arachni 1.5 → 1.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (718) hide show
  1. checksums.yaml +5 -5
  2. data/CHANGELOG.md +63 -0
  3. data/Gemfile +2 -4
  4. data/LICENSE.md +1 -1
  5. data/README.md +112 -111
  6. data/Rakefile +1 -43
  7. data/arachni.gemspec +26 -26
  8. data/bin/arachni +1 -1
  9. data/bin/arachni_console +1 -1
  10. data/bin/arachni_multi +1 -1
  11. data/bin/arachni_reporter +1 -1
  12. data/bin/arachni_reproduce +1 -1
  13. data/bin/arachni_rest_server +1 -1
  14. data/bin/arachni_restore +1 -1
  15. data/bin/arachni_rpc +1 -1
  16. data/bin/arachni_rpcd +1 -1
  17. data/bin/arachni_rpcd_monitor +1 -1
  18. data/bin/arachni_script +1 -1
  19. data/components/checks/active/code_injection.rb +1 -1
  20. data/components/checks/active/code_injection_php_input_wrapper.rb +1 -1
  21. data/components/checks/active/code_injection_timing.rb +1 -1
  22. data/components/checks/active/csrf.rb +7 -2
  23. data/components/checks/active/file_inclusion.rb +1 -1
  24. data/components/checks/active/ldap_injection.rb +1 -1
  25. data/components/checks/active/no_sql_injection.rb +1 -1
  26. data/components/checks/active/no_sql_injection_differential.rb +3 -3
  27. data/components/checks/active/os_cmd_injection.rb +1 -1
  28. data/components/checks/active/os_cmd_injection_timing.rb +1 -1
  29. data/components/checks/active/path_traversal.rb +1 -1
  30. data/components/checks/active/response_splitting.rb +1 -1
  31. data/components/checks/active/rfi.rb +1 -1
  32. data/components/checks/active/session_fixation.rb +1 -1
  33. data/components/checks/active/source_code_disclosure.rb +1 -1
  34. data/components/checks/active/sql_injection.rb +1 -1
  35. data/components/checks/active/sql_injection_differential.rb +3 -3
  36. data/components/checks/active/sql_injection_timing.rb +1 -1
  37. data/components/checks/active/trainer.rb +1 -1
  38. data/components/checks/active/unvalidated_redirect.rb +1 -1
  39. data/components/checks/active/unvalidated_redirect_dom.rb +1 -1
  40. data/components/checks/active/xpath_injection.rb +1 -1
  41. data/components/checks/active/xss.rb +4 -4
  42. data/components/checks/active/xss_dom.rb +1 -1
  43. data/components/checks/active/xss_dom_script_context.rb +1 -1
  44. data/components/checks/active/xss_event.rb +3 -3
  45. data/components/checks/active/xss_path.rb +1 -1
  46. data/components/checks/active/xss_script_context.rb +3 -3
  47. data/components/checks/active/xss_tag.rb +4 -3
  48. data/components/checks/active/xxe.rb +1 -1
  49. data/components/checks/passive/allowed_methods.rb +1 -1
  50. data/components/checks/passive/backdoors.rb +1 -1
  51. data/components/checks/passive/backup_directories.rb +1 -1
  52. data/components/checks/passive/backup_files.rb +2 -2
  53. data/components/checks/passive/common_admin_interfaces.rb +1 -1
  54. data/components/checks/passive/common_directories/directories.txt +1 -0
  55. data/components/checks/passive/common_directories.rb +1 -1
  56. data/components/checks/passive/common_files.rb +1 -1
  57. data/components/checks/passive/directory_listing.rb +1 -1
  58. data/components/checks/passive/grep/captcha.rb +1 -1
  59. data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +1 -1
  60. data/components/checks/passive/grep/credit_card.rb +1 -1
  61. data/components/checks/passive/grep/cvs_svn_users.rb +1 -1
  62. data/components/checks/passive/grep/emails.rb +1 -1
  63. data/components/checks/passive/grep/form_upload.rb +1 -1
  64. data/components/checks/passive/grep/hsts.rb +1 -1
  65. data/components/checks/passive/grep/html_objects.rb +1 -1
  66. data/components/checks/passive/grep/http_only_cookies.rb +1 -1
  67. data/components/checks/passive/grep/insecure_cookies.rb +1 -1
  68. data/components/checks/passive/grep/insecure_cors_policy.rb +1 -1
  69. data/components/checks/passive/grep/mixed_resource.rb +1 -1
  70. data/components/checks/passive/grep/password_autocomplete.rb +1 -1
  71. data/components/checks/passive/grep/private_ip.rb +1 -1
  72. data/components/checks/passive/grep/ssn.rb +1 -1
  73. data/components/checks/passive/grep/unencrypted_password_forms.rb +1 -1
  74. data/components/checks/passive/grep/x_frame_options.rb +4 -4
  75. data/components/checks/passive/htaccess_limit.rb +1 -1
  76. data/components/checks/passive/http_put.rb +1 -1
  77. data/components/checks/passive/insecure_client_access_policy.rb +1 -1
  78. data/components/checks/passive/insecure_cross_domain_policy_access.rb +1 -1
  79. data/components/checks/passive/insecure_cross_domain_policy_headers.rb +1 -1
  80. data/components/checks/passive/interesting_responses.rb +1 -1
  81. data/components/checks/passive/localstart_asp.rb +1 -1
  82. data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +1 -1
  83. data/components/checks/passive/webdav.rb +1 -1
  84. data/components/checks/passive/xst.rb +1 -1
  85. data/components/fingerprinters/frameworks/aspx_mvc.rb +1 -1
  86. data/components/fingerprinters/frameworks/cakephp.rb +1 -1
  87. data/components/fingerprinters/frameworks/cherrypy.rb +1 -1
  88. data/components/fingerprinters/frameworks/django.rb +1 -1
  89. data/components/fingerprinters/frameworks/jsf.rb +1 -1
  90. data/components/fingerprinters/frameworks/nette.rb +1 -1
  91. data/components/fingerprinters/frameworks/rack.rb +1 -1
  92. data/components/fingerprinters/frameworks/rails.rb +1 -1
  93. data/components/fingerprinters/frameworks/symfony.rb +1 -1
  94. data/components/fingerprinters/languages/asp.rb +1 -1
  95. data/components/fingerprinters/languages/aspx.rb +1 -1
  96. data/components/fingerprinters/languages/java.rb +1 -1
  97. data/components/fingerprinters/languages/php.rb +1 -1
  98. data/components/fingerprinters/languages/python.rb +1 -1
  99. data/components/fingerprinters/languages/ruby.rb +1 -1
  100. data/components/fingerprinters/os/bsd.rb +1 -1
  101. data/components/fingerprinters/os/linux.rb +1 -1
  102. data/components/fingerprinters/os/solaris.rb +1 -1
  103. data/components/fingerprinters/os/unix.rb +1 -1
  104. data/components/fingerprinters/os/windows.rb +1 -1
  105. data/components/fingerprinters/servers/apache.rb +1 -1
  106. data/components/fingerprinters/servers/gunicorn.rb +1 -1
  107. data/components/fingerprinters/servers/iis.rb +1 -1
  108. data/components/fingerprinters/servers/jetty.rb +1 -1
  109. data/components/fingerprinters/servers/nginx.rb +1 -1
  110. data/components/fingerprinters/servers/tomcat.rb +1 -1
  111. data/components/path_extractors/anchors.rb +1 -1
  112. data/components/path_extractors/areas.rb +1 -1
  113. data/components/path_extractors/comments.rb +1 -1
  114. data/components/path_extractors/data_url.rb +1 -1
  115. data/components/path_extractors/forms.rb +1 -1
  116. data/components/path_extractors/frames.rb +1 -1
  117. data/components/path_extractors/generic.rb +1 -1
  118. data/components/path_extractors/links.rb +1 -1
  119. data/components/path_extractors/meta_refresh.rb +1 -1
  120. data/components/path_extractors/scripts.rb +2 -2
  121. data/components/plugins/autologin.rb +1 -1
  122. data/components/plugins/beep_notify.rb +1 -1
  123. data/components/plugins/content_types.rb +1 -1
  124. data/components/plugins/cookie_collector.rb +1 -1
  125. data/components/plugins/debug/browser_cluster_job_monitor.rb +1 -1
  126. data/components/plugins/defaults/autothrottle.rb +1 -1
  127. data/components/plugins/defaults/healthmap.rb +2 -2
  128. data/components/plugins/defaults/meta/remedies/discovery.rb +1 -1
  129. data/components/plugins/defaults/meta/remedies/timing_attacks.rb +1 -1
  130. data/components/plugins/defaults/meta/uniformity.rb +1 -1
  131. data/components/plugins/email_notify.rb +1 -1
  132. data/components/plugins/exec.rb +1 -1
  133. data/components/plugins/form_dicattack.rb +1 -1
  134. data/components/plugins/headers_collector.rb +1 -1
  135. data/components/plugins/http_dicattack.rb +1 -1
  136. data/components/plugins/login_script.rb +1 -1
  137. data/components/plugins/metrics.rb +20 -20
  138. data/components/plugins/page_dump.rb +1 -1
  139. data/components/plugins/proxy/panel/verify_login_sequence.html.erb +1 -1
  140. data/components/plugins/proxy/template_scope.rb +1 -1
  141. data/components/plugins/proxy.rb +3 -2
  142. data/components/plugins/rate_limiter.rb +1 -1
  143. data/components/plugins/restrict_to_dom_state.rb +1 -1
  144. data/components/plugins/script.rb +1 -1
  145. data/components/plugins/uncommon_headers.rb +1 -1
  146. data/components/plugins/vector_collector.rb +1 -1
  147. data/components/plugins/vector_feed.rb +1 -1
  148. data/components/plugins/waf_detector.rb +1 -1
  149. data/components/plugins/webhook_notify.rb +1 -1
  150. data/components/reporters/ap.rb +1 -1
  151. data/components/reporters/html/default.erb +3 -1
  152. data/components/reporters/html.rb +5 -7
  153. data/components/reporters/json.rb +1 -1
  154. data/components/reporters/marshal.rb +1 -1
  155. data/components/reporters/plugin_formatters/html/autologin.rb +1 -1
  156. data/components/reporters/plugin_formatters/html/content_types.rb +1 -1
  157. data/components/reporters/plugin_formatters/html/cookie_collector.rb +1 -1
  158. data/components/reporters/plugin_formatters/html/exec.rb +1 -1
  159. data/components/reporters/plugin_formatters/html/form_dicattack.rb +1 -1
  160. data/components/reporters/plugin_formatters/html/healthmap.rb +1 -1
  161. data/components/reporters/plugin_formatters/html/http_dicattack.rb +1 -1
  162. data/components/reporters/plugin_formatters/html/login_script.rb +1 -1
  163. data/components/reporters/plugin_formatters/html/metrics.rb +1 -1
  164. data/components/reporters/plugin_formatters/html/uncommon_headers.rb +1 -1
  165. data/components/reporters/plugin_formatters/html/uniformity.rb +1 -1
  166. data/components/reporters/plugin_formatters/html/vector_collector.rb +1 -1
  167. data/components/reporters/plugin_formatters/html/waf_detector.rb +1 -1
  168. data/components/reporters/plugin_formatters/stdout/autologin.rb +1 -1
  169. data/components/reporters/plugin_formatters/stdout/content_types.rb +1 -1
  170. data/components/reporters/plugin_formatters/stdout/cookie_collector.rb +1 -1
  171. data/components/reporters/plugin_formatters/stdout/exec.rb +1 -1
  172. data/components/reporters/plugin_formatters/stdout/form_dicattack.rb +1 -1
  173. data/components/reporters/plugin_formatters/stdout/healthmap.rb +1 -1
  174. data/components/reporters/plugin_formatters/stdout/http_dicattack.rb +1 -1
  175. data/components/reporters/plugin_formatters/stdout/login_script.rb +1 -1
  176. data/components/reporters/plugin_formatters/stdout/metrics.rb +1 -1
  177. data/components/reporters/plugin_formatters/stdout/uncommon_headers.rb +1 -1
  178. data/components/reporters/plugin_formatters/stdout/uniformity.rb +1 -1
  179. data/components/reporters/plugin_formatters/stdout/vector_collector.rb +1 -1
  180. data/components/reporters/plugin_formatters/stdout/waf_detector.rb +1 -1
  181. data/components/reporters/plugin_formatters/xml/autologin.rb +1 -1
  182. data/components/reporters/plugin_formatters/xml/content_types.rb +1 -1
  183. data/components/reporters/plugin_formatters/xml/cookie_collector.rb +1 -1
  184. data/components/reporters/plugin_formatters/xml/exec.rb +1 -1
  185. data/components/reporters/plugin_formatters/xml/form_dicattack.rb +1 -1
  186. data/components/reporters/plugin_formatters/xml/healthmap.rb +1 -1
  187. data/components/reporters/plugin_formatters/xml/http_dicattack.rb +1 -1
  188. data/components/reporters/plugin_formatters/xml/login_script.rb +1 -1
  189. data/components/reporters/plugin_formatters/xml/metrics.rb +1 -1
  190. data/components/reporters/plugin_formatters/xml/uncommon_headers.rb +1 -1
  191. data/components/reporters/plugin_formatters/xml/uniformity.rb +1 -1
  192. data/components/reporters/plugin_formatters/xml/vector_collector.rb +1 -1
  193. data/components/reporters/plugin_formatters/xml/waf_detector.rb +1 -1
  194. data/components/reporters/stdout.rb +1 -1
  195. data/components/reporters/txt.rb +1 -1
  196. data/components/reporters/xml/schema.xsd +1 -0
  197. data/components/reporters/xml.rb +3 -3
  198. data/components/reporters/yaml.rb +1 -1
  199. data/config/write_paths.yml +4 -0
  200. data/lib/arachni/banner.rb +1 -1
  201. data/lib/arachni/browser/element_locator.rb +1 -1
  202. data/lib/arachni/browser/javascript/dom_monitor.rb +1 -1
  203. data/lib/arachni/browser/javascript/proxy/stub.rb +1 -1
  204. data/lib/arachni/browser/javascript/proxy.rb +1 -1
  205. data/lib/arachni/browser/javascript/scripts/dom_monitor.js +39 -26
  206. data/lib/arachni/browser/javascript/scripts/taint_tracer.js +58 -40
  207. data/lib/arachni/browser/javascript/taint_tracer/frame/called_function.rb +1 -1
  208. data/lib/arachni/browser/javascript/taint_tracer/frame.rb +1 -1
  209. data/lib/arachni/browser/javascript/taint_tracer/sink/base.rb +1 -1
  210. data/lib/arachni/browser/javascript/taint_tracer/sink/data_flow.rb +1 -1
  211. data/lib/arachni/browser/javascript/taint_tracer/sink/execution_flow.rb +1 -1
  212. data/lib/arachni/browser/javascript/taint_tracer.rb +1 -1
  213. data/lib/arachni/browser/javascript.rb +14 -36
  214. data/lib/arachni/browser.rb +133 -216
  215. data/lib/arachni/browser_cluster/job/result.rb +1 -1
  216. data/lib/arachni/browser_cluster/job.rb +1 -1
  217. data/lib/arachni/browser_cluster/jobs/browser_provider.rb +1 -1
  218. data/lib/arachni/browser_cluster/jobs/dom_exploration/event_trigger/result.rb +1 -1
  219. data/lib/arachni/browser_cluster/jobs/dom_exploration/event_trigger.rb +1 -1
  220. data/lib/arachni/browser_cluster/jobs/dom_exploration/result.rb +1 -1
  221. data/lib/arachni/browser_cluster/jobs/dom_exploration.rb +1 -1
  222. data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger/result.rb +1 -1
  223. data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +1 -1
  224. data/lib/arachni/browser_cluster/jobs/taint_trace/result.rb +1 -1
  225. data/lib/arachni/browser_cluster/jobs/taint_trace.rb +1 -1
  226. data/lib/arachni/browser_cluster/worker.rb +11 -26
  227. data/lib/arachni/browser_cluster.rb +2 -3
  228. data/lib/arachni/check/auditor.rb +28 -66
  229. data/lib/arachni/check/base.rb +1 -1
  230. data/lib/arachni/check/manager.rb +1 -1
  231. data/lib/arachni/check.rb +1 -1
  232. data/lib/arachni/component/base.rb +1 -1
  233. data/lib/arachni/component/manager.rb +1 -1
  234. data/lib/arachni/component/options/address.rb +1 -1
  235. data/lib/arachni/component/options/base.rb +1 -1
  236. data/lib/arachni/component/options/bool.rb +1 -1
  237. data/lib/arachni/component/options/float.rb +1 -1
  238. data/lib/arachni/component/options/int.rb +1 -1
  239. data/lib/arachni/component/options/multiple_choice.rb +1 -1
  240. data/lib/arachni/component/options/object.rb +1 -1
  241. data/lib/arachni/component/options/path.rb +1 -1
  242. data/lib/arachni/component/options/port.rb +1 -1
  243. data/lib/arachni/component/options/string.rb +1 -1
  244. data/lib/arachni/component/options/url.rb +1 -1
  245. data/lib/arachni/component/options.rb +1 -1
  246. data/lib/arachni/component/output.rb +1 -1
  247. data/lib/arachni/component/utilities.rb +1 -1
  248. data/lib/arachni/component.rb +1 -1
  249. data/lib/arachni/data/framework/rpc.rb +2 -2
  250. data/lib/arachni/data/framework.rb +2 -2
  251. data/lib/arachni/data/issues.rb +1 -1
  252. data/lib/arachni/data/plugins.rb +1 -1
  253. data/lib/arachni/data/session.rb +1 -1
  254. data/lib/arachni/data.rb +1 -1
  255. data/lib/arachni/element/base.rb +1 -1
  256. data/lib/arachni/element/body.rb +1 -1
  257. data/lib/arachni/element/capabilities/analyzable/differential.rb +1 -1
  258. data/lib/arachni/element/capabilities/analyzable/signature.rb +2 -2
  259. data/lib/arachni/element/capabilities/analyzable/timeout.rb +1 -1
  260. data/lib/arachni/element/capabilities/analyzable.rb +1 -1
  261. data/lib/arachni/element/capabilities/auditable/buffered.rb +1 -1
  262. data/lib/arachni/element/capabilities/auditable/line_buffered.rb +1 -1
  263. data/lib/arachni/element/capabilities/auditable.rb +1 -1
  264. data/lib/arachni/element/capabilities/dom_only.rb +1 -1
  265. data/lib/arachni/element/capabilities/inputtable.rb +1 -1
  266. data/lib/arachni/element/capabilities/mutable.rb +1 -1
  267. data/lib/arachni/element/capabilities/refreshable.rb +1 -1
  268. data/lib/arachni/element/capabilities/submittable.rb +1 -1
  269. data/lib/arachni/element/capabilities/with_auditor/output.rb +1 -1
  270. data/lib/arachni/element/capabilities/with_auditor.rb +1 -1
  271. data/lib/arachni/element/capabilities/with_dom.rb +1 -1
  272. data/lib/arachni/element/capabilities/with_node.rb +1 -1
  273. data/lib/arachni/element/capabilities/with_scope/scope.rb +1 -1
  274. data/lib/arachni/element/capabilities/with_scope.rb +1 -1
  275. data/lib/arachni/element/capabilities/with_source.rb +1 -1
  276. data/lib/arachni/element/cookie/capabilities/inputtable.rb +1 -1
  277. data/lib/arachni/element/cookie/capabilities/mutable.rb +1 -1
  278. data/lib/arachni/element/cookie/capabilities/with_dom.rb +1 -1
  279. data/lib/arachni/element/cookie/dom.rb +1 -1
  280. data/lib/arachni/element/cookie.rb +1 -1
  281. data/lib/arachni/element/dom/capabilities/auditable.rb +1 -1
  282. data/lib/arachni/element/dom/capabilities/inputtable.rb +1 -1
  283. data/lib/arachni/element/dom/capabilities/locatable.rb +1 -1
  284. data/lib/arachni/element/dom/capabilities/mutable.rb +1 -1
  285. data/lib/arachni/element/dom/capabilities/submittable.rb +1 -1
  286. data/lib/arachni/element/dom.rb +1 -1
  287. data/lib/arachni/element/form/capabilities/auditable.rb +1 -1
  288. data/lib/arachni/element/form/capabilities/mutable.rb +1 -1
  289. data/lib/arachni/element/form/capabilities/submittable.rb +1 -1
  290. data/lib/arachni/element/form/capabilities/with_dom.rb +1 -1
  291. data/lib/arachni/element/form/dom.rb +1 -1
  292. data/lib/arachni/element/form.rb +1 -1
  293. data/lib/arachni/element/generic_dom.rb +1 -1
  294. data/lib/arachni/element/header/capabilities/inputtable.rb +1 -1
  295. data/lib/arachni/element/header/capabilities/mutable.rb +1 -1
  296. data/lib/arachni/element/header.rb +1 -1
  297. data/lib/arachni/element/json/capabilities/inputtable.rb +1 -1
  298. data/lib/arachni/element/json/capabilities/mutable.rb +1 -1
  299. data/lib/arachni/element/json.rb +1 -1
  300. data/lib/arachni/element/link/capabilities/auditable.rb +1 -1
  301. data/lib/arachni/element/link/capabilities/submittable.rb +1 -1
  302. data/lib/arachni/element/link/capabilities/with_dom.rb +1 -1
  303. data/lib/arachni/element/link/dom/capabilities/submittable.rb +1 -1
  304. data/lib/arachni/element/link/dom.rb +1 -1
  305. data/lib/arachni/element/link.rb +1 -1
  306. data/lib/arachni/element/link_template/capabilities/auditable.rb +1 -1
  307. data/lib/arachni/element/link_template/capabilities/inputtable.rb +1 -1
  308. data/lib/arachni/element/link_template/capabilities/with_dom.rb +1 -1
  309. data/lib/arachni/element/link_template/dom/capabilities/submittable.rb +1 -1
  310. data/lib/arachni/element/link_template/dom.rb +1 -1
  311. data/lib/arachni/element/link_template.rb +1 -1
  312. data/lib/arachni/element/nested_cookie/capabilities/submittable.rb +35 -0
  313. data/lib/arachni/element/nested_cookie.rb +370 -0
  314. data/lib/arachni/element/path.rb +1 -1
  315. data/lib/arachni/element/server.rb +1 -1
  316. data/lib/arachni/element/ui_form/dom.rb +1 -1
  317. data/lib/arachni/element/ui_form.rb +1 -1
  318. data/lib/arachni/element/ui_input/dom.rb +1 -1
  319. data/lib/arachni/element/ui_input.rb +1 -1
  320. data/lib/arachni/element/xml/capabilities/inputtable.rb +1 -1
  321. data/lib/arachni/element/xml/capabilities/mutable.rb +1 -1
  322. data/lib/arachni/element/xml.rb +1 -1
  323. data/lib/arachni/element_filter.rb +1 -1
  324. data/lib/arachni/error.rb +1 -1
  325. data/lib/arachni/ethon/easy.rb +1 -1
  326. data/lib/arachni/framework/parts/audit.rb +1 -1
  327. data/lib/arachni/framework/parts/browser.rb +1 -1
  328. data/lib/arachni/framework/parts/check.rb +1 -1
  329. data/lib/arachni/framework/parts/data.rb +1 -1
  330. data/lib/arachni/framework/parts/platform.rb +1 -1
  331. data/lib/arachni/framework/parts/plugin.rb +1 -1
  332. data/lib/arachni/framework/parts/report.rb +2 -2
  333. data/lib/arachni/framework/parts/scope.rb +1 -1
  334. data/lib/arachni/framework/parts/state.rb +1 -1
  335. data/lib/arachni/framework.rb +1 -1
  336. data/lib/arachni/http/client/dynamic_404_handler.rb +1 -1
  337. data/lib/arachni/http/client.rb +7 -5
  338. data/lib/arachni/http/cookie_jar.rb +1 -1
  339. data/lib/arachni/http/headers.rb +1 -1
  340. data/lib/arachni/http/message/scope.rb +1 -1
  341. data/lib/arachni/http/message.rb +2 -2
  342. data/lib/arachni/http/proxy_server/connection.rb +3 -8
  343. data/lib/arachni/http/proxy_server/ssl-interceptor-cacert.pem +18 -32
  344. data/lib/arachni/http/proxy_server/ssl-interceptor-cakey.pem +28 -49
  345. data/lib/arachni/http/proxy_server/ssl_interceptor.rb +7 -6
  346. data/lib/arachni/http/proxy_server/tunnel.rb +1 -1
  347. data/lib/arachni/http/proxy_server.rb +1 -1
  348. data/lib/arachni/http/request/scope.rb +1 -1
  349. data/lib/arachni/http/request.rb +8 -2
  350. data/lib/arachni/http/response/scope.rb +1 -1
  351. data/lib/arachni/http/response.rb +3 -3
  352. data/lib/arachni/http.rb +1 -1
  353. data/lib/arachni/issue/severity/base.rb +1 -1
  354. data/lib/arachni/issue/severity.rb +1 -1
  355. data/lib/arachni/issue.rb +1 -1
  356. data/lib/arachni/option_group.rb +1 -1
  357. data/lib/arachni/option_groups/audit.rb +11 -2
  358. data/lib/arachni/option_groups/browser_cluster.rb +28 -4
  359. data/lib/arachni/option_groups/datastore.rb +1 -1
  360. data/lib/arachni/option_groups/dispatcher.rb +1 -1
  361. data/lib/arachni/option_groups/http.rb +5 -5
  362. data/lib/arachni/option_groups/input.rb +1 -1
  363. data/lib/arachni/option_groups/output.rb +1 -1
  364. data/lib/arachni/option_groups/paths.rb +12 -1
  365. data/lib/arachni/option_groups/rpc.rb +1 -1
  366. data/lib/arachni/option_groups/scope.rb +46 -4
  367. data/lib/arachni/option_groups/session.rb +1 -1
  368. data/lib/arachni/option_groups/snapshot.rb +1 -1
  369. data/lib/arachni/option_groups.rb +1 -1
  370. data/lib/arachni/options.rb +2 -2
  371. data/lib/arachni/page/dom/transition.rb +1 -1
  372. data/lib/arachni/page/dom.rb +1 -1
  373. data/lib/arachni/page/scope.rb +1 -1
  374. data/lib/arachni/page.rb +3 -3
  375. data/lib/arachni/parser/document.rb +1 -1
  376. data/lib/arachni/parser/extractors/base.rb +1 -1
  377. data/lib/arachni/parser/nodes/base.rb +1 -1
  378. data/lib/arachni/parser/nodes/comment.rb +1 -1
  379. data/lib/arachni/parser/nodes/element/with_attributes/attributes.rb +2 -2
  380. data/lib/arachni/parser/nodes/element/with_attributes.rb +1 -1
  381. data/lib/arachni/parser/nodes/element.rb +1 -1
  382. data/lib/arachni/parser/nodes/text.rb +2 -2
  383. data/lib/arachni/parser/nodes/with_value.rb +2 -2
  384. data/lib/arachni/parser/sax.rb +2 -1
  385. data/lib/arachni/parser/with_children/search.rb +1 -1
  386. data/lib/arachni/parser/with_children.rb +2 -2
  387. data/lib/arachni/parser.rb +33 -10
  388. data/lib/arachni/platform/fingerprinter.rb +1 -1
  389. data/lib/arachni/platform/list.rb +1 -1
  390. data/lib/arachni/platform/manager.rb +1 -1
  391. data/lib/arachni/platform.rb +1 -1
  392. data/lib/arachni/plugin/base.rb +1 -1
  393. data/lib/arachni/plugin/formatter.rb +1 -1
  394. data/lib/arachni/plugin/manager.rb +1 -1
  395. data/lib/arachni/plugin.rb +1 -1
  396. data/lib/arachni/processes/dispatchers.rb +1 -1
  397. data/lib/arachni/processes/executables/base.rb +2 -1
  398. data/lib/arachni/processes/helpers/dispatchers.rb +1 -1
  399. data/lib/arachni/processes/helpers/instances.rb +1 -1
  400. data/lib/arachni/processes/helpers/processes.rb +1 -1
  401. data/lib/arachni/processes/helpers.rb +1 -1
  402. data/lib/arachni/processes/instances.rb +1 -1
  403. data/lib/arachni/processes/manager.rb +9 -5
  404. data/lib/arachni/processes.rb +1 -1
  405. data/lib/arachni/report.rb +1 -1
  406. data/lib/arachni/reporter/base.rb +1 -1
  407. data/lib/arachni/reporter/formatter_manager.rb +1 -1
  408. data/lib/arachni/reporter/manager.rb +1 -1
  409. data/lib/arachni/reporter/options.rb +1 -10
  410. data/lib/arachni/reporter.rb +1 -1
  411. data/lib/arachni/rest/server/instance_helpers.rb +10 -1
  412. data/lib/arachni/rest/server.rb +7 -1
  413. data/lib/arachni/rpc/client/base.rb +1 -1
  414. data/lib/arachni/rpc/client/dispatcher.rb +1 -1
  415. data/lib/arachni/rpc/client/instance/framework.rb +1 -1
  416. data/lib/arachni/rpc/client/instance/service.rb +1 -1
  417. data/lib/arachni/rpc/client/instance.rb +1 -1
  418. data/lib/arachni/rpc/serializer.rb +1 -1
  419. data/lib/arachni/rpc/server/active_options.rb +1 -1
  420. data/lib/arachni/rpc/server/base.rb +1 -1
  421. data/lib/arachni/rpc/server/check/manager.rb +1 -1
  422. data/lib/arachni/rpc/server/dispatcher/node.rb +1 -1
  423. data/lib/arachni/rpc/server/dispatcher/service.rb +1 -1
  424. data/lib/arachni/rpc/server/dispatcher.rb +1 -1
  425. data/lib/arachni/rpc/server/framework/distributor.rb +1 -1
  426. data/lib/arachni/rpc/server/framework/master.rb +1 -1
  427. data/lib/arachni/rpc/server/framework/multi_instance.rb +1 -1
  428. data/lib/arachni/rpc/server/framework/slave.rb +1 -1
  429. data/lib/arachni/rpc/server/framework.rb +1 -1
  430. data/lib/arachni/rpc/server/instance.rb +1 -1
  431. data/lib/arachni/rpc/server/output.rb +1 -1
  432. data/lib/arachni/rpc/server/plugin/manager.rb +1 -1
  433. data/lib/arachni/ruby/array.rb +1 -1
  434. data/lib/arachni/ruby/hash.rb +1 -1
  435. data/lib/arachni/ruby/object.rb +1 -1
  436. data/lib/arachni/ruby/set.rb +1 -1
  437. data/lib/arachni/ruby/string.rb +1 -1
  438. data/lib/arachni/ruby/webrick/cookie.rb +1 -1
  439. data/lib/arachni/ruby/webrick/httprequest.rb +1 -1
  440. data/lib/arachni/ruby/webrick.rb +1 -1
  441. data/lib/arachni/ruby.rb +1 -1
  442. data/lib/arachni/scope.rb +1 -1
  443. data/lib/arachni/selenium/webdriver/remote/typhoeus.rb +6 -16
  444. data/lib/arachni/session.rb +1 -1
  445. data/lib/arachni/snapshot.rb +2 -2
  446. data/lib/arachni/state/audit.rb +1 -1
  447. data/lib/arachni/state/element_filter.rb +1 -1
  448. data/lib/arachni/state/framework/rpc.rb +1 -1
  449. data/lib/arachni/state/framework.rb +1 -1
  450. data/lib/arachni/state/http.rb +1 -1
  451. data/lib/arachni/state/options.rb +1 -1
  452. data/lib/arachni/state/plugins.rb +1 -1
  453. data/lib/arachni/state.rb +1 -1
  454. data/lib/arachni/support/buffer/autoflush.rb +1 -1
  455. data/lib/arachni/support/buffer/base.rb +1 -1
  456. data/lib/arachni/support/buffer.rb +1 -1
  457. data/lib/arachni/support/cache/base.rb +1 -1
  458. data/lib/arachni/support/cache/least_cost_replacement.rb +1 -1
  459. data/lib/arachni/support/cache/least_recently_pushed.rb +1 -1
  460. data/lib/arachni/support/cache/least_recently_used.rb +1 -1
  461. data/lib/arachni/support/cache/preference.rb +1 -1
  462. data/lib/arachni/support/cache/random_replacement.rb +1 -1
  463. data/lib/arachni/support/cache.rb +1 -1
  464. data/lib/arachni/support/crypto/rsa_aes_cbc.rb +1 -1
  465. data/lib/arachni/support/crypto.rb +1 -1
  466. data/lib/arachni/support/database/base.rb +16 -10
  467. data/lib/arachni/support/database/hash.rb +1 -1
  468. data/lib/arachni/support/database/queue.rb +1 -1
  469. data/lib/arachni/support/database.rb +1 -1
  470. data/lib/arachni/support/glob.rb +1 -1
  471. data/lib/arachni/support/lookup/base.rb +1 -1
  472. data/lib/arachni/support/lookup/hash_set.rb +1 -1
  473. data/lib/arachni/support/lookup/moolb.rb +1 -1
  474. data/lib/arachni/support/lookup.rb +1 -1
  475. data/lib/arachni/support/mixins/observable.rb +1 -1
  476. data/lib/arachni/support/mixins/terminal.rb +1 -1
  477. data/lib/arachni/support/mixins.rb +1 -1
  478. data/lib/arachni/support/profiler.rb +1 -1
  479. data/lib/arachni/support/signature.rb +1 -1
  480. data/lib/arachni/support.rb +1 -1
  481. data/lib/arachni/trainer.rb +1 -1
  482. data/lib/arachni/ui/foo/output.rb +1 -1
  483. data/lib/arachni/uri/scope.rb +1 -1
  484. data/lib/arachni/uri.rb +6 -9
  485. data/lib/arachni/utilities.rb +1 -1
  486. data/lib/arachni/version.rb +1 -1
  487. data/lib/arachni.rb +1 -7
  488. data/lib/version +1 -1
  489. data/spec/arachni/browser/javascript/dom_monitor_spec.rb +81 -77
  490. data/spec/arachni/browser/javascript/proxy_spec.rb +0 -10
  491. data/spec/arachni/browser/javascript/taint_tracer_spec.rb +68 -90
  492. data/spec/arachni/browser/javascript_spec.rb +10 -16
  493. data/spec/arachni/browser_cluster/worker_spec.rb +23 -55
  494. data/spec/arachni/browser_spec.rb +160 -158
  495. data/spec/arachni/check/auditor_spec.rb +44 -165
  496. data/spec/arachni/data/framework/rpc_spec.rb +1 -1
  497. data/spec/arachni/data/framework_spec.rb +1 -1
  498. data/spec/arachni/element/cookie_spec.rb +1 -1
  499. data/spec/arachni/element/nested_cookie_spec.rb +687 -0
  500. data/spec/arachni/element/ui_form_spec.rb +2 -2
  501. data/spec/arachni/element/ui_input_spec.rb +1 -1
  502. data/spec/arachni/http/client_spec.rb +14 -26
  503. data/spec/arachni/http/cookie_jar_spec.rb +2 -2
  504. data/spec/arachni/http/proxy_server_spec.rb +2 -0
  505. data/spec/arachni/http/request_spec.rb +3 -2
  506. data/spec/arachni/issue_spec.rb +1 -1
  507. data/spec/arachni/option_groups/browser_cluster_spec.rb +17 -0
  508. data/spec/arachni/option_groups/http_spec.rb +6 -6
  509. data/spec/arachni/option_groups/paths_spec.rb +23 -1
  510. data/spec/arachni/option_groups/scope_spec.rb +1 -6
  511. data/spec/arachni/page_spec.rb +3 -2
  512. data/spec/arachni/parser_spec.rb +45 -1
  513. data/spec/arachni/platform/list_spec.rb +1 -2
  514. data/spec/arachni/reporter/options_spec.rb +0 -14
  515. data/spec/arachni/rest/server_spec.rb +39 -2
  516. data/spec/arachni/snapshot_spec.rb +1 -1
  517. data/spec/arachni/state/framework_spec.rb +2 -2
  518. data/spec/arachni/uri_spec.rb +1 -1
  519. data/spec/components/checks/active/code_injection_spec.rb +12 -7
  520. data/spec/components/checks/active/code_injection_timing_spec.rb +4 -3
  521. data/spec/components/checks/active/file_inclusion_spec.rb +15 -10
  522. data/spec/components/checks/active/ldap_injection_spec.rb +5 -4
  523. data/spec/components/checks/active/no_sql_injection_differential_spec.rb +1 -1
  524. data/spec/components/checks/active/no_sql_injection_spec.rb +5 -4
  525. data/spec/components/checks/active/os_cmd_injection_spec.rb +6 -4
  526. data/spec/components/checks/active/os_cmd_injection_timing_spec.rb +4 -3
  527. data/spec/components/checks/active/path_traversal_spec.rb +10 -7
  528. data/spec/components/checks/active/response_splitting_spec.rb +5 -4
  529. data/spec/components/checks/active/rfi_spec.rb +9 -8
  530. data/spec/components/checks/active/source_code_disclosure_spec.rb +33 -10
  531. data/spec/components/checks/active/sql_injection_differential_spec.rb +1 -1
  532. data/spec/components/checks/active/sql_injection_spec.rb +53 -36
  533. data/spec/components/checks/active/sql_injection_timing_spec.rb +11 -8
  534. data/spec/components/checks/active/unvalidated_redirect_spec.rb +9 -8
  535. data/spec/components/checks/active/xpath_injection_spec.rb +5 -4
  536. data/spec/components/checks/active/xss_dom_script_context_spec.rb +5 -5
  537. data/spec/components/checks/active/xss_event_spec.rb +5 -3
  538. data/spec/components/checks/active/xss_script_context_spec.rb +4 -3
  539. data/spec/components/checks/active/xss_spec.rb +5 -4
  540. data/spec/components/checks/active/xss_tag_spec.rb +11 -3
  541. data/spec/components/checks/passive/backup_files_spec.rb +0 -4
  542. data/spec/components/checks/passive/grep/x_frame_options_spec.rb +6 -0
  543. data/spec/spec_helper.rb +2 -1
  544. data/spec/support/factories/http/response.rb +1 -1
  545. data/spec/support/factories/issue.rb +1 -2
  546. data/spec/support/fixtures/check_with_invalid_platforms/with_invalid_platforms.rb +1 -1
  547. data/spec/support/fixtures/checks/test.rb +4 -4
  548. data/spec/support/fixtures/checks/test2.rb +1 -1
  549. data/spec/support/fixtures/checks/test3.rb +1 -1
  550. data/spec/support/fixtures/cookies.txt +1 -1
  551. data/spec/support/fixtures/executables/node.rb +2 -3
  552. data/spec/support/fixtures/fingerprinters/test.rb +1 -1
  553. data/spec/support/fixtures/nested_cookies.txt +11 -0
  554. data/spec/support/fixtures/plugins/bad.rb +1 -1
  555. data/spec/support/fixtures/plugins/defaults/default.rb +1 -1
  556. data/spec/support/fixtures/plugins/distributable.rb +1 -1
  557. data/spec/support/fixtures/plugins/loop.rb +1 -1
  558. data/spec/support/fixtures/plugins/suspendable.rb +1 -1
  559. data/spec/support/fixtures/plugins/wait.rb +1 -1
  560. data/spec/support/fixtures/plugins/with_options.rb +1 -1
  561. data/spec/support/fixtures/plugins_with_priorities/p0.rb +1 -1
  562. data/spec/support/fixtures/plugins_with_priorities/p00.rb +1 -1
  563. data/spec/support/fixtures/plugins_with_priorities/p1.rb +1 -1
  564. data/spec/support/fixtures/plugins_with_priorities/p2.rb +1 -1
  565. data/spec/support/fixtures/plugins_with_priorities/p22.rb +1 -1
  566. data/spec/support/fixtures/plugins_with_priorities/p222.rb +1 -1
  567. data/spec/support/fixtures/plugins_with_priorities/p_nil.rb +1 -1
  568. data/spec/support/fixtures/plugins_with_priorities/p_nil2.rb +1 -1
  569. data/spec/support/fixtures/report.afr +0 -0
  570. data/spec/support/fixtures/reporters/base_spec/plugin_formatters/with_formatters/foobar.rb +1 -1
  571. data/spec/support/fixtures/reporters/base_spec/with_formatters.rb +1 -1
  572. data/spec/support/fixtures/reporters/base_spec/with_outfile.rb +1 -1
  573. data/spec/support/fixtures/reporters/base_spec/without_outfile.rb +1 -1
  574. data/spec/support/fixtures/reporters/manager_spec/afr.rb +1 -1
  575. data/spec/support/fixtures/reporters/manager_spec/error.rb +1 -1
  576. data/spec/support/fixtures/reporters/manager_spec/foo.rb +1 -1
  577. data/spec/support/fixtures/run_check/body.rb +1 -1
  578. data/spec/support/fixtures/run_check/cookies.rb +1 -1
  579. data/spec/support/fixtures/run_check/empty.rb +1 -1
  580. data/spec/support/fixtures/run_check/flch.rb +1 -1
  581. data/spec/support/fixtures/run_check/forms.rb +1 -1
  582. data/spec/support/fixtures/run_check/headers.rb +1 -1
  583. data/spec/support/fixtures/run_check/links.rb +1 -1
  584. data/spec/support/fixtures/run_check/nil.rb +1 -1
  585. data/spec/support/fixtures/run_check/path.rb +1 -1
  586. data/spec/support/fixtures/run_check/server.rb +1 -1
  587. data/spec/support/fixtures/signature_check/signature.rb +1 -1
  588. data/spec/support/fixtures/wait_check/wait.rb +1 -1
  589. data/spec/support/helpers/framework.rb +1 -1
  590. data/spec/support/helpers/misc.rb +1 -1
  591. data/spec/support/helpers/paths.rb +1 -1
  592. data/spec/support/helpers/requires.rb +1 -1
  593. data/spec/support/helpers/resets.rb +1 -1
  594. data/spec/support/helpers/web_server.rb +1 -1
  595. data/spec/support/lib/factory.rb +1 -1
  596. data/spec/support/lib/web_server_client.rb +1 -1
  597. data/spec/support/lib/web_server_dispatcher.rb +1 -1
  598. data/spec/support/lib/web_server_manager.rb +1 -1
  599. data/spec/support/servers/arachni/check/auditor.rb +1 -0
  600. data/spec/support/servers/arachni/element/form/form_dom.rb +1 -0
  601. data/spec/support/servers/arachni/element/form.rb +4 -4
  602. data/spec/support/servers/arachni/element/header.rb +1 -1
  603. data/spec/support/servers/arachni/element/nested_cookie.rb +84 -0
  604. data/spec/support/servers/arachni/parser.rb +6 -0
  605. data/spec/support/servers/checks/active/code_injection.rb +18 -0
  606. data/spec/support/servers/checks/active/code_injection_timing.rb +18 -0
  607. data/spec/support/servers/checks/active/file_inclusion.rb +19 -1
  608. data/spec/support/servers/checks/active/ldap_injection.rb +18 -0
  609. data/spec/support/servers/checks/active/no_sql_injection.rb +27 -0
  610. data/spec/support/servers/checks/active/no_sql_injection_differential.rb +19 -0
  611. data/spec/support/servers/checks/active/os_cmd_injection.rb +29 -0
  612. data/spec/support/servers/checks/active/os_cmd_injection_timing.rb +18 -1
  613. data/spec/support/servers/checks/active/path_traversal.rb +30 -3
  614. data/spec/support/servers/checks/active/response_splitting.rb +30 -1
  615. data/spec/support/servers/checks/active/rfi.rb +30 -2
  616. data/spec/support/servers/checks/active/session_fixation.rb +1 -3
  617. data/spec/support/servers/checks/active/source_code_disclosure.rb +16 -0
  618. data/spec/support/servers/checks/active/sql_injection.rb +27 -0
  619. data/spec/support/servers/checks/active/sql_injection_differential.rb +19 -0
  620. data/spec/support/servers/checks/active/sql_injection_timing.rb +19 -1
  621. data/spec/support/servers/checks/active/unvalidated_redirect.rb +40 -1
  622. data/spec/support/servers/checks/active/xpath_injection.rb +27 -0
  623. data/spec/support/servers/checks/active/xss.rb +40 -0
  624. data/spec/support/servers/checks/active/xss_event.rb +22 -1
  625. data/spec/support/servers/checks/active/xss_script_context.rb +18 -0
  626. data/spec/support/servers/checks/active/xss_tag.rb +40 -0
  627. data/spec/support/servers/checks/passive/grep/x_frame_options.rb +5 -0
  628. data/spec/support/shared/check.rb +1 -0
  629. data/spec/support/shared/element/capabilities/auditable/buffered.rb +2 -2
  630. data/spec/support/shared/element/capabilities/auditable/line_buffered.rb +2 -2
  631. data/spec/support/shared/element/capabilities/auditable.rb +2 -2
  632. data/ui/cli/framework/option_parser.rb +44 -8
  633. data/ui/cli/framework.rb +6 -5
  634. data/ui/cli/option_parser.rb +1 -1
  635. data/ui/cli/output.rb +1 -1
  636. data/ui/cli/reporter/option_parser.rb +1 -1
  637. data/ui/cli/reporter.rb +1 -1
  638. data/ui/cli/reproduce/option_parser.rb +1 -1
  639. data/ui/cli/reproduce.rb +1 -1
  640. data/ui/cli/rest/server/option_parser.rb +1 -1
  641. data/ui/cli/rest/server.rb +1 -1
  642. data/ui/cli/restored_framework/option_parser.rb +1 -1
  643. data/ui/cli/restored_framework.rb +1 -1
  644. data/ui/cli/rpc/client/dispatcher_monitor/option_parser.rb +1 -1
  645. data/ui/cli/rpc/client/dispatcher_monitor.rb +1 -1
  646. data/ui/cli/rpc/client/instance.rb +7 -4
  647. data/ui/cli/rpc/client/local/option_parser.rb +1 -1
  648. data/ui/cli/rpc/client/local.rb +1 -1
  649. data/ui/cli/rpc/client/remote/option_parser.rb +1 -1
  650. data/ui/cli/rpc/client/remote.rb +1 -1
  651. data/ui/cli/rpc/server/dispatcher/option_parser.rb +1 -1
  652. data/ui/cli/rpc/server/dispatcher.rb +1 -1
  653. data/ui/cli/utilities.rb +1 -1
  654. metadata +602 -707
  655. data/logs/error-11897.log +0 -2006
  656. data/logs/error-3855.log +0 -382
  657. data/spec/support/logs/Dispatcher - 1024-31864.log +0 -10
  658. data/spec/support/logs/Dispatcher - 1047-41465.log +0 -10
  659. data/spec/support/logs/Dispatcher - 1274-60799.log +0 -64
  660. data/spec/support/logs/Dispatcher - 1295-1058.log +0 -44
  661. data/spec/support/logs/Dispatcher - 1313-27076.log +0 -40
  662. data/spec/support/logs/Dispatcher - 1332-17127.log +0 -35
  663. data/spec/support/logs/Dispatcher - 1350-7351.log +0 -29
  664. data/spec/support/logs/Dispatcher - 1368-38528.log +0 -22
  665. data/spec/support/logs/Dispatcher - 1386-17419.log +0 -14
  666. data/spec/support/logs/Dispatcher - 31030-26156.log +0 -10
  667. data/spec/support/logs/Dispatcher - 321-27189.log +0 -12
  668. data/spec/support/logs/Dispatcher - 32353-50061.log +0 -20
  669. data/spec/support/logs/Dispatcher - 32450-61574.log +0 -10
  670. data/spec/support/logs/Dispatcher - 32470-53874.log +0 -20
  671. data/spec/support/logs/Dispatcher - 32491-10523.log +0 -18
  672. data/spec/support/logs/Dispatcher - 32509-8583.log +0 -14
  673. data/spec/support/logs/Dispatcher - 32536-21209.log +0 -10
  674. data/spec/support/logs/Dispatcher - 32556-53881.log +0 -10
  675. data/spec/support/logs/Dispatcher - 32579-49083.log +0 -50
  676. data/spec/support/logs/Dispatcher - 32761-20025.log +0 -12
  677. data/spec/support/logs/Dispatcher - 347-17512.log +0 -12
  678. data/spec/support/logs/Dispatcher - 3489-43230.log +0 -24
  679. data/spec/support/logs/Dispatcher - 3524-57459.log +0 -26
  680. data/spec/support/logs/Dispatcher - 3559-21544.log +0 -20
  681. data/spec/support/logs/Dispatcher - 3764-33844.log +0 -25
  682. data/spec/support/logs/Dispatcher - 3798-45350.log +0 -26
  683. data/spec/support/logs/Dispatcher - 382-15725.log +0 -12
  684. data/spec/support/logs/Dispatcher - 3836-6205.log +0 -21
  685. data/spec/support/logs/Dispatcher - 4112-45433.log +0 -22
  686. data/spec/support/logs/Dispatcher - 4148-53510.log +0 -26
  687. data/spec/support/logs/Dispatcher - 415-29873.log +0 -14
  688. data/spec/support/logs/Dispatcher - 4185-29736.log +0 -18
  689. data/spec/support/logs/Dispatcher - 4268-60912.log +0 -25
  690. data/spec/support/logs/Dispatcher - 4303-39372.log +0 -26
  691. data/spec/support/logs/Dispatcher - 4342-42190.log +0 -21
  692. data/spec/support/logs/Dispatcher - 463-55220.log +0 -26
  693. data/spec/support/logs/Dispatcher - 4649-12104.log +0 -22
  694. data/spec/support/logs/Dispatcher - 4683-32355.log +0 -26
  695. data/spec/support/logs/Dispatcher - 4724-41636.log +0 -18
  696. data/spec/support/logs/Dispatcher - 4881-57692.log +0 -22
  697. data/spec/support/logs/Dispatcher - 4961-64665.log +0 -26
  698. data/spec/support/logs/Dispatcher - 502-8742.log +0 -25
  699. data/spec/support/logs/Dispatcher - 5052-61726.log +0 -18
  700. data/spec/support/logs/Dispatcher - 536-15972.log +0 -22
  701. data/spec/support/logs/Dispatcher - 620-2220.log +0 -20
  702. data/spec/support/logs/Dispatcher - 638-17826.log +0 -18
  703. data/spec/support/logs/Dispatcher - 656-23967.log +0 -16
  704. data/spec/support/logs/Dispatcher - 700-15701.log +0 -12
  705. data/spec/support/logs/Dispatcher - 726-6080.log +0 -10
  706. data/spec/support/logs/Dispatcher - 749-56590.log +0 -18
  707. data/spec/support/logs/Dispatcher - 807-19073.log +0 -18
  708. data/spec/support/logs/Dispatcher - 871-8764.log +0 -10
  709. data/spec/support/logs/Dispatcher - 898-21496.log +0 -12
  710. data/spec/support/logs/Dispatcher - 933-64070.log +0 -12
  711. data/spec/support/logs/Instance - 1577-32284.error.log +0 -151
  712. data/spec/support/logs/Instance - 1625-58174.error.log +0 -154
  713. data/spec/support/logs/Instance - 2727-57968.error.log +0 -151
  714. data/spec/support/logs/Instance - 2898-20648.error.log +0 -303
  715. data/spec/support/logs/Instance - 2901-30845.error.log +0 -429
  716. data/spec/support/logs/Instance - 31185-37600.error.log +0 -174
  717. data/spec/support/logs/Instance - 3319-20111.error.log +0 -175
  718. data/spec/support/logs/error-3855.log +0 -5132
data/components/reporters/plugin_formatters/xml/autologin.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/components/reporters/plugin_formatters/xml/content_types.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/components/reporters/plugin_formatters/xml/cookie_collector.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/components/reporters/plugin_formatters/xml/exec.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/components/reporters/plugin_formatters/xml/form_dicattack.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/components/reporters/plugin_formatters/xml/healthmap.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/components/reporters/plugin_formatters/xml/http_dicattack.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/components/reporters/plugin_formatters/xml/login_script.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/components/reporters/plugin_formatters/xml/metrics.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/components/reporters/plugin_formatters/xml/uncommon_headers.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/components/reporters/plugin_formatters/xml/uniformity.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/components/reporters/plugin_formatters/xml/vector_collector.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/components/reporters/plugin_formatters/xml/waf_detector.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/components/reporters/stdout.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/components/reporters/txt.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/components/reporters/xml/schema.xsd CHANGED
@@ -762,6 +762,7 @@
762
762
  <xs:enumeration value="Arachni::Element::Link::DOM"/>
763
763
  <xs:enumeration value="Arachni::Element::Cookie" />
764
764
  <xs:enumeration value="Arachni::Element::Cookie::DOM" />
765
+ <xs:enumeration value="Arachni::Element::NestedCookie" />
765
766
  <xs:enumeration value="Arachni::Element::Header" />
766
767
  <xs:enumeration value="Arachni::Element::LinkTemplate" />
767
768
  <xs:enumeration value="Arachni::Element::LinkTemplate::DOM"/>
data/components/reporters/xml.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
@@ -181,8 +181,8 @@ class Arachni::Reporters::XML < Arachni::Reporter::Base
181
181
  description: %q{Exports the audit results as an XML (.xml) file.},
182
182
  content_type: 'text/xml',
183
183
  author: 'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
184
- version: '0.3.6',
185
- options: [ Options.outfile( '.xml' ), Options.skip_responses ]
184
+ version: '0.3.8',
185
+ options: [ Options.outfile( '.xml' ) ]
186
186
  }
187
187
  end
188
188
 
data/components/reporters/yaml.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/config/write_paths.yml CHANGED
@@ -13,3 +13,7 @@ framework:
13
13
  # Default directory for scan snapshots generated either by the CLI
14
14
  # or by RPC Instances.
15
15
  snapshots:
16
+ # Directory for temporary files -- like for excess workload that's been
17
+ # offloaded to disk etc..
18
+ # Will default to the OS temporary directory.
19
+ tmpdir:
data/lib/arachni/banner.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/lib/arachni/browser/element_locator.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/lib/arachni/browser/javascript/dom_monitor.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/lib/arachni/browser/javascript/proxy/stub.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/lib/arachni/browser/javascript/proxy.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/lib/arachni/browser/javascript/scripts/dom_monitor.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /*
2
- * Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ * Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
  *
4
4
  * This file is part of the Arachni Framework project and is subject to
5
5
  * redistribution and commercial restrictions. Please see the Arachni Framework
@@ -23,12 +23,11 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
23
23
  // for this document.
24
24
  initialized: false,
25
25
 
26
+ event_inheritance_limit: null,
27
+
26
28
  // Keeps track of setTimeout() calls.
27
29
  timeouts: [],
28
30
 
29
- // Keeps track of setInterval() calls.
30
- intervals: [],
31
-
32
31
  // Don't include these elements in the `digest` computation.
33
32
  exclude_tags_from_digest: ['P'],
34
33
 
@@ -152,11 +151,12 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
152
151
  "input" : true
153
152
  },
154
153
 
155
- initialize: function () {
154
+ initialize: function ( event_inheritance_limit ) {
156
155
  if( _tokenDOMMonitor.initialized ) return;
157
156
 
157
+ _tokenDOMMonitor.event_inheritance_limit = event_inheritance_limit;
158
+
158
159
  _tokenDOMMonitor.track_setTimeout();
159
- _tokenDOMMonitor.track_setInterval();
160
160
  _tokenDOMMonitor.track_addEventListener();
161
161
 
162
162
  _tokenDOMMonitor.initialized = true
@@ -195,6 +195,8 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
195
195
  // `offset` and `batch_size`.
196
196
  var relevant_element_index = 0;
197
197
 
198
+ var event_inheritance_limit = 0;
199
+
198
200
  for( var i = 0; i < length; i++ ) {
199
201
  var element = elements[i];
200
202
 
@@ -209,7 +211,7 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
209
211
  if( tag_name_whitelist.length > 0 && !whitelist[tag_name] ) continue;
210
212
 
211
213
  // Skip invisible elements.
212
- if( element.offsetWidth <= 0 && element.offsetHeight <= 0 ) continue;
214
+ if( !_tokenDOMMonitor.is_visible( element ) ) continue;
213
215
 
214
216
  var e = {
215
217
  tag_name: tag_name,
@@ -217,11 +219,19 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
217
219
  attributes: {}
218
220
  };
219
221
 
220
- // If the current element is allowed to have inherited events
221
- // merge them with its own.
222
- if( _tokenDOMMonitor.is_allowed_element_with_inherited_events( e.tag_name ) ) {
222
+ // If we haven't reached the event bubbling depth limit and the
223
+ // current element is allowed to have inherited events, merge them
224
+ // with its own.
225
+ if(
226
+ (
227
+ !_tokenDOMMonitor.event_inheritance_limit ||
228
+ event_inheritance_limit < _tokenDOMMonitor.event_inheritance_limit
229
+ ) && _tokenDOMMonitor.is_allowed_element_with_inherited_events( e.tag_name )
230
+ ) {
223
231
  e.events = e.events.concat( element._arachni_inherited_events || [] );
224
232
  e.events = _tokenDOMMonitor.arrayUnique( e.events.concat( global_events ) );
233
+
234
+ event_inheritance_limit++;
225
235
  }
226
236
 
227
237
  var attributes = element.attributes;
@@ -269,7 +279,7 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
269
279
  }
270
280
 
271
281
  grouped_events[event_name] = grouped_events[event_name] || [];
272
- grouped_events[event_name].push( event_handler );
282
+ grouped_events[event_name].push( event_handler.toString() );
273
283
  }
274
284
  e.events = grouped_events;
275
285
 
@@ -376,17 +386,6 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
376
386
  return _tokenDOMMonitor.hashCode( digest );
377
387
  },
378
388
 
379
- // Override setInterval() so that we'll know to wait for it to be triggered
380
- // during DOM analysis to provide sufficient coverage.
381
- track_setInterval: function () {
382
- var original_setInterval = window.setInterval;
383
-
384
- window.setInterval = function() {
385
- _tokenDOMMonitor.intervals.push( arguments );
386
- original_setInterval.apply( this, arguments );
387
- };
388
- },
389
-
390
389
  // Override setTimeout() so that we'll know to wait for it to be triggered
391
390
  // during DOM analysis to provide sufficient coverage.
392
391
  track_setTimeout: function () {
@@ -394,7 +393,15 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
394
393
 
395
394
  window.setTimeout = function() {
396
395
  arguments[1] = parseInt( arguments[1] );
397
- _tokenDOMMonitor.timeouts.push( arguments );
396
+
397
+ args = [];
398
+ for( i = 0; i < arguments.length; i++ ) {
399
+ args[i] = arguments[i];
400
+ }
401
+ args[0] = args[0].toString();
402
+
403
+ _tokenDOMMonitor.timeouts.push( args );
404
+
398
405
  original_setTimeout.apply( this, arguments );
399
406
  };
400
407
  },
@@ -492,7 +499,7 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
492
499
  }
493
500
 
494
501
  // All is well, register the event with the element.
495
- element['_arachni_events'].push( [event, handler] );
502
+ element['_arachni_events'].push( [event, handler.toString()] );
496
503
  },
497
504
 
498
505
  // Sets a unique enough custom ID attribute to elements that lack proper IDs.
@@ -521,6 +528,14 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
521
528
  }
522
529
  },
523
530
 
531
+ is_visible: function( element ) {
532
+ return !!(
533
+ element.offsetWidth ||
534
+ element.offsetHeight ||
535
+ element.getClientRects().length
536
+ );
537
+ },
538
+
524
539
  is_valid_event: function ( event ) {
525
540
  return Object.prototype.hasOwnProperty.call(
526
541
  _tokenDOMMonitor.valid_events,
@@ -576,5 +591,3 @@ var _tokenDOMMonitor = _tokenDOMMonitor || {
576
591
  return hash;
577
592
  }
578
593
  };
579
-
580
- _tokenDOMMonitor.initialize();
data/lib/arachni/browser/javascript/scripts/taint_tracer.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /*
2
- * Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ * Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
  *
4
4
  * This file is part of the Arachni Framework project and is subject to
5
5
  * redistribution and commercial restrictions. Please see the Arachni Framework
@@ -70,7 +70,6 @@ var _tokenTaintTracer = _tokenTaintTracer || {
70
70
  'decodeURI', 'escape', 'unescape'
71
71
  ]
72
72
  ],
73
- [Text.prototype, ['replaceWholeText']],
74
73
  [Document.prototype, ['createTextNode']],
75
74
  [HTMLDocument.prototype, ['write', 'writeln']],
76
75
  [Element.prototype, ['setAttribute']],
@@ -260,13 +259,15 @@ var _tokenTaintTracer = _tokenTaintTracer || {
260
259
  trace = [];
261
260
 
262
261
  depth_offset = parseInt( depth_offset ) || 3;
263
- for( var i = 0; i < depth_offset - 1; i++ ) {
262
+ for( var i = 0; i < depth_offset - 2; i++ ) {
264
263
  if( f ) f = f.caller;
265
264
  }
266
265
 
267
266
  var error = _tokenTaintTracer.get_error_object();
268
267
  var stackArrayOffset = depth_offset;
269
268
 
269
+ var current_url = window.location.href;
270
+
270
271
  var stack_messages = error.stack.split( '\n' );
271
272
  while( stackArrayOffset <= stack_messages.length - 1 ) {
272
273
  // Skip our own functions from the trace.
@@ -276,37 +277,41 @@ var _tokenTaintTracer = _tokenTaintTracer || {
276
277
  };
277
278
 
278
279
  if( f ) {
279
- frame.function.source = f;
280
+ frame.function.source = f.toString();
280
281
 
281
282
  // Scripts with 'use strict' don't let us access arguments.
282
283
  try {
283
284
  frame.function.arguments =
284
285
  _tokenTaintTracer.sanitize_arguments( f.arguments );
285
- } catch(e){}
286
+ } catch( e ){ console.log( e ) }
286
287
  }
287
288
 
288
- var stack = stack_messages[stackArrayOffset];
289
+ var stack_frame = stack_messages[stackArrayOffset].split( 'at ', 2 ).pop();
289
290
 
290
- var name_rest_splits;
291
- if( stack.indexOf( '@' ) !== -1 ) {
292
- name_rest_splits = stack.split( '@', 2 );
293
- frame.function.name = name_rest_splits.shift();
294
- } else {
295
- name_rest_splits = [stack];
291
+ var name_rest_splits = stack_frame.split( ' (' );
292
+ if( name_rest_splits.length > 1 ) {
293
+ frame.function.name = name_rest_splits.shift().split( '.', 2 ).pop();
296
294
  }
297
295
 
298
- if( name_rest_splits.length > 0 ) {
299
- stack = name_rest_splits.shift();
300
- var url_line_splits = stack.split( ':' );
296
+ var url_line_col_splits = name_rest_splits.pop().split( ':' );
297
+
298
+ // Remove the column.
299
+ url_line_col_splits.pop();
300
+ var url_line_splits = url_line_col_splits;
301
+
302
+ frame.line = parseInt( url_line_splits.pop() );
301
303
 
302
- // Remove the column.
303
- url_line_splits.pop();
304
+ frame.url = url_line_splits.join( ':' ).split( ' (' ).pop();
304
305
 
305
- frame.line = parseInt( url_line_splits.pop() );
306
- frame.url = url_line_splits.join( ':' );
306
+ // Line numbers in the current page will be off by one after the
307
+ // JS env has been removed, adjust accordingly.
308
+ if( frame.url == current_url && frame.line > 0 ) {
309
+ frame.line--;
307
310
  }
308
311
 
309
- trace.push( frame );
312
+ if( frame.url != '<anonymous>' ) {
313
+ trace.push( frame );
314
+ }
310
315
  }
311
316
 
312
317
  // Scripts with 'use strict' don't let us access function callers.
@@ -429,7 +434,7 @@ var _tokenTaintTracer = _tokenTaintTracer || {
429
434
 
430
435
  _tokenTaintTracer.log_data_flow_sink( taint, {
431
436
  function: {
432
- source: func,
437
+ source: func.toString(),
433
438
  name: func.name || function_name,
434
439
  arguments: arguments
435
440
  },
@@ -506,19 +511,25 @@ var _tokenTaintTracer = _tokenTaintTracer || {
506
511
  for( var name in namespace ){
507
512
  if( !namespace.hasOwnProperty( name ) ) continue;
508
513
 
509
- var potentialFunction = namespace[name];
514
+ try {
515
+ var potentialFunction = namespace[name];
510
516
 
511
- if( Object.prototype.toString.call(potentialFunction) !== '[object Function]' )
512
- continue;
517
+ if (Object.prototype.toString.call(potentialFunction) !== '[object Function]')
518
+ continue;
513
519
 
514
- if( _tokenTaintTracer.ignore[potentialFunction.name] ) continue;
520
+ if (_tokenTaintTracer.ignore[potentialFunction.name]) continue;
515
521
 
516
- var namespace_function_name = Object.prototype.toString.call(namespace) +
517
- '-' + potentialFunction.name;
518
- if( _tokenTaintTracer.traced[namespace_function_name] ) continue;
522
+ var namespace_function_name = Object.prototype.toString.call(namespace) +
523
+ '-' + potentialFunction.name;
524
+ if (_tokenTaintTracer.traced[namespace_function_name]) continue;
519
525
 
520
- _tokenTaintTracer.add_trace_to_function( namespace, name, _tokenTaintTracer.object_to_name(namespace) );
521
- _tokenTaintTracer.traced[namespace_function_name] = true;
526
+ _tokenTaintTracer.add_trace_to_function(
527
+ namespace, name, _tokenTaintTracer.object_to_name( namespace )
528
+ );
529
+ _tokenTaintTracer.traced[namespace_function_name] = true;
530
+ } catch(e) {
531
+ console.log( e )
532
+ }
522
533
  }
523
534
  },
524
535
 
@@ -543,9 +554,15 @@ var _tokenTaintTracer = _tokenTaintTracer || {
543
554
  },
544
555
 
545
556
  add_trace_to_function: function ( object, name, object_name ){
546
- // Don't trace a tracer.
547
- if( _tokenTaintTracer.get_traced_function().toString() == (object[name] || '').toString() )
557
+ // object[name].toString() can fail for certain functions so play it
558
+ // safe and bail out.
559
+ try {
560
+ // Don't trace a tracer.
561
+ if( _tokenTaintTracer.get_traced_function().toString() == (object[name] || '').toString() )
562
+ return;
563
+ } catch (e) {
548
564
  return;
565
+ }
549
566
 
550
567
  var function_needle = 'function ' + name + '(';
551
568
 
@@ -556,21 +573,22 @@ var _tokenTaintTracer = _tokenTaintTracer || {
556
573
  // are unknown; framework-specified ones have been vetted.
557
574
  if(
558
575
  object == window && object[name] &&
576
+ (
577
+ // The name should be the same as the function name...
578
+ object[name].toString().substring( 0, function_needle.length ) !== function_needle ||
579
+
580
+ // .. and the prototype needs to not have any members.
559
581
  (
560
- // The name should be the same as the function name...
561
- object[name].toString().substring( 0, function_needle.length ) !== function_needle ||
562
-
563
- // .. and the prototype needs to not have any members.
564
- (
565
- object[name].prototype &&
566
- !_tokenTaintTracer.isEmpty( object[name].prototype )
567
- )
582
+ object[name].prototype &&
583
+ !_tokenTaintTracer.isEmpty( object[name].prototype )
568
584
  )
585
+ )
569
586
  ) return;
570
587
 
571
588
  object[name] = _tokenTaintTracer.get_traced_function(
572
589
  object[name], object_name || _tokenTaintTracer.object_to_name( object ), name
573
590
  );
591
+
574
592
  },
575
593
 
576
594
  install_tracers_from_list: function( list ) {
data/lib/arachni/browser/javascript/taint_tracer/frame/called_function.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/lib/arachni/browser/javascript/taint_tracer/frame.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/lib/arachni/browser/javascript/taint_tracer/sink/base.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/lib/arachni/browser/javascript/taint_tracer/sink/data_flow.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/lib/arachni/browser/javascript/taint_tracer/sink/execution_flow.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework
data/lib/arachni/browser/javascript/taint_tracer.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  =begin
2
- Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
2
+ Copyright 2010-2022 Ecsypno <http://www.ecsypno.com>
3
3
 
4
4
  This file is part of the Arachni Framework project and is subject to
5
5
  redistribution and commercial restrictions. Please see the Arachni Framework