RubyGems - arachni - Versions diffs - 1.2.1 → 1.3 - Mend

arachni 1.2.1 → 1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (373) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +66 -0
data/Gemfile +1 -1
data/README.md +16 -5
data/components/checks/active/ldap_injection/errors.txt +1 -0
data/components/checks/active/source_code_disclosure.rb +1 -1
data/components/checks/active/unvalidated_redirect.rb +6 -6
data/components/checks/active/unvalidated_redirect_dom.rb +10 -7
data/components/checks/passive/grep/captcha.rb +14 -5
data/components/checks/passive/grep/form_upload.rb +7 -3
data/components/checks/passive/grep/hsts.rb +3 -3
data/components/checks/passive/grep/html_objects.rb +2 -3
data/components/checks/passive/grep/http_only_cookies.rb +2 -3
data/components/checks/passive/grep/insecure_cookies.rb +1 -1
data/components/checks/passive/grep/password_autocomplete.rb +2 -2
data/components/checks/passive/grep/unencrypted_password_forms.rb +7 -7
data/components/checks/passive/grep/x_frame_options.rb +2 -2
data/components/checks/passive/http_put.rb +2 -3
data/components/path_extractors/comments.rb +3 -3
data/components/path_extractors/scripts.rb +10 -1
data/components/plugins/defaults/autothrottle.rb +27 -18
data/components/plugins/defaults/meta/remedies/discovery.rb +30 -33
data/components/plugins/defaults/meta/remedies/timing_attacks.rb +7 -11
data/components/plugins/login_script.rb +9 -3
data/components/plugins/proxy.rb +4 -3
data/components/reporters/html.rb +11 -14
data/components/reporters/html/default/issue.erb +13 -38
data/components/reporters/html/default/issue/info.erb +1 -1
data/components/reporters/html/default/summary/issues/by_name.erb +3 -3
data/components/reporters/stdout.rb +62 -71
data/components/reporters/xml.rb +26 -40
data/components/reporters/xml/schema.xsd +43 -89
data/lib/arachni/browser.rb +52 -3
data/lib/arachni/browser/javascript.rb +3 -3
data/lib/arachni/browser/javascript/scripts/taint_tracer.js +46 -25
data/lib/arachni/browser_cluster.rb +61 -0
data/lib/arachni/browser_cluster/job.rb +21 -1
data/lib/arachni/browser_cluster/jobs/browser_provider.rb +3 -1
data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +2 -1
data/lib/arachni/browser_cluster/jobs/resource_exploration/event_trigger.rb +2 -1
data/lib/arachni/browser_cluster/jobs/taint_trace.rb +3 -2
data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +1 -1
data/lib/arachni/browser_cluster/worker.rb +5 -0
data/lib/arachni/check/auditor.rb +22 -12
data/lib/arachni/data/framework.rb +13 -1
data/lib/arachni/data/issues.rb +9 -25
data/lib/arachni/element/base.rb +9 -3
data/lib/arachni/element/capabilities/analyzable.rb +2 -6
data/lib/arachni/element/capabilities/analyzable/differential.rb +24 -7
data/lib/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +23 -23
data/lib/arachni/element/capabilities/auditable.rb +0 -6
data/lib/arachni/element/capabilities/dom_only.rb +61 -0
data/lib/arachni/element/capabilities/with_dom.rb +3 -1
data/lib/arachni/element/cookie.rb +35 -5
data/lib/arachni/element/cookie/dom.rb +13 -4
data/lib/arachni/element/{capabilities/auditable/dom.rb → dom.rb} +20 -68
data/lib/arachni/element/dom/capabilities/auditable.rb +29 -0
data/lib/arachni/element/dom/capabilities/inputtable.rb +27 -0
data/lib/arachni/element/dom/capabilities/mutable.rb +21 -0
data/lib/arachni/element/dom/capabilities/submittable.rb +52 -0
data/lib/arachni/element/form.rb +12 -1
data/lib/arachni/element/form/capabilities/mutable.rb +2 -1
data/lib/arachni/element/form/capabilities/with_dom.rb +0 -1
data/lib/arachni/element/form/dom.rb +9 -3
data/lib/arachni/element/header.rb +14 -33
data/lib/arachni/element/header/capabilities/inputtable.rb +29 -0
data/lib/arachni/element/header/capabilities/mutable.rb +51 -0
data/lib/arachni/element/input/dom.rb +71 -0
data/lib/arachni/element/json.rb +2 -0
data/lib/arachni/element/link.rb +3 -0
data/lib/arachni/element/link/capabilities/with_dom.rb +0 -1
data/lib/arachni/element/link/dom.rb +16 -3
data/lib/arachni/element/link/dom/capabilities/submittable.rb +29 -0
data/lib/arachni/element/link_template.rb +3 -5
data/lib/arachni/element/link_template/capabilities/inputtable.rb +5 -0
data/lib/arachni/element/link_template/capabilities/with_dom.rb +0 -1
data/lib/arachni/element/link_template/dom.rb +16 -3
data/lib/arachni/element/link_template/dom/capabilities/submittable.rb +29 -0
data/lib/arachni/element/server.rb +3 -5
data/lib/arachni/element/ui_form.rb +106 -0
data/lib/arachni/element/ui_form/dom.rb +107 -0
data/lib/arachni/element/ui_input.rb +62 -0
data/lib/arachni/element/xml.rb +2 -1
data/lib/arachni/framework.rb +7 -5
data/lib/arachni/framework/parts/audit.rb +0 -1
data/lib/arachni/framework/parts/check.rb +1 -0
data/lib/arachni/framework/parts/data.rb +4 -0
data/lib/arachni/framework/parts/state.rb +0 -2
data/lib/arachni/http/client.rb +17 -6
data/lib/arachni/http/proxy_server.rb +52 -5
data/lib/arachni/http/request.rb +1 -1
data/lib/arachni/issue.rb +34 -179
data/lib/arachni/issue/severity.rb +2 -0
data/lib/arachni/option_groups/audit.rb +22 -2
data/lib/arachni/option_groups/browser_cluster.rb +15 -0
data/lib/arachni/page.rb +3 -2
data/lib/arachni/parser.rb +24 -5
data/lib/arachni/platform/manager.rb +1 -2
data/lib/arachni/rpc/server/framework.rb +3 -4
data/lib/arachni/rpc/server/framework/multi_instance.rb +2 -1
data/lib/arachni/session.rb +1 -1
data/lib/arachni/trainer.rb +4 -7
data/lib/arachni/watir/element.rb +12 -1
data/lib/version +1 -1
data/spec/arachni/browser/element_locator_spec.rb +43 -43
data/spec/arachni/browser/javascript/dom_monitor_spec.rb +44 -44
data/spec/arachni/browser/javascript/proxy/stub_spec.rb +17 -14
data/spec/arachni/browser/javascript/proxy_spec.rb +24 -24
data/spec/arachni/browser/javascript/taint_tracer/frame/called_function_spec.rb +11 -11
data/spec/arachni/browser/javascript/taint_tracer/frame_spec.rb +7 -7
data/spec/arachni/browser/javascript/taint_tracer/sink/data_flow_spec.rb +13 -13
data/spec/arachni/browser/javascript/taint_tracer/sink/execution_flow_spec.rb +7 -7
data/spec/arachni/browser/javascript/taint_tracer_spec.rb +568 -558
data/spec/arachni/browser/javascript_spec.rb +73 -63
data/spec/arachni/browser_cluster/job/result_spec.rb +3 -3
data/spec/arachni/browser_cluster/job_spec.rb +68 -48
data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger/result_spec.rb +2 -2
data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger_spec.rb +5 -4
data/spec/arachni/browser_cluster/jobs/resource_exploration/result_spec.rb +2 -2
data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +5 -5
data/spec/arachni/browser_cluster/worker_spec.rb +87 -70
data/spec/arachni/browser_cluster_spec.rb +64 -39
data/spec/arachni/browser_spec.rb +692 -527
data/spec/arachni/check/auditor_spec.rb +177 -147
data/spec/arachni/check/base_spec.rb +33 -33
data/spec/arachni/check/manager_spec.rb +15 -15
data/spec/arachni/component/base_spec.rb +8 -8
data/spec/arachni/component/manager_spec.rb +100 -99
data/spec/arachni/component/options/address_spec.rb +3 -3
data/spec/arachni/component/options/base_spec.rb +7 -7
data/spec/arachni/component/options/bool_spec.rb +9 -9
data/spec/arachni/component/options/float_spec.rb +6 -6
data/spec/arachni/component/options/int_spec.rb +5 -5
data/spec/arachni/component/options/multiple_choice_spec.rb +12 -12
data/spec/arachni/component/options/object_spec.rb +2 -2
data/spec/arachni/component/options/path_spec.rb +3 -3
data/spec/arachni/component/options/port_spec.rb +5 -5
data/spec/arachni/component/options/string_spec.rb +3 -3
data/spec/arachni/component/options/url_spec.rb +4 -4
data/spec/arachni/component/utilities_spec.rb +2 -2
data/spec/arachni/data/framework/rpc_spec.rb +10 -9
data/spec/arachni/data/framework_spec.rb +65 -46
data/spec/arachni/data/issues_spec.rb +39 -77
data/spec/arachni/data/plugins_spec.rb +11 -11
data/spec/arachni/data/session_spec.rb +6 -6
data/spec/arachni/data_spec.rb +8 -8
data/spec/arachni/element/body_spec.rb +10 -10
data/spec/arachni/element/capabilities/analyzable/differential_spec.rb +39 -21
data/spec/arachni/element/capabilities/analyzable/{taint_spec.rb → signature_spec.rb} +63 -63
data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +51 -51
data/spec/arachni/element/capabilities/with_scope/scope_spec.rb +5 -5
data/spec/arachni/element/cookie/dom_spec.rb +37 -18
data/spec/arachni/element/cookie_spec.rb +206 -139
data/spec/arachni/element/form/dom_spec.rb +36 -19
data/spec/arachni/element/form_spec.rb +210 -187
data/spec/arachni/element/generic_dom_spec.rb +14 -14
data/spec/arachni/element/header_spec.rb +35 -17
data/spec/arachni/element/json_spec.rb +53 -31
data/spec/arachni/element/link/dom_spec.rb +46 -28
data/spec/arachni/element/link_spec.rb +58 -40
data/spec/arachni/element/link_template/dom_spec.rb +47 -29
data/spec/arachni/element/link_template_spec.rb +79 -61
data/spec/arachni/element/path_spec.rb +1 -1
data/spec/arachni/element/server_spec.rb +33 -32
data/spec/arachni/element/ui_form/ui_form_dom_spec.rb +164 -0
data/spec/arachni/element/ui_form_spec.rb +242 -0
data/spec/arachni/element/ui_input/dom_spec.rb +157 -0
data/spec/arachni/element/ui_input_spec.rb +136 -0
data/spec/arachni/element/xml_spec.rb +42 -24
data/spec/arachni/element_filter_spec.rb +49 -48
data/spec/arachni/error_spec.rb +3 -3
data/spec/arachni/framework/parts/audit_spec.rb +64 -63
data/spec/arachni/framework/parts/browser_spec.rb +16 -16
data/spec/arachni/framework/parts/check_spec.rb +3 -3
data/spec/arachni/framework/parts/data_spec.rb +48 -48
data/spec/arachni/framework/parts/platform_spec.rb +3 -3
data/spec/arachni/framework/parts/plugin_spec.rb +7 -6
data/spec/arachni/framework/parts/report_spec.rb +7 -7
data/spec/arachni/framework/parts/scope_spec.rb +16 -16
data/spec/arachni/framework/parts/state_spec.rb +68 -69
data/spec/arachni/framework_spec.rb +39 -31
data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +32 -32
data/spec/arachni/http/client_spec.rb +219 -208
data/spec/arachni/http/cookie_jar_spec.rb +72 -72
data/spec/arachni/http/headers_spec.rb +14 -14
data/spec/arachni/http/proxy_server_spec.rb +43 -42
data/spec/arachni/http/request_spec.rb +105 -103
data/spec/arachni/http/response/scope_spec.rb +24 -24
data/spec/arachni/http/response_spec.rb +50 -49
data/spec/arachni/issue/severity_spec.rb +10 -9
data/spec/arachni/issue_spec.rb +71 -369
data/spec/arachni/option_groups/audit_spec.rb +114 -114
data/spec/arachni/option_groups/browser_cluster_spec.rb +20 -3
data/spec/arachni/option_groups/datastore_spec.rb +6 -6
data/spec/arachni/option_groups/dispatcher_spec.rb +19 -19
data/spec/arachni/option_groups/http_spec.rb +11 -11
data/spec/arachni/option_groups/input_spec.rb +31 -27
data/spec/arachni/option_groups/output_spec.rb +2 -2
data/spec/arachni/option_groups/paths_spec.rb +17 -17
data/spec/arachni/option_groups/rpc_spec.rb +2 -2
data/spec/arachni/option_groups/scope_spec.rb +40 -40
data/spec/arachni/option_groups/session_spec.rb +6 -5
data/spec/arachni/option_groups/snapshot_spec.rb +4 -4
data/spec/arachni/options_spec.rb +46 -45
data/spec/arachni/page/dom/transition_spec.rb +74 -72
data/spec/arachni/page/dom_spec.rb +35 -35
data/spec/arachni/page/scope_spec.rb +15 -15
data/spec/arachni/page_spec.rb +217 -217
data/spec/arachni/parser_spec.rb +106 -104
data/spec/arachni/platform/fingerprinter_spec.rb +17 -14
data/spec/arachni/platform/list_spec.rb +33 -33
data/spec/arachni/platform/manager_spec.rb +67 -64
data/spec/arachni/plugin/base_spec.rb +10 -10
data/spec/arachni/plugin/manager_spec.rb +38 -37
data/spec/arachni/report_spec.rb +43 -40
data/spec/arachni/reporter/base_spec.rb +15 -15
data/spec/arachni/reporter/manager_spec.rb +4 -4
data/spec/arachni/reporter/options_spec.rb +6 -6
data/spec/arachni/rpc/client/base_spec.rb +6 -6
data/spec/arachni/rpc/client/dispatcher_spec.rb +2 -2
data/spec/arachni/rpc/client/instance_spec.rb +6 -6
data/spec/arachni/rpc/server/active_options_spec.rb +11 -8
data/spec/arachni/rpc/server/base_spec.rb +5 -5
data/spec/arachni/rpc/server/checks/manager_spec.rb +8 -8
data/spec/arachni/rpc/server/dispatcher/node_spec.rb +37 -37
data/spec/arachni/rpc/server/dispatcher/service_spec.rb +15 -14
data/spec/arachni/rpc/server/dispatcher_spec.rb +36 -35
data/spec/arachni/rpc/server/framework/distributor_spec.rb +36 -36
data/spec/arachni/rpc/server/framework_multi_spec.rb +340 -336
data/spec/arachni/rpc/server/framework_spec.rb +90 -85
data/spec/arachni/rpc/server/instance_spec.rb +126 -107
data/spec/arachni/rpc/server/output_spec.rb +1 -1
data/spec/arachni/rpc/server/plugin/manager_spec.rb +6 -6
data/spec/arachni/ruby/array_spec.rb +42 -42
data/spec/arachni/ruby/hash_spec.rb +20 -18
data/spec/arachni/ruby/io_spec.rb +2 -2
data/spec/arachni/ruby/object_spec.rb +1 -1
data/spec/arachni/ruby/set_spec.rb +3 -3
data/spec/arachni/ruby/string_spec.rb +30 -30
data/spec/arachni/ruby/webrick_spec.rb +2 -2
data/spec/arachni/scope_spec.rb +1 -1
data/spec/arachni/session_spec.rb +67 -64
data/spec/arachni/snapshot_spec.rb +15 -15
data/spec/arachni/state/audit_spec.rb +11 -11
data/spec/arachni/state/element_filter_spec.rb +6 -6
data/spec/arachni/state/framework/rpc_spec.rb +12 -12
data/spec/arachni/state/framework_spec.rb +125 -121
data/spec/arachni/state/http_spec.rb +7 -7
data/spec/arachni/state/options_spec.rb +7 -7
data/spec/arachni/state/plugins_spec.rb +8 -8
data/spec/arachni/state_spec.rb +10 -10
data/spec/arachni/support/buffer/autoflush_spec.rb +16 -16
data/spec/arachni/support/buffer/base_spec.rb +39 -39
data/spec/arachni/support/cache/least_cost_replacement_spec.rb +18 -18
data/spec/arachni/support/cache/least_recently_pushed_spec.rb +24 -24
data/spec/arachni/support/cache/least_recently_used_spec.rb +20 -20
data/spec/arachni/support/cache/preference_spec.rb +4 -4
data/spec/arachni/support/cache/random_replacement_spec.rb +8 -8
data/spec/arachni/support/crypto/rsa_aes_cbc_spec.rb +1 -1
data/spec/arachni/support/database/hash_spec.rb +44 -43
data/spec/arachni/support/database/queue_spec.rb +27 -27
data/spec/arachni/support/lookup/hash_set_spec.rb +8 -8
data/spec/arachni/support/lookup/moolb_spec.rb +3 -3
data/spec/arachni/support/mixins/observable_spec.rb +6 -6
data/spec/arachni/support/signature_spec.rb +19 -19
data/spec/arachni/trainer_spec.rb +39 -39
data/spec/arachni/typhoeus/hydra_spec.rb +2 -2
data/spec/arachni/uri/scope_spec.rb +66 -66
data/spec/arachni/uri_spec.rb +107 -105
data/spec/arachni/utilities_spec.rb +40 -40
data/spec/components/checks/active/csrf_spec.rb +8 -8
data/spec/components/checks/active/no_sql_injection_spec.rb +1 -1
data/spec/components/checks/active/sql_injection_spec.rb +16 -16
data/spec/components/checks/active/trainer_spec.rb +4 -4
data/spec/components/checks/active/unvalidated_redirect_dom_spec.rb +4 -2
data/spec/components/checks/active/xpath_injection_spec.rb +1 -1
data/spec/components/checks/active/xss_dom_script_context_spec.rb +51 -21
data/spec/components/checks/active/xss_dom_spec.rb +46 -24
data/spec/components/checks/passive/allowed_methods_spec.rb +1 -1
data/spec/components/checks/passive/grep/cookie_set_for_parent_domain_spec.rb +1 -1
data/spec/components/checks/passive/grep/hsts_spec.rb +2 -2
data/spec/components/checks/passive/grep/http_only_cookies_spec.rb +1 -1
data/spec/components/checks/passive/grep/insecure_cookies_spec.rb +1 -1
data/spec/components/checks/passive/grep/insecure_cors_policy_spec.rb +2 -2
data/spec/components/checks/passive/grep/password_autocomplete_spec.rb +1 -1
data/spec/components/checks/passive/grep/private_ip_spec.rb +3 -3
data/spec/components/checks/passive/grep/unencrypted_password_forms_spec.rb +1 -1
data/spec/components/checks/passive/grep/x_frame_options_spec.rb +2 -2
data/spec/components/checks/passive/interesting_responses_spec.rb +2 -2
data/spec/components/checks/passive/webdav_spec.rb +1 -1
data/spec/components/checks/passive/xst_spec.rb +1 -1
data/spec/components/fingerprinters/servers/apache_spec.rb +2 -2
data/spec/components/path_extractors/comments_spec.rb +5 -1
data/spec/components/path_extractors/scripts_spec.rb +5 -2
data/spec/components/plugins/autologin_spec.rb +22 -22
data/spec/components/plugins/autothrottle_spec.rb +6 -5
data/spec/components/plugins/content_types_spec.rb +4 -4
data/spec/components/plugins/cookie_collector_spec.rb +5 -5
data/spec/components/plugins/exec_spec.rb +12 -12
data/spec/components/plugins/form_dicattack_spec.rb +3 -3
data/spec/components/plugins/headers_collector_spec.rb +8 -8
data/spec/components/plugins/healthmap_spec.rb +3 -3
data/spec/components/plugins/http_dicattack_spec.rb +3 -3
data/spec/components/plugins/login_script_spec.rb +79 -22
data/spec/components/plugins/meta/remedies/discovery_spec.rb +3 -2
data/spec/components/plugins/meta/remedies/timing_attacks_spec.rb +3 -3
data/spec/components/plugins/meta/uniformity_spec.rb +2 -2
data/spec/components/plugins/restrict_to_dom_state_spec.rb +1 -1
data/spec/components/plugins/script_spec.rb +1 -1
data/spec/components/plugins/uncommon_headers_spec.rb +2 -2
data/spec/components/plugins/vector_collector_spec.rb +2 -2
data/spec/components/plugins/vector_feed_spec.rb +40 -40
data/spec/components/plugins/waf_detector_spec.rb +6 -6
data/spec/components/reporters/json_spec.rb +4 -4
data/spec/components/reporters/marshal_spec.rb +2 -2
data/spec/components/reporters/yaml_spec.rb +3 -2
data/spec/external/wavsep/active/sqli_spec.rb +1 -3
data/spec/spec_helper.rb +4 -0
data/spec/support/factories/element/ui_form.rb +14 -0
data/spec/support/factories/element/ui_input.rb +13 -0
data/spec/support/factories/issue.rb +0 -13
data/spec/support/fixtures/report.afr +0 -0
data/spec/support/fixtures/{taint_check/taint.rb → signature_check/signature.rb} +2 -2
data/spec/support/helpers/browser_cluster/jobs/taint_tracer.rb +11 -11
data/spec/support/helpers/framework.rb +1 -1
data/spec/support/helpers/pages.rb +2 -2
data/spec/support/servers/arachni/browser.rb +139 -0
data/spec/support/servers/arachni/browser/javascript/taint_tracer.rb +40 -0
data/spec/support/servers/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +0 -0
data/spec/support/servers/arachni/element/input/input_dom.rb +102 -0
data/spec/support/servers/arachni/element/ui_form/ui_form_dom.rb +238 -0
data/spec/support/servers/checks/active/trainer_check.rb +7 -7
data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +22 -6
data/spec/support/servers/checks/active/xss_dom.rb +50 -0
data/spec/support/servers/checks/active/xss_dom_script_context.rb +53 -0
data/spec/support/shared/browser/javascript/taint_tracer/sink/base.rb +6 -6
data/spec/support/shared/check.rb +10 -12
data/spec/support/shared/component/options/base.rb +24 -24
data/spec/support/shared/element/base.rb +25 -25
data/spec/support/shared/element/capabilities/auditable.rb +116 -140
data/spec/support/shared/element/capabilities/dom_only.rb +65 -0
data/spec/support/shared/element/capabilities/inputtable.rb +71 -86
data/spec/support/shared/element/capabilities/mutable.rb +122 -111
data/spec/support/shared/element/capabilities/refreshable.rb +10 -10
data/spec/support/shared/element/capabilities/{submitable.rb → submittable.rb} +26 -26
data/spec/support/shared/element/capabilities/with_auditor.rb +10 -10
data/spec/support/shared/element/capabilities/with_dom.rb +8 -8
data/spec/support/shared/element/capabilities/with_node.rb +4 -6
data/spec/support/shared/element/capabilities/with_scope.rb +2 -2
data/spec/support/shared/element/capabilities/with_source.rb +6 -8
data/spec/support/shared/element/dom.rb +144 -0
data/spec/support/shared/element/dom/auditable.rb +42 -0
data/spec/support/shared/element/dom/inputtable.rb +5 -0
data/spec/support/shared/element/dom/mutable.rb +3 -0
data/spec/support/shared/element/dom/submittable.rb +119 -0
data/spec/support/shared/external/wavsep.rb +3 -3
data/spec/support/shared/fingerprinter.rb +2 -2
data/spec/support/shared/framework.rb +1 -1
data/spec/support/shared/http/message.rb +9 -9
data/spec/support/shared/option_group.rb +17 -17
data/spec/support/shared/path_extractor.rb +1 -1
data/spec/support/shared/plugin.rb +2 -2
data/spec/support/shared/support/cache.rb +57 -57
data/spec/support/shared/support/lookup.rb +25 -25
data/ui/cli/framework.rb +22 -11
data/ui/cli/framework/option_parser.rb +15 -0
data/ui/cli/option_parser.rb +8 -1
data/ui/cli/output.rb +2 -1
metadata +54 -20
data/components/checks/active/xss_dom_inputs.rb +0 -236
data/spec/components/checks/active/xss_dom_inputs_spec.rb +0 -30
data/spec/support/servers/checks/active/xss_dom_inputs.rb +0 -59
data/spec/support/shared/element/capabilities/auditable/dom.rb +0 -322

data/lib/arachni/http/proxy_server.rb CHANGED

@@ -20,6 +20,8 @@ module HTTP
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
 class ProxyServer < WEBrick::HTTPProxyServer
+    include Arachni::UI::Output
+    personalize_output
     CACHE = {
         format_field_name: Support::Cache::LeastRecentlyPushed.new( 100 )
@@ -59,9 +61,9 @@ class ProxyServer < WEBrick::HTTPProxyServer
             ssl_certificate_name: [ [ 'CN', 'Arachni' ] ]
         }.merge( options )
-        @logger = WEBrick::Log.new( Arachni.null_device, 7 )
+        @logger = WEBrick::Log.new( $stderr, 5 )
         # Will force the proxy to stfu.
-        @logger.close
+        @logger.close if !Arachni::UI::Output.debug?( 3 )
         @interceptor_ports = {}
         @interceptors      = {}
@@ -86,8 +88,12 @@ class ProxyServer < WEBrick::HTTPProxyServer
     # Starts the server without blocking, it'll only block until the server is
     # up and running and ready to accept connections.
     def start_async
+        print_debug_level_2 'Starting'
         Thread.new { start }
         sleep 0.1 while !running?
+        print_debug_level_2 'Started'
         nil
     end
@@ -115,11 +121,17 @@ class ProxyServer < WEBrick::HTTPProxyServer
     end
     def shutdown
+        print_debug_level_2 'Shutting down..'
+        print_debug_level_2 "-- Interceptors: #{@interceptors.size}"
         @interceptors.each do |_, interceptor|
+            print_debug_level_2 "---- Interceptor: #{interceptor}"
             interceptor.shutdown
         end
         super
+        print_debug_level_2 'Shutdown.'
     end
     private
@@ -185,13 +197,20 @@ class ProxyServer < WEBrick::HTTPProxyServer
     # @see #service
     # @see Webrick::HTTPProxyServer#service
     def do_CONNECT( req, res )
+        print_debug_level_2 "[#{__method__}] Start: #{req.unparsed_uri}"
         host = req.unparsed_uri.split(':').first
         req.instance_variable_set( :@unparsed_uri, "127.0.0.1:#{interceptor_port( host )}" )
+        print_debug_level_2 "[#{__method__}] Intercepting via: #{req.unparsed_uri}"
         start_ssl_interceptor( host )
-        super( req, res )
+        r = super( req, res )
+        print_debug_level_2 "[#{__method__}] Done: #{req.unparsed_uri}"
+        r
     end
     # @param    [Hash]  options
@@ -222,7 +241,24 @@ class ProxyServer < WEBrick::HTTPProxyServer
     #
     # The interceptor will listen on {#interceptor_port}.
     def start_ssl_interceptor( host )
-        return @interceptors[host] if @interceptors[host]
+        if @interceptors[host]
+            print_debug_level_2 "[#{__method__}] [#{host}] Already started."
+            return @interceptors[host]
+        end
+        if @interceptors[host] == :pending
+            print_debug_level_2 "[#{__method__}] [#{host}] Another is already starting, waiting."
+            sleep 0.1 while @interceptors[host] == :pending
+            print_debug_level_2 "[#{__method__}] [#{host}] Started."
+            return @interceptors[host]
+        end
+        print_debug_level_2 "[#{__method__}] [#{host}] No interceptor available, starting new one."
+        @interceptors[host] = :pending
         ca     = OpenSSL::X509::Certificate.new( File.read( INTERCEPTOR_CA_CERTIFICATE ) )
         ca_key = OpenSSL::PKey::RSA.new( File.read( INTERCEPTOR_CA_KEY ) )
@@ -264,7 +300,7 @@ class ProxyServer < WEBrick::HTTPProxyServer
         # The interceptor is only used for SSL decryption/encryption, the actual
         # proxy functionality is forwarded to the plain proxy server.
-        @interceptors[host] = interceptor = self.class.new(
+        interceptor = self.class.new(
             address:        '127.0.0.1',
             port:            interceptor_port( host ),
             ssl_certificate: cert,
@@ -277,6 +313,9 @@ class ProxyServer < WEBrick::HTTPProxyServer
         end
         interceptor.start_async
+        @interceptors[host] = interceptor
+        print_debug_level_2 "[#{__method__}] [#{host}] Started."
     end
     # @return    [Integer]
@@ -288,6 +327,8 @@ class ProxyServer < WEBrick::HTTPProxyServer
     # Communicates with the endpoint webapp and forwards its responses to the
     # proxy which then sends it to the browser.
     def perform_proxy_request( req, res )
+        print_debug_level_2 "[#{__method__}] Starting:  #{req.request_line.strip}"
         request  = yield( req.request_uri.to_s, setup_proxy_header( req, res ) )
         response = nil
@@ -317,6 +358,8 @@ class ProxyServer < WEBrick::HTTPProxyServer
             @options[:response_handler].call( request, response )
         end
+        print_debug_level_2 "[#{__method__}] Completed: #{req.request_line.strip}"
         # Disable persistent connections since they're not supported by the
         # server.
         res['proxy-connection'] = 'close'
@@ -348,6 +391,10 @@ class ProxyServer < WEBrick::HTTPProxyServer
             key = key.downcase
             next if SKIP_HEADERS.include?( key ) || connections.include?( key )
+            if key == 'cache-control' && value.is_a?( Array )
+                value = value.join( ', ' )
+            end
             dst[self.class.format_field_name( key )] = value
         end
     end

data/lib/arachni/http/request.rb CHANGED

@@ -512,7 +512,7 @@ class Request < Message
         headers.each { |k, v| headers[k] = Header.encode( v ) if v }
         headers['Cookie'] = effective_cookies.
-            map { |k, v| "#{Cookie.encode( k )}=#{Cookie.encode( v )}" }.
+            map { |k, v| "#{Cookie.encode( k, true )}=#{Cookie.encode( v )}" }.
             join( ';' )
         headers.delete( 'Cookie' ) if headers['Cookie'].empty?

data/lib/arachni/issue.rb CHANGED

@@ -15,12 +15,6 @@ require Options.paths.lib + 'issue/severity'
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
 class Issue
-    # Attributes removed from a parent issue (i.e. an issue with variations)
-    # and solely populating variations.
-    VARIATION_ATTRIBUTES = Set.new([
-        :@page, :@referring_page, :@proof, :@signature, :@remarks, :@trusted
-    ])
     # @return    [String]
     #   Name.
     attr_accessor :name
@@ -108,10 +102,6 @@ class Issue
     #   made the remark, value is an `Array` of remarks.
     attr_accessor :remarks
-    # @return   [Array<Issue>]
-    #   Variations of this issue.
-    attr_accessor :variations
     # @return   [Issue,nil]
     #   Parent of variation.
     attr_accessor :parent
@@ -132,9 +122,6 @@ class Issue
         @trusted      = true if @trusted.nil?
         @references ||= {}
         @tags       ||= []
-        @variations ||= []
-        @variation    = nil
-        @parent       = nil
     end
     # @note The whole environment needs to be fresh.
@@ -213,10 +200,6 @@ class Issue
     #
     # @see #passive?
     def active?
-        if variations && variations.any?
-            return variations.first.active?
-        end
         !!(vector.respond_to?( :affected_input_name ) && vector.affected_input_name)
     end
@@ -226,11 +209,6 @@ class Issue
     # @see #passive?
     def affected_input_name
         return if !active?
-        if variations && variations.any?
-            return variations.first.vector.affected_input_name
-        end
         vector.affected_input_name
     end
@@ -314,60 +292,40 @@ class Issue
         h[:vector] = vector.to_h
         h.delete( :unique_id )
-        if solo?
-            h.delete( :variation )
-        else
-            if variation?
-                h[:vector].delete :source
-                h[:vector].delete :type
-                h[:vector].delete :url
-                h[:vector].delete :action
-                h[:vector].delete :default_inputs
-                h[:vector].delete :affected_input_name
-            else
-                h[:vector][:inputs] = h[:vector].delete( :default_inputs )
-                h[:vector][:affected_input_name] = affected_input_name
-            end
-        end
-        if !variation? || solo?
-            h[:digest]   = digest
-            h[:severity] = severity.to_sym
-            h[:cwe_url]  = cwe_url if cwe_url
-            # Since we're doing the whole cross-platform hash thing better switch
-            # the Element classes in the check's info data to symbols.
-            h[:check][:elements] ||= []
-            h[:check][:elements]   = h[:check][:elements].map(&:type)
+        h[:vector][:affected_input_name] = affected_input_name
-            h[:variations] = @variations.map(&:to_h)
-        end
+        h[:digest]   = digest
+        h[:severity] = severity.to_sym
+        h[:cwe_url]  = cwe_url if cwe_url
-        if variation? || solo?
-            if page
-                dom_h = page.dom.to_h
-                dom_h.delete(:skip_states)
+        # Since we're doing the whole cross-platform hash thing better switch
+        # the Element classes in the check's info data to symbols.
+        h[:check][:elements] ||= []
+        h[:check][:elements]   = h[:check][:elements].map(&:type)
-                h[:page] = {
-                    body: page.body,
-                    dom:  dom_h
-                }
-            end
+        if page
+            dom_h = page.dom.to_h
+            dom_h.delete(:skip_states)
-            if referring_page
-                referring_page_dom_h = referring_page.dom.to_h
-                referring_page_dom_h.delete(:skip_states)
+            h[:page] = {
+                body: page.body,
+                dom:  dom_h
+            }
+        end
-                h[:referring_page] = {
-                    body: referring_page.body,
-                    dom:  referring_page_dom_h
-                }
-            end
+        if referring_page
+            referring_page_dom_h = referring_page.dom.to_h
+            referring_page_dom_h.delete(:skip_states)
-            h[:response] = response.to_h if response
-            h[:request]  = request.to_h  if request
+            h[:referring_page] = {
+                body: referring_page.body,
+                dom:  referring_page_dom_h
+            }
         end
+        h[:response] = response.to_h if response
+        h[:request]  = request.to_h  if request
         h.delete :parent
         h
@@ -378,7 +336,11 @@ class Issue
     #   A string uniquely identifying this issue.
     def unique_id
         return @unique_id if @unique_id
-        vector_info = active? ? "#{vector.method}:#{vector.affected_input_name}:" : nil
+        vector_info = active? ?
+            "#{vector.method}:#{vector.affected_input_name}:" :
+            "#{proof}:"
         "#{name}:#{vector_info}#{vector.action.split( '?' ).first}"
     end
@@ -390,90 +352,6 @@ class Issue
         unique_id.persistent_hash
     end
-    # @return   [Bool]
-    #   `true` if the issue neither has nor is a variation, `false` otherwise.
-    def solo?
-        @variation.nil?
-    end
-    # @return   [Bool]
-    #   `true` if `self` is a variation.
-    def variation?
-        !!@variation
-    end
-    # @return   [Issue]
-    #   A copy of `self` **without** {VARIATION_ATTRIBUTES specific} details
-    #   and an empty array of {#variations} to be populated.
-    #
-    #   Also, the {#vector} attribute will hold the original, non-mutated vector.
-    def with_variations
-        issue = self.deep_clone
-        instance_variables.each do |k|
-            next if k == :@trusted || !VARIATION_ATTRIBUTES.include?( k ) ||
-                !issue.instance_variable_defined?( k )
-            issue.remove_instance_variable k
-        end
-        issue.vector.reset
-        issue.unique_id = unique_id
-        issue.variation = false
-        issue.parent    = nil
-        issue
-    end
-    # @return   [Issue]
-    #   A copy of `self` with {VARIATION_ATTRIBUTES specific} details **only**
-    #   and the mutated {#vector}.
-    def as_variation
-        issue = self.deep_clone
-        instance_variables.each do |k|
-            next if k == :@vector || VARIATION_ATTRIBUTES.include?( k ) ||
-                !issue.instance_variable_defined?( k )
-            issue.remove_instance_variable k
-        end
-        issue.unique_id = unique_id
-        issue.variation = true
-        issue.parent    = self
-        issue
-    end
-    # Converts `self` to a solo issue, in place.
-    #
-    # @param    [Issue] issue
-    #   Parent issue.
-    # @return   [Issue]
-    #   Solo issue, with generic vulnerability data filled in from `issue`.
-    def to_solo!( issue )
-        issue.instance_variables.each do |k|
-            next if k == :@variations || k == :@vector || k == :@trusted
-            next if (val = issue.instance_variable_get(k)).nil?
-            instance_variable_set( k, val )
-        end
-        @variations = []
-        @variation  = nil
-        @parent     = nil
-        self
-    end
-    # Copy of `self` as a solo issue.
-    #
-    # @param    [Issue] issue
-    #   Parent issue.
-    # @return   [Issue]
-    #   Solo issue, with generic vulnerability data filled in from `issue`.
-    def to_solo( issue )
-        deep_clone.to_solo!( issue )
-    end
     def ==( other )
         hash == other.hash
     end
@@ -491,8 +369,6 @@ class Issue
     def to_rpc_data
         data = {}
         instance_variables.each do |ivar|
-            next if ivar == :@parent
             data[ivar.to_s.gsub('@','')] =
                 instance_variable_get( ivar ).to_rpc_data_or_self
         end
@@ -502,15 +378,9 @@ class Issue
             data['check'][:elements] = data['check'][:elements].map(&:to_s)
         end
-        if data['variations']
-            data['variations'] = data['variations'].map(&:to_rpc_data)
-        end
-        if !variation?
-            data['digest'] = digest
-        end
-        data['severity'] = data['severity'].to_s
+        data['unique_id'] = unique_id
+        data['digest']    = digest
+        data['severity']  = data['severity'].to_s
         data
     end
@@ -535,9 +405,6 @@ class Issue
                             value.my_symbolize_keys(false)
-                        when 'variations'
-                            value.map { |i| from_rpc_data i }
                         when 'remarks'
                             value.my_symbolize_keys
@@ -559,12 +426,6 @@ class Issue
             instance.instance_variable_set( "@#{name}", value )
         end
-        if instance.variations
-            instance.variations.each do |v|
-                v.parent = instance
-            end
-        end
         instance
     end
@@ -582,10 +443,6 @@ class Issue
         @unique_id = id
     end
-    def variation=( bool )
-        @variation = bool
-    end
     private
     def normalize_name( name )
@@ -599,5 +456,3 @@ class Issue
     protected :remove_instance_variable
 end
 end
-Arachni::Severity = Arachni::Issue::Severity