RubyGems - arachni - Versions diffs - 1.2.1 → 1.3 - Mend

arachni 1.2.1 → 1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (373) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +66 -0
data/Gemfile +1 -1
data/README.md +16 -5
data/components/checks/active/ldap_injection/errors.txt +1 -0
data/components/checks/active/source_code_disclosure.rb +1 -1
data/components/checks/active/unvalidated_redirect.rb +6 -6
data/components/checks/active/unvalidated_redirect_dom.rb +10 -7
data/components/checks/passive/grep/captcha.rb +14 -5
data/components/checks/passive/grep/form_upload.rb +7 -3
data/components/checks/passive/grep/hsts.rb +3 -3
data/components/checks/passive/grep/html_objects.rb +2 -3
data/components/checks/passive/grep/http_only_cookies.rb +2 -3
data/components/checks/passive/grep/insecure_cookies.rb +1 -1
data/components/checks/passive/grep/password_autocomplete.rb +2 -2
data/components/checks/passive/grep/unencrypted_password_forms.rb +7 -7
data/components/checks/passive/grep/x_frame_options.rb +2 -2
data/components/checks/passive/http_put.rb +2 -3
data/components/path_extractors/comments.rb +3 -3
data/components/path_extractors/scripts.rb +10 -1
data/components/plugins/defaults/autothrottle.rb +27 -18
data/components/plugins/defaults/meta/remedies/discovery.rb +30 -33
data/components/plugins/defaults/meta/remedies/timing_attacks.rb +7 -11
data/components/plugins/login_script.rb +9 -3
data/components/plugins/proxy.rb +4 -3
data/components/reporters/html.rb +11 -14
data/components/reporters/html/default/issue.erb +13 -38
data/components/reporters/html/default/issue/info.erb +1 -1
data/components/reporters/html/default/summary/issues/by_name.erb +3 -3
data/components/reporters/stdout.rb +62 -71
data/components/reporters/xml.rb +26 -40
data/components/reporters/xml/schema.xsd +43 -89
data/lib/arachni/browser.rb +52 -3
data/lib/arachni/browser/javascript.rb +3 -3
data/lib/arachni/browser/javascript/scripts/taint_tracer.js +46 -25
data/lib/arachni/browser_cluster.rb +61 -0
data/lib/arachni/browser_cluster/job.rb +21 -1
data/lib/arachni/browser_cluster/jobs/browser_provider.rb +3 -1
data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +2 -1
data/lib/arachni/browser_cluster/jobs/resource_exploration/event_trigger.rb +2 -1
data/lib/arachni/browser_cluster/jobs/taint_trace.rb +3 -2
data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +1 -1
data/lib/arachni/browser_cluster/worker.rb +5 -0
data/lib/arachni/check/auditor.rb +22 -12
data/lib/arachni/data/framework.rb +13 -1
data/lib/arachni/data/issues.rb +9 -25
data/lib/arachni/element/base.rb +9 -3
data/lib/arachni/element/capabilities/analyzable.rb +2 -6
data/lib/arachni/element/capabilities/analyzable/differential.rb +24 -7
data/lib/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +23 -23
data/lib/arachni/element/capabilities/auditable.rb +0 -6
data/lib/arachni/element/capabilities/dom_only.rb +61 -0
data/lib/arachni/element/capabilities/with_dom.rb +3 -1
data/lib/arachni/element/cookie.rb +35 -5
data/lib/arachni/element/cookie/dom.rb +13 -4
data/lib/arachni/element/{capabilities/auditable/dom.rb → dom.rb} +20 -68
data/lib/arachni/element/dom/capabilities/auditable.rb +29 -0
data/lib/arachni/element/dom/capabilities/inputtable.rb +27 -0
data/lib/arachni/element/dom/capabilities/mutable.rb +21 -0
data/lib/arachni/element/dom/capabilities/submittable.rb +52 -0
data/lib/arachni/element/form.rb +12 -1
data/lib/arachni/element/form/capabilities/mutable.rb +2 -1
data/lib/arachni/element/form/capabilities/with_dom.rb +0 -1
data/lib/arachni/element/form/dom.rb +9 -3
data/lib/arachni/element/header.rb +14 -33
data/lib/arachni/element/header/capabilities/inputtable.rb +29 -0
data/lib/arachni/element/header/capabilities/mutable.rb +51 -0
data/lib/arachni/element/input/dom.rb +71 -0
data/lib/arachni/element/json.rb +2 -0
data/lib/arachni/element/link.rb +3 -0
data/lib/arachni/element/link/capabilities/with_dom.rb +0 -1
data/lib/arachni/element/link/dom.rb +16 -3
data/lib/arachni/element/link/dom/capabilities/submittable.rb +29 -0
data/lib/arachni/element/link_template.rb +3 -5
data/lib/arachni/element/link_template/capabilities/inputtable.rb +5 -0
data/lib/arachni/element/link_template/capabilities/with_dom.rb +0 -1
data/lib/arachni/element/link_template/dom.rb +16 -3
data/lib/arachni/element/link_template/dom/capabilities/submittable.rb +29 -0
data/lib/arachni/element/server.rb +3 -5
data/lib/arachni/element/ui_form.rb +106 -0
data/lib/arachni/element/ui_form/dom.rb +107 -0
data/lib/arachni/element/ui_input.rb +62 -0
data/lib/arachni/element/xml.rb +2 -1
data/lib/arachni/framework.rb +7 -5
data/lib/arachni/framework/parts/audit.rb +0 -1
data/lib/arachni/framework/parts/check.rb +1 -0
data/lib/arachni/framework/parts/data.rb +4 -0
data/lib/arachni/framework/parts/state.rb +0 -2
data/lib/arachni/http/client.rb +17 -6
data/lib/arachni/http/proxy_server.rb +52 -5
data/lib/arachni/http/request.rb +1 -1
data/lib/arachni/issue.rb +34 -179
data/lib/arachni/issue/severity.rb +2 -0
data/lib/arachni/option_groups/audit.rb +22 -2
data/lib/arachni/option_groups/browser_cluster.rb +15 -0
data/lib/arachni/page.rb +3 -2
data/lib/arachni/parser.rb +24 -5
data/lib/arachni/platform/manager.rb +1 -2
data/lib/arachni/rpc/server/framework.rb +3 -4
data/lib/arachni/rpc/server/framework/multi_instance.rb +2 -1
data/lib/arachni/session.rb +1 -1
data/lib/arachni/trainer.rb +4 -7
data/lib/arachni/watir/element.rb +12 -1
data/lib/version +1 -1
data/spec/arachni/browser/element_locator_spec.rb +43 -43
data/spec/arachni/browser/javascript/dom_monitor_spec.rb +44 -44
data/spec/arachni/browser/javascript/proxy/stub_spec.rb +17 -14
data/spec/arachni/browser/javascript/proxy_spec.rb +24 -24
data/spec/arachni/browser/javascript/taint_tracer/frame/called_function_spec.rb +11 -11
data/spec/arachni/browser/javascript/taint_tracer/frame_spec.rb +7 -7
data/spec/arachni/browser/javascript/taint_tracer/sink/data_flow_spec.rb +13 -13
data/spec/arachni/browser/javascript/taint_tracer/sink/execution_flow_spec.rb +7 -7
data/spec/arachni/browser/javascript/taint_tracer_spec.rb +568 -558
data/spec/arachni/browser/javascript_spec.rb +73 -63
data/spec/arachni/browser_cluster/job/result_spec.rb +3 -3
data/spec/arachni/browser_cluster/job_spec.rb +68 -48
data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger/result_spec.rb +2 -2
data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger_spec.rb +5 -4
data/spec/arachni/browser_cluster/jobs/resource_exploration/result_spec.rb +2 -2
data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +5 -5
data/spec/arachni/browser_cluster/worker_spec.rb +87 -70
data/spec/arachni/browser_cluster_spec.rb +64 -39
data/spec/arachni/browser_spec.rb +692 -527
data/spec/arachni/check/auditor_spec.rb +177 -147
data/spec/arachni/check/base_spec.rb +33 -33
data/spec/arachni/check/manager_spec.rb +15 -15
data/spec/arachni/component/base_spec.rb +8 -8
data/spec/arachni/component/manager_spec.rb +100 -99
data/spec/arachni/component/options/address_spec.rb +3 -3
data/spec/arachni/component/options/base_spec.rb +7 -7
data/spec/arachni/component/options/bool_spec.rb +9 -9
data/spec/arachni/component/options/float_spec.rb +6 -6
data/spec/arachni/component/options/int_spec.rb +5 -5
data/spec/arachni/component/options/multiple_choice_spec.rb +12 -12
data/spec/arachni/component/options/object_spec.rb +2 -2
data/spec/arachni/component/options/path_spec.rb +3 -3
data/spec/arachni/component/options/port_spec.rb +5 -5
data/spec/arachni/component/options/string_spec.rb +3 -3
data/spec/arachni/component/options/url_spec.rb +4 -4
data/spec/arachni/component/utilities_spec.rb +2 -2
data/spec/arachni/data/framework/rpc_spec.rb +10 -9
data/spec/arachni/data/framework_spec.rb +65 -46
data/spec/arachni/data/issues_spec.rb +39 -77
data/spec/arachni/data/plugins_spec.rb +11 -11
data/spec/arachni/data/session_spec.rb +6 -6
data/spec/arachni/data_spec.rb +8 -8
data/spec/arachni/element/body_spec.rb +10 -10
data/spec/arachni/element/capabilities/analyzable/differential_spec.rb +39 -21
data/spec/arachni/element/capabilities/analyzable/{taint_spec.rb → signature_spec.rb} +63 -63
data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +51 -51
data/spec/arachni/element/capabilities/with_scope/scope_spec.rb +5 -5
data/spec/arachni/element/cookie/dom_spec.rb +37 -18
data/spec/arachni/element/cookie_spec.rb +206 -139
data/spec/arachni/element/form/dom_spec.rb +36 -19
data/spec/arachni/element/form_spec.rb +210 -187
data/spec/arachni/element/generic_dom_spec.rb +14 -14
data/spec/arachni/element/header_spec.rb +35 -17
data/spec/arachni/element/json_spec.rb +53 -31
data/spec/arachni/element/link/dom_spec.rb +46 -28
data/spec/arachni/element/link_spec.rb +58 -40
data/spec/arachni/element/link_template/dom_spec.rb +47 -29
data/spec/arachni/element/link_template_spec.rb +79 -61
data/spec/arachni/element/path_spec.rb +1 -1
data/spec/arachni/element/server_spec.rb +33 -32
data/spec/arachni/element/ui_form/ui_form_dom_spec.rb +164 -0
data/spec/arachni/element/ui_form_spec.rb +242 -0
data/spec/arachni/element/ui_input/dom_spec.rb +157 -0
data/spec/arachni/element/ui_input_spec.rb +136 -0
data/spec/arachni/element/xml_spec.rb +42 -24
data/spec/arachni/element_filter_spec.rb +49 -48
data/spec/arachni/error_spec.rb +3 -3
data/spec/arachni/framework/parts/audit_spec.rb +64 -63
data/spec/arachni/framework/parts/browser_spec.rb +16 -16
data/spec/arachni/framework/parts/check_spec.rb +3 -3
data/spec/arachni/framework/parts/data_spec.rb +48 -48
data/spec/arachni/framework/parts/platform_spec.rb +3 -3
data/spec/arachni/framework/parts/plugin_spec.rb +7 -6
data/spec/arachni/framework/parts/report_spec.rb +7 -7
data/spec/arachni/framework/parts/scope_spec.rb +16 -16
data/spec/arachni/framework/parts/state_spec.rb +68 -69
data/spec/arachni/framework_spec.rb +39 -31
data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +32 -32
data/spec/arachni/http/client_spec.rb +219 -208
data/spec/arachni/http/cookie_jar_spec.rb +72 -72
data/spec/arachni/http/headers_spec.rb +14 -14
data/spec/arachni/http/proxy_server_spec.rb +43 -42
data/spec/arachni/http/request_spec.rb +105 -103
data/spec/arachni/http/response/scope_spec.rb +24 -24
data/spec/arachni/http/response_spec.rb +50 -49
data/spec/arachni/issue/severity_spec.rb +10 -9
data/spec/arachni/issue_spec.rb +71 -369
data/spec/arachni/option_groups/audit_spec.rb +114 -114
data/spec/arachni/option_groups/browser_cluster_spec.rb +20 -3
data/spec/arachni/option_groups/datastore_spec.rb +6 -6
data/spec/arachni/option_groups/dispatcher_spec.rb +19 -19
data/spec/arachni/option_groups/http_spec.rb +11 -11
data/spec/arachni/option_groups/input_spec.rb +31 -27
data/spec/arachni/option_groups/output_spec.rb +2 -2
data/spec/arachni/option_groups/paths_spec.rb +17 -17
data/spec/arachni/option_groups/rpc_spec.rb +2 -2
data/spec/arachni/option_groups/scope_spec.rb +40 -40
data/spec/arachni/option_groups/session_spec.rb +6 -5
data/spec/arachni/option_groups/snapshot_spec.rb +4 -4
data/spec/arachni/options_spec.rb +46 -45
data/spec/arachni/page/dom/transition_spec.rb +74 -72
data/spec/arachni/page/dom_spec.rb +35 -35
data/spec/arachni/page/scope_spec.rb +15 -15
data/spec/arachni/page_spec.rb +217 -217
data/spec/arachni/parser_spec.rb +106 -104
data/spec/arachni/platform/fingerprinter_spec.rb +17 -14
data/spec/arachni/platform/list_spec.rb +33 -33
data/spec/arachni/platform/manager_spec.rb +67 -64
data/spec/arachni/plugin/base_spec.rb +10 -10
data/spec/arachni/plugin/manager_spec.rb +38 -37
data/spec/arachni/report_spec.rb +43 -40
data/spec/arachni/reporter/base_spec.rb +15 -15
data/spec/arachni/reporter/manager_spec.rb +4 -4
data/spec/arachni/reporter/options_spec.rb +6 -6
data/spec/arachni/rpc/client/base_spec.rb +6 -6
data/spec/arachni/rpc/client/dispatcher_spec.rb +2 -2
data/spec/arachni/rpc/client/instance_spec.rb +6 -6
data/spec/arachni/rpc/server/active_options_spec.rb +11 -8
data/spec/arachni/rpc/server/base_spec.rb +5 -5
data/spec/arachni/rpc/server/checks/manager_spec.rb +8 -8
data/spec/arachni/rpc/server/dispatcher/node_spec.rb +37 -37
data/spec/arachni/rpc/server/dispatcher/service_spec.rb +15 -14
data/spec/arachni/rpc/server/dispatcher_spec.rb +36 -35
data/spec/arachni/rpc/server/framework/distributor_spec.rb +36 -36
data/spec/arachni/rpc/server/framework_multi_spec.rb +340 -336
data/spec/arachni/rpc/server/framework_spec.rb +90 -85
data/spec/arachni/rpc/server/instance_spec.rb +126 -107
data/spec/arachni/rpc/server/output_spec.rb +1 -1
data/spec/arachni/rpc/server/plugin/manager_spec.rb +6 -6
data/spec/arachni/ruby/array_spec.rb +42 -42
data/spec/arachni/ruby/hash_spec.rb +20 -18
data/spec/arachni/ruby/io_spec.rb +2 -2
data/spec/arachni/ruby/object_spec.rb +1 -1
data/spec/arachni/ruby/set_spec.rb +3 -3
data/spec/arachni/ruby/string_spec.rb +30 -30
data/spec/arachni/ruby/webrick_spec.rb +2 -2
data/spec/arachni/scope_spec.rb +1 -1
data/spec/arachni/session_spec.rb +67 -64
data/spec/arachni/snapshot_spec.rb +15 -15
data/spec/arachni/state/audit_spec.rb +11 -11
data/spec/arachni/state/element_filter_spec.rb +6 -6
data/spec/arachni/state/framework/rpc_spec.rb +12 -12
data/spec/arachni/state/framework_spec.rb +125 -121
data/spec/arachni/state/http_spec.rb +7 -7
data/spec/arachni/state/options_spec.rb +7 -7
data/spec/arachni/state/plugins_spec.rb +8 -8
data/spec/arachni/state_spec.rb +10 -10
data/spec/arachni/support/buffer/autoflush_spec.rb +16 -16
data/spec/arachni/support/buffer/base_spec.rb +39 -39
data/spec/arachni/support/cache/least_cost_replacement_spec.rb +18 -18
data/spec/arachni/support/cache/least_recently_pushed_spec.rb +24 -24
data/spec/arachni/support/cache/least_recently_used_spec.rb +20 -20
data/spec/arachni/support/cache/preference_spec.rb +4 -4
data/spec/arachni/support/cache/random_replacement_spec.rb +8 -8
data/spec/arachni/support/crypto/rsa_aes_cbc_spec.rb +1 -1
data/spec/arachni/support/database/hash_spec.rb +44 -43
data/spec/arachni/support/database/queue_spec.rb +27 -27
data/spec/arachni/support/lookup/hash_set_spec.rb +8 -8
data/spec/arachni/support/lookup/moolb_spec.rb +3 -3
data/spec/arachni/support/mixins/observable_spec.rb +6 -6
data/spec/arachni/support/signature_spec.rb +19 -19
data/spec/arachni/trainer_spec.rb +39 -39
data/spec/arachni/typhoeus/hydra_spec.rb +2 -2
data/spec/arachni/uri/scope_spec.rb +66 -66
data/spec/arachni/uri_spec.rb +107 -105
data/spec/arachni/utilities_spec.rb +40 -40
data/spec/components/checks/active/csrf_spec.rb +8 -8
data/spec/components/checks/active/no_sql_injection_spec.rb +1 -1
data/spec/components/checks/active/sql_injection_spec.rb +16 -16
data/spec/components/checks/active/trainer_spec.rb +4 -4
data/spec/components/checks/active/unvalidated_redirect_dom_spec.rb +4 -2
data/spec/components/checks/active/xpath_injection_spec.rb +1 -1
data/spec/components/checks/active/xss_dom_script_context_spec.rb +51 -21
data/spec/components/checks/active/xss_dom_spec.rb +46 -24
data/spec/components/checks/passive/allowed_methods_spec.rb +1 -1
data/spec/components/checks/passive/grep/cookie_set_for_parent_domain_spec.rb +1 -1
data/spec/components/checks/passive/grep/hsts_spec.rb +2 -2
data/spec/components/checks/passive/grep/http_only_cookies_spec.rb +1 -1
data/spec/components/checks/passive/grep/insecure_cookies_spec.rb +1 -1
data/spec/components/checks/passive/grep/insecure_cors_policy_spec.rb +2 -2
data/spec/components/checks/passive/grep/password_autocomplete_spec.rb +1 -1
data/spec/components/checks/passive/grep/private_ip_spec.rb +3 -3
data/spec/components/checks/passive/grep/unencrypted_password_forms_spec.rb +1 -1
data/spec/components/checks/passive/grep/x_frame_options_spec.rb +2 -2
data/spec/components/checks/passive/interesting_responses_spec.rb +2 -2
data/spec/components/checks/passive/webdav_spec.rb +1 -1
data/spec/components/checks/passive/xst_spec.rb +1 -1
data/spec/components/fingerprinters/servers/apache_spec.rb +2 -2
data/spec/components/path_extractors/comments_spec.rb +5 -1
data/spec/components/path_extractors/scripts_spec.rb +5 -2
data/spec/components/plugins/autologin_spec.rb +22 -22
data/spec/components/plugins/autothrottle_spec.rb +6 -5
data/spec/components/plugins/content_types_spec.rb +4 -4
data/spec/components/plugins/cookie_collector_spec.rb +5 -5
data/spec/components/plugins/exec_spec.rb +12 -12
data/spec/components/plugins/form_dicattack_spec.rb +3 -3
data/spec/components/plugins/headers_collector_spec.rb +8 -8
data/spec/components/plugins/healthmap_spec.rb +3 -3
data/spec/components/plugins/http_dicattack_spec.rb +3 -3
data/spec/components/plugins/login_script_spec.rb +79 -22
data/spec/components/plugins/meta/remedies/discovery_spec.rb +3 -2
data/spec/components/plugins/meta/remedies/timing_attacks_spec.rb +3 -3
data/spec/components/plugins/meta/uniformity_spec.rb +2 -2
data/spec/components/plugins/restrict_to_dom_state_spec.rb +1 -1
data/spec/components/plugins/script_spec.rb +1 -1
data/spec/components/plugins/uncommon_headers_spec.rb +2 -2
data/spec/components/plugins/vector_collector_spec.rb +2 -2
data/spec/components/plugins/vector_feed_spec.rb +40 -40
data/spec/components/plugins/waf_detector_spec.rb +6 -6
data/spec/components/reporters/json_spec.rb +4 -4
data/spec/components/reporters/marshal_spec.rb +2 -2
data/spec/components/reporters/yaml_spec.rb +3 -2
data/spec/external/wavsep/active/sqli_spec.rb +1 -3
data/spec/spec_helper.rb +4 -0
data/spec/support/factories/element/ui_form.rb +14 -0
data/spec/support/factories/element/ui_input.rb +13 -0
data/spec/support/factories/issue.rb +0 -13
data/spec/support/fixtures/report.afr +0 -0
data/spec/support/fixtures/{taint_check/taint.rb → signature_check/signature.rb} +2 -2
data/spec/support/helpers/browser_cluster/jobs/taint_tracer.rb +11 -11
data/spec/support/helpers/framework.rb +1 -1
data/spec/support/helpers/pages.rb +2 -2
data/spec/support/servers/arachni/browser.rb +139 -0
data/spec/support/servers/arachni/browser/javascript/taint_tracer.rb +40 -0
data/spec/support/servers/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +0 -0
data/spec/support/servers/arachni/element/input/input_dom.rb +102 -0
data/spec/support/servers/arachni/element/ui_form/ui_form_dom.rb +238 -0
data/spec/support/servers/checks/active/trainer_check.rb +7 -7
data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +22 -6
data/spec/support/servers/checks/active/xss_dom.rb +50 -0
data/spec/support/servers/checks/active/xss_dom_script_context.rb +53 -0
data/spec/support/shared/browser/javascript/taint_tracer/sink/base.rb +6 -6
data/spec/support/shared/check.rb +10 -12
data/spec/support/shared/component/options/base.rb +24 -24
data/spec/support/shared/element/base.rb +25 -25
data/spec/support/shared/element/capabilities/auditable.rb +116 -140
data/spec/support/shared/element/capabilities/dom_only.rb +65 -0
data/spec/support/shared/element/capabilities/inputtable.rb +71 -86
data/spec/support/shared/element/capabilities/mutable.rb +122 -111
data/spec/support/shared/element/capabilities/refreshable.rb +10 -10
data/spec/support/shared/element/capabilities/{submitable.rb → submittable.rb} +26 -26
data/spec/support/shared/element/capabilities/with_auditor.rb +10 -10
data/spec/support/shared/element/capabilities/with_dom.rb +8 -8
data/spec/support/shared/element/capabilities/with_node.rb +4 -6
data/spec/support/shared/element/capabilities/with_scope.rb +2 -2
data/spec/support/shared/element/capabilities/with_source.rb +6 -8
data/spec/support/shared/element/dom.rb +144 -0
data/spec/support/shared/element/dom/auditable.rb +42 -0
data/spec/support/shared/element/dom/inputtable.rb +5 -0
data/spec/support/shared/element/dom/mutable.rb +3 -0
data/spec/support/shared/element/dom/submittable.rb +119 -0
data/spec/support/shared/external/wavsep.rb +3 -3
data/spec/support/shared/fingerprinter.rb +2 -2
data/spec/support/shared/framework.rb +1 -1
data/spec/support/shared/http/message.rb +9 -9
data/spec/support/shared/option_group.rb +17 -17
data/spec/support/shared/path_extractor.rb +1 -1
data/spec/support/shared/plugin.rb +2 -2
data/spec/support/shared/support/cache.rb +57 -57
data/spec/support/shared/support/lookup.rb +25 -25
data/ui/cli/framework.rb +22 -11
data/ui/cli/framework/option_parser.rb +15 -0
data/ui/cli/option_parser.rb +8 -1
data/ui/cli/output.rb +2 -1
metadata +54 -20
data/components/checks/active/xss_dom_inputs.rb +0 -236
data/spec/components/checks/active/xss_dom_inputs_spec.rb +0 -30
data/spec/support/servers/checks/active/xss_dom_inputs.rb +0 -59
data/spec/support/shared/element/capabilities/auditable/dom.rb +0 -322

data/spec/support/shared/element/dom/auditable.rb ADDED

@@ -0,0 +1,42 @@
+shared_examples_for 'auditable_dom' do
+    it_should_behave_like 'auditable'
+    describe '#with_browser_cluster' do
+        context 'when a browser cluster is' do
+            context 'available' do
+                it 'passes a BrowserCluster to the given block' do
+                    worker = nil
+                    subject.with_browser_cluster do |cluster|
+                        worker = cluster
+                    end
+                    expect(worker).to eq(subject.auditor.browser_cluster)
+                end
+            end
+        end
+    end
+    describe '#with_browser' do
+        context 'when a browser cluster is' do
+            context 'available' do
+                it 'passes a BrowserCluster::Worker to the given block' do
+                    worker = nil
+                    expect(subject.with_browser do |browser|
+                        worker = browser
+                    end).to be_truthy
+                    subject.auditor.browser_cluster.wait
+                    expect(worker).to be_kind_of Arachni::BrowserCluster::Worker
+                end
+            end
+        end
+    end
+    describe '#auditor' do
+        it 'returns the assigned auditor' do
+            expect(subject.auditor).to be_kind_of Arachni::Check::Auditor
+        end
+    end
+end

data/spec/support/shared/element/dom/inputtable.rb ADDED

@@ -0,0 +1,5 @@
+shared_examples_for 'inputtable_dom' do |options = {}|
+    it_should_behave_like 'inputtable', options
+    it 'does not support null bytes'
+end

data/spec/support/shared/element/dom/mutable.rb ADDED

@@ -0,0 +1,3 @@
+shared_examples_for 'mutable_dom' do |options = {}|
+    it_should_behave_like 'mutable', options.merge( supports_nulls: false )
+end

data/spec/support/shared/element/dom/submittable.rb ADDED

@@ -0,0 +1,119 @@
+shared_examples_for 'submittable_dom' do
+    it_should_behave_like 'submittable'
+    describe '#submit' do
+        it 'submits the element' do
+            inputs = { subject.inputs.keys.first => subject.inputs.values.first + '1' }
+            subject.inputs = inputs
+            called = false
+            subject.submit do |page|
+                expect(inputs).to eq(auditable_extract_parameters( page ))
+                called = true
+            end
+            subject.auditor.browser_cluster.wait
+            expect(called).to be_truthy
+        end
+        it 'sets the #performer on the returned page' do
+            called = false
+            subject.submit do |page|
+                expect(page.performer).to be_kind_of described_class
+                called = true
+            end
+            subject.auditor.browser_cluster.wait
+            expect(called).to be_truthy
+        end
+        it 'sets the #browser on the #performer' do
+            called = false
+            subject.submit do |page|
+                expect(page.performer.browser).to be_kind_of Arachni::BrowserCluster::Worker
+                called = true
+            end
+            subject.auditor.browser_cluster.wait
+            expect(called).to be_truthy
+        end
+        it 'sets the #element on the #performer',
+           if: described_class.ancestors.include?( Arachni::Element::Capabilities::WithNode ) do
+            called = false
+            subject.submit do |page|
+                expect(page.performer.element).to be_kind_of Watir::HTMLElement
+                called = true
+            end
+            subject.auditor.browser_cluster.wait
+            expect(called).to be_truthy
+        end
+        it 'adds the submission transitions to the Page::DOM#transitions' do
+            transitions = []
+            subject.with_browser do |browser|
+                subject.browser = browser
+                browser.load subject.page
+                transitions = subject.trigger
+            end
+            subject.auditor.browser_cluster.wait
+            submitted_page = nil
+            subject.dup.submit do |page|
+                submitted_page = page
+            end
+            subject.auditor.browser_cluster.wait
+            transitions.each do |transition|
+                expect(subject.page.dom.transitions).not_to include transition
+                expect(submitted_page.dom.transitions).to include transition
+            end
+        end
+        context 'when the element could not be submitted' do
+            it 'does not call the block' do
+                allow(subject).to receive( :trigger ) { false }
+                called = false
+                subject.submit do
+                    called = true
+                end
+                subject.auditor.browser_cluster.wait
+                expect(called).to be_falsey
+            end
+        end
+        describe :options do
+            describe :custom_code do
+                it 'injects the given code' do
+                    called = false
+                    title = 'Injected title'
+                    subject.submit custom_code: "document.title = #{title.inspect}" do |page|
+                        expect(page.document.css('title').text).to eq(title)
+                        called = true
+                    end
+                    subject.auditor.browser_cluster.wait
+                    expect(called).to be_truthy
+                end
+            end
+            describe :taint do
+                it 'sets the Browser::Javascript#taint' do
+                    taint = Arachni::Utilities.generate_token
+                    set_taint = nil
+                    subject.submit taint: taint do |page|
+                        set_taint = page.performer.browser.javascript.taint
+                    end
+                    subject.auditor.browser_cluster.wait
+                    expect(set_taint).to eq(taint)
+                end
+            end
+        end
+    end
+end

data/spec/support/shared/external/wavsep.rb CHANGED

@@ -69,9 +69,9 @@ shared_examples_for 'wavsep' do
                         test_cases( http_method ).each do |description, info|
                             context description do
                                 it "logs #{(info[:vulnerable] || []).size + (info[:vulnerable_absolute] || []).size} unique resources using #{[info[:checks]].flatten.join( ', ' )}" do
-                                    pending "'WAVSEP_URL' env variable has not been set." if !wavsep_url
+                                    skip "'WAVSEP_URL' env variable has not been set." if !wavsep_url
-                                    Arachni::Data.issues.should be_empty
+                                    expect(Arachni::Data.issues).to be_empty
                                     if info[:root_url]
                                         @framework.options.url = wavsep_url
@@ -96,7 +96,7 @@ shared_examples_for 'wavsep' do
                                     # pp resources.map { |u| u.gsub( @framework.options.url, '' ) }
                                     # puts format_error( urls, resources, expected )
-                                    resources.should eq(expected), format_error( urls, resources, expected )
+                                    expect(resources).to eq(expected), format_error( urls, resources, expected )
                                     instance_eval &block if block_given?
                                 end

data/spec/support/shared/fingerprinter.rb CHANGED

@@ -7,13 +7,13 @@ shared_examples_for 'fingerprinter' do
     def check_platforms( page )
         platforms.each do |p|
-            platforms_for( page ).should include p
+            expect(platforms_for( page )).to include p
         end
     end
     def platforms_for( page )
         Arachni::Platform::Manager.reset
-        page.platforms.should be_empty
+        expect(page.platforms).to be_empty
         described_class.new( page ).run
         page.platforms

data/spec/support/shared/framework.rb CHANGED

@@ -10,7 +10,7 @@ shared_examples_for 'framework' do
     before( :each ) do
         reset_options
         @options.paths.reporters = fixtures_path + '/reporters/manager_spec/'
-        @options.paths.checks    = fixtures_path + '/taint_check/'
+        @options.paths.checks    = fixtures_path + '/signature_check/'
         @f = Arachni::Framework.new
         @f.options.url = @url

data/spec/support/shared/http/message.rb CHANGED

@@ -12,25 +12,25 @@ shared_examples_for 'Arachni::HTTP::Message' do
                 }
             }
             r = described_class.new(options)
-            r.headers.should == options[:headers]
+            expect(r.headers).to eq(options[:headers])
         end
     end
     describe '#scope' do
         it "returns #{described_class::Scope}" do
-            subject.scope.should be_kind_of described_class::Scope
+            expect(subject.scope).to be_kind_of described_class::Scope
         end
     end
     describe '#url=' do
         it 'sets the #url' do
             subject.url = "#{url}/2"
-            subject.url.should == "#{url}/2"
+            expect(subject.url).to eq("#{url}/2")
         end
         it 'forces it to a string' do
             subject.url = nil
-            subject.url.should == ''
+            expect(subject.url).to eq('')
         end
         it 'it freezes it' do
@@ -38,34 +38,34 @@ shared_examples_for 'Arachni::HTTP::Message' do
             r = described_class.new( url: url )
             r.url = url
-            r.url.should be_frozen
+            expect(r.url).to be_frozen
         end
         it 'normalizes it' do
             url = 'HttP://Stuff.Com/'
             r = described_class.new( url: url )
             r.url = url
-            r.url.should == url.downcase
+            expect(r.url).to eq(url.downcase)
         end
     end
     describe '#headers' do
         context 'when not configured' do
             it 'defaults to an empty Hash' do
-                subject.headers.should == {}
+                expect(subject.headers).to eq({})
             end
         end
         it 'returns the configured value' do
             headers = { 'Content-Type' => 'text/plain' }
-            described_class.new(url: url, headers: headers).headers.should == headers
+            expect(described_class.new(url: url, headers: headers).headers).to eq(headers)
         end
     end
     describe '#body' do
         it 'returns the configured body' do
             body = 'Stuff...'
-            described_class.new(url: url, body: body).body.should == body
+            expect(described_class.new(url: url, body: body).body).to eq(body)
         end
     end

data/spec/support/shared/option_group.rb CHANGED

@@ -1,23 +1,23 @@
 shared_examples_for 'option_group' do
-    it { should respond_to :to_h }
+    it { is_expected.to respond_to :to_h }
     describe '#to_rpc_data' do
         let(:data) { subject.to_rpc_data }
         it 'converts self to a serializable hash' do
-            data.should be_kind_of Hash
+            expect(data).to be_kind_of Hash
-            Arachni::RPC::Serializer.load(
+            expect(Arachni::RPC::Serializer.load(
                 Arachni::RPC::Serializer.dump( data )
-            ).should == data
+            )).to eq(data)
         end
     end
     described_class.defaults.each do |k, v|
         describe "##{k}" do
             it "defaults to #{v}" do
-                subject.instance_variable_get( "@#{k}".to_sym ).should == v
-                subject.send( k ).should == v
+                expect(subject.instance_variable_get( "@#{k}".to_sym )).to eq(v)
+                expect(subject.send( k )).to eq(v)
             end
         end
     end
@@ -25,35 +25,35 @@ shared_examples_for 'option_group' do
     it 'honors default values for attributes' do
         subject.defaults.each do |k, v|
             subject.send "#{k}=", nil
-            subject.instance_variable_get( "@#{k}".to_sym ).should == v
-            subject.send( k ).should == v
+            expect(subject.instance_variable_get( "@#{k}".to_sym )).to eq(v)
+            expect(subject.send( k )).to eq(v)
         end
     end
     describe '#to_hash' do
         it 'returns a hash' do
-            subject.to_hash.should be_kind_of Hash
+            expect(subject.to_hash).to be_kind_of Hash
         end
     end
     describe '#to_h' do
         it 'returns a hash' do
-            subject.to_h.should be_kind_of Hash
+            expect(subject.to_h).to be_kind_of Hash
         end
         it 'only includes attributes with accessors' do
             method = subject.methods.find { |m| m.to_s.end_with? '=' }
             if method == :=== || method == :==
-                subject.to_h.should be_empty
+                expect(subject.to_h).to be_empty
                 next
             end
             subject.send( method, subject.defaults[method.to_s[0..-1].to_sym] )
             hash = subject.to_h
-            hash.should be_any
+            expect(hash).to be_any
             hash.each do |k, v|
-                subject.should respond_to "#{k}="
+                expect(subject).to respond_to "#{k}="
             end
         end
     end
@@ -67,11 +67,11 @@ shared_examples_for 'option_group' do
             value  = subject.defaults[method.to_s[0..-1].to_sym]
             subject.update( { method => value } )
-            subject.send( method ).should == value
+            expect(subject.send( method )).to eq(value)
         end
         it 'returns self' do
-            subject.update({}).should == subject
+            expect(subject.update({})).to eq(subject)
         end
     end
@@ -87,12 +87,12 @@ shared_examples_for 'option_group' do
             group.update( { method => value } )
             subject.merge( group )
-            subject.send( method ).should == value
+            expect(subject.send( method )).to eq(value)
         end
         it 'returns self' do
             group = described_class.new
-            subject.merge( group ).should == subject
+            expect(subject.merge( group )).to eq(subject)
         end
     end
 end

data/spec/support/shared/path_extractor.rb CHANGED

@@ -19,7 +19,7 @@ shared_examples_for "path_extractor" do
         it "extracts the expected paths" do
             raise 'No paths provided via #results, use \':nil\' for \'nil\' results.' if !results
-            actual_results.sort.should == results.sort
+            expect(actual_results.sort).to eq results.sort
             instance_eval &block if block_given?
         end
     end

data/spec/support/shared/plugin.rb CHANGED

@@ -19,12 +19,12 @@ shared_examples_for 'plugin' do
     def results
     end
-    def self.easy_test( &block )
+    def self.easy_test( match = true, &block )
         it 'logs the expected results' do
             raise 'No results provided via #results, use \':nil\' for \'nil\' results.' if !results
             run
-            actual_results.should be_eql( expected_results )
+            expect(actual_results).to eq( expected_results ) if match
             instance_eval &block if block_given?
         end

data/spec/support/shared/support/cache.rb CHANGED

@@ -7,12 +7,12 @@ shared_examples_for 'cache' do
         describe 'max_size' do
             describe 'nil' do
                 it 'leaves the cache uncapped' do
-                    described_class.new.capped?.should be_false
+                    expect(described_class.new.capped?).to be_falsey
                 end
             end
             describe Integer do
                 it 'imposes a limit to the size of the cache' do
-                    described_class.new( 10 ).capped?.should be_true
+                    expect(described_class.new( 10 ).capped?).to be_truthy
                 end
             end
         end
@@ -21,13 +21,13 @@ shared_examples_for 'cache' do
     describe '#max_size' do
         context 'when just initialized' do
             it 'returns nil (unlimited)' do
-                subject.max_size.should be_nil
+                expect(subject.max_size).to be_nil
             end
         end
         context 'when set' do
             it 'returns the set value' do
-                (subject.max_size = 50).should == 50
-                subject.max_size.should == 50
+                expect(subject.max_size = 50).to eq(50)
+                expect(subject.max_size).to eq(50)
             end
         end
     end
@@ -44,14 +44,14 @@ shared_examples_for 'cache' do
         context 'when the cache has no size limit' do
             it 'returns false' do
                 subject.uncap
-                subject.capped?.should be_false
-                subject.max_size.should be_nil
+                expect(subject.capped?).to be_falsey
+                expect(subject.max_size).to be_nil
             end
         end
         context 'when the cache has a size limit' do
             it 'returns true' do
                 subject.max_size = 1
-                subject.capped?.should be_true
+                expect(subject.capped?).to be_truthy
             end
         end
     end
@@ -60,15 +60,15 @@ shared_examples_for 'cache' do
         context 'when the cache has no size limit' do
             it 'returns true' do
                 subject.uncap
-                subject.uncapped?.should be_true
-                subject.max_size.should be_nil
+                expect(subject.uncapped?).to be_truthy
+                expect(subject.max_size).to be_nil
             end
         end
         context 'when the cache has a size limit' do
             it 'returns false' do
                 subject.max_size = 1
-                subject.max_size.should == 1
-                subject.uncapped?.should be_false
+                expect(subject.max_size).to eq(1)
+                expect(subject.uncapped?).to be_falsey
             end
         end
     end
@@ -76,19 +76,19 @@ shared_examples_for 'cache' do
     describe '#uncap' do
         it 'removes the size limit' do
             subject.max_size = 1
-            subject.uncapped?.should be_false
-            subject.max_size.should == 1
+            expect(subject.uncapped?).to be_falsey
+            expect(subject.max_size).to eq(1)
             subject.uncap
-            subject.uncapped?.should be_true
-            subject.max_size.should be_nil
+            expect(subject.uncapped?).to be_truthy
+            expect(subject.max_size).to be_nil
         end
     end
     describe '#max_size=' do
         it 'sets the maximum size for the cache' do
-            (subject.max_size = 100).should == 100
-            subject.max_size.should == 100
+            expect(subject.max_size = 100).to eq(100)
+            expect(subject.max_size).to eq(100)
         end
         context 'when passed < 0' do
@@ -99,7 +99,7 @@ shared_examples_for 'cache' do
                 rescue
                     raised = true
                 end
-                raised.should be_true
+                expect(raised).to be_truthy
             end
         end
     end
@@ -107,14 +107,14 @@ shared_examples_for 'cache' do
     describe '#size' do
         context 'when the cache is empty' do
             it 'returns 0' do
-                subject.size.should == 0
+                expect(subject.size).to eq(0)
             end
         end
         context 'when the cache is not empty' do
             it 'returns a value > 0' do
                 subject['stuff'] = [ 'ff ' ]
-                subject.size.should > 0
+                expect(subject.size).to be > 0
             end
         end
     end
@@ -122,13 +122,13 @@ shared_examples_for 'cache' do
     describe '#empty?' do
         context 'when the cache is empty' do
             it 'returns true' do
-                subject.empty?.should be_true
+                expect(subject.empty?).to be_truthy
             end
         end
         context 'when the cache is not empty' do
             it 'returns false' do
                 subject['stuff2'] = 'ff'
-                subject.empty?.should be_false
+                expect(subject.empty?).to be_falsey
             end
         end
     end
@@ -136,13 +136,13 @@ shared_examples_for 'cache' do
     describe '#any?' do
         context 'when the cache is empty' do
             it 'returns true' do
-                subject.any?.should be_false
+                expect(subject.any?).to be_falsey
             end
         end
         context 'when the cache is not empty' do
             it 'returns false' do
                 subject['stuff3'] = [ 'ff ' ]
-                subject.any?.should be_true
+                expect(subject.any?).to be_truthy
             end
         end
     end
@@ -150,13 +150,13 @@ shared_examples_for 'cache' do
     describe '#[]=' do
         it 'stores an object' do
             v = 'val'
-            (subject[:key] = v).should == v
-            subject[:key].should == v
+            expect(subject[:key] = v).to eq(v)
+            expect(subject[:key]).to eq(v)
         end
         it 'is alias of #store' do
             v = 'val2'
-            subject.store( :key2, v ).should == v
-            subject[:key2].should == v
+            expect(subject.store( :key2, v )).to eq(v)
+            expect(subject[:key2]).to eq(v)
         end
     end
@@ -164,13 +164,13 @@ shared_examples_for 'cache' do
         it 'retrieves an object by key' do
             v = 'val2'
             subject[:key] = v
-            subject[:key].should == v
-            subject.empty?.should be_false
+            expect(subject[:key]).to eq(v)
+            expect(subject.empty?).to be_falsey
         end
         context 'when the key does not exist' do
             it 'returns nil' do
-                subject[:some_key].should be_nil
+                expect(subject[:some_key]).to be_nil
             end
         end
     end
@@ -185,7 +185,7 @@ shared_examples_for 'cache' do
                 cache[:my_key] = old_val
                 cache.fetch_or_store( :my_key ) { new_val }
-                cache[:my_key].should == old_val
+                expect(cache[:my_key]).to eq(old_val)
             end
         end
@@ -195,7 +195,7 @@ shared_examples_for 'cache' do
                 cache = described_class.new
                 cache.fetch_or_store( :my_key ) { new_val }
-                cache[:my_key].should == new_val
+                expect(cache[:my_key]).to eq(new_val)
             end
         end
     end
@@ -204,12 +204,12 @@ shared_examples_for 'cache' do
         context 'when the key exists' do
             it 'returns true' do
                 subject[:key1] = 'v'
-                subject.include?( :key1 ).should be_true
+                expect(subject.include?( :key1 )).to be_truthy
             end
         end
         context 'when the key does not exist' do
             it 'returns false' do
-                subject.include?( :key2 ).should be_false
+                expect(subject.include?( :key2 )).to be_falsey
             end
         end
     end
@@ -219,21 +219,21 @@ shared_examples_for 'cache' do
             it 'deletes a key' do
                 v = 'my_val'
                 subject[:my_key] = v
-                subject.delete( :my_key ).should == v
-                subject[:my_key].should be_nil
-                subject.include?( :my_key ).should be_false
+                expect(subject.delete( :my_key )).to eq(v)
+                expect(subject[:my_key]).to be_nil
+                expect(subject.include?( :my_key )).to be_falsey
             end
             it 'returns its value' do
                 v = 'my_val'
                 subject[:my_key] = v
-                subject.delete( :my_key ).should == v
-                subject[:my_key].should be_nil
-                subject.include?( :my_key ).should be_false
+                expect(subject.delete( :my_key )).to eq(v)
+                expect(subject[:my_key]).to be_nil
+                expect(subject.include?( :my_key )).to be_falsey
             end
         end
         context 'when the key does not exist' do
             it 'should return nil' do
-                subject.delete( :my_key2 ).should be_nil
+                expect(subject.delete( :my_key2 )).to be_nil
             end
         end
     end
@@ -241,13 +241,13 @@ shared_examples_for 'cache' do
     describe '#empty?' do
         context 'when cache is empty' do
             it 'returns true' do
-                subject.empty?.should be_true
+                expect(subject.empty?).to be_truthy
             end
         end
         context 'when cache is not empty' do
             it 'returns false' do
                 subject['ee'] = 'rr'
-                subject.empty?.should be_false
+                expect(subject.empty?).to be_falsey
             end
         end
     end
@@ -255,13 +255,13 @@ shared_examples_for 'cache' do
     describe '#any?' do
         context 'when cache is empty' do
             it 'returns false' do
-                subject.any?.should be_false
+                expect(subject.any?).to be_falsey
             end
         end
         context 'when cache is not empty' do
             it 'returns true' do
                 subject['ee'] = 'rr'
-                subject.any?.should be_true
+                expect(subject.any?).to be_truthy
             end
         end
     end
@@ -269,12 +269,12 @@ shared_examples_for 'cache' do
     describe '#clear' do
         it 'empties the cache' do
             subject[:my_key2] = 'v'
-            subject.size.should > 0
-            subject.empty?.should be_false
+            expect(subject.size).to be > 0
+            expect(subject.empty?).to be_falsey
             subject.clear
-            subject.size.should == 0
-            subject.empty?.should be_true
+            expect(subject.size).to eq(0)
+            expect(subject.empty?).to be_truthy
         end
     end
@@ -286,7 +286,7 @@ shared_examples_for 'cache' do
                 subject[:test_key] = 'test_val'
                 new[:test_key]     = 'test_val'
-                subject.should == new
+                expect(subject).to eq(new)
             end
         end
@@ -297,7 +297,7 @@ shared_examples_for 'cache' do
                 subject[:test_key] = 'test_val'
                 new[:test_key]     = 'test_val2'
-                subject.should_not == new
+                expect(subject).not_to eq(new)
             end
         end
     end
@@ -310,7 +310,7 @@ shared_examples_for 'cache' do
                 subject[:test_key] = 'test_val'
                 new[:test_key]     = 'test_val'
-                subject.hash.should == new.hash
+                expect(subject.hash).to eq(new.hash)
             end
         end
@@ -321,7 +321,7 @@ shared_examples_for 'cache' do
                 subject[:test_key] = 'test_val'
                 new[:test_key]     = 'test_val2'
-                subject.hash.should_not == new.hash
+                expect(subject.hash).not_to eq(new.hash)
             end
         end
     end
@@ -331,11 +331,11 @@ shared_examples_for 'cache' do
             subject[:test_key] = 'test_val'
             copy = subject.dup
-            copy.should == subject
+            expect(copy).to eq(subject)
             copy[:test_key] = 'test_val2'
-            copy.should_not == subject
+            expect(copy).not_to eq(subject)
         end
     end
 end