RubyGems - arachni - Versions diffs - 1.5 → 1.6.1 - Mend

arachni 1.5 → 1.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (718) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +63 -0
data/Gemfile +2 -4
data/LICENSE.md +1 -1
data/README.md +112 -111
data/Rakefile +1 -43
data/arachni.gemspec +26 -26
data/bin/arachni +1 -1
data/bin/arachni_console +1 -1
data/bin/arachni_multi +1 -1
data/bin/arachni_reporter +1 -1
data/bin/arachni_reproduce +1 -1
data/bin/arachni_rest_server +1 -1
data/bin/arachni_restore +1 -1
data/bin/arachni_rpc +1 -1
data/bin/arachni_rpcd +1 -1
data/bin/arachni_rpcd_monitor +1 -1
data/bin/arachni_script +1 -1
data/components/checks/active/code_injection.rb +1 -1
data/components/checks/active/code_injection_php_input_wrapper.rb +1 -1
data/components/checks/active/code_injection_timing.rb +1 -1
data/components/checks/active/csrf.rb +7 -2
data/components/checks/active/file_inclusion.rb +1 -1
data/components/checks/active/ldap_injection.rb +1 -1
data/components/checks/active/no_sql_injection.rb +1 -1
data/components/checks/active/no_sql_injection_differential.rb +3 -3
data/components/checks/active/os_cmd_injection.rb +1 -1
data/components/checks/active/os_cmd_injection_timing.rb +1 -1
data/components/checks/active/path_traversal.rb +1 -1
data/components/checks/active/response_splitting.rb +1 -1
data/components/checks/active/rfi.rb +1 -1
data/components/checks/active/session_fixation.rb +1 -1
data/components/checks/active/source_code_disclosure.rb +1 -1
data/components/checks/active/sql_injection.rb +1 -1
data/components/checks/active/sql_injection_differential.rb +3 -3
data/components/checks/active/sql_injection_timing.rb +1 -1
data/components/checks/active/trainer.rb +1 -1
data/components/checks/active/unvalidated_redirect.rb +1 -1
data/components/checks/active/unvalidated_redirect_dom.rb +1 -1
data/components/checks/active/xpath_injection.rb +1 -1
data/components/checks/active/xss.rb +4 -4
data/components/checks/active/xss_dom.rb +1 -1
data/components/checks/active/xss_dom_script_context.rb +1 -1
data/components/checks/active/xss_event.rb +3 -3
data/components/checks/active/xss_path.rb +1 -1
data/components/checks/active/xss_script_context.rb +3 -3
data/components/checks/active/xss_tag.rb +4 -3
data/components/checks/active/xxe.rb +1 -1
data/components/checks/passive/allowed_methods.rb +1 -1
data/components/checks/passive/backdoors.rb +1 -1
data/components/checks/passive/backup_directories.rb +1 -1
data/components/checks/passive/backup_files.rb +2 -2
data/components/checks/passive/common_admin_interfaces.rb +1 -1
data/components/checks/passive/common_directories/directories.txt +1 -0
data/components/checks/passive/common_directories.rb +1 -1
data/components/checks/passive/common_files.rb +1 -1
data/components/checks/passive/directory_listing.rb +1 -1
data/components/checks/passive/grep/captcha.rb +1 -1
data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +1 -1
data/components/checks/passive/grep/credit_card.rb +1 -1
data/components/checks/passive/grep/cvs_svn_users.rb +1 -1
data/components/checks/passive/grep/emails.rb +1 -1
data/components/checks/passive/grep/form_upload.rb +1 -1
data/components/checks/passive/grep/hsts.rb +1 -1
data/components/checks/passive/grep/html_objects.rb +1 -1
data/components/checks/passive/grep/http_only_cookies.rb +1 -1
data/components/checks/passive/grep/insecure_cookies.rb +1 -1
data/components/checks/passive/grep/insecure_cors_policy.rb +1 -1
data/components/checks/passive/grep/mixed_resource.rb +1 -1
data/components/checks/passive/grep/password_autocomplete.rb +1 -1
data/components/checks/passive/grep/private_ip.rb +1 -1
data/components/checks/passive/grep/ssn.rb +1 -1
data/components/checks/passive/grep/unencrypted_password_forms.rb +1 -1
data/components/checks/passive/grep/x_frame_options.rb +4 -4
data/components/checks/passive/htaccess_limit.rb +1 -1
data/components/checks/passive/http_put.rb +1 -1
data/components/checks/passive/insecure_client_access_policy.rb +1 -1
data/components/checks/passive/insecure_cross_domain_policy_access.rb +1 -1
data/components/checks/passive/insecure_cross_domain_policy_headers.rb +1 -1
data/components/checks/passive/interesting_responses.rb +1 -1
data/components/checks/passive/localstart_asp.rb +1 -1
data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +1 -1
data/components/checks/passive/webdav.rb +1 -1
data/components/checks/passive/xst.rb +1 -1
data/components/fingerprinters/frameworks/aspx_mvc.rb +1 -1
data/components/fingerprinters/frameworks/cakephp.rb +1 -1
data/components/fingerprinters/frameworks/cherrypy.rb +1 -1
data/components/fingerprinters/frameworks/django.rb +1 -1
data/components/fingerprinters/frameworks/jsf.rb +1 -1
data/components/fingerprinters/frameworks/nette.rb +1 -1
data/components/fingerprinters/frameworks/rack.rb +1 -1
data/components/fingerprinters/frameworks/rails.rb +1 -1
data/components/fingerprinters/frameworks/symfony.rb +1 -1
data/components/fingerprinters/languages/asp.rb +1 -1
data/components/fingerprinters/languages/aspx.rb +1 -1
data/components/fingerprinters/languages/java.rb +1 -1
data/components/fingerprinters/languages/php.rb +1 -1
data/components/fingerprinters/languages/python.rb +1 -1
data/components/fingerprinters/languages/ruby.rb +1 -1
data/components/fingerprinters/os/bsd.rb +1 -1
data/components/fingerprinters/os/linux.rb +1 -1
data/components/fingerprinters/os/solaris.rb +1 -1
data/components/fingerprinters/os/unix.rb +1 -1
data/components/fingerprinters/os/windows.rb +1 -1
data/components/fingerprinters/servers/apache.rb +1 -1
data/components/fingerprinters/servers/gunicorn.rb +1 -1
data/components/fingerprinters/servers/iis.rb +1 -1
data/components/fingerprinters/servers/jetty.rb +1 -1
data/components/fingerprinters/servers/nginx.rb +1 -1
data/components/fingerprinters/servers/tomcat.rb +1 -1
data/components/path_extractors/anchors.rb +1 -1
data/components/path_extractors/areas.rb +1 -1
data/components/path_extractors/comments.rb +1 -1
data/components/path_extractors/data_url.rb +1 -1
data/components/path_extractors/forms.rb +1 -1
data/components/path_extractors/frames.rb +1 -1
data/components/path_extractors/generic.rb +1 -1
data/components/path_extractors/links.rb +1 -1
data/components/path_extractors/meta_refresh.rb +1 -1
data/components/path_extractors/scripts.rb +2 -2
data/components/plugins/autologin.rb +1 -1
data/components/plugins/beep_notify.rb +1 -1
data/components/plugins/content_types.rb +1 -1
data/components/plugins/cookie_collector.rb +1 -1
data/components/plugins/debug/browser_cluster_job_monitor.rb +1 -1
data/components/plugins/defaults/autothrottle.rb +1 -1
data/components/plugins/defaults/healthmap.rb +2 -2
data/components/plugins/defaults/meta/remedies/discovery.rb +1 -1
data/components/plugins/defaults/meta/remedies/timing_attacks.rb +1 -1
data/components/plugins/defaults/meta/uniformity.rb +1 -1
data/components/plugins/email_notify.rb +1 -1
data/components/plugins/exec.rb +1 -1
data/components/plugins/form_dicattack.rb +1 -1
data/components/plugins/headers_collector.rb +1 -1
data/components/plugins/http_dicattack.rb +1 -1
data/components/plugins/login_script.rb +1 -1
data/components/plugins/metrics.rb +20 -20
data/components/plugins/page_dump.rb +1 -1
data/components/plugins/proxy/panel/verify_login_sequence.html.erb +1 -1
data/components/plugins/proxy/template_scope.rb +1 -1
data/components/plugins/proxy.rb +3 -2
data/components/plugins/rate_limiter.rb +1 -1
data/components/plugins/restrict_to_dom_state.rb +1 -1
data/components/plugins/script.rb +1 -1
data/components/plugins/uncommon_headers.rb +1 -1
data/components/plugins/vector_collector.rb +1 -1
data/components/plugins/vector_feed.rb +1 -1
data/components/plugins/waf_detector.rb +1 -1
data/components/plugins/webhook_notify.rb +1 -1
data/components/reporters/ap.rb +1 -1
data/components/reporters/html/default.erb +3 -1
data/components/reporters/html.rb +5 -7
data/components/reporters/json.rb +1 -1
data/components/reporters/marshal.rb +1 -1
data/components/reporters/plugin_formatters/html/autologin.rb +1 -1
data/components/reporters/plugin_formatters/html/content_types.rb +1 -1
data/components/reporters/plugin_formatters/html/cookie_collector.rb +1 -1
data/components/reporters/plugin_formatters/html/exec.rb +1 -1
data/components/reporters/plugin_formatters/html/form_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/html/healthmap.rb +1 -1
data/components/reporters/plugin_formatters/html/http_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/html/login_script.rb +1 -1
data/components/reporters/plugin_formatters/html/metrics.rb +1 -1
data/components/reporters/plugin_formatters/html/uncommon_headers.rb +1 -1
data/components/reporters/plugin_formatters/html/uniformity.rb +1 -1
data/components/reporters/plugin_formatters/html/vector_collector.rb +1 -1
data/components/reporters/plugin_formatters/html/waf_detector.rb +1 -1
data/components/reporters/plugin_formatters/stdout/autologin.rb +1 -1
data/components/reporters/plugin_formatters/stdout/content_types.rb +1 -1
data/components/reporters/plugin_formatters/stdout/cookie_collector.rb +1 -1
data/components/reporters/plugin_formatters/stdout/exec.rb +1 -1
data/components/reporters/plugin_formatters/stdout/form_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/stdout/healthmap.rb +1 -1
data/components/reporters/plugin_formatters/stdout/http_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/stdout/login_script.rb +1 -1
data/components/reporters/plugin_formatters/stdout/metrics.rb +1 -1
data/components/reporters/plugin_formatters/stdout/uncommon_headers.rb +1 -1
data/components/reporters/plugin_formatters/stdout/uniformity.rb +1 -1
data/components/reporters/plugin_formatters/stdout/vector_collector.rb +1 -1
data/components/reporters/plugin_formatters/stdout/waf_detector.rb +1 -1
data/components/reporters/plugin_formatters/xml/autologin.rb +1 -1
data/components/reporters/plugin_formatters/xml/content_types.rb +1 -1
data/components/reporters/plugin_formatters/xml/cookie_collector.rb +1 -1
data/components/reporters/plugin_formatters/xml/exec.rb +1 -1
data/components/reporters/plugin_formatters/xml/form_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/xml/healthmap.rb +1 -1
data/components/reporters/plugin_formatters/xml/http_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/xml/login_script.rb +1 -1
data/components/reporters/plugin_formatters/xml/metrics.rb +1 -1
data/components/reporters/plugin_formatters/xml/uncommon_headers.rb +1 -1
data/components/reporters/plugin_formatters/xml/uniformity.rb +1 -1
data/components/reporters/plugin_formatters/xml/vector_collector.rb +1 -1
data/components/reporters/plugin_formatters/xml/waf_detector.rb +1 -1
data/components/reporters/stdout.rb +1 -1
data/components/reporters/txt.rb +1 -1
data/components/reporters/xml/schema.xsd +1 -0
data/components/reporters/xml.rb +3 -3
data/components/reporters/yaml.rb +1 -1
data/config/write_paths.yml +4 -0
data/lib/arachni/banner.rb +1 -1
data/lib/arachni/browser/element_locator.rb +1 -1
data/lib/arachni/browser/javascript/dom_monitor.rb +1 -1
data/lib/arachni/browser/javascript/proxy/stub.rb +1 -1
data/lib/arachni/browser/javascript/proxy.rb +1 -1
data/lib/arachni/browser/javascript/scripts/dom_monitor.js +39 -26
data/lib/arachni/browser/javascript/scripts/taint_tracer.js +58 -40
data/lib/arachni/browser/javascript/taint_tracer/frame/called_function.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/frame.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/sink/base.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/sink/data_flow.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/sink/execution_flow.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer.rb +1 -1
data/lib/arachni/browser/javascript.rb +14 -36
data/lib/arachni/browser.rb +133 -216
data/lib/arachni/browser_cluster/job/result.rb +1 -1
data/lib/arachni/browser_cluster/job.rb +1 -1
data/lib/arachni/browser_cluster/jobs/browser_provider.rb +1 -1
data/lib/arachni/browser_cluster/jobs/dom_exploration/event_trigger/result.rb +1 -1
data/lib/arachni/browser_cluster/jobs/dom_exploration/event_trigger.rb +1 -1
data/lib/arachni/browser_cluster/jobs/dom_exploration/result.rb +1 -1
data/lib/arachni/browser_cluster/jobs/dom_exploration.rb +1 -1
data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger/result.rb +1 -1
data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +1 -1
data/lib/arachni/browser_cluster/jobs/taint_trace/result.rb +1 -1
data/lib/arachni/browser_cluster/jobs/taint_trace.rb +1 -1
data/lib/arachni/browser_cluster/worker.rb +11 -26
data/lib/arachni/browser_cluster.rb +2 -3
data/lib/arachni/check/auditor.rb +28 -66
data/lib/arachni/check/base.rb +1 -1
data/lib/arachni/check/manager.rb +1 -1
data/lib/arachni/check.rb +1 -1
data/lib/arachni/component/base.rb +1 -1
data/lib/arachni/component/manager.rb +1 -1
data/lib/arachni/component/options/address.rb +1 -1
data/lib/arachni/component/options/base.rb +1 -1
data/lib/arachni/component/options/bool.rb +1 -1
data/lib/arachni/component/options/float.rb +1 -1
data/lib/arachni/component/options/int.rb +1 -1
data/lib/arachni/component/options/multiple_choice.rb +1 -1
data/lib/arachni/component/options/object.rb +1 -1
data/lib/arachni/component/options/path.rb +1 -1
data/lib/arachni/component/options/port.rb +1 -1
data/lib/arachni/component/options/string.rb +1 -1
data/lib/arachni/component/options/url.rb +1 -1
data/lib/arachni/component/options.rb +1 -1
data/lib/arachni/component/output.rb +1 -1
data/lib/arachni/component/utilities.rb +1 -1
data/lib/arachni/component.rb +1 -1
data/lib/arachni/data/framework/rpc.rb +2 -2
data/lib/arachni/data/framework.rb +2 -2
data/lib/arachni/data/issues.rb +1 -1
data/lib/arachni/data/plugins.rb +1 -1
data/lib/arachni/data/session.rb +1 -1
data/lib/arachni/data.rb +1 -1
data/lib/arachni/element/base.rb +1 -1
data/lib/arachni/element/body.rb +1 -1
data/lib/arachni/element/capabilities/analyzable/differential.rb +1 -1
data/lib/arachni/element/capabilities/analyzable/signature.rb +2 -2
data/lib/arachni/element/capabilities/analyzable/timeout.rb +1 -1
data/lib/arachni/element/capabilities/analyzable.rb +1 -1
data/lib/arachni/element/capabilities/auditable/buffered.rb +1 -1
data/lib/arachni/element/capabilities/auditable/line_buffered.rb +1 -1
data/lib/arachni/element/capabilities/auditable.rb +1 -1
data/lib/arachni/element/capabilities/dom_only.rb +1 -1
data/lib/arachni/element/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/capabilities/mutable.rb +1 -1
data/lib/arachni/element/capabilities/refreshable.rb +1 -1
data/lib/arachni/element/capabilities/submittable.rb +1 -1
data/lib/arachni/element/capabilities/with_auditor/output.rb +1 -1
data/lib/arachni/element/capabilities/with_auditor.rb +1 -1
data/lib/arachni/element/capabilities/with_dom.rb +1 -1
data/lib/arachni/element/capabilities/with_node.rb +1 -1
data/lib/arachni/element/capabilities/with_scope/scope.rb +1 -1
data/lib/arachni/element/capabilities/with_scope.rb +1 -1
data/lib/arachni/element/capabilities/with_source.rb +1 -1
data/lib/arachni/element/cookie/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/cookie/capabilities/mutable.rb +1 -1
data/lib/arachni/element/cookie/capabilities/with_dom.rb +1 -1
data/lib/arachni/element/cookie/dom.rb +1 -1
data/lib/arachni/element/cookie.rb +1 -1
data/lib/arachni/element/dom/capabilities/auditable.rb +1 -1
data/lib/arachni/element/dom/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/dom/capabilities/locatable.rb +1 -1
data/lib/arachni/element/dom/capabilities/mutable.rb +1 -1
data/lib/arachni/element/dom/capabilities/submittable.rb +1 -1
data/lib/arachni/element/dom.rb +1 -1
data/lib/arachni/element/form/capabilities/auditable.rb +1 -1
data/lib/arachni/element/form/capabilities/mutable.rb +1 -1
data/lib/arachni/element/form/capabilities/submittable.rb +1 -1
data/lib/arachni/element/form/capabilities/with_dom.rb +1 -1
data/lib/arachni/element/form/dom.rb +1 -1
data/lib/arachni/element/form.rb +1 -1
data/lib/arachni/element/generic_dom.rb +1 -1
data/lib/arachni/element/header/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/header/capabilities/mutable.rb +1 -1
data/lib/arachni/element/header.rb +1 -1
data/lib/arachni/element/json/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/json/capabilities/mutable.rb +1 -1
data/lib/arachni/element/json.rb +1 -1
data/lib/arachni/element/link/capabilities/auditable.rb +1 -1
data/lib/arachni/element/link/capabilities/submittable.rb +1 -1
data/lib/arachni/element/link/capabilities/with_dom.rb +1 -1
data/lib/arachni/element/link/dom/capabilities/submittable.rb +1 -1
data/lib/arachni/element/link/dom.rb +1 -1
data/lib/arachni/element/link.rb +1 -1
data/lib/arachni/element/link_template/capabilities/auditable.rb +1 -1
data/lib/arachni/element/link_template/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/link_template/capabilities/with_dom.rb +1 -1
data/lib/arachni/element/link_template/dom/capabilities/submittable.rb +1 -1
data/lib/arachni/element/link_template/dom.rb +1 -1
data/lib/arachni/element/link_template.rb +1 -1
data/lib/arachni/element/nested_cookie/capabilities/submittable.rb +35 -0
data/lib/arachni/element/nested_cookie.rb +370 -0
data/lib/arachni/element/path.rb +1 -1
data/lib/arachni/element/server.rb +1 -1
data/lib/arachni/element/ui_form/dom.rb +1 -1
data/lib/arachni/element/ui_form.rb +1 -1
data/lib/arachni/element/ui_input/dom.rb +1 -1
data/lib/arachni/element/ui_input.rb +1 -1
data/lib/arachni/element/xml/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/xml/capabilities/mutable.rb +1 -1
data/lib/arachni/element/xml.rb +1 -1
data/lib/arachni/element_filter.rb +1 -1
data/lib/arachni/error.rb +1 -1
data/lib/arachni/ethon/easy.rb +1 -1
data/lib/arachni/framework/parts/audit.rb +1 -1
data/lib/arachni/framework/parts/browser.rb +1 -1
data/lib/arachni/framework/parts/check.rb +1 -1
data/lib/arachni/framework/parts/data.rb +1 -1
data/lib/arachni/framework/parts/platform.rb +1 -1
data/lib/arachni/framework/parts/plugin.rb +1 -1
data/lib/arachni/framework/parts/report.rb +2 -2
data/lib/arachni/framework/parts/scope.rb +1 -1
data/lib/arachni/framework/parts/state.rb +1 -1
data/lib/arachni/framework.rb +1 -1
data/lib/arachni/http/client/dynamic_404_handler.rb +1 -1
data/lib/arachni/http/client.rb +7 -5
data/lib/arachni/http/cookie_jar.rb +1 -1
data/lib/arachni/http/headers.rb +1 -1
data/lib/arachni/http/message/scope.rb +1 -1
data/lib/arachni/http/message.rb +2 -2
data/lib/arachni/http/proxy_server/connection.rb +3 -8
data/lib/arachni/http/proxy_server/ssl-interceptor-cacert.pem +18 -32
data/lib/arachni/http/proxy_server/ssl-interceptor-cakey.pem +28 -49
data/lib/arachni/http/proxy_server/ssl_interceptor.rb +7 -6
data/lib/arachni/http/proxy_server/tunnel.rb +1 -1
data/lib/arachni/http/proxy_server.rb +1 -1
data/lib/arachni/http/request/scope.rb +1 -1
data/lib/arachni/http/request.rb +8 -2
data/lib/arachni/http/response/scope.rb +1 -1
data/lib/arachni/http/response.rb +3 -3
data/lib/arachni/http.rb +1 -1
data/lib/arachni/issue/severity/base.rb +1 -1
data/lib/arachni/issue/severity.rb +1 -1
data/lib/arachni/issue.rb +1 -1
data/lib/arachni/option_group.rb +1 -1
data/lib/arachni/option_groups/audit.rb +11 -2
data/lib/arachni/option_groups/browser_cluster.rb +28 -4
data/lib/arachni/option_groups/datastore.rb +1 -1
data/lib/arachni/option_groups/dispatcher.rb +1 -1
data/lib/arachni/option_groups/http.rb +5 -5
data/lib/arachni/option_groups/input.rb +1 -1
data/lib/arachni/option_groups/output.rb +1 -1
data/lib/arachni/option_groups/paths.rb +12 -1
data/lib/arachni/option_groups/rpc.rb +1 -1
data/lib/arachni/option_groups/scope.rb +46 -4
data/lib/arachni/option_groups/session.rb +1 -1
data/lib/arachni/option_groups/snapshot.rb +1 -1
data/lib/arachni/option_groups.rb +1 -1
data/lib/arachni/options.rb +2 -2
data/lib/arachni/page/dom/transition.rb +1 -1
data/lib/arachni/page/dom.rb +1 -1
data/lib/arachni/page/scope.rb +1 -1
data/lib/arachni/page.rb +3 -3
data/lib/arachni/parser/document.rb +1 -1
data/lib/arachni/parser/extractors/base.rb +1 -1
data/lib/arachni/parser/nodes/base.rb +1 -1
data/lib/arachni/parser/nodes/comment.rb +1 -1
data/lib/arachni/parser/nodes/element/with_attributes/attributes.rb +2 -2
data/lib/arachni/parser/nodes/element/with_attributes.rb +1 -1
data/lib/arachni/parser/nodes/element.rb +1 -1
data/lib/arachni/parser/nodes/text.rb +2 -2
data/lib/arachni/parser/nodes/with_value.rb +2 -2
data/lib/arachni/parser/sax.rb +2 -1
data/lib/arachni/parser/with_children/search.rb +1 -1
data/lib/arachni/parser/with_children.rb +2 -2
data/lib/arachni/parser.rb +33 -10
data/lib/arachni/platform/fingerprinter.rb +1 -1
data/lib/arachni/platform/list.rb +1 -1
data/lib/arachni/platform/manager.rb +1 -1
data/lib/arachni/platform.rb +1 -1
data/lib/arachni/plugin/base.rb +1 -1
data/lib/arachni/plugin/formatter.rb +1 -1
data/lib/arachni/plugin/manager.rb +1 -1
data/lib/arachni/plugin.rb +1 -1
data/lib/arachni/processes/dispatchers.rb +1 -1
data/lib/arachni/processes/executables/base.rb +2 -1
data/lib/arachni/processes/helpers/dispatchers.rb +1 -1
data/lib/arachni/processes/helpers/instances.rb +1 -1
data/lib/arachni/processes/helpers/processes.rb +1 -1
data/lib/arachni/processes/helpers.rb +1 -1
data/lib/arachni/processes/instances.rb +1 -1
data/lib/arachni/processes/manager.rb +9 -5
data/lib/arachni/processes.rb +1 -1
data/lib/arachni/report.rb +1 -1
data/lib/arachni/reporter/base.rb +1 -1
data/lib/arachni/reporter/formatter_manager.rb +1 -1
data/lib/arachni/reporter/manager.rb +1 -1
data/lib/arachni/reporter/options.rb +1 -10
data/lib/arachni/reporter.rb +1 -1
data/lib/arachni/rest/server/instance_helpers.rb +10 -1
data/lib/arachni/rest/server.rb +7 -1
data/lib/arachni/rpc/client/base.rb +1 -1
data/lib/arachni/rpc/client/dispatcher.rb +1 -1
data/lib/arachni/rpc/client/instance/framework.rb +1 -1
data/lib/arachni/rpc/client/instance/service.rb +1 -1
data/lib/arachni/rpc/client/instance.rb +1 -1
data/lib/arachni/rpc/serializer.rb +1 -1
data/lib/arachni/rpc/server/active_options.rb +1 -1
data/lib/arachni/rpc/server/base.rb +1 -1
data/lib/arachni/rpc/server/check/manager.rb +1 -1
data/lib/arachni/rpc/server/dispatcher/node.rb +1 -1
data/lib/arachni/rpc/server/dispatcher/service.rb +1 -1
data/lib/arachni/rpc/server/dispatcher.rb +1 -1
data/lib/arachni/rpc/server/framework/distributor.rb +1 -1
data/lib/arachni/rpc/server/framework/master.rb +1 -1
data/lib/arachni/rpc/server/framework/multi_instance.rb +1 -1
data/lib/arachni/rpc/server/framework/slave.rb +1 -1
data/lib/arachni/rpc/server/framework.rb +1 -1
data/lib/arachni/rpc/server/instance.rb +1 -1
data/lib/arachni/rpc/server/output.rb +1 -1
data/lib/arachni/rpc/server/plugin/manager.rb +1 -1
data/lib/arachni/ruby/array.rb +1 -1
data/lib/arachni/ruby/hash.rb +1 -1
data/lib/arachni/ruby/object.rb +1 -1
data/lib/arachni/ruby/set.rb +1 -1
data/lib/arachni/ruby/string.rb +1 -1
data/lib/arachni/ruby/webrick/cookie.rb +1 -1
data/lib/arachni/ruby/webrick/httprequest.rb +1 -1
data/lib/arachni/ruby/webrick.rb +1 -1
data/lib/arachni/ruby.rb +1 -1
data/lib/arachni/scope.rb +1 -1
data/lib/arachni/selenium/webdriver/remote/typhoeus.rb +6 -16
data/lib/arachni/session.rb +1 -1
data/lib/arachni/snapshot.rb +2 -2
data/lib/arachni/state/audit.rb +1 -1
data/lib/arachni/state/element_filter.rb +1 -1
data/lib/arachni/state/framework/rpc.rb +1 -1
data/lib/arachni/state/framework.rb +1 -1
data/lib/arachni/state/http.rb +1 -1
data/lib/arachni/state/options.rb +1 -1
data/lib/arachni/state/plugins.rb +1 -1
data/lib/arachni/state.rb +1 -1
data/lib/arachni/support/buffer/autoflush.rb +1 -1
data/lib/arachni/support/buffer/base.rb +1 -1
data/lib/arachni/support/buffer.rb +1 -1
data/lib/arachni/support/cache/base.rb +1 -1
data/lib/arachni/support/cache/least_cost_replacement.rb +1 -1
data/lib/arachni/support/cache/least_recently_pushed.rb +1 -1
data/lib/arachni/support/cache/least_recently_used.rb +1 -1
data/lib/arachni/support/cache/preference.rb +1 -1
data/lib/arachni/support/cache/random_replacement.rb +1 -1
data/lib/arachni/support/cache.rb +1 -1
data/lib/arachni/support/crypto/rsa_aes_cbc.rb +1 -1
data/lib/arachni/support/crypto.rb +1 -1
data/lib/arachni/support/database/base.rb +16 -10
data/lib/arachni/support/database/hash.rb +1 -1
data/lib/arachni/support/database/queue.rb +1 -1
data/lib/arachni/support/database.rb +1 -1
data/lib/arachni/support/glob.rb +1 -1
data/lib/arachni/support/lookup/base.rb +1 -1
data/lib/arachni/support/lookup/hash_set.rb +1 -1
data/lib/arachni/support/lookup/moolb.rb +1 -1
data/lib/arachni/support/lookup.rb +1 -1
data/lib/arachni/support/mixins/observable.rb +1 -1
data/lib/arachni/support/mixins/terminal.rb +1 -1
data/lib/arachni/support/mixins.rb +1 -1
data/lib/arachni/support/profiler.rb +1 -1
data/lib/arachni/support/signature.rb +1 -1
data/lib/arachni/support.rb +1 -1
data/lib/arachni/trainer.rb +1 -1
data/lib/arachni/ui/foo/output.rb +1 -1
data/lib/arachni/uri/scope.rb +1 -1
data/lib/arachni/uri.rb +6 -9
data/lib/arachni/utilities.rb +1 -1
data/lib/arachni/version.rb +1 -1
data/lib/arachni.rb +1 -7
data/lib/version +1 -1
data/spec/arachni/browser/javascript/dom_monitor_spec.rb +81 -77
data/spec/arachni/browser/javascript/proxy_spec.rb +0 -10
data/spec/arachni/browser/javascript/taint_tracer_spec.rb +68 -90
data/spec/arachni/browser/javascript_spec.rb +10 -16
data/spec/arachni/browser_cluster/worker_spec.rb +23 -55
data/spec/arachni/browser_spec.rb +160 -158
data/spec/arachni/check/auditor_spec.rb +44 -165
data/spec/arachni/data/framework/rpc_spec.rb +1 -1
data/spec/arachni/data/framework_spec.rb +1 -1
data/spec/arachni/element/cookie_spec.rb +1 -1
data/spec/arachni/element/nested_cookie_spec.rb +687 -0
data/spec/arachni/element/ui_form_spec.rb +2 -2
data/spec/arachni/element/ui_input_spec.rb +1 -1
data/spec/arachni/http/client_spec.rb +14 -26
data/spec/arachni/http/cookie_jar_spec.rb +2 -2
data/spec/arachni/http/proxy_server_spec.rb +2 -0
data/spec/arachni/http/request_spec.rb +3 -2
data/spec/arachni/issue_spec.rb +1 -1
data/spec/arachni/option_groups/browser_cluster_spec.rb +17 -0
data/spec/arachni/option_groups/http_spec.rb +6 -6
data/spec/arachni/option_groups/paths_spec.rb +23 -1
data/spec/arachni/option_groups/scope_spec.rb +1 -6
data/spec/arachni/page_spec.rb +3 -2
data/spec/arachni/parser_spec.rb +45 -1
data/spec/arachni/platform/list_spec.rb +1 -2
data/spec/arachni/reporter/options_spec.rb +0 -14
data/spec/arachni/rest/server_spec.rb +39 -2
data/spec/arachni/snapshot_spec.rb +1 -1
data/spec/arachni/state/framework_spec.rb +2 -2
data/spec/arachni/uri_spec.rb +1 -1
data/spec/components/checks/active/code_injection_spec.rb +12 -7
data/spec/components/checks/active/code_injection_timing_spec.rb +4 -3
data/spec/components/checks/active/file_inclusion_spec.rb +15 -10
data/spec/components/checks/active/ldap_injection_spec.rb +5 -4
data/spec/components/checks/active/no_sql_injection_differential_spec.rb +1 -1
data/spec/components/checks/active/no_sql_injection_spec.rb +5 -4
data/spec/components/checks/active/os_cmd_injection_spec.rb +6 -4
data/spec/components/checks/active/os_cmd_injection_timing_spec.rb +4 -3
data/spec/components/checks/active/path_traversal_spec.rb +10 -7
data/spec/components/checks/active/response_splitting_spec.rb +5 -4
data/spec/components/checks/active/rfi_spec.rb +9 -8
data/spec/components/checks/active/source_code_disclosure_spec.rb +33 -10
data/spec/components/checks/active/sql_injection_differential_spec.rb +1 -1
data/spec/components/checks/active/sql_injection_spec.rb +53 -36
data/spec/components/checks/active/sql_injection_timing_spec.rb +11 -8
data/spec/components/checks/active/unvalidated_redirect_spec.rb +9 -8
data/spec/components/checks/active/xpath_injection_spec.rb +5 -4
data/spec/components/checks/active/xss_dom_script_context_spec.rb +5 -5
data/spec/components/checks/active/xss_event_spec.rb +5 -3
data/spec/components/checks/active/xss_script_context_spec.rb +4 -3
data/spec/components/checks/active/xss_spec.rb +5 -4
data/spec/components/checks/active/xss_tag_spec.rb +11 -3
data/spec/components/checks/passive/backup_files_spec.rb +0 -4
data/spec/components/checks/passive/grep/x_frame_options_spec.rb +6 -0
data/spec/spec_helper.rb +2 -1
data/spec/support/factories/http/response.rb +1 -1
data/spec/support/factories/issue.rb +1 -2
data/spec/support/fixtures/check_with_invalid_platforms/with_invalid_platforms.rb +1 -1
data/spec/support/fixtures/checks/test.rb +4 -4
data/spec/support/fixtures/checks/test2.rb +1 -1
data/spec/support/fixtures/checks/test3.rb +1 -1
data/spec/support/fixtures/cookies.txt +1 -1
data/spec/support/fixtures/executables/node.rb +2 -3
data/spec/support/fixtures/fingerprinters/test.rb +1 -1
data/spec/support/fixtures/nested_cookies.txt +11 -0
data/spec/support/fixtures/plugins/bad.rb +1 -1
data/spec/support/fixtures/plugins/defaults/default.rb +1 -1
data/spec/support/fixtures/plugins/distributable.rb +1 -1
data/spec/support/fixtures/plugins/loop.rb +1 -1
data/spec/support/fixtures/plugins/suspendable.rb +1 -1
data/spec/support/fixtures/plugins/wait.rb +1 -1
data/spec/support/fixtures/plugins/with_options.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p0.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p00.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p1.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p2.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p22.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p222.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p_nil.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p_nil2.rb +1 -1
data/spec/support/fixtures/report.afr +0 -0
data/spec/support/fixtures/reporters/base_spec/plugin_formatters/with_formatters/foobar.rb +1 -1
data/spec/support/fixtures/reporters/base_spec/with_formatters.rb +1 -1
data/spec/support/fixtures/reporters/base_spec/with_outfile.rb +1 -1
data/spec/support/fixtures/reporters/base_spec/without_outfile.rb +1 -1
data/spec/support/fixtures/reporters/manager_spec/afr.rb +1 -1
data/spec/support/fixtures/reporters/manager_spec/error.rb +1 -1
data/spec/support/fixtures/reporters/manager_spec/foo.rb +1 -1
data/spec/support/fixtures/run_check/body.rb +1 -1
data/spec/support/fixtures/run_check/cookies.rb +1 -1
data/spec/support/fixtures/run_check/empty.rb +1 -1
data/spec/support/fixtures/run_check/flch.rb +1 -1
data/spec/support/fixtures/run_check/forms.rb +1 -1
data/spec/support/fixtures/run_check/headers.rb +1 -1
data/spec/support/fixtures/run_check/links.rb +1 -1
data/spec/support/fixtures/run_check/nil.rb +1 -1
data/spec/support/fixtures/run_check/path.rb +1 -1
data/spec/support/fixtures/run_check/server.rb +1 -1
data/spec/support/fixtures/signature_check/signature.rb +1 -1
data/spec/support/fixtures/wait_check/wait.rb +1 -1
data/spec/support/helpers/framework.rb +1 -1
data/spec/support/helpers/misc.rb +1 -1
data/spec/support/helpers/paths.rb +1 -1
data/spec/support/helpers/requires.rb +1 -1
data/spec/support/helpers/resets.rb +1 -1
data/spec/support/helpers/web_server.rb +1 -1
data/spec/support/lib/factory.rb +1 -1
data/spec/support/lib/web_server_client.rb +1 -1
data/spec/support/lib/web_server_dispatcher.rb +1 -1
data/spec/support/lib/web_server_manager.rb +1 -1
data/spec/support/servers/arachni/check/auditor.rb +1 -0
data/spec/support/servers/arachni/element/form/form_dom.rb +1 -0
data/spec/support/servers/arachni/element/form.rb +4 -4
data/spec/support/servers/arachni/element/header.rb +1 -1
data/spec/support/servers/arachni/element/nested_cookie.rb +84 -0
data/spec/support/servers/arachni/parser.rb +6 -0
data/spec/support/servers/checks/active/code_injection.rb +18 -0
data/spec/support/servers/checks/active/code_injection_timing.rb +18 -0
data/spec/support/servers/checks/active/file_inclusion.rb +19 -1
data/spec/support/servers/checks/active/ldap_injection.rb +18 -0
data/spec/support/servers/checks/active/no_sql_injection.rb +27 -0
data/spec/support/servers/checks/active/no_sql_injection_differential.rb +19 -0
data/spec/support/servers/checks/active/os_cmd_injection.rb +29 -0
data/spec/support/servers/checks/active/os_cmd_injection_timing.rb +18 -1
data/spec/support/servers/checks/active/path_traversal.rb +30 -3
data/spec/support/servers/checks/active/response_splitting.rb +30 -1
data/spec/support/servers/checks/active/rfi.rb +30 -2
data/spec/support/servers/checks/active/session_fixation.rb +1 -3
data/spec/support/servers/checks/active/source_code_disclosure.rb +16 -0
data/spec/support/servers/checks/active/sql_injection.rb +27 -0
data/spec/support/servers/checks/active/sql_injection_differential.rb +19 -0
data/spec/support/servers/checks/active/sql_injection_timing.rb +19 -1
data/spec/support/servers/checks/active/unvalidated_redirect.rb +40 -1
data/spec/support/servers/checks/active/xpath_injection.rb +27 -0
data/spec/support/servers/checks/active/xss.rb +40 -0
data/spec/support/servers/checks/active/xss_event.rb +22 -1
data/spec/support/servers/checks/active/xss_script_context.rb +18 -0
data/spec/support/servers/checks/active/xss_tag.rb +40 -0
data/spec/support/servers/checks/passive/grep/x_frame_options.rb +5 -0
data/spec/support/shared/check.rb +1 -0
data/spec/support/shared/element/capabilities/auditable/buffered.rb +2 -2
data/spec/support/shared/element/capabilities/auditable/line_buffered.rb +2 -2
data/spec/support/shared/element/capabilities/auditable.rb +2 -2
data/ui/cli/framework/option_parser.rb +44 -8
data/ui/cli/framework.rb +6 -5
data/ui/cli/option_parser.rb +1 -1
data/ui/cli/output.rb +1 -1
data/ui/cli/reporter/option_parser.rb +1 -1
data/ui/cli/reporter.rb +1 -1
data/ui/cli/reproduce/option_parser.rb +1 -1
data/ui/cli/reproduce.rb +1 -1
data/ui/cli/rest/server/option_parser.rb +1 -1
data/ui/cli/rest/server.rb +1 -1
data/ui/cli/restored_framework/option_parser.rb +1 -1
data/ui/cli/restored_framework.rb +1 -1
data/ui/cli/rpc/client/dispatcher_monitor/option_parser.rb +1 -1
data/ui/cli/rpc/client/dispatcher_monitor.rb +1 -1
data/ui/cli/rpc/client/instance.rb +7 -4
data/ui/cli/rpc/client/local/option_parser.rb +1 -1
data/ui/cli/rpc/client/local.rb +1 -1
data/ui/cli/rpc/client/remote/option_parser.rb +1 -1
data/ui/cli/rpc/client/remote.rb +1 -1
data/ui/cli/rpc/server/dispatcher/option_parser.rb +1 -1
data/ui/cli/rpc/server/dispatcher.rb +1 -1
data/ui/cli/utilities.rb +1 -1
metadata +602 -707
data/logs/error-11897.log +0 -2006
data/logs/error-3855.log +0 -382
data/spec/support/logs/Dispatcher - 1024-31864.log +0 -10
data/spec/support/logs/Dispatcher - 1047-41465.log +0 -10
data/spec/support/logs/Dispatcher - 1274-60799.log +0 -64
data/spec/support/logs/Dispatcher - 1295-1058.log +0 -44
data/spec/support/logs/Dispatcher - 1313-27076.log +0 -40
data/spec/support/logs/Dispatcher - 1332-17127.log +0 -35
data/spec/support/logs/Dispatcher - 1350-7351.log +0 -29
data/spec/support/logs/Dispatcher - 1368-38528.log +0 -22
data/spec/support/logs/Dispatcher - 1386-17419.log +0 -14
data/spec/support/logs/Dispatcher - 31030-26156.log +0 -10
data/spec/support/logs/Dispatcher - 321-27189.log +0 -12
data/spec/support/logs/Dispatcher - 32353-50061.log +0 -20
data/spec/support/logs/Dispatcher - 32450-61574.log +0 -10
data/spec/support/logs/Dispatcher - 32470-53874.log +0 -20
data/spec/support/logs/Dispatcher - 32491-10523.log +0 -18
data/spec/support/logs/Dispatcher - 32509-8583.log +0 -14
data/spec/support/logs/Dispatcher - 32536-21209.log +0 -10
data/spec/support/logs/Dispatcher - 32556-53881.log +0 -10
data/spec/support/logs/Dispatcher - 32579-49083.log +0 -50
data/spec/support/logs/Dispatcher - 32761-20025.log +0 -12
data/spec/support/logs/Dispatcher - 347-17512.log +0 -12
data/spec/support/logs/Dispatcher - 3489-43230.log +0 -24
data/spec/support/logs/Dispatcher - 3524-57459.log +0 -26
data/spec/support/logs/Dispatcher - 3559-21544.log +0 -20
data/spec/support/logs/Dispatcher - 3764-33844.log +0 -25
data/spec/support/logs/Dispatcher - 3798-45350.log +0 -26
data/spec/support/logs/Dispatcher - 382-15725.log +0 -12
data/spec/support/logs/Dispatcher - 3836-6205.log +0 -21
data/spec/support/logs/Dispatcher - 4112-45433.log +0 -22
data/spec/support/logs/Dispatcher - 4148-53510.log +0 -26
data/spec/support/logs/Dispatcher - 415-29873.log +0 -14
data/spec/support/logs/Dispatcher - 4185-29736.log +0 -18
data/spec/support/logs/Dispatcher - 4268-60912.log +0 -25
data/spec/support/logs/Dispatcher - 4303-39372.log +0 -26
data/spec/support/logs/Dispatcher - 4342-42190.log +0 -21
data/spec/support/logs/Dispatcher - 463-55220.log +0 -26
data/spec/support/logs/Dispatcher - 4649-12104.log +0 -22
data/spec/support/logs/Dispatcher - 4683-32355.log +0 -26
data/spec/support/logs/Dispatcher - 4724-41636.log +0 -18
data/spec/support/logs/Dispatcher - 4881-57692.log +0 -22
data/spec/support/logs/Dispatcher - 4961-64665.log +0 -26
data/spec/support/logs/Dispatcher - 502-8742.log +0 -25
data/spec/support/logs/Dispatcher - 5052-61726.log +0 -18
data/spec/support/logs/Dispatcher - 536-15972.log +0 -22
data/spec/support/logs/Dispatcher - 620-2220.log +0 -20
data/spec/support/logs/Dispatcher - 638-17826.log +0 -18
data/spec/support/logs/Dispatcher - 656-23967.log +0 -16
data/spec/support/logs/Dispatcher - 700-15701.log +0 -12
data/spec/support/logs/Dispatcher - 726-6080.log +0 -10
data/spec/support/logs/Dispatcher - 749-56590.log +0 -18
data/spec/support/logs/Dispatcher - 807-19073.log +0 -18
data/spec/support/logs/Dispatcher - 871-8764.log +0 -10
data/spec/support/logs/Dispatcher - 898-21496.log +0 -12
data/spec/support/logs/Dispatcher - 933-64070.log +0 -12
data/spec/support/logs/Instance - 1577-32284.error.log +0 -151
data/spec/support/logs/Instance - 1625-58174.error.log +0 -154
data/spec/support/logs/Instance - 2727-57968.error.log +0 -151
data/spec/support/logs/Instance - 2898-20648.error.log +0 -303
data/spec/support/logs/Instance - 2901-30845.error.log +0 -429
data/spec/support/logs/Instance - 31185-37600.error.log +0 -174
data/spec/support/logs/Instance - 3319-20111.error.log +0 -175
data/spec/support/logs/error-3855.log +0 -5132

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 9258760c9e75d398da9ab655640904e5d51544c4
-  data.tar.gz: b7f5f56e8f1977916b7a87465954c354892cc4d3
+SHA256:
+  metadata.gz: bf786db138bf57e440712a7fab2a8b4cd4fb97f1e908a5ec29a41889daec526f
+  data.tar.gz: 7485ca9d6093da52bd4d5d8f6c139a6fa4305719cbd518af4d37455a84ebd723
 SHA512:
-  metadata.gz: baef5531633d799813d4bbfdfc89a44aa682feb5b502349e40c19ec9036ef074f2cf4f8838403487e79b2ac905ace671863b5ee092515251418d0180f0db659b
-  data.tar.gz: 43e379175dff426bc078a5055dda4b0d65dee05f47df7032559501ce1603d5e4c32517ff0c9fb69669a0d21b7710df4f62b2899de099e32ebcc530165a039c46
+  metadata.gz: f7ce0f442dd3dfc68dba6eb331703ec75cc5d57021b5cb2daee5acd6050fa8f9249bfcdb4b697fc5fe9f48bdf2c34530c4b4af4bed5e69455b78f070d36520ff
+  data.tar.gz: 73392cf4dd5ea8e2fbd183beb6b7ef41331313e79fdfdc2c5c06012f6ec935c1bb82a065c16b9437e268a0cecf827f92b89b5a50914d2ef93adae931403b1d7c

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,68 @@
 # ChangeLog
+## 1.6.1 _(March 20, 2022)_
+ - `Browser#eelenium` -- Disable sandbox.
+## 1.6.0 _(March 4, 2022)_
+- Options
+    - Scope
+        - `--scope-dom-depth-limit` -- Changed default from `5` to `4`.
+        - `--scope-auto-redundant` -- Changed default from `inf` to `15`.
+        - `--scope-directory-depth-limit` -- Changed default from `inf` to `10`.
+    - Browser cluster
+        - `--browser-cluster-pool-size` -- Changed default from `5` to `4`.
+    - HTTP
+       - `--http-max-concurrency` -- Changed default from `20` to `10`.
+    - New
+        - `--scope-dom-event-inheritance-limit` -- Limits the amount of inherited events.
+        - `--browser-cluster-session-storage` -- Sets the browsers' session storage.
+        - `--browser-cluster-wait-for-timers` -- Wait for the maximum `setTimeout()`
+           -- Used to be hardcoded to `true`, now defaults to `false`.
+- `URI`
+    - `#encode` -- Fixed encoding order of `+`.
+    - `#decode` -- Fixed decoding order of `+`.
+- `Element`
+    - Added `NestedCookie`: Handles key-value pairs inside individual cookies.
+- `Browser` -- Replaced PhantomJS with headless Chrome.
+    - `Javascript`
+        - `DOMMonitor`
+            - `#elements_with_events` -- Optionally limits event inheritance.
+- `Rest::Server`
+    - Added `/scans/:id/report.afr`.
+    - Added error handling for when trying to connect to killed instances.
+- `Support`
+    - `Database` -- Updated to compress disk data.
+- `Parser` -- Recode node data to UTF-8.
+- `Process`
+    - `Manager`
+        - `#spawn` -- Pass Arachni options via `ENV` rather than `ARGV`.
+- Checks
+    - Active
+        - `xss` -- Fixed proof data to return HTML.
+        - `csrf` -- Disabled for pages with DOM transitions due to FPs.
+    - Passive
+        - `x_frame_options` -- Ignore non-200 pages.
+        - `common_directories` -- Look for `.git`.
+- Plugins
+    - `proxy` -- Fixed error on login sequence recording.
+## 1.5.1 _(March 29, 2017)_
+- `config/write_paths.yml` -- Added configurable temporary directory.
+- `Parser`
+    - `#document` -- Updated to lazy parse the document.
+- `Browser`
+    - `Javascript`
+        - `DOMMonitor` -- Don't track `setInterval()`s since we're not using them.
+        - `TaintTracer`
+            - `add_trace_to_function()` -- Catch and return on error.
+- Path extractors
+    - `scripts` -- Fixed `nil` error.
+- Plugins
+    - `metrics` -- Fixed type error due to race condition.
 ## 1.5 _(January 31, 2017)_
 - Executables

data/Gemfile CHANGED Viewed

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
-gem 'rake', '11.3.0'
+gem 'rake', '>= 12.3.3'
 gem 'pry'
 group :docs do
@@ -9,9 +9,7 @@ group :docs do
 end
 group :spec do
-    gem 'simplecov', require: false, group: :test
-    gem 'rspec', '2.99.0'
+    gem 'rspec'
     gem 'faker'
 end

data/LICENSE.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # License
-Copyright 2010-2017 [Sarosys LLC](http://www.sarosys.com).
+Copyright 2010-2022 [Ecsypno](http://www.ecsypno.com).
 ```
                     Arachni Public Source License

data/README.md CHANGED Viewed

@@ -3,7 +3,7 @@
 <table>
     <tr>
         <th>Version</th>
-        <td>1.5</td>
+        <td>1.6.1</td>
     </tr>
     <tr>
         <th>Homepage</th>
@@ -38,7 +38,7 @@
     </tr>
     <tr>
         <th>Copyright</th>
-        <td>2010-2017 <a href="http://www.sarosys.com">Sarosys LLC</a></td>
+        <td>2010-2022 <a href="http://www.ecsypno.com">Ecsypno</a></td>
     </tr>
     <tr>
         <th>License</th>
@@ -112,27 +112,27 @@ you with its findings.
 ### General
- - Cookie-jar/cookie-string support.
- - Custom header support.
- - SSL support with fine-grained options.
- - User Agent spoofing.
- - Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
- - Proxy authentication.
- - Site authentication (SSL-based, form-based, Cookie-Jar, Basic-Digest, NTLMv1, Kerberos and others).
- - Automatic log-out detection and re-login during the scan (when the initial
-    login was performed via the `autologin`, `login_script` or `proxy` plugins).
- - Custom 404 page detection.
- - UI abstraction:
+- Cookie-jar/cookie-string support.
+- Custom header support.
+- SSL support with fine-grained options.
+- User Agent spoofing.
+- Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
+- Proxy authentication.
+- Site authentication (SSL-based, form-based, Cookie-Jar, Basic-Digest, NTLMv1, Kerberos and others).
+- Automatic log-out detection and re-login during the scan (when the initial
+  login was performed via the `autologin`, `login_script` or `proxy` plugins).
+- Custom 404 page detection.
+- UI abstraction:
     - [Command-line Interface](https://github.com/Arachni/arachni/wiki/Executables).
     - [Web User Interface](https://github.com/Arachni/arachni-ui-web).
- - Pause/resume functionality.
- - Hibernation support -- Suspend to and restore from disk.
- - High performance asynchronous HTTP requests.
+- Pause/resume functionality.
+- Hibernation support -- Suspend to and restore from disk.
+- High performance asynchronous HTTP requests.
     - With adjustable concurrency.
     - With the ability to auto-detect server health and adjust its concurrency
-        automatically.
- - Support for custom default input values, using pairs of patterns (to be matched
-    against input names) and values to be used to fill in matching inputs.
+      automatically.
+- Support for custom default input values, using pairs of patterns (to be matched
+  against input names) and values to be used to fill in matching inputs.
 ### Integrated browser environment
@@ -155,27 +155,27 @@ with a great deal of information regarding the state of the page at the time.
 Relevant information include:
- - Page DOM, as HTML code.
-     - With a list of DOM transitions required to restore the state of the
-         page to the one at the time it was logged.
- - Original DOM (i.e. prior to the action that caused the page to be logged),
-     as HTML code.
-     - With a list of DOM transitions.
- - Data-flow sinks -- Each sink is a JS method which received a tainted argument.
-     - Parent object of the method (ex.: `DOMWindow`).
-     - Method signature (ex.: `decodeURIComponent()`).
-     - Arguments list.
-         - With the identified taint located recursively in the included objects.
-     - Method source code.
-     - JS stacktrace.
- - Execution flow sinks -- Each sink is a successfully executed JS payload,
-     as injected by the security checks.
-     - Includes a JS stacktrace.
- - JavaScript stack-traces include:
-     - Method names.
-     - Method locations.
-     - Method source codes.
-     - Argument lists.
+- Page DOM, as HTML code.
+    - With a list of DOM transitions required to restore the state of the
+      page to the one at the time it was logged.
+- Original DOM (i.e. prior to the action that caused the page to be logged),
+  as HTML code.
+    - With a list of DOM transitions.
+- Data-flow sinks -- Each sink is a JS method which received a tainted argument.
+    - Parent object of the method (ex.: `DOMWindow`).
+    - Method signature (ex.: `decodeURIComponent()`).
+    - Arguments list.
+        - With the identified taint located recursively in the included objects.
+    - Method source code.
+    - JS stacktrace.
+- Execution flow sinks -- Each sink is a successfully executed JS payload,
+  as injected by the security checks.
+    - Includes a JS stacktrace.
+- JavaScript stack-traces include:
+    - Method names.
+    - Method locations.
+    - Method source codes.
+    - Argument lists.
 In essence, you have access to roughly the same information that your favorite
 debugger (for example, FireBug) would provide, as if you had set a breakpoint to
@@ -189,15 +189,15 @@ consuming in a high-performance fashion.
 Configuration options include:
- - Adjustable pool-size, i.e. the amount of browser workers to utilize.
- - Timeout for each job.
- - Worker TTL counted in jobs -- Workers which exceed the TTL have their browser
-     process respawned.
- - Ability to disable loading images.
- - Adjustable screen width and height.
-     - Can be used to analyze responsive and mobile applications.
- - Ability to wait until certain elements appear in the page.
- - Configurable local storage data.
+- Adjustable pool-size, i.e. the amount of browser workers to utilize.
+- Timeout for each job.
+- Worker TTL counted in jobs -- Workers which exceed the TTL have their browser
+  process respawned.
+- Ability to disable loading images.
+- Adjustable screen width and height.
+    - Can be used to analyze responsive and mobile applications.
+- Ability to wait until certain elements appear in the page.
+- Configurable local storage data.
 ### Coverage
@@ -212,27 +212,28 @@ order to provide coverage for a full set of possible scenarios.
 By inspecting all possible pages and their states (when using client-side code)
 Arachni is able to extract and audit the following elements and their inputs:
- - Forms
+- Forms
     - Along with ones that require interaction via a real browser due to DOM events.
- - User-interface Forms
+- User-interface Forms
     - Input and button groups which don't belong to an HTML `<form>` element but
-        are instead associated via JS code.
- - User-interface Inputs
+      are instead associated via JS code.
+- User-interface Inputs
     - Orphan `<input>` elements with associated DOM events.
- - Links
+- Links
     - Along with ones that have client-side parameters in their fragment, i.e.:
-        `http://example.com/#/?param=val&param2=val2`
+      `http://example.com/#/?param=val&param2=val2`
     - With support for rewrite rules.
- - LinkTemplates -- Allowing for extraction of arbitrary inputs from generic paths,
-    based on user-supplied templates -- useful when rewrite rules are not available.
+- LinkTemplates -- Allowing for extraction of arbitrary inputs from generic paths,
+  based on user-supplied templates -- useful when rewrite rules are not available.
     - Along with ones that have client-side parameters in their URL fragments, i.e.:
-            `http://example.com/#/param/val/param2/val2`
- - Cookies
- - Headers
- - Generic client-side elements which have associated DOM events.
- - AJAX-request parameters.
- - JSON request data.
- - XML request data.
+      `http://example.com/#/param/val/param2/val2`
+- Cookies
+    - Also supports nested cookies, containing key-value pairs inside individual cookies.
+- Headers
+- Generic client-side elements which have associated DOM events.
+- AJAX-request parameters.
+- JSON request data.
+- XML request data.
 ### Open [distributed architecture](https://github.com/Arachni/arachni/wiki/Distributed-components)
@@ -246,7 +247,7 @@ Both approaches allow you to:
 - Remotely monitor and manage scans.
 - Perform multiple scans at the same time -- Each scan is compartmentalized to
-    its own OS process to take advantage of:
+  its own OS process to take advantage of:
     - Multi-core/SMP architectures.
     - OS-level scheduling/restrictions.
     - Sandboxed failure propagation.
@@ -260,51 +261,51 @@ Both approaches allow you to:
     - Uses JSON to format messages.
 - Stateful scan monitoring.
     - Unique sessions automatically only receive updates when polling for progress,
-        rather than full data.
+      rather than full data.
 #### [RPC API](https://github.com/Arachni/arachni/wiki/RPC-API)
 - High-performance/low-bandwidth [communication protocol](https://github.com/Arachni/arachni-rpc).
     - `MessagePack` serialization for performance, efficiency and ease of
-        integration with 3rd party systems.
+      integration with 3rd party systems.
 - Grid:
     - Self-healing.
     - Scale up/down by hot-plugging/hot-unplugging nodes.
         - Can scale up infinitely by adding nodes to increase scan capacity.
     - _(Always-on)_ Load-balancing -- All Instances are automatically provided
-        by the least burdened Grid member.
+      by the least burdened Grid member.
         - With optional per-scan opt-out/override.
     - _(Optional)_ High-Performance mode -- Combines the resources of
-        multiple nodes to perform multi-Instance scans.
+      multiple nodes to perform multi-Instance scans.
         - Enabled on a per-scan basis.
 ### Scope configuration
- - Filters for redundant pages like galleries, catalogs, etc. based on regular
-    expressions and counters.
+- Filters for redundant pages like galleries, catalogs, etc. based on regular
+  expressions and counters.
     - Can optionally detect and ignore redundant pages automatically.
- - URL exclusion filters using regular expressions.
- - Page exclusion filters based on content, using regular expressions.
- - URL inclusion filters using regular expressions.
- - Can be forced to only follow HTTPS paths and not downgrade to HTTP.
- - Can optionally follow subdomains.
- - Adjustable page count limit.
- - Adjustable redirect limit.
- - Adjustable directory depth limit.
- - Adjustable DOM depth limit.
- - Adjustment using URL-rewrite rules.
- - Can read paths from multiple user supplied files (to both restrict and extend
-    the scope).
+- URL exclusion filters using regular expressions.
+- Page exclusion filters based on content, using regular expressions.
+- URL inclusion filters using regular expressions.
+- Can be forced to only follow HTTPS paths and not downgrade to HTTP.
+- Can optionally follow subdomains.
+- Adjustable page count limit.
+- Adjustable redirect limit.
+- Adjustable directory depth limit.
+- Adjustable DOM depth limit.
+- Adjustment using URL-rewrite rules.
+- Can read paths from multiple user supplied files (to both restrict and extend
+  the scope).
 ### Audit
- - Can audit:
+- Can audit:
     - Forms
         - Can automatically refresh nonce tokens.
         - Can submit them via the integrated browser environment.
-     - User-interface Forms
+    - User-interface Forms
         - Input and button groups which don't belong to an HTML `<form>` element
-            but are instead associated via JS code.
+          but are instead associated via JS code.
     - User-interface Inputs
         - Orphan `<input>` elements with associated DOM events.
     - Links
@@ -317,13 +318,13 @@ Both approaches allow you to:
     - Generic client-side DOM elements.
     - JSON request data.
     - XML request data.
- - Can ignore binary/non-text pages.
- - Can audit elements using both `GET` and `POST` HTTP methods.
- - Can inject both raw and HTTP encoded payloads.
- - Can submit all links and forms of the page along with the cookie
-    permutations to provide extensive cookie-audit coverage.
- - Can exclude specific input vectors by name.
- - Can include specific input vectors by name.
+- Can ignore binary/non-text pages.
+- Can audit elements using both `GET` and `POST` HTTP methods.
+- Can inject both raw and HTTP encoded payloads.
+- Can submit all links and forms of the page along with the cookie
+  permutations to provide extensive cookie-audit coverage.
+- Can exclude specific input vectors by name.
+- Can include specific input vectors by name.
 ### Components
@@ -514,7 +515,7 @@ Passive checks look for the existence of files, folders and signatures.
 - Standard output
 - [HTML](http://www.arachni-scanner.com/reports/report.html/)
-    ([zip](http://www.arachni-scanner.com/reports/report.html.zip)) (`html`).
+  ([zip](http://www.arachni-scanner.com/reports/report.html.zip)) (`html`).
 - [XML](http://www.arachni-scanner.com/reports/report.xml) (`xml`).
 - [Text](http://www.arachni-scanner.com/reports/report.txt) (`text`).
 - [JSON](http://www.arachni-scanner.com/reports/report.json) (`json`)
@@ -529,32 +530,32 @@ Plugins add extra functionality to the system in a modular fashion, this way the
 core remains lean and makes it easy for anyone to add arbitrary functionality.
 - Passive Proxy  (`proxy`) -- Analyzes requests and responses between the web app and
-    the browser assisting in AJAX audits, logging-in and/or restricting the scope of the audit.
+  the browser assisting in AJAX audits, logging-in and/or restricting the scope of the audit.
 - Form based login (`autologin`).
 - Script based login (`login_script`).
 - Dictionary attacker for HTTP Auth (`http_dicattack`).
 - Dictionary attacker for form based authentication (`form_dicattack`).
 - Cookie collector (`cookie_collector`) -- Keeps track of cookies while establishing a timeline of changes.
 - WAF (Web Application Firewall) Detector (`waf_detector`) -- Establishes a baseline of
-    normal behavior and uses rDiff analysis to determine if malicious inputs cause any behavioral changes.
+  normal behavior and uses rDiff analysis to determine if malicious inputs cause any behavioral changes.
 - BeepNotify (`beep_notify`) -- Beeps when the scan finishes.
 - EmailNotify (`email_notify`) -- Sends a notification (and optionally a report) over SMTP at
-    the end of the scan.
+  the end of the scan.
 - VectorFeed (`vector_feed`) -- Reads in vector data from which it creates elements to be
-    audited. Can be used to perform extremely specialized/narrow audits on a per vector/element basis.
-    Useful for unit-testing or a gazillion other things.
+  audited. Can be used to perform extremely specialized/narrow audits on a per vector/element basis.
+  Useful for unit-testing or a gazillion other things.
 - Script (`script`) -- Loads and runs an external Ruby script under the scope of a plugin,
-    used for debugging and general hackery.
+  used for debugging and general hackery.
 - Uncommon headers (`uncommon_headers`) -- Logs uncommon headers.
 - Content-types (`content_types`) -- Logs content-types of server responses aiding in the
-    identification of interesting (possibly leaked) files.
+  identification of interesting (possibly leaked) files.
 - Vector collector (`vector_collector`) -- Collects information about all seen input vectors
-    which are within the scan scope.
+  which are within the scan scope.
 - Headers collector (`headers_collector`) -- Collects response headers based on specified criteria.
 - Exec (`exec`) -- Calls external executables at different scan stages.
 - Metrics (`metrics`) -- Captures metrics about multiple aspects of the scan and the web application.
 - Restrict to DOM state (`restrict_to_dom_state`) -- Restricts the audit to a single page's DOM
-    state, based on a URL fragment.
+  state, based on a URL fragment.
 - Webhook notify (`webhook_notify`) -- Sends a webhook payload over HTTP at the end of the scan.
 - Rate limiter (`rate_limiter`) -- Rate limits HTTP requests.
 - Page dump (`page_dump`) -- Dumps page data to disk as YAML.
@@ -564,7 +565,7 @@ core remains lean and makes it easy for anyone to add arbitrary functionality.
 Default plugins will run for every scan and are placed under `/plugins/defaults/`.
 - AutoThrottle (`autothrottle`) -- Dynamically adjusts HTTP throughput during the scan for
-    maximum bandwidth utilization.
+  maximum bandwidth utilization.
 - Healthmap (`healthmap`) -- Generates sitemap showing the health of each crawled/audited URL
 ###### Meta
@@ -573,12 +574,12 @@ Plugins under `/plugins/defaults/meta/` perform analysis on the scan results
 to determine trustworthiness or just add context information or general insights.
 - TimingAttacks (`timing_attacks`) -- Provides a notice for issues uncovered by timing attacks
-    when the affected audited pages returned unusually high response times to begin with.
-    It also points out the danger of DoS attacks against pages that perform heavy-duty processing.
+  when the affected audited pages returned unusually high response times to begin with.
+  It also points out the danger of DoS attacks against pages that perform heavy-duty processing.
 - Discovery (`discovery`) -- Performs anomaly detection on issues logged by discovery
-    checks and warns of the possibility of false positives where applicable.
+  checks and warns of the possibility of false positives where applicable.
 - Uniformity (`uniformity`) -- Reports inputs that are uniformly vulnerable across a number
-    of pages hinting to the lack of a central point of input sanitization.
+  of pages hinting to the lack of a central point of input sanitization.
 ### Trainer subsystem
@@ -611,7 +612,7 @@ You can run `rake spec` to run **all** specs or you can run them selectively usi
 **Please be warned**, the core specs will require a beast of a machine due to the
 necessity to test the Grid/multi-Instance features of the system.
-**Note**: _The check specs will take about 90 minutes due to the timing-attack tests._
+**Note**: _The check specs will take many hours to complete due to the timing-attack tests._
 ## Bug reports/Feature requests
@@ -628,10 +629,10 @@ need to follow in order to contribute code:
 * Fork the project.
 * Start a feature branch based on the [experimental](https://github.com/Arachni/arachni/tree/experimental)
-    branch (`git checkout -b <feature-name> experimental`).
+  branch (`git checkout -b <feature-name> experimental`).
 * Add specs for your code.
 * Run the spec suite to make sure you didn't break anything (`rake spec:core`
-    for the core libs or `rake spec` for everything).
+  for the core libs or `rake spec` for everything).
 * Commit and push your changes.
 * Issue a pull request and wait for your code to be reviewed.

data/Rakefile CHANGED Viewed

@@ -1,5 +1,5 @@
 =begin
-    Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
+    Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
     This file is part of the Arachni Framework project and is subject to
     redistribution and commercial restrictions. Please see the Arachni Framework
@@ -197,7 +197,6 @@ end
 desc 'Generate docs.'
 task :docs do
     outdir = "../arachni-docs"
     sh "rm -rf #{outdir}"
     sh "mkdir -p #{outdir}"
@@ -207,47 +206,6 @@ task :docs do
     sh "rm -rf .yardoc"
 end
-desc 'Generate graphics.'
-task :gfx do
-    outdir = 'gfx/compiled'
-    srcdir = 'gfx/source'
-    sh 'mkdir -p ~/.fonts'
-    sh 'cp gfx/font/Beneath_the_Surface.ttf ~/.fonts'
-    Dir.glob( "#{srcdir}/*.svg" ).each do |src|
-        sh "inkscape #{src} --export-png=#{outdir}/#{File.basename( src, '.svg' )}.png"
-    end
-    cp "#{outdir}/icon.png", "#{outdir}/favicon.ico"
-    sh 'rm -f ~/.fonts/Beneath_the_Surface.ttf'
-end
-#
-# Simple profiler using perftools[1].
-#
-# To install perftools for Ruby:
-#   gem install perftools.rb
-#
-# [1] https://github.com/tmm1/perftools.rb
-#
-desc 'Profile Arachni.'
-task :profile do
-    if !Gem::Specification.find_all_by_name( 'perftools.rb' ).empty?
-        sh "CPUPROFILE_FREQUENCY=500 CPUPROFILE=/tmp/profile.dat " +
-               "RUBYOPT=\"-r`gem which perftools | tail -1`\" " +
-               " ./bin/arachni http://demo.testfire.net && " +
-               "pprof.rb --gif /tmp/profile.dat > profile.gif"
-    else
-        puts 'If you want to run the profiler please install perftools.rb first:'
-        puts '  gem install perftools.rb'
-    end
-end
 desc 'Remove reporter and log files.'
 task :clean do
     files = %w(error.log *.afr *.afs *.yaml *.json *.marshal *.gem pkg/*.gem