14
- actual_results.should == {
14
+ expect(actual_results).to eq({
15
15
  url => {
16
16
  "Content-Type" => "text/html;charset=utf-8",
17
17
  "X-Xss-Protection" => "1; mode=block",
@@ -35,7 +35,7 @@ describe name_from_filename do
35
35
  "X-Frame-Options" => "SAMEORIGIN",
36
36
  "Content-Length" => "6"
37
37
  }
38
- }
38
+ })
39
39
  end
40
40
  end
41
41
 
@@ -47,7 +47,7 @@ describe name_from_filename do
47
47
 
48
48
  run
49
49
 
50
- actual_results.should == {
50
+ expect(actual_results).to eq({
51
51
  url => {
52
52
  "X-Frame-Options" => "SAMEORIGIN"
53
53
  },
@@ -59,7 +59,7 @@ describe name_from_filename do
59
59
  "Weird2" => "Value2",
60
60
  "X-Frame-Options" => "SAMEORIGIN"
61
61
  }
62
- }
62
+ })
63
63
  end
64
64
  end
65
65
 
@@ -71,7 +71,7 @@ describe name_from_filename do
71
71
 
72
72
  run
73
73
 
74
- actual_results.should == {
74
+ expect(actual_results).to eq({
75
75
  url => {
76
76
  "Content-Type" => "text/html;charset=utf-8",
77
77
  "X-Xss-Protection" => "1; mode=block",
@@ -90,7 +90,7 @@ describe name_from_filename do
90
90
  "X-Content-Type-Options" => "nosniff",
91
91
  "Content-Length" => "6"
92
92
  }
93
- }
93
+ })
94
94
  end
95
95
  end
96
96
 
@@ -112,7 +112,7 @@ describe name_from_filename do
112
112
  },
113
113
  ]
114
114
 
115
- framework.plugins[component_name].merge( results ).should == {
115
+ expect(framework.plugins[component_name].merge( results )).to eq({
116
116
  "#{url}" => {
117
117
  "Name" => "Value",
118
118
  "Name2" => "Value2"
@@ -120,7 +120,7 @@ describe name_from_filename do
120
120
  "#{url}2" => {
121
121
  "Name22" => "Value22"
122
122
  }
123
- }
123
+ })
124
124
  end
125
125
  end
126
126
  end
@@ -32,9 +32,9 @@ YAML
32
32
  actual_map = results.delete( 'map' )
33
33
  expected_map = exp_results.delete( 'map' )
34
34
 
35
- actual_map.select { |k, v| k == 'without_issues' }.should be_eql expected_map.select { |k, v| k == 'without_issues' }
36
- actual_map.select { |k, v| k == 'with_issues' }.should be_eql expected_map.select { |k, v| k == 'with_issues' }
35
+ expect(actual_map.select { |k, v| k == 'without_issues' }).to be_eql expected_map.select { |k, v| k == 'without_issues' }
36
+ expect(actual_map.select { |k, v| k == 'with_issues' }).to be_eql expected_map.select { |k, v| k == 'with_issues' }
37
37
 
38
- results.should be_eql exp_results
38
+ expect(results).to be_eql exp_results
39
39
  end
40
40
  end
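Review bot: The converted lines 35–38 keep the predicate matcher `be_eql`, which on failure reports only that `eql?` did not return true instead of printing the two hashes being compared; the built-in `eql(...)` matcher performs the same `eql?` comparison and shows both values. The last assertion would become `expect(results).to eql(exp_results)`, and the two `select` comparisons read more safely with the expected side parenthesised and the unused block argument marked, e.g. `.to eql(expected_map.select { |k, _| k == 'with_issues' })`. The example starts above the hunk.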
@@ -18,7 +18,7 @@ describe name_from_filename do
18
18
  it 'logins successfully' do
19
19
  options.url = web_server_url_for( name_from_filename )
20
20
  run
21
- results.should == { 'username' => 'admin', 'password' => 'pass' }
21
+ expect(results).to eq({ 'username' => 'admin', 'password' => 'pass' })
22
22
  end
23
23
  end
24
24
 
@@ -26,7 +26,7 @@ describe name_from_filename do
26
26
  it 'logs nothing' do
27
27
  options.url = web_server_url_for( "#{name_from_filename}_secure" )
28
28
  run
29
- results.should be_nil
29
+ expect(results).to be_nil
30
30
  end
31
31
  end
32
32
 
@@ -34,7 +34,7 @@ describe name_from_filename do
34
34
  it 'logs nothing' do
35
35
  options.url = web_server_url_for( "#{name_from_filename}_unprotected" )
36
36
  run
37
- results.should be_nil
37
+ expect(results).to be_nil
38
38
  end
39
39
  end
40
40
  end
@@ -35,7 +35,7 @@ EOSCRIPT
35
35
  it "exposes a Watir::Browser interface via the 'browser' variable" do
36
36
  run
37
37
 
38
- options.datastore.browser.should be_kind_of Watir::Browser
38
+ expect(options.datastore.browser).to be_kind_of Watir::Browser
39
39
  end
40
40
  end
41
41
 
@@ -50,8 +50,8 @@ EOSCRIPT
50
50
  it 'runs the code' do
51
51
  run
52
52
 
53
- framework.http.cookies.
54
- find { |c| c.name == 'mycookie' }.value.should == 'myvalue'
53
+ expect(framework.http.cookies.
54
+ find { |c| c.name == 'mycookie' }.value).to eq('myvalue')
55
55
  end
56
56
  end
57
57
  end
@@ -71,7 +71,7 @@ EOSCRIPT
71
71
  it "sets 'browser' to 'nil'" do
72
72
  run
73
73
 
74
- options.datastore.browser.should be_nil
74
+ expect(options.datastore.browser).to be_nil
75
75
  end
76
76
  end
77
77
 
@@ -86,19 +86,19 @@ EOSCRIPT
86
86
  it 'sets the status' do
87
87
  run
88
88
 
89
- actual_results['status'].should == 'missing_browser'
89
+ expect(actual_results['status']).to eq('missing_browser')
90
90
  end
91
91
 
92
92
  it 'sets the message' do
93
93
  run
94
94
 
95
- actual_results['message'].should == plugin::STATUSES[:missing_browser]
95
+ expect(actual_results['message']).to eq(plugin::STATUSES[:missing_browser])
96
96
  end
97
97
 
98
98
  it 'aborts the scan' do
99
99
  run
100
100
 
101
- framework.status.should == :aborted
101
+ expect(framework.status).to eq(:aborted)
102
102
  end
103
103
  end
104
104
 
@@ -120,19 +120,19 @@ EOSCRIPT
120
120
  it 'sets the status' do
121
121
  run
122
122
 
123
- actual_results['status'].should == 'success'
123
+ expect(actual_results['status']).to eq('success')
124
124
  end
125
125
 
126
126
  it 'sets the message' do
127
127
  run
128
128
 
129
- actual_results['message'].should == plugin::STATUSES[:success]
129
+ expect(actual_results['message']).to eq(plugin::STATUSES[:success])
130
130
  end
131
131
 
132
132
  it 'sets the cookies' do
133
133
  run
134
134
 
135
- actual_results['cookies'].should == { 'success' => 'true' }
135
+ expect(actual_results['cookies']).to eq({ 'success' => 'true' })
136
136
  end
137
137
  end
138
138
 
@@ -146,19 +146,19 @@ EOSCRIPT
146
146
  it 'sets the status' do
147
147
  run
148
148
 
149
- actual_results['status'].should == 'missing_check'
149
+ expect(actual_results['status']).to eq('missing_check')
150
150
  end
151
151
 
152
152
  it 'sets the message' do
153
153
  run
154
154
 
155
- actual_results['message'].should == plugin::STATUSES[:missing_check]
155
+ expect(actual_results['message']).to eq(plugin::STATUSES[:missing_check])
156
156
  end
157
157
 
158
158
  it 'aborts the scan' do
159
159
  run
160
160
 
161
- framework.status.should == :aborted
161
+ expect(framework.status).to eq(:aborted)
162
162
  end
163
163
  end
164
164
 
@@ -171,19 +171,19 @@ EOSCRIPT
171
171
  it 'sets the status' do
172
172
  run
173
173
 
174
- actual_results['status'].should == 'failure'
174
+ expect(actual_results['status']).to eq('failure')
175
175
  end
176
176
 
177
177
  it 'sets the message' do
178
178
  run
179
179
 
180
- actual_results['message'].should == plugin::STATUSES[:failure]
180
+ expect(actual_results['message']).to eq(plugin::STATUSES[:failure])
181
181
  end
182
182
 
183
183
  it 'aborts the scan' do
184
184
  run
185
185
 
186
- framework.status.should == :aborted
186
+ expect(framework.status).to eq(:aborted)
187
187
  end
188
188
  end
189
189
 
@@ -198,19 +198,76 @@ EOSCRIPT
198
198
  it 'sets the status' do
199
199
  run
200
200
 
201
- actual_results['status'].should == 'error'
201
+ expect(actual_results['status']).to eq('error')
202
202
  end
203
203
 
204
204
  it 'sets the message' do
205
205
  run
206
206
 
207
- actual_results['message'].should == plugin::STATUSES[:error]
207
+ expect(actual_results['message']).to eq(plugin::STATUSES[:error])
208
208
  end
209
209
 
210
210
  it 'aborts the scan' do
211
211
  run
212
212
 
213
- framework.status.should == :aborted
213
+ expect(framework.status).to eq(:aborted)
214
+ end
215
+ end
216
+
217
+ context 'when using Javascript' do
218
+ let(:script) do
219
+ <<EOSCRIPT
220
+ doesNotExist()
221
+ EOSCRIPT
222
+ end
223
+ let(:script_path) { "#{super()}.js" }
224
+
225
+ it 'sets the status' do
226
+ run
227
+
228
+ expect(actual_results['status']).to eq('error')
229
+ end
230
+
231
+ it 'sets the message' do
232
+ run
233
+
234
+ expect(actual_results['message']).to eq(plugin::STATUSES[:error])
235
+ end
236
+
237
+ it 'aborts the scan' do
238
+ run
239
+
240
+ expect(framework.status).to eq(:aborted)
241
+ end
242
+ end
243
+ end
244
+
245
+ context 'when there is a syntax error in the script' do
246
+ context 'when using Ruby' do
247
+ let(:script) do
248
+ <<EOSCRIPT
249
+ {
250
+ id: => stuff
251
+ }
252
+ EOSCRIPT
253
+ end
254
+
255
+ it 'sets the status' do
256
+ run
257
+
258
+ expect(actual_results['status']).to eq('error')
259
+ end
260
+
261
+ it 'sets the message' do
262
+ run
263
+
264
+ expect(actual_results['message']).to eq(plugin::STATUSES[:error])
265
+ end
266
+
267
+ it 'aborts the scan' do
268
+ run
269
+
270
+ expect(framework.status).to eq(:aborted)
214
271
  end
215
272
  end
216
273
 
@@ -225,19 +282,19 @@ EOSCRIPT
225
282
  it 'sets the status' do
226
283
  run
227
284
 
228
- actual_results['status'].should == 'error'
285
+ expect(actual_results['status']).to eq('error')
229
286
  end
230
287
 
231
288
  it 'sets the message' do
232
289
  run
233
290
 
234
- actual_results['message'].should == plugin::STATUSES[:error]
291
+ expect(actual_results['message']).to eq(plugin::STATUSES[:error])
235
292
  end
236
293
 
237
294
  it 'aborts the scan' do
238
295
  run
239
296
 
240
- framework.status.should == :aborted
297
+ expect(framework.status).to eq(:aborted)
241
298
  end
242
299
  end
243
300
  end
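Review bot: The three examples `sets the status`, `sets the message` and `aborts the scan` are copied verbatim into both contexts added in the `@@ -198,19 +198,76 @@` hunk ('when using Javascript' and the Ruby syntax-error context), and the same trio already appears in the missing-browser, missing-check, failure and error contexts of this file with only the status changed. A shared example group that takes the expected status would reduce each new error case to one line, e.g. `it_behaves_like 'a failed login script', :error` (the group name is only a suggestion). Each example also calls `run` on its own, so every added context executes the plugin three times for three one-line assertions. The success context checks `actual_results['cookies']`; if the results hash exposes that key on failure as well, the error contexts could assert that nothing was recorded there, so that a script which raises cannot leave a partial session behind unnoticed. The enclosing `describe` block starts and ends outside the visible hunks.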