RubyGems - arachni - Versions diffs - 1.2.1 → 1.3 - Mend

arachni 1.2.1 → 1.3

Files changed (373) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +66 -0
data/Gemfile +1 -1
data/README.md +16 -5
data/components/checks/active/ldap_injection/errors.txt +1 -0
data/components/checks/active/source_code_disclosure.rb +1 -1
data/components/checks/active/unvalidated_redirect.rb +6 -6
data/components/checks/active/unvalidated_redirect_dom.rb +10 -7
data/components/checks/passive/grep/captcha.rb +14 -5
data/components/checks/passive/grep/form_upload.rb +7 -3
data/components/checks/passive/grep/hsts.rb +3 -3
data/components/checks/passive/grep/html_objects.rb +2 -3
data/components/checks/passive/grep/http_only_cookies.rb +2 -3
data/components/checks/passive/grep/insecure_cookies.rb +1 -1
data/components/checks/passive/grep/password_autocomplete.rb +2 -2
data/components/checks/passive/grep/unencrypted_password_forms.rb +7 -7
data/components/checks/passive/grep/x_frame_options.rb +2 -2
data/components/checks/passive/http_put.rb +2 -3
data/components/path_extractors/comments.rb +3 -3
data/components/path_extractors/scripts.rb +10 -1
data/components/plugins/defaults/autothrottle.rb +27 -18
data/components/plugins/defaults/meta/remedies/discovery.rb +30 -33
data/components/plugins/defaults/meta/remedies/timing_attacks.rb +7 -11
data/components/plugins/login_script.rb +9 -3
data/components/plugins/proxy.rb +4 -3
data/components/reporters/html.rb +11 -14
data/components/reporters/html/default/issue.erb +13 -38
data/components/reporters/html/default/issue/info.erb +1 -1
data/components/reporters/html/default/summary/issues/by_name.erb +3 -3
data/components/reporters/stdout.rb +62 -71
data/components/reporters/xml.rb +26 -40
data/components/reporters/xml/schema.xsd +43 -89
data/lib/arachni/browser.rb +52 -3
data/lib/arachni/browser/javascript.rb +3 -3
data/lib/arachni/browser/javascript/scripts/taint_tracer.js +46 -25
data/lib/arachni/browser_cluster.rb +61 -0
data/lib/arachni/browser_cluster/job.rb +21 -1
data/lib/arachni/browser_cluster/jobs/browser_provider.rb +3 -1
data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +2 -1
data/lib/arachni/browser_cluster/jobs/resource_exploration/event_trigger.rb +2 -1
data/lib/arachni/browser_cluster/jobs/taint_trace.rb +3 -2
data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +1 -1
data/lib/arachni/browser_cluster/worker.rb +5 -0
data/lib/arachni/check/auditor.rb +22 -12
data/lib/arachni/data/framework.rb +13 -1
data/lib/arachni/data/issues.rb +9 -25
data/lib/arachni/element/base.rb +9 -3
data/lib/arachni/element/capabilities/analyzable.rb +2 -6
data/lib/arachni/element/capabilities/analyzable/differential.rb +24 -7
data/lib/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +23 -23
data/lib/arachni/element/capabilities/auditable.rb +0 -6
data/lib/arachni/element/capabilities/dom_only.rb +61 -0
data/lib/arachni/element/capabilities/with_dom.rb +3 -1
data/lib/arachni/element/cookie.rb +35 -5
data/lib/arachni/element/cookie/dom.rb +13 -4
data/lib/arachni/element/{capabilities/auditable/dom.rb → dom.rb} +20 -68
data/lib/arachni/element/dom/capabilities/auditable.rb +29 -0
data/lib/arachni/element/dom/capabilities/inputtable.rb +27 -0
data/lib/arachni/element/dom/capabilities/mutable.rb +21 -0
data/lib/arachni/element/dom/capabilities/submittable.rb +52 -0
data/lib/arachni/element/form.rb +12 -1
data/lib/arachni/element/form/capabilities/mutable.rb +2 -1
data/lib/arachni/element/form/capabilities/with_dom.rb +0 -1
data/lib/arachni/element/form/dom.rb +9 -3
data/lib/arachni/element/header.rb +14 -33
data/lib/arachni/element/header/capabilities/inputtable.rb +29 -0
data/lib/arachni/element/header/capabilities/mutable.rb +51 -0
data/lib/arachni/element/input/dom.rb +71 -0
data/lib/arachni/element/json.rb +2 -0
data/lib/arachni/element/link.rb +3 -0
data/lib/arachni/element/link/capabilities/with_dom.rb +0 -1
data/lib/arachni/element/link/dom.rb +16 -3
data/lib/arachni/element/link/dom/capabilities/submittable.rb +29 -0
data/lib/arachni/element/link_template.rb +3 -5
data/lib/arachni/element/link_template/capabilities/inputtable.rb +5 -0
data/lib/arachni/element/link_template/capabilities/with_dom.rb +0 -1
data/lib/arachni/element/link_template/dom.rb +16 -3
data/lib/arachni/element/link_template/dom/capabilities/submittable.rb +29 -0
data/lib/arachni/element/server.rb +3 -5
data/lib/arachni/element/ui_form.rb +106 -0
data/lib/arachni/element/ui_form/dom.rb +107 -0
data/lib/arachni/element/ui_input.rb +62 -0
data/lib/arachni/element/xml.rb +2 -1
data/lib/arachni/framework.rb +7 -5
data/lib/arachni/framework/parts/audit.rb +0 -1
data/lib/arachni/framework/parts/check.rb +1 -0
data/lib/arachni/framework/parts/data.rb +4 -0
data/lib/arachni/framework/parts/state.rb +0 -2
data/lib/arachni/http/client.rb +17 -6
data/lib/arachni/http/proxy_server.rb +52 -5
data/lib/arachni/http/request.rb +1 -1
data/lib/arachni/issue.rb +34 -179
data/lib/arachni/issue/severity.rb +2 -0
data/lib/arachni/option_groups/audit.rb +22 -2
data/lib/arachni/option_groups/browser_cluster.rb +15 -0
data/lib/arachni/page.rb +3 -2
data/lib/arachni/parser.rb +24 -5
data/lib/arachni/platform/manager.rb +1 -2
data/lib/arachni/rpc/server/framework.rb +3 -4
data/lib/arachni/rpc/server/framework/multi_instance.rb +2 -1
data/lib/arachni/session.rb +1 -1
data/lib/arachni/trainer.rb +4 -7
data/lib/arachni/watir/element.rb +12 -1
data/lib/version +1 -1
data/spec/arachni/browser/element_locator_spec.rb +43 -43
data/spec/arachni/browser/javascript/dom_monitor_spec.rb +44 -44
data/spec/arachni/browser/javascript/proxy/stub_spec.rb +17 -14
data/spec/arachni/browser/javascript/proxy_spec.rb +24 -24
data/spec/arachni/browser/javascript/taint_tracer/frame/called_function_spec.rb +11 -11
data/spec/arachni/browser/javascript/taint_tracer/frame_spec.rb +7 -7
data/spec/arachni/browser/javascript/taint_tracer/sink/data_flow_spec.rb +13 -13
data/spec/arachni/browser/javascript/taint_tracer/sink/execution_flow_spec.rb +7 -7
data/spec/arachni/browser/javascript/taint_tracer_spec.rb +568 -558
data/spec/arachni/browser/javascript_spec.rb +73 -63
data/spec/arachni/browser_cluster/job/result_spec.rb +3 -3
data/spec/arachni/browser_cluster/job_spec.rb +68 -48
data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger/result_spec.rb +2 -2
data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger_spec.rb +5 -4
data/spec/arachni/browser_cluster/jobs/resource_exploration/result_spec.rb +2 -2
data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +5 -5
data/spec/arachni/browser_cluster/worker_spec.rb +87 -70
data/spec/arachni/browser_cluster_spec.rb +64 -39
data/spec/arachni/browser_spec.rb +692 -527
data/spec/arachni/check/auditor_spec.rb +177 -147
data/spec/arachni/check/base_spec.rb +33 -33
data/spec/arachni/check/manager_spec.rb +15 -15
data/spec/arachni/component/base_spec.rb +8 -8
data/spec/arachni/component/manager_spec.rb +100 -99
data/spec/arachni/component/options/address_spec.rb +3 -3
data/spec/arachni/component/options/base_spec.rb +7 -7
data/spec/arachni/component/options/bool_spec.rb +9 -9
data/spec/arachni/component/options/float_spec.rb +6 -6
data/spec/arachni/component/options/int_spec.rb +5 -5
data/spec/arachni/component/options/multiple_choice_spec.rb +12 -12
data/spec/arachni/component/options/object_spec.rb +2 -2
data/spec/arachni/component/options/path_spec.rb +3 -3
data/spec/arachni/component/options/port_spec.rb +5 -5
data/spec/arachni/component/options/string_spec.rb +3 -3
data/spec/arachni/component/options/url_spec.rb +4 -4
data/spec/arachni/component/utilities_spec.rb +2 -2
data/spec/arachni/data/framework/rpc_spec.rb +10 -9
data/spec/arachni/data/framework_spec.rb +65 -46
data/spec/arachni/data/issues_spec.rb +39 -77
data/spec/arachni/data/plugins_spec.rb +11 -11
data/spec/arachni/data/session_spec.rb +6 -6
data/spec/arachni/data_spec.rb +8 -8
data/spec/arachni/element/body_spec.rb +10 -10
data/spec/arachni/element/capabilities/analyzable/differential_spec.rb +39 -21
data/spec/arachni/element/capabilities/analyzable/{taint_spec.rb → signature_spec.rb} +63 -63
data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +51 -51
data/spec/arachni/element/capabilities/with_scope/scope_spec.rb +5 -5
data/spec/arachni/element/cookie/dom_spec.rb +37 -18
data/spec/arachni/element/cookie_spec.rb +206 -139
data/spec/arachni/element/form/dom_spec.rb +36 -19
data/spec/arachni/element/form_spec.rb +210 -187
data/spec/arachni/element/generic_dom_spec.rb +14 -14
data/spec/arachni/element/header_spec.rb +35 -17
data/spec/arachni/element/json_spec.rb +53 -31
data/spec/arachni/element/link/dom_spec.rb +46 -28
data/spec/arachni/element/link_spec.rb +58 -40
data/spec/arachni/element/link_template/dom_spec.rb +47 -29
data/spec/arachni/element/link_template_spec.rb +79 -61
data/spec/arachni/element/path_spec.rb +1 -1
data/spec/arachni/element/server_spec.rb +33 -32
data/spec/arachni/element/ui_form/ui_form_dom_spec.rb +164 -0
data/spec/arachni/element/ui_form_spec.rb +242 -0
data/spec/arachni/element/ui_input/dom_spec.rb +157 -0
data/spec/arachni/element/ui_input_spec.rb +136 -0
data/spec/arachni/element/xml_spec.rb +42 -24
data/spec/arachni/element_filter_spec.rb +49 -48
data/spec/arachni/error_spec.rb +3 -3
data/spec/arachni/framework/parts/audit_spec.rb +64 -63
data/spec/arachni/framework/parts/browser_spec.rb +16 -16
data/spec/arachni/framework/parts/check_spec.rb +3 -3
data/spec/arachni/framework/parts/data_spec.rb +48 -48
data/spec/arachni/framework/parts/platform_spec.rb +3 -3
data/spec/arachni/framework/parts/plugin_spec.rb +7 -6
data/spec/arachni/framework/parts/report_spec.rb +7 -7
data/spec/arachni/framework/parts/scope_spec.rb +16 -16
data/spec/arachni/framework/parts/state_spec.rb +68 -69
data/spec/arachni/framework_spec.rb +39 -31
data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +32 -32
data/spec/arachni/http/client_spec.rb +219 -208
data/spec/arachni/http/cookie_jar_spec.rb +72 -72
data/spec/arachni/http/headers_spec.rb +14 -14
data/spec/arachni/http/proxy_server_spec.rb +43 -42
data/spec/arachni/http/request_spec.rb +105 -103
data/spec/arachni/http/response/scope_spec.rb +24 -24
data/spec/arachni/http/response_spec.rb +50 -49
data/spec/arachni/issue/severity_spec.rb +10 -9
data/spec/arachni/issue_spec.rb +71 -369
data/spec/arachni/option_groups/audit_spec.rb +114 -114
data/spec/arachni/option_groups/browser_cluster_spec.rb +20 -3
data/spec/arachni/option_groups/datastore_spec.rb +6 -6
data/spec/arachni/option_groups/dispatcher_spec.rb +19 -19
data/spec/arachni/option_groups/http_spec.rb +11 -11
data/spec/arachni/option_groups/input_spec.rb +31 -27
data/spec/arachni/option_groups/output_spec.rb +2 -2
data/spec/arachni/option_groups/paths_spec.rb +17 -17
data/spec/arachni/option_groups/rpc_spec.rb +2 -2
data/spec/arachni/option_groups/scope_spec.rb +40 -40
data/spec/arachni/option_groups/session_spec.rb +6 -5
data/spec/arachni/option_groups/snapshot_spec.rb +4 -4
data/spec/arachni/options_spec.rb +46 -45
data/spec/arachni/page/dom/transition_spec.rb +74 -72
data/spec/arachni/page/dom_spec.rb +35 -35
data/spec/arachni/page/scope_spec.rb +15 -15
data/spec/arachni/page_spec.rb +217 -217
data/spec/arachni/parser_spec.rb +106 -104
data/spec/arachni/platform/fingerprinter_spec.rb +17 -14
data/spec/arachni/platform/list_spec.rb +33 -33
data/spec/arachni/platform/manager_spec.rb +67 -64
data/spec/arachni/plugin/base_spec.rb +10 -10
data/spec/arachni/plugin/manager_spec.rb +38 -37
data/spec/arachni/report_spec.rb +43 -40
data/spec/arachni/reporter/base_spec.rb +15 -15
data/spec/arachni/reporter/manager_spec.rb +4 -4
data/spec/arachni/reporter/options_spec.rb +6 -6
data/spec/arachni/rpc/client/base_spec.rb +6 -6
data/spec/arachni/rpc/client/dispatcher_spec.rb +2 -2
data/spec/arachni/rpc/client/instance_spec.rb +6 -6
data/spec/arachni/rpc/server/active_options_spec.rb +11 -8
data/spec/arachni/rpc/server/base_spec.rb +5 -5
data/spec/arachni/rpc/server/checks/manager_spec.rb +8 -8
data/spec/arachni/rpc/server/dispatcher/node_spec.rb +37 -37
data/spec/arachni/rpc/server/dispatcher/service_spec.rb +15 -14
data/spec/arachni/rpc/server/dispatcher_spec.rb +36 -35
data/spec/arachni/rpc/server/framework/distributor_spec.rb +36 -36
data/spec/arachni/rpc/server/framework_multi_spec.rb +340 -336
data/spec/arachni/rpc/server/framework_spec.rb +90 -85
data/spec/arachni/rpc/server/instance_spec.rb +126 -107
data/spec/arachni/rpc/server/output_spec.rb +1 -1
data/spec/arachni/rpc/server/plugin/manager_spec.rb +6 -6
data/spec/arachni/ruby/array_spec.rb +42 -42
data/spec/arachni/ruby/hash_spec.rb +20 -18
data/spec/arachni/ruby/io_spec.rb +2 -2
data/spec/arachni/ruby/object_spec.rb +1 -1
data/spec/arachni/ruby/set_spec.rb +3 -3
data/spec/arachni/ruby/string_spec.rb +30 -30
data/spec/arachni/ruby/webrick_spec.rb +2 -2
data/spec/arachni/scope_spec.rb +1 -1
data/spec/arachni/session_spec.rb +67 -64
data/spec/arachni/snapshot_spec.rb +15 -15
data/spec/arachni/state/audit_spec.rb +11 -11
data/spec/arachni/state/element_filter_spec.rb +6 -6
data/spec/arachni/state/framework/rpc_spec.rb +12 -12
data/spec/arachni/state/framework_spec.rb +125 -121
data/spec/arachni/state/http_spec.rb +7 -7
data/spec/arachni/state/options_spec.rb +7 -7
data/spec/arachni/state/plugins_spec.rb +8 -8
data/spec/arachni/state_spec.rb +10 -10
data/spec/arachni/support/buffer/autoflush_spec.rb +16 -16
data/spec/arachni/support/buffer/base_spec.rb +39 -39
data/spec/arachni/support/cache/least_cost_replacement_spec.rb +18 -18
data/spec/arachni/support/cache/least_recently_pushed_spec.rb +24 -24
data/spec/arachni/support/cache/least_recently_used_spec.rb +20 -20
data/spec/arachni/support/cache/preference_spec.rb +4 -4
data/spec/arachni/support/cache/random_replacement_spec.rb +8 -8
data/spec/arachni/support/crypto/rsa_aes_cbc_spec.rb +1 -1
data/spec/arachni/support/database/hash_spec.rb +44 -43
data/spec/arachni/support/database/queue_spec.rb +27 -27
data/spec/arachni/support/lookup/hash_set_spec.rb +8 -8
data/spec/arachni/support/lookup/moolb_spec.rb +3 -3
data/spec/arachni/support/mixins/observable_spec.rb +6 -6
data/spec/arachni/support/signature_spec.rb +19 -19
data/spec/arachni/trainer_spec.rb +39 -39
data/spec/arachni/typhoeus/hydra_spec.rb +2 -2
data/spec/arachni/uri/scope_spec.rb +66 -66
data/spec/arachni/uri_spec.rb +107 -105
data/spec/arachni/utilities_spec.rb +40 -40
data/spec/components/checks/active/csrf_spec.rb +8 -8
data/spec/components/checks/active/no_sql_injection_spec.rb +1 -1
data/spec/components/checks/active/sql_injection_spec.rb +16 -16
data/spec/components/checks/active/trainer_spec.rb +4 -4
data/spec/components/checks/active/unvalidated_redirect_dom_spec.rb +4 -2
data/spec/components/checks/active/xpath_injection_spec.rb +1 -1
data/spec/components/checks/active/xss_dom_script_context_spec.rb +51 -21
data/spec/components/checks/active/xss_dom_spec.rb +46 -24
data/spec/components/checks/passive/allowed_methods_spec.rb +1 -1
data/spec/components/checks/passive/grep/cookie_set_for_parent_domain_spec.rb +1 -1
data/spec/components/checks/passive/grep/hsts_spec.rb +2 -2
data/spec/components/checks/passive/grep/http_only_cookies_spec.rb +1 -1
data/spec/components/checks/passive/grep/insecure_cookies_spec.rb +1 -1
data/spec/components/checks/passive/grep/insecure_cors_policy_spec.rb +2 -2
data/spec/components/checks/passive/grep/password_autocomplete_spec.rb +1 -1
data/spec/components/checks/passive/grep/private_ip_spec.rb +3 -3
data/spec/components/checks/passive/grep/unencrypted_password_forms_spec.rb +1 -1
data/spec/components/checks/passive/grep/x_frame_options_spec.rb +2 -2
data/spec/components/checks/passive/interesting_responses_spec.rb +2 -2
data/spec/components/checks/passive/webdav_spec.rb +1 -1
data/spec/components/checks/passive/xst_spec.rb +1 -1
data/spec/components/fingerprinters/servers/apache_spec.rb +2 -2
data/spec/components/path_extractors/comments_spec.rb +5 -1
data/spec/components/path_extractors/scripts_spec.rb +5 -2
data/spec/components/plugins/autologin_spec.rb +22 -22
data/spec/components/plugins/autothrottle_spec.rb +6 -5
data/spec/components/plugins/content_types_spec.rb +4 -4
data/spec/components/plugins/cookie_collector_spec.rb +5 -5
data/spec/components/plugins/exec_spec.rb +12 -12
data/spec/components/plugins/form_dicattack_spec.rb +3 -3
data/spec/components/plugins/headers_collector_spec.rb +8 -8
data/spec/components/plugins/healthmap_spec.rb +3 -3
data/spec/components/plugins/http_dicattack_spec.rb +3 -3
data/spec/components/plugins/login_script_spec.rb +79 -22
data/spec/components/plugins/meta/remedies/discovery_spec.rb +3 -2
data/spec/components/plugins/meta/remedies/timing_attacks_spec.rb +3 -3
data/spec/components/plugins/meta/uniformity_spec.rb +2 -2
data/spec/components/plugins/restrict_to_dom_state_spec.rb +1 -1
data/spec/components/plugins/script_spec.rb +1 -1
data/spec/components/plugins/uncommon_headers_spec.rb +2 -2
data/spec/components/plugins/vector_collector_spec.rb +2 -2
data/spec/components/plugins/vector_feed_spec.rb +40 -40
data/spec/components/plugins/waf_detector_spec.rb +6 -6
data/spec/components/reporters/json_spec.rb +4 -4
data/spec/components/reporters/marshal_spec.rb +2 -2
data/spec/components/reporters/yaml_spec.rb +3 -2
data/spec/external/wavsep/active/sqli_spec.rb +1 -3
data/spec/spec_helper.rb +4 -0
data/spec/support/factories/element/ui_form.rb +14 -0
data/spec/support/factories/element/ui_input.rb +13 -0
data/spec/support/factories/issue.rb +0 -13
data/spec/support/fixtures/report.afr +0 -0
data/spec/support/fixtures/{taint_check/taint.rb → signature_check/signature.rb} +2 -2
data/spec/support/helpers/browser_cluster/jobs/taint_tracer.rb +11 -11
data/spec/support/helpers/framework.rb +1 -1
data/spec/support/helpers/pages.rb +2 -2
data/spec/support/servers/arachni/browser.rb +139 -0
data/spec/support/servers/arachni/browser/javascript/taint_tracer.rb +40 -0
data/spec/support/servers/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +0 -0
data/spec/support/servers/arachni/element/input/input_dom.rb +102 -0
data/spec/support/servers/arachni/element/ui_form/ui_form_dom.rb +238 -0
data/spec/support/servers/checks/active/trainer_check.rb +7 -7
data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +22 -6
data/spec/support/servers/checks/active/xss_dom.rb +50 -0
data/spec/support/servers/checks/active/xss_dom_script_context.rb +53 -0
data/spec/support/shared/browser/javascript/taint_tracer/sink/base.rb +6 -6
data/spec/support/shared/check.rb +10 -12
data/spec/support/shared/component/options/base.rb +24 -24
data/spec/support/shared/element/base.rb +25 -25
data/spec/support/shared/element/capabilities/auditable.rb +116 -140
data/spec/support/shared/element/capabilities/dom_only.rb +65 -0
data/spec/support/shared/element/capabilities/inputtable.rb +71 -86
data/spec/support/shared/element/capabilities/mutable.rb +122 -111
data/spec/support/shared/element/capabilities/refreshable.rb +10 -10
data/spec/support/shared/element/capabilities/{submitable.rb → submittable.rb} +26 -26
data/spec/support/shared/element/capabilities/with_auditor.rb +10 -10
data/spec/support/shared/element/capabilities/with_dom.rb +8 -8
data/spec/support/shared/element/capabilities/with_node.rb +4 -6
data/spec/support/shared/element/capabilities/with_scope.rb +2 -2
data/spec/support/shared/element/capabilities/with_source.rb +6 -8
data/spec/support/shared/element/dom.rb +144 -0
data/spec/support/shared/element/dom/auditable.rb +42 -0
data/spec/support/shared/element/dom/inputtable.rb +5 -0
data/spec/support/shared/element/dom/mutable.rb +3 -0
data/spec/support/shared/element/dom/submittable.rb +119 -0
data/spec/support/shared/external/wavsep.rb +3 -3
data/spec/support/shared/fingerprinter.rb +2 -2
data/spec/support/shared/framework.rb +1 -1
data/spec/support/shared/http/message.rb +9 -9
data/spec/support/shared/option_group.rb +17 -17
data/spec/support/shared/path_extractor.rb +1 -1
data/spec/support/shared/plugin.rb +2 -2
data/spec/support/shared/support/cache.rb +57 -57
data/spec/support/shared/support/lookup.rb +25 -25
data/ui/cli/framework.rb +22 -11
data/ui/cli/framework/option_parser.rb +15 -0
data/ui/cli/option_parser.rb +8 -1
data/ui/cli/output.rb +2 -1
metadata +54 -20
data/components/checks/active/xss_dom_inputs.rb +0 -236
data/spec/components/checks/active/xss_dom_inputs_spec.rb +0 -30
data/spec/support/servers/checks/active/xss_dom_inputs.rb +0 -59
data/spec/support/shared/element/capabilities/auditable/dom.rb +0 -322

data/lib/arachni/http/proxy_server.rb CHANGED

@@ -20,6 +20,8 @@ module HTTP
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
 class ProxyServer < WEBrick::HTTPProxyServer
+    include Arachni::UI::Output
+    personalize_output
     CACHE = {
         format_field_name: Support::Cache::LeastRecentlyPushed.new( 100 )
@@ -59,9 +61,9 @@ class ProxyServer < WEBrick::HTTPProxyServer
             ssl_certificate_name: [ [ 'CN', 'Arachni' ] ]
         }.merge( options )
-        @logger = WEBrick::Log.new( Arachni.null_device, 7 )
+        @logger = WEBrick::Log.new( $stderr, 5 )
         # Will force the proxy to stfu.
-        @logger.close
+        @logger.close if !Arachni::UI::Output.debug?( 3 )
         @interceptor_ports = {}
         @interceptors      = {}
@@ -86,8 +88,12 @@ class ProxyServer < WEBrick::HTTPProxyServer
     # Starts the server without blocking, it'll only block until the server is
     # up and running and ready to accept connections.
     def start_async
+        print_debug_level_2 'Starting'
         Thread.new { start }
         sleep 0.1 while !running?
+        print_debug_level_2 'Started'
         nil
     end
@@ -115,11 +121,17 @@ class ProxyServer < WEBrick::HTTPProxyServer
     end
     def shutdown
+        print_debug_level_2 'Shutting down..'
+        print_debug_level_2 "-- Interceptors: #{@interceptors.size}"
         @interceptors.each do |_, interceptor|
+            print_debug_level_2 "---- Interceptor: #{interceptor}"
             interceptor.shutdown
         end
         super
+        print_debug_level_2 'Shutdown.'
     end
     private
@@ -185,13 +197,20 @@ class ProxyServer < WEBrick::HTTPProxyServer
     # @see #service
     # @see Webrick::HTTPProxyServer#service
     def do_CONNECT( req, res )
+        print_debug_level_2 "[#{__method__}] Start: #{req.unparsed_uri}"
         host = req.unparsed_uri.split(':').first
         req.instance_variable_set( :@unparsed_uri, "127.0.0.1:#{interceptor_port( host )}" )
+        print_debug_level_2 "[#{__method__}] Intercepting via: #{req.unparsed_uri}"
         start_ssl_interceptor( host )
-        super( req, res )
+        r = super( req, res )
+        print_debug_level_2 "[#{__method__}] Done: #{req.unparsed_uri}"
+        r
     end
     # @param    [Hash]  options
@@ -222,7 +241,24 @@ class ProxyServer < WEBrick::HTTPProxyServer
     #
     # The interceptor will listen on {#interceptor_port}.
     def start_ssl_interceptor( host )
-        return @interceptors[host] if @interceptors[host]
+        if @interceptors[host]
+            print_debug_level_2 "[#{__method__}] [#{host}] Already started."
+            return @interceptors[host]
+        end
+        if @interceptors[host] == :pending
+            print_debug_level_2 "[#{__method__}] [#{host}] Another is already starting, waiting."
+            sleep 0.1 while @interceptors[host] == :pending
+            print_debug_level_2 "[#{__method__}] [#{host}] Started."
+            return @interceptors[host]
+        end
+        print_debug_level_2 "[#{__method__}] [#{host}] No interceptor available, starting new one."
+        @interceptors[host] = :pending
         ca     = OpenSSL::X509::Certificate.new( File.read( INTERCEPTOR_CA_CERTIFICATE ) )
         ca_key = OpenSSL::PKey::RSA.new( File.read( INTERCEPTOR_CA_KEY ) )
@@ -264,7 +300,7 @@ class ProxyServer < WEBrick::HTTPProxyServer
         # The interceptor is only used for SSL decryption/encryption, the actual
         # proxy functionality is forwarded to the plain proxy server.
-        @interceptors[host] = interceptor = self.class.new(
+        interceptor = self.class.new(
             address:        '127.0.0.1',
             port:            interceptor_port( host ),
             ssl_certificate: cert,
@@ -277,6 +313,9 @@ class ProxyServer < WEBrick::HTTPProxyServer
         end
         interceptor.start_async
+        @interceptors[host] = interceptor
+        print_debug_level_2 "[#{__method__}] [#{host}] Started."
     end
     # @return    [Integer]
@@ -288,6 +327,8 @@ class ProxyServer < WEBrick::HTTPProxyServer
     # Communicates with the endpoint webapp and forwards its responses to the
     # proxy which then sends it to the browser.
     def perform_proxy_request( req, res )
+        print_debug_level_2 "[#{__method__}] Starting:  #{req.request_line.strip}"
         request  = yield( req.request_uri.to_s, setup_proxy_header( req, res ) )
         response = nil
@@ -317,6 +358,8 @@ class ProxyServer < WEBrick::HTTPProxyServer
             @options[:response_handler].call( request, response )
         end
+        print_debug_level_2 "[#{__method__}] Completed: #{req.request_line.strip}"
         # Disable persistent connections since they're not supported by the
         # server.
         res['proxy-connection'] = 'close'
@@ -348,6 +391,10 @@ class ProxyServer < WEBrick::HTTPProxyServer
             key = key.downcase
             next if SKIP_HEADERS.include?( key ) || connections.include?( key )
+            if key == 'cache-control' && value.is_a?( Array )
+                value = value.join( ', ' )
+            end
             dst[self.class.format_field_name( key )] = value
         end
     end

data/lib/arachni/http/request.rb CHANGED

@@ -512,7 +512,7 @@ class Request < Message
         headers.each { |k, v| headers[k] = Header.encode( v ) if v }
         headers['Cookie'] = effective_cookies.
-            map { |k, v| "#{Cookie.encode( k )}=#{Cookie.encode( v )}" }.
+            map { |k, v| "#{Cookie.encode( k, true )}=#{Cookie.encode( v )}" }.
             join( ';' )
         headers.delete( 'Cookie' ) if headers['Cookie'].empty?

data/lib/arachni/issue.rb CHANGED

@@ -15,12 +15,6 @@ require Options.paths.lib + 'issue/severity'
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
 class Issue
-    # Attributes removed from a parent issue (i.e. an issue with variations)
-    # and solely populating variations.
-    VARIATION_ATTRIBUTES = Set.new([
-        :@page, :@referring_page, :@proof, :@signature, :@remarks, :@trusted
-    ])
     # @return    [String]
     #   Name.
     attr_accessor :name
@@ -108,10 +102,6 @@ class Issue
     #   made the remark, value is an `Array` of remarks.
     attr_accessor :remarks
-    # @return   [Array<Issue>]
-    #   Variations of this issue.
-    attr_accessor :variations
     # @return   [Issue,nil]
     #   Parent of variation.
     attr_accessor :parent
@@ -132,9 +122,6 @@ class Issue
         @trusted      = true if @trusted.nil?
         @references ||= {}
         @tags       ||= []
-        @variations ||= []
-        @variation    = nil
-        @parent       = nil
     end
     # @note The whole environment needs to be fresh.
@@ -213,10 +200,6 @@ class Issue
     #
     # @see #passive?
     def active?
-        if variations && variations.any?
-            return variations.first.active?
-        end
         !!(vector.respond_to?( :affected_input_name ) && vector.affected_input_name)
     end
@@ -226,11 +209,6 @@ class Issue
     # @see #passive?
     def affected_input_name
         return if !active?
-        if variations && variations.any?
-            return variations.first.vector.affected_input_name
-        end
         vector.affected_input_name
     end
@@ -314,60 +292,40 @@ class Issue
         h[:vector] = vector.to_h
         h.delete( :unique_id )
-        if solo?
-            h.delete( :variation )
-        else
-            if variation?
-                h[:vector].delete :source
-                h[:vector].delete :type
-                h[:vector].delete :url
-                h[:vector].delete :action
-                h[:vector].delete :default_inputs
-                h[:vector].delete :affected_input_name
-            else
-                h[:vector][:inputs] = h[:vector].delete( :default_inputs )
-                h[:vector][:affected_input_name] = affected_input_name
-            end
-        end
-        if !variation? || solo?
-            h[:digest]   = digest
-            h[:severity] = severity.to_sym
-            h[:cwe_url]  = cwe_url if cwe_url
-            # Since we're doing the whole cross-platform hash thing better switch
-            # the Element classes in the check's info data to symbols.
-            h[:check][:elements] ||= []
-            h[:check][:elements]   = h[:check][:elements].map(&:type)
+        h[:vector][:affected_input_name] = affected_input_name
-            h[:variations] = @variations.map(&:to_h)
-        end
+        h[:digest]   = digest
+        h[:severity] = severity.to_sym
+        h[:cwe_url]  = cwe_url if cwe_url
-        if variation? || solo?
-            if page
-                dom_h = page.dom.to_h
-                dom_h.delete(:skip_states)
+        # Since we're doing the whole cross-platform hash thing better switch
+        # the Element classes in the check's info data to symbols.
+        h[:check][:elements] ||= []
+        h[:check][:elements]   = h[:check][:elements].map(&:type)
-                h[:page] = {
-                    body: page.body,
-                    dom:  dom_h
-                }
-            end
+        if page
+            dom_h = page.dom.to_h
+            dom_h.delete(:skip_states)
-            if referring_page
-                referring_page_dom_h = referring_page.dom.to_h
-                referring_page_dom_h.delete(:skip_states)
+            h[:page] = {
+                body: page.body,
+                dom:  dom_h
+            }
+        end
-                h[:referring_page] = {
-                    body: referring_page.body,
-                    dom:  referring_page_dom_h
-                }
-            end
+        if referring_page
+            referring_page_dom_h = referring_page.dom.to_h
+            referring_page_dom_h.delete(:skip_states)
-            h[:response] = response.to_h if response
-            h[:request]  = request.to_h  if request
+            h[:referring_page] = {
+                body: referring_page.body,
+                dom:  referring_page_dom_h
+            }
         end
+        h[:response] = response.to_h if response
+        h[:request]  = request.to_h  if request
         h.delete :parent
         h
@@ -378,7 +336,11 @@ class Issue
     #   A string uniquely identifying this issue.
     def unique_id
         return @unique_id if @unique_id
-        vector_info = active? ? "#{vector.method}:#{vector.affected_input_name}:" : nil
+        vector_info = active? ?
+            "#{vector.method}:#{vector.affected_input_name}:" :
+            "#{proof}:"
         "#{name}:#{vector_info}#{vector.action.split( '?' ).first}"
     end
@@ -390,90 +352,6 @@ class Issue
         unique_id.persistent_hash
     end
-    # @return   [Bool]
-    #   `true` if the issue neither has nor is a variation, `false` otherwise.
-    def solo?
-        @variation.nil?
-    end
-    # @return   [Bool]
-    #   `true` if `self` is a variation.
-    def variation?
-        !!@variation
-    end
-    # @return   [Issue]
-    #   A copy of `self` **without** {VARIATION_ATTRIBUTES specific} details
-    #   and an empty array of {#variations} to be populated.
-    #
-    #   Also, the {#vector} attribute will hold the original, non-mutated vector.
-    def with_variations
-        issue = self.deep_clone
-        instance_variables.each do |k|
-            next if k == :@trusted || !VARIATION_ATTRIBUTES.include?( k ) ||
-                !issue.instance_variable_defined?( k )
-            issue.remove_instance_variable k
-        end
-        issue.vector.reset
-        issue.unique_id = unique_id
-        issue.variation = false
-        issue.parent    = nil
-        issue
-    end
-    # @return   [Issue]
-    #   A copy of `self` with {VARIATION_ATTRIBUTES specific} details **only**
-    #   and the mutated {#vector}.
-    def as_variation
-        issue = self.deep_clone
-        instance_variables.each do |k|
-            next if k == :@vector || VARIATION_ATTRIBUTES.include?( k ) ||
-                !issue.instance_variable_defined?( k )
-            issue.remove_instance_variable k
-        end
-        issue.unique_id = unique_id
-        issue.variation = true
-        issue.parent    = self
-        issue
-    end
-    # Converts `self` to a solo issue, in place.
-    #
-    # @param    [Issue] issue
-    #   Parent issue.
-    # @return   [Issue]
-    #   Solo issue, with generic vulnerability data filled in from `issue`.
-    def to_solo!( issue )
-        issue.instance_variables.each do |k|
-            next if k == :@variations || k == :@vector || k == :@trusted
-            next if (val = issue.instance_variable_get(k)).nil?
-            instance_variable_set( k, val )
-        end
-        @variations = []
-        @variation  = nil
-        @parent     = nil
-        self
-    end
-    # Copy of `self` as a solo issue.
-    #
-    # @param    [Issue] issue
-    #   Parent issue.
-    # @return   [Issue]
-    #   Solo issue, with generic vulnerability data filled in from `issue`.
-    def to_solo( issue )
-        deep_clone.to_solo!( issue )
-    end
     def ==( other )
         hash == other.hash
     end
@@ -491,8 +369,6 @@ class Issue
     def to_rpc_data
         data = {}
         instance_variables.each do |ivar|
-            next if ivar == :@parent
             data[ivar.to_s.gsub('@','')] =
                 instance_variable_get( ivar ).to_rpc_data_or_self
         end
@@ -502,15 +378,9 @@ class Issue
             data['check'][:elements] = data['check'][:elements].map(&:to_s)
         end
-        if data['variations']
-            data['variations'] = data['variations'].map(&:to_rpc_data)
-        end
-        if !variation?
-            data['digest'] = digest
-        end
-        data['severity'] = data['severity'].to_s
+        data['unique_id'] = unique_id
+        data['digest']    = digest
+        data['severity']  = data['severity'].to_s
         data
     end
@@ -535,9 +405,6 @@ class Issue
                             value.my_symbolize_keys(false)
-                        when 'variations'
-                            value.map { |i| from_rpc_data i }
                         when 'remarks'
                             value.my_symbolize_keys
@@ -559,12 +426,6 @@ class Issue
             instance.instance_variable_set( "@#{name}", value )
         end
-        if instance.variations
-            instance.variations.each do |v|
-                v.parent = instance
-            end
-        end
         instance
     end
@@ -582,10 +443,6 @@ class Issue
         @unique_id = id
     end
-    def variation=( bool )
-        @variation = bool
-    end
     private
     def normalize_name( name )
@@ -599,5 +456,3 @@ class Issue
     protected :remove_instance_variable
 end
 end
-Arachni::Severity = Arachni::Issue::Severity