arachni 1.4 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (748) hide show
  1. checksums.yaml +5 -5
  2. data/CHANGELOG.md +195 -0
  3. data/Gemfile +4 -4
  4. data/LICENSE.md +1 -1
  5. data/README.md +7 -3
  6. data/Rakefile +1 -43
  7. data/arachni.gemspec +35 -30
  8. data/bin/arachni +1 -1
  9. data/bin/arachni_console +1 -1
  10. data/bin/arachni_multi +6 -1
  11. data/bin/arachni_reporter +1 -1
  12. data/bin/arachni_reproduce +12 -0
  13. data/bin/arachni_rest_server +1 -1
  14. data/bin/arachni_restore +1 -1
  15. data/bin/arachni_rpc +6 -1
  16. data/bin/arachni_rpcd +1 -1
  17. data/bin/arachni_rpcd_monitor +6 -1
  18. data/bin/arachni_script +1 -1
  19. data/components/checks/active/code_injection.rb +1 -1
  20. data/components/checks/active/code_injection_php_input_wrapper.rb +1 -1
  21. data/components/checks/active/code_injection_timing.rb +1 -1
  22. data/components/checks/active/csrf.rb +20 -75
  23. data/components/checks/active/file_inclusion.rb +1 -1
  24. data/components/checks/active/ldap_injection.rb +1 -1
  25. data/components/checks/active/no_sql_injection.rb +1 -1
  26. data/components/checks/active/no_sql_injection_differential.rb +3 -3
  27. data/components/checks/active/os_cmd_injection.rb +1 -1
  28. data/components/checks/active/os_cmd_injection_timing.rb +1 -1
  29. data/components/checks/active/path_traversal.rb +3 -3
  30. data/components/checks/active/response_splitting.rb +1 -1
  31. data/components/checks/active/rfi.rb +1 -1
  32. data/components/checks/active/session_fixation.rb +1 -1
  33. data/components/checks/active/source_code_disclosure.rb +1 -1
  34. data/components/checks/active/sql_injection/regexps/hsqldb.yaml +1 -0
  35. data/components/checks/active/sql_injection/substrings/hsqldb +1 -0
  36. data/components/checks/active/sql_injection/substrings/java +4 -0
  37. data/components/checks/active/sql_injection/substrings/oracle +0 -1
  38. data/components/checks/active/sql_injection/substrings/sqlite +1 -0
  39. data/components/checks/active/sql_injection.rb +1 -1
  40. data/components/checks/active/sql_injection_differential.rb +3 -3
  41. data/components/checks/active/sql_injection_timing.rb +1 -1
  42. data/components/checks/active/trainer.rb +1 -1
  43. data/components/checks/active/unvalidated_redirect.rb +34 -11
  44. data/components/checks/active/unvalidated_redirect_dom.rb +4 -4
  45. data/components/checks/active/xpath_injection.rb +1 -1
  46. data/components/checks/active/xss.rb +54 -29
  47. data/components/checks/active/xss_dom.rb +15 -11
  48. data/components/checks/active/xss_dom_script_context.rb +4 -6
  49. data/components/checks/active/xss_event.rb +46 -34
  50. data/components/checks/active/xss_path.rb +9 -6
  51. data/components/checks/active/xss_script_context.rb +100 -47
  52. data/components/checks/active/xss_tag.rb +41 -15
  53. data/components/checks/active/xxe.rb +1 -1
  54. data/components/checks/passive/allowed_methods.rb +1 -1
  55. data/components/checks/passive/backdoors.rb +1 -1
  56. data/components/checks/passive/backup_directories.rb +15 -3
  57. data/components/checks/passive/backup_files.rb +39 -6
  58. data/components/checks/passive/common_admin_interfaces/admin-panels.txt +1 -0
  59. data/components/checks/passive/common_admin_interfaces.rb +1 -1
  60. data/components/checks/passive/common_directories/directories.txt +1 -0
  61. data/components/checks/passive/common_directories.rb +1 -1
  62. data/components/checks/passive/common_files.rb +1 -1
  63. data/components/checks/passive/directory_listing.rb +1 -1
  64. data/components/checks/passive/grep/captcha.rb +8 -9
  65. data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +1 -1
  66. data/components/checks/passive/grep/credit_card.rb +1 -1
  67. data/components/checks/passive/grep/cvs_svn_users.rb +1 -1
  68. data/components/checks/passive/grep/emails.rb +1 -1
  69. data/components/checks/passive/grep/form_upload.rb +3 -5
  70. data/components/checks/passive/grep/hsts.rb +1 -1
  71. data/components/checks/passive/grep/html_objects.rb +1 -1
  72. data/components/checks/passive/grep/http_only_cookies.rb +1 -1
  73. data/components/checks/passive/grep/insecure_cookies.rb +5 -5
  74. data/components/checks/passive/grep/insecure_cors_policy.rb +1 -1
  75. data/components/checks/passive/grep/mixed_resource.rb +4 -4
  76. data/components/checks/passive/grep/password_autocomplete.rb +1 -1
  77. data/components/checks/passive/grep/private_ip.rb +1 -1
  78. data/components/checks/passive/grep/ssn.rb +1 -1
  79. data/components/checks/passive/grep/unencrypted_password_forms.rb +3 -3
  80. data/components/checks/passive/grep/x_frame_options.rb +4 -4
  81. data/components/checks/passive/htaccess_limit.rb +1 -1
  82. data/components/checks/passive/http_put.rb +1 -1
  83. data/components/checks/passive/insecure_client_access_policy.rb +2 -2
  84. data/components/checks/passive/insecure_cross_domain_policy_access.rb +2 -2
  85. data/components/checks/passive/insecure_cross_domain_policy_headers.rb +2 -2
  86. data/components/checks/passive/interesting_responses.rb +1 -1
  87. data/components/checks/passive/localstart_asp.rb +1 -1
  88. data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +1 -1
  89. data/components/checks/passive/webdav.rb +1 -1
  90. data/components/checks/passive/xst.rb +10 -12
  91. data/components/fingerprinters/frameworks/aspx_mvc.rb +1 -1
  92. data/components/fingerprinters/frameworks/cakephp.rb +1 -1
  93. data/components/fingerprinters/frameworks/cherrypy.rb +1 -1
  94. data/components/fingerprinters/frameworks/django.rb +1 -1
  95. data/components/fingerprinters/frameworks/jsf.rb +1 -1
  96. data/components/fingerprinters/frameworks/nette.rb +1 -1
  97. data/components/fingerprinters/frameworks/rack.rb +1 -1
  98. data/components/fingerprinters/frameworks/rails.rb +1 -1
  99. data/components/fingerprinters/frameworks/symfony.rb +1 -1
  100. data/components/fingerprinters/languages/asp.rb +1 -1
  101. data/components/fingerprinters/languages/aspx.rb +1 -1
  102. data/components/fingerprinters/languages/java.rb +1 -1
  103. data/components/fingerprinters/languages/php.rb +1 -1
  104. data/components/fingerprinters/languages/python.rb +1 -1
  105. data/components/fingerprinters/languages/ruby.rb +1 -1
  106. data/components/fingerprinters/os/bsd.rb +1 -1
  107. data/components/fingerprinters/os/linux.rb +1 -1
  108. data/components/fingerprinters/os/solaris.rb +1 -1
  109. data/components/fingerprinters/os/unix.rb +1 -1
  110. data/components/fingerprinters/os/windows.rb +1 -1
  111. data/components/fingerprinters/servers/apache.rb +1 -1
  112. data/components/fingerprinters/servers/gunicorn.rb +1 -1
  113. data/components/fingerprinters/servers/iis.rb +1 -1
  114. data/components/fingerprinters/servers/jetty.rb +1 -1
  115. data/components/fingerprinters/servers/nginx.rb +1 -1
  116. data/components/fingerprinters/servers/tomcat.rb +1 -1
  117. data/components/path_extractors/anchors.rb +3 -5
  118. data/components/path_extractors/areas.rb +3 -4
  119. data/components/path_extractors/comments.rb +4 -5
  120. data/components/path_extractors/data_url.rb +4 -5
  121. data/components/path_extractors/forms.rb +3 -4
  122. data/components/path_extractors/frames.rb +3 -5
  123. data/components/path_extractors/generic.rb +3 -1
  124. data/components/path_extractors/links.rb +3 -4
  125. data/components/path_extractors/meta_refresh.rb +11 -17
  126. data/components/path_extractors/scripts.rb +18 -15
  127. data/components/plugins/autologin.rb +3 -2
  128. data/components/plugins/beep_notify.rb +1 -1
  129. data/components/plugins/content_types.rb +1 -1
  130. data/components/plugins/cookie_collector.rb +1 -1
  131. data/components/plugins/debug/browser_cluster_job_monitor.rb +60 -0
  132. data/components/plugins/defaults/autothrottle.rb +1 -1
  133. data/components/plugins/defaults/healthmap.rb +3 -1
  134. data/components/plugins/defaults/meta/remedies/discovery.rb +1 -1
  135. data/components/plugins/defaults/meta/remedies/timing_attacks.rb +1 -1
  136. data/components/plugins/defaults/meta/uniformity.rb +1 -1
  137. data/components/plugins/email_notify.rb +26 -9
  138. data/components/plugins/exec.rb +1 -1
  139. data/components/plugins/form_dicattack.rb +3 -4
  140. data/components/plugins/headers_collector.rb +1 -1
  141. data/components/plugins/http_dicattack.rb +4 -5
  142. data/components/plugins/login_script.rb +2 -2
  143. data/components/plugins/metrics.rb +44 -18
  144. data/components/plugins/page_dump.rb +60 -0
  145. data/components/plugins/proxy/panel/verify_login_sequence.html.erb +1 -1
  146. data/components/plugins/proxy/template_scope.rb +6 -1
  147. data/components/plugins/proxy.rb +44 -31
  148. data/components/plugins/rate_limiter.rb +80 -0
  149. data/components/plugins/restrict_to_dom_state.rb +1 -1
  150. data/components/plugins/script.rb +1 -1
  151. data/components/plugins/uncommon_headers.rb +1 -1
  152. data/components/plugins/vector_collector.rb +1 -1
  153. data/components/plugins/vector_feed.rb +1 -1
  154. data/components/plugins/waf_detector.rb +3 -3
  155. data/components/plugins/webhook_notify.rb +99 -0
  156. data/components/reporters/ap.rb +1 -1
  157. data/components/reporters/html/default/configuration.erb +2 -0
  158. data/components/reporters/html/default.erb +3 -2
  159. data/components/reporters/html.rb +5 -8
  160. data/components/reporters/json.rb +1 -1
  161. data/components/reporters/marshal.rb +1 -1
  162. data/components/reporters/plugin_formatters/html/autologin.rb +1 -1
  163. data/components/reporters/plugin_formatters/html/content_types.rb +1 -1
  164. data/components/reporters/plugin_formatters/html/cookie_collector.rb +1 -1
  165. data/components/reporters/plugin_formatters/html/exec.rb +1 -1
  166. data/components/reporters/plugin_formatters/html/form_dicattack.rb +1 -1
  167. data/components/reporters/plugin_formatters/html/healthmap.rb +1 -1
  168. data/components/reporters/plugin_formatters/html/http_dicattack.rb +1 -1
  169. data/components/reporters/plugin_formatters/html/login_script.rb +1 -1
  170. data/components/reporters/plugin_formatters/html/metrics.rb +46 -1
  171. data/components/reporters/plugin_formatters/html/uncommon_headers.rb +1 -1
  172. data/components/reporters/plugin_formatters/html/uniformity.rb +1 -1
  173. data/components/reporters/plugin_formatters/html/vector_collector.rb +1 -1
  174. data/components/reporters/plugin_formatters/html/waf_detector.rb +1 -1
  175. data/components/reporters/plugin_formatters/stdout/autologin.rb +1 -1
  176. data/components/reporters/plugin_formatters/stdout/content_types.rb +1 -1
  177. data/components/reporters/plugin_formatters/stdout/cookie_collector.rb +1 -1
  178. data/components/reporters/plugin_formatters/stdout/exec.rb +1 -1
  179. data/components/reporters/plugin_formatters/stdout/form_dicattack.rb +1 -1
  180. data/components/reporters/plugin_formatters/stdout/healthmap.rb +1 -1
  181. data/components/reporters/plugin_formatters/stdout/http_dicattack.rb +1 -1
  182. data/components/reporters/plugin_formatters/stdout/login_script.rb +1 -1
  183. data/components/reporters/plugin_formatters/stdout/metrics.rb +11 -1
  184. data/components/reporters/plugin_formatters/stdout/uncommon_headers.rb +1 -1
  185. data/components/reporters/plugin_formatters/stdout/uniformity.rb +1 -1
  186. data/components/reporters/plugin_formatters/stdout/vector_collector.rb +1 -1
  187. data/components/reporters/plugin_formatters/stdout/waf_detector.rb +1 -1
  188. data/components/reporters/plugin_formatters/xml/autologin.rb +1 -1
  189. data/components/reporters/plugin_formatters/xml/content_types.rb +10 -7
  190. data/components/reporters/plugin_formatters/xml/cookie_collector.rb +6 -3
  191. data/components/reporters/plugin_formatters/xml/exec.rb +1 -1
  192. data/components/reporters/plugin_formatters/xml/form_dicattack.rb +1 -1
  193. data/components/reporters/plugin_formatters/xml/healthmap.rb +1 -1
  194. data/components/reporters/plugin_formatters/xml/http_dicattack.rb +1 -1
  195. data/components/reporters/plugin_formatters/xml/login_script.rb +1 -1
  196. data/components/reporters/plugin_formatters/xml/metrics.rb +1 -1
  197. data/components/reporters/plugin_formatters/xml/uncommon_headers.rb +5 -2
  198. data/components/reporters/plugin_formatters/xml/uniformity.rb +1 -1
  199. data/components/reporters/plugin_formatters/xml/vector_collector.rb +8 -5
  200. data/components/reporters/plugin_formatters/xml/waf_detector.rb +1 -1
  201. data/components/reporters/stdout.rb +3 -2
  202. data/components/reporters/txt.rb +1 -1
  203. data/components/reporters/xml/schema.xsd +29 -13
  204. data/components/reporters/xml.rb +40 -23
  205. data/components/reporters/yaml.rb +1 -1
  206. data/config/write_paths.yml +4 -0
  207. data/lib/arachni/banner.rb +1 -1
  208. data/lib/arachni/browser/element_locator.rb +9 -5
  209. data/lib/arachni/browser/javascript/dom_monitor.rb +1 -1
  210. data/lib/arachni/browser/javascript/proxy/stub.rb +1 -1
  211. data/lib/arachni/browser/javascript/proxy.rb +1 -1
  212. data/lib/arachni/browser/javascript/scripts/dom_monitor.js +329 -72
  213. data/lib/arachni/browser/javascript/scripts/polyfills.js +0 -28
  214. data/lib/arachni/browser/javascript/scripts/taint_tracer.js +81 -25
  215. data/lib/arachni/browser/javascript/taint_tracer/frame/called_function.rb +1 -1
  216. data/lib/arachni/browser/javascript/taint_tracer/frame.rb +1 -1
  217. data/lib/arachni/browser/javascript/taint_tracer/sink/base.rb +1 -1
  218. data/lib/arachni/browser/javascript/taint_tracer/sink/data_flow.rb +1 -1
  219. data/lib/arachni/browser/javascript/taint_tracer/sink/execution_flow.rb +1 -1
  220. data/lib/arachni/browser/javascript/taint_tracer.rb +1 -1
  221. data/lib/arachni/browser/javascript.rb +111 -198
  222. data/lib/arachni/browser.rb +309 -382
  223. data/lib/arachni/browser_cluster/job/result.rb +1 -1
  224. data/lib/arachni/browser_cluster/job.rb +9 -2
  225. data/lib/arachni/browser_cluster/jobs/browser_provider.rb +8 -2
  226. data/lib/arachni/browser_cluster/jobs/dom_exploration/event_trigger/result.rb +1 -1
  227. data/lib/arachni/browser_cluster/jobs/dom_exploration/event_trigger.rb +1 -1
  228. data/lib/arachni/browser_cluster/jobs/dom_exploration/result.rb +1 -1
  229. data/lib/arachni/browser_cluster/jobs/dom_exploration.rb +13 -1
  230. data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger/result.rb +1 -1
  231. data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +1 -1
  232. data/lib/arachni/browser_cluster/jobs/taint_trace/result.rb +1 -1
  233. data/lib/arachni/browser_cluster/jobs/taint_trace.rb +1 -1
  234. data/lib/arachni/browser_cluster/worker.rb +97 -87
  235. data/lib/arachni/browser_cluster.rb +79 -62
  236. data/lib/arachni/check/auditor.rb +161 -155
  237. data/lib/arachni/check/base.rb +1 -1
  238. data/lib/arachni/check/manager.rb +1 -1
  239. data/lib/arachni/check.rb +1 -1
  240. data/lib/arachni/component/base.rb +3 -1
  241. data/lib/arachni/component/manager.rb +1 -1
  242. data/lib/arachni/component/options/address.rb +1 -1
  243. data/lib/arachni/component/options/base.rb +1 -1
  244. data/lib/arachni/component/options/bool.rb +1 -1
  245. data/lib/arachni/component/options/float.rb +1 -1
  246. data/lib/arachni/component/options/int.rb +1 -1
  247. data/lib/arachni/component/options/multiple_choice.rb +1 -1
  248. data/lib/arachni/component/options/object.rb +1 -1
  249. data/lib/arachni/component/options/path.rb +1 -1
  250. data/lib/arachni/component/options/port.rb +1 -1
  251. data/lib/arachni/component/options/string.rb +1 -1
  252. data/lib/arachni/component/options/url.rb +1 -1
  253. data/lib/arachni/component/options.rb +1 -1
  254. data/lib/arachni/component/output.rb +8 -2
  255. data/lib/arachni/component/utilities.rb +1 -1
  256. data/lib/arachni/component.rb +1 -1
  257. data/lib/arachni/data/framework/rpc.rb +2 -2
  258. data/lib/arachni/data/framework.rb +3 -2
  259. data/lib/arachni/data/issues.rb +1 -1
  260. data/lib/arachni/data/plugins.rb +1 -1
  261. data/lib/arachni/data/session.rb +1 -1
  262. data/lib/arachni/data.rb +1 -1
  263. data/lib/arachni/element/base.rb +1 -1
  264. data/lib/arachni/element/body.rb +1 -1
  265. data/lib/arachni/element/capabilities/analyzable/differential.rb +142 -175
  266. data/lib/arachni/element/capabilities/analyzable/signature.rb +40 -18
  267. data/lib/arachni/element/capabilities/analyzable/timeout.rb +1 -1
  268. data/lib/arachni/element/capabilities/analyzable.rb +1 -1
  269. data/lib/arachni/element/capabilities/auditable/buffered.rb +92 -0
  270. data/lib/arachni/element/capabilities/auditable/line_buffered.rb +103 -0
  271. data/lib/arachni/element/capabilities/auditable.rb +2 -8
  272. data/lib/arachni/element/capabilities/dom_only.rb +1 -1
  273. data/lib/arachni/element/capabilities/inputtable.rb +6 -2
  274. data/lib/arachni/element/capabilities/mutable.rb +1 -1
  275. data/lib/arachni/element/capabilities/refreshable.rb +1 -1
  276. data/lib/arachni/element/capabilities/submittable.rb +1 -1
  277. data/lib/arachni/element/capabilities/with_auditor/output.rb +4 -3
  278. data/lib/arachni/element/capabilities/with_auditor.rb +1 -1
  279. data/lib/arachni/element/capabilities/with_dom.rb +1 -1
  280. data/lib/arachni/element/capabilities/with_node.rb +3 -3
  281. data/lib/arachni/element/capabilities/with_scope/scope.rb +1 -1
  282. data/lib/arachni/element/capabilities/with_scope.rb +1 -1
  283. data/lib/arachni/element/capabilities/with_source.rb +2 -2
  284. data/lib/arachni/element/cookie/capabilities/inputtable.rb +1 -1
  285. data/lib/arachni/element/cookie/capabilities/mutable.rb +1 -1
  286. data/lib/arachni/element/cookie/capabilities/with_dom.rb +1 -1
  287. data/lib/arachni/element/cookie/dom.rb +1 -1
  288. data/lib/arachni/element/cookie.rb +49 -24
  289. data/lib/arachni/element/dom/capabilities/auditable.rb +44 -3
  290. data/lib/arachni/element/dom/capabilities/inputtable.rb +1 -1
  291. data/lib/arachni/element/dom/capabilities/locatable.rb +1 -1
  292. data/lib/arachni/element/dom/capabilities/mutable.rb +7 -3
  293. data/lib/arachni/element/dom/capabilities/submittable.rb +51 -22
  294. data/lib/arachni/element/dom.rb +1 -1
  295. data/lib/arachni/element/form/capabilities/auditable.rb +1 -1
  296. data/lib/arachni/element/form/capabilities/mutable.rb +16 -11
  297. data/lib/arachni/element/form/capabilities/submittable.rb +1 -1
  298. data/lib/arachni/element/form/capabilities/with_dom.rb +1 -1
  299. data/lib/arachni/element/form/dom.rb +1 -1
  300. data/lib/arachni/element/form.rb +21 -32
  301. data/lib/arachni/element/generic_dom.rb +1 -1
  302. data/lib/arachni/element/header/capabilities/inputtable.rb +1 -1
  303. data/lib/arachni/element/header/capabilities/mutable.rb +1 -1
  304. data/lib/arachni/element/header.rb +3 -1
  305. data/lib/arachni/element/json/capabilities/inputtable.rb +1 -1
  306. data/lib/arachni/element/json/capabilities/mutable.rb +1 -1
  307. data/lib/arachni/element/json.rb +4 -8
  308. data/lib/arachni/element/link/capabilities/auditable.rb +1 -1
  309. data/lib/arachni/element/link/capabilities/submittable.rb +1 -1
  310. data/lib/arachni/element/link/capabilities/with_dom.rb +1 -1
  311. data/lib/arachni/element/link/dom/capabilities/submittable.rb +1 -1
  312. data/lib/arachni/element/link/dom.rb +1 -1
  313. data/lib/arachni/element/link.rb +11 -30
  314. data/lib/arachni/element/link_template/capabilities/auditable.rb +1 -1
  315. data/lib/arachni/element/link_template/capabilities/inputtable.rb +1 -1
  316. data/lib/arachni/element/link_template/capabilities/with_dom.rb +1 -1
  317. data/lib/arachni/element/link_template/dom/capabilities/submittable.rb +1 -1
  318. data/lib/arachni/element/link_template/dom.rb +2 -2
  319. data/lib/arachni/element/link_template.rb +10 -19
  320. data/lib/arachni/element/nested_cookie/capabilities/submittable.rb +35 -0
  321. data/lib/arachni/element/nested_cookie.rb +370 -0
  322. data/lib/arachni/element/path.rb +1 -1
  323. data/lib/arachni/element/server.rb +11 -11
  324. data/lib/arachni/element/ui_form/dom.rb +1 -1
  325. data/lib/arachni/element/ui_form.rb +5 -6
  326. data/lib/arachni/element/ui_input/dom.rb +1 -1
  327. data/lib/arachni/element/ui_input.rb +4 -6
  328. data/lib/arachni/element/xml/capabilities/inputtable.rb +1 -1
  329. data/lib/arachni/element/xml/capabilities/mutable.rb +1 -1
  330. data/lib/arachni/element/xml.rb +3 -7
  331. data/lib/arachni/element_filter.rb +1 -1
  332. data/lib/arachni/error.rb +1 -1
  333. data/lib/arachni/ethon/easy.rb +1 -1
  334. data/lib/arachni/framework/parts/audit.rb +6 -1
  335. data/lib/arachni/framework/parts/browser.rb +14 -14
  336. data/lib/arachni/framework/parts/check.rb +1 -1
  337. data/lib/arachni/framework/parts/data.rb +1 -1
  338. data/lib/arachni/framework/parts/platform.rb +1 -1
  339. data/lib/arachni/framework/parts/plugin.rb +1 -1
  340. data/lib/arachni/framework/parts/report.rb +3 -3
  341. data/lib/arachni/framework/parts/scope.rb +1 -1
  342. data/lib/arachni/framework/parts/state.rb +1 -1
  343. data/lib/arachni/framework.rb +1 -1
  344. data/lib/arachni/http/client/dynamic_404_handler.rb +74 -16
  345. data/lib/arachni/http/client.rb +38 -11
  346. data/lib/arachni/http/cookie_jar.rb +13 -8
  347. data/lib/arachni/http/headers.rb +11 -5
  348. data/lib/arachni/http/message/scope.rb +1 -1
  349. data/lib/arachni/http/message.rb +10 -9
  350. data/lib/arachni/http/proxy_server/connection.rb +110 -82
  351. data/lib/arachni/http/proxy_server/ssl-interceptor-cacert.pem +18 -32
  352. data/lib/arachni/http/proxy_server/ssl-interceptor-cakey.pem +28 -49
  353. data/lib/arachni/http/proxy_server/ssl_interceptor.rb +8 -6
  354. data/lib/arachni/http/proxy_server/tunnel.rb +4 -4
  355. data/lib/arachni/http/proxy_server.rb +44 -11
  356. data/lib/arachni/http/request/scope.rb +1 -1
  357. data/lib/arachni/http/request.rb +239 -41
  358. data/lib/arachni/http/response/scope.rb +1 -1
  359. data/lib/arachni/http/response.rb +73 -10
  360. data/lib/arachni/http.rb +1 -1
  361. data/lib/arachni/issue/severity/base.rb +1 -1
  362. data/lib/arachni/issue/severity.rb +1 -1
  363. data/lib/arachni/issue.rb +42 -14
  364. data/lib/arachni/option_group.rb +1 -1
  365. data/lib/arachni/option_groups/audit.rb +11 -2
  366. data/lib/arachni/option_groups/browser_cluster.rb +32 -4
  367. data/lib/arachni/option_groups/datastore.rb +1 -1
  368. data/lib/arachni/option_groups/dispatcher.rb +1 -1
  369. data/lib/arachni/option_groups/http.rb +39 -10
  370. data/lib/arachni/option_groups/input.rb +1 -1
  371. data/lib/arachni/option_groups/output.rb +1 -1
  372. data/lib/arachni/option_groups/paths.rb +12 -1
  373. data/lib/arachni/option_groups/rpc.rb +1 -1
  374. data/lib/arachni/option_groups/scope.rb +58 -4
  375. data/lib/arachni/option_groups/session.rb +1 -1
  376. data/lib/arachni/option_groups/snapshot.rb +1 -1
  377. data/lib/arachni/option_groups.rb +1 -1
  378. data/lib/arachni/options.rb +23 -4
  379. data/lib/arachni/page/dom/transition.rb +5 -2
  380. data/lib/arachni/page/dom.rb +46 -54
  381. data/lib/arachni/page/scope.rb +1 -1
  382. data/lib/arachni/page.rb +10 -8
  383. data/lib/arachni/parser/document.rb +34 -0
  384. data/lib/arachni/parser/extractors/base.rb +48 -0
  385. data/lib/arachni/parser/nodes/base.rb +22 -0
  386. data/lib/arachni/parser/nodes/comment.rb +32 -0
  387. data/lib/arachni/parser/nodes/element/with_attributes/attributes.rb +31 -0
  388. data/lib/arachni/parser/nodes/element/with_attributes.rb +35 -0
  389. data/lib/arachni/parser/nodes/element.rb +48 -0
  390. data/lib/arachni/parser/nodes/text.rb +32 -0
  391. data/lib/arachni/parser/nodes/with_value.rb +29 -0
  392. data/lib/arachni/parser/sax.rb +76 -0
  393. data/lib/arachni/parser/with_children/search.rb +92 -0
  394. data/lib/arachni/parser/with_children.rb +35 -0
  395. data/lib/arachni/parser.rb +181 -78
  396. data/lib/arachni/platform/fingerprinter.rb +1 -1
  397. data/lib/arachni/platform/list.rb +1 -1
  398. data/lib/arachni/platform/manager.rb +2 -2
  399. data/lib/arachni/platform.rb +1 -1
  400. data/lib/arachni/plugin/base.rb +2 -2
  401. data/lib/arachni/plugin/formatter.rb +1 -1
  402. data/lib/arachni/plugin/manager.rb +8 -5
  403. data/lib/arachni/plugin.rb +1 -1
  404. data/lib/arachni/processes/dispatchers.rb +1 -1
  405. data/lib/arachni/processes/executables/base.rb +2 -1
  406. data/lib/arachni/processes/executables/browser.rb +0 -2
  407. data/lib/arachni/processes/helpers/dispatchers.rb +1 -1
  408. data/lib/arachni/processes/helpers/instances.rb +1 -1
  409. data/lib/arachni/processes/helpers/processes.rb +1 -1
  410. data/lib/arachni/processes/helpers.rb +1 -1
  411. data/lib/arachni/processes/instances.rb +1 -1
  412. data/lib/arachni/processes/manager.rb +18 -9
  413. data/lib/arachni/processes.rb +1 -1
  414. data/lib/arachni/report.rb +8 -1
  415. data/lib/arachni/reporter/base.rb +1 -1
  416. data/lib/arachni/reporter/formatter_manager.rb +1 -1
  417. data/lib/arachni/reporter/manager.rb +1 -1
  418. data/lib/arachni/reporter/options.rb +1 -10
  419. data/lib/arachni/reporter.rb +1 -1
  420. data/lib/arachni/rest/server/instance_helpers.rb +10 -1
  421. data/lib/arachni/rest/server.rb +13 -1
  422. data/lib/arachni/rpc/client/base.rb +1 -1
  423. data/lib/arachni/rpc/client/dispatcher.rb +1 -1
  424. data/lib/arachni/rpc/client/instance/framework.rb +1 -1
  425. data/lib/arachni/rpc/client/instance/service.rb +1 -1
  426. data/lib/arachni/rpc/client/instance.rb +1 -1
  427. data/lib/arachni/rpc/serializer.rb +1 -1
  428. data/lib/arachni/rpc/server/active_options.rb +1 -1
  429. data/lib/arachni/rpc/server/base.rb +1 -1
  430. data/lib/arachni/rpc/server/check/manager.rb +1 -1
  431. data/lib/arachni/rpc/server/dispatcher/node.rb +1 -1
  432. data/lib/arachni/rpc/server/dispatcher/service.rb +1 -1
  433. data/lib/arachni/rpc/server/dispatcher.rb +1 -1
  434. data/lib/arachni/rpc/server/framework/distributor.rb +1 -1
  435. data/lib/arachni/rpc/server/framework/master.rb +1 -1
  436. data/lib/arachni/rpc/server/framework/multi_instance.rb +1 -1
  437. data/lib/arachni/rpc/server/framework/slave.rb +1 -1
  438. data/lib/arachni/rpc/server/framework.rb +1 -1
  439. data/lib/arachni/rpc/server/instance.rb +1 -1
  440. data/lib/arachni/rpc/server/output.rb +1 -1
  441. data/lib/arachni/rpc/server/plugin/manager.rb +1 -1
  442. data/lib/arachni/ruby/array.rb +1 -1
  443. data/lib/arachni/ruby/hash.rb +1 -1
  444. data/lib/arachni/ruby/object.rb +1 -1
  445. data/lib/arachni/ruby/set.rb +1 -1
  446. data/lib/arachni/ruby/string.rb +9 -5
  447. data/lib/arachni/ruby/webrick/cookie.rb +1 -1
  448. data/lib/arachni/ruby/webrick/httprequest.rb +1 -1
  449. data/lib/arachni/ruby/webrick.rb +1 -1
  450. data/lib/arachni/ruby.rb +1 -1
  451. data/lib/arachni/scope.rb +1 -1
  452. data/lib/arachni/selenium/webdriver/element.rb +4 -4
  453. data/lib/arachni/selenium/webdriver/remote/typhoeus.rb +59 -0
  454. data/lib/arachni/session.rb +32 -13
  455. data/lib/arachni/snapshot.rb +2 -2
  456. data/lib/arachni/state/audit.rb +1 -1
  457. data/lib/arachni/state/element_filter.rb +1 -1
  458. data/lib/arachni/state/framework/rpc.rb +1 -1
  459. data/lib/arachni/state/framework.rb +1 -1
  460. data/lib/arachni/state/http.rb +2 -2
  461. data/lib/arachni/state/options.rb +1 -1
  462. data/lib/arachni/state/plugins.rb +1 -1
  463. data/lib/arachni/state.rb +1 -1
  464. data/lib/arachni/support/buffer/autoflush.rb +1 -1
  465. data/lib/arachni/support/buffer/base.rb +1 -1
  466. data/lib/arachni/support/buffer.rb +1 -1
  467. data/lib/arachni/support/cache/base.rb +1 -1
  468. data/lib/arachni/support/cache/least_cost_replacement.rb +1 -1
  469. data/lib/arachni/support/cache/least_recently_pushed.rb +1 -1
  470. data/lib/arachni/support/cache/least_recently_used.rb +1 -1
  471. data/lib/arachni/support/cache/preference.rb +1 -1
  472. data/lib/arachni/support/cache/random_replacement.rb +1 -1
  473. data/lib/arachni/support/cache.rb +1 -1
  474. data/lib/arachni/support/crypto/rsa_aes_cbc.rb +1 -1
  475. data/lib/arachni/support/crypto.rb +1 -1
  476. data/lib/arachni/support/database/base.rb +16 -10
  477. data/lib/arachni/support/database/hash.rb +1 -1
  478. data/lib/arachni/support/database/queue.rb +1 -1
  479. data/lib/arachni/support/database.rb +1 -1
  480. data/lib/arachni/support/glob.rb +1 -1
  481. data/lib/arachni/support/lookup/base.rb +1 -1
  482. data/lib/arachni/support/lookup/hash_set.rb +1 -1
  483. data/lib/arachni/support/lookup/moolb.rb +1 -1
  484. data/lib/arachni/support/lookup.rb +1 -1
  485. data/lib/arachni/support/mixins/observable.rb +1 -1
  486. data/lib/arachni/support/mixins/terminal.rb +1 -1
  487. data/lib/arachni/support/mixins.rb +1 -1
  488. data/lib/arachni/support/profiler.rb +52 -13
  489. data/lib/arachni/support/signature.rb +18 -6
  490. data/lib/arachni/support.rb +1 -1
  491. data/lib/arachni/trainer.rb +55 -39
  492. data/lib/arachni/ui/foo/output.rb +1 -1
  493. data/lib/arachni/uri/scope.rb +15 -13
  494. data/lib/arachni/uri.rb +129 -103
  495. data/lib/arachni/utilities.rb +10 -10
  496. data/lib/arachni/version.rb +1 -1
  497. data/lib/arachni.rb +1 -7
  498. data/lib/version +1 -1
  499. data/spec/arachni/browser/element_locator_spec.rb +42 -18
  500. data/spec/arachni/browser/javascript/dom_monitor_spec.rb +264 -109
  501. data/spec/arachni/browser/javascript/polyfills_spec.rb +0 -15
  502. data/spec/arachni/browser/javascript/proxy_spec.rb +0 -10
  503. data/spec/arachni/browser/javascript/taint_tracer_spec.rb +43 -118
  504. data/spec/arachni/browser/javascript_spec.rb +95 -60
  505. data/spec/arachni/browser_cluster/job_spec.rb +23 -8
  506. data/spec/arachni/browser_cluster/jobs/dom_exploration_spec.rb +6 -1
  507. data/spec/arachni/browser_cluster/worker_spec.rb +29 -87
  508. data/spec/arachni/browser_cluster_spec.rb +124 -43
  509. data/spec/arachni/browser_spec.rb +463 -421
  510. data/spec/arachni/check/auditor_spec.rb +162 -198
  511. data/spec/arachni/data/framework/rpc_spec.rb +1 -1
  512. data/spec/arachni/data/framework_spec.rb +1 -1
  513. data/spec/arachni/element/capabilities/analyzable/signature_spec.rb +46 -3
  514. data/spec/arachni/element/cookie/dom_spec.rb +1 -1
  515. data/spec/arachni/element/cookie_spec.rb +159 -64
  516. data/spec/arachni/element/form/dom_spec.rb +1 -1
  517. data/spec/arachni/element/form_spec.rb +101 -54
  518. data/spec/arachni/element/header_spec.rb +3 -1
  519. data/spec/arachni/element/json_spec.rb +2 -0
  520. data/spec/arachni/element/link/dom_spec.rb +2 -2
  521. data/spec/arachni/element/link_spec.rb +46 -15
  522. data/spec/arachni/element/link_template/dom_spec.rb +1 -1
  523. data/spec/arachni/element/link_template_spec.rb +36 -12
  524. data/spec/arachni/element/nested_cookie_spec.rb +687 -0
  525. data/spec/arachni/element/server_spec.rb +22 -5
  526. data/spec/arachni/element/ui_form/dom_spec.rb +1 -1
  527. data/spec/arachni/element/ui_form_spec.rb +2 -2
  528. data/spec/arachni/element/ui_input/dom_spec.rb +1 -1
  529. data/spec/arachni/element/ui_input_spec.rb +1 -1
  530. data/spec/arachni/element/xml_spec.rb +5 -3
  531. data/spec/arachni/framework/parts/audit_spec.rb +2 -14
  532. data/spec/arachni/framework/parts/data_spec.rb +0 -6
  533. data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +126 -0
  534. data/spec/arachni/http/client_spec.rb +96 -36
  535. data/spec/arachni/http/cookie_jar_spec.rb +2 -2
  536. data/spec/arachni/http/headers_spec.rb +59 -12
  537. data/spec/arachni/http/proxy_server_spec.rb +58 -25
  538. data/spec/arachni/http/request_spec.rb +382 -35
  539. data/spec/arachni/http/response_spec.rb +135 -7
  540. data/spec/arachni/issue_spec.rb +21 -2
  541. data/spec/arachni/option_groups/browser_cluster_spec.rb +17 -0
  542. data/spec/arachni/option_groups/http_spec.rb +21 -6
  543. data/spec/arachni/option_groups/paths_spec.rb +23 -1
  544. data/spec/arachni/option_groups/scope_spec.rb +27 -7
  545. data/spec/arachni/options_spec.rb +8 -1
  546. data/spec/arachni/page/dom_spec.rb +20 -6
  547. data/spec/arachni/page_spec.rb +8 -7
  548. data/spec/arachni/parser/document_spec.rb +49 -0
  549. data/spec/arachni/parser/nodes/comment_spec.rb +24 -0
  550. data/spec/arachni/parser/nodes/element/with_attributes/attributes_spec.rb +40 -0
  551. data/spec/arachni/parser/nodes/element/with_attributes_spec.rb +50 -0
  552. data/spec/arachni/parser/nodes/element_spec.rb +18 -0
  553. data/spec/arachni/parser/nodes/text_spec.rb +24 -0
  554. data/spec/arachni/parser/sax_spec.rb +88 -0
  555. data/spec/arachni/parser/with_children/search_spec.rb +146 -0
  556. data/spec/arachni/parser/with_children_spec.rb +37 -0
  557. data/spec/arachni/parser_spec.rb +211 -27
  558. data/spec/arachni/platform/list_spec.rb +1 -2
  559. data/spec/arachni/report_spec.rb +9 -2
  560. data/spec/arachni/reporter/options_spec.rb +0 -14
  561. data/spec/arachni/rest/server_spec.rb +91 -8
  562. data/spec/arachni/rpc/server/active_options_spec.rb +1 -1
  563. data/spec/arachni/rpc/server/framework/distributor_spec.rb +6 -6
  564. data/spec/arachni/ruby/string_spec.rb +6 -0
  565. data/spec/arachni/session_spec.rb +69 -8
  566. data/spec/arachni/snapshot_spec.rb +1 -1
  567. data/spec/arachni/state/framework_spec.rb +2 -2
  568. data/spec/arachni/support/signature_spec.rb +58 -0
  569. data/spec/arachni/trainer_spec.rb +102 -21
  570. data/spec/arachni/uri_spec.rb +11 -8
  571. data/spec/arachni/utilities_spec.rb +3 -3
  572. data/spec/components/checks/active/code_injection_spec.rb +12 -7
  573. data/spec/components/checks/active/code_injection_timing_spec.rb +4 -3
  574. data/spec/components/checks/active/csrf_spec.rb +1 -21
  575. data/spec/components/checks/active/file_inclusion_spec.rb +15 -10
  576. data/spec/components/checks/active/ldap_injection_spec.rb +5 -4
  577. data/spec/components/checks/active/no_sql_injection_differential_spec.rb +1 -1
  578. data/spec/components/checks/active/no_sql_injection_spec.rb +5 -4
  579. data/spec/components/checks/active/os_cmd_injection_spec.rb +6 -4
  580. data/spec/components/checks/active/os_cmd_injection_timing_spec.rb +4 -3
  581. data/spec/components/checks/active/path_traversal_spec.rb +18 -15
  582. data/spec/components/checks/active/response_splitting_spec.rb +5 -4
  583. data/spec/components/checks/active/rfi_spec.rb +9 -8
  584. data/spec/components/checks/active/source_code_disclosure_spec.rb +33 -10
  585. data/spec/components/checks/active/sql_injection_differential_spec.rb +1 -1
  586. data/spec/components/checks/active/sql_injection_spec.rb +61 -35
  587. data/spec/components/checks/active/sql_injection_timing_spec.rb +11 -8
  588. data/spec/components/checks/active/unvalidated_redirect_spec.rb +9 -8
  589. data/spec/components/checks/active/xpath_injection_spec.rb +5 -4
  590. data/spec/components/checks/active/xss_dom_script_context_spec.rb +6 -10
  591. data/spec/components/checks/active/xss_dom_spec.rb +2 -2
  592. data/spec/components/checks/active/xss_event_spec.rb +11 -3
  593. data/spec/components/checks/active/xss_script_context_spec.rb +8 -7
  594. data/spec/components/checks/active/xss_spec.rb +7 -6
  595. data/spec/components/checks/active/xss_tag_spec.rb +11 -3
  596. data/spec/components/checks/passive/backup_directories_spec.rb +3 -1
  597. data/spec/components/checks/passive/backup_files_spec.rb +4 -1
  598. data/spec/components/checks/passive/grep/insecure_cookies_spec.rb +2 -2
  599. data/spec/components/checks/passive/grep/x_frame_options_spec.rb +6 -0
  600. data/spec/components/path_extractors/comments_spec.rb +3 -1
  601. data/spec/components/path_extractors/data_url_spec.rb +6 -2
  602. data/spec/components/path_extractors/links_spec.rb +1 -1
  603. data/spec/components/plugins/autologin_spec.rb +2 -2
  604. data/spec/components/plugins/webhook_notify_spec.rb +69 -0
  605. data/spec/spec_helper.rb +2 -1
  606. data/spec/support/factories/http/response.rb +1 -1
  607. data/spec/support/factories/issue.rb +1 -2
  608. data/spec/support/factories/page/dom.rb +6 -0
  609. data/spec/support/factories/scan_report.rb +1 -0
  610. data/spec/support/factories/vector.rb +7 -3
  611. data/spec/support/fixtures/check_with_invalid_platforms/with_invalid_platforms.rb +1 -1
  612. data/spec/support/fixtures/checks/test.rb +4 -4
  613. data/spec/support/fixtures/checks/test2.rb +1 -1
  614. data/spec/support/fixtures/checks/test3.rb +1 -1
  615. data/spec/support/fixtures/cookies.txt +2 -2
  616. data/spec/support/fixtures/executables/node.rb +2 -3
  617. data/spec/support/fixtures/fingerprinters/test.rb +1 -1
  618. data/spec/support/fixtures/nested_cookies.txt +11 -0
  619. data/spec/support/fixtures/plugins/bad.rb +1 -1
  620. data/spec/support/fixtures/plugins/defaults/default.rb +1 -1
  621. data/spec/support/fixtures/plugins/distributable.rb +1 -1
  622. data/spec/support/fixtures/plugins/loop.rb +1 -1
  623. data/spec/support/fixtures/plugins/suspendable.rb +1 -1
  624. data/spec/support/fixtures/plugins/wait.rb +1 -1
  625. data/spec/support/fixtures/plugins/with_options.rb +1 -1
  626. data/spec/support/fixtures/plugins_with_priorities/p0.rb +1 -1
  627. data/spec/support/fixtures/plugins_with_priorities/p00.rb +1 -1
  628. data/spec/support/fixtures/plugins_with_priorities/p1.rb +1 -1
  629. data/spec/support/fixtures/plugins_with_priorities/p2.rb +1 -1
  630. data/spec/support/fixtures/plugins_with_priorities/p22.rb +1 -1
  631. data/spec/support/fixtures/plugins_with_priorities/p222.rb +1 -1
  632. data/spec/support/fixtures/plugins_with_priorities/p_nil.rb +1 -1
  633. data/spec/support/fixtures/plugins_with_priorities/p_nil2.rb +1 -1
  634. data/spec/support/fixtures/report.afr +0 -0
  635. data/spec/support/fixtures/reporters/base_spec/plugin_formatters/with_formatters/foobar.rb +1 -1
  636. data/spec/support/fixtures/reporters/base_spec/with_formatters.rb +1 -1
  637. data/spec/support/fixtures/reporters/base_spec/with_outfile.rb +1 -1
  638. data/spec/support/fixtures/reporters/base_spec/without_outfile.rb +1 -1
  639. data/spec/support/fixtures/reporters/manager_spec/afr.rb +1 -1
  640. data/spec/support/fixtures/reporters/manager_spec/error.rb +1 -1
  641. data/spec/support/fixtures/reporters/manager_spec/foo.rb +1 -1
  642. data/spec/support/fixtures/run_check/body.rb +1 -1
  643. data/spec/support/fixtures/run_check/cookies.rb +1 -1
  644. data/spec/support/fixtures/run_check/empty.rb +1 -1
  645. data/spec/support/fixtures/run_check/flch.rb +1 -1
  646. data/spec/support/fixtures/run_check/forms.rb +1 -1
  647. data/spec/support/fixtures/run_check/headers.rb +1 -1
  648. data/spec/support/fixtures/run_check/links.rb +1 -1
  649. data/spec/support/fixtures/run_check/nil.rb +1 -1
  650. data/spec/support/fixtures/run_check/path.rb +1 -1
  651. data/spec/support/fixtures/run_check/server.rb +1 -1
  652. data/spec/support/fixtures/signature_check/signature.rb +1 -1
  653. data/spec/support/fixtures/wait_check/wait.rb +1 -1
  654. data/spec/support/helpers/browser_cluster/jobs/taint_tracer.rb +0 -3
  655. data/spec/support/helpers/framework.rb +1 -1
  656. data/spec/support/helpers/misc.rb +1 -1
  657. data/spec/support/helpers/paths.rb +1 -1
  658. data/spec/support/helpers/requires.rb +1 -1
  659. data/spec/support/helpers/resets.rb +1 -1
  660. data/spec/support/helpers/web_server.rb +1 -1
  661. data/spec/support/lib/factory.rb +1 -1
  662. data/spec/support/lib/web_server_client.rb +1 -1
  663. data/spec/support/lib/web_server_dispatcher.rb +1 -1
  664. data/spec/support/lib/web_server_manager.rb +4 -2
  665. data/spec/support/servers/arachni/browser/javascript/dom_monitor.rb +48 -0
  666. data/spec/support/servers/arachni/browser/javascript/taint_tracer.rb +15 -3
  667. data/spec/support/servers/arachni/browser.rb +275 -4
  668. data/spec/support/servers/arachni/check/auditor.rb +9 -0
  669. data/spec/support/servers/arachni/element/cookie.rb +34 -0
  670. data/spec/support/servers/arachni/element/form/form_dom.rb +1 -0
  671. data/spec/support/servers/arachni/element/form.rb +36 -2
  672. data/spec/support/servers/arachni/element/header.rb +36 -1
  673. data/spec/support/servers/arachni/element/json.rb +33 -0
  674. data/spec/support/servers/arachni/element/link.rb +33 -1
  675. data/spec/support/servers/arachni/element/link_template.rb +37 -5
  676. data/spec/support/servers/arachni/element/nested_cookie.rb +84 -0
  677. data/spec/support/servers/arachni/element/xml.rb +33 -0
  678. data/spec/support/servers/arachni/http/client/dynamic_404_handler.rb +36 -0
  679. data/spec/support/servers/arachni/http/client/dynamic_404_handler_redirect_1.rb +18 -0
  680. data/spec/support/servers/arachni/http/client/dynamic_404_handler_redirect_2.rb +11 -0
  681. data/spec/support/servers/arachni/http/client.rb +43 -4
  682. data/spec/support/servers/arachni/http/proxy_server.rb +12 -0
  683. data/spec/support/servers/arachni/parser.rb +6 -0
  684. data/spec/support/servers/arachni/session.rb +24 -1
  685. data/spec/support/servers/checks/active/code_injection.rb +18 -0
  686. data/spec/support/servers/checks/active/code_injection_timing.rb +18 -0
  687. data/spec/support/servers/checks/active/csrf.rb +0 -76
  688. data/spec/support/servers/checks/active/file_inclusion.rb +19 -1
  689. data/spec/support/servers/checks/active/ldap_injection.rb +18 -0
  690. data/spec/support/servers/checks/active/no_sql_injection.rb +27 -0
  691. data/spec/support/servers/checks/active/no_sql_injection_differential.rb +19 -0
  692. data/spec/support/servers/checks/active/os_cmd_injection.rb +29 -0
  693. data/spec/support/servers/checks/active/os_cmd_injection_timing.rb +18 -1
  694. data/spec/support/servers/checks/active/path_traversal.rb +30 -3
  695. data/spec/support/servers/checks/active/response_splitting.rb +30 -1
  696. data/spec/support/servers/checks/active/rfi.rb +30 -2
  697. data/spec/support/servers/checks/active/session_fixation.rb +1 -3
  698. data/spec/support/servers/checks/active/source_code_disclosure.rb +16 -0
  699. data/spec/support/servers/checks/active/sql_injection/java +2 -0
  700. data/spec/support/servers/checks/active/sql_injection.rb +27 -0
  701. data/spec/support/servers/checks/active/sql_injection_differential.rb +19 -0
  702. data/spec/support/servers/checks/active/sql_injection_timing.rb +19 -1
  703. data/spec/support/servers/checks/active/unvalidated_redirect.rb +121 -1
  704. data/spec/support/servers/checks/active/xpath_injection.rb +27 -0
  705. data/spec/support/servers/checks/active/xss.rb +40 -0
  706. data/spec/support/servers/checks/active/xss_event.rb +23 -2
  707. data/spec/support/servers/checks/active/xss_script_context.rb +18 -0
  708. data/spec/support/servers/checks/active/xss_tag.rb +40 -0
  709. data/spec/support/servers/checks/passive/backup_files.rb +20 -1
  710. data/spec/support/servers/checks/passive/grep/cookie_set_for_parent_domain.rb +3 -5
  711. data/spec/support/servers/checks/passive/grep/insecure_cookies_https.rb +9 -0
  712. data/spec/support/servers/checks/passive/grep/x_frame_options.rb +5 -0
  713. data/spec/support/servers/plugins/autologin.rb +17 -1
  714. data/spec/support/servers/plugins/webhook_notify.rb +9 -0
  715. data/spec/support/shared/check.rb +1 -0
  716. data/spec/support/shared/element/capabilities/auditable/buffered.rb +791 -0
  717. data/spec/support/shared/element/capabilities/auditable/line_buffered.rb +797 -0
  718. data/spec/support/shared/element/capabilities/auditable.rb +28 -34
  719. data/spec/support/shared/element/capabilities/inputtable.rb +26 -0
  720. data/spec/support/shared/element/capabilities/with_node.rb +2 -2
  721. data/spec/support/shared/element/dom/submittable.rb +10 -10
  722. data/spec/support/shared/path_extractor.rb +17 -5
  723. data/ui/cli/framework/option_parser.rb +78 -13
  724. data/ui/cli/framework.rb +29 -8
  725. data/ui/cli/option_parser.rb +1 -1
  726. data/ui/cli/output.rb +10 -3
  727. data/ui/cli/reporter/option_parser.rb +1 -1
  728. data/ui/cli/reporter.rb +1 -1
  729. data/ui/cli/reproduce/option_parser.rb +90 -0
  730. data/ui/cli/reproduce.rb +228 -0
  731. data/ui/cli/rest/server/option_parser.rb +1 -1
  732. data/ui/cli/rest/server.rb +1 -1
  733. data/ui/cli/restored_framework/option_parser.rb +1 -1
  734. data/ui/cli/restored_framework.rb +1 -1
  735. data/ui/cli/rpc/client/dispatcher_monitor/option_parser.rb +1 -1
  736. data/ui/cli/rpc/client/dispatcher_monitor.rb +9 -11
  737. data/ui/cli/rpc/client/instance.rb +7 -4
  738. data/ui/cli/rpc/client/local/option_parser.rb +1 -1
  739. data/ui/cli/rpc/client/local.rb +1 -1
  740. data/ui/cli/rpc/client/remote/option_parser.rb +1 -1
  741. data/ui/cli/rpc/client/remote.rb +1 -1
  742. data/ui/cli/rpc/server/dispatcher/option_parser.rb +1 -1
  743. data/ui/cli/rpc/server/dispatcher.rb +1 -1
  744. data/ui/cli/utilities.rb +1 -1
  745. metadata +178 -79
  746. data/ACKNOWLEDGMENTS.md +0 -21
  747. data/AUTHORS.md +0 -3
  748. data/CONTRIBUTORS.md +0 -22
data/spec/arachni/check/auditor_spec.rb CHANGED
@@ -144,7 +144,7 @@ describe Arachni::Check::Auditor do
144
144
  describe '.check?' do
145
145
  context 'when elements have been provided' do
146
146
  it 'restricts the check' do
147
- page = Arachni::Page.from_data( url: url, body: 'stuff' )
147
+ page = Arachni::Page.from_data( url: url, body: 'stuff',headers: [] )
148
148
  allow(page).to receive(:has_script?) { true }
149
149
  auditor.class.info[:elements] =
150
150
  element_classes + [Arachni::Element::Body, Arachni::Element::GenericDOM]
@@ -205,6 +205,7 @@ describe Arachni::Check::Auditor do
205
205
  let(:page) do
206
206
  p = Arachni::Page.from_data(
207
207
  url: url,
208
+ headers: [],
208
209
  "#{element.type}s".gsub( '_dom', '').to_sym => [Factory[element.type]]
209
210
  )
210
211
  allow(p.dom).to receive(:depth) { 1 }
@@ -364,7 +365,7 @@ describe Arachni::Check::Auditor do
364
365
 
365
366
  describe '#log_remote_file_if_exists' do
366
367
  it "delegates to #{Arachni::Element::Server}#log_remote_file_if_exists" do
367
- sent = [:stuff, false]
368
+ sent = [:stuff, false, { blah: '1' }]
368
369
  received = nil
369
370
  b = proc {}
370
371
 
@@ -391,6 +392,11 @@ describe Arachni::Check::Auditor do
391
392
  let(:issue) { Arachni::Data.issues.last }
392
393
  let(:vector) { Arachni::Element::Server.new( page.url ) }
393
394
 
395
+ it 'assigns the extra Issue options' do
396
+ expect(subject.log_remote_file( page, false )).to be_trusted
397
+ expect(subject.log_remote_file( page, false, trusted: false )).to_not be_trusted
398
+ end
399
+
394
400
  context 'given a' do
395
401
  describe Arachni::Page do
396
402
  it 'logs it' do
@@ -422,62 +428,41 @@ describe Arachni::Check::Auditor do
422
428
  end
423
429
 
424
430
  it 'sets the auditor' do
425
- auditor.each_candidate_element [ Arachni::Link ] do |element|
431
+ auditor.each_candidate_element do |element|
426
432
  expect(element.auditor).to eq(auditor)
427
433
  end
428
434
  end
429
435
 
430
- context 'when types have been provided' do
431
- it 'provides those types of elements' do
432
- elements = []
433
- auditor.each_candidate_element [ Arachni::Link, Arachni::Header ] do |element|
434
- elements << element
435
- end
436
+ it 'provides the types of elements specified by the check' do
437
+ auditor.class.info[:elements] = [Arachni::Link, Arachni::Form]
436
438
 
437
- expect(elements).to eq((auditor.page.links | auditor.page.headers).
438
- select { |e| e.inputs.any? })
439
+ elements = []
440
+ auditor.each_candidate_element do |element|
441
+ elements << element
439
442
  end
440
443
 
441
- context 'and are not supported' do
442
- it 'raises ArgumentError' do
443
- expect {
444
- auditor.each_candidate_element [Arachni::Link::DOM]
445
- }.to raise_error ArgumentError
446
- end
447
- end
444
+ expect(auditor.class.elements).to eq([Arachni::Link, Arachni::Form])
445
+ expect(elements).to eq((auditor.page.links | auditor.page.forms).
446
+ select { |e| e.inputs.any? })
448
447
  end
449
- context 'when types have not been provided' do
450
- it 'provides the types of elements specified by the check' do
451
- auditor.class.info[:elements] = [Arachni::Link, Arachni::Form]
448
+
449
+ context 'and no types are specified by the check' do
450
+ it 'provides all types of elements but :inputs and :ui_forms'do
451
+ auditor.class.info[:elements].clear
452
+
453
+ expected_elements = Arachni::Page::ELEMENTS
454
+ expected_elements.delete :ui_inputs
455
+ expected_elements.delete :ui_forms
452
456
 
453
457
  elements = []
454
458
  auditor.each_candidate_element do |element|
455
459
  elements << element
456
460
  end
457
461
 
458
- expect(auditor.class.elements).to eq([Arachni::Link, Arachni::Form])
459
- expect(elements).to eq((auditor.page.links | auditor.page.forms).
462
+ expect(elements.map { |e| "#{e.type}s".to_sym }.uniq).to eq(Arachni::Page::ELEMENTS)
463
+ expect(elements).to eq((auditor.page.elements).
460
464
  select { |e| e.inputs.any? })
461
465
  end
462
-
463
- context 'and no types are specified by the check' do
464
- it 'provides all types of elements but :inputs and :ui_forms'do
465
- auditor.class.info[:elements].clear
466
-
467
- expected_elements = Arachni::Page::ELEMENTS
468
- expected_elements.delete :ui_inputs
469
- expected_elements.delete :ui_forms
470
-
471
- elements = []
472
- auditor.each_candidate_element do |element|
473
- elements << element
474
- end
475
-
476
- expect(elements.map { |e| "#{e.type}s".to_sym }.uniq).to eq(Arachni::Page::ELEMENTS)
477
- expect(elements).to eq((auditor.page.elements).
478
- select { |e| e.inputs.any? })
479
- end
480
- end
481
466
  end
482
467
  end
483
468
 
@@ -498,54 +483,33 @@ describe Arachni::Check::Auditor do
498
483
  end
499
484
  end
500
485
 
501
- context 'when types have been provided' do
502
- it 'provides those types of elements' do
503
- elements = []
504
- auditor.each_candidate_dom_element [ Arachni::Link::DOM ] do |element|
505
- elements << element
506
- end
486
+ it 'provides the types of elements specified by the check' do
487
+ auditor.class.info[:elements] = [Arachni::Form::DOM]
488
+ expect(auditor.class.elements).to eq([Arachni::Form::DOM])
507
489
 
508
- expect(elements).to be_any
509
- expect(elements).to eq(auditor.page.links.select { |l| l.dom }.map(&:dom))
490
+ elements = []
491
+ auditor.each_candidate_dom_element do |element|
492
+ elements << element
510
493
  end
511
494
 
512
- context 'and are not supported' do
513
- it 'raises ArgumentError' do
514
- expect {
515
- auditor.each_candidate_dom_element [Arachni::Link]
516
- }.to raise_error ArgumentError
517
- end
518
- end
495
+ expect(elements).to eq(auditor.page.forms.map(&:dom))
519
496
  end
520
- context 'when types have not been provided' do
521
- it 'provides the types of elements specified by the check' do
522
- auditor.class.info[:elements] = [Arachni::Form::DOM]
523
- expect(auditor.class.elements).to eq([Arachni::Form::DOM])
497
+
498
+ context 'and no types are specified by the check' do
499
+ it 'provides all types of elements'do
500
+ auditor.class.info[:elements].clear
524
501
 
525
502
  elements = []
526
503
  auditor.each_candidate_dom_element do |element|
527
504
  elements << element
528
505
  end
529
506
 
530
- expect(elements).to eq(auditor.page.forms.map(&:dom))
531
- end
532
-
533
- context 'and no types are specified by the check' do
534
- it 'provides all types of elements'do
535
- auditor.class.info[:elements].clear
536
-
537
- elements = []
538
- auditor.each_candidate_dom_element do |element|
539
- elements << element
540
- end
541
-
542
- expect(elements).to eq(
543
- (auditor.page.links.select { |l| l.dom } |
544
- auditor.page.forms | auditor.page.cookies |
545
- auditor.page.link_templates | auditor.page.ui_inputs |
546
- auditor.page.ui_forms).map(&:dom)
547
- )
548
- end
507
+ expect(elements).to eq(
508
+ (auditor.page.links.select { |l| l.dom } |
509
+ auditor.page.forms | auditor.page.cookies |
510
+ auditor.page.link_templates | auditor.page.ui_inputs |
511
+ auditor.page.ui_forms).map(&:dom)
512
+ )
549
513
  end
550
514
  end
551
515
  end
@@ -627,20 +591,19 @@ describe Arachni::Check::Auditor do
627
591
  end
628
592
  end
629
593
 
630
- describe '#log_issue' do
594
+ describe '.log_issue' do
631
595
  it 'logs an issue' do
632
- auditor.log_issue( issue_data )
596
+ auditor.class.log_issue( issue_data )
633
597
 
634
598
  logged_issue = Arachni::Data.issues.first
635
599
 
636
600
  expect(logged_issue.to_h.tap do |h|
637
601
  h[:page][:dom][:transitions].each { |t| t.delete :time }
638
- end).to eq issue.to_h.merge( referring_page: {
639
- body: auditor.page.body,
640
- dom: auditor.page.dom.to_h.tap do |h|
641
- h.delete :skip_states
642
- end
643
- }).tap { |h| h[:page][:dom][:transitions].each { |t| t.delete :time } }
602
+ h[:referring_page][:dom][:transitions].each { |t| t.delete :time }
603
+ end).to eq (issue.to_h.tap do |h|
604
+ h[:page][:dom][:transitions].each { |t| t.delete :time }
605
+ h[:referring_page][:dom][:transitions].each { |t| t.delete :time }
606
+ end)
644
607
  end
645
608
 
646
609
  it 'assigns a #referring_page' do
@@ -656,15 +619,31 @@ describe Arachni::Check::Auditor do
656
619
 
657
620
  context 'when #issue_limit_reached?' do
658
621
  it 'does not log the issue' do
659
- allow(subject).to receive(:issue_limit_reached?) { true }
622
+ allow(auditor.class).to receive(:issue_limit_reached?) { true }
660
623
 
661
- expect(auditor.log_issue( issue_data )).to be_falsey
624
+ expect(auditor.class.log_issue( issue_data )).to be_falsey
662
625
  expect(Arachni::Data.issues).to be_empty
663
626
  end
664
627
  end
665
628
  end
666
629
 
667
- describe '#log' do
630
+ describe '#log_issue' do
631
+ it 'forwards options to .log_issue' do
632
+ expect(auditor.class).to receive(:log_issue).with(
633
+ issue_data.merge( referring_page: auditor.page )
634
+ )
635
+ auditor.log_issue( issue_data )
636
+ end
637
+
638
+ it 'assigns a #referring_page' do
639
+ auditor.log_issue( issue_data )
640
+
641
+ logged_issue = Arachni::Data.issues.first
642
+ expect(logged_issue.referring_page).to eq(auditor.page)
643
+ end
644
+ end
645
+
646
+ describe '.log' do
668
647
  let(:issue_data) do
669
648
  d = super()
670
649
 
@@ -675,28 +654,28 @@ describe Arachni::Check::Auditor do
675
654
  end
676
655
 
677
656
  it 'preserves the given remarks' do
678
- auditor.log( issue_data )
657
+ auditor.class.log( issue_data )
679
658
 
680
659
  logged_issue = Arachni::Data.issues.first
681
660
  expect(logged_issue.remarks.first).to be_any
682
661
  end
683
662
 
684
663
  it 'returns the issue' do
685
- expect(auditor.log( issue_data )).to be_kind_of Arachni::Issue
664
+ expect(auditor.class.log( issue_data )).to be_kind_of Arachni::Issue
686
665
  end
687
666
 
688
667
  context 'when given a page' do
689
668
  after { @framework.http.run }
690
669
 
691
670
  it 'includes response data' do
692
- auditor.log( issue_data )
671
+ auditor.class.log( issue_data )
693
672
  expect(Arachni::Data.issues.first.response).to eq(
694
673
  issue_data[:page].response
695
674
  )
696
675
  end
697
676
 
698
677
  it 'includes request data' do
699
- auditor.log( issue_data )
678
+ auditor.class.log( issue_data )
700
679
  expect(Arachni::Data.issues.first.request).to eq(
701
680
  issue_data[:page].request
702
681
  )
@@ -704,14 +683,53 @@ describe Arachni::Check::Auditor do
704
683
  end
705
684
 
706
685
  context 'when not given a page' do
707
- it 'uses the current page' do
708
- issue_data.delete(:page)
709
- auditor.log( issue_data )
686
+ it 'uses the referring page' do
687
+ issue_data[:referring_page].response.url = @opts.url
688
+ auditor.class.log( issue_data )
710
689
 
711
690
  issue = Arachni::Data.issues.first
712
- expect(issue.page.body).to eq(auditor.page.body)
713
- expect(issue.response).to eq(auditor.page.response)
714
- expect(issue.request).to eq(auditor.page.request)
691
+
692
+ expect(issue.page.body).to eq(issue_data[:referring_page].body)
693
+ expect(issue.response).to eq(issue_data[:referring_page].response)
694
+ expect(issue.request).to eq(issue_data[:referring_page].request)
695
+ end
696
+ end
697
+
698
+ context 'when :referring page has been set' do
699
+ it 'uses it to set the Issue#referring_page' do
700
+ i = auditor.class.log( issue_data )
701
+ expect(i.referring_page).to eq issue_data[:referring_page]
702
+ end
703
+ end
704
+
705
+ context 'when no :referring page has been set' do
706
+ it 'uses Element#page' do
707
+ issue_data[:vector].page = issue_data.delete( :referring_page )
708
+
709
+ i = auditor.class.log( issue_data )
710
+ expect(i.referring_page).to eq issue_data[:vector].page
711
+ end
712
+ end
713
+
714
+ context 'when no referring page data are available' do
715
+ it 'raises ArgumentError' do
716
+ expect do
717
+ issue_data[:vector].page = nil
718
+ issue_data[:referring_page] = nil
719
+
720
+ auditor.class.log( issue_data )
721
+ end.to raise_error ArgumentError
722
+ end
723
+ end
724
+
725
+ context 'when no referring page data are available' do
726
+ it 'raises ArgumentError' do
727
+ expect do
728
+ issue_data[:vector].page = nil
729
+ issue_data[:referring_page] = nil
730
+
731
+ auditor.class.log( issue_data )
732
+ end.to raise_error ArgumentError
715
733
  end
716
734
  end
717
735
 
@@ -752,6 +770,24 @@ describe Arachni::Check::Auditor do
752
770
  end
753
771
  end
754
772
 
773
+ describe '#log' do
774
+ let(:issue_data) do
775
+ d = super()
776
+
777
+ d[:page].response.url = @opts.url
778
+ d.merge( page: d[:page] )
779
+
780
+ d
781
+ end
782
+
783
+ it 'forwards options to .log_issue' do
784
+ expect(auditor.class).to receive(:log).with(
785
+ issue_data.merge( referring_page: auditor.page )
786
+ )
787
+ auditor.log( issue_data )
788
+ end
789
+ end
790
+
755
791
  describe '#audit' do
756
792
  before do
757
793
  @seed = 'my_seed'
@@ -796,99 +832,20 @@ describe Arachni::Check::Auditor do
796
832
  end
797
833
 
798
834
  auditor.audit( @seed ){}
799
- expect($audit_called).to eq(auditor.page.elements.map(&:class))
835
+ expect($audit_called).to eq(auditor.class.elements)
800
836
  end
801
837
  end
802
838
 
803
839
  context 'when called without a block' do
804
840
  it 'delegates to #audit_signature' do
805
- expect(auditor).to receive(:audit_signature).with( @seed, described_class::OPTIONS )
806
- auditor.audit( @seed )
841
+ opts = { stuff: :here }
842
+
843
+ expect(auditor).to receive(:audit_signature).with( @seed, opts )
844
+ auditor.audit( @seed, opts )
807
845
  end
808
846
  end
809
847
 
810
848
  context 'when called with options' do
811
- describe ':elements' do
812
-
813
- before { auditor.load_page_from( @url + '/elem_combo' ) }
814
-
815
- describe 'Arachni::Element::Link' do
816
- it 'audits links' do
817
- auditor.audit( @seed,
818
- format: [ Arachni::Check::Auditor::Format::STRAIGHT ],
819
- elements: [ Arachni::Element::Link ]
820
- )
821
- @framework.http.run
822
- expect(Arachni::Data.issues.size).to eq(1)
823
- issue = Arachni::Data.issues.first
824
- expect(issue.vector.class).to eq(Arachni::Element::Link)
825
- expect(issue.vector.affected_input_name).to eq('link_input')
826
- end
827
- end
828
- describe 'Arachni::Element::Form' do
829
- it 'audits forms' do
830
- auditor.audit( @seed,
831
- format: [ Arachni::Check::Auditor::Format::STRAIGHT ],
832
- elements: [ Arachni::Element::Form ]
833
- )
834
- @framework.http.run
835
- expect(Arachni::Data.issues.size).to eq(1)
836
- issue = Arachni::Data.issues.first
837
- expect(issue.vector.class).to eq(Arachni::Element::Form)
838
- expect(issue.vector.affected_input_name).to eq('form_input')
839
- end
840
- end
841
- describe 'Arachni::Element::Cookie' do
842
- it 'audits cookies' do
843
- auditor.audit( @seed,
844
- format: [ Arachni::Check::Auditor::Format::STRAIGHT ],
845
- elements: [ Arachni::Element::Cookie ]
846
- )
847
- @framework.http.run
848
- expect(Arachni::Data.issues.size).to eq(1)
849
- issue = Arachni::Data.issues.first
850
- expect(issue.vector.class).to eq(Arachni::Element::Cookie)
851
- expect(issue.vector.affected_input_name).to eq('cookie_input')
852
- end
853
- it 'maintains the session while auditing cookies' do
854
- auditor.load_page_from( @url + '/session' )
855
- auditor.audit( @seed,
856
- format: [ Arachni::Check::Auditor::Format::STRAIGHT ],
857
- elements: [ Arachni::Element::Cookie ]
858
- )
859
- @framework.http.run
860
- expect(Arachni::Data.issues.size).to eq(1)
861
- issue = Arachni::Data.issues.first
862
- expect(issue.vector.class).to eq(Arachni::Element::Cookie)
863
- expect(issue.vector.affected_input_name).to eq('vulnerable')
864
- end
865
-
866
- end
867
- describe 'Arachni::Element::Header' do
868
- it 'audits headers' do
869
- auditor.audit( @seed,
870
- format: [ Arachni::Check::Auditor::Format::STRAIGHT ],
871
- elements: [ Arachni::Element::Header ]
872
- )
873
- @framework.http.run
874
- expect(Arachni::Data.issues.size).to eq(1)
875
- issue = Arachni::Data.issues.first
876
- expect(issue.vector.class).to eq(Arachni::Element::Header)
877
- expect(issue.vector.affected_input_name).to eq('Referer')
878
- end
879
- end
880
-
881
- context 'when using default options' do
882
- it 'audits all element types' do
883
- auditor.audit( @seed,
884
- format: [ Arachni::Check::Auditor::Format::STRAIGHT ]
885
- )
886
- @framework.http.run
887
- expect(Arachni::Data.issues.size).to eq(4)
888
- end
889
- end
890
- end
891
-
892
849
  describe ':train' do
893
850
  context 'default' do
894
851
  it 'parses the responses of forms submitted with their default values and feed any new elements back to the framework to be audited' do
@@ -901,17 +858,19 @@ describe Arachni::Check::Auditor do
901
858
  # feed the new pages/elements back to the queue
902
859
  @framework.trainer.on_new_page { |p| pages << p }
903
860
 
861
+ vector = nil
904
862
  # audit until no more new elements appear
905
863
  while (page = pages.pop)
906
864
  auditor = Auditor.new( page, @framework )
907
- auditor.audit( @seed )
865
+ auditor.audit( @seed ) do |response, mutation|
866
+ next if !response.body.include? @seed
867
+ vector = mutation.affected_input_name
868
+ end
908
869
  # run audit requests
909
870
  @framework.http.run
910
871
  end
911
872
 
912
- expect(Arachni::Data.issues.all.find do |i|
913
- i.vector.affected_input_name == 'you_made_it'
914
- end).to be_truthy
873
+ expect(vector).to eq 'you_made_it'
915
874
  end
916
875
  end
917
876
 
@@ -926,18 +885,21 @@ describe Arachni::Check::Auditor do
926
885
  # feed the new pages/elements back to the queue
927
886
  @framework.trainer.on_new_page { |p| pages << p }
928
887
 
888
+ vector = nil
929
889
  # audit until no more new elements appear
930
- while page = pages.pop
890
+ while (page = pages.pop)
931
891
  auditor = Arachni::Check::Base.new( page, @framework )
932
- auditor.audit( @seed, submit: { train: true })
892
+ auditor.audit( @seed, submit: { train: true } ) do |response, mutation|
893
+ next if !response.body.include?( @seed ) ||
894
+ mutation.affected_input_name != 'you_made_it'
895
+
896
+ vector = mutation.affected_input_name
897
+ end
933
898
  # run audit requests
934
899
  @framework.http.run
935
900
  end
936
901
 
937
- issue = issues.first
938
- expect(issue).to be_truthy
939
- expect(issue.vector.class).to eq(Arachni::Element::Form)
940
- expect(issue.vector.affected_input_name).to eq('you_made_it')
902
+ expect(vector).to eq 'you_made_it'
941
903
  end
942
904
  end
943
905
 
@@ -978,7 +940,7 @@ describe Arachni::Check::Auditor do
978
940
  end
979
941
 
980
942
  auditor.audit_signature( 'seed' )
981
- expect($audit_signature_called).to eq(auditor.page.elements.map(&:class))
943
+ expect($audit_signature_called).to eq(auditor.class.elements)
982
944
  end
983
945
  end
984
946
 
@@ -997,7 +959,7 @@ describe Arachni::Check::Auditor do
997
959
  end
998
960
 
999
961
  auditor.audit_differential( { false: '0', pairs: { '1' => '2' } } )
1000
- expect($audit_differential_called).to eq(auditor.page.elements.map(&:class))
962
+ expect($audit_differential_called).to eq(auditor.class.elements)
1001
963
  end
1002
964
  end
1003
965
 
@@ -1016,7 +978,7 @@ describe Arachni::Check::Auditor do
1016
978
  end
1017
979
 
1018
980
  auditor.audit_timeout( 'seed', timeout: 1 )
1019
- expect($audit_timeout_called).to eq(auditor.page.elements.map(&:class))
981
+ expect($audit_timeout_called).to eq(auditor.class.elements)
1020
982
  end
1021
983
  end
1022
984
 
@@ -1182,6 +1144,8 @@ describe Arachni::Check::Auditor do
1182
1144
 
1183
1145
  context 'true' do
1184
1146
  it 'marks the job as done' do
1147
+ pending
1148
+
1185
1149
  calls = 0
1186
1150
  auditor.trace_taint( url ) do
1187
1151
  calls += 1
data/spec/arachni/data/framework/rpc_spec.rb CHANGED
@@ -41,7 +41,7 @@ describe Arachni::Data::Framework::RPC do
41
41
 
42
42
  pages = []
43
43
  Dir["#{dump_directory}/distributed_page_queue/*"].each do |page_file|
44
- pages << Marshal.load( IO.binread( page_file ) )
44
+ pages << subject.distributed_page_queue.unserialize( IO.binread( page_file ) )
45
45
  end
46
46
  expect(pages).to eq([page, page])
47
47
  end
data/spec/arachni/data/framework_spec.rb CHANGED
@@ -166,7 +166,7 @@ describe Arachni::Data::Framework do
166
166
 
167
167
  pages = []
168
168
  Dir["#{dump_directory}/page_queue/*"].each do |page_file|
169
- pages << Marshal.load( IO.binread( page_file ) )
169
+ pages << subject.page_queue.unserialize( IO.binread( page_file ) )
170
170
  end
171
171
  expect(pages).to eq([page, page])
172
172
  end
data/spec/arachni/element/capabilities/analyzable/signature_spec.rb CHANGED
@@ -18,7 +18,6 @@ describe Arachni::Element::Capabilities::Analyzable::Signature do
18
18
  end
19
19
 
20
20
  describe '#signature_analysis' do
21
-
22
21
  before do
23
22
  @seed = 'my_seed'
24
23
  Arachni::Framework.reset
@@ -81,7 +80,7 @@ describe Arachni::Element::Capabilities::Analyzable::Signature do
81
80
  end
82
81
  end
83
82
 
84
- context 'String' do
83
+ context 'Regexp' do
85
84
  it 'tries to match the provided pattern' do
86
85
  @positive.signature_analysis(
87
86
  @seed,
@@ -93,6 +92,17 @@ describe Arachni::Element::Capabilities::Analyzable::Signature do
93
92
  expect(issues.first.vector.seed).to eq(@seed)
94
93
  expect(issues.first).to be_trusted
95
94
  end
95
+
96
+ context 'multi-line' do
97
+ it 'raises error' do
98
+ expect do
99
+ @positive.signature_analysis(
100
+ @seed,
101
+ signatures: /ff/m
102
+ )
103
+ end.to raise_error ArgumentError
104
+ end
105
+ end
96
106
  end
97
107
 
98
108
  context 'Array' do
@@ -106,6 +116,17 @@ describe Arachni::Element::Capabilities::Analyzable::Signature do
106
116
  expect(issues.size).to eq(1)
107
117
  expect(issues.first.vector.seed).to eq(@seed)
108
118
  end
119
+
120
+ context 'with multi-line Regexp' do
121
+ it 'raises error' do
122
+ expect do
123
+ @positive.signature_analysis(
124
+ @seed,
125
+ signatures: [/ff/m]
126
+ )
127
+ end.to raise_error ArgumentError
128
+ end
129
+ end
109
130
  end
110
131
 
111
132
  context 'Hash' do
@@ -128,6 +149,28 @@ describe Arachni::Element::Capabilities::Analyzable::Signature do
128
149
  expect(issues[0].signature).to eq(regexps[:windows].source)
129
150
  end
130
151
 
152
+ context 'with multi-line Regexp' do
153
+ it 'raises error' do
154
+ expect do
155
+ @positive.signature_analysis(
156
+ @seed,
157
+ signatures: {
158
+ windows: /ff/m
159
+ }
160
+ )
161
+ end.to raise_error ArgumentError
162
+
163
+ expect do
164
+ @positive.signature_analysis(
165
+ @seed,
166
+ signatures: {
167
+ windows: [/ff/m]
168
+ }
169
+ )
170
+ end.to raise_error ArgumentError
171
+ end
172
+ end
173
+
131
174
  context 'when the payloads are per platform' do
132
175
  it 'only tries to matches the regexps for that platform' do
133
176
  issues = []
@@ -168,7 +211,7 @@ describe Arachni::Element::Capabilities::Analyzable::Signature do
168
211
  end
169
212
  end
170
213
 
171
- context 'when there is not a payload for the regexp platform' do
214
+ context 'when there is not a payload for the platform' do
172
215
  it 'matches against all payload responses and assigns the pattern platform to the issue' do
173
216
  payloads = {
174
217
  windows: "#{@seed} windows",