RubyGems - arachni - Versions diffs - 1.4 → 1.6.0 - Mend

arachni 1.4 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (748) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +195 -0
data/Gemfile +4 -4
data/LICENSE.md +1 -1
data/README.md +7 -3
data/Rakefile +1 -43
data/arachni.gemspec +35 -30
data/bin/arachni +1 -1
data/bin/arachni_console +1 -1
data/bin/arachni_multi +6 -1
data/bin/arachni_reporter +1 -1
data/bin/arachni_reproduce +12 -0
data/bin/arachni_rest_server +1 -1
data/bin/arachni_restore +1 -1
data/bin/arachni_rpc +6 -1
data/bin/arachni_rpcd +1 -1
data/bin/arachni_rpcd_monitor +6 -1
data/bin/arachni_script +1 -1
data/components/checks/active/code_injection.rb +1 -1
data/components/checks/active/code_injection_php_input_wrapper.rb +1 -1
data/components/checks/active/code_injection_timing.rb +1 -1
data/components/checks/active/csrf.rb +20 -75
data/components/checks/active/file_inclusion.rb +1 -1
data/components/checks/active/ldap_injection.rb +1 -1
data/components/checks/active/no_sql_injection.rb +1 -1
data/components/checks/active/no_sql_injection_differential.rb +3 -3
data/components/checks/active/os_cmd_injection.rb +1 -1
data/components/checks/active/os_cmd_injection_timing.rb +1 -1
data/components/checks/active/path_traversal.rb +3 -3
data/components/checks/active/response_splitting.rb +1 -1
data/components/checks/active/rfi.rb +1 -1
data/components/checks/active/session_fixation.rb +1 -1
data/components/checks/active/source_code_disclosure.rb +1 -1
data/components/checks/active/sql_injection/regexps/hsqldb.yaml +1 -0
data/components/checks/active/sql_injection/substrings/hsqldb +1 -0
data/components/checks/active/sql_injection/substrings/java +4 -0
data/components/checks/active/sql_injection/substrings/oracle +0 -1
data/components/checks/active/sql_injection/substrings/sqlite +1 -0
data/components/checks/active/sql_injection.rb +1 -1
data/components/checks/active/sql_injection_differential.rb +3 -3
data/components/checks/active/sql_injection_timing.rb +1 -1
data/components/checks/active/trainer.rb +1 -1
data/components/checks/active/unvalidated_redirect.rb +34 -11
data/components/checks/active/unvalidated_redirect_dom.rb +4 -4
data/components/checks/active/xpath_injection.rb +1 -1
data/components/checks/active/xss.rb +54 -29
data/components/checks/active/xss_dom.rb +15 -11
data/components/checks/active/xss_dom_script_context.rb +4 -6
data/components/checks/active/xss_event.rb +46 -34
data/components/checks/active/xss_path.rb +9 -6
data/components/checks/active/xss_script_context.rb +100 -47
data/components/checks/active/xss_tag.rb +41 -15
data/components/checks/active/xxe.rb +1 -1
data/components/checks/passive/allowed_methods.rb +1 -1
data/components/checks/passive/backdoors.rb +1 -1
data/components/checks/passive/backup_directories.rb +15 -3
data/components/checks/passive/backup_files.rb +39 -6
data/components/checks/passive/common_admin_interfaces/admin-panels.txt +1 -0
data/components/checks/passive/common_admin_interfaces.rb +1 -1
data/components/checks/passive/common_directories/directories.txt +1 -0
data/components/checks/passive/common_directories.rb +1 -1
data/components/checks/passive/common_files.rb +1 -1
data/components/checks/passive/directory_listing.rb +1 -1
data/components/checks/passive/grep/captcha.rb +8 -9
data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +1 -1
data/components/checks/passive/grep/credit_card.rb +1 -1
data/components/checks/passive/grep/cvs_svn_users.rb +1 -1
data/components/checks/passive/grep/emails.rb +1 -1
data/components/checks/passive/grep/form_upload.rb +3 -5
data/components/checks/passive/grep/hsts.rb +1 -1
data/components/checks/passive/grep/html_objects.rb +1 -1
data/components/checks/passive/grep/http_only_cookies.rb +1 -1
data/components/checks/passive/grep/insecure_cookies.rb +5 -5
data/components/checks/passive/grep/insecure_cors_policy.rb +1 -1
data/components/checks/passive/grep/mixed_resource.rb +4 -4
data/components/checks/passive/grep/password_autocomplete.rb +1 -1
data/components/checks/passive/grep/private_ip.rb +1 -1
data/components/checks/passive/grep/ssn.rb +1 -1
data/components/checks/passive/grep/unencrypted_password_forms.rb +3 -3
data/components/checks/passive/grep/x_frame_options.rb +4 -4
data/components/checks/passive/htaccess_limit.rb +1 -1
data/components/checks/passive/http_put.rb +1 -1
data/components/checks/passive/insecure_client_access_policy.rb +2 -2
data/components/checks/passive/insecure_cross_domain_policy_access.rb +2 -2
data/components/checks/passive/insecure_cross_domain_policy_headers.rb +2 -2
data/components/checks/passive/interesting_responses.rb +1 -1
data/components/checks/passive/localstart_asp.rb +1 -1
data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +1 -1
data/components/checks/passive/webdav.rb +1 -1
data/components/checks/passive/xst.rb +10 -12
data/components/fingerprinters/frameworks/aspx_mvc.rb +1 -1
data/components/fingerprinters/frameworks/cakephp.rb +1 -1
data/components/fingerprinters/frameworks/cherrypy.rb +1 -1
data/components/fingerprinters/frameworks/django.rb +1 -1
data/components/fingerprinters/frameworks/jsf.rb +1 -1
data/components/fingerprinters/frameworks/nette.rb +1 -1
data/components/fingerprinters/frameworks/rack.rb +1 -1
data/components/fingerprinters/frameworks/rails.rb +1 -1
data/components/fingerprinters/frameworks/symfony.rb +1 -1
data/components/fingerprinters/languages/asp.rb +1 -1
data/components/fingerprinters/languages/aspx.rb +1 -1
data/components/fingerprinters/languages/java.rb +1 -1
data/components/fingerprinters/languages/php.rb +1 -1
data/components/fingerprinters/languages/python.rb +1 -1
data/components/fingerprinters/languages/ruby.rb +1 -1
data/components/fingerprinters/os/bsd.rb +1 -1
data/components/fingerprinters/os/linux.rb +1 -1
data/components/fingerprinters/os/solaris.rb +1 -1
data/components/fingerprinters/os/unix.rb +1 -1
data/components/fingerprinters/os/windows.rb +1 -1
data/components/fingerprinters/servers/apache.rb +1 -1
data/components/fingerprinters/servers/gunicorn.rb +1 -1
data/components/fingerprinters/servers/iis.rb +1 -1
data/components/fingerprinters/servers/jetty.rb +1 -1
data/components/fingerprinters/servers/nginx.rb +1 -1
data/components/fingerprinters/servers/tomcat.rb +1 -1
data/components/path_extractors/anchors.rb +3 -5
data/components/path_extractors/areas.rb +3 -4
data/components/path_extractors/comments.rb +4 -5
data/components/path_extractors/data_url.rb +4 -5
data/components/path_extractors/forms.rb +3 -4
data/components/path_extractors/frames.rb +3 -5
data/components/path_extractors/generic.rb +3 -1
data/components/path_extractors/links.rb +3 -4
data/components/path_extractors/meta_refresh.rb +11 -17
data/components/path_extractors/scripts.rb +18 -15
data/components/plugins/autologin.rb +3 -2
data/components/plugins/beep_notify.rb +1 -1
data/components/plugins/content_types.rb +1 -1
data/components/plugins/cookie_collector.rb +1 -1
data/components/plugins/debug/browser_cluster_job_monitor.rb +60 -0
data/components/plugins/defaults/autothrottle.rb +1 -1
data/components/plugins/defaults/healthmap.rb +3 -1
data/components/plugins/defaults/meta/remedies/discovery.rb +1 -1
data/components/plugins/defaults/meta/remedies/timing_attacks.rb +1 -1
data/components/plugins/defaults/meta/uniformity.rb +1 -1
data/components/plugins/email_notify.rb +26 -9
data/components/plugins/exec.rb +1 -1
data/components/plugins/form_dicattack.rb +3 -4
data/components/plugins/headers_collector.rb +1 -1
data/components/plugins/http_dicattack.rb +4 -5
data/components/plugins/login_script.rb +2 -2
data/components/plugins/metrics.rb +44 -18
data/components/plugins/page_dump.rb +60 -0
data/components/plugins/proxy/panel/verify_login_sequence.html.erb +1 -1
data/components/plugins/proxy/template_scope.rb +6 -1
data/components/plugins/proxy.rb +44 -31
data/components/plugins/rate_limiter.rb +80 -0
data/components/plugins/restrict_to_dom_state.rb +1 -1
data/components/plugins/script.rb +1 -1
data/components/plugins/uncommon_headers.rb +1 -1
data/components/plugins/vector_collector.rb +1 -1
data/components/plugins/vector_feed.rb +1 -1
data/components/plugins/waf_detector.rb +3 -3
data/components/plugins/webhook_notify.rb +99 -0
data/components/reporters/ap.rb +1 -1
data/components/reporters/html/default/configuration.erb +2 -0
data/components/reporters/html/default.erb +3 -2
data/components/reporters/html.rb +5 -8
data/components/reporters/json.rb +1 -1
data/components/reporters/marshal.rb +1 -1
data/components/reporters/plugin_formatters/html/autologin.rb +1 -1
data/components/reporters/plugin_formatters/html/content_types.rb +1 -1
data/components/reporters/plugin_formatters/html/cookie_collector.rb +1 -1
data/components/reporters/plugin_formatters/html/exec.rb +1 -1
data/components/reporters/plugin_formatters/html/form_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/html/healthmap.rb +1 -1
data/components/reporters/plugin_formatters/html/http_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/html/login_script.rb +1 -1
data/components/reporters/plugin_formatters/html/metrics.rb +46 -1
data/components/reporters/plugin_formatters/html/uncommon_headers.rb +1 -1
data/components/reporters/plugin_formatters/html/uniformity.rb +1 -1
data/components/reporters/plugin_formatters/html/vector_collector.rb +1 -1
data/components/reporters/plugin_formatters/html/waf_detector.rb +1 -1
data/components/reporters/plugin_formatters/stdout/autologin.rb +1 -1
data/components/reporters/plugin_formatters/stdout/content_types.rb +1 -1
data/components/reporters/plugin_formatters/stdout/cookie_collector.rb +1 -1
data/components/reporters/plugin_formatters/stdout/exec.rb +1 -1
data/components/reporters/plugin_formatters/stdout/form_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/stdout/healthmap.rb +1 -1
data/components/reporters/plugin_formatters/stdout/http_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/stdout/login_script.rb +1 -1
data/components/reporters/plugin_formatters/stdout/metrics.rb +11 -1
data/components/reporters/plugin_formatters/stdout/uncommon_headers.rb +1 -1
data/components/reporters/plugin_formatters/stdout/uniformity.rb +1 -1
data/components/reporters/plugin_formatters/stdout/vector_collector.rb +1 -1
data/components/reporters/plugin_formatters/stdout/waf_detector.rb +1 -1
data/components/reporters/plugin_formatters/xml/autologin.rb +1 -1
data/components/reporters/plugin_formatters/xml/content_types.rb +10 -7
data/components/reporters/plugin_formatters/xml/cookie_collector.rb +6 -3
data/components/reporters/plugin_formatters/xml/exec.rb +1 -1
data/components/reporters/plugin_formatters/xml/form_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/xml/healthmap.rb +1 -1
data/components/reporters/plugin_formatters/xml/http_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/xml/login_script.rb +1 -1
data/components/reporters/plugin_formatters/xml/metrics.rb +1 -1
data/components/reporters/plugin_formatters/xml/uncommon_headers.rb +5 -2
data/components/reporters/plugin_formatters/xml/uniformity.rb +1 -1
data/components/reporters/plugin_formatters/xml/vector_collector.rb +8 -5
data/components/reporters/plugin_formatters/xml/waf_detector.rb +1 -1
data/components/reporters/stdout.rb +3 -2
data/components/reporters/txt.rb +1 -1
data/components/reporters/xml/schema.xsd +29 -13
data/components/reporters/xml.rb +40 -23
data/components/reporters/yaml.rb +1 -1
data/config/write_paths.yml +4 -0
data/lib/arachni/banner.rb +1 -1
data/lib/arachni/browser/element_locator.rb +9 -5
data/lib/arachni/browser/javascript/dom_monitor.rb +1 -1
data/lib/arachni/browser/javascript/proxy/stub.rb +1 -1
data/lib/arachni/browser/javascript/proxy.rb +1 -1
data/lib/arachni/browser/javascript/scripts/dom_monitor.js +329 -72
data/lib/arachni/browser/javascript/scripts/polyfills.js +0 -28
data/lib/arachni/browser/javascript/scripts/taint_tracer.js +81 -25
data/lib/arachni/browser/javascript/taint_tracer/frame/called_function.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/frame.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/sink/base.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/sink/data_flow.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/sink/execution_flow.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer.rb +1 -1
data/lib/arachni/browser/javascript.rb +111 -198
data/lib/arachni/browser.rb +309 -382
data/lib/arachni/browser_cluster/job/result.rb +1 -1
data/lib/arachni/browser_cluster/job.rb +9 -2
data/lib/arachni/browser_cluster/jobs/browser_provider.rb +8 -2
data/lib/arachni/browser_cluster/jobs/dom_exploration/event_trigger/result.rb +1 -1
data/lib/arachni/browser_cluster/jobs/dom_exploration/event_trigger.rb +1 -1
data/lib/arachni/browser_cluster/jobs/dom_exploration/result.rb +1 -1
data/lib/arachni/browser_cluster/jobs/dom_exploration.rb +13 -1
data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger/result.rb +1 -1
data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +1 -1
data/lib/arachni/browser_cluster/jobs/taint_trace/result.rb +1 -1
data/lib/arachni/browser_cluster/jobs/taint_trace.rb +1 -1
data/lib/arachni/browser_cluster/worker.rb +97 -87
data/lib/arachni/browser_cluster.rb +79 -62
data/lib/arachni/check/auditor.rb +161 -155
data/lib/arachni/check/base.rb +1 -1
data/lib/arachni/check/manager.rb +1 -1
data/lib/arachni/check.rb +1 -1
data/lib/arachni/component/base.rb +3 -1
data/lib/arachni/component/manager.rb +1 -1
data/lib/arachni/component/options/address.rb +1 -1
data/lib/arachni/component/options/base.rb +1 -1
data/lib/arachni/component/options/bool.rb +1 -1
data/lib/arachni/component/options/float.rb +1 -1
data/lib/arachni/component/options/int.rb +1 -1
data/lib/arachni/component/options/multiple_choice.rb +1 -1
data/lib/arachni/component/options/object.rb +1 -1
data/lib/arachni/component/options/path.rb +1 -1
data/lib/arachni/component/options/port.rb +1 -1
data/lib/arachni/component/options/string.rb +1 -1
data/lib/arachni/component/options/url.rb +1 -1
data/lib/arachni/component/options.rb +1 -1
data/lib/arachni/component/output.rb +8 -2
data/lib/arachni/component/utilities.rb +1 -1
data/lib/arachni/component.rb +1 -1
data/lib/arachni/data/framework/rpc.rb +2 -2
data/lib/arachni/data/framework.rb +3 -2
data/lib/arachni/data/issues.rb +1 -1
data/lib/arachni/data/plugins.rb +1 -1
data/lib/arachni/data/session.rb +1 -1
data/lib/arachni/data.rb +1 -1
data/lib/arachni/element/base.rb +1 -1
data/lib/arachni/element/body.rb +1 -1
data/lib/arachni/element/capabilities/analyzable/differential.rb +142 -175
data/lib/arachni/element/capabilities/analyzable/signature.rb +40 -18
data/lib/arachni/element/capabilities/analyzable/timeout.rb +1 -1
data/lib/arachni/element/capabilities/analyzable.rb +1 -1
data/lib/arachni/element/capabilities/auditable/buffered.rb +92 -0
data/lib/arachni/element/capabilities/auditable/line_buffered.rb +103 -0
data/lib/arachni/element/capabilities/auditable.rb +2 -8
data/lib/arachni/element/capabilities/dom_only.rb +1 -1
data/lib/arachni/element/capabilities/inputtable.rb +6 -2
data/lib/arachni/element/capabilities/mutable.rb +1 -1
data/lib/arachni/element/capabilities/refreshable.rb +1 -1
data/lib/arachni/element/capabilities/submittable.rb +1 -1
data/lib/arachni/element/capabilities/with_auditor/output.rb +4 -3
data/lib/arachni/element/capabilities/with_auditor.rb +1 -1
data/lib/arachni/element/capabilities/with_dom.rb +1 -1
data/lib/arachni/element/capabilities/with_node.rb +3 -3
data/lib/arachni/element/capabilities/with_scope/scope.rb +1 -1
data/lib/arachni/element/capabilities/with_scope.rb +1 -1
data/lib/arachni/element/capabilities/with_source.rb +2 -2
data/lib/arachni/element/cookie/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/cookie/capabilities/mutable.rb +1 -1
data/lib/arachni/element/cookie/capabilities/with_dom.rb +1 -1
data/lib/arachni/element/cookie/dom.rb +1 -1
data/lib/arachni/element/cookie.rb +49 -24
data/lib/arachni/element/dom/capabilities/auditable.rb +44 -3
data/lib/arachni/element/dom/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/dom/capabilities/locatable.rb +1 -1
data/lib/arachni/element/dom/capabilities/mutable.rb +7 -3
data/lib/arachni/element/dom/capabilities/submittable.rb +51 -22
data/lib/arachni/element/dom.rb +1 -1
data/lib/arachni/element/form/capabilities/auditable.rb +1 -1
data/lib/arachni/element/form/capabilities/mutable.rb +16 -11
data/lib/arachni/element/form/capabilities/submittable.rb +1 -1
data/lib/arachni/element/form/capabilities/with_dom.rb +1 -1
data/lib/arachni/element/form/dom.rb +1 -1
data/lib/arachni/element/form.rb +21 -32
data/lib/arachni/element/generic_dom.rb +1 -1
data/lib/arachni/element/header/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/header/capabilities/mutable.rb +1 -1
data/lib/arachni/element/header.rb +3 -1
data/lib/arachni/element/json/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/json/capabilities/mutable.rb +1 -1
data/lib/arachni/element/json.rb +4 -8
data/lib/arachni/element/link/capabilities/auditable.rb +1 -1
data/lib/arachni/element/link/capabilities/submittable.rb +1 -1
data/lib/arachni/element/link/capabilities/with_dom.rb +1 -1
data/lib/arachni/element/link/dom/capabilities/submittable.rb +1 -1
data/lib/arachni/element/link/dom.rb +1 -1
data/lib/arachni/element/link.rb +11 -30
data/lib/arachni/element/link_template/capabilities/auditable.rb +1 -1
data/lib/arachni/element/link_template/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/link_template/capabilities/with_dom.rb +1 -1
data/lib/arachni/element/link_template/dom/capabilities/submittable.rb +1 -1
data/lib/arachni/element/link_template/dom.rb +2 -2
data/lib/arachni/element/link_template.rb +10 -19
data/lib/arachni/element/nested_cookie/capabilities/submittable.rb +35 -0
data/lib/arachni/element/nested_cookie.rb +370 -0
data/lib/arachni/element/path.rb +1 -1
data/lib/arachni/element/server.rb +11 -11
data/lib/arachni/element/ui_form/dom.rb +1 -1
data/lib/arachni/element/ui_form.rb +5 -6
data/lib/arachni/element/ui_input/dom.rb +1 -1
data/lib/arachni/element/ui_input.rb +4 -6
data/lib/arachni/element/xml/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/xml/capabilities/mutable.rb +1 -1
data/lib/arachni/element/xml.rb +3 -7
data/lib/arachni/element_filter.rb +1 -1
data/lib/arachni/error.rb +1 -1
data/lib/arachni/ethon/easy.rb +1 -1
data/lib/arachni/framework/parts/audit.rb +6 -1
data/lib/arachni/framework/parts/browser.rb +14 -14
data/lib/arachni/framework/parts/check.rb +1 -1
data/lib/arachni/framework/parts/data.rb +1 -1
data/lib/arachni/framework/parts/platform.rb +1 -1
data/lib/arachni/framework/parts/plugin.rb +1 -1
data/lib/arachni/framework/parts/report.rb +3 -3
data/lib/arachni/framework/parts/scope.rb +1 -1
data/lib/arachni/framework/parts/state.rb +1 -1
data/lib/arachni/framework.rb +1 -1
data/lib/arachni/http/client/dynamic_404_handler.rb +74 -16
data/lib/arachni/http/client.rb +38 -11
data/lib/arachni/http/cookie_jar.rb +13 -8
data/lib/arachni/http/headers.rb +11 -5
data/lib/arachni/http/message/scope.rb +1 -1
data/lib/arachni/http/message.rb +10 -9
data/lib/arachni/http/proxy_server/connection.rb +110 -82
data/lib/arachni/http/proxy_server/ssl-interceptor-cacert.pem +18 -32
data/lib/arachni/http/proxy_server/ssl-interceptor-cakey.pem +28 -49
data/lib/arachni/http/proxy_server/ssl_interceptor.rb +8 -6
data/lib/arachni/http/proxy_server/tunnel.rb +4 -4
data/lib/arachni/http/proxy_server.rb +44 -11
data/lib/arachni/http/request/scope.rb +1 -1
data/lib/arachni/http/request.rb +239 -41
data/lib/arachni/http/response/scope.rb +1 -1
data/lib/arachni/http/response.rb +73 -10
data/lib/arachni/http.rb +1 -1
data/lib/arachni/issue/severity/base.rb +1 -1
data/lib/arachni/issue/severity.rb +1 -1
data/lib/arachni/issue.rb +42 -14
data/lib/arachni/option_group.rb +1 -1
data/lib/arachni/option_groups/audit.rb +11 -2
data/lib/arachni/option_groups/browser_cluster.rb +32 -4
data/lib/arachni/option_groups/datastore.rb +1 -1
data/lib/arachni/option_groups/dispatcher.rb +1 -1
data/lib/arachni/option_groups/http.rb +39 -10
data/lib/arachni/option_groups/input.rb +1 -1
data/lib/arachni/option_groups/output.rb +1 -1
data/lib/arachni/option_groups/paths.rb +12 -1
data/lib/arachni/option_groups/rpc.rb +1 -1
data/lib/arachni/option_groups/scope.rb +58 -4
data/lib/arachni/option_groups/session.rb +1 -1
data/lib/arachni/option_groups/snapshot.rb +1 -1
data/lib/arachni/option_groups.rb +1 -1
data/lib/arachni/options.rb +23 -4
data/lib/arachni/page/dom/transition.rb +5 -2
data/lib/arachni/page/dom.rb +46 -54
data/lib/arachni/page/scope.rb +1 -1
data/lib/arachni/page.rb +10 -8
data/lib/arachni/parser/document.rb +34 -0
data/lib/arachni/parser/extractors/base.rb +48 -0
data/lib/arachni/parser/nodes/base.rb +22 -0
data/lib/arachni/parser/nodes/comment.rb +32 -0
data/lib/arachni/parser/nodes/element/with_attributes/attributes.rb +31 -0
data/lib/arachni/parser/nodes/element/with_attributes.rb +35 -0
data/lib/arachni/parser/nodes/element.rb +48 -0
data/lib/arachni/parser/nodes/text.rb +32 -0
data/lib/arachni/parser/nodes/with_value.rb +29 -0
data/lib/arachni/parser/sax.rb +76 -0
data/lib/arachni/parser/with_children/search.rb +92 -0
data/lib/arachni/parser/with_children.rb +35 -0
data/lib/arachni/parser.rb +181 -78
data/lib/arachni/platform/fingerprinter.rb +1 -1
data/lib/arachni/platform/list.rb +1 -1
data/lib/arachni/platform/manager.rb +2 -2
data/lib/arachni/platform.rb +1 -1
data/lib/arachni/plugin/base.rb +2 -2
data/lib/arachni/plugin/formatter.rb +1 -1
data/lib/arachni/plugin/manager.rb +8 -5
data/lib/arachni/plugin.rb +1 -1
data/lib/arachni/processes/dispatchers.rb +1 -1
data/lib/arachni/processes/executables/base.rb +2 -1
data/lib/arachni/processes/executables/browser.rb +0 -2
data/lib/arachni/processes/helpers/dispatchers.rb +1 -1
data/lib/arachni/processes/helpers/instances.rb +1 -1
data/lib/arachni/processes/helpers/processes.rb +1 -1
data/lib/arachni/processes/helpers.rb +1 -1
data/lib/arachni/processes/instances.rb +1 -1
data/lib/arachni/processes/manager.rb +18 -9
data/lib/arachni/processes.rb +1 -1
data/lib/arachni/report.rb +8 -1
data/lib/arachni/reporter/base.rb +1 -1
data/lib/arachni/reporter/formatter_manager.rb +1 -1
data/lib/arachni/reporter/manager.rb +1 -1
data/lib/arachni/reporter/options.rb +1 -10
data/lib/arachni/reporter.rb +1 -1
data/lib/arachni/rest/server/instance_helpers.rb +10 -1
data/lib/arachni/rest/server.rb +13 -1
data/lib/arachni/rpc/client/base.rb +1 -1
data/lib/arachni/rpc/client/dispatcher.rb +1 -1
data/lib/arachni/rpc/client/instance/framework.rb +1 -1
data/lib/arachni/rpc/client/instance/service.rb +1 -1
data/lib/arachni/rpc/client/instance.rb +1 -1
data/lib/arachni/rpc/serializer.rb +1 -1
data/lib/arachni/rpc/server/active_options.rb +1 -1
data/lib/arachni/rpc/server/base.rb +1 -1
data/lib/arachni/rpc/server/check/manager.rb +1 -1
data/lib/arachni/rpc/server/dispatcher/node.rb +1 -1
data/lib/arachni/rpc/server/dispatcher/service.rb +1 -1
data/lib/arachni/rpc/server/dispatcher.rb +1 -1
data/lib/arachni/rpc/server/framework/distributor.rb +1 -1
data/lib/arachni/rpc/server/framework/master.rb +1 -1
data/lib/arachni/rpc/server/framework/multi_instance.rb +1 -1
data/lib/arachni/rpc/server/framework/slave.rb +1 -1
data/lib/arachni/rpc/server/framework.rb +1 -1
data/lib/arachni/rpc/server/instance.rb +1 -1
data/lib/arachni/rpc/server/output.rb +1 -1
data/lib/arachni/rpc/server/plugin/manager.rb +1 -1
data/lib/arachni/ruby/array.rb +1 -1
data/lib/arachni/ruby/hash.rb +1 -1
data/lib/arachni/ruby/object.rb +1 -1
data/lib/arachni/ruby/set.rb +1 -1
data/lib/arachni/ruby/string.rb +9 -5
data/lib/arachni/ruby/webrick/cookie.rb +1 -1
data/lib/arachni/ruby/webrick/httprequest.rb +1 -1
data/lib/arachni/ruby/webrick.rb +1 -1
data/lib/arachni/ruby.rb +1 -1
data/lib/arachni/scope.rb +1 -1
data/lib/arachni/selenium/webdriver/element.rb +4 -4
data/lib/arachni/selenium/webdriver/remote/typhoeus.rb +59 -0
data/lib/arachni/session.rb +32 -13
data/lib/arachni/snapshot.rb +2 -2
data/lib/arachni/state/audit.rb +1 -1
data/lib/arachni/state/element_filter.rb +1 -1
data/lib/arachni/state/framework/rpc.rb +1 -1
data/lib/arachni/state/framework.rb +1 -1
data/lib/arachni/state/http.rb +2 -2
data/lib/arachni/state/options.rb +1 -1
data/lib/arachni/state/plugins.rb +1 -1
data/lib/arachni/state.rb +1 -1
data/lib/arachni/support/buffer/autoflush.rb +1 -1
data/lib/arachni/support/buffer/base.rb +1 -1
data/lib/arachni/support/buffer.rb +1 -1
data/lib/arachni/support/cache/base.rb +1 -1
data/lib/arachni/support/cache/least_cost_replacement.rb +1 -1
data/lib/arachni/support/cache/least_recently_pushed.rb +1 -1
data/lib/arachni/support/cache/least_recently_used.rb +1 -1
data/lib/arachni/support/cache/preference.rb +1 -1
data/lib/arachni/support/cache/random_replacement.rb +1 -1
data/lib/arachni/support/cache.rb +1 -1
data/lib/arachni/support/crypto/rsa_aes_cbc.rb +1 -1
data/lib/arachni/support/crypto.rb +1 -1
data/lib/arachni/support/database/base.rb +16 -10
data/lib/arachni/support/database/hash.rb +1 -1
data/lib/arachni/support/database/queue.rb +1 -1
data/lib/arachni/support/database.rb +1 -1
data/lib/arachni/support/glob.rb +1 -1
data/lib/arachni/support/lookup/base.rb +1 -1
data/lib/arachni/support/lookup/hash_set.rb +1 -1
data/lib/arachni/support/lookup/moolb.rb +1 -1
data/lib/arachni/support/lookup.rb +1 -1
data/lib/arachni/support/mixins/observable.rb +1 -1
data/lib/arachni/support/mixins/terminal.rb +1 -1
data/lib/arachni/support/mixins.rb +1 -1
data/lib/arachni/support/profiler.rb +52 -13
data/lib/arachni/support/signature.rb +18 -6
data/lib/arachni/support.rb +1 -1
data/lib/arachni/trainer.rb +55 -39
data/lib/arachni/ui/foo/output.rb +1 -1
data/lib/arachni/uri/scope.rb +15 -13
data/lib/arachni/uri.rb +129 -103
data/lib/arachni/utilities.rb +10 -10
data/lib/arachni/version.rb +1 -1
data/lib/arachni.rb +1 -7
data/lib/version +1 -1
data/spec/arachni/browser/element_locator_spec.rb +42 -18
data/spec/arachni/browser/javascript/dom_monitor_spec.rb +264 -109
data/spec/arachni/browser/javascript/polyfills_spec.rb +0 -15
data/spec/arachni/browser/javascript/proxy_spec.rb +0 -10
data/spec/arachni/browser/javascript/taint_tracer_spec.rb +43 -118
data/spec/arachni/browser/javascript_spec.rb +95 -60
data/spec/arachni/browser_cluster/job_spec.rb +23 -8
data/spec/arachni/browser_cluster/jobs/dom_exploration_spec.rb +6 -1
data/spec/arachni/browser_cluster/worker_spec.rb +29 -87
data/spec/arachni/browser_cluster_spec.rb +124 -43
data/spec/arachni/browser_spec.rb +463 -421
data/spec/arachni/check/auditor_spec.rb +162 -198
data/spec/arachni/data/framework/rpc_spec.rb +1 -1
data/spec/arachni/data/framework_spec.rb +1 -1
data/spec/arachni/element/capabilities/analyzable/signature_spec.rb +46 -3
data/spec/arachni/element/cookie/dom_spec.rb +1 -1
data/spec/arachni/element/cookie_spec.rb +159 -64
data/spec/arachni/element/form/dom_spec.rb +1 -1
data/spec/arachni/element/form_spec.rb +101 -54
data/spec/arachni/element/header_spec.rb +3 -1
data/spec/arachni/element/json_spec.rb +2 -0
data/spec/arachni/element/link/dom_spec.rb +2 -2
data/spec/arachni/element/link_spec.rb +46 -15
data/spec/arachni/element/link_template/dom_spec.rb +1 -1
data/spec/arachni/element/link_template_spec.rb +36 -12
data/spec/arachni/element/nested_cookie_spec.rb +687 -0
data/spec/arachni/element/server_spec.rb +22 -5
data/spec/arachni/element/ui_form/dom_spec.rb +1 -1
data/spec/arachni/element/ui_form_spec.rb +2 -2
data/spec/arachni/element/ui_input/dom_spec.rb +1 -1
data/spec/arachni/element/ui_input_spec.rb +1 -1
data/spec/arachni/element/xml_spec.rb +5 -3
data/spec/arachni/framework/parts/audit_spec.rb +2 -14
data/spec/arachni/framework/parts/data_spec.rb +0 -6
data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +126 -0
data/spec/arachni/http/client_spec.rb +96 -36
data/spec/arachni/http/cookie_jar_spec.rb +2 -2
data/spec/arachni/http/headers_spec.rb +59 -12
data/spec/arachni/http/proxy_server_spec.rb +58 -25
data/spec/arachni/http/request_spec.rb +382 -35
data/spec/arachni/http/response_spec.rb +135 -7
data/spec/arachni/issue_spec.rb +21 -2
data/spec/arachni/option_groups/browser_cluster_spec.rb +17 -0
data/spec/arachni/option_groups/http_spec.rb +21 -6
data/spec/arachni/option_groups/paths_spec.rb +23 -1
data/spec/arachni/option_groups/scope_spec.rb +27 -7
data/spec/arachni/options_spec.rb +8 -1
data/spec/arachni/page/dom_spec.rb +20 -6
data/spec/arachni/page_spec.rb +8 -7
data/spec/arachni/parser/document_spec.rb +49 -0
data/spec/arachni/parser/nodes/comment_spec.rb +24 -0
data/spec/arachni/parser/nodes/element/with_attributes/attributes_spec.rb +40 -0
data/spec/arachni/parser/nodes/element/with_attributes_spec.rb +50 -0
data/spec/arachni/parser/nodes/element_spec.rb +18 -0
data/spec/arachni/parser/nodes/text_spec.rb +24 -0
data/spec/arachni/parser/sax_spec.rb +88 -0
data/spec/arachni/parser/with_children/search_spec.rb +146 -0
data/spec/arachni/parser/with_children_spec.rb +37 -0
data/spec/arachni/parser_spec.rb +211 -27
data/spec/arachni/platform/list_spec.rb +1 -2
data/spec/arachni/report_spec.rb +9 -2
data/spec/arachni/reporter/options_spec.rb +0 -14
data/spec/arachni/rest/server_spec.rb +91 -8
data/spec/arachni/rpc/server/active_options_spec.rb +1 -1
data/spec/arachni/rpc/server/framework/distributor_spec.rb +6 -6
data/spec/arachni/ruby/string_spec.rb +6 -0
data/spec/arachni/session_spec.rb +69 -8
data/spec/arachni/snapshot_spec.rb +1 -1
data/spec/arachni/state/framework_spec.rb +2 -2
data/spec/arachni/support/signature_spec.rb +58 -0
data/spec/arachni/trainer_spec.rb +102 -21
data/spec/arachni/uri_spec.rb +11 -8
data/spec/arachni/utilities_spec.rb +3 -3
data/spec/components/checks/active/code_injection_spec.rb +12 -7
data/spec/components/checks/active/code_injection_timing_spec.rb +4 -3
data/spec/components/checks/active/csrf_spec.rb +1 -21
data/spec/components/checks/active/file_inclusion_spec.rb +15 -10
data/spec/components/checks/active/ldap_injection_spec.rb +5 -4
data/spec/components/checks/active/no_sql_injection_differential_spec.rb +1 -1
data/spec/components/checks/active/no_sql_injection_spec.rb +5 -4
data/spec/components/checks/active/os_cmd_injection_spec.rb +6 -4
data/spec/components/checks/active/os_cmd_injection_timing_spec.rb +4 -3
data/spec/components/checks/active/path_traversal_spec.rb +18 -15
data/spec/components/checks/active/response_splitting_spec.rb +5 -4
data/spec/components/checks/active/rfi_spec.rb +9 -8
data/spec/components/checks/active/source_code_disclosure_spec.rb +33 -10
data/spec/components/checks/active/sql_injection_differential_spec.rb +1 -1
data/spec/components/checks/active/sql_injection_spec.rb +61 -35
data/spec/components/checks/active/sql_injection_timing_spec.rb +11 -8
data/spec/components/checks/active/unvalidated_redirect_spec.rb +9 -8
data/spec/components/checks/active/xpath_injection_spec.rb +5 -4
data/spec/components/checks/active/xss_dom_script_context_spec.rb +6 -10
data/spec/components/checks/active/xss_dom_spec.rb +2 -2
data/spec/components/checks/active/xss_event_spec.rb +11 -3
data/spec/components/checks/active/xss_script_context_spec.rb +8 -7
data/spec/components/checks/active/xss_spec.rb +7 -6
data/spec/components/checks/active/xss_tag_spec.rb +11 -3
data/spec/components/checks/passive/backup_directories_spec.rb +3 -1
data/spec/components/checks/passive/backup_files_spec.rb +4 -1
data/spec/components/checks/passive/grep/insecure_cookies_spec.rb +2 -2
data/spec/components/checks/passive/grep/x_frame_options_spec.rb +6 -0
data/spec/components/path_extractors/comments_spec.rb +3 -1
data/spec/components/path_extractors/data_url_spec.rb +6 -2
data/spec/components/path_extractors/links_spec.rb +1 -1
data/spec/components/plugins/autologin_spec.rb +2 -2
data/spec/components/plugins/webhook_notify_spec.rb +69 -0
data/spec/spec_helper.rb +2 -1
data/spec/support/factories/http/response.rb +1 -1
data/spec/support/factories/issue.rb +1 -2
data/spec/support/factories/page/dom.rb +6 -0
data/spec/support/factories/scan_report.rb +1 -0
data/spec/support/factories/vector.rb +7 -3
data/spec/support/fixtures/check_with_invalid_platforms/with_invalid_platforms.rb +1 -1
data/spec/support/fixtures/checks/test.rb +4 -4
data/spec/support/fixtures/checks/test2.rb +1 -1
data/spec/support/fixtures/checks/test3.rb +1 -1
data/spec/support/fixtures/cookies.txt +2 -2
data/spec/support/fixtures/executables/node.rb +2 -3
data/spec/support/fixtures/fingerprinters/test.rb +1 -1
data/spec/support/fixtures/nested_cookies.txt +11 -0
data/spec/support/fixtures/plugins/bad.rb +1 -1
data/spec/support/fixtures/plugins/defaults/default.rb +1 -1
data/spec/support/fixtures/plugins/distributable.rb +1 -1
data/spec/support/fixtures/plugins/loop.rb +1 -1
data/spec/support/fixtures/plugins/suspendable.rb +1 -1
data/spec/support/fixtures/plugins/wait.rb +1 -1
data/spec/support/fixtures/plugins/with_options.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p0.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p00.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p1.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p2.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p22.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p222.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p_nil.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p_nil2.rb +1 -1
data/spec/support/fixtures/report.afr +0 -0
data/spec/support/fixtures/reporters/base_spec/plugin_formatters/with_formatters/foobar.rb +1 -1
data/spec/support/fixtures/reporters/base_spec/with_formatters.rb +1 -1
data/spec/support/fixtures/reporters/base_spec/with_outfile.rb +1 -1
data/spec/support/fixtures/reporters/base_spec/without_outfile.rb +1 -1
data/spec/support/fixtures/reporters/manager_spec/afr.rb +1 -1
data/spec/support/fixtures/reporters/manager_spec/error.rb +1 -1
data/spec/support/fixtures/reporters/manager_spec/foo.rb +1 -1
data/spec/support/fixtures/run_check/body.rb +1 -1
data/spec/support/fixtures/run_check/cookies.rb +1 -1
data/spec/support/fixtures/run_check/empty.rb +1 -1
data/spec/support/fixtures/run_check/flch.rb +1 -1
data/spec/support/fixtures/run_check/forms.rb +1 -1
data/spec/support/fixtures/run_check/headers.rb +1 -1
data/spec/support/fixtures/run_check/links.rb +1 -1
data/spec/support/fixtures/run_check/nil.rb +1 -1
data/spec/support/fixtures/run_check/path.rb +1 -1
data/spec/support/fixtures/run_check/server.rb +1 -1
data/spec/support/fixtures/signature_check/signature.rb +1 -1
data/spec/support/fixtures/wait_check/wait.rb +1 -1
data/spec/support/helpers/browser_cluster/jobs/taint_tracer.rb +0 -3
data/spec/support/helpers/framework.rb +1 -1
data/spec/support/helpers/misc.rb +1 -1
data/spec/support/helpers/paths.rb +1 -1
data/spec/support/helpers/requires.rb +1 -1
data/spec/support/helpers/resets.rb +1 -1
data/spec/support/helpers/web_server.rb +1 -1
data/spec/support/lib/factory.rb +1 -1
data/spec/support/lib/web_server_client.rb +1 -1
data/spec/support/lib/web_server_dispatcher.rb +1 -1
data/spec/support/lib/web_server_manager.rb +4 -2
data/spec/support/servers/arachni/browser/javascript/dom_monitor.rb +48 -0
data/spec/support/servers/arachni/browser/javascript/taint_tracer.rb +15 -3
data/spec/support/servers/arachni/browser.rb +275 -4
data/spec/support/servers/arachni/check/auditor.rb +9 -0
data/spec/support/servers/arachni/element/cookie.rb +34 -0
data/spec/support/servers/arachni/element/form/form_dom.rb +1 -0
data/spec/support/servers/arachni/element/form.rb +36 -2
data/spec/support/servers/arachni/element/header.rb +36 -1
data/spec/support/servers/arachni/element/json.rb +33 -0
data/spec/support/servers/arachni/element/link.rb +33 -1
data/spec/support/servers/arachni/element/link_template.rb +37 -5
data/spec/support/servers/arachni/element/nested_cookie.rb +84 -0
data/spec/support/servers/arachni/element/xml.rb +33 -0
data/spec/support/servers/arachni/http/client/dynamic_404_handler.rb +36 -0
data/spec/support/servers/arachni/http/client/dynamic_404_handler_redirect_1.rb +18 -0
data/spec/support/servers/arachni/http/client/dynamic_404_handler_redirect_2.rb +11 -0
data/spec/support/servers/arachni/http/client.rb +43 -4
data/spec/support/servers/arachni/http/proxy_server.rb +12 -0
data/spec/support/servers/arachni/parser.rb +6 -0
data/spec/support/servers/arachni/session.rb +24 -1
data/spec/support/servers/checks/active/code_injection.rb +18 -0
data/spec/support/servers/checks/active/code_injection_timing.rb +18 -0
data/spec/support/servers/checks/active/csrf.rb +0 -76
data/spec/support/servers/checks/active/file_inclusion.rb +19 -1
data/spec/support/servers/checks/active/ldap_injection.rb +18 -0
data/spec/support/servers/checks/active/no_sql_injection.rb +27 -0
data/spec/support/servers/checks/active/no_sql_injection_differential.rb +19 -0
data/spec/support/servers/checks/active/os_cmd_injection.rb +29 -0
data/spec/support/servers/checks/active/os_cmd_injection_timing.rb +18 -1
data/spec/support/servers/checks/active/path_traversal.rb +30 -3
data/spec/support/servers/checks/active/response_splitting.rb +30 -1
data/spec/support/servers/checks/active/rfi.rb +30 -2
data/spec/support/servers/checks/active/session_fixation.rb +1 -3
data/spec/support/servers/checks/active/source_code_disclosure.rb +16 -0
data/spec/support/servers/checks/active/sql_injection/java +2 -0
data/spec/support/servers/checks/active/sql_injection.rb +27 -0
data/spec/support/servers/checks/active/sql_injection_differential.rb +19 -0
data/spec/support/servers/checks/active/sql_injection_timing.rb +19 -1
data/spec/support/servers/checks/active/unvalidated_redirect.rb +121 -1
data/spec/support/servers/checks/active/xpath_injection.rb +27 -0
data/spec/support/servers/checks/active/xss.rb +40 -0
data/spec/support/servers/checks/active/xss_event.rb +23 -2
data/spec/support/servers/checks/active/xss_script_context.rb +18 -0
data/spec/support/servers/checks/active/xss_tag.rb +40 -0
data/spec/support/servers/checks/passive/backup_files.rb +20 -1
data/spec/support/servers/checks/passive/grep/cookie_set_for_parent_domain.rb +3 -5
data/spec/support/servers/checks/passive/grep/insecure_cookies_https.rb +9 -0
data/spec/support/servers/checks/passive/grep/x_frame_options.rb +5 -0
data/spec/support/servers/plugins/autologin.rb +17 -1
data/spec/support/servers/plugins/webhook_notify.rb +9 -0
data/spec/support/shared/check.rb +1 -0
data/spec/support/shared/element/capabilities/auditable/buffered.rb +791 -0
data/spec/support/shared/element/capabilities/auditable/line_buffered.rb +797 -0
data/spec/support/shared/element/capabilities/auditable.rb +28 -34
data/spec/support/shared/element/capabilities/inputtable.rb +26 -0
data/spec/support/shared/element/capabilities/with_node.rb +2 -2
data/spec/support/shared/element/dom/submittable.rb +10 -10
data/spec/support/shared/path_extractor.rb +17 -5
data/ui/cli/framework/option_parser.rb +78 -13
data/ui/cli/framework.rb +29 -8
data/ui/cli/option_parser.rb +1 -1
data/ui/cli/output.rb +10 -3
data/ui/cli/reporter/option_parser.rb +1 -1
data/ui/cli/reporter.rb +1 -1
data/ui/cli/reproduce/option_parser.rb +90 -0
data/ui/cli/reproduce.rb +228 -0
data/ui/cli/rest/server/option_parser.rb +1 -1
data/ui/cli/rest/server.rb +1 -1
data/ui/cli/restored_framework/option_parser.rb +1 -1
data/ui/cli/restored_framework.rb +1 -1
data/ui/cli/rpc/client/dispatcher_monitor/option_parser.rb +1 -1
data/ui/cli/rpc/client/dispatcher_monitor.rb +9 -11
data/ui/cli/rpc/client/instance.rb +7 -4
data/ui/cli/rpc/client/local/option_parser.rb +1 -1
data/ui/cli/rpc/client/local.rb +1 -1
data/ui/cli/rpc/client/remote/option_parser.rb +1 -1
data/ui/cli/rpc/client/remote.rb +1 -1
data/ui/cli/rpc/server/dispatcher/option_parser.rb +1 -1
data/ui/cli/rpc/server/dispatcher.rb +1 -1
data/ui/cli/utilities.rb +1 -1
metadata +178 -79
data/ACKNOWLEDGMENTS.md +0 -21
data/AUTHORS.md +0 -3
data/CONTRIBUTORS.md +0 -22

data/spec/arachni/http/response_spec.rb CHANGED Viewed

@@ -140,6 +140,131 @@ describe Arachni::HTTP::Response do
         end
     end
+    describe '#html?' do
+        context 'when it starts with an HTML doctype' do
+            subject do
+                described_class.new(
+                    url:  'http://test.com',
+                    code: 200,
+                    body: body
+                )
+            end
+            let(:body) { '<!DOCTYPE html' }
+            expect_it { to be_html }
+        end
+        context 'when the Content-Type is' do
+            subject do
+                described_class.new(
+                    url:     'http://test.com',
+                    code:    200,
+                    headers: {
+                        'Content-Type' => content_type
+                    }
+                )
+            end
+            ['text/html', 'text/html; charset=ISO-8859-1',
+             'text/html ; charset=ISO-8859-1',
+             'application/xhtml+xml', 'application/xhtml+xml; charset=ISO-8859-1',
+             'application/xhtml+xml ; charset=ISO-8859-1'].each do |content_type|
+                context content_type.downcase do
+                    let(:content_type) { content_type.downcase }
+                    expect_it { to be_html }
+                end
+                context content_type.upcase do
+                    let(:content_type) { content_type.upcase }
+                    expect_it { to be_html }
+                end
+            end
+            context 'other' do
+                let(:content_type) { 'text/plain' }
+                expect_it { to_not be_html }
+            end
+            context 'missing' do
+                context 'and X-Content-Type-Options is' do
+                    context 'missing' do
+                        context 'and the body includes HTML identifier' do
+                            subject do
+                                described_class.new(
+                                    url:  'http://test.com',
+                                    code: 200,
+                                    body: body
+                                )
+                            end
+                            described_class::HTML_IDENTIFIERS.each do |id|
+                                context id.downcase do
+                                    let(:body) { id.downcase }
+                                    expect_it { to be_html }
+                                end
+                                context id.upcase do
+                                    let(:body) { id.upcase }
+                                    expect_it { to be_html }
+                                end
+                            end
+                            context 'other' do
+                                let(:body) { 'Stuff here' }
+                                expect_it { to_not be_html }
+                            end
+                        end
+                    end
+                    context 'nosniff' do
+                        context 'and the body includes HTML identifier' do
+                            subject do
+                                described_class.new(
+                                    url:  'http://test.com',
+                                    code: 200,
+                                    body: body,
+                                    headers: {
+                                        'X-Content-Type-Options' => 'nosniff'
+                                    }
+                                )
+                            end
+                            described_class::HTML_IDENTIFIERS.each do |id|
+                                context id.downcase do
+                                    let(:body) { id.downcase }
+                                    expect_it { to_not be_html }
+                                end
+                                context id.upcase do
+                                    let(:body) { id.upcase }
+                                    expect_it { to_not be_html }
+                                end
+                            end
+                            context 'other' do
+                                let(:body) { 'Stuff here' }
+                                expect_it { to_not be_html }
+                            end
+                        end
+                    end
+                end
+            end
+        end
+    end
     describe '#partial?' do
         context 'when the response body does not match the content-lenth' do
             it 'returns true' do
@@ -148,7 +273,7 @@ describe Arachni::HTTP::Response do
             end
         end
-        context 'when the response body matches the content-lenth' do
+        context 'when the response body matches the content-length' do
             it 'returns false' do
                 response = @http.get( @url, mode: :sync )
                 expect(response).to_not be_partial
@@ -159,6 +284,15 @@ describe Arachni::HTTP::Response do
             context 'that does not complete' do
                 it 'returns true' do
                     response = @http.get( "#{@url}/partial_stream", mode: :sync )
+                    expect(response.return_code).to eq :partial_file
+                    expect(response).to be_partial
+                end
+            end
+            context 'that closes abruptly' do
+                it 'returns true' do
+                    response = @http.get( "#{@url}/fail_stream", mode: :sync )
+                    expect(response.return_code).to eq :recv_error
                     expect(response).to be_partial
                 end
             end
@@ -330,12 +464,6 @@ describe Arachni::HTTP::Response do
             expect(r.body).to eq(body)
         end
-        it 'freezes it' do
-            r = described_class.new( url: url )
-            r.body = 'Stuff...'
-            expect(r.body).to be_frozen
-        end
         it 'forces it to a string' do
             r = described_class.new( url: url )
             r.body = nil

data/spec/arachni/issue_spec.rb CHANGED Viewed

@@ -26,6 +26,25 @@ describe Arachni::Issue do
         expect(issue.name).to eq("Check name \u2713")
     end
+    it 'is comparable' do
+        informational = issue.dup.tap { |i| i.severity = Arachni::Issue::Severity::INFORMATIONAL }
+        low           = issue.dup.tap { |i| i.severity = Arachni::Issue::Severity::LOW }
+        medium        = issue.dup.tap { |i| i.severity = Arachni::Issue::Severity::MEDIUM }
+        high          = issue.dup.tap { |i| i.severity = Arachni::Issue::Severity::HIGH }
+        expect(informational).to be < low
+        expect(low).to be < medium
+        expect(medium).to be < high
+        expect(high).to be > medium
+        expect(medium).to be > low
+        expect(low).to be > informational
+        expect([low, informational, high, medium].sort).to eq(
+            [informational, low, medium, high]
+        )
+    end
     describe '#recheck' do
         it 'rechecks the issue' do
             Arachni::Options.paths.checks = fixtures_path + '/signature_check/'
@@ -393,7 +412,7 @@ describe Arachni::Issue do
                     targets:     {
                         'Generic' => 'all'
                     },
-                    elements:    [:link, :form_dom],
+                    elements:    [:link],
                     shortname:   'test'
                 },
                 trusted:         true,
@@ -413,7 +432,7 @@ describe Arachni::Issue do
             )
             i = passive_issue
-            expect(i.unique_id).to eq("#{i.name}:#{i.proof}:#{i.vector.url}")
+            expect(i.unique_id).to eq("#{i.name}:#{i.proof}:#{i.vector.affected_input_name}:#{i.vector.url}")
         end
     end

data/spec/arachni/option_groups/browser_cluster_spec.rb CHANGED Viewed

@@ -52,4 +52,21 @@ describe Arachni::OptionGroups::BrowserCluster do
             end
         end
     end
+    describe '#session_storage' do
+        context 'when passed a Hash' do
+            it 'sets it' do
+                subject.session_storage = { 1 => 2 }
+                expect(subject.session_storage).to eq({ 1 => 2 })
+            end
+        end
+        context 'when passed anything other than Hash' do
+            it 'raises ArgumentError' do
+                expect do
+                    subject.session_storage = 1
+                end.to raise_error ArgumentError
+            end
+        end
+    end
 end

data/spec/arachni/option_groups/http_spec.rb CHANGED Viewed

@@ -14,20 +14,20 @@ describe Arachni::OptionGroups::HTTP do
     end
     describe '#user_agent' do
-        it "defaults to Arachni/v#{Arachni::VERSION}" do
-            expect(subject.user_agent).to eq('Arachni/v' + Arachni::VERSION.to_s)
+        it "defaults to Mozilla/5.0 (Gecko) Arachni/v#{Arachni::VERSION}" do
+            expect(subject.user_agent).to eq('Mozilla/5.0 (Gecko) Arachni/v' + Arachni::VERSION.to_s)
         end
     end
     describe '#request_concurrency' do
-        it 'defaults to 20' do
-            expect(subject.request_concurrency).to eq(20)
+        it 'defaults to 10' do
+            expect(subject.request_concurrency).to eq(10)
         end
     end
     describe '#request_timeout' do
-        it 'defaults to 10000' do
-            expect(subject.request_timeout).to eq(10000)
+        it 'defaults to 20000' do
+            expect(subject.request_timeout).to eq(20000)
         end
     end
@@ -37,6 +37,21 @@ describe Arachni::OptionGroups::HTTP do
         end
     end
+    describe '#authentication_type=' do
+        it 'sets #authentication_type' do
+            subject.authentication_type = 'ntlm'
+            expect(subject.authentication_type).to eq('ntlm')
+        end
+        context 'when given an invalid type' do
+            it "raises #{described_class::Error::InvalidAuthenticationType}" do
+                expect do
+                    subject.authentication_type = 'stuff'
+                end.to raise_error described_class::Error::InvalidAuthenticationType
+            end
+        end
+    end
     describe '#proxy_type=' do
         it 'sets #proxy_type' do
             subject.proxy_type = 'http'

data/spec/arachni/option_groups/paths_spec.rb CHANGED Viewed

@@ -14,7 +14,7 @@ describe Arachni::OptionGroups::Paths do
         end
     end
-    let(:paths_config_file) { "#{Arachni.tmpdir}/paths-#{Process.pid}.yml" }
+    let(:paths_config_file) { "#{Arachni::Options.paths.tmpdir}/paths-#{Process.pid}.yml" }
     %w(root arachni components logs checks reporters plugins services
         path_extractors fingerprinters lib support mixins snapshots).each do |method|
@@ -29,6 +29,28 @@ describe Arachni::OptionGroups::Paths do
         it { is_expected.to respond_to "#{method}=" }
     end
+    describe '#tmpdir' do
+        context 'when no tmpdir has been specified via config' do
+            it 'defaults to the OS tmpdir' do
+                expect(subject.tmpdir).to eq Arachni.get_long_win32_filename( Dir.tmpdir )
+            end
+        end
+        context "when #{described_class}.config['framework']['tmpdir']" do
+            it 'returns its value' do
+                allow(described_class).to receive(:config) do
+                    {
+                        'framework' => {
+                            'tmpdir' => '/my/tmpdir/'
+                        }
+                    }
+                end
+                expect(subject.tmpdir).to eq('/my/tmpdir/')
+            end
+        end
+    end
     describe '#logs' do
         it 'returns the default location' do
             expect(subject.logs).to eq("#{subject.root}logs/")

data/spec/arachni/option_groups/scope_spec.rb CHANGED Viewed

@@ -7,7 +7,7 @@ describe Arachni::OptionGroups::Scope do
     %w(directory_depth_limit dom_depth_limit page_limit restrict_paths extend_paths
         redundant_path_patterns auto_redundant_paths include_path_patterns
         exclude_path_patterns exclude_content_patterns include_subdomains https_only
-        url_rewrites exclude_binaries exclude_file_extensions
+        url_rewrites exclude_binaries exclude_file_extensions dom_event_limit
     ).each do |method|
         it { is_expected.to respond_to method }
         it { is_expected.to respond_to "#{method}=" }
@@ -54,12 +54,7 @@ describe Arachni::OptionGroups::Scope do
         end
         describe 'when #auto_redundant_paths has been disabled' do
             it 'returns false' do
-                subject.auto_redundant_paths = nil
-                expect(subject.auto_redundant?).to be_falsey
-            end
-        end
-        describe 'by default' do
-            it 'returns false' do
+                subject.auto_redundant_paths = 0
                 expect(subject.auto_redundant?).to be_falsey
             end
         end
@@ -138,6 +133,31 @@ describe Arachni::OptionGroups::Scope do
         end
     end
+    describe '#dom_event_limit_reached?' do
+        context 'when #page_limit has' do
+            context 'not been set' do
+                it 'returns false' do
+                    expect(subject.dom_event_limit_reached?( 44 )).to be_falsey
+                end
+            end
+            context 'not been reached' do
+                it 'returns false' do
+                    subject.dom_event_limit = 5
+                    expect(subject.dom_event_limit_reached?( 2 )).to be_falsey
+                end
+            end
+            context 'been reached' do
+                it 'returns true' do
+                    subject.dom_event_limit = 5
+                    expect(subject.dom_event_limit_reached?( 5 )).to be_truthy
+                    expect(subject.dom_event_limit_reached?( 6 )).to be_truthy
+                end
+            end
+        end
+    end
     describe '#restrict_paths=' do
         it 'converts its param to an array of strings' do
             restrict_paths = %w(my_restrict_paths my_other_restrict_paths)

data/spec/arachni/options_spec.rb CHANGED Viewed

@@ -96,6 +96,13 @@ describe Arachni::Options do
         end
     end
+    describe '#parsed_url' do
+        it 'returns a parsed version of #url' do
+            subject.url = 'http://test.com/'
+            expect(subject.parsed_url).to eq Arachni::URI( subject.url )
+        end
+    end
     describe '#url=' do
         it 'normalizes its argument' do
             subject.url = 'http://test.com/my path'
@@ -113,7 +120,7 @@ describe Arachni::Options do
         end
         context 'when passed reserved host' do
-            %w(localhost 127.0.0.1).each do |hostname|
+            %w(localhost 127.0.0.1 127.0.0.2 127.1.1.1).each do |hostname|
                 context hostname do
                     it "raises #{described_class::Error::ReservedHostname}" do
                         expect { subject.url = "http://#{hostname}" }.to raise_error

data/spec/arachni/page/dom_spec.rb CHANGED Viewed

@@ -39,6 +39,12 @@ describe Arachni::Page::DOM do
         expect(subject).to eq(Arachni::RPC::Serializer.deep_clone( subject ))
     end
+    it 'Marshaling ignores the page' do
+        expect(subject.page).to be_kind_of Arachni::Page
+        dom = Marshal.load( Marshal.dump( subject ) )
+        expect(dom.page).to be_nil
+    end
     describe '#to_rpc_data' do
         let(:data) { subject.to_rpc_data }
@@ -48,7 +54,7 @@ describe Arachni::Page::DOM do
             end
         end
-        %w(data_flow_sinks execution_flow_sinks).each do |attribute|
+        %w(cookies data_flow_sinks execution_flow_sinks cookies).each do |attribute|
             it "includes '#{attribute}'" do
                 expect(data[attribute]).to eq(subject.send(attribute).map(&:to_rpc_data))
             end
@@ -63,7 +69,7 @@ describe Arachni::Page::DOM do
         let(:restored) { described_class.from_rpc_data data }
         let(:data) { Arachni::RPC::Serializer.rpc_data( subject ) }
-        %w(url transitions digest skip_states data_flow_sinks
+        %w(url cookies transitions digest skip_states data_flow_sinks
             execution_flow_sinks).each do |attribute|
             it "restores '#{attribute}'" do
                 expect(restored.send( attribute )).to eq(subject.send( attribute ))
@@ -223,6 +229,12 @@ describe Arachni::Page::DOM do
         it 'returns a hash with DOM data' do
             data = {
                 url:         'http://test/dom',
+                cookies:     [
+                    Arachni::Element::Cookie.new(
+                        url:    'http://test/dom',
+                        inputs: { 'name' => 'val' }
+                    )
+                ],
                 skip_states: Arachni::Support::LookUp::HashSet.new.tap { |h| h << 0 },
                 transitions: [
                     { element:  :stuffed },
@@ -236,15 +248,17 @@ describe Arachni::Page::DOM do
             data[:transitions].each do |t|
                 empty_dom.push_transition t
             end
+            empty_dom.cookies = data[:cookies]
             empty_dom.skip_states = data[:skip_states]
             empty_dom.data_flow_sinks = data[:data_flow_sinks]
             empty_dom.execution_flow_sinks = data[:execution_flow_sinks]
             expect(empty_dom.to_h).to eq({
-                url:                 data[:url],
-                transitions:         data[:transitions].map(&:to_hash),
-                digest:              empty_dom.digest,
-                skip_states:         data[:skip_states],
+                url:                  data[:url],
+                cookies:              data[:cookies].map(&:to_hash),
+                transitions:          data[:transitions].map(&:to_hash),
+                digest:               empty_dom.digest,
+                skip_states:          data[:skip_states],
                 data_flow_sinks:      data[:data_flow_sinks].map(&:to_hash),
                 execution_flow_sinks: data[:execution_flow_sinks].map(&:to_hash)
             })

data/spec/arachni/page_spec.rb CHANGED Viewed

@@ -106,7 +106,7 @@ describe Arachni::Page do
         it 'restores Arachni::Element::Form#node of #forms' do
             form = subject.forms.last
-            expect(form.node).to be_kind_of Nokogiri::XML::Element
+            expect(form.node).to be_kind_of Arachni::Parser::Nodes::Element
             expect(form.node).to be_truthy
             expect(restored.forms.last.node.to_s).to eq(form.node.to_s)
@@ -114,7 +114,7 @@ describe Arachni::Page do
         it 'restores Arachni::Element::Link#node of #links' do
             link = subject.links.last
-            expect(link.node).to be_kind_of Nokogiri::XML::Element
+            expect(link.node).to be_kind_of Arachni::Parser::Nodes::Element
             expect(link.node).to be_truthy
             expect(restored.links.last.node.to_s).to eq(link.node.to_s)
@@ -644,13 +644,14 @@ describe Arachni::Page do
     describe '#elements' do
         it 'returns all page elements' do
-            expect(page.elements).to eq(page.links | page.forms | page.cookies | page.headers)
+            expect(page.elements).to eq(page.links | page.forms | page.cookies |
+                                            page.nested_cookies | page.headers)
         end
     end
     describe '#elements_within_scope' do
         it 'returns all elements that are within scope' do
-            Arachni::Options.audit.elements :links, :forms, :cookies, :headers
+            Arachni::Options.audit.elements :links, :forms, :cookies, :nested_cookies, :headers
             elements = page.elements
             element = elements.pop
@@ -867,7 +868,7 @@ describe Arachni::Page do
             it 'preserves Arachni::Element::Form#node of #forms' do
                 form = subject.forms.last
-                expect(form.node).to be_kind_of Nokogiri::XML::Element
+                expect(form.node).to be_kind_of Arachni::Parser::Nodes::Element
                 expect(form.node).to be_truthy
                 expect(subject.send(method).forms.last.node.to_s).to eq(form.node.to_s)
@@ -875,7 +876,7 @@ describe Arachni::Page do
             it 'preserves Arachni::Element::Link#node of #links' do
                 link = subject.links.last
-                expect(link.node).to be_kind_of Nokogiri::XML::Element
+                expect(link.node).to be_kind_of Arachni::Parser::Nodes::Element
                 expect(link.node).to be_truthy
                 expect(subject.send(method).links.last.node.to_s).to eq(link.node.to_s)
@@ -994,7 +995,7 @@ describe Arachni::Page do
                 expect(page.links).to eq([])
                 expect(page.forms).to eq([])
                 expect(page.cookies).to eq([])
-                expect(page.headers).to eq([])
+                expect(page.headers).to eq(page.parser.headers)
                 expect(page.cookie_jar).to eq([])

data/spec/arachni/parser/document_spec.rb ADDED Viewed

@@ -0,0 +1,49 @@
+require 'spec_helper'
+describe Arachni::Parser::Document do
+    let(:options) do
+        {}
+    end
+    subject { Arachni::Parser.parse( html, options ) }
+    let(:html) do
+        <<-EOHTML
+        <html>
+            <div id="my-id">
+                <!-- My comment -->
+                <p class="my-class">
+                    <a href="/stuff">Stuff</a>
+                </p>
+                My text
+            </div>
+        </html>
+        EOHTML
+    end
+    describe '#name' do
+        it 'returns self' do
+            expect(subject.name).to be :document
+        end
+    end
+    describe '#to_html' do
+        it 'generates HTML code from nodes' do
+            html = <<-EOHTML
+<!DOCTYPE html>
+<html>
+  <div id="my-id">
+    <!-- My comment -->
+    <p class="my-class">
+      <a href="/stuff">
+        Stuff
+      </a>
+    </p>
+    My text
+  </div>
+</html>
+            EOHTML
+            expect(subject.to_html.strip).to eq html.strip
+        end
+    end
+end

data/spec/arachni/parser/nodes/comment_spec.rb ADDED Viewed

@@ -0,0 +1,24 @@
+require 'spec_helper'
+describe Arachni::Parser::Nodes::Comment do
+    subject { described_class.new( value ) }
+    let(:value) { 'my comment' }
+    describe '#value' do
+        it 'returns the given value' do
+            expect(subject.value).to eq value
+        end
+    end
+    describe '#text' do
+        it 'returns the given value' do
+            expect(subject.text).to eq value
+        end
+    end
+    describe '#to_html' do
+        it 'returns the given value' do
+            expect(subject.to_html).to eq "<!-- my comment -->\n"
+        end
+    end
+end

data/spec/arachni/parser/nodes/element/with_attributes/attributes_spec.rb ADDED Viewed

@@ -0,0 +1,40 @@
+require 'spec_helper'
+describe Arachni::Parser::Nodes::Element::WithAttributes::Attributes do
+    subject { described_class.new }
+    describe '#[]' do
+        it 'converts the key to string' do
+            subject[:key] = 'val'
+            expect(subject).to eq( 'key' => 'val' )
+        end
+        it 'is case insensitive' do
+            subject[:kEy] = 'val'
+            expect(subject).to eq( 'key' => 'val' )
+        end
+    end
+    describe '#[]=' do
+        it 'converts the key to string' do
+            subject['key'] = 'val'
+            expect(subject).to eq( 'key' => 'val' )
+        end
+        it 'is case insensitive' do
+            subject[:kEy]  = 'val'
+            subject['key'] = 'val2'
+            expect(subject).to eq( 'key' => 'val2' )
+        end
+        it 'freezes the value' do
+            subject['key'] = 'val'
+            expect(subject['key']).to be_frozen
+        end
+    end
+end