arachni 0.4 → 0.4.0.1

data/CHANGELOG.md

@@ -1,6 +1,10 @@
-
 # ChangeLog
 
+## Version 0.4.0.1 _(January 9, 2012)_
+- Reports
+   - XML -- added missing Issue attributes
+- Added draconian run-time exception handling to all components.
+
 ## Version 0.4 _(January 7, 2012)_
 - RPC Infrastructure (**New**)
    - Dispatcher

data/README.md

@@ -2,11 +2,11 @@
 <table>
     <tr>
         <th>Version</th>
-        <td>0.4</td>
+        <td>0.4.0.1</td>
     </tr>
     <tr>
         <th>Homepage</th>
-        <td><a href="http://arachni.segfault.gr">http://arachni.segfault.gr</a></td>
+        <td><a href="http://arachni-scanner.com">http://arachni-scanner.com</a></td>
     </tr>
     <tr>
         <th>Blog</th>
@@ -100,12 +100,12 @@ From a user's or a component developer's point of view everything appears simple
  - Pause/resume functionality.
  - High performance asynchronous HTTP requests.
  - Open [RPC](https://github.com/Zapotek/arachni/wiki/RPC-API) Client/Dispatcher Infrastructure
-    - Distributed deployment
+    - [Distributed deployment](https://github.com/Zapotek/arachni/wiki/Distributed-components)
     - Multiple clients
     - Parallel scans
     - SSL encryption (with peer authentication)
     - Remote monitoring
-    - Support for [High Performance Grid](https://github.com/Zapotek/arachni/wiki/RPC-server#wiki-grid) configuration, combining the resources of multiple nodes to perform fast scans.
+    - Support for [High Performance Grid](https://github.com/Zapotek/arachni/wiki/HPG) configuration, combining the resources of multiple nodes to perform fast scans.
 
 ### Website Crawler
 
@@ -245,6 +245,12 @@ CDE packages are self contained and thus alleviate the need for Ruby and other d
 You can download the latest CDE package from the [download](https://github.com/Zapotek/arachni/downloads) page and escape the dependency hell.<br/>
 If you decide to go the CDE route you can skip the rest, you're done.
 
+### Cygwin packages for Windows
+
+Arachni does not yet run natively on Windows systems, however until that day comes you can download a pre-configured Cygwin environment containing Arachni and its dependencies.
+All you need to do is download the [latest self-extracting archive](http://downloads.segfault.gr/arachni/), select a directory for it, open it up and then execute the Cygwin batch file.
+You will then be presented with a Bash shell, after that you'll be able to use Arachni as if you were on a Linux system.
+
 ### Gem
 
 To install the Gem or work with the source code you'll also need the following system libraries:
@@ -268,9 +274,6 @@ If you want to clone the repository and work with the source code then you'll ne
     rake install
 
 
-### [Windows -- under Cygwin](https://github.com/Zapotek/arachni/wiki/Installation)
-
-
 ## Usage
 
 ### [Command line interface](https://github.com/Zapotek/arachni/wiki/Command-line-user-interface)
@@ -292,7 +295,7 @@ Should you want to use these extra components simply move them from the <em>extr
 
 Arachni should work on all *nix and POSIX compliant platforms with Ruby and the aforementioned requirements.
 
-Windows users can run Arachni in Cygwin by following these [instructions](https://github.com/Zapotek/arachni/wiki/Installation).
+Windows users can download the pre-configured Cygwin package, see the [installation instructions](https://github.com/Zapotek/arachni/wiki/Installation).
 
 ## Bug reports/Feature requests
 Please send your feedback using Github's issue system at

data/lib/arachni/module/manager.rb

@@ -32,6 +32,7 @@ module Module
 class Manager < Arachni::ComponentManager
 
     include Arachni::UI::Output
+    include Arachni::Module::Utilities
 
     @@results             ||= []
     @@on_register_results ||= []
@@ -54,7 +55,7 @@ class Manager < Arachni::ComponentManager
     # @param    [::Arachni::Framework]   framework  to be assigned to modules
     #
     def run( page, framework = nil )
-        keys.each { |mod| run_one( mod, page, framework ) }
+        keys.each { |mod| exception_jail( false ){ run_one( mod, page, framework ) } }
     end
 
     #

data/lib/arachni/parser/parser.rb

@@ -43,7 +43,7 @@ require opts.dir['lib'] + 'component_manager'
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.2.1
+# @version: 0.2.2
 #
 class Parser
     include Arachni::UI::Output
@@ -244,7 +244,7 @@ class Parser
     #
     # @return    [Hash]    HTTP header fields
     #
-    def headers( )
+    def headers
         headers_arr  = []
         {
             'accept'          => 'text/html,application/xhtml+xml,application' +
@@ -642,7 +642,7 @@ class Parser
 
             return @@manager.available.map {
                 |name|
-                @@manager[name].new.run( doc )
+                exception_jail( false ){ @@manager[name].new.run( doc ) }
             }.flatten.uniq.compact.
             map { |path| to_absolute( url_sanitize( path ) ) }.
             reject { |path| skip?( path ) }

data/lib/arachni/plugin/manager.rb

@@ -24,7 +24,7 @@ module Plugin
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.1
+# @version: 0.1.1
 #
 class Manager < Arachni::ComponentManager
 
@@ -73,7 +73,7 @@ class Manager < Arachni::ComponentManager
 
             @jobs << Thread.new {
 
-                exception_jail {
+                exception_jail( false ) {
                     Thread.current[:name] = name
 
                     plugin_new = create( name )

data/lib/arachni/report/base.rb

@@ -60,13 +60,14 @@ end
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.1
+# @version: 0.1.1
 # @abstract
 #
 class Base
 
     # get the output interface
     include Arachni::UI::Output
+    include Arachni::Module::Utilities
 
     # where to report false positives <br/>
     # info about this should be included in all templates
@@ -88,7 +89,7 @@ class Base
     #
     # REQUIRED
     #
-    def run( )
+    def run
 
     end
 
@@ -129,7 +130,9 @@ class Base
             plugin_results = plugins[name]
             next if !plugin_results || plugin_results[:results].empty?
 
-            formatted[name] = formatter.new( plugin_results.deep_clone ).run
+            exception_jail( false ) {
+                formatted[name] = formatter.new( plugin_results.deep_clone ).run
+            }
         }
 
         return formatted
@@ -150,7 +153,7 @@ class Base
             ],
             :description    => %q{This class should be extended by all reports.},
             :author         => 'zapotek',
-            :version        => '0.1',
+            :version        => '0.1.1',
         }
     end
 

data/lib/arachni/report/manager.rb

@@ -26,10 +26,12 @@ module Report
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr> <br/>
-# @version: 0.1
+# @version: 0.1.1
 #
 class Manager < Arachni::ComponentManager
 
+    include Arachni::Module::Utilities
+
     # the extension of the Arachni Framework Report files
     EXTENSION   = '.afr'
 
@@ -54,7 +56,9 @@ class Manager < Arachni::ComponentManager
 
         self.each {
             |name, report|
-            run_one( name, audit_store.deep_clone )
+            exception_jail( false ){
+                run_one( name, audit_store.deep_clone )
+            }
         }
     end
 

data/lib/arachni/ui/web/report_manager.rb

@@ -191,7 +191,7 @@ class ReportManager
     def get( type, id )
         return if !valid_class?( type )
 
-        begin
+        # begin
             location = savedir + Report.get( id ).filename + EXTENSION
 
             # if it's the default report type don't waste time converting
@@ -200,11 +200,11 @@ class ReportManager
             else
                 return convert( type, ::Arachni::AuditStore.load( location ) )
             end
-        rescue Exception => e
-            ap e
-            ap e.backtrace
-            return nil
-        end
+        # rescue Exception => e
+            # ap e
+            # ap e.backtrace
+            # return nil
+        # end
     end
 
     #

data/lib/arachni/version.rb

@@ -11,6 +11,6 @@
 module Arachni
 
     # the universal system version
-    VERSION      = '0.4'
+    VERSION      = '0.4.0.1'
 
 end

data/plugins/defaults/metamodules/remedies/discovery.rb

@@ -55,9 +55,11 @@ class Discovery < Arachni::Plugin::Base
         # URL path => size of responses
         response_size_per_path  = {}
 
-        on_relevant_issues {
+        @framework.audit_store.issues.each_with_index {
             |issue, idx|
 
+            next if !includes_tags?( issue.tags )
+
             # discovery issues only have 1 variation
             variation = issue.variations.first
 
@@ -66,7 +68,14 @@ class Discovery < Arachni::Plugin::Base
             # will control the behavior under that path
             #
             # did that make any sense?
-            path = File.dirname( URI( normalize_url( variation['url'] ) ).path )
+            path = ''
+            begin
+                exception_jail {
+                    path = File.dirname( URI( normalize_url( variation['url'] ) ).path )
+                }
+            rescue
+                next
+            end
 
             # gathering total response sizes for issues per path
             response_size_per_path[path] ||= 0
@@ -113,21 +122,6 @@ class Discovery < Arachni::Plugin::Base
         register_results( issues ) if !issues.empty?
     end
 
-    #
-    # Passes each issue that was logged by a discovery module to the block.
-    #
-    # @param    [Proc]   &block
-    #
-    def on_relevant_issues( &block )
-        @framework.audit_store.issues.each_with_index {
-            |issue, idx|
-
-            if includes_tags?( issue.tags )
-                block.call( issue, idx )
-            end
-        }
-    end
-
     #
     # Checks if 'tags' contain any item in {TAGS}
     #

data/plugins/defaults/metamodules/remedies/timing_attacks.rb

@@ -18,7 +18,7 @@ module Plugins
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.1.3
+# @version: 0.1.4
 #
 class TimingAttacks < Arachni::Plugin::Base
 
@@ -42,15 +42,27 @@ class TimingAttacks < Arachni::Plugin::Base
             # we don't care about non OK responses
             next if res.code != 200
 
-            path = URI( normalize_url( res.effective_url ) ).path
-            path = '/' if path.empty?
-            @counter[path] ||= @times[path] ||= 0
-
-            # add up all request times for a specific path
-            @times[path] += res.start_transfer_time
-
-            # add up all requests for each path
-            @counter[path] += 1
+            begin
+                path = nil
+                # let's hope for a proper and clean parse but be prepared for
+                # all hell to break loose too...
+                begin
+                    path = URI( normalize_url( res.effective_url ) ).path
+                rescue
+                    url = res.effective_url.split( '?' ).first
+                    path = URI( normalize_url( res.effective_url ) ).path
+                end
+
+                path = '/' if path.empty?
+                @counter[path] ||= @times[path] ||= 0
+
+                # add up all request times for a specific path
+                @times[path] += res.start_transfer_time
+
+                # add up all requests for each path
+                @counter[path] += 1
+            rescue
+            end
         }
 
         wait_while_framework_running
@@ -111,7 +123,7 @@ class TimingAttacks < Arachni::Plugin::Base
                 Pages with high response times usually include heavy-duty processing
                 which makes them prime targets for Denial-of-Service attacks.},
             :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            :version        => '0.1.3',
+            :version        => '0.1.4',
             :tags           => [ 'anomaly' , 'timing', 'attacks', 'meta' ]
         }
     end

data/reports/afr.rb

@@ -17,22 +17,12 @@ module Reports
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.1
+# @version: 0.1.1
 #
 class AFR < Arachni::Report::Base
 
-    #
-    # @param [AuditStore]  audit_store
-    # @param [Hash]   options    options passed to the report
-    #
-    def initialize( audit_store, options )
-        @audit_store   = audit_store
-        @options       = options
-    end
-
-    def run( )
-
-        print_line( )
+    def run
+        print_line
         print_status( 'Dumping audit results in \'' + @options['outfile']  + '\'.' )
 
         @audit_store.save( @options['outfile'] )

data/reports/plugin_formatters/html/profiler/template.erb

@@ -18,7 +18,7 @@
         <%end%>
 
         <%if item['element']['action']%>
-        pointing to <a href="<%=CGI.escapeHTML( item['element']['action'] )%>"> <%=item['element']['action']%>  </a>
+        pointing to <a href="<%=CGI.escapeHTML( item['element']['action'] ) %>"> <%=item['element']['action']%>  </a>
         <%end%>
 
         <%if item['element']['method']%>
@@ -71,7 +71,7 @@
             <% if item['request']['params'] %>
             <form style="display:inline" action="<%=item['request']['url']%>" target="_blank" method="<%=item['request']['method']%>">
               <% item['request']['params'].each_pair do |name, value|%>
-              <input type="hidden" name="<%=CGI.escapeHTML(name)%>" value="<%=CGI.escapeHTML( value )%>" />
+              <input type="hidden" name="<%=CGI.escapeHTML( name || '' )%>" value="<%=CGI.escapeHTML( value || '' )%>" />
               <%end%>
               <input type="submit" value="Replay" />
             </form>

data/reports/xml.rb

@@ -22,7 +22,7 @@ module Reports
 # @author: Tasos "Zapotek" Laskos
 #                                      <tasos.laskos@gmail.com>
 #                                      <zapotek@segfault.gr>
-# @version: 0.2
+# @version: 0.2.1
 #
 class XML < Arachni::Report::Base
 
@@ -122,16 +122,14 @@ class XML < Arachni::Report::Base
             |issue|
 
             start_tag( 'issue' )
-            simple_tag( 'name', issue.name )
 
-            simple_tag( 'url', issue.url )
-            simple_tag( 'element', issue.elem )
-            simple_tag( 'method', issue.method ) if issue.method
-            add_tags( issue.tags ) if issue.tags.is_a?( Array )
-            simple_tag( 'variable', issue.var ) if issue.var
-            simple_tag( 'description', issue.description )
-            simple_tag( 'manual_verification', issue.verification.to_s )
+            issue.each_pair {
+                |k, v|
+                next if !v.is_a?( String )
+                simple_tag( k, v )
+            }
 
+            add_tags( [issue.tags].flatten.compact )
 
             start_tag( 'references' )
             issue.references.each{
@@ -173,7 +171,7 @@ class XML < Arachni::Report::Base
             :name           => 'XML report',
             :description    => %q{Exports a report as an XML file.},
             :author         => 'Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>',
-            :version        => '0.2',
+            :version        => '0.2.1',
             :options        => [ Arachni::Report::Options.outfile( '.xml' ) ]
         }
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: arachni
 version: !ruby/object:Gem::Version
-  version: '0.4'
+  version: 0.4.0.1
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-01-07 00:00:00.000000000 Z
+date: 2012-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: typhoeus
-  requirement: &7947780 !ruby/object:Gem::Requirement
+  requirement: &5666540 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
         version: 0.3.3
   type: :runtime
   prerelease: false
-  version_requirements: *7947780
+  version_requirements: *5666540
 - !ruby/object:Gem::Dependency
   name: awesome_print
-  requirement: &7947180 !ruby/object:Gem::Requirement
+  requirement: &5665540 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,10 +32,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *7947180
+  version_requirements: *5665540
 - !ruby/object:Gem::Dependency
   name: json
-  requirement: &7944620 !ruby/object:Gem::Requirement
+  requirement: &5664340 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -43,10 +43,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *7944620
+  version_requirements: *5664340
 - !ruby/object:Gem::Dependency
   name: nokogiri
-  requirement: &7930700 !ruby/object:Gem::Requirement
+  requirement: &5663600 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -54,10 +54,10 @@ dependencies:
         version: 1.5.0
   type: :runtime
   prerelease: false
-  version_requirements: *7930700
+  version_requirements: *5663600
 - !ruby/object:Gem::Dependency
   name: sys-proctable
-  requirement: &7929640 !ruby/object:Gem::Requirement
+  requirement: &5662940 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -65,10 +65,10 @@ dependencies:
         version: 0.9.1
   type: :runtime
   prerelease: false
-  version_requirements: *7929640
+  version_requirements: *5662940
 - !ruby/object:Gem::Dependency
   name: terminal-table
-  requirement: &7928680 !ruby/object:Gem::Requirement
+  requirement: &5662460 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -76,10 +76,10 @@ dependencies:
         version: 1.4.2
   type: :runtime
   prerelease: false
-  version_requirements: *7928680
+  version_requirements: *5662460
 - !ruby/object:Gem::Dependency
   name: sinatra
-  requirement: &7927880 !ruby/object:Gem::Requirement
+  requirement: &5661740 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -87,10 +87,10 @@ dependencies:
         version: 1.3.1
   type: :runtime
   prerelease: false
-  version_requirements: *7927880
+  version_requirements: *5661740
 - !ruby/object:Gem::Dependency
   name: sinatra-flash
-  requirement: &7927080 !ruby/object:Gem::Requirement
+  requirement: &5661040 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -98,10 +98,10 @@ dependencies:
         version: 0.3.0
   type: :runtime
   prerelease: false
-  version_requirements: *7927080
+  version_requirements: *5661040
 - !ruby/object:Gem::Dependency
   name: async_sinatra
-  requirement: &7926520 !ruby/object:Gem::Requirement
+  requirement: &5660460 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -109,10 +109,10 @@ dependencies:
         version: 0.5.0
   type: :runtime
   prerelease: false
-  version_requirements: *7926520
+  version_requirements: *5660460
 - !ruby/object:Gem::Dependency
   name: thin
-  requirement: &7926040 !ruby/object:Gem::Requirement
+  requirement: &5659960 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -120,10 +120,10 @@ dependencies:
         version: 1.2.11
   type: :runtime
   prerelease: false
-  version_requirements: *7926040
+  version_requirements: *5659960
 - !ruby/object:Gem::Dependency
   name: data_objects
-  requirement: &7925500 !ruby/object:Gem::Requirement
+  requirement: &5238300 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - =
@@ -131,10 +131,10 @@ dependencies:
         version: 0.10.7
   type: :runtime
   prerelease: false
-  version_requirements: *7925500
+  version_requirements: *5238300
 - !ruby/object:Gem::Dependency
   name: datamapper
-  requirement: &7925040 !ruby/object:Gem::Requirement
+  requirement: &5236360 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - =
@@ -142,10 +142,10 @@ dependencies:
         version: 1.1.0
   type: :runtime
   prerelease: false
-  version_requirements: *7925040
+  version_requirements: *5236360
 - !ruby/object:Gem::Dependency
   name: dm-sqlite-adapter
-  requirement: &7924540 !ruby/object:Gem::Requirement
+  requirement: &5235080 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - =
@@ -153,10 +153,10 @@ dependencies:
         version: 1.1.0
   type: :runtime
   prerelease: false
-  version_requirements: *7924540
+  version_requirements: *5235080
 - !ruby/object:Gem::Dependency
   name: net-ssh
-  requirement: &7923820 !ruby/object:Gem::Requirement
+  requirement: &5233980 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -164,10 +164,10 @@ dependencies:
         version: 2.2.1
   type: :runtime
   prerelease: false
-  version_requirements: *7923820
+  version_requirements: *5233980
 - !ruby/object:Gem::Dependency
   name: net-scp
-  requirement: &7912240 !ruby/object:Gem::Requirement
+  requirement: &5232740 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -175,10 +175,10 @@ dependencies:
         version: 1.0.4
   type: :runtime
   prerelease: false
-  version_requirements: *7912240
+  version_requirements: *5232740
 - !ruby/object:Gem::Dependency
   name: eventmachine
-  requirement: &7911200 !ruby/object:Gem::Requirement
+  requirement: &5231640 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -186,10 +186,10 @@ dependencies:
         version: 1.0.0.beta.4
   type: :runtime
   prerelease: false
-  version_requirements: *7911200
+  version_requirements: *5231640
 - !ruby/object:Gem::Dependency
   name: em-synchrony
-  requirement: &7910580 !ruby/object:Gem::Requirement
+  requirement: &4927740 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -197,10 +197,10 @@ dependencies:
         version: 1.0.0
   type: :runtime
   prerelease: false
-  version_requirements: *7910580
+  version_requirements: *4927740
 - !ruby/object:Gem::Dependency
   name: arachni-rpc-em
-  requirement: &7909560 !ruby/object:Gem::Requirement
+  requirement: &4926240 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -208,7 +208,7 @@ dependencies:
         version: 0.1.1
   type: :runtime
   prerelease: false
-  version_requirements: *7909560
+  version_requirements: *4926240
 description: ! "        Arachni is a feature-full, modular, high-performance Ruby
   framework aimed towards\n        helping penetration testers and administrators
   evaluate the security of web applications.\n\n        Arachni is smart, it trains