arachni 1.4 → 1.6.0

Files changed (748)
  1. checksums.yaml +5 -5
  2. data/CHANGELOG.md +195 -0
  3. data/Gemfile +4 -4
  4. data/LICENSE.md +1 -1
  5. data/README.md +7 -3
  6. data/Rakefile +1 -43
  7. data/arachni.gemspec +35 -30
  8. data/bin/arachni +1 -1
  9. data/bin/arachni_console +1 -1
  10. data/bin/arachni_multi +6 -1
  11. data/bin/arachni_reporter +1 -1
  12. data/bin/arachni_reproduce +12 -0
  13. data/bin/arachni_rest_server +1 -1
  14. data/bin/arachni_restore +1 -1
  15. data/bin/arachni_rpc +6 -1
  16. data/bin/arachni_rpcd +1 -1
  17. data/bin/arachni_rpcd_monitor +6 -1
  18. data/bin/arachni_script +1 -1
  19. data/components/checks/active/code_injection.rb +1 -1
  20. data/components/checks/active/code_injection_php_input_wrapper.rb +1 -1
  21. data/components/checks/active/code_injection_timing.rb +1 -1
  22. data/components/checks/active/csrf.rb +20 -75
  23. data/components/checks/active/file_inclusion.rb +1 -1
  24. data/components/checks/active/ldap_injection.rb +1 -1
  25. data/components/checks/active/no_sql_injection.rb +1 -1
  26. data/components/checks/active/no_sql_injection_differential.rb +3 -3
  27. data/components/checks/active/os_cmd_injection.rb +1 -1
  28. data/components/checks/active/os_cmd_injection_timing.rb +1 -1
  29. data/components/checks/active/path_traversal.rb +3 -3
  30. data/components/checks/active/response_splitting.rb +1 -1
  31. data/components/checks/active/rfi.rb +1 -1
  32. data/components/checks/active/session_fixation.rb +1 -1
  33. data/components/checks/active/source_code_disclosure.rb +1 -1
  34. data/components/checks/active/sql_injection/regexps/hsqldb.yaml +1 -0
  35. data/components/checks/active/sql_injection/substrings/hsqldb +1 -0
  36. data/components/checks/active/sql_injection/substrings/java +4 -0
  37. data/components/checks/active/sql_injection/substrings/oracle +0 -1
  38. data/components/checks/active/sql_injection/substrings/sqlite +1 -0
  39. data/components/checks/active/sql_injection.rb +1 -1
  40. data/components/checks/active/sql_injection_differential.rb +3 -3
  41. data/components/checks/active/sql_injection_timing.rb +1 -1
  42. data/components/checks/active/trainer.rb +1 -1
  43. data/components/checks/active/unvalidated_redirect.rb +34 -11
  44. data/components/checks/active/unvalidated_redirect_dom.rb +4 -4
  45. data/components/checks/active/xpath_injection.rb +1 -1
  46. data/components/checks/active/xss.rb +54 -29
  47. data/components/checks/active/xss_dom.rb +15 -11
  48. data/components/checks/active/xss_dom_script_context.rb +4 -6
  49. data/components/checks/active/xss_event.rb +46 -34
  50. data/components/checks/active/xss_path.rb +9 -6
  51. data/components/checks/active/xss_script_context.rb +100 -47
  52. data/components/checks/active/xss_tag.rb +41 -15
  53. data/components/checks/active/xxe.rb +1 -1
  54. data/components/checks/passive/allowed_methods.rb +1 -1
  55. data/components/checks/passive/backdoors.rb +1 -1
  56. data/components/checks/passive/backup_directories.rb +15 -3
  57. data/components/checks/passive/backup_files.rb +39 -6
  58. data/components/checks/passive/common_admin_interfaces/admin-panels.txt +1 -0
  59. data/components/checks/passive/common_admin_interfaces.rb +1 -1
  60. data/components/checks/passive/common_directories/directories.txt +1 -0
  61. data/components/checks/passive/common_directories.rb +1 -1
  62. data/components/checks/passive/common_files.rb +1 -1
  63. data/components/checks/passive/directory_listing.rb +1 -1
  64. data/components/checks/passive/grep/captcha.rb +8 -9
  65. data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +1 -1
  66. data/components/checks/passive/grep/credit_card.rb +1 -1
  67. data/components/checks/passive/grep/cvs_svn_users.rb +1 -1
  68. data/components/checks/passive/grep/emails.rb +1 -1
  69. data/components/checks/passive/grep/form_upload.rb +3 -5
  70. data/components/checks/passive/grep/hsts.rb +1 -1
  71. data/components/checks/passive/grep/html_objects.rb +1 -1
  72. data/components/checks/passive/grep/http_only_cookies.rb +1 -1
  73. data/components/checks/passive/grep/insecure_cookies.rb +5 -5
  74. data/components/checks/passive/grep/insecure_cors_policy.rb +1 -1
  75. data/components/checks/passive/grep/mixed_resource.rb +4 -4
  76. data/components/checks/passive/grep/password_autocomplete.rb +1 -1
  77. data/components/checks/passive/grep/private_ip.rb +1 -1
  78. data/components/checks/passive/grep/ssn.rb +1 -1
  79. data/components/checks/passive/grep/unencrypted_password_forms.rb +3 -3
  80. data/components/checks/passive/grep/x_frame_options.rb +4 -4
  81. data/components/checks/passive/htaccess_limit.rb +1 -1
  82. data/components/checks/passive/http_put.rb +1 -1
  83. data/components/checks/passive/insecure_client_access_policy.rb +2 -2
  84. data/components/checks/passive/insecure_cross_domain_policy_access.rb +2 -2
  85. data/components/checks/passive/insecure_cross_domain_policy_headers.rb +2 -2
  86. data/components/checks/passive/interesting_responses.rb +1 -1
  87. data/components/checks/passive/localstart_asp.rb +1 -1
  88. data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +1 -1
  89. data/components/checks/passive/webdav.rb +1 -1
  90. data/components/checks/passive/xst.rb +10 -12
  91. data/components/fingerprinters/frameworks/aspx_mvc.rb +1 -1
  92. data/components/fingerprinters/frameworks/cakephp.rb +1 -1
  93. data/components/fingerprinters/frameworks/cherrypy.rb +1 -1
  94. data/components/fingerprinters/frameworks/django.rb +1 -1
  95. data/components/fingerprinters/frameworks/jsf.rb +1 -1
  96. data/components/fingerprinters/frameworks/nette.rb +1 -1
  97. data/components/fingerprinters/frameworks/rack.rb +1 -1
  98. data/components/fingerprinters/frameworks/rails.rb +1 -1
  99. data/components/fingerprinters/frameworks/symfony.rb +1 -1
  100. data/components/fingerprinters/languages/asp.rb +1 -1
  101. data/components/fingerprinters/languages/aspx.rb +1 -1
  102. data/components/fingerprinters/languages/java.rb +1 -1
  103. data/components/fingerprinters/languages/php.rb +1 -1
  104. data/components/fingerprinters/languages/python.rb +1 -1
  105. data/components/fingerprinters/languages/ruby.rb +1 -1
  106. data/components/fingerprinters/os/bsd.rb +1 -1
  107. data/components/fingerprinters/os/linux.rb +1 -1
  108. data/components/fingerprinters/os/solaris.rb +1 -1
  109. data/components/fingerprinters/os/unix.rb +1 -1
  110. data/components/fingerprinters/os/windows.rb +1 -1
  111. data/components/fingerprinters/servers/apache.rb +1 -1
  112. data/components/fingerprinters/servers/gunicorn.rb +1 -1
  113. data/components/fingerprinters/servers/iis.rb +1 -1
  114. data/components/fingerprinters/servers/jetty.rb +1 -1
  115. data/components/fingerprinters/servers/nginx.rb +1 -1
  116. data/components/fingerprinters/servers/tomcat.rb +1 -1
  117. data/components/path_extractors/anchors.rb +3 -5
  118. data/components/path_extractors/areas.rb +3 -4
  119. data/components/path_extractors/comments.rb +4 -5
  120. data/components/path_extractors/data_url.rb +4 -5
  121. data/components/path_extractors/forms.rb +3 -4
  122. data/components/path_extractors/frames.rb +3 -5
  123. data/components/path_extractors/generic.rb +3 -1
  124. data/components/path_extractors/links.rb +3 -4
  125. data/components/path_extractors/meta_refresh.rb +11 -17
  126. data/components/path_extractors/scripts.rb +18 -15
  127. data/components/plugins/autologin.rb +3 -2
  128. data/components/plugins/beep_notify.rb +1 -1
  129. data/components/plugins/content_types.rb +1 -1
  130. data/components/plugins/cookie_collector.rb +1 -1
  131. data/components/plugins/debug/browser_cluster_job_monitor.rb +60 -0
  132. data/components/plugins/defaults/autothrottle.rb +1 -1
  133. data/components/plugins/defaults/healthmap.rb +3 -1
  134. data/components/plugins/defaults/meta/remedies/discovery.rb +1 -1
  135. data/components/plugins/defaults/meta/remedies/timing_attacks.rb +1 -1
  136. data/components/plugins/defaults/meta/uniformity.rb +1 -1
  137. data/components/plugins/email_notify.rb +26 -9
  138. data/components/plugins/exec.rb +1 -1
  139. data/components/plugins/form_dicattack.rb +3 -4
  140. data/components/plugins/headers_collector.rb +1 -1
  141. data/components/plugins/http_dicattack.rb +4 -5
  142. data/components/plugins/login_script.rb +2 -2
  143. data/components/plugins/metrics.rb +44 -18
  144. data/components/plugins/page_dump.rb +60 -0
  145. data/components/plugins/proxy/panel/verify_login_sequence.html.erb +1 -1
  146. data/components/plugins/proxy/template_scope.rb +6 -1
  147. data/components/plugins/proxy.rb +44 -31
  148. data/components/plugins/rate_limiter.rb +80 -0
  149. data/components/plugins/restrict_to_dom_state.rb +1 -1
  150. data/components/plugins/script.rb +1 -1
  151. data/components/plugins/uncommon_headers.rb +1 -1
  152. data/components/plugins/vector_collector.rb +1 -1
  153. data/components/plugins/vector_feed.rb +1 -1
  154. data/components/plugins/waf_detector.rb +3 -3
  155. data/components/plugins/webhook_notify.rb +99 -0
  156. data/components/reporters/ap.rb +1 -1
  157. data/components/reporters/html/default/configuration.erb +2 -0
  158. data/components/reporters/html/default.erb +3 -2
  159. data/components/reporters/html.rb +5 -8
  160. data/components/reporters/json.rb +1 -1
  161. data/components/reporters/marshal.rb +1 -1
  162. data/components/reporters/plugin_formatters/html/autologin.rb +1 -1
  163. data/components/reporters/plugin_formatters/html/content_types.rb +1 -1
  164. data/components/reporters/plugin_formatters/html/cookie_collector.rb +1 -1
  165. data/components/reporters/plugin_formatters/html/exec.rb +1 -1
  166. data/components/reporters/plugin_formatters/html/form_dicattack.rb +1 -1
  167. data/components/reporters/plugin_formatters/html/healthmap.rb +1 -1
  168. data/components/reporters/plugin_formatters/html/http_dicattack.rb +1 -1
  169. data/components/reporters/plugin_formatters/html/login_script.rb +1 -1
  170. data/components/reporters/plugin_formatters/html/metrics.rb +46 -1
  171. data/components/reporters/plugin_formatters/html/uncommon_headers.rb +1 -1
  172. data/components/reporters/plugin_formatters/html/uniformity.rb +1 -1
  173. data/components/reporters/plugin_formatters/html/vector_collector.rb +1 -1
  174. data/components/reporters/plugin_formatters/html/waf_detector.rb +1 -1
  175. data/components/reporters/plugin_formatters/stdout/autologin.rb +1 -1
  176. data/components/reporters/plugin_formatters/stdout/content_types.rb +1 -1
  177. data/components/reporters/plugin_formatters/stdout/cookie_collector.rb +1 -1
  178. data/components/reporters/plugin_formatters/stdout/exec.rb +1 -1
  179. data/components/reporters/plugin_formatters/stdout/form_dicattack.rb +1 -1
  180. data/components/reporters/plugin_formatters/stdout/healthmap.rb +1 -1
  181. data/components/reporters/plugin_formatters/stdout/http_dicattack.rb +1 -1
  182. data/components/reporters/plugin_formatters/stdout/login_script.rb +1 -1
  183. data/components/reporters/plugin_formatters/stdout/metrics.rb +11 -1
  184. data/components/reporters/plugin_formatters/stdout/uncommon_headers.rb +1 -1
  185. data/components/reporters/plugin_formatters/stdout/uniformity.rb +1 -1
  186. data/components/reporters/plugin_formatters/stdout/vector_collector.rb +1 -1
  187. data/components/reporters/plugin_formatters/stdout/waf_detector.rb +1 -1
  188. data/components/reporters/plugin_formatters/xml/autologin.rb +1 -1
  189. data/components/reporters/plugin_formatters/xml/content_types.rb +10 -7
  190. data/components/reporters/plugin_formatters/xml/cookie_collector.rb +6 -3
  191. data/components/reporters/plugin_formatters/xml/exec.rb +1 -1
  192. data/components/reporters/plugin_formatters/xml/form_dicattack.rb +1 -1
  193. data/components/reporters/plugin_formatters/xml/healthmap.rb +1 -1
  194. data/components/reporters/plugin_formatters/xml/http_dicattack.rb +1 -1
  195. data/components/reporters/plugin_formatters/xml/login_script.rb +1 -1
  196. data/components/reporters/plugin_formatters/xml/metrics.rb +1 -1
  197. data/components/reporters/plugin_formatters/xml/uncommon_headers.rb +5 -2
  198. data/components/reporters/plugin_formatters/xml/uniformity.rb +1 -1
  199. data/components/reporters/plugin_formatters/xml/vector_collector.rb +8 -5
  200. data/components/reporters/plugin_formatters/xml/waf_detector.rb +1 -1
  201. data/components/reporters/stdout.rb +3 -2
  202. data/components/reporters/txt.rb +1 -1
  203. data/components/reporters/xml/schema.xsd +29 -13
  204. data/components/reporters/xml.rb +40 -23
  205. data/components/reporters/yaml.rb +1 -1
  206. data/config/write_paths.yml +4 -0
  207. data/lib/arachni/banner.rb +1 -1
  208. data/lib/arachni/browser/element_locator.rb +9 -5
  209. data/lib/arachni/browser/javascript/dom_monitor.rb +1 -1
  210. data/lib/arachni/browser/javascript/proxy/stub.rb +1 -1
  211. data/lib/arachni/browser/javascript/proxy.rb +1 -1
  212. data/lib/arachni/browser/javascript/scripts/dom_monitor.js +329 -72
  213. data/lib/arachni/browser/javascript/scripts/polyfills.js +0 -28
  214. data/lib/arachni/browser/javascript/scripts/taint_tracer.js +81 -25
  215. data/lib/arachni/browser/javascript/taint_tracer/frame/called_function.rb +1 -1
  216. data/lib/arachni/browser/javascript/taint_tracer/frame.rb +1 -1
  217. data/lib/arachni/browser/javascript/taint_tracer/sink/base.rb +1 -1
  218. data/lib/arachni/browser/javascript/taint_tracer/sink/data_flow.rb +1 -1
  219. data/lib/arachni/browser/javascript/taint_tracer/sink/execution_flow.rb +1 -1
  220. data/lib/arachni/browser/javascript/taint_tracer.rb +1 -1
  221. data/lib/arachni/browser/javascript.rb +111 -198
  222. data/lib/arachni/browser.rb +309 -382
  223. data/lib/arachni/browser_cluster/job/result.rb +1 -1
  224. data/lib/arachni/browser_cluster/job.rb +9 -2
  225. data/lib/arachni/browser_cluster/jobs/browser_provider.rb +8 -2
  226. data/lib/arachni/browser_cluster/jobs/dom_exploration/event_trigger/result.rb +1 -1
  227. data/lib/arachni/browser_cluster/jobs/dom_exploration/event_trigger.rb +1 -1
  228. data/lib/arachni/browser_cluster/jobs/dom_exploration/result.rb +1 -1
  229. data/lib/arachni/browser_cluster/jobs/dom_exploration.rb +13 -1
  230. data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger/result.rb +1 -1
  231. data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +1 -1
  232. data/lib/arachni/browser_cluster/jobs/taint_trace/result.rb +1 -1
  233. data/lib/arachni/browser_cluster/jobs/taint_trace.rb +1 -1
  234. data/lib/arachni/browser_cluster/worker.rb +97 -87
  235. data/lib/arachni/browser_cluster.rb +79 -62
  236. data/lib/arachni/check/auditor.rb +161 -155
  237. data/lib/arachni/check/base.rb +1 -1
  238. data/lib/arachni/check/manager.rb +1 -1
  239. data/lib/arachni/check.rb +1 -1
  240. data/lib/arachni/component/base.rb +3 -1
  241. data/lib/arachni/component/manager.rb +1 -1
  242. data/lib/arachni/component/options/address.rb +1 -1
  243. data/lib/arachni/component/options/base.rb +1 -1
  244. data/lib/arachni/component/options/bool.rb +1 -1
  245. data/lib/arachni/component/options/float.rb +1 -1
  246. data/lib/arachni/component/options/int.rb +1 -1
  247. data/lib/arachni/component/options/multiple_choice.rb +1 -1
  248. data/lib/arachni/component/options/object.rb +1 -1
  249. data/lib/arachni/component/options/path.rb +1 -1
  250. data/lib/arachni/component/options/port.rb +1 -1
  251. data/lib/arachni/component/options/string.rb +1 -1
  252. data/lib/arachni/component/options/url.rb +1 -1
  253. data/lib/arachni/component/options.rb +1 -1
  254. data/lib/arachni/component/output.rb +8 -2
  255. data/lib/arachni/component/utilities.rb +1 -1
  256. data/lib/arachni/component.rb +1 -1
  257. data/lib/arachni/data/framework/rpc.rb +2 -2
  258. data/lib/arachni/data/framework.rb +3 -2
  259. data/lib/arachni/data/issues.rb +1 -1
  260. data/lib/arachni/data/plugins.rb +1 -1
  261. data/lib/arachni/data/session.rb +1 -1
  262. data/lib/arachni/data.rb +1 -1
  263. data/lib/arachni/element/base.rb +1 -1
  264. data/lib/arachni/element/body.rb +1 -1
  265. data/lib/arachni/element/capabilities/analyzable/differential.rb +142 -175
  266. data/lib/arachni/element/capabilities/analyzable/signature.rb +40 -18
  267. data/lib/arachni/element/capabilities/analyzable/timeout.rb +1 -1
  268. data/lib/arachni/element/capabilities/analyzable.rb +1 -1
  269. data/lib/arachni/element/capabilities/auditable/buffered.rb +92 -0
  270. data/lib/arachni/element/capabilities/auditable/line_buffered.rb +103 -0
  271. data/lib/arachni/element/capabilities/auditable.rb +2 -8
  272. data/lib/arachni/element/capabilities/dom_only.rb +1 -1
  273. data/lib/arachni/element/capabilities/inputtable.rb +6 -2
  274. data/lib/arachni/element/capabilities/mutable.rb +1 -1
  275. data/lib/arachni/element/capabilities/refreshable.rb +1 -1
  276. data/lib/arachni/element/capabilities/submittable.rb +1 -1
  277. data/lib/arachni/element/capabilities/with_auditor/output.rb +4 -3
  278. data/lib/arachni/element/capabilities/with_auditor.rb +1 -1
  279. data/lib/arachni/element/capabilities/with_dom.rb +1 -1
  280. data/lib/arachni/element/capabilities/with_node.rb +3 -3
  281. data/lib/arachni/element/capabilities/with_scope/scope.rb +1 -1
  282. data/lib/arachni/element/capabilities/with_scope.rb +1 -1
  283. data/lib/arachni/element/capabilities/with_source.rb +2 -2
  284. data/lib/arachni/element/cookie/capabilities/inputtable.rb +1 -1
  285. data/lib/arachni/element/cookie/capabilities/mutable.rb +1 -1
  286. data/lib/arachni/element/cookie/capabilities/with_dom.rb +1 -1
  287. data/lib/arachni/element/cookie/dom.rb +1 -1
  288. data/lib/arachni/element/cookie.rb +49 -24
  289. data/lib/arachni/element/dom/capabilities/auditable.rb +44 -3
  290. data/lib/arachni/element/dom/capabilities/inputtable.rb +1 -1
  291. data/lib/arachni/element/dom/capabilities/locatable.rb +1 -1
  292. data/lib/arachni/element/dom/capabilities/mutable.rb +7 -3
  293. data/lib/arachni/element/dom/capabilities/submittable.rb +51 -22
  294. data/lib/arachni/element/dom.rb +1 -1
  295. data/lib/arachni/element/form/capabilities/auditable.rb +1 -1
  296. data/lib/arachni/element/form/capabilities/mutable.rb +16 -11
  297. data/lib/arachni/element/form/capabilities/submittable.rb +1 -1
  298. data/lib/arachni/element/form/capabilities/with_dom.rb +1 -1
  299. data/lib/arachni/element/form/dom.rb +1 -1
  300. data/lib/arachni/element/form.rb +21 -32
  301. data/lib/arachni/element/generic_dom.rb +1 -1
  302. data/lib/arachni/element/header/capabilities/inputtable.rb +1 -1
  303. data/lib/arachni/element/header/capabilities/mutable.rb +1 -1
  304. data/lib/arachni/element/header.rb +3 -1
  305. data/lib/arachni/element/json/capabilities/inputtable.rb +1 -1
  306. data/lib/arachni/element/json/capabilities/mutable.rb +1 -1
  307. data/lib/arachni/element/json.rb +4 -8
  308. data/lib/arachni/element/link/capabilities/auditable.rb +1 -1
  309. data/lib/arachni/element/link/capabilities/submittable.rb +1 -1
  310. data/lib/arachni/element/link/capabilities/with_dom.rb +1 -1
  311. data/lib/arachni/element/link/dom/capabilities/submittable.rb +1 -1
  312. data/lib/arachni/element/link/dom.rb +1 -1
  313. data/lib/arachni/element/link.rb +11 -30
  314. data/lib/arachni/element/link_template/capabilities/auditable.rb +1 -1
  315. data/lib/arachni/element/link_template/capabilities/inputtable.rb +1 -1
  316. data/lib/arachni/element/link_template/capabilities/with_dom.rb +1 -1
  317. data/lib/arachni/element/link_template/dom/capabilities/submittable.rb +1 -1
  318. data/lib/arachni/element/link_template/dom.rb +2 -2
  319. data/lib/arachni/element/link_template.rb +10 -19
  320. data/lib/arachni/element/nested_cookie/capabilities/submittable.rb +35 -0
  321. data/lib/arachni/element/nested_cookie.rb +370 -0
  322. data/lib/arachni/element/path.rb +1 -1
  323. data/lib/arachni/element/server.rb +11 -11
  324. data/lib/arachni/element/ui_form/dom.rb +1 -1
  325. data/lib/arachni/element/ui_form.rb +5 -6
  326. data/lib/arachni/element/ui_input/dom.rb +1 -1
  327. data/lib/arachni/element/ui_input.rb +4 -6
  328. data/lib/arachni/element/xml/capabilities/inputtable.rb +1 -1
  329. data/lib/arachni/element/xml/capabilities/mutable.rb +1 -1
  330. data/lib/arachni/element/xml.rb +3 -7
  331. data/lib/arachni/element_filter.rb +1 -1
  332. data/lib/arachni/error.rb +1 -1
  333. data/lib/arachni/ethon/easy.rb +1 -1
  334. data/lib/arachni/framework/parts/audit.rb +6 -1
  335. data/lib/arachni/framework/parts/browser.rb +14 -14
  336. data/lib/arachni/framework/parts/check.rb +1 -1
  337. data/lib/arachni/framework/parts/data.rb +1 -1
  338. data/lib/arachni/framework/parts/platform.rb +1 -1
  339. data/lib/arachni/framework/parts/plugin.rb +1 -1
  340. data/lib/arachni/framework/parts/report.rb +3 -3
  341. data/lib/arachni/framework/parts/scope.rb +1 -1
  342. data/lib/arachni/framework/parts/state.rb +1 -1
  343. data/lib/arachni/framework.rb +1 -1
  344. data/lib/arachni/http/client/dynamic_404_handler.rb +74 -16
  345. data/lib/arachni/http/client.rb +38 -11
  346. data/lib/arachni/http/cookie_jar.rb +13 -8
  347. data/lib/arachni/http/headers.rb +11 -5
  348. data/lib/arachni/http/message/scope.rb +1 -1
  349. data/lib/arachni/http/message.rb +10 -9
  350. data/lib/arachni/http/proxy_server/connection.rb +110 -82
  351. data/lib/arachni/http/proxy_server/ssl-interceptor-cacert.pem +18 -32
  352. data/lib/arachni/http/proxy_server/ssl-interceptor-cakey.pem +28 -49
  353. data/lib/arachni/http/proxy_server/ssl_interceptor.rb +8 -6
  354. data/lib/arachni/http/proxy_server/tunnel.rb +4 -4
  355. data/lib/arachni/http/proxy_server.rb +44 -11
  356. data/lib/arachni/http/request/scope.rb +1 -1
  357. data/lib/arachni/http/request.rb +239 -41
  358. data/lib/arachni/http/response/scope.rb +1 -1
  359. data/lib/arachni/http/response.rb +73 -10
  360. data/lib/arachni/http.rb +1 -1
  361. data/lib/arachni/issue/severity/base.rb +1 -1
  362. data/lib/arachni/issue/severity.rb +1 -1
  363. data/lib/arachni/issue.rb +42 -14
  364. data/lib/arachni/option_group.rb +1 -1
  365. data/lib/arachni/option_groups/audit.rb +11 -2
  366. data/lib/arachni/option_groups/browser_cluster.rb +32 -4
  367. data/lib/arachni/option_groups/datastore.rb +1 -1
  368. data/lib/arachni/option_groups/dispatcher.rb +1 -1
  369. data/lib/arachni/option_groups/http.rb +39 -10
  370. data/lib/arachni/option_groups/input.rb +1 -1
  371. data/lib/arachni/option_groups/output.rb +1 -1
  372. data/lib/arachni/option_groups/paths.rb +12 -1
  373. data/lib/arachni/option_groups/rpc.rb +1 -1
  374. data/lib/arachni/option_groups/scope.rb +58 -4
  375. data/lib/arachni/option_groups/session.rb +1 -1
  376. data/lib/arachni/option_groups/snapshot.rb +1 -1
  377. data/lib/arachni/option_groups.rb +1 -1
  378. data/lib/arachni/options.rb +23 -4
  379. data/lib/arachni/page/dom/transition.rb +5 -2
  380. data/lib/arachni/page/dom.rb +46 -54
  381. data/lib/arachni/page/scope.rb +1 -1
  382. data/lib/arachni/page.rb +10 -8
  383. data/lib/arachni/parser/document.rb +34 -0
  384. data/lib/arachni/parser/extractors/base.rb +48 -0
  385. data/lib/arachni/parser/nodes/base.rb +22 -0
  386. data/lib/arachni/parser/nodes/comment.rb +32 -0
  387. data/lib/arachni/parser/nodes/element/with_attributes/attributes.rb +31 -0
  388. data/lib/arachni/parser/nodes/element/with_attributes.rb +35 -0
  389. data/lib/arachni/parser/nodes/element.rb +48 -0
  390. data/lib/arachni/parser/nodes/text.rb +32 -0
  391. data/lib/arachni/parser/nodes/with_value.rb +29 -0
  392. data/lib/arachni/parser/sax.rb +76 -0
  393. data/lib/arachni/parser/with_children/search.rb +92 -0
  394. data/lib/arachni/parser/with_children.rb +35 -0
  395. data/lib/arachni/parser.rb +181 -78
  396. data/lib/arachni/platform/fingerprinter.rb +1 -1
  397. data/lib/arachni/platform/list.rb +1 -1
  398. data/lib/arachni/platform/manager.rb +2 -2
  399. data/lib/arachni/platform.rb +1 -1
  400. data/lib/arachni/plugin/base.rb +2 -2
  401. data/lib/arachni/plugin/formatter.rb +1 -1
  402. data/lib/arachni/plugin/manager.rb +8 -5
  403. data/lib/arachni/plugin.rb +1 -1
  404. data/lib/arachni/processes/dispatchers.rb +1 -1
  405. data/lib/arachni/processes/executables/base.rb +2 -1
  406. data/lib/arachni/processes/executables/browser.rb +0 -2
  407. data/lib/arachni/processes/helpers/dispatchers.rb +1 -1
  408. data/lib/arachni/processes/helpers/instances.rb +1 -1
  409. data/lib/arachni/processes/helpers/processes.rb +1 -1
  410. data/lib/arachni/processes/helpers.rb +1 -1
  411. data/lib/arachni/processes/instances.rb +1 -1
  412. data/lib/arachni/processes/manager.rb +18 -9
  413. data/lib/arachni/processes.rb +1 -1
  414. data/lib/arachni/report.rb +8 -1
  415. data/lib/arachni/reporter/base.rb +1 -1
  416. data/lib/arachni/reporter/formatter_manager.rb +1 -1
  417. data/lib/arachni/reporter/manager.rb +1 -1
  418. data/lib/arachni/reporter/options.rb +1 -10
  419. data/lib/arachni/reporter.rb +1 -1
  420. data/lib/arachni/rest/server/instance_helpers.rb +10 -1
  421. data/lib/arachni/rest/server.rb +13 -1
  422. data/lib/arachni/rpc/client/base.rb +1 -1
  423. data/lib/arachni/rpc/client/dispatcher.rb +1 -1
  424. data/lib/arachni/rpc/client/instance/framework.rb +1 -1
  425. data/lib/arachni/rpc/client/instance/service.rb +1 -1
  426. data/lib/arachni/rpc/client/instance.rb +1 -1
  427. data/lib/arachni/rpc/serializer.rb +1 -1
  428. data/lib/arachni/rpc/server/active_options.rb +1 -1
  429. data/lib/arachni/rpc/server/base.rb +1 -1
  430. data/lib/arachni/rpc/server/check/manager.rb +1 -1
  431. data/lib/arachni/rpc/server/dispatcher/node.rb +1 -1
  432. data/lib/arachni/rpc/server/dispatcher/service.rb +1 -1
  433. data/lib/arachni/rpc/server/dispatcher.rb +1 -1
  434. data/lib/arachni/rpc/server/framework/distributor.rb +1 -1
  435. data/lib/arachni/rpc/server/framework/master.rb +1 -1
  436. data/lib/arachni/rpc/server/framework/multi_instance.rb +1 -1
  437. data/lib/arachni/rpc/server/framework/slave.rb +1 -1
  438. data/lib/arachni/rpc/server/framework.rb +1 -1
  439. data/lib/arachni/rpc/server/instance.rb +1 -1
  440. data/lib/arachni/rpc/server/output.rb +1 -1
  441. data/lib/arachni/rpc/server/plugin/manager.rb +1 -1
  442. data/lib/arachni/ruby/array.rb +1 -1
  443. data/lib/arachni/ruby/hash.rb +1 -1
  444. data/lib/arachni/ruby/object.rb +1 -1
  445. data/lib/arachni/ruby/set.rb +1 -1
  446. data/lib/arachni/ruby/string.rb +9 -5
  447. data/lib/arachni/ruby/webrick/cookie.rb +1 -1
  448. data/lib/arachni/ruby/webrick/httprequest.rb +1 -1
  449. data/lib/arachni/ruby/webrick.rb +1 -1
  450. data/lib/arachni/ruby.rb +1 -1
  451. data/lib/arachni/scope.rb +1 -1
  452. data/lib/arachni/selenium/webdriver/element.rb +4 -4
  453. data/lib/arachni/selenium/webdriver/remote/typhoeus.rb +59 -0
  454. data/lib/arachni/session.rb +32 -13
  455. data/lib/arachni/snapshot.rb +2 -2
  456. data/lib/arachni/state/audit.rb +1 -1
  457. data/lib/arachni/state/element_filter.rb +1 -1
  458. data/lib/arachni/state/framework/rpc.rb +1 -1
  459. data/lib/arachni/state/framework.rb +1 -1
  460. data/lib/arachni/state/http.rb +2 -2
  461. data/lib/arachni/state/options.rb +1 -1
  462. data/lib/arachni/state/plugins.rb +1 -1
  463. data/lib/arachni/state.rb +1 -1
  464. data/lib/arachni/support/buffer/autoflush.rb +1 -1
  465. data/lib/arachni/support/buffer/base.rb +1 -1
  466. data/lib/arachni/support/buffer.rb +1 -1
  467. data/lib/arachni/support/cache/base.rb +1 -1
  468. data/lib/arachni/support/cache/least_cost_replacement.rb +1 -1
  469. data/lib/arachni/support/cache/least_recently_pushed.rb +1 -1
  470. data/lib/arachni/support/cache/least_recently_used.rb +1 -1
  471. data/lib/arachni/support/cache/preference.rb +1 -1
  472. data/lib/arachni/support/cache/random_replacement.rb +1 -1
  473. data/lib/arachni/support/cache.rb +1 -1
  474. data/lib/arachni/support/crypto/rsa_aes_cbc.rb +1 -1
  475. data/lib/arachni/support/crypto.rb +1 -1
  476. data/lib/arachni/support/database/base.rb +16 -10
  477. data/lib/arachni/support/database/hash.rb +1 -1
  478. data/lib/arachni/support/database/queue.rb +1 -1
  479. data/lib/arachni/support/database.rb +1 -1
  480. data/lib/arachni/support/glob.rb +1 -1
  481. data/lib/arachni/support/lookup/base.rb +1 -1
  482. data/lib/arachni/support/lookup/hash_set.rb +1 -1
  483. data/lib/arachni/support/lookup/moolb.rb +1 -1
  484. data/lib/arachni/support/lookup.rb +1 -1
  485. data/lib/arachni/support/mixins/observable.rb +1 -1
  486. data/lib/arachni/support/mixins/terminal.rb +1 -1
  487. data/lib/arachni/support/mixins.rb +1 -1
  488. data/lib/arachni/support/profiler.rb +52 -13
  489. data/lib/arachni/support/signature.rb +18 -6
  490. data/lib/arachni/support.rb +1 -1
  491. data/lib/arachni/trainer.rb +55 -39
  492. data/lib/arachni/ui/foo/output.rb +1 -1
  493. data/lib/arachni/uri/scope.rb +15 -13
  494. data/lib/arachni/uri.rb +129 -103
  495. data/lib/arachni/utilities.rb +10 -10
  496. data/lib/arachni/version.rb +1 -1
  497. data/lib/arachni.rb +1 -7
  498. data/lib/version +1 -1
  499. data/spec/arachni/browser/element_locator_spec.rb +42 -18
  500. data/spec/arachni/browser/javascript/dom_monitor_spec.rb +264 -109
  501. data/spec/arachni/browser/javascript/polyfills_spec.rb +0 -15
  502. data/spec/arachni/browser/javascript/proxy_spec.rb +0 -10
  503. data/spec/arachni/browser/javascript/taint_tracer_spec.rb +43 -118
  504. data/spec/arachni/browser/javascript_spec.rb +95 -60
  505. data/spec/arachni/browser_cluster/job_spec.rb +23 -8
  506. data/spec/arachni/browser_cluster/jobs/dom_exploration_spec.rb +6 -1
  507. data/spec/arachni/browser_cluster/worker_spec.rb +29 -87
  508. data/spec/arachni/browser_cluster_spec.rb +124 -43
  509. data/spec/arachni/browser_spec.rb +463 -421
  510. data/spec/arachni/check/auditor_spec.rb +162 -198
  511. data/spec/arachni/data/framework/rpc_spec.rb +1 -1
  512. data/spec/arachni/data/framework_spec.rb +1 -1
  513. data/spec/arachni/element/capabilities/analyzable/signature_spec.rb +46 -3
  514. data/spec/arachni/element/cookie/dom_spec.rb +1 -1
  515. data/spec/arachni/element/cookie_spec.rb +159 -64
  516. data/spec/arachni/element/form/dom_spec.rb +1 -1
  517. data/spec/arachni/element/form_spec.rb +101 -54
  518. data/spec/arachni/element/header_spec.rb +3 -1
  519. data/spec/arachni/element/json_spec.rb +2 -0
  520. data/spec/arachni/element/link/dom_spec.rb +2 -2
  521. data/spec/arachni/element/link_spec.rb +46 -15
  522. data/spec/arachni/element/link_template/dom_spec.rb +1 -1
  523. data/spec/arachni/element/link_template_spec.rb +36 -12
  524. data/spec/arachni/element/nested_cookie_spec.rb +687 -0
  525. data/spec/arachni/element/server_spec.rb +22 -5
  526. data/spec/arachni/element/ui_form/dom_spec.rb +1 -1
  527. data/spec/arachni/element/ui_form_spec.rb +2 -2
  528. data/spec/arachni/element/ui_input/dom_spec.rb +1 -1
  529. data/spec/arachni/element/ui_input_spec.rb +1 -1
  530. data/spec/arachni/element/xml_spec.rb +5 -3
  531. data/spec/arachni/framework/parts/audit_spec.rb +2 -14
  532. data/spec/arachni/framework/parts/data_spec.rb +0 -6
  533. data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +126 -0
  534. data/spec/arachni/http/client_spec.rb +96 -36
  535. data/spec/arachni/http/cookie_jar_spec.rb +2 -2
  536. data/spec/arachni/http/headers_spec.rb +59 -12
  537. data/spec/arachni/http/proxy_server_spec.rb +58 -25
  538. data/spec/arachni/http/request_spec.rb +382 -35
  539. data/spec/arachni/http/response_spec.rb +135 -7
  540. data/spec/arachni/issue_spec.rb +21 -2
  541. data/spec/arachni/option_groups/browser_cluster_spec.rb +17 -0
  542. data/spec/arachni/option_groups/http_spec.rb +21 -6
  543. data/spec/arachni/option_groups/paths_spec.rb +23 -1
  544. data/spec/arachni/option_groups/scope_spec.rb +27 -7
  545. data/spec/arachni/options_spec.rb +8 -1
  546. data/spec/arachni/page/dom_spec.rb +20 -6
  547. data/spec/arachni/page_spec.rb +8 -7
  548. data/spec/arachni/parser/document_spec.rb +49 -0
  549. data/spec/arachni/parser/nodes/comment_spec.rb +24 -0
  550. data/spec/arachni/parser/nodes/element/with_attributes/attributes_spec.rb +40 -0
  551. data/spec/arachni/parser/nodes/element/with_attributes_spec.rb +50 -0
  552. data/spec/arachni/parser/nodes/element_spec.rb +18 -0
  553. data/spec/arachni/parser/nodes/text_spec.rb +24 -0
  554. data/spec/arachni/parser/sax_spec.rb +88 -0
  555. data/spec/arachni/parser/with_children/search_spec.rb +146 -0
  556. data/spec/arachni/parser/with_children_spec.rb +37 -0
  557. data/spec/arachni/parser_spec.rb +211 -27
  558. data/spec/arachni/platform/list_spec.rb +1 -2
  559. data/spec/arachni/report_spec.rb +9 -2
  560. data/spec/arachni/reporter/options_spec.rb +0 -14
  561. data/spec/arachni/rest/server_spec.rb +91 -8
  562. data/spec/arachni/rpc/server/active_options_spec.rb +1 -1
  563. data/spec/arachni/rpc/server/framework/distributor_spec.rb +6 -6
  564. data/spec/arachni/ruby/string_spec.rb +6 -0
  565. data/spec/arachni/session_spec.rb +69 -8
  566. data/spec/arachni/snapshot_spec.rb +1 -1
  567. data/spec/arachni/state/framework_spec.rb +2 -2
  568. data/spec/arachni/support/signature_spec.rb +58 -0
  569. data/spec/arachni/trainer_spec.rb +102 -21
  570. data/spec/arachni/uri_spec.rb +11 -8
  571. data/spec/arachni/utilities_spec.rb +3 -3
  572. data/spec/components/checks/active/code_injection_spec.rb +12 -7
  573. data/spec/components/checks/active/code_injection_timing_spec.rb +4 -3
  574. data/spec/components/checks/active/csrf_spec.rb +1 -21
  575. data/spec/components/checks/active/file_inclusion_spec.rb +15 -10
  576. data/spec/components/checks/active/ldap_injection_spec.rb +5 -4
  577. data/spec/components/checks/active/no_sql_injection_differential_spec.rb +1 -1
  578. data/spec/components/checks/active/no_sql_injection_spec.rb +5 -4
  579. data/spec/components/checks/active/os_cmd_injection_spec.rb +6 -4
  580. data/spec/components/checks/active/os_cmd_injection_timing_spec.rb +4 -3
  581. data/spec/components/checks/active/path_traversal_spec.rb +18 -15
  582. data/spec/components/checks/active/response_splitting_spec.rb +5 -4
  583. data/spec/components/checks/active/rfi_spec.rb +9 -8
  584. data/spec/components/checks/active/source_code_disclosure_spec.rb +33 -10
  585. data/spec/components/checks/active/sql_injection_differential_spec.rb +1 -1
  586. data/spec/components/checks/active/sql_injection_spec.rb +61 -35
  587. data/spec/components/checks/active/sql_injection_timing_spec.rb +11 -8
  588. data/spec/components/checks/active/unvalidated_redirect_spec.rb +9 -8
  589. data/spec/components/checks/active/xpath_injection_spec.rb +5 -4
  590. data/spec/components/checks/active/xss_dom_script_context_spec.rb +6 -10
  591. data/spec/components/checks/active/xss_dom_spec.rb +2 -2
  592. data/spec/components/checks/active/xss_event_spec.rb +11 -3
  593. data/spec/components/checks/active/xss_script_context_spec.rb +8 -7
  594. data/spec/components/checks/active/xss_spec.rb +7 -6
  595. data/spec/components/checks/active/xss_tag_spec.rb +11 -3
  596. data/spec/components/checks/passive/backup_directories_spec.rb +3 -1
  597. data/spec/components/checks/passive/backup_files_spec.rb +4 -1
  598. data/spec/components/checks/passive/grep/insecure_cookies_spec.rb +2 -2
  599. data/spec/components/checks/passive/grep/x_frame_options_spec.rb +6 -0
  600. data/spec/components/path_extractors/comments_spec.rb +3 -1
  601. data/spec/components/path_extractors/data_url_spec.rb +6 -2
  602. data/spec/components/path_extractors/links_spec.rb +1 -1
  603. data/spec/components/plugins/autologin_spec.rb +2 -2
  604. data/spec/components/plugins/webhook_notify_spec.rb +69 -0
  605. data/spec/spec_helper.rb +2 -1
  606. data/spec/support/factories/http/response.rb +1 -1
  607. data/spec/support/factories/issue.rb +1 -2
  608. data/spec/support/factories/page/dom.rb +6 -0
  609. data/spec/support/factories/scan_report.rb +1 -0
  610. data/spec/support/factories/vector.rb +7 -3
  611. data/spec/support/fixtures/check_with_invalid_platforms/with_invalid_platforms.rb +1 -1
  612. data/spec/support/fixtures/checks/test.rb +4 -4
  613. data/spec/support/fixtures/checks/test2.rb +1 -1
  614. data/spec/support/fixtures/checks/test3.rb +1 -1
  615. data/spec/support/fixtures/cookies.txt +2 -2
  616. data/spec/support/fixtures/executables/node.rb +2 -3
  617. data/spec/support/fixtures/fingerprinters/test.rb +1 -1
  618. data/spec/support/fixtures/nested_cookies.txt +11 -0
  619. data/spec/support/fixtures/plugins/bad.rb +1 -1
  620. data/spec/support/fixtures/plugins/defaults/default.rb +1 -1
  621. data/spec/support/fixtures/plugins/distributable.rb +1 -1
  622. data/spec/support/fixtures/plugins/loop.rb +1 -1
  623. data/spec/support/fixtures/plugins/suspendable.rb +1 -1
  624. data/spec/support/fixtures/plugins/wait.rb +1 -1
  625. data/spec/support/fixtures/plugins/with_options.rb +1 -1
  626. data/spec/support/fixtures/plugins_with_priorities/p0.rb +1 -1
  627. data/spec/support/fixtures/plugins_with_priorities/p00.rb +1 -1
  628. data/spec/support/fixtures/plugins_with_priorities/p1.rb +1 -1
  629. data/spec/support/fixtures/plugins_with_priorities/p2.rb +1 -1
  630. data/spec/support/fixtures/plugins_with_priorities/p22.rb +1 -1
  631. data/spec/support/fixtures/plugins_with_priorities/p222.rb +1 -1
  632. data/spec/support/fixtures/plugins_with_priorities/p_nil.rb +1 -1
  633. data/spec/support/fixtures/plugins_with_priorities/p_nil2.rb +1 -1
  634. data/spec/support/fixtures/report.afr +0 -0
  635. data/spec/support/fixtures/reporters/base_spec/plugin_formatters/with_formatters/foobar.rb +1 -1
  636. data/spec/support/fixtures/reporters/base_spec/with_formatters.rb +1 -1
  637. data/spec/support/fixtures/reporters/base_spec/with_outfile.rb +1 -1
  638. data/spec/support/fixtures/reporters/base_spec/without_outfile.rb +1 -1
  639. data/spec/support/fixtures/reporters/manager_spec/afr.rb +1 -1
  640. data/spec/support/fixtures/reporters/manager_spec/error.rb +1 -1
  641. data/spec/support/fixtures/reporters/manager_spec/foo.rb +1 -1
  642. data/spec/support/fixtures/run_check/body.rb +1 -1
  643. data/spec/support/fixtures/run_check/cookies.rb +1 -1
  644. data/spec/support/fixtures/run_check/empty.rb +1 -1
  645. data/spec/support/fixtures/run_check/flch.rb +1 -1
  646. data/spec/support/fixtures/run_check/forms.rb +1 -1
  647. data/spec/support/fixtures/run_check/headers.rb +1 -1
  648. data/spec/support/fixtures/run_check/links.rb +1 -1
  649. data/spec/support/fixtures/run_check/nil.rb +1 -1
  650. data/spec/support/fixtures/run_check/path.rb +1 -1
  651. data/spec/support/fixtures/run_check/server.rb +1 -1
  652. data/spec/support/fixtures/signature_check/signature.rb +1 -1
  653. data/spec/support/fixtures/wait_check/wait.rb +1 -1
  654. data/spec/support/helpers/browser_cluster/jobs/taint_tracer.rb +0 -3
  655. data/spec/support/helpers/framework.rb +1 -1
  656. data/spec/support/helpers/misc.rb +1 -1
  657. data/spec/support/helpers/paths.rb +1 -1
  658. data/spec/support/helpers/requires.rb +1 -1
  659. data/spec/support/helpers/resets.rb +1 -1
  660. data/spec/support/helpers/web_server.rb +1 -1
  661. data/spec/support/lib/factory.rb +1 -1
  662. data/spec/support/lib/web_server_client.rb +1 -1
  663. data/spec/support/lib/web_server_dispatcher.rb +1 -1
  664. data/spec/support/lib/web_server_manager.rb +4 -2
  665. data/spec/support/servers/arachni/browser/javascript/dom_monitor.rb +48 -0
  666. data/spec/support/servers/arachni/browser/javascript/taint_tracer.rb +15 -3
  667. data/spec/support/servers/arachni/browser.rb +275 -4
  668. data/spec/support/servers/arachni/check/auditor.rb +9 -0
  669. data/spec/support/servers/arachni/element/cookie.rb +34 -0
  670. data/spec/support/servers/arachni/element/form/form_dom.rb +1 -0
  671. data/spec/support/servers/arachni/element/form.rb +36 -2
  672. data/spec/support/servers/arachni/element/header.rb +36 -1
  673. data/spec/support/servers/arachni/element/json.rb +33 -0
  674. data/spec/support/servers/arachni/element/link.rb +33 -1
  675. data/spec/support/servers/arachni/element/link_template.rb +37 -5
  676. data/spec/support/servers/arachni/element/nested_cookie.rb +84 -0
  677. data/spec/support/servers/arachni/element/xml.rb +33 -0
  678. data/spec/support/servers/arachni/http/client/dynamic_404_handler.rb +36 -0
  679. data/spec/support/servers/arachni/http/client/dynamic_404_handler_redirect_1.rb +18 -0
  680. data/spec/support/servers/arachni/http/client/dynamic_404_handler_redirect_2.rb +11 -0
  681. data/spec/support/servers/arachni/http/client.rb +43 -4
  682. data/spec/support/servers/arachni/http/proxy_server.rb +12 -0
  683. data/spec/support/servers/arachni/parser.rb +6 -0
  684. data/spec/support/servers/arachni/session.rb +24 -1
  685. data/spec/support/servers/checks/active/code_injection.rb +18 -0
  686. data/spec/support/servers/checks/active/code_injection_timing.rb +18 -0
  687. data/spec/support/servers/checks/active/csrf.rb +0 -76
  688. data/spec/support/servers/checks/active/file_inclusion.rb +19 -1
  689. data/spec/support/servers/checks/active/ldap_injection.rb +18 -0
  690. data/spec/support/servers/checks/active/no_sql_injection.rb +27 -0
  691. data/spec/support/servers/checks/active/no_sql_injection_differential.rb +19 -0
  692. data/spec/support/servers/checks/active/os_cmd_injection.rb +29 -0
  693. data/spec/support/servers/checks/active/os_cmd_injection_timing.rb +18 -1
  694. data/spec/support/servers/checks/active/path_traversal.rb +30 -3
  695. data/spec/support/servers/checks/active/response_splitting.rb +30 -1
  696. data/spec/support/servers/checks/active/rfi.rb +30 -2
  697. data/spec/support/servers/checks/active/session_fixation.rb +1 -3
  698. data/spec/support/servers/checks/active/source_code_disclosure.rb +16 -0
  699. data/spec/support/servers/checks/active/sql_injection/java +2 -0
  700. data/spec/support/servers/checks/active/sql_injection.rb +27 -0
  701. data/spec/support/servers/checks/active/sql_injection_differential.rb +19 -0
  702. data/spec/support/servers/checks/active/sql_injection_timing.rb +19 -1
  703. data/spec/support/servers/checks/active/unvalidated_redirect.rb +121 -1
  704. data/spec/support/servers/checks/active/xpath_injection.rb +27 -0
  705. data/spec/support/servers/checks/active/xss.rb +40 -0
  706. data/spec/support/servers/checks/active/xss_event.rb +23 -2
  707. data/spec/support/servers/checks/active/xss_script_context.rb +18 -0
  708. data/spec/support/servers/checks/active/xss_tag.rb +40 -0
  709. data/spec/support/servers/checks/passive/backup_files.rb +20 -1
  710. data/spec/support/servers/checks/passive/grep/cookie_set_for_parent_domain.rb +3 -5
  711. data/spec/support/servers/checks/passive/grep/insecure_cookies_https.rb +9 -0
  712. data/spec/support/servers/checks/passive/grep/x_frame_options.rb +5 -0
  713. data/spec/support/servers/plugins/autologin.rb +17 -1
  714. data/spec/support/servers/plugins/webhook_notify.rb +9 -0
  715. data/spec/support/shared/check.rb +1 -0
  716. data/spec/support/shared/element/capabilities/auditable/buffered.rb +791 -0
  717. data/spec/support/shared/element/capabilities/auditable/line_buffered.rb +797 -0
  718. data/spec/support/shared/element/capabilities/auditable.rb +28 -34
  719. data/spec/support/shared/element/capabilities/inputtable.rb +26 -0
  720. data/spec/support/shared/element/capabilities/with_node.rb +2 -2
  721. data/spec/support/shared/element/dom/submittable.rb +10 -10
  722. data/spec/support/shared/path_extractor.rb +17 -5
  723. data/ui/cli/framework/option_parser.rb +78 -13
  724. data/ui/cli/framework.rb +29 -8
  725. data/ui/cli/option_parser.rb +1 -1
  726. data/ui/cli/output.rb +10 -3
  727. data/ui/cli/reporter/option_parser.rb +1 -1
  728. data/ui/cli/reporter.rb +1 -1
  729. data/ui/cli/reproduce/option_parser.rb +90 -0
  730. data/ui/cli/reproduce.rb +228 -0
  731. data/ui/cli/rest/server/option_parser.rb +1 -1
  732. data/ui/cli/rest/server.rb +1 -1
  733. data/ui/cli/restored_framework/option_parser.rb +1 -1
  734. data/ui/cli/restored_framework.rb +1 -1
  735. data/ui/cli/rpc/client/dispatcher_monitor/option_parser.rb +1 -1
  736. data/ui/cli/rpc/client/dispatcher_monitor.rb +9 -11
  737. data/ui/cli/rpc/client/instance.rb +7 -4
  738. data/ui/cli/rpc/client/local/option_parser.rb +1 -1
  739. data/ui/cli/rpc/client/local.rb +1 -1
  740. data/ui/cli/rpc/client/remote/option_parser.rb +1 -1
  741. data/ui/cli/rpc/client/remote.rb +1 -1
  742. data/ui/cli/rpc/server/dispatcher/option_parser.rb +1 -1
  743. data/ui/cli/rpc/server/dispatcher.rb +1 -1
  744. data/ui/cli/utilities.rb +1 -1
  745. metadata +178 -79
  746. data/ACKNOWLEDGMENTS.md +0 -21
  747. data/AUTHORS.md +0 -3
  748. data/CONTRIBUTORS.md +0 -22
@@ -83,6 +83,12 @@ describe Arachni::Element::Server do
83
83
  expect(logged_issue.trusted).to be_truthy
84
84
  end
85
85
 
86
+ it 'assigns the extra Issue options' do
87
+ auditable.log_remote_file_if_exists( @base_url + 'true', false, trusted: false )
88
+ @framework.http.run
89
+ expect(Arachni::Data.issues.first).to_not be_trusted
90
+ end
91
+
86
92
  context 'when one issue is logged' do
87
93
  it "does not push the response to the #{Arachni::Trainer}" do
88
94
  auditable.log_remote_file_if_exists( @base_url + 'true' )
@@ -222,11 +228,22 @@ describe Arachni::Element::Server do
222
228
  end
223
229
 
224
230
  context 'when the response is a redirect' do
225
- it 'yields false' do
226
- exists = true
227
- auditable.remote_file_exist?( @base_url + 'redirect' ) { |bool| exists = bool }
228
- @framework.http.run
229
- expect(exists).to be_falsey
231
+ context 'and the final page is found' do
232
+ it 'yields true' do
233
+ exists = true
234
+ auditable.remote_file_exist?( @base_url + 'redirect' ) { |bool| exists = bool }
235
+ @framework.http.run
236
+ expect(exists).to be_truthy
237
+ end
238
+ end
239
+
240
+ context 'and the final page is not found' do
241
+ it 'yields false' do
242
+ exists = true
243
+ auditable.remote_file_exist?( @base_url + 'redirect/not_found' ) { |bool| exists = bool }
244
+ @framework.http.run
245
+ expect(exists).to be_falsey
246
+ end
230
247
  end
231
248
  end
232
249
  end
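Review bot: The new 'yields true' example in the second hunk (new lines 232-237) initialises `exists = true` before calling `remote_file_exist?`, so `expect(exists).to be_truthy` still passes if the block is never invoked. Starting from the opposite value, `exists = false`, makes the example prove that the callback ran and yielded true. This matters more now that a redirect counts as "exists" when the final page is found, because a vacuous pass would hide a regression in how redirected targets are classified. The enclosing `describe` block starts outside the hunk.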
@@ -20,7 +20,7 @@ describe Arachni::Element::UIForm::DOM do
20
20
 
21
21
  def auditable_extract_parameters( page )
22
22
  {
23
- 'my-input' => page.document.css('#container').text.strip
23
+ 'my-input' => Nokogiri::HTML(page.body).css('#container').text.strip
24
24
  }
25
25
  end
26
26
 
@@ -173,7 +173,7 @@ describe Arachni::Element::UIForm do
173
173
 
174
174
  context 'as <input type="button">' do
175
175
  let(:url) { "#{super()}/input-button" }
176
- let(:source) { '<input type="button" id="insert" value="Insert into DOM">' }
176
+ let(:source) { '<input id="insert" type="button" value="Insert into DOM">' }
177
177
 
178
178
  context 'without inputs' do
179
179
  let(:url) { "#{super()}/without-inputs" }
@@ -240,7 +240,7 @@ describe Arachni::Element::UIForm do
240
240
 
241
241
  context 'as <input type="submit">' do
242
242
  let(:url) { "#{super()}/input-submit" }
243
- let(:source) { '<input type="submit" id="insert" value="Insert into DOM">' }
243
+ let(:source) { '<input id="insert" type="submit" value="Insert into DOM">' }
244
244
 
245
245
  context 'without inputs' do
246
246
  let(:url) { "#{super()}/without-inputs" }
@@ -18,7 +18,7 @@ describe Arachni::Element::UIInput::DOM do
18
18
  end
19
19
 
20
20
  def auditable_extract_parameters( page )
21
- { 'my-input' => page.document.css('#container').text.strip }
21
+ { 'my-input' => Nokogiri::HTML(page.body).css('#container').text.strip }
22
22
  end
23
23
 
24
24
  def element
@@ -57,7 +57,7 @@ describe Arachni::Element::UIInput do
57
57
 
58
58
  context 'with events' do
59
59
  let(:url) { "#{super()}/with_events" }
60
- let(:source) { '<input type="text" id="my-input" value="stuff">' }
60
+ let(:source) { '<input id="my-input" type="text" value="stuff">' }
61
61
 
62
62
  it 'returns array of elements' do
63
63
  input = described_class.from_browser( @browser, page ).first
@@ -13,7 +13,9 @@ describe Arachni::Element::XML do
13
13
  it_should_behave_like 'mutable',
14
14
  supports_nulls: false,
15
15
  inputs: described_class.parse_inputs( inputtable_source )
16
- it_should_behave_like 'auditable'
16
+ it_should_behave_like 'auditable', supports_nulls: false
17
+ it_should_behave_like 'buffered_auditable'
18
+ it_should_behave_like 'line_buffered_auditable'
17
19
 
18
20
  before :each do
19
21
  @framework ||= Arachni::Framework.new
@@ -143,7 +145,7 @@ EOXML
143
145
 
144
146
  describe '#to_rpc_data' do
145
147
  it "includes 'source'" do
146
- expect(subject.to_rpc_data['source']).to eq(source)
148
+ expect(subject.to_rpc_data['source']).to eq(source.strip)
147
149
  end
148
150
  end
149
151
 
@@ -162,7 +164,7 @@ EOXML
162
164
  it 'parses a request into an element' do
163
165
  expect(subject.url).to eq(url)
164
166
  expect(subject.action).to eq(request.url)
165
- expect(subject.source).to eq(request.body)
167
+ expect(subject.source).to eq(request.body.strip)
166
168
  expect(subject.method).to eq(request.method)
167
169
  end
168
170
  end
@@ -247,24 +247,12 @@ describe Arachni::Framework::Parts::Audit do
247
247
  f.options.audit.elements :links, :forms, :cookies
248
248
  f.checks.load :signature
249
249
  f.options.scope.dom_depth_limit = 1
250
- expect(f.url_queue_total_size).to eq(0)
251
- expect(f.audit_page( Arachni::Page.from_url( @url + '/with_javascript' ) )).to be_truthy
252
- f.run
253
- expect(f.url_queue_total_size).to eq(3)
254
-
255
- f.reset
256
-
257
- f.options.audit.elements :links, :forms, :cookies
258
- f.checks.load :signature
259
- f.options.scope.dom_depth_limit = 1
260
- expect(f.url_queue_total_size).to eq(0)
261
250
 
262
251
  page = Arachni::Page.from_url( @url + '/with_javascript' )
263
252
  page.dom.push_transition Arachni::Page::DOM::Transition.new( :page, :load )
253
+ page.dom.push_transition Arachni::Page::DOM::Transition.new( :page, :load )
264
254
 
265
- expect(f.audit_page( page )).to be_truthy
266
- f.run
267
- expect(f.url_queue_total_size).to eq(1)
255
+ expect(f.audit_page( page )).to be_falsey
268
256
  end
269
257
  end
270
258
 
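Review bot: The added second `page.dom.push_transition Arachni::Page::DOM::Transition.new( :page, :load )` at new line 253 reads like an accidental duplicate. Presumably it is there to push the page's DOM depth past `f.options.scope.dom_depth_limit = 1` so that `audit_page` returns a falsey value. A comment above it would make that intent explicit, e.g. `# second transition puts the DOM depth over dom_depth_limit`. The within-limit assertions this hunk removes are not replaced here, so the accepted case is no longer exercised in this example. The enclosing `it` starts outside the hunk.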
@@ -26,14 +26,8 @@ describe Arachni::Framework::Parts::Data do
26
26
  let(:page) { Arachni::Page.from_url( @url + '/train/true' ) }
27
27
 
28
28
  it 'pushes it to the page audit queue and returns true' do
29
- subject.options.audit.elements :links, :forms, :cookies
30
- subject.checks.load :signature
31
-
32
29
  expect(subject.page_queue_total_size).to eq(0)
33
30
  expect(subject.push_to_page_queue( page )).to be_truthy
34
- subject.run
35
-
36
- expect(subject.report.issues.size).to eq(1)
37
31
  expect(subject.page_queue_total_size).to be > 0
38
32
  end
39
33
 
@@ -14,6 +14,38 @@ describe Arachni::HTTP::Client::Dynamic404Handler do
14
14
  let(:url) { "#{@url}/" }
15
15
 
16
16
  describe '#_404?' do
17
+ context 'when not dealing with a redirect' do
18
+ context 'to an outside custom 404' do
19
+ it 'returns true' do
20
+ @dynamic_404_handler_redirect_1 =
21
+ web_server_url_for( :dynamic_404_handler_redirect_1 )
22
+
23
+ @dynamic_404_handler_redirect_2 =
24
+ web_server_url_for( :dynamic_404_handler_redirect_2 )
25
+
26
+ Arachni::HTTP::Client.get(
27
+ "#{@dynamic_404_handler_redirect_1}/set-redirect",
28
+ parameters: {
29
+ url: @dynamic_404_handler_redirect_2
30
+ },
31
+ mode: :sync
32
+ )
33
+
34
+ response = client.get(
35
+ @dynamic_404_handler_redirect_1 + '/test/stuff.php',
36
+ follow_location: true,
37
+ mode: :sync
38
+ )
39
+
40
+ bool = false
41
+ subject._404?( response ) { |c_bool| bool = c_bool }
42
+ client.run
43
+
44
+ expect(bool).to be_true
45
+ end
46
+ end
47
+ end
48
+
17
49
  context 'when not dealing with a not-found response' do
18
50
  it 'returns false' do
19
51
  res = nil
@@ -120,6 +152,100 @@ describe Arachni::HTTP::Client::Dynamic404Handler do
120
152
  it 'returns true'
121
153
  end
122
154
  end
155
+
156
+ context 'which ignores anything past the resource name' do
157
+ context 'with a non existent resource' do
158
+ it 'returns true' do
159
+ res = nil
160
+ client.get( url + '/ignore-after-filename/123dd/' ) { |c_res| res = c_res }
161
+ client.run
162
+
163
+ bool = nil
164
+ subject._404?( res ) { |c_bool| bool = c_bool }
165
+ client.run
166
+
167
+ expect(bool).to be_truthy
168
+ end
169
+ end
170
+ end
171
+
172
+ context 'which ignores anything ahead of the resource name' do
173
+ context 'with a non existent resource' do
174
+ it 'returns true' do
175
+ res = nil
176
+ client.get( url + '/ignore-before-filename/fff123/' ) { |c_res| res = c_res }
177
+ client.run
178
+
179
+ bool = nil
180
+ subject._404?( res ) { |c_bool| bool = c_bool }
181
+ client.run
182
+
183
+ expect(bool).to be_truthy
184
+ end
185
+ end
186
+ end
187
+
188
+ context 'when checking for a resource with a name that routes based on dash' do
189
+ context 'and the handler is pre-dash sensitive' do
190
+ context 'and is found' do
191
+ it 'returns false' do
192
+ res = nil
193
+ client.get( url + 'advanced/sensitive-dash/pre/blah-html' ) { |c_res| res = c_res }
194
+ client.run
195
+
196
+ bool = nil
197
+ subject._404?( res ) { |c_bool| bool = c_bool }
198
+ client.run
199
+
200
+ expect(bool).to be_falsey
201
+ end
202
+ end
203
+
204
+ context 'and is not found' do
205
+ it 'returns true' do
206
+ res = nil
207
+ client.get( url + 'advanced/sensitive-dash/pre/blah2-html' ) { |c_res| res = c_res }
208
+ client.run
209
+
210
+ bool = nil
211
+ subject._404?( res ) { |c_bool| bool = c_bool }
212
+ client.run
213
+
214
+ expect(bool).to be_truthy
215
+ end
216
+ end
217
+ end
218
+
219
+ context 'and the handler is post-dash sensitive' do
220
+ context 'and is found' do
221
+ it 'returns false' do
222
+ res = nil
223
+ client.get( url + 'advanced/sensitive-dash/post/blah-html' ) { |c_res| res = c_res }
224
+ client.run
225
+
226
+ bool = nil
227
+ subject._404?( res ) { |c_bool| bool = c_bool }
228
+ client.run
229
+
230
+ expect(bool).to be_falsey
231
+ end
232
+ end
233
+
234
+ context 'and is not found' do
235
+ it 'returns true' do
236
+ res = nil
237
+ client.get( url + 'advanced/sensitive-dash/post/blah-html2' ) { |c_res| res = c_res }
238
+ client.run
239
+
240
+ bool = nil
241
+ subject._404?( res ) { |c_bool| bool = c_bool }
242
+ client.run
243
+
244
+ expect(bool).to be_truthy
245
+ end
246
+ end
247
+ end
248
+ end
123
249
  end
124
250
 
125
251
  context 'when checking for an already checked URL' do
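Review bot: The first added example asserts `expect(bool).to be_true` (new line 44), while every other example in this file uses `be_truthy`/`be_falsey`; under RSpec 3 `be_true` is no longer the truthiness matcher and resolves as a predicate matcher calling `true?`, so this example would likely fail rather than check the result, and `expect(bool).to be_truthy` matches the rest of the file. Its outer context is named 'when not dealing with a redirect' although the example sets up a redirect and requests with `follow_location: true`, so 'when dealing with a redirect' looks intended. In the second hunk the 'returns false' examples (new lines 191-201 and 221-231) start from `bool = nil`, so `be_falsey` passes even if the `_404?` block never runs; `expect(bool).to be false` would tell the two cases apart.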
@@ -137,19 +137,10 @@ describe Arachni::HTTP::Client do
137
137
 
138
138
  describe Arachni::OptionGroups::HTTP do
139
139
  describe '#request_concurrency' do
140
- context 'Integer' do
141
- it 'uses it as a max_concurrency' do
142
- @opts.http.request_concurrency = 34
143
- subject.reset
144
- expect(subject.max_concurrency).to eq(34)
145
- end
146
- end
147
- context 'nil' do
148
- it 'uses a default max concurrency setting' do
149
- @opts.http.request_concurrency = nil
150
- subject.reset
151
- expect(subject.max_concurrency).to eq(Arachni::HTTP::Client::MAX_CONCURRENCY)
152
- end
140
+ it 'uses it as a max_concurrency' do
141
+ @opts.http.request_concurrency = 34
142
+ subject.reset
143
+ expect(subject.max_concurrency).to eq(34)
153
144
  end
154
145
  end
155
146
 
@@ -329,7 +320,7 @@ describe Arachni::HTTP::Client do
329
320
  it 'provides access to default headers' do
330
321
  headers = subject.headers
331
322
  expect(headers['Accept']).to eq('text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8')
332
- expect(headers['User-Agent']).to eq('Arachni/v' + Arachni::VERSION)
323
+ expect(headers['User-Agent']).to include 'Arachni/v' + Arachni::VERSION
333
324
  end
334
325
 
335
326
  context "when #{Arachni::OptionGroups::HTTP}#request_headers is set" do
@@ -398,13 +389,14 @@ describe Arachni::HTTP::Client do
398
389
 
399
390
  context "when #{Arachni::OptionGroups::HTTP}#cookie_string is set" do
400
391
  it 'parses the string and add those cookies to the CookieJar' do
401
- @opts.http.cookie_string = 'my_cookie_name=val1;blah_name=val2; stuff=%25blah; another_name=another_val'
392
+ @opts.http.cookie_string = 'my_cookie_name=val1;path=/my/path,blah_name=val2, stuff=%25blah, another_name=another_val'
402
393
  expect(subject.cookie_jar.cookies).to be_empty
403
394
  subject.reset
404
395
  cookies = subject.cookie_jar.cookies
405
396
  expect(cookies.size).to eq(4)
406
397
  expect(cookies.first.name).to eq('my_cookie_name')
407
398
  expect(cookies.first.value).to eq('val1')
399
+ expect(cookies.first.path).to eq('/my/path')
408
400
  expect(cookies[1].name).to eq('blah_name')
409
401
  expect(cookies[1].value).to eq('val2')
410
402
  expect(cookies[2].name).to eq('stuff')
@@ -417,7 +409,7 @@ describe Arachni::HTTP::Client do
417
409
 
418
410
  describe '#cookies' do
419
411
  it 'returns the current cookies' do
420
- @opts.http.cookie_string = 'my_cookie_name=val1;blah_name=val2; another_name=another_val'
412
+ @opts.http.cookie_string = 'my_cookie_name=val1,blah_name=val2, another_name=another_val'
421
413
  expect(subject.cookie_jar.cookies).to be_empty
422
414
  subject.reset
423
415
  expect(subject.cookies.size).to eq(3)
@@ -567,18 +559,15 @@ describe Arachni::HTTP::Client do
567
559
 
568
560
  describe '#original_max_concurrency' do
569
561
  it 'returns the original max concurrency' do
570
- expect(subject.original_max_concurrency).to eq(20)
562
+ expect(subject.original_max_concurrency).to eq(10)
571
563
  expect(subject.original_max_concurrency).to eq(subject.max_concurrency)
572
564
 
573
- subject.max_concurrency = 10
574
- expect(subject.original_max_concurrency).to eq(20)
565
+ subject.max_concurrency = 5
566
+ expect(subject.original_max_concurrency).to eq(10)
575
567
  end
576
568
  end
577
569
 
578
570
  describe '#max_concurrency' do
579
- it 'defaults to 20' do
580
- expect(subject.max_concurrency).to eq(20)
581
- end
582
571
  it 'respects the http_request_concurrency option' do
583
572
  @opts.http.request_concurrency = 50
584
573
  subject.reset
@@ -611,10 +600,11 @@ describe Arachni::HTTP::Client do
611
600
  it "fills in #{Arachni::HTTP::Request}#headers_string" do
612
601
  host = "#{Arachni::URI(@url).host}:#{Arachni::URI(@url).port}"
613
602
  expect(subject.request( @url, mode: :sync ).request.headers_string).to eq(
614
- "GET / HTTP/1.1\r\nHost: #{host}\r\nAccept-Encoding: gzip, " +
615
- "deflate\r\nUser-Agent: Arachni/v#{Arachni::VERSION}\r\nAccept: text/html," +
603
+ "GET / HTTP/1.1\r\nHost: #{host}\r\nAuthorization: Basic Og==\r\nAccept-Encoding: gzip, " +
604
+ "deflate\r\nUser-Agent: #{Arachni::Options.http.user_agent}\r\nAccept: text/html," +
616
605
  "application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" +
617
- "Accept-Language: en-US,en;q=0.8,he;q=0.6\r\n\r\n"
606
+ "Accept-Language: en-US,en;q=0.8,he;q=0.6\r\n" +
607
+ "X-Arachni-Scan-Seed: #{Arachni::Utilities.random_seed}\r\n\r\n"
618
608
  )
619
609
  end
620
610
 
@@ -629,6 +619,73 @@ describe Arachni::HTTP::Client do
629
619
  ).request.effective_body).to eq("1=%202&%203=4")
630
620
  end
631
621
 
622
+ describe ':on_headers' do
623
+ it 'gets called when headers are available' do
624
+ h = nil
625
+
626
+ subject.request(
627
+ "#{@url}/fast_stream",
628
+ mode: :sync,
629
+ on_headers: proc do |response|
630
+ h = response.to_h
631
+ end
632
+ )
633
+
634
+ expect(h[:code]).to eq 200
635
+ expect(h[:body]).to eq ''
636
+ expect(h[:headers]).to be_any
637
+ end
638
+ end
639
+
640
+ describe ':on_body' do
641
+ it 'gets called with body chunks' do
642
+ chunks = []
643
+
644
+ subject.request(
645
+ "#{@url}/fast_stream",
646
+ mode: :sync,
647
+ on_body: proc do |chunk|
648
+ chunks << chunk
649
+ end
650
+ )
651
+
652
+ expect(chunks.size).to be == 5
653
+ end
654
+ end
655
+
656
+ describe ':on_body_line' do
657
+ it 'gets called with body lines' do
658
+ lines = []
659
+
660
+ subject.request(
661
+ "#{@url}/fast_stream",
662
+ mode: :sync,
663
+ on_body_line: proc do |line|
664
+ lines << line
665
+ end
666
+ )
667
+
668
+ expect(lines.size).to be == 5
669
+ end
670
+ end
671
+
672
+ describe ':on_body_lines' do
673
+ it 'gets called with chunks of body lines' do
674
+ lines = []
675
+
676
+ subject.request(
677
+ "#{@url}/lines/non-stream",
678
+ mode: :sync,
679
+ on_body_lines: proc do |line|
680
+ lines << line
681
+ end
682
+ )
683
+
684
+ expect(lines.size).to be > 1
685
+ expect(lines.size).to be < 500
686
+ end
687
+ end
688
+
632
689
  describe ':fingerprint' do
633
690
  before do
634
691
  Arachni::Platform::Manager.clear
@@ -734,21 +791,21 @@ describe Arachni::HTTP::Client do
734
791
  response_max_size: 0
735
792
  )
736
793
 
737
- expect(r.headers).not_to include 'Content-Type'
794
+ expect(r.headers['Content-Type']).to be_empty
738
795
  expect(r.body).to be_empty
739
796
 
740
797
  r = subject.request( @url + '/http_response_max_size/without_content_length',
741
798
  mode: :sync,
742
799
  response_max_size: 1
743
800
  )
744
- expect(r.headers).not_to include 'Content-Type'
801
+ expect(r.headers['Content-Type']).to be_empty
745
802
  expect(r.body).to be_empty
746
803
 
747
804
  r = subject.request( @url + '/http_response_max_size/without_content_length',
748
805
  mode: :sync,
749
806
  response_max_size: 999999
750
807
  )
751
- expect(r.headers).not_to include 'Content-Type'
808
+ expect(r.headers['Content-Type']).to be_empty
752
809
  expect(r.body).to be_empty
753
810
 
754
811
  r = subject.request( @url + '/http_response_max_size/without_content_length',
@@ -756,7 +813,7 @@ describe Arachni::HTTP::Client do
756
813
  response_max_size: 1000000
757
814
  )
758
815
 
759
- expect(r.headers).not_to include 'Content-Type'
816
+ expect(r.headers['Content-Type']).to be_empty
760
817
  expect(r.body).not_to be_empty
761
818
  end
762
819
  end
@@ -820,7 +877,7 @@ describe Arachni::HTTP::Client do
820
877
  end
821
878
  context 'false' do
822
879
  it 'uses the raw data from the cookie jar' do
823
- @opts.http.cookie_string = 'my_cookie_name="val1";"blah_name"=val2;another_name=another_val'
880
+ @opts.http.cookie_string = 'my_cookie_name="val1","blah_name"=val2,another_name=another_val'
824
881
  expect(subject.cookie_jar.cookies).to be_empty
825
882
  subject.reset
826
883
 
@@ -836,7 +893,7 @@ describe Arachni::HTTP::Client do
836
893
  end
837
894
  context 'when custom cookies are provided' do
838
895
  it 'merges them with the cookie_jar and override it' do
839
- @opts.http.cookie_string = 'my_cookie_name=val1;blah_name=val2;another_name=another_val'
896
+ @opts.http.cookie_string = 'my_cookie_name=val1,blah_name=val2,another_name=another_val'
840
897
  expect(subject.cookie_jar.cookies).to be_empty
841
898
  subject.reset
842
899
 
@@ -857,7 +914,7 @@ describe Arachni::HTTP::Client do
857
914
  end
858
915
  context 'nil' do
859
916
  it 'defaults to false' do
860
- @opts.http.cookie_string = 'my_cookie_name="val1";"blah_name"=val2;another_name=another_val'
917
+ @opts.http.cookie_string = 'my_cookie_name="val1","blah_name"=val2,another_name=another_val'
861
918
  expect(subject.cookie_jar.cookies).to be_empty
862
919
  subject.reset
863
920
 
@@ -1039,7 +1096,7 @@ describe Arachni::HTTP::Client do
1039
1096
 
1040
1097
  describe 'nil' do
1041
1098
  it 'uses te cookies in the CookieJar' do
1042
- @opts.http.cookie_string = 'my_cookie_name=val1;blah_name=val2;another_name=another_val'
1099
+ @opts.http.cookie_string = 'my_cookie_name=val1,blah_name=val2,another_name=another_val'
1043
1100
  expect(subject.cookie_jar.cookies).to be_empty
1044
1101
  subject.reset
1045
1102
 
@@ -1082,7 +1139,7 @@ describe Arachni::HTTP::Client do
1082
1139
  end
1083
1140
 
1084
1141
  it 'merges them with the cookie-jar' do
1085
- @opts.http.cookie_string = 'my_cookie_name=val1;blah_name=val2;another_name=another_val'
1142
+ @opts.http.cookie_string = 'my_cookie_name=val1,blah_name=val2,another_name=another_val'
1086
1143
  expect(subject.cookie_jar.cookies).to be_empty
1087
1144
  subject.reset
1088
1145
 
@@ -1223,10 +1280,13 @@ describe Arachni::HTTP::Client do
1223
1280
  value: 'val2',
1224
1281
  domain: Arachni::URI( @url ).domain
1225
1282
  )
1283
+
1226
1284
  subject.update_cookies( cookies )
1227
1285
  subject.request( @url + '/update_cookies', update_cookies: true )
1228
1286
  subject.run
1229
- expect(subject.cookies.first.value).to eq(cookies.first.value + ' [UPDATED!]')
1287
+
1288
+ cookie = subject.cookies.find { |c| c.value == 'val2 [UPDATED!]'}
1289
+ expect(cookie).to be_truthy
1230
1290
  end
1231
1291
  end
1232
1292
  end
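Review bot: The new lookup hard-codes `'val2 [UPDATED!]'`, which duplicates the fixture value set a few lines above, and when it fails it reports only that `nil` was not truthy. Matching on the collection keeps the link to the fixture, as the removed line did, and prints the values actually found: `expect(subject.cookies.map(&:value)).to include(cookies.first.value + ' [UPDATED!]')`. Dropping the reliance on `subject.cookies.first` is a sound change, since the order of the jar is presumably not guaranteed. The start of the example is outside this hunk.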
@@ -1263,7 +1323,7 @@ describe Arachni::HTTP::Client do
1263
1323
 
1264
1324
  context 'when cookie-jar lookup fails' do
1265
1325
  it 'only uses the given cookies' do
1266
- @opts.http.cookie_string = 'my_cookie_name=val1;blah_name=val2;another_name=another_val'
1326
+ @opts.http.cookie_string = 'my_cookie_name=val1,blah_name=val2,another_name=another_val'
1267
1327
  expect(subject.cookie_jar.cookies).to be_empty
1268
1328
  subject.reset
1269
1329
  expect(subject.cookie_jar.cookies).to be_any
@@ -142,7 +142,7 @@ describe Arachni::HTTP::CookieJar do
142
142
  expect(subject).to be_empty
143
143
 
144
144
  Arachni::Options.url = 'http://test.com'
145
- subject.update( 'some_param=9e4ca2cc0f18a49f7c1881f78bebf7df; path=/; expires=Wed, 02-Oct-2020 23:53:46 GMT; HttpOnly' )
145
+ subject.update( 'some_param=9e4ca2cc0f18a49f7c1881f78bebf7df; path=/; expires=Wed, 02-Oct-2030 23:53:46 GMT; HttpOnly' )
146
146
  expect(subject.cookies.first.name).to eq('some_param')
147
147
  expect(subject.cookies.first.value).to eq('9e4ca2cc0f18a49f7c1881f78bebf7df')
148
148
  end
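Review bot: Moving the fixture's `expires` from 2020 to 2030 only postpones the failure. This example and the identical one in the next hunk (new line 156) will break again once that date passes, presumably because the jar discards expired cookies. Building the attribute from the clock removes the deadline, e.g. `expires=#{(Time.now + 86_400).gmtime.strftime('%a, %d-%b-%Y %H:%M:%S GMT')}` inside a double-quoted string. A short comment beside it, saying that the cookie must be unexpired for `update` to keep it, would also explain why the date matters. Both examples begin outside their hunks.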
@@ -153,7 +153,7 @@ describe Arachni::HTTP::CookieJar do
153
153
  expect(subject).to be_empty
154
154
 
155
155
  Arachni::Options.url = 'http://test.com'
156
- subject.update( 'some_param=9e4ca2cc0f18a49f7c1881f78bebf7df; path=/; expires=Wed, 02-Oct-2020 23:53:46 GMT; HttpOnly' )
156
+ subject.update( 'some_param=9e4ca2cc0f18a49f7c1881f78bebf7df; path=/; expires=Wed, 02-Oct-2030 23:53:46 GMT; HttpOnly' )
157
157
  expect(subject.cookies.first.name).to eq('some_param')
158
158
  expect(subject.cookies.first.value).to eq('9e4ca2cc0f18a49f7c1881f78bebf7df')
159
159
  end