arachni 0.4.7 → 1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -13
- data/AUTHORS.md +1 -1
- data/CHANGELOG.md +211 -0
- data/CONTRIBUTORS.md +1 -0
- data/Gemfile +23 -2
- data/LICENSE.md +34 -1
- data/README.md +211 -127
- data/Rakefile +79 -67
- data/arachni.gemspec +54 -62
- data/bin/arachni +6 -18
- data/bin/arachni_console +5 -13
- data/bin/arachni_multi +6 -16
- data/bin/arachni_reporter +12 -0
- data/bin/arachni_restore +12 -0
- data/bin/arachni_rpc +6 -16
- data/bin/arachni_rpcd +6 -17
- data/bin/arachni_rpcd_monitor +6 -18
- data/bin/arachni_script +8 -19
- data/components/checks/active/code_injection.rb +123 -0
- data/components/checks/active/code_injection_php_input_wrapper.rb +99 -0
- data/components/checks/active/code_injection_timing.rb +106 -0
- data/components/checks/active/csrf.rb +218 -0
- data/components/checks/active/file_inclusion.rb +152 -0
- data/components/checks/active/ldap_injection.rb +109 -0
- data/{modules/audit/ldapi → components/checks/active/ldap_injection}/errors.txt +0 -0
- data/components/checks/active/no_sql_injection.rb +94 -0
- data/components/checks/active/no_sql_injection/patterns/mongodb +1 -0
- data/{extras/placeholder → components/checks/active/no_sql_injection/regexp_ignore.txt} +0 -0
- data/components/checks/active/no_sql_injection_differential.rb +78 -0
- data/components/checks/active/os_cmd_injection.rb +116 -0
- data/components/checks/active/os_cmd_injection_timing.rb +92 -0
- data/components/checks/active/path_traversal.rb +174 -0
- data/components/checks/active/response_splitting.rb +94 -0
- data/components/checks/active/rfi.rb +172 -0
- data/components/checks/active/session_fixation.rb +117 -0
- data/components/checks/active/source_code_disclosure.rb +177 -0
- data/components/checks/active/sql_injection.rb +123 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/access +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/coldfusion +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/db2 +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/emc +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/firebird +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/frontbase +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/hsqldb +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/informix +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/ingres +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/interbase +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/maxdb +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/mssql +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/mysql +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/oracle +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/pgsql +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/sqlite +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/patterns/sybase +0 -0
- data/{modules/audit/sqli → components/checks/active/sql_injection}/regexp_ignore.txt +0 -0
- data/components/checks/active/sql_injection_differential.rb +114 -0
- data/{modules/audit/sqli_blind_rdiff → components/checks/active/sql_injection_differential}/payloads.txt +0 -0
- data/components/checks/active/sql_injection_timing.rb +98 -0
- data/{modules/audit/sqli_blind_timing → components/checks/active/sql_injection_timing}/mssql.txt +0 -0
- data/{modules/audit/sqli_blind_timing → components/checks/active/sql_injection_timing}/mysql.txt +0 -0
- data/{modules/audit/sqli_blind_timing → components/checks/active/sql_injection_timing}/pgsql.txt +0 -0
- data/components/checks/active/trainer.rb +40 -0
- data/components/checks/active/unvalidated_redirect.rb +108 -0
- data/components/checks/active/xpath_injection.rb +87 -0
- data/{modules/audit/xpath → components/checks/active/xpath_injection}/errors.txt +0 -0
- data/components/checks/active/xss.rb +169 -0
- data/components/checks/active/xss_dom.rb +119 -0
- data/components/checks/active/xss_dom_inputs.rb +132 -0
- data/components/checks/active/xss_dom_script_context.rb +118 -0
- data/components/checks/active/xss_event.rb +165 -0
- data/components/checks/active/xss_path.rb +146 -0
- data/components/checks/active/xss_script_context.rb +207 -0
- data/components/checks/active/xss_tag.rb +135 -0
- data/components/checks/passive/allowed_methods.rb +92 -0
- data/components/checks/passive/backdoors.rb +79 -0
- data/{modules/recon → components/checks/passive}/backdoors/filenames.txt +0 -0
- data/components/checks/passive/backup_directories.rb +86 -0
- data/components/checks/passive/backup_directories/formats.txt +56 -0
- data/components/checks/passive/backup_files.rb +99 -0
- data/components/checks/passive/backup_files/formats.txt +106 -0
- data/components/checks/passive/common_directories.rb +81 -0
- data/{modules/recon → components/checks/passive}/common_directories/directories.txt +0 -0
- data/components/checks/passive/common_files.rb +73 -0
- data/components/checks/passive/common_files/filenames.txt +24 -0
- data/components/checks/passive/directory_listing.rb +129 -0
- data/components/checks/passive/grep/captcha.rb +73 -0
- data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +71 -0
- data/components/checks/passive/grep/credit_card.rb +124 -0
- data/components/checks/passive/grep/cvs_svn_users.rb +75 -0
- data/components/checks/passive/grep/emails.rb +53 -0
- data/components/checks/passive/grep/form_upload.rb +75 -0
- data/components/checks/passive/grep/hsts.rb +74 -0
- data/components/checks/passive/grep/html_objects.rb +45 -0
- data/components/checks/passive/grep/http_only_cookies.rb +72 -0
- data/components/checks/passive/grep/insecure_cookies.rb +74 -0
- data/components/checks/passive/grep/mixed_resource.rb +109 -0
- data/components/checks/passive/grep/password_autocomplete.rb +80 -0
- data/components/checks/passive/grep/private_ip.rb +73 -0
- data/components/checks/passive/grep/ssn.rb +62 -0
- data/components/checks/passive/grep/unencrypted_password_forms.rb +88 -0
- data/components/checks/passive/htaccess_limit.rb +71 -0
- data/components/checks/passive/http_put.rb +91 -0
- data/components/checks/passive/interesting_responses.rb +88 -0
- data/components/checks/passive/localstart_asp.rb +88 -0
- data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +83 -0
- data/components/checks/passive/webdav.rb +101 -0
- data/components/checks/passive/xst.rb +90 -0
- data/components/fingerprinters/frameworks/rack.rb +33 -0
- data/components/fingerprinters/languages/asp.rb +34 -0
- data/components/fingerprinters/languages/aspx.rb +55 -0
- data/components/fingerprinters/languages/jsp.rb +34 -0
- data/components/fingerprinters/languages/php.rb +35 -0
- data/components/fingerprinters/languages/python.rb +32 -0
- data/components/fingerprinters/languages/ruby.rb +33 -0
- data/components/fingerprinters/os/bsd.rb +28 -0
- data/components/fingerprinters/os/linux.rb +34 -0
- data/components/fingerprinters/os/solaris.rb +33 -0
- data/components/fingerprinters/os/unix.rb +28 -0
- data/components/fingerprinters/os/windows.rb +33 -0
- data/components/fingerprinters/servers/apache.rb +28 -0
- data/components/fingerprinters/servers/iis.rb +28 -0
- data/components/fingerprinters/servers/jetty.rb +28 -0
- data/components/fingerprinters/servers/nginx.rb +28 -0
- data/components/fingerprinters/servers/tomcat.rb +28 -0
- data/components/path_extractors/anchors.rb +29 -0
- data/components/path_extractors/areas.rb +29 -0
- data/components/path_extractors/comments.rb +21 -0
- data/components/path_extractors/forms.rb +29 -0
- data/components/path_extractors/frames.rb +29 -0
- data/components/path_extractors/generic.rb +76 -0
- data/components/path_extractors/links.rb +29 -0
- data/components/path_extractors/meta_refresh.rb +50 -0
- data/components/path_extractors/scripts.rb +31 -0
- data/components/plugins/autologin.rb +120 -0
- data/components/plugins/beep_notify.rb +43 -0
- data/components/plugins/content_types.rb +110 -0
- data/components/plugins/cookie_collector.rb +94 -0
- data/components/plugins/defaults/autothrottle.rb +73 -0
- data/components/plugins/defaults/healthmap.rb +79 -0
- data/components/plugins/defaults/meta/remedies/discovery.rb +122 -0
- data/components/plugins/defaults/meta/remedies/timing_attacks.rb +98 -0
- data/components/plugins/defaults/meta/uniformity.rb +55 -0
- data/components/plugins/email_notify.rb +112 -0
- data/components/plugins/form_dicattack.rb +128 -0
- data/components/plugins/http_dicattack.rb +102 -0
- data/components/plugins/proxy.rb +492 -0
- data/{plugins → components/plugins}/proxy/panel/403_forbidden.html.erb +0 -0
- data/{plugins → components/plugins}/proxy/panel/404_not_found.html.erb +0 -0
- data/{plugins → components/plugins}/proxy/panel/css/bootstrap-responsive.css +0 -0
- data/{plugins → components/plugins}/proxy/panel/css/bootstrap.min.css +0 -0
- data/{plugins → components/plugins}/proxy/panel/css/panel.css +0 -0
- data/{plugins → components/plugins}/proxy/panel/help.html.erb +0 -0
- data/{plugins → components/plugins}/proxy/panel/img/glyphicons-halflings-white.png +0 -0
- data/{plugins → components/plugins}/proxy/panel/img/glyphicons-halflings.png +0 -0
- data/{plugins → components/plugins}/proxy/panel/img/record.png +0 -0
- data/{plugins → components/plugins}/proxy/panel/inspect.html.erb +0 -0
- data/{plugins → components/plugins}/proxy/panel/js/bootstrap.min.js +0 -0
- data/{plugins → components/plugins}/proxy/panel/js/jquery.min.js +0 -0
- data/{plugins → components/plugins}/proxy/panel/js/panel.js +0 -0
- data/{plugins → components/plugins}/proxy/panel/layout.html.erb +0 -0
- data/components/plugins/proxy/panel/page_accordion.html.erb +67 -0
- data/{plugins → components/plugins}/proxy/panel/page_twin_accordion.html.erb +0 -0
- data/components/plugins/proxy/panel/panel.html.erb +69 -0
- data/{plugins → components/plugins}/proxy/panel/shutdown_message.html.erb +0 -0
- data/{plugins → components/plugins}/proxy/panel/sign_in.html.erb +0 -0
- data/{plugins → components/plugins}/proxy/panel/vectors.yml.erb +0 -0
- data/{plugins → components/plugins}/proxy/panel/verify_login_check.html.erb +0 -0
- data/{plugins → components/plugins}/proxy/panel/verify_login_final.html.erb +0 -0
- data/components/plugins/proxy/panel/verify_login_sequence.html.erb +45 -0
- data/components/plugins/proxy/template_scope.rb +130 -0
- data/components/plugins/script.rb +48 -0
- data/components/plugins/uncommon_headers.rb +92 -0
- data/components/plugins/vector_feed.rb +225 -0
- data/components/plugins/waf_detector.rb +169 -0
- data/components/reporters/ap.rb +38 -0
- data/components/reporters/html.rb +468 -0
- data/components/reporters/html/default.erb +68 -0
- data/components/reporters/html/default/configuration.erb +78 -0
- data/components/reporters/html/default/css/lib/bootstrap-theme.min.css +7 -0
- data/components/reporters/html/default/css/lib/bootstrap.min.css +7 -0
- data/components/reporters/html/default/css/lib/c3.css +203 -0
- data/components/reporters/html/default/css/lib/font-awesome.min.css +4 -0
- data/components/reporters/html/default/css/main.css +140 -0
- data/components/reporters/html/default/fonts/FontAwesome.otf +0 -0
- data/components/reporters/html/default/fonts/fontawesome-webfont.eot +0 -0
- data/components/reporters/html/default/fonts/fontawesome-webfont.svg +504 -0
- data/components/reporters/html/default/fonts/fontawesome-webfont.ttf +0 -0
- data/components/reporters/html/default/fonts/fontawesome-webfont.woff +0 -0
- data/components/reporters/html/default/fonts/glyphicons-halflings-regular.eot +0 -0
- data/components/reporters/html/default/fonts/glyphicons-halflings-regular.svg +229 -0
- data/components/reporters/html/default/fonts/glyphicons-halflings-regular.ttf +0 -0
- data/components/reporters/html/default/fonts/glyphicons-halflings-regular.woff +0 -0
- data/components/reporters/html/default/issue.erb +81 -0
- data/components/reporters/html/default/issue/details.erb +68 -0
- data/components/reporters/html/default/issue/info.erb +74 -0
- data/components/reporters/html/default/issue/page.erb +117 -0
- data/components/reporters/html/default/issue/page/body.erb +42 -0
- data/components/reporters/html/default/issue/page/sink/data_flow.erb +95 -0
- data/components/reporters/html/default/issue/page/sink/data_flow/arguments.erb +70 -0
- data/components/reporters/html/default/issue/page/sink/data_flow/source.erb +1 -0
- data/components/reporters/html/default/issue/page/sink/execution_flow.erb +63 -0
- data/components/reporters/html/default/issue/page/sink/frame/source.erb +32 -0
- data/components/reporters/html/default/issue/page/sink/trace/table.erb +127 -0
- data/components/reporters/html/default/issue/page/transitions.erb +86 -0
- data/components/reporters/html/default/issue/platform.erb +8 -0
- data/components/reporters/html/default/issue/remarks.erb +28 -0
- data/components/reporters/html/default/issue/vector.erb +40 -0
- data/components/reporters/html/default/issues.erb +46 -0
- data/components/reporters/html/default/issues/grouped.erb +147 -0
- data/components/reporters/html/default/js/charts.js.erb +117 -0
- data/components/reporters/html/default/js/configuration.js.erb +12 -0
- data/components/reporters/html/default/js/helpers.js +107 -0
- data/components/reporters/html/default/js/init.js.erb +23 -0
- data/components/reporters/html/default/js/lib/bootstrap.min.js +6 -0
- data/components/reporters/html/default/js/lib/c3.min.js +3 -0
- data/components/reporters/html/default/js/lib/d3.min.js +5 -0
- data/components/reporters/html/default/js/lib/jquery.min.js +4 -0
- data/components/reporters/html/default/navigation.erb +136 -0
- data/components/reporters/html/default/plugins.erb +30 -0
- data/components/reporters/html/default/shared/hash.erb +10 -0
- data/components/reporters/html/default/shared/hash_table.erb +22 -0
- data/components/reporters/html/default/sitemap.erb +29 -0
- data/components/reporters/html/default/summary.erb +34 -0
- data/components/reporters/html/default/summary/charts.erb +67 -0
- data/components/reporters/html/default/summary/issues.erb +129 -0
- data/components/reporters/json.rb +44 -0
- data/components/reporters/marshal.rb +38 -0
- data/components/reporters/plugin_formatters/html/autologin.rb +50 -0
- data/components/reporters/plugin_formatters/html/content_types.rb +59 -0
- data/components/reporters/plugin_formatters/html/cookie_collector.rb +46 -0
- data/components/reporters/plugin_formatters/html/form_dicattack.rb +36 -0
- data/components/reporters/plugin_formatters/html/healthmap.rb +88 -0
- data/components/reporters/plugin_formatters/html/http_dicattack.rb +36 -0
- data/components/reporters/plugin_formatters/html/uncommon_headers.rb +40 -0
- data/components/reporters/plugin_formatters/html/uniformity.rb +55 -0
- data/components/reporters/plugin_formatters/html/waf_detector.rb +69 -0
- data/components/reporters/plugin_formatters/stdout/autologin.rb +25 -0
- data/components/reporters/plugin_formatters/stdout/content_types.rb +39 -0
- data/components/reporters/plugin_formatters/stdout/cookie_collector.rb +31 -0
- data/components/reporters/plugin_formatters/stdout/form_dicattack.rb +24 -0
- data/components/reporters/plugin_formatters/stdout/healthmap.rb +41 -0
- data/components/reporters/plugin_formatters/stdout/http_dicattack.rb +24 -0
- data/components/reporters/plugin_formatters/stdout/uncommon_headers.rb +29 -0
- data/components/reporters/plugin_formatters/stdout/uniformity.rb +35 -0
- data/components/reporters/plugin_formatters/stdout/waf_detector.rb +21 -0
- data/components/reporters/plugin_formatters/xml/autologin.rb +28 -0
- data/components/reporters/plugin_formatters/xml/content_types.rb +36 -0
- data/components/reporters/plugin_formatters/xml/cookie_collector.rb +32 -0
- data/components/reporters/plugin_formatters/xml/form_dicattack.rb +22 -0
- data/components/reporters/plugin_formatters/xml/healthmap.rb +30 -0
- data/components/reporters/plugin_formatters/xml/http_dicattack.rb +22 -0
- data/components/reporters/plugin_formatters/xml/uncommon_headers.rb +29 -0
- data/components/reporters/plugin_formatters/xml/uniformity.rb +23 -0
- data/components/reporters/plugin_formatters/xml/waf_detector.rb +22 -0
- data/components/reporters/stdout.rb +226 -0
- data/components/reporters/txt.rb +50 -0
- data/components/reporters/xml.rb +285 -0
- data/components/reporters/xml/schema.xsd +664 -0
- data/components/reporters/yaml.rb +37 -0
- data/{rpcd_handlers → components/services}/placeholder +0 -0
- data/lib/arachni.rb +29 -18
- data/lib/arachni/banner.rb +5 -13
- data/lib/arachni/browser.rb +1292 -0
- data/lib/arachni/browser/element_locator.rb +137 -0
- data/lib/arachni/browser/javascript.rb +383 -0
- data/lib/arachni/browser/javascript/dom_monitor.rb +31 -0
- data/lib/arachni/browser/javascript/proxy.rb +92 -0
- data/lib/arachni/browser/javascript/proxy/stub.rb +90 -0
- data/lib/arachni/browser/javascript/scripts/dom_monitor.js +146 -0
- data/lib/arachni/browser/javascript/scripts/taint_tracer.js +486 -0
- data/lib/arachni/browser/javascript/taint_tracer.rb +101 -0
- data/lib/arachni/browser/javascript/taint_tracer/frame.rb +73 -0
- data/lib/arachni/browser/javascript/taint_tracer/frame/called_function.rb +78 -0
- data/lib/arachni/browser/javascript/taint_tracer/sink/base.rb +63 -0
- data/lib/arachni/browser/javascript/taint_tracer/sink/data_flow.rb +83 -0
- data/lib/arachni/browser/javascript/taint_tracer/sink/execution_flow.rb +30 -0
- data/lib/arachni/browser_cluster.rb +414 -0
- data/lib/arachni/browser_cluster/job.rb +193 -0
- data/lib/arachni/browser_cluster/job/result.rb +29 -0
- data/lib/arachni/browser_cluster/jobs/browser_provider.rb +27 -0
- data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +60 -0
- data/lib/arachni/browser_cluster/jobs/resource_exploration/event_trigger.rb +43 -0
- data/lib/arachni/browser_cluster/jobs/resource_exploration/event_trigger/result.rb +23 -0
- data/lib/arachni/browser_cluster/jobs/resource_exploration/result.rb +23 -0
- data/lib/arachni/browser_cluster/jobs/taint_trace.rb +48 -0
- data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +33 -0
- data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger/result.rb +23 -0
- data/lib/arachni/browser_cluster/jobs/taint_trace/result.rb +23 -0
- data/lib/arachni/browser_cluster/worker.rb +277 -0
- data/lib/arachni/check.rb +12 -0
- data/lib/arachni/check/auditor.rb +612 -0
- data/lib/arachni/check/base.rb +177 -0
- data/lib/arachni/check/manager.rb +137 -0
- data/lib/arachni/component.rb +11 -0
- data/lib/arachni/component/base.rb +62 -0
- data/lib/arachni/component/manager.rb +92 -90
- data/lib/arachni/component/options.rb +6 -28
- data/lib/arachni/component/options/address.rb +14 -30
- data/lib/arachni/component/options/base.rb +96 -81
- data/lib/arachni/component/options/bool.rb +20 -37
- data/lib/arachni/component/options/float.rb +12 -31
- data/lib/arachni/component/options/int.rb +14 -31
- data/lib/arachni/component/options/multiple_choice.rb +40 -0
- data/lib/arachni/component/options/object.rb +16 -0
- data/lib/arachni/component/options/path.rb +12 -25
- data/lib/arachni/component/options/port.rb +15 -25
- data/lib/arachni/component/options/string.rb +10 -32
- data/lib/arachni/component/options/url.rb +15 -30
- data/lib/arachni/component/output.rb +33 -0
- data/lib/arachni/component/utilities.rb +49 -0
- data/lib/arachni/data.rb +109 -0
- data/lib/arachni/data/framework.rb +160 -0
- data/lib/arachni/data/framework/rpc.rb +68 -0
- data/lib/arachni/data/issues.rb +227 -0
- data/lib/arachni/data/plugins.rb +109 -0
- data/lib/arachni/data/session.rb +48 -0
- data/lib/arachni/element/base.rb +131 -82
- data/lib/arachni/element/body.rb +43 -13
- data/lib/arachni/element/capabilities/analyzable.rb +46 -0
- data/lib/arachni/element/capabilities/analyzable/differential.rb +436 -0
- data/lib/arachni/element/capabilities/analyzable/taint.rb +218 -0
- data/lib/arachni/element/capabilities/analyzable/timeout.rb +433 -0
- data/lib/arachni/element/capabilities/auditable.rb +172 -577
- data/lib/arachni/element/capabilities/auditable/dom.rb +156 -0
- data/lib/arachni/element/capabilities/inputtable.rb +267 -0
- data/lib/arachni/element/capabilities/mutable.rb +197 -155
- data/lib/arachni/element/capabilities/refreshable.rb +31 -24
- data/lib/arachni/element/capabilities/submittable.rb +128 -0
- data/lib/arachni/element/capabilities/with_auditor.rb +60 -0
- data/lib/arachni/element/capabilities/with_auditor/output.rb +33 -0
- data/lib/arachni/element/capabilities/with_dom.rb +40 -0
- data/lib/arachni/element/capabilities/with_node.rb +52 -0
- data/lib/arachni/element/capabilities/with_scope.rb +25 -0
- data/lib/arachni/element/capabilities/with_scope/scope.rb +38 -0
- data/lib/arachni/element/cookie.rb +337 -862
- data/lib/arachni/element/cookie/dom.rb +67 -0
- data/lib/arachni/element/form.rb +326 -756
- data/lib/arachni/element/form/dom.rb +52 -0
- data/lib/arachni/element/generic_dom.rb +133 -0
- data/lib/arachni/element/header.rb +46 -46
- data/lib/arachni/element/link.rb +134 -172
- data/lib/arachni/element/link/dom.rb +128 -0
- data/lib/arachni/element/link_template.rb +268 -0
- data/lib/arachni/element/link_template/dom.rb +143 -0
- data/lib/arachni/element/path.rb +24 -13
- data/lib/arachni/element/server.rb +89 -13
- data/lib/arachni/element_filter.rb +101 -99
- data/lib/arachni/error.rb +5 -15
- data/lib/arachni/ethon/easy.rb +22 -0
- data/lib/arachni/framework.rb +841 -476
- data/lib/arachni/http.rb +6 -714
- data/lib/arachni/http/client.rb +801 -0
- data/lib/arachni/http/cookie_jar.rb +50 -51
- data/lib/arachni/http/headers.rb +122 -0
- data/lib/arachni/http/message.rb +76 -0
- data/lib/arachni/http/message/scope.rb +35 -0
- data/lib/arachni/http/proxy_server.rb +303 -0
- data/{plugins/proxy → lib/arachni/http/proxy_server}/ssl-interceptor-cert.pem +0 -0
- data/{plugins/proxy → lib/arachni/http/proxy_server}/ssl-interceptor-pkey.pem +0 -0
- data/lib/arachni/http/request.rb +471 -0
- data/lib/arachni/http/request/scope.rb +30 -0
- data/lib/arachni/http/response.rb +226 -0
- data/lib/arachni/http/response/scope.rb +67 -0
- data/lib/arachni/issue.rb +389 -223
- data/lib/arachni/issue/severity.rb +34 -0
- data/lib/arachni/issue/severity/base.rb +39 -0
- data/lib/arachni/option_group.rb +137 -0
- data/lib/arachni/option_groups.rb +13 -0
- data/lib/arachni/option_groups/audit.rb +226 -0
- data/lib/arachni/option_groups/browser_cluster.rb +50 -0
- data/lib/arachni/option_groups/datastore.rb +31 -0
- data/lib/arachni/option_groups/dispatcher.rb +132 -0
- data/lib/arachni/option_groups/http.rb +174 -0
- data/lib/arachni/option_groups/input.rb +156 -0
- data/lib/arachni/option_groups/output.rb +22 -0
- data/lib/arachni/option_groups/paths.rb +63 -0
- data/lib/arachni/option_groups/rpc.rb +87 -0
- data/lib/arachni/option_groups/scope.rb +233 -0
- data/lib/arachni/option_groups/session.rb +54 -0
- data/lib/arachni/option_groups/snapshot.rb +22 -0
- data/lib/arachni/options.rb +286 -1486
- data/lib/arachni/page.rb +504 -108
- data/lib/arachni/page/dom.rb +280 -0
- data/lib/arachni/page/dom/transition.rb +302 -0
- data/lib/arachni/page/scope.rb +53 -0
- data/lib/arachni/parser.rb +177 -210
- data/lib/arachni/platform.rb +5 -13
- data/lib/arachni/platform/fingerprinter.rb +24 -23
- data/lib/arachni/platform/list.rb +48 -27
- data/lib/arachni/platform/manager.rb +146 -83
- data/lib/arachni/plugin.rb +5 -13
- data/lib/arachni/plugin/base.rb +90 -110
- data/lib/arachni/plugin/formatter.rb +40 -0
- data/lib/arachni/plugin/manager.rb +129 -108
- data/lib/arachni/processes.rb +6 -14
- data/lib/arachni/processes/dispatchers.rb +51 -58
- data/lib/arachni/processes/executables/base.rb +9 -0
- data/lib/arachni/processes/executables/dispatcher.rb +6 -0
- data/lib/arachni/processes/executables/instance.rb +13 -0
- data/lib/arachni/processes/helpers.rb +4 -12
- data/lib/arachni/processes/helpers/dispatchers.rb +8 -12
- data/lib/arachni/processes/helpers/instances.rb +13 -13
- data/lib/arachni/processes/helpers/processes.rb +8 -28
- data/lib/arachni/processes/instances.rb +86 -63
- data/lib/arachni/processes/manager.rb +89 -52
- data/lib/arachni/report.rb +282 -15
- data/lib/arachni/reporter.rb +12 -0
- data/lib/arachni/reporter/base.rb +126 -0
- data/lib/arachni/reporter/formatter_manager.rb +20 -0
- data/lib/arachni/reporter/manager.rb +54 -0
- data/lib/arachni/reporter/options.rb +47 -0
- data/lib/arachni/rpc/client/base.rb +27 -35
- data/lib/arachni/rpc/client/dispatcher.rb +13 -21
- data/lib/arachni/rpc/client/instance.rb +45 -40
- data/lib/arachni/rpc/client/instance/framework.rb +88 -0
- data/lib/arachni/rpc/client/instance/service.rb +106 -0
- data/lib/arachni/rpc/serializer.rb +98 -0
- data/lib/arachni/rpc/server/active_options.rb +26 -42
- data/lib/arachni/rpc/server/base.rb +35 -26
- data/lib/arachni/rpc/server/check/manager.rb +38 -0
- data/lib/arachni/rpc/server/dispatcher.rb +125 -211
- data/lib/arachni/rpc/server/dispatcher/node.rb +36 -50
- data/lib/arachni/rpc/server/dispatcher/service.rb +153 -0
- data/lib/arachni/rpc/server/framework.rb +83 -176
- data/lib/arachni/rpc/server/framework/distributor.rb +292 -271
- data/lib/arachni/rpc/server/framework/master.rb +164 -296
- data/lib/arachni/rpc/server/framework/multi_instance.rb +96 -128
- data/lib/arachni/rpc/server/framework/slave.rb +79 -89
- data/lib/arachni/rpc/server/instance.rb +362 -413
- data/lib/arachni/rpc/server/output.rb +33 -147
- data/lib/arachni/rpc/server/plugin/manager.rb +18 -54
- data/lib/arachni/ruby.rb +5 -14
- data/lib/arachni/ruby/array.rb +4 -14
- data/lib/arachni/ruby/hash.rb +47 -15
- data/lib/arachni/ruby/io.rb +4 -14
- data/lib/arachni/ruby/object.rb +10 -52
- data/lib/arachni/ruby/set.rb +4 -12
- data/lib/arachni/ruby/string.rb +60 -40
- data/lib/arachni/ruby/webrick.rb +4 -12
- data/lib/arachni/ruby/webrick/cookie.rb +4 -12
- data/lib/arachni/ruby/webrick/httprequest.rb +4 -12
- data/lib/arachni/scope.rb +40 -0
- data/lib/arachni/selenium/webdriver/remote/http/typhoeus.rb +46 -0
- data/lib/arachni/session.rb +150 -173
- data/lib/arachni/snapshot.rb +181 -0
- data/lib/arachni/state.rb +122 -0
- data/lib/arachni/state/audit.rb +57 -0
- data/lib/arachni/state/element_filter.rb +67 -0
- data/lib/arachni/state/framework.rb +419 -0
- data/lib/arachni/state/framework/rpc.rb +63 -0
- data/lib/arachni/state/http.rb +60 -0
- data/lib/arachni/state/options.rb +39 -0
- data/lib/arachni/state/plugins.rb +94 -0
- data/lib/arachni/support.rb +6 -15
- data/lib/arachni/support/buffer.rb +5 -13
- data/lib/arachni/support/buffer/autoflush.rb +5 -15
- data/lib/arachni/support/buffer/base.rb +41 -70
- data/lib/arachni/support/cache.rb +5 -13
- data/lib/arachni/support/cache/base.rb +45 -50
- data/lib/arachni/support/cache/least_cost_replacement.rb +9 -19
- data/lib/arachni/support/cache/least_recently_used.rb +5 -15
- data/lib/arachni/support/cache/preference.rb +11 -20
- data/lib/arachni/support/cache/random_replacement.rb +10 -15
- data/lib/arachni/support/crypto.rb +5 -13
- data/lib/arachni/support/crypto/rsa_aes_cbc.rb +15 -27
- data/lib/arachni/support/database.rb +5 -13
- data/lib/arachni/support/database/base.rb +20 -37
- data/lib/arachni/support/database/hash.rb +265 -350
- data/lib/arachni/support/database/queue.rb +86 -27
- data/lib/arachni/support/lookup.rb +5 -13
- data/lib/arachni/support/lookup/base.rb +33 -26
- data/lib/arachni/support/lookup/hash_set.rb +11 -15
- data/lib/arachni/support/lookup/moolb.rb +9 -20
- data/lib/arachni/support/mixins.rb +14 -0
- data/lib/arachni/support/mixins/observable.rb +105 -0
- data/lib/arachni/support/mixins/terminal.rb +65 -0
- data/lib/arachni/support/profiler.rb +130 -0
- data/lib/arachni/support/signature.rb +37 -67
- data/lib/arachni/trainer.rb +57 -97
- data/lib/arachni/ui/foo/output.rb +31 -33
- data/lib/arachni/uri.rb +456 -462
- data/lib/arachni/uri/scope.rb +168 -0
- data/lib/arachni/utilities.rb +125 -147
- data/lib/arachni/version.rb +4 -12
- data/lib/arachni/watir/element.rb +17 -0
- data/lib/version +1 -1
- data/{spec/support/servers/modules/audit/sqli/jdbc → profiles/placeholder} +0 -0
- data/spec/arachni/browser/element_locator_spec.rb +228 -0
- data/spec/arachni/browser/javascript/dom_monitor_spec.rb +195 -0
- data/spec/arachni/browser/javascript/proxy/stub_spec.rb +106 -0
- data/spec/arachni/browser/javascript/proxy_spec.rb +144 -0
- data/spec/arachni/browser/javascript/taint_tracer/frame/called_function_spec.rb +72 -0
- data/spec/arachni/browser/javascript/taint_tracer/frame_spec.rb +46 -0
- data/spec/arachni/browser/javascript/taint_tracer/sink/data_flow_spec.rb +81 -0
- data/spec/arachni/browser/javascript/taint_tracer/sink/execution_flow_spec.rb +47 -0
- data/spec/arachni/browser/javascript/taint_tracer_spec.rb +1304 -0
- data/spec/arachni/browser/javascript_spec.rb +355 -0
- data/spec/arachni/browser_cluster/job/result_spec.rb +14 -0
- data/spec/arachni/browser_cluster/job_spec.rb +264 -0
- data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger/result_spec.rb +7 -0
- data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger_spec.rb +68 -0
- data/spec/arachni/browser_cluster/jobs/resource_exploration/result_spec.rb +7 -0
- data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +89 -0
- data/spec/arachni/browser_cluster/jobs/taint_tracer_spec.rb +149 -0
- data/spec/arachni/browser_cluster/worker_spec.rb +314 -0
- data/spec/arachni/browser_cluster_spec.rb +543 -0
- data/spec/arachni/browser_spec.rb +2368 -0
- data/spec/arachni/check/auditor_spec.rb +1089 -0
- data/spec/arachni/check/base_spec.rb +33 -0
- data/spec/arachni/check/manager_spec.rb +100 -0
- data/spec/arachni/component/base_spec.rb +64 -0
- data/spec/arachni/component/manager_spec.rb +37 -26
- data/spec/arachni/component/options/address_spec.rb +5 -11
- data/spec/arachni/component/options/base_spec.rb +29 -81
- data/spec/arachni/component/options/bool_spec.rb +16 -19
- data/spec/arachni/component/options/float_spec.rb +17 -16
- data/spec/arachni/component/options/int_spec.rb +17 -20
- data/spec/arachni/component/options/multiple_choice_spec.rb +82 -0
- data/spec/arachni/component/options/object_spec.rb +24 -0
- data/spec/arachni/component/options/path_spec.rb +8 -11
- data/spec/arachni/component/options/port_spec.rb +16 -15
- data/spec/arachni/component/options/string_spec.rb +8 -17
- data/spec/arachni/component/options/url_spec.rb +16 -14
- data/spec/arachni/component/utilities_spec.rb +30 -0
- data/spec/arachni/{module → component}/utilities_spec/read_file.txt +0 -0
- data/spec/arachni/data/framework/rpc_spec.rb +72 -0
- data/spec/arachni/data/framework_spec.rb +266 -0
- data/spec/arachni/data/issues_spec.rb +347 -0
- data/spec/arachni/data/plugins_spec.rb +102 -0
- data/spec/arachni/data/session_spec.rb +59 -0
- data/spec/arachni/data_spec.rb +71 -0
- data/spec/arachni/element/body_spec.rb +63 -4
- data/spec/arachni/element/capabilities/analyzable/differential_spec.rb +135 -0
- data/spec/arachni/element/capabilities/analyzable/taint_spec.rb +355 -0
- data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +386 -0
- data/spec/arachni/element/capabilities/with_scope/scope_spec.rb +25 -0
- data/spec/arachni/element/cookie/dom_spec.rb +145 -0
- data/spec/arachni/element/cookie_spec.rb +147 -108
- data/spec/arachni/element/form/dom_spec.rb +146 -0
- data/spec/arachni/element/form_spec.rb +519 -271
- data/spec/arachni/element/generic_dom_spec.rb +113 -0
- data/spec/arachni/element/header_spec.rb +68 -20
- data/spec/arachni/element/link/dom_spec.rb +206 -0
- data/spec/arachni/element/link_spec.rb +218 -130
- data/spec/arachni/element/link_template/dom_spec.rb +218 -0
- data/spec/arachni/element/link_template_spec.rb +403 -0
- data/spec/arachni/element/path_spec.rb +28 -4
- data/spec/arachni/element/server_spec.rb +171 -4
- data/spec/arachni/element_filter_spec.rb +227 -96
- data/spec/arachni/framework_spec.rb +1099 -759
- data/spec/arachni/http/client_spec.rb +1470 -0
- data/spec/arachni/http/cookie_jar_spec.rb +164 -130
- data/spec/arachni/http/headers_spec.rb +111 -0
- data/spec/arachni/http/message_spec.rb +5 -0
- data/spec/arachni/http/proxy_server_spec.rb +354 -0
- data/spec/arachni/http/request_spec.rb +602 -0
- data/spec/arachni/http/response/scope_spec.rb +135 -0
- data/spec/arachni/http/response_spec.rb +350 -0
- data/spec/arachni/issue/severity/base_spec.rb +15 -0
- data/spec/arachni/issue/severity_spec.rb +43 -0
- data/spec/arachni/issue_spec.rb +547 -284
- data/spec/arachni/option_groups/audit_spec.rb +298 -0
- data/spec/arachni/option_groups/browser_cluster_spec.rb +12 -0
- data/spec/arachni/option_groups/datastore_spec.rb +54 -0
- data/spec/arachni/option_groups/dispatcher_spec.rb +123 -0
- data/spec/arachni/option_groups/http_spec.rb +42 -0
- data/spec/arachni/option_groups/input_spec.rb +202 -0
- data/spec/arachni/option_groups/output_spec.rb +11 -0
- data/spec/arachni/option_groups/paths_spec.rb +34 -0
- data/spec/arachni/option_groups/rpc_spec.rb +13 -0
- data/spec/arachni/option_groups/scope_spec.rb +237 -0
- data/spec/arachni/option_groups/session_spec.rb +51 -0
- data/spec/arachni/option_groups/snapshot_spec.rb +11 -0
- data/spec/arachni/options_spec.rb +202 -756
- data/spec/arachni/page/dom/transition_spec.rb +515 -0
- data/spec/arachni/page/dom_spec.rb +308 -0
- data/spec/arachni/page/scope_spec.rb +80 -0
- data/spec/arachni/page_spec.rb +789 -175
- data/spec/arachni/parser_spec.rb +308 -200
- data/spec/arachni/platform/fingerprinter_spec.rb +51 -52
- data/spec/arachni/platform/manager_spec.rb +146 -34
- data/spec/arachni/plugin/base_spec.rb +97 -0
- data/spec/arachni/plugin/manager_spec.rb +186 -80
- data/spec/arachni/report_spec.rb +275 -0
- data/spec/arachni/reporter/base_spec.rb +96 -0
- data/spec/arachni/reporter/manager_spec.rb +38 -0
- data/spec/arachni/reporter/options_spec.rb +48 -0
- data/spec/arachni/rpc/client/base_spec.rb +43 -45
- data/spec/arachni/rpc/client/dispatcher_spec.rb +3 -3
- data/spec/arachni/rpc/client/instance_spec.rb +18 -40
- data/spec/arachni/rpc/server/active_options_spec.rb +35 -296
- data/spec/arachni/rpc/server/base_spec.rb +12 -6
- data/spec/arachni/rpc/server/checks/manager_spec.rb +48 -0
- data/spec/arachni/rpc/server/dispatcher/node_spec.rb +47 -74
- data/spec/arachni/rpc/server/dispatcher/service_spec.rb +99 -0
- data/spec/arachni/rpc/server/dispatcher_spec.rb +77 -38
- data/spec/arachni/rpc/server/framework/distributor_spec.rb +356 -396
- data/spec/arachni/rpc/server/framework_multi_spec.rb +336 -0
- data/spec/arachni/rpc/server/framework_spec.rb +396 -0
- data/spec/arachni/rpc/server/instance_spec.rb +480 -281
- data/spec/arachni/rpc/server/output_spec.rb +9 -212
- data/spec/arachni/rpc/server/plugin/manager_spec.rb +6 -11
- data/spec/arachni/ruby/hash_spec.rb +30 -0
- data/spec/arachni/ruby/object_spec.rb +0 -16
- data/spec/arachni/ruby/string_spec.rb +98 -6
- data/spec/arachni/scope_spec.rb +13 -0
- data/spec/arachni/session_spec.rb +279 -251
- data/spec/arachni/snapshot_spec.rb +127 -0
- data/spec/arachni/state/audit_spec.rb +107 -0
- data/spec/arachni/state/element_filter_spec.rb +66 -0
- data/spec/arachni/state/framework/rpc_spec.rb +85 -0
- data/spec/arachni/state/framework_spec.rb +853 -0
- data/spec/arachni/state/http_spec.rb +63 -0
- data/spec/arachni/state/options_spec.rb +55 -0
- data/spec/arachni/state/plugins_spec.rb +76 -0
- data/spec/arachni/state_spec.rb +87 -0
- data/spec/arachni/support/cache/least_cost_replacement_spec.rb +30 -32
- data/spec/arachni/support/cache/least_recently_used_spec.rb +39 -40
- data/spec/arachni/support/cache/preference_spec.rb +17 -18
- data/spec/arachni/support/cache/random_replacement_spec.rb +19 -20
- data/spec/arachni/support/database/queue_spec.rb +200 -32
- data/spec/arachni/support/lookup/hash_set_spec.rb +74 -0
- data/spec/arachni/support/mixins/observable_spec.rb +81 -0
- data/spec/arachni/support/signature_spec.rb +9 -25
- data/spec/arachni/trainer_spec.rb +141 -124
- data/spec/arachni/uri/scope_spec.rb +416 -0
- data/spec/arachni/uri_spec.rb +187 -195
- data/spec/arachni/utilities_spec.rb +178 -525
- data/spec/components/checks/active/code_injection_spec.rb +26 -0
- data/spec/components/checks/active/code_injection_timing_spec.rb +26 -0
- data/spec/components/checks/active/csrf_spec.rb +44 -0
- data/spec/components/checks/active/file_inclusion_spec.rb +56 -0
- data/spec/components/checks/active/ldap_injection_spec.rb +16 -0
- data/spec/components/checks/active/no_sql_injection_differential_spec.rb +15 -0
- data/spec/components/checks/active/no_sql_injection_spec.rb +28 -0
- data/spec/components/checks/active/os_cmd_injection_spec.rb +26 -0
- data/spec/components/checks/active/os_cmd_injection_timing_spec.rb +26 -0
- data/spec/components/checks/active/path_traversal_spec.rb +42 -0
- data/spec/components/checks/active/response_splitting_spec.rb +22 -0
- data/spec/components/checks/active/rfi_spec.rb +20 -0
- data/spec/components/checks/active/session_fixation_spec.rb +20 -0
- data/spec/components/checks/active/source_code_disclosure_spec.rb +26 -0
- data/spec/components/checks/active/sql_injection_differential_spec.rb +15 -0
- data/spec/components/checks/active/sql_injection_spec.rb +142 -0
- data/spec/components/checks/active/sql_injection_timing_spec.rb +24 -0
- data/spec/components/checks/active/trainer_spec.rb +36 -0
- data/spec/components/checks/active/unvalidated_redirect_spec.rb +20 -0
- data/spec/components/checks/active/xpath_injection_spec.rb +16 -0
- data/spec/components/checks/active/xss_dom_inputs_spec.rb +32 -0
- data/spec/components/checks/active/xss_dom_script_context_spec.rb +63 -0
- data/spec/components/checks/active/xss_dom_spec.rb +67 -0
- data/spec/components/checks/active/xss_event_spec.rb +15 -0
- data/spec/components/checks/active/xss_path_spec.rb +15 -0
- data/spec/components/checks/active/xss_script_context_spec.rb +22 -0
- data/spec/components/checks/active/xss_spec.rb +22 -0
- data/spec/components/checks/active/xss_tag_spec.rb +15 -0
- data/spec/components/checks/passive/allowed_methods_spec.rb +15 -0
- data/spec/components/checks/passive/backdoors_spec.rb +15 -0
- data/spec/components/checks/passive/backup_directories_spec.rb +15 -0
- data/spec/components/checks/passive/backup_files_spec.rb +15 -0
- data/spec/components/checks/passive/common_directories_spec.rb +15 -0
- data/spec/components/checks/passive/common_files_spec.rb +15 -0
- data/spec/components/checks/passive/directory_listing_spec.rb +15 -0
- data/spec/components/checks/passive/grep/captcha_spec.rb +15 -0
- data/spec/components/checks/passive/grep/cookie_set_for_parent_domain_spec.rb +15 -0
- data/spec/components/checks/passive/grep/credit_card_spec.rb +15 -0
- data/spec/components/checks/passive/grep/cvs_svn_users_spec.rb +15 -0
- data/spec/components/checks/passive/grep/emails_spec.rb +15 -0
- data/spec/components/checks/passive/grep/form_upload_spec.rb +15 -0
- data/spec/components/checks/passive/grep/hsts_spec.rb +17 -0
- data/spec/components/checks/passive/grep/html_objects_spec.rb +15 -0
- data/spec/components/checks/passive/grep/http_only_cookies_spec.rb +15 -0
- data/spec/components/checks/passive/grep/insecure_cookies_spec.rb +15 -0
- data/spec/components/checks/passive/grep/mixed_resource_spec.rb +16 -0
- data/spec/components/checks/passive/grep/password_autocomplete_spec.rb +15 -0
- data/spec/components/checks/passive/grep/private_ip_spec.rb +22 -0
- data/spec/components/checks/passive/grep/ssn_spec.rb +15 -0
- data/spec/components/checks/passive/grep/unencrypted_password_forms_spec.rb +15 -0
- data/spec/components/checks/passive/htaccess_limit_spec.rb +15 -0
- data/spec/components/checks/passive/http_put_spec.rb +15 -0
- data/spec/components/checks/passive/interesting_responses_spec.rb +23 -0
- data/spec/components/checks/passive/localstart_asp_spec.rb +15 -0
- data/spec/components/checks/passive/origin_spoof_access_restriction_bypass_spec.rb +15 -0
- data/spec/components/checks/passive/webdav_spec.rb +15 -0
- data/spec/components/checks/passive/xst_spec.rb +15 -0
- data/spec/components/fingerprinters/frameworks/rack_spec.rb +42 -0
- data/spec/components/fingerprinters/languages/asp_spec.rb +38 -0
- data/spec/components/fingerprinters/languages/aspx_spec.rb +79 -0
- data/spec/components/fingerprinters/languages/jsp_spec.rb +56 -0
- data/spec/components/fingerprinters/languages/php_spec.rb +59 -0
- data/spec/components/fingerprinters/languages/python_spec.rb +23 -0
- data/spec/components/fingerprinters/languages/ruby.rb +34 -0
- data/spec/components/fingerprinters/os/bsd_spec.rb +26 -0
- data/spec/components/fingerprinters/os/linux_spec.rb +34 -0
- data/spec/components/fingerprinters/os/solaris_spec.rb +34 -0
- data/spec/components/fingerprinters/os/unix_spec.rb +26 -0
- data/spec/components/fingerprinters/os/windows_spec.rb +34 -0
- data/spec/components/fingerprinters/servers/apache_spec.rb +26 -0
- data/spec/components/fingerprinters/servers/iis_spec.rb +28 -0
- data/spec/components/fingerprinters/servers/jetty_spec.rb +28 -0
- data/spec/components/fingerprinters/servers/nginx_spec.rb +26 -0
- data/spec/components/fingerprinters/servers/tomcat_spec.rb +28 -0
- data/spec/{path_extractors → components/path_extractors}/anchors_spec.rb +0 -0
- data/spec/{path_extractors → components/path_extractors}/areas_spec.rb +0 -0
- data/spec/components/path_extractors/comments_spec.rb +23 -0
- data/spec/{path_extractors → components/path_extractors}/forms_spec.rb +0 -0
- data/spec/{path_extractors → components/path_extractors}/frames_spec.rb +0 -0
- data/spec/{path_extractors → components/path_extractors}/generic_spec.rb +0 -0
- data/spec/{path_extractors → components/path_extractors}/links_spec.rb +0 -0
- data/spec/{path_extractors → components/path_extractors}/meta_refresh_spec.rb +0 -0
- data/spec/components/path_extractors/scripts_spec.rb +30 -0
- data/spec/components/plugins/autologin_spec.rb +96 -0
- data/spec/components/plugins/autothrottle_spec.rb +56 -0
- data/spec/components/plugins/content_types_spec.rb +91 -0
- data/spec/components/plugins/cookie_collector_spec.rb +41 -0
- data/spec/components/plugins/form_dicattack_spec.rb +54 -0
- data/spec/components/plugins/healthmap_spec.rb +40 -0
- data/spec/components/plugins/http_dicattack_spec.rb +40 -0
- data/spec/components/plugins/meta/remedies/discovery_spec.rb +23 -0
- data/spec/components/plugins/meta/remedies/timing_attacks_spec.rb +31 -0
- data/spec/components/plugins/meta/uniformity_spec.rb +29 -0
- data/spec/components/plugins/script_spec.rb +13 -0
- data/spec/components/plugins/uncommon_headers_spec.rb +64 -0
- data/spec/components/plugins/vector_feed_spec.rb +169 -0
- data/spec/components/plugins/waf_detector_spec.rb +50 -0
- data/spec/components/reporters/ap_spec.rb +9 -0
- data/spec/components/reporters/html_spec.rb +9 -0
- data/spec/components/reporters/json_spec.rb +17 -0
- data/spec/components/reporters/marshal_spec.rb +13 -0
- data/spec/components/reporters/stdout_spec.rb +9 -0
- data/spec/components/reporters/txt_spec.rb +8 -0
- data/spec/components/reporters/xml_spec.rb +9 -0
- data/spec/components/reporters/yaml_spec.rb +14 -0
- data/spec/external/wavsep/active/lfi_spec.rb +1 -1
- data/spec/external/wavsep/active/obsolete_files_spec.rb +225 -0
- data/spec/external/wavsep/active/rfi_spec.rb +1 -1
- data/spec/external/wavsep/active/sqli_spec.rb +8 -6
- data/spec/external/wavsep/active/unvalidated_redirect_spec.rb +57 -0
- data/spec/external/wavsep/active/xss_dom_spec.rb +27 -0
- data/spec/external/wavsep/active/xss_spec.rb +13 -3
- data/spec/external/wavsep/false_positives/lfi_spec.rb +4 -16
- data/spec/external/wavsep/false_positives/obsolete_files_spec.rb +21 -0
- data/spec/external/wavsep/false_positives/rfi_spec.rb +2 -2
- data/spec/external/wavsep/false_positives/sqli_spec.rb +4 -15
- data/spec/external/wavsep/false_positives/unvalidated_redirect_spec.rb +21 -0
- data/spec/external/wavsep/false_positives/xss_spec.rb +2 -2
- data/spec/spec_helper.rb +17 -18
- data/spec/support/factories/browser/javascript/taint_tracer/frame.rb +10 -0
- data/spec/support/factories/browser/javascript/taint_tracer/frame/called_function.rb +11 -0
- data/spec/support/factories/browser/javascript/taint_tracer/sink/data_flow.rb +14 -0
- data/spec/support/factories/browser/javascript/taint_tracer/sink/execution_flow.rb +10 -0
- data/spec/support/factories/browser_cluster/job.rb +27 -0
- data/spec/support/factories/element/cookie.rb +7 -0
- data/spec/support/factories/element/form.rb +12 -0
- data/spec/support/factories/element/header.rb +5 -0
- data/spec/support/factories/element/link.rb +11 -0
- data/spec/support/factories/element/link_template.rb +11 -0
- data/spec/support/factories/http/request.rb +9 -0
- data/spec/support/factories/http/response.rb +42 -0
- data/spec/support/factories/issue.rb +67 -0
- data/spec/support/factories/page.rb +7 -0
- data/spec/support/factories/page/dom.rb +13 -0
- data/spec/support/factories/page/dom/transition.rb +21 -0
- data/spec/support/factories/scan_report.rb +35 -0
- data/spec/support/factories/vector.rb +32 -0
- data/spec/support/fixtures/check_with_invalid_platforms/with_invalid_platforms.rb +37 -0
- data/spec/support/fixtures/checks/test.rb +58 -0
- data/spec/support/fixtures/checks/test2.rb +41 -0
- data/spec/support/fixtures/checks/test3.rb +41 -0
- data/spec/support/fixtures/executables/node.rb +47 -0
- data/spec/support/fixtures/fingerprinters/test.rb +5 -13
- data/spec/support/fixtures/option_groups/input.yml +2 -0
- data/spec/support/fixtures/plugins/bad.rb +5 -13
- data/spec/support/fixtures/plugins/defaults/default.rb +6 -14
- data/spec/support/fixtures/plugins/distributable.rb +7 -15
- data/spec/support/fixtures/plugins/loop.rb +5 -13
- data/spec/support/fixtures/plugins/suspendable.rb +44 -0
- data/spec/support/fixtures/plugins/wait.rb +6 -14
- data/spec/support/fixtures/plugins/with_options.rb +20 -16
- data/spec/support/fixtures/plugins_with_priorities/p0.rb +17 -0
- data/spec/support/fixtures/plugins_with_priorities/p00.rb +17 -0
- data/spec/support/fixtures/plugins_with_priorities/p1.rb +17 -0
- data/spec/support/fixtures/plugins_with_priorities/p2.rb +17 -0
- data/spec/support/fixtures/plugins_with_priorities/p22.rb +17 -0
- data/spec/support/fixtures/plugins_with_priorities/p222.rb +17 -0
- data/spec/support/fixtures/plugins_with_priorities/p_nil.rb +16 -0
- data/spec/support/fixtures/plugins_with_priorities/p_nil2.rb +16 -0
- data/spec/support/fixtures/report.afr +0 -0
- data/spec/support/fixtures/reporters/base_spec/plugin_formatters/with_formatters/foobar.rb +13 -0
- data/spec/support/fixtures/reporters/base_spec/with_formatters.rb +15 -0
- data/spec/support/fixtures/reporters/base_spec/with_outfile.rb +16 -0
- data/spec/support/fixtures/reporters/base_spec/without_outfile.rb +12 -0
- data/spec/support/fixtures/reporters/manager_spec/afr.rb +13 -0
- data/spec/support/fixtures/reporters/manager_spec/foo.rb +18 -0
- data/spec/support/fixtures/rescan.afr.tpl +4 -5
- data/spec/support/fixtures/run_check/body.rb +48 -0
- data/spec/support/fixtures/run_check/cookies.rb +48 -0
- data/spec/support/fixtures/run_check/empty.rb +34 -0
- data/spec/support/fixtures/run_check/flch.rb +53 -0
- data/spec/support/fixtures/run_check/forms.rb +48 -0
- data/spec/support/fixtures/run_check/headers.rb +48 -0
- data/spec/support/fixtures/run_check/links.rb +48 -0
- data/spec/support/fixtures/run_check/nil.rb +47 -0
- data/spec/support/fixtures/run_check/path.rb +48 -0
- data/spec/support/fixtures/run_check/server.rb +48 -0
- data/spec/support/fixtures/services/echo.rb +64 -0
- data/spec/support/fixtures/taint_check/taint.rb +38 -0
- data/spec/support/fixtures/wait_check/wait.rb +38 -0
- data/spec/support/helpers/auditor.rb +18 -5
- data/spec/support/helpers/browser.rb +6 -0
- data/spec/support/helpers/browser_cluster/jobs/taint_tracer.rb +32 -0
- data/spec/support/helpers/framework.rb +5 -13
- data/spec/support/helpers/misc.rb +4 -12
- data/spec/support/helpers/pages.rb +18 -0
- data/spec/support/helpers/paths.rb +4 -12
- data/spec/support/helpers/requires.rb +5 -13
- data/spec/support/helpers/resets.rb +12 -19
- data/spec/support/helpers/web_server.rb +11 -15
- data/spec/support/lib/factory.rb +115 -0
- data/spec/support/lib/web_server_client.rb +49 -0
- data/spec/support/lib/web_server_dispatcher.rb +33 -0
- data/spec/support/lib/web_server_manager.rb +29 -32
- data/spec/support/pems/cacert.pem +35 -37
- data/spec/support/pems/client/cert.pem +35 -37
- data/spec/support/pems/client/key.pem +49 -49
- data/spec/support/pems/server/cert.pem +35 -37
- data/spec/support/pems/server/key.pem +49 -49
- data/spec/support/servers/arachni/browser.rb +836 -0
- data/spec/support/servers/arachni/browser/javascript.rb +7 -0
- data/spec/support/servers/arachni/browser/javascript/angular-1.2.8.js +20554 -0
- data/spec/support/servers/arachni/browser/javascript/angular-route.js +911 -0
- data/spec/support/servers/arachni/browser/javascript/dom_monitor.rb +90 -0
- data/spec/support/servers/arachni/browser/javascript/jquery-2.0.3.js +8829 -0
- data/spec/support/servers/arachni/browser/javascript/proxy.rb +17 -0
- data/spec/support/servers/arachni/browser/javascript/taint_tracer.rb +714 -0
- data/spec/support/servers/arachni/browser_cluster/jobs/event_trigger.rb +25 -0
- data/spec/support/servers/arachni/browser_https.rb +60 -0
- data/spec/support/servers/arachni/check/auditor.rb +247 -0
- data/spec/support/servers/arachni/element/body.rb +5 -0
- data/spec/support/servers/arachni/element/capabilities/analyzable/differential.rb +162 -0
- data/spec/support/servers/arachni/element/capabilities/{auditable → analyzable}/taint.rb +0 -0
- data/spec/support/servers/arachni/element/capabilities/analyzable/timeout.rb +37 -0
- data/spec/support/servers/arachni/element/cookie.rb +1 -1
- data/spec/support/servers/arachni/element/cookie/cookie_dom.rb +21 -0
- data/spec/support/servers/arachni/element/form.rb +6 -22
- data/spec/support/servers/arachni/element/form/form_dom.rb +50 -0
- data/spec/support/servers/arachni/element/header.rb +7 -8
- data/spec/support/servers/arachni/element/link.rb +15 -7
- data/spec/support/servers/arachni/element/link/link_dom.rb +49 -0
- data/spec/support/servers/arachni/element/link_template.rb +11 -0
- data/spec/support/servers/arachni/element/link_template/link_template_dom.rb +43 -0
- data/spec/support/servers/arachni/framework.rb +18 -0
- data/spec/support/servers/arachni/http/client.rb +176 -0
- data/spec/support/servers/arachni/http/proxy_server.rb +9 -0
- data/spec/support/servers/arachni/http/proxy_server_https.rb +25 -0
- data/spec/support/servers/arachni/page/page_dom.rb +83 -0
- data/spec/support/servers/arachni/parser.rb +4 -0
- data/spec/support/servers/arachni/rpc/server/{framework_hpg.rb → framework_multi.rb} +0 -0
- data/spec/support/servers/arachni/session.rb +43 -9
- data/spec/support/servers/arachni/trainer.rb +11 -7
- data/spec/support/servers/checks/active/code_injection.rb +163 -0
- data/spec/support/servers/checks/active/code_injection_timing.rb +134 -0
- data/spec/support/servers/{modules/audit → checks/active}/csrf.rb +0 -0
- data/spec/support/servers/checks/active/file_inclusion.rb +228 -0
- data/spec/support/servers/checks/active/ldap_injection.rb +88 -0
- data/spec/support/servers/checks/active/no_sql_injection.rb +134 -0
- data/spec/support/servers/checks/active/no_sql_injection/mongodb +1 -0
- data/spec/support/servers/checks/active/no_sql_injection_differential.rb +61 -0
- data/spec/support/servers/checks/active/os_cmd_injection.rb +172 -0
- data/spec/support/servers/checks/active/os_cmd_injection_timing.rb +118 -0
- data/spec/support/servers/checks/active/path_traversal.rb +219 -0
- data/spec/support/servers/checks/active/response_splitting.rb +138 -0
- data/spec/support/servers/{modules/audit → checks/active}/rfi.rb +0 -0
- data/spec/support/servers/checks/active/session_fixation.rb +111 -0
- data/spec/support/servers/checks/active/source_code_disclosure.rb +118 -0
- data/spec/support/servers/checks/active/sql_injection.rb +133 -0
- data/spec/support/servers/{modules/audit/sqli → checks/active/sql_injection}/access +0 -0
- data/spec/support/servers/{modules/audit/sqli → checks/active/sql_injection}/coldfusion +0 -0
- data/spec/support/servers/{modules/audit/sqli → checks/active/sql_injection}/db2 +0 -0
- data/spec/support/servers/{modules/audit/sqli → checks/active/sql_injection}/emc +0 -0
- data/spec/support/servers/{modules/audit/sqli → checks/active/sql_injection}/firebird +0 -0
- data/spec/support/servers/{modules/audit/sqli → checks/active/sql_injection}/frontbase +0 -0
- data/spec/support/servers/{modules/audit/sqli → checks/active/sql_injection}/hsqldb +0 -0
- data/spec/support/servers/{modules/audit/sqli → checks/active/sql_injection}/informix +0 -0
- data/spec/support/servers/{modules/audit/sqli → checks/active/sql_injection}/ingres +0 -0
- data/spec/support/servers/{modules/audit/sqli → checks/active/sql_injection}/interbase +0 -0
- data/spec/support/servers/checks/active/sql_injection/jdbc +0 -0
- data/spec/support/servers/{modules/audit/sqli → checks/active/sql_injection}/maxdb +0 -0
- data/spec/support/servers/{modules/audit/sqli → checks/active/sql_injection}/mssql +0 -0
- data/spec/support/servers/{modules/audit/sqli → checks/active/sql_injection}/mysql +0 -0
- data/spec/support/servers/{modules/audit/sqli → checks/active/sql_injection}/oracle +0 -0
- data/spec/support/servers/{modules/audit/sqli/postgresql → checks/active/sql_injection/pgsql} +0 -0
- data/spec/support/servers/{modules/audit/sqli → checks/active/sql_injection}/sqlite +0 -0
- data/spec/support/servers/{modules/audit/sqli → checks/active/sql_injection}/sybase +0 -0
- data/spec/support/servers/{modules/audit/sqli_blind_rdiff.rb → checks/active/sql_injection_differential.rb} +0 -0
- data/spec/support/servers/checks/active/sql_injection_timing.rb +145 -0
- data/spec/support/servers/{modules/audit/trainer_module.rb → checks/active/trainer_check.rb} +0 -0
- data/spec/support/servers/checks/active/unvalidated_redirect.rb +141 -0
- data/spec/support/servers/checks/active/xpath_injection.rb +121 -0
- data/spec/support/servers/{modules/audit/xpath → checks/active/xpath_injection}/dotnet +0 -0
- data/spec/support/servers/{modules/audit/xpath → checks/active/xpath_injection}/general +0 -0
- data/spec/support/servers/{modules/audit/xpath → checks/active/xpath_injection}/java +0 -0
- data/spec/support/servers/{modules/audit/xpath → checks/active/xpath_injection}/libxml2 +0 -0
- data/spec/support/servers/{modules/audit/xpath → checks/active/xpath_injection}/php +0 -0
- data/spec/support/servers/checks/active/xss.rb +239 -0
- data/spec/support/servers/checks/active/xss_dom.rb +133 -0
- data/spec/support/servers/checks/active/xss_dom_inputs.rb +35 -0
- data/spec/support/servers/checks/active/xss_dom_script_context.rb +139 -0
- data/spec/support/servers/checks/active/xss_event.rb +80 -0
- data/spec/support/servers/{modules/audit → checks/active}/xss_path.rb +0 -0
- data/spec/support/servers/checks/active/xss_script_context.rb +90 -0
- data/spec/support/servers/{modules/audit → checks/active}/xss_tag.rb +0 -0
- data/spec/support/servers/checks/check_server.rb +14 -0
- data/spec/support/servers/{modules/recon → checks/passive}/allowed_methods.rb +0 -0
- data/spec/support/servers/checks/passive/backdoors.rb +4 -0
- data/spec/support/servers/checks/passive/backup_directories.rb +15 -0
- data/spec/support/servers/checks/passive/backup_files.rb +15 -0
- data/spec/support/servers/checks/passive/common_directories.rb +6 -0
- data/spec/support/servers/checks/passive/common_files.rb +6 -0
- data/spec/support/servers/checks/passive/directory_listing.rb +30 -0
- data/spec/support/servers/{modules/recon → checks/passive}/grep/captcha.rb +0 -0
- data/spec/support/servers/checks/passive/grep/cookie_set_for_parent_domain.rb +21 -0
- data/spec/support/servers/{modules/recon → checks/passive}/grep/credit_card.rb +0 -0
- data/spec/support/servers/{modules/recon → checks/passive}/grep/cvs_svn_users.rb +0 -0
- data/spec/support/servers/checks/passive/grep/emails.rb +23 -0
- data/spec/support/servers/{modules/recon → checks/passive}/grep/form_upload.rb +0 -0
- data/spec/support/servers/checks/passive/grep/hsts_https.rb +37 -0
- data/spec/support/servers/{modules/recon → checks/passive}/grep/html_objects.rb +0 -0
- data/spec/support/servers/{modules/recon → checks/passive}/grep/http_only_cookies.rb +0 -0
- data/spec/support/servers/checks/passive/grep/insecure_cookies_https.rb +40 -0
- data/spec/support/servers/checks/passive/grep/mixed_resource_https.rb +69 -0
- data/spec/support/servers/checks/passive/grep/password_autocomplete.rb +33 -0
- data/spec/support/servers/{modules/recon → checks/passive}/grep/private_ip.rb +0 -0
- data/spec/support/servers/{modules/recon → checks/passive}/grep/ssn.rb +0 -0
- data/spec/support/servers/checks/passive/grep/unencrypted_password_forms.rb +33 -0
- data/spec/support/servers/{modules/recon → checks/passive}/htaccess_limit.rb +0 -0
- data/spec/support/servers/checks/passive/http_put.rb +7 -0
- data/spec/support/servers/checks/passive/interesting_responses.rb +5 -0
- data/spec/support/servers/{modules/recon → checks/passive}/localstart_asp.rb +0 -0
- data/spec/support/servers/checks/passive/origin_spoof_access_restriction_bypass.rb +30 -0
- data/spec/support/servers/checks/passive/webdav.rb +25 -0
- data/spec/support/servers/{modules/recon → checks/passive}/xst.rb +0 -0
- data/spec/support/servers/plugins/meta/remedies/discovery.rb +2 -2
- data/spec/support/servers/plugins/meta/remedies/timing_attacks.rb +2 -0
- data/spec/support/shared/browser/javascript/taint_tracer/sink/base.rb +36 -0
- data/spec/support/shared/check.rb +198 -0
- data/spec/support/shared/component.rb +15 -4
- data/spec/support/shared/component/options/base.rb +187 -0
- data/spec/support/shared/element/base.rb +131 -0
- data/spec/support/shared/element/capabilities/auditable.rb +371 -604
- data/spec/support/shared/element/capabilities/auditable/dom.rb +303 -0
- data/spec/support/shared/element/capabilities/inputtable.rb +499 -0
- data/spec/support/shared/element/capabilities/mutable.rb +362 -0
- data/spec/support/shared/element/capabilities/refreshable.rb +26 -26
- data/spec/support/shared/element/capabilities/submitable.rb +155 -0
- data/spec/support/shared/element/capabilities/with_auditor.rb +75 -0
- data/spec/support/shared/element/capabilities/with_dom.rb +39 -0
- data/spec/support/shared/element/capabilities/with_node.rb +42 -0
- data/spec/support/shared/element/capabilities/with_scope.rb +22 -0
- data/spec/support/shared/external/wavsep.rb +30 -9
- data/spec/support/shared/http/message.rb +72 -0
- data/spec/support/shared/option_group.rb +98 -0
- data/spec/support/shared/path_extractor.rb +1 -1
- data/spec/support/shared/plugin.rb +33 -16
- data/spec/support/shared/reporter.rb +41 -0
- data/spec/support/shared/support/cache.rb +341 -0
- data/spec/support/shared/support/lookup.rb +93 -13
- data/ui/cli/framework.rb +466 -0
- data/ui/cli/framework/option_parser.rb +628 -0
- data/ui/cli/option_parser.rb +104 -0
- data/ui/cli/output.rb +377 -0
- data/ui/cli/reporter.rb +52 -0
- data/ui/cli/reporter/option_parser.rb +102 -0
- data/ui/cli/restored_framework.rb +127 -0
- data/ui/cli/restored_framework/option_parser.rb +115 -0
- data/ui/cli/rpc/client/dispatcher_monitor.rb +157 -0
- data/ui/cli/rpc/client/dispatcher_monitor/option_parser.rb +41 -0
- data/ui/cli/rpc/client/instance.rb +294 -0
- data/ui/cli/rpc/client/local.rb +65 -0
- data/ui/cli/rpc/client/local/option_parser.rb +35 -0
- data/ui/cli/rpc/client/remote.rb +84 -0
- data/ui/cli/rpc/client/remote/option_parser.rb +99 -0
- data/ui/cli/rpc/server/dispatcher.rb +36 -0
- data/ui/cli/rpc/server/dispatcher/option_parser.rb +165 -0
- data/ui/cli/utilities.rb +228 -0
- metadata +1260 -1266
- data/EXPLOITATION.md +0 -431
- data/HACKING.md +0 -120
- data/NOTICE +0 -12
- data/data/crypto/public.pem +0 -9
- data/external/metasploit/LICENSE +0 -24
- data/external/metasploit/plugins/arachni.rb +0 -516
- data/external/metasploit/plugins/arachni/modules/auxiliary/arachni_sqlmap.rb +0 -91
- data/external/metasploit/plugins/arachni/modules/exploits/unix/webapp/arachni_exec.rb +0 -142
- data/external/metasploit/plugins/arachni/modules/exploits/unix/webapp/arachni_path_traversal.rb +0 -113
- data/external/metasploit/plugins/arachni/modules/exploits/unix/webapp/arachni_php_eval.rb +0 -150
- data/external/metasploit/plugins/arachni/modules/exploits/unix/webapp/arachni_php_include.rb +0 -141
- data/fingerprinters/frameworks/rack.rb +0 -41
- data/fingerprinters/languages/asp.rb +0 -42
- data/fingerprinters/languages/aspx.rb +0 -63
- data/fingerprinters/languages/jsp.rb +0 -42
- data/fingerprinters/languages/php.rb +0 -43
- data/fingerprinters/languages/python.rb +0 -40
- data/fingerprinters/languages/ruby.rb +0 -41
- data/fingerprinters/os/bsd.rb +0 -36
- data/fingerprinters/os/linux.rb +0 -42
- data/fingerprinters/os/solaris.rb +0 -41
- data/fingerprinters/os/unix.rb +0 -36
- data/fingerprinters/os/windows.rb +0 -41
- data/fingerprinters/servers/apache.rb +0 -36
- data/fingerprinters/servers/iis.rb +0 -36
- data/fingerprinters/servers/jetty.rb +0 -36
- data/fingerprinters/servers/nginx.rb +0 -36
- data/fingerprinters/servers/tomcat.rb +0 -36
- data/gfx/README.md +0 -18
- data/gfx/compiled/banner.png +0 -0
- data/gfx/compiled/favicon.ico +0 -0
- data/gfx/compiled/icon.png +0 -0
- data/gfx/compiled/logo.png +0 -0
- data/gfx/compiled/spider.png +0 -0
- data/gfx/font/Beneath_the_Surface.ttf +0 -0
- data/gfx/font/bts_readme.txt +0 -14
- data/gfx/source/banner.svg +0 -999
- data/gfx/source/icon.svg +0 -627
- data/gfx/source/logo.svg +0 -672
- data/gfx/source/spider.png +0 -0
- data/gfx/source/spider.svg +0 -277
- data/lib/arachni/audit_store.rb +0 -321
- data/lib/arachni/component/options/enum.rb +0 -51
- data/lib/arachni/element/capabilities/auditable/rdiff.rb +0 -489
- data/lib/arachni/element/capabilities/auditable/taint.rb +0 -238
- data/lib/arachni/element/capabilities/auditable/timeout.rb +0 -469
- data/lib/arachni/mixins/observable.rb +0 -91
- data/lib/arachni/mixins/progress_bar.rb +0 -87
- data/lib/arachni/mixins/terminal.rb +0 -112
- data/lib/arachni/module.rb +0 -20
- data/lib/arachni/module/auditor.rb +0 -618
- data/lib/arachni/module/base.rb +0 -188
- data/lib/arachni/module/manager.rb +0 -255
- data/lib/arachni/module/output.rb +0 -68
- data/lib/arachni/module/utilities.rb +0 -64
- data/lib/arachni/report/base.rb +0 -201
- data/lib/arachni/report/manager.rb +0 -86
- data/lib/arachni/rpc/server/dispatcher/handler.rb +0 -166
- data/lib/arachni/rpc/server/module/manager.rb +0 -46
- data/lib/arachni/rpc/server/spider.rb +0 -404
- data/lib/arachni/ruby/enumerable.rb +0 -29
- data/lib/arachni/spider.rb +0 -477
- data/lib/arachni/support/key_filler.rb +0 -68
- data/lib/arachni/support/queue.rb +0 -18
- data/lib/arachni/support/queue/disk.rb +0 -171
- data/lib/arachni/typhoeus/hydra.rb +0 -56
- data/lib/arachni/typhoeus/request.rb +0 -80
- data/lib/arachni/typhoeus/response.rb +0 -103
- data/lib/arachni/typhoeus/utils.rb +0 -25
- data/lib/arachni/ui/cli/cli.rb +0 -469
- data/lib/arachni/ui/cli/output.rb +0 -391
- data/lib/arachni/ui/cli/rpc/dispatcher_monitor.rb +0 -188
- data/lib/arachni/ui/cli/rpc/instance.rb +0 -407
- data/lib/arachni/ui/cli/rpc/local.rb +0 -80
- data/lib/arachni/ui/cli/rpc/remote.rb +0 -134
- data/lib/arachni/ui/cli/utilities.rb +0 -509
- data/modules/audit/code_injection.rb +0 -137
- data/modules/audit/code_injection_php_input_wrapper.rb +0 -109
- data/modules/audit/code_injection_timing.rb +0 -122
- data/modules/audit/csrf.rb +0 -225
- data/modules/audit/file_inclusion.rb +0 -156
- data/modules/audit/ldapi.rb +0 -97
- data/modules/audit/os_cmd_injection.rb +0 -109
- data/modules/audit/os_cmd_injection_timing.rb +0 -98
- data/modules/audit/path_traversal.rb +0 -170
- data/modules/audit/response_splitting.rb +0 -99
- data/modules/audit/rfi.rb +0 -181
- data/modules/audit/session_fixation.rb +0 -117
- data/modules/audit/source_code_disclosure.rb +0 -179
- data/modules/audit/sqli.rb +0 -148
- data/modules/audit/sqli_blind_rdiff.rb +0 -138
- data/modules/audit/sqli_blind_timing.rb +0 -126
- data/modules/audit/trainer.rb +0 -49
- data/modules/audit/unvalidated_redirect.rb +0 -91
- data/modules/audit/xpath.rb +0 -97
- data/modules/audit/xss.rb +0 -154
- data/modules/audit/xss_event.rb +0 -153
- data/modules/audit/xss_path.rb +0 -152
- data/modules/audit/xss_script_tag.rb +0 -137
- data/modules/audit/xss_tag.rb +0 -137
- data/modules/recon/allowed_methods.rb +0 -99
- data/modules/recon/backdoors.rb +0 -82
- data/modules/recon/backup_files.rb +0 -100
- data/modules/recon/backup_files/extensions.txt +0 -28
- data/modules/recon/common_directories.rb +0 -87
- data/modules/recon/common_files.rb +0 -78
- data/modules/recon/common_files/filenames.txt +0 -21
- data/modules/recon/directory_listing.rb +0 -133
- data/modules/recon/grep/captcha.rb +0 -74
- data/modules/recon/grep/credit_card.rb +0 -128
- data/modules/recon/grep/cvs_svn_users.rb +0 -81
- data/modules/recon/grep/emails.rb +0 -73
- data/modules/recon/grep/form_upload.rb +0 -86
- data/modules/recon/grep/html_objects.rb +0 -56
- data/modules/recon/grep/http_only_cookies.rb +0 -82
- data/modules/recon/grep/insecure_cookies.rb +0 -82
- data/modules/recon/grep/mixed_resource.rb +0 -113
- data/modules/recon/grep/password_autocomplete.rb +0 -85
- data/modules/recon/grep/private_ip.rb +0 -70
- data/modules/recon/grep/ssn.rb +0 -66
- data/modules/recon/grep/unencrypted_password_forms.rb +0 -103
- data/modules/recon/htaccess_limit.rb +0 -76
- data/modules/recon/http_put.rb +0 -95
- data/modules/recon/interesting_responses.rb +0 -91
- data/modules/recon/localstart_asp.rb +0 -97
- data/modules/recon/webdav.rb +0 -106
- data/modules/recon/x_forwarded_for_access_restriction_bypass.rb +0 -76
- data/modules/recon/xst.rb +0 -103
- data/path_extractors/anchors.rb +0 -37
- data/path_extractors/areas.rb +0 -37
- data/path_extractors/forms.rb +0 -37
- data/path_extractors/frames.rb +0 -37
- data/path_extractors/generic.rb +0 -84
- data/path_extractors/links.rb +0 -37
- data/path_extractors/meta_refresh.rb +0 -58
- data/path_extractors/scripts.rb +0 -38
- data/plugins/autologin.rb +0 -133
- data/plugins/beep_notify.rb +0 -49
- data/plugins/content_types.rb +0 -107
- data/plugins/cookie_collector.rb +0 -85
- data/plugins/defaults/autothrottle.rb +0 -78
- data/plugins/defaults/healthmap.rb +0 -89
- data/plugins/defaults/meta/remedies/discovery.rb +0 -138
- data/plugins/defaults/meta/remedies/timing_attacks.rb +0 -117
- data/plugins/defaults/meta/uniformity.rb +0 -82
- data/plugins/defaults/resolver.rb +0 -60
- data/plugins/email_notify.rb +0 -106
- data/plugins/form_dicattack.rb +0 -123
- data/plugins/http_dicattack.rb +0 -108
- data/plugins/libnotify.rb +0 -82
- data/plugins/profiler.rb +0 -179
- data/plugins/proxy.rb +0 -502
- data/plugins/proxy/panel/page_accordion.html.erb +0 -67
- data/plugins/proxy/panel/panel.html.erb +0 -69
- data/plugins/proxy/panel/verify_login_sequence.html.erb +0 -45
- data/plugins/proxy/server.rb +0 -215
- data/plugins/proxy/template_scope.rb +0 -138
- data/plugins/rescan.rb +0 -59
- data/plugins/script.rb +0 -53
- data/plugins/uncommon_headers.rb +0 -92
- data/plugins/vector_feed.rb +0 -226
- data/plugins/waf_detector.rb +0 -167
- data/profiles/full.afp +0 -48
- data/reports/afr.rb +0 -44
- data/reports/ap.rb +0 -46
- data/reports/html.rb +0 -273
- data/reports/html/default.erb +0 -82
- data/reports/html/default/configuration.erb +0 -126
- data/reports/html/default/css/jquery-ui.css +0 -570
- data/reports/html/default/css/jquery.jqplot.min.css +0 -1
- data/reports/html/default/css/main.css +0 -391
- data/reports/html/default/headers.erb +0 -19
- data/reports/html/default/issue.erb +0 -178
- data/reports/html/default/issues.erb +0 -52
- data/reports/html/default/js/charts.js +0 -147
- data/reports/html/default/js/helpers.js +0 -53
- data/reports/html/default/js/init.js +0 -72
- data/reports/html/default/js/lib/jqplot.barRenderer.min.js +0 -57
- data/reports/html/default/js/lib/jqplot.categoryAxisRenderer.min.js +0 -57
- data/reports/html/default/js/lib/jqplot.cursor.min.js +0 -57
- data/reports/html/default/js/lib/jqplot.pieRenderer.min.js +0 -57
- data/reports/html/default/js/lib/jqplot.pointLabels.min.js +0 -57
- data/reports/html/default/js/lib/jquery-ui.min.js +0 -404
- data/reports/html/default/js/lib/jquery.jqplot.min.js +0 -57
- data/reports/html/default/js/lib/jquery.min.js +0 -167
- data/reports/html/default/plugins.erb +0 -22
- data/reports/html/default/search.erb +0 -8
- data/reports/html/default/sitemap.erb +0 -15
- data/reports/html/default/summary.erb +0 -75
- data/reports/html/default/summary_issue.erb +0 -20
- data/reports/json.rb +0 -52
- data/reports/marshal.rb +0 -46
- data/reports/metareport.rb +0 -104
- data/reports/plugin_formatters/html/autologin.rb +0 -45
- data/reports/plugin_formatters/html/content_types.rb +0 -67
- data/reports/plugin_formatters/html/cookie_collector.rb +0 -52
- data/reports/plugin_formatters/html/discovery.rb +0 -45
- data/reports/plugin_formatters/html/form_dicattack.rb +0 -40
- data/reports/plugin_formatters/html/healthmap.rb +0 -60
- data/reports/plugin_formatters/html/http_dicattack.rb +0 -40
- data/reports/plugin_formatters/html/profiler.rb +0 -36
- data/reports/plugin_formatters/html/profiler/template.erb +0 -84
- data/reports/plugin_formatters/html/resolver.rb +0 -55
- data/reports/plugin_formatters/html/timing_attacks.rb +0 -51
- data/reports/plugin_formatters/html/uncommon_headers.rb +0 -47
- data/reports/plugin_formatters/html/uniformity.rb +0 -54
- data/reports/plugin_formatters/html/waf_detector.rb +0 -38
- data/reports/plugin_formatters/stdout/autologin.rb +0 -38
- data/reports/plugin_formatters/stdout/content_types.rb +0 -51
- data/reports/plugin_formatters/stdout/cookie_collector.rb +0 -43
- data/reports/plugin_formatters/stdout/discovery.rb +0 -37
- data/reports/plugin_formatters/stdout/form_dicattack.rb +0 -34
- data/reports/plugin_formatters/stdout/healthmap.rb +0 -49
- data/reports/plugin_formatters/stdout/http_dicattack.rb +0 -34
- data/reports/plugin_formatters/stdout/profiler.rb +0 -66
- data/reports/plugin_formatters/stdout/resolver.rb +0 -29
- data/reports/plugin_formatters/stdout/timing_attacks.rb +0 -37
- data/reports/plugin_formatters/stdout/uncommon_headers.rb +0 -37
- data/reports/plugin_formatters/stdout/uniformity.rb +0 -48
- data/reports/plugin_formatters/stdout/waf_detector.rb +0 -31
- data/reports/plugin_formatters/xml/autologin.rb +0 -41
- data/reports/plugin_formatters/xml/content_types.rb +0 -61
- data/reports/plugin_formatters/xml/cookie_collector.rb +0 -45
- data/reports/plugin_formatters/xml/discovery.rb +0 -38
- data/reports/plugin_formatters/xml/form_dicattack.rb +0 -34
- data/reports/plugin_formatters/xml/healthmap.rb +0 -58
- data/reports/plugin_formatters/xml/http_dicattack.rb +0 -33
- data/reports/plugin_formatters/xml/profiler.rb +0 -80
- data/reports/plugin_formatters/xml/resolver.rb +0 -33
- data/reports/plugin_formatters/xml/timing_attacks.rb +0 -39
- data/reports/plugin_formatters/xml/uncommon_headers.rb +0 -38
- data/reports/plugin_formatters/xml/uniformity.rb +0 -54
- data/reports/plugin_formatters/xml/waf_detector.rb +0 -34
- data/reports/stdout.rb +0 -203
- data/reports/txt.rb +0 -58
- data/reports/xml.rb +0 -176
- data/reports/xml/buffer.rb +0 -97
- data/reports/yaml.rb +0 -46
- data/spec/arachni/audit_store_spec.rb +0 -239
- data/spec/arachni/component/options/enum_spec.rb +0 -51
- data/spec/arachni/element/base_spec.rb +0 -138
- data/spec/arachni/element/capabilities/auditable/rdiff_spec.rb +0 -134
- data/spec/arachni/element/capabilities/auditable/taint_spec.rb +0 -409
- data/spec/arachni/element/capabilities/auditable/timeout_spec.rb +0 -157
- data/spec/arachni/element/capabilities/mutable_spec.rb +0 -284
- data/spec/arachni/http_spec.rb +0 -962
- data/spec/arachni/mixins/observable_spec.rb +0 -75
- data/spec/arachni/mixins/progress_bar_spec.rb +0 -47
- data/spec/arachni/module/auditor_spec.rb +0 -544
- data/spec/arachni/module/manager_spec.rb +0 -150
- data/spec/arachni/module/utilities_spec.rb +0 -30
- data/spec/arachni/report/base_spec.rb +0 -61
- data/spec/arachni/report/manager_spec.rb +0 -82
- data/spec/arachni/rpc/server/dispatcher/handler_spec.rb +0 -102
- data/spec/arachni/rpc/server/framework_hpg_spec.rb +0 -376
- data/spec/arachni/rpc/server/framework_simple_spec.rb +0 -501
- data/spec/arachni/rpc/server/modules/manager_spec.rb +0 -47
- data/spec/arachni/rpc/server/spider_spec.rb +0 -68
- data/spec/arachni/ruby/enumerable_spec.rb +0 -37
- data/spec/arachni/spider_spec.rb +0 -539
- data/spec/arachni/support/cache/base_spec.rb +0 -282
- data/spec/arachni/support/key_filler.rb +0 -60
- data/spec/arachni/support/queue/disk_spec.rb +0 -116
- data/spec/arachni/typhoeus/requrest_spec.rb +0 -58
- data/spec/arachni/typhoeus/response_spec.rb +0 -171
- data/spec/fingerprinters/frameworks/rack_spec.rb +0 -41
- data/spec/fingerprinters/languages/asp_spec.rb +0 -40
- data/spec/fingerprinters/languages/aspx_spec.rb +0 -78
- data/spec/fingerprinters/languages/jsp_spec.rb +0 -58
- data/spec/fingerprinters/languages/php_spec.rb +0 -61
- data/spec/fingerprinters/languages/python_spec.rb +0 -23
- data/spec/fingerprinters/languages/ruby.rb +0 -34
- data/spec/fingerprinters/os/bsd_spec.rb +0 -26
- data/spec/fingerprinters/os/linux_spec.rb +0 -34
- data/spec/fingerprinters/os/solaris_spec.rb +0 -34
- data/spec/fingerprinters/os/unix_spec.rb +0 -26
- data/spec/fingerprinters/os/windows_spec.rb +0 -34
- data/spec/fingerprinters/servers/apache_spec.rb +0 -26
- data/spec/fingerprinters/servers/iis_spec.rb +0 -28
- data/spec/fingerprinters/servers/jetty_spec.rb +0 -28
- data/spec/fingerprinters/servers/nginx_spec.rb +0 -26
- data/spec/fingerprinters/servers/tomcat_spec.rb +0 -28
- data/spec/modules/audit/code_injection_spec.rb +0 -25
- data/spec/modules/audit/code_injection_timing_spec.rb +0 -24
- data/spec/modules/audit/csrf_spec.rb +0 -45
- data/spec/modules/audit/file_inclusion_spec.rb +0 -25
- data/spec/modules/audit/ldapi_spec.rb +0 -19
- data/spec/modules/audit/os_cmd_injection_spec.rb +0 -24
- data/spec/modules/audit/os_cmd_injection_timing_spec.rb +0 -24
- data/spec/modules/audit/path_traversal_spec.rb +0 -23
- data/spec/modules/audit/response_splitting_spec.rb +0 -19
- data/spec/modules/audit/rfi_spec.rb +0 -19
- data/spec/modules/audit/session_fixation_spec.rb +0 -23
- data/spec/modules/audit/source_code_disclosure_spec.rb +0 -24
- data/spec/modules/audit/sqli_blind_rdiff_spec.rb +0 -19
- data/spec/modules/audit/sqli_blind_timing_spec.rb +0 -23
- data/spec/modules/audit/sqli_spec.rb +0 -25
- data/spec/modules/audit/trainer_spec.rb +0 -35
- data/spec/modules/audit/unvalidated_redirect_spec.rb +0 -24
- data/spec/modules/audit/xpath_spec.rb +0 -25
- data/spec/modules/audit/xss_event_spec.rb +0 -19
- data/spec/modules/audit/xss_path_spec.rb +0 -19
- data/spec/modules/audit/xss_script_tag_spec.rb +0 -27
- data/spec/modules/audit/xss_spec.rb +0 -24
- data/spec/modules/audit/xss_tag_spec.rb +0 -19
- data/spec/modules/recon/allowed_methods_spec.rb +0 -19
- data/spec/modules/recon/backdoors_spec.rb +0 -19
- data/spec/modules/recon/backup_files_spec.rb +0 -19
- data/spec/modules/recon/common_directories_spec.rb +0 -19
- data/spec/modules/recon/common_files_spec.rb +0 -19
- data/spec/modules/recon/directory_listing_spec.rb +0 -19
- data/spec/modules/recon/grep/captcha_spec.rb +0 -19
- data/spec/modules/recon/grep/credit_card_spec.rb +0 -19
- data/spec/modules/recon/grep/cvs_svn_users_spec.rb +0 -19
- data/spec/modules/recon/grep/emails_spec.rb +0 -19
- data/spec/modules/recon/grep/form_upload_spec.rb +0 -19
- data/spec/modules/recon/grep/html_objects_spec.rb +0 -19
- data/spec/modules/recon/grep/http_only_cookies_spec.rb +0 -19
- data/spec/modules/recon/grep/insecure_cookies_spec.rb +0 -19
- data/spec/modules/recon/grep/mixed_resource_spec.rb +0 -20
- data/spec/modules/recon/grep/password_autocomplete_spec.rb +0 -19
- data/spec/modules/recon/grep/private_ip_spec.rb +0 -26
- data/spec/modules/recon/grep/ssn_spec.rb +0 -19
- data/spec/modules/recon/grep/unencrypted_password_forms_spec.rb +0 -19
- data/spec/modules/recon/htaccess_limit_spec.rb +0 -19
- data/spec/modules/recon/http_put_spec.rb +0 -19
- data/spec/modules/recon/interesting_responses_spec.rb +0 -30
- data/spec/modules/recon/localstart_asp_spec.rb +0 -19
- data/spec/modules/recon/webdav_spec.rb +0 -19
- data/spec/modules/recon/x_forwarded_for_access_restriction_bypass_spec.rb +0 -19
- data/spec/modules/recon/xst_spec.rb +0 -19
- data/spec/path_extractors/scripts_spec.rb +0 -19
- data/spec/plugins/autologin_spec.rb +0 -94
- data/spec/plugins/autothrottle_spec.rb +0 -45
- data/spec/plugins/content_types_spec.rb +0 -93
- data/spec/plugins/cookie_collector_spec.rb +0 -49
- data/spec/plugins/form_dicattack_spec.rb +0 -60
- data/spec/plugins/healthmap_spec.rb +0 -40
- data/spec/plugins/http_dicattack_spec.rb +0 -40
- data/spec/plugins/meta/remedies/discovery_spec.rb +0 -21
- data/spec/plugins/meta/remedies/timing_attacks_spec.rb +0 -34
- data/spec/plugins/meta/uniformity_spec.rb +0 -83
- data/spec/plugins/profiler_spec.rb +0 -82
- data/spec/plugins/rescan_spec.rb +0 -26
- data/spec/plugins/resolver_spec.rb +0 -16
- data/spec/plugins/script_spec.rb +0 -12
- data/spec/plugins/uncommon_headers_spec.rb +0 -64
- data/spec/plugins/vector_feed_spec.rb +0 -167
- data/spec/plugins/waf_detector_spec.rb +0 -41
- data/spec/reports/afr_spec.rb +0 -13
- data/spec/reports/ap_spec.rb +0 -9
- data/spec/reports/html_spec.rb +0 -13
- data/spec/reports/json_spec.rb +0 -17
- data/spec/reports/marshal_spec.rb +0 -13
- data/spec/reports/stdout_spec.rb +0 -9
- data/spec/reports/txt_spec.rb +0 -8
- data/spec/reports/xml_spec.rb +0 -13
- data/spec/reports/yaml_spec.rb +0 -13
- data/spec/support/fixtures/auditstore.afr +0 -76074
- data/spec/support/fixtures/modules/test.rb +0 -58
- data/spec/support/fixtures/modules/test2.rb +0 -46
- data/spec/support/fixtures/modules/test3.rb +0 -46
- data/spec/support/fixtures/plugins/spider_hook.rb +0 -50
- data/spec/support/fixtures/reports/base_spec/plugin_formatters/with_formatters/foobar.rb +0 -21
- data/spec/support/fixtures/reports/base_spec/with_formatters.rb +0 -23
- data/spec/support/fixtures/reports/base_spec/with_outfile.rb +0 -24
- data/spec/support/fixtures/reports/base_spec/without_outfile.rb +0 -20
- data/spec/support/fixtures/reports/manager_spec/afr.rb +0 -21
- data/spec/support/fixtures/reports/manager_spec/foo.rb +0 -26
- data/spec/support/fixtures/rpcd_handlers/echo.rb +0 -68
- data/spec/support/fixtures/run_mod/body.rb +0 -58
- data/spec/support/fixtures/run_mod/cookies.rb +0 -58
- data/spec/support/fixtures/run_mod/empty.rb +0 -58
- data/spec/support/fixtures/run_mod/flch.rb +0 -63
- data/spec/support/fixtures/run_mod/forms.rb +0 -58
- data/spec/support/fixtures/run_mod/headers.rb +0 -58
- data/spec/support/fixtures/run_mod/links.rb +0 -58
- data/spec/support/fixtures/run_mod/nil.rb +0 -57
- data/spec/support/fixtures/run_mod/path.rb +0 -58
- data/spec/support/fixtures/run_mod/server.rb +0 -58
- data/spec/support/fixtures/taint_module/taint.rb +0 -48
- data/spec/support/fixtures/wait_module/wait.rb +0 -48
- data/spec/support/logs/Dispatcher - 1332-56847.log +0 -9
- data/spec/support/logs/Dispatcher - 1361-63434.log +0 -21
- data/spec/support/logs/Dispatcher - 1545-55308.log +0 -9
- data/spec/support/logs/Dispatcher - 1559-18938.log +0 -19
- data/spec/support/logs/Dispatcher - 1568-25013.log +0 -17
- data/spec/support/logs/Dispatcher - 1577-55689.log +0 -13
- data/spec/support/logs/Dispatcher - 1586-18577.log +0 -9
- data/spec/support/logs/Dispatcher - 1595-49353.log +0 -9
- data/spec/support/logs/Dispatcher - 1604-27831.log +0 -11
- data/spec/support/logs/Dispatcher - 1617-57444.log +0 -11
- data/spec/support/logs/Dispatcher - 1631-28737.log +0 -11
- data/spec/support/logs/Dispatcher - 1644-21815.log +0 -33
- data/spec/support/logs/Dispatcher - 1738-53470.log +0 -21
- data/spec/support/logs/Dispatcher - 1747-64173.log +0 -21
- data/spec/support/logs/Dispatcher - 1756-11866.log +0 -23
- data/spec/support/logs/Dispatcher - 1798-12175.log +0 -19
- data/spec/support/logs/Dispatcher - 1807-22790.log +0 -17
- data/spec/support/logs/Dispatcher - 1816-57823.log +0 -15
- data/spec/support/logs/Dispatcher - 1831-64825.log +0 -11
- data/spec/support/logs/Dispatcher - 1845-27623.log +0 -9
- data/spec/support/logs/Dispatcher - 1854-26066.log +0 -9
- data/spec/support/logs/Dispatcher - 1863-37486.log +0 -9
- data/spec/support/logs/Dispatcher - 1874-22463.log +0 -9
- data/spec/support/logs/Dispatcher - 1883-41263.log +0 -11
- data/spec/support/logs/Dispatcher - 1900-53660.log +0 -9
- data/spec/support/logs/Dispatcher - 1909-44423.log +0 -9
- data/spec/support/logs/Dispatcher - 1921-58931.log +0 -9
- data/spec/support/logs/Dispatcher - 1993-6448.log +0 -63
- data/spec/support/logs/Dispatcher - 2002-19206.log +0 -43
- data/spec/support/logs/Dispatcher - 2011-11852.log +0 -39
- data/spec/support/logs/Dispatcher - 2020-65055.log +0 -34
- data/spec/support/logs/Dispatcher - 2029-48445.log +0 -28
- data/spec/support/logs/Dispatcher - 2038-55271.log +0 -21
- data/spec/support/logs/Dispatcher - 2047-45722.log +0 -13
- data/spec/support/logs/Dispatcher - 2057-48194.log +0 -9
- data/spec/support/logs/Dispatcher - 2189-39843.log +0 -19
- data/spec/support/logs/Dispatcher - 2199-15985.log +0 -21
- data/spec/support/logs/Dispatcher - 2208-22080.log +0 -15
- data/spec/support/logs/Dispatcher - 2221-37690.log +0 -19
- data/spec/support/logs/Dispatcher - 2230-47867.log +0 -21
- data/spec/support/logs/Dispatcher - 2239-27060.log +0 -15
- data/spec/support/logs/Dispatcher - 2358-8967.log +0 -17
- data/spec/support/logs/Dispatcher - 2367-27103.log +0 -21
- data/spec/support/logs/Dispatcher - 2376-16287.log +0 -13
- data/spec/support/logs/Dispatcher - 2389-9109.log +0 -19
- data/spec/support/logs/Dispatcher - 2398-62926.log +0 -21
- data/spec/support/logs/Dispatcher - 2407-48685.log +0 -15
- data/spec/support/logs/Dispatcher - 2459-62480.log +0 -17
- data/spec/support/logs/Dispatcher - 2470-57894.log +0 -21
- data/spec/support/logs/Dispatcher - 2479-51883.log +0 -13
- data/spec/support/logs/Dispatcher - 2493-36944.log +0 -17
- data/spec/support/logs/Dispatcher - 2503-59143.log +0 -21
- data/spec/support/logs/Dispatcher - 2513-33084.log +0 -13
- data/spec/support/logs/Dispatcher - 25430-46306.log +0 -9
- data/spec/support/logs/Dispatcher - 25457-10711.log +0 -23
- data/spec/support/logs/Dispatcher - 25603-48892.log +0 -9
- data/spec/support/logs/Dispatcher - 25613-24775.log +0 -19
- data/spec/support/logs/Dispatcher - 25622-59684.log +0 -17
- data/spec/support/logs/Dispatcher - 25631-23195.log +0 -13
- data/spec/support/logs/Dispatcher - 25640-9810.log +0 -9
- data/spec/support/logs/Dispatcher - 25649-52757.log +0 -9
- data/spec/support/logs/Dispatcher - 25658-58550.log +0 -11
- data/spec/support/logs/Dispatcher - 25671-30871.log +0 -11
- data/spec/support/logs/Dispatcher - 25684-48620.log +0 -11
- data/spec/support/logs/Dispatcher - 25697-18124.log +0 -37
- data/spec/support/logs/Dispatcher - 25762-35321.log +0 -21
- data/spec/support/logs/Dispatcher - 25771-64633.log +0 -21
- data/spec/support/logs/Dispatcher - 25780-43558.log +0 -23
- data/spec/support/logs/Dispatcher - 25821-43561.log +0 -19
- data/spec/support/logs/Dispatcher - 25830-39112.log +0 -17
- data/spec/support/logs/Dispatcher - 25839-44093.log +0 -15
- data/spec/support/logs/Dispatcher - 25852-12057.log +0 -11
- data/spec/support/logs/Dispatcher - 25866-49029.log +0 -9
- data/spec/support/logs/Dispatcher - 25875-32179.log +0 -9
- data/spec/support/logs/Dispatcher - 25884-62703.log +0 -9
- data/spec/support/logs/Dispatcher - 25894-4228.log +0 -9
- data/spec/support/logs/Dispatcher - 25903-6709.log +0 -11
- data/spec/support/logs/Dispatcher - 25917-29651.log +0 -9
- data/spec/support/logs/Dispatcher - 25926-12708.log +0 -9
- data/spec/support/logs/Dispatcher - 25935-54092.log +0 -9
- data/spec/support/logs/Dispatcher - 25990-26756.log +0 -63
- data/spec/support/logs/Dispatcher - 25999-4016.log +0 -43
- data/spec/support/logs/Dispatcher - 26008-52076.log +0 -39
- data/spec/support/logs/Dispatcher - 26017-48497.log +0 -34
- data/spec/support/logs/Dispatcher - 26026-28839.log +0 -28
- data/spec/support/logs/Dispatcher - 26035-54215.log +0 -21
- data/spec/support/logs/Dispatcher - 26044-27216.log +0 -13
- data/spec/support/logs/Dispatcher - 26054-53464.log +0 -9
- data/spec/support/logs/Dispatcher - 26163-65271.log +0 -19
- data/spec/support/logs/Dispatcher - 26173-58105.log +0 -21
- data/spec/support/logs/Dispatcher - 26182-40848.log +0 -15
- data/spec/support/logs/Dispatcher - 26195-2855.log +0 -19
- data/spec/support/logs/Dispatcher - 26204-35297.log +0 -21
- data/spec/support/logs/Dispatcher - 26213-59588.log +0 -15
- data/spec/support/logs/Dispatcher - 26333-40774.log +0 -17
- data/spec/support/logs/Dispatcher - 26342-45541.log +0 -21
- data/spec/support/logs/Dispatcher - 26351-3349.log +0 -13
- data/spec/support/logs/Dispatcher - 26364-37456.log +0 -19
- data/spec/support/logs/Dispatcher - 26373-37340.log +0 -21
- data/spec/support/logs/Dispatcher - 26382-54864.log +0 -15
- data/spec/support/logs/Dispatcher - 26434-3070.log +0 -17
- data/spec/support/logs/Dispatcher - 26448-14295.log +0 -21
- data/spec/support/logs/Dispatcher - 26474-30587.log +0 -13
- data/spec/support/logs/Dispatcher - 26500-32529.log +0 -17
- data/spec/support/logs/Dispatcher - 26509-16952.log +0 -21
- data/spec/support/logs/Dispatcher - 26519-43332.log +0 -13
- data/spec/support/logs/Dispatcher - 26750-61867.log +0 -19
- data/spec/support/logs/Dispatcher - 26759-22532.log +0 -21
- data/spec/support/logs/Dispatcher - 26768-18231.log +0 -15
- data/spec/support/logs/Dispatcher - 26792-41661.log +0 -21
- data/spec/support/logs/Dispatcher - 26801-14384.log +0 -25
- data/spec/support/logs/Dispatcher - 26810-2591.log +0 -15
- data/spec/support/logs/Dispatcher - 26846-14591.log +0 -17
- data/spec/support/logs/Dispatcher - 26855-15708.log +0 -21
- data/spec/support/logs/Dispatcher - 26864-2062.log +0 -13
- data/spec/support/logs/Dispatcher - 26877-14471.log +0 -21
- data/spec/support/logs/Dispatcher - 26886-49795.log +0 -25
- data/spec/support/logs/Dispatcher - 26895-21093.log +0 -15
- data/spec/support/logs/Dispatcher - 26931-30049.log +0 -17
- data/spec/support/logs/Dispatcher - 26940-34273.log +0 -21
- data/spec/support/logs/Dispatcher - 26949-30040.log +0 -13
- data/spec/support/logs/Dispatcher - 26962-8152.log +0 -17
- data/spec/support/logs/Dispatcher - 26971-53062.log +0 -21
- data/spec/support/logs/Dispatcher - 26980-7548.log +0 -13
- data/spec/support/logs/Dispatcher - 2737-20989.log +0 -19
- data/spec/support/logs/Dispatcher - 2746-5423.log +0 -21
- data/spec/support/logs/Dispatcher - 2755-53393.log +0 -15
- data/spec/support/logs/Dispatcher - 27615-41812.log +0 -19
- data/spec/support/logs/Dispatcher - 27624-43683.log +0 -21
- data/spec/support/logs/Dispatcher - 27633-11593.log +0 -15
- data/spec/support/logs/Dispatcher - 27658-12186.log +0 -21
- data/spec/support/logs/Dispatcher - 27667-15575.log +0 -25
- data/spec/support/logs/Dispatcher - 27676-17207.log +0 -15
- data/spec/support/logs/Dispatcher - 27712-2233.log +0 -17
- data/spec/support/logs/Dispatcher - 27721-3842.log +0 -21
- data/spec/support/logs/Dispatcher - 27730-22695.log +0 -13
- data/spec/support/logs/Dispatcher - 27743-8364.log +0 -21
- data/spec/support/logs/Dispatcher - 27752-6140.log +0 -25
- data/spec/support/logs/Dispatcher - 27761-25015.log +0 -15
- data/spec/support/logs/Dispatcher - 27797-9270.log +0 -17
- data/spec/support/logs/Dispatcher - 2780-58168.log +0 -21
- data/spec/support/logs/Dispatcher - 27806-48623.log +0 -21
- data/spec/support/logs/Dispatcher - 27815-58778.log +0 -13
- data/spec/support/logs/Dispatcher - 27828-29742.log +0 -17
- data/spec/support/logs/Dispatcher - 27837-46211.log +0 -21
- data/spec/support/logs/Dispatcher - 27846-16143.log +0 -13
- data/spec/support/logs/Dispatcher - 2789-29375.log +0 -25
- data/spec/support/logs/Dispatcher - 2798-10983.log +0 -15
- data/spec/support/logs/Dispatcher - 2836-2354.log +0 -17
- data/spec/support/logs/Dispatcher - 2845-65341.log +0 -21
- data/spec/support/logs/Dispatcher - 2854-18936.log +0 -13
- data/spec/support/logs/Dispatcher - 2867-51979.log +0 -21
- data/spec/support/logs/Dispatcher - 2876-21086.log +0 -25
- data/spec/support/logs/Dispatcher - 2887-17393.log +0 -15
- data/spec/support/logs/Dispatcher - 2930-37394.log +0 -17
- data/spec/support/logs/Dispatcher - 2943-46737.log +0 -21
- data/spec/support/logs/Dispatcher - 2956-37866.log +0 -13
- data/spec/support/logs/Dispatcher - 2976-21012.log +0 -17
- data/spec/support/logs/Dispatcher - 2990-48082.log +0 -21
- data/spec/support/logs/Dispatcher - 2999-16391.log +0 -13
- data/spec/support/logs/Instance - 2204-45164.error.log +0 -356
- data/spec/support/logs/Instance - 2475-49789.error.log +0 -356
- data/spec/support/logs/Instance - 2509-39450.error.log +0 -455
- data/spec/support/logs/Instance - 2533-5785.error.log +0 -354
- data/spec/support/logs/Instance - 2539-42941.error.log +0 -356
- data/spec/support/logs/Instance - 26178-57631.error.log +0 -324
- data/spec/support/logs/Instance - 26458-60253.error.log +0 -326
- data/spec/support/logs/Instance - 26514-44685.error.log +0 -423
- data/spec/support/logs/Instance - 26538-43093.error.log +0 -322
- data/spec/support/logs/Instance - 26544-52217.error.log +0 -328
- data/spec/support/logs/Instance - 26682-37056.error.log +0 -345
- data/spec/support/logs/Instance - 2669-56818.error.log +0 -354
- data/spec/support/logs/Instance - 27547-3928.error.log +0 -309
- data/spec/support/servers/arachni/element/capabilities/auditable/rdiff.rb +0 -162
- data/spec/support/servers/arachni/element/capabilities/auditable/timeout.rb +0 -34
- data/spec/support/servers/arachni/http.rb +0 -127
- data/spec/support/servers/arachni/http_auth.rb +0 -9
- data/spec/support/servers/arachni/module/auditor.rb +0 -136
- data/spec/support/servers/arachni/rpc/server/framework_simple.rb +0 -30
- data/spec/support/servers/arachni/spider.rb +0 -234
- data/spec/support/servers/arachni/spider_https.rb +0 -58
- data/spec/support/servers/modules/audit/code_injection.rb +0 -139
- data/spec/support/servers/modules/audit/code_injection_timing.rb +0 -110
- data/spec/support/servers/modules/audit/file_inclusion.rb +0 -202
- data/spec/support/servers/modules/audit/ldapi.rb +0 -73
- data/spec/support/servers/modules/audit/os_cmd_injection.rb +0 -140
- data/spec/support/servers/modules/audit/os_cmd_injection_timing.rb +0 -103
- data/spec/support/servers/modules/audit/path_traversal.rb +0 -197
- data/spec/support/servers/modules/audit/response_splitting.rb +0 -114
- data/spec/support/servers/modules/audit/session_fixation.rb +0 -87
- data/spec/support/servers/modules/audit/source_code_disclosure.rb +0 -95
- data/spec/support/servers/modules/audit/sqli.rb +0 -118
- data/spec/support/servers/modules/audit/sqli_blind_timing.rb +0 -121
- data/spec/support/servers/modules/audit/unvalidated_redirect.rb +0 -115
- data/spec/support/servers/modules/audit/xpath.rb +0 -111
- data/spec/support/servers/modules/audit/xss.rb +0 -152
- data/spec/support/servers/modules/audit/xss_event.rb +0 -80
- data/spec/support/servers/modules/audit/xss_script_tag.rb +0 -73
- data/spec/support/servers/modules/module_server.rb +0 -14
- data/spec/support/servers/modules/recon/backdoors.rb +0 -4
- data/spec/support/servers/modules/recon/backup_files.rb +0 -28
- data/spec/support/servers/modules/recon/common_directories.rb +0 -6
- data/spec/support/servers/modules/recon/common_files.rb +0 -6
- data/spec/support/servers/modules/recon/directory_listing.rb +0 -30
- data/spec/support/servers/modules/recon/grep/emails.rb +0 -21
- data/spec/support/servers/modules/recon/grep/insecure_cookies.rb +0 -21
- data/spec/support/servers/modules/recon/grep/mixed_resource.rb +0 -83
- data/spec/support/servers/modules/recon/grep/password_autocomplete.rb +0 -33
- data/spec/support/servers/modules/recon/grep/unencrypted_password_forms.rb +0 -33
- data/spec/support/servers/modules/recon/http_put.rb +0 -7
- data/spec/support/servers/modules/recon/interesting_responses.rb +0 -5
- data/spec/support/servers/modules/recon/webdav.rb +0 -25
- data/spec/support/servers/modules/recon/x_forwarded_for_access_restriction_bypass.rb +0 -16
- data/spec/support/servers/plugins/profiler.rb +0 -82
- data/spec/support/servers/plugins/rescan.rb +0 -31
- data/spec/support/shared/module.rb +0 -162
- data/spec/support/shared/reports.rb +0 -47
checksums.yaml
CHANGED
@@ -1,15 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
|
5
|
-
data.tar.gz: !binary |-
|
6
|
-
ZGExNDM4ZjUyMzhhOTY2MTEyODY4MThjMjQ0MDE0Njg2MTBkNTY1Yw==
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 0bbd91e8fb1bcbcf5164c22e187397214e1894ac
|
4
|
+
data.tar.gz: 16adc7946a2fa8da04a50b2417cd8b731d291652
|
7
5
|
SHA512:
|
8
|
-
metadata.gz:
|
9
|
-
|
10
|
-
MjE5ZmFkNjIzNjNmYWVkOWZmMzI1ZDBhOWFlYjY4NmFjNmVmNmI2NmZhYzE3
|
11
|
-
MTAwZDhjMDFjYmE5YWJhYmE5YzZjOTA5ZGJmM2Q3MzEzZTYzMGQ=
|
12
|
-
data.tar.gz: !binary |-
|
13
|
-
ZTA0ZWFhNDE2Mjk2ODcwNjk0MWEyNjMyZGI3NGRmMTQyOGMxYTJkMzUwZDFj
|
14
|
-
Y2NlMzlmODNjNzdkNWJiODU0ZTllZjRmODQ1MjQ2Y2Y0ZTAwYzIxOGI2YjRj
|
15
|
-
ZTVlNDU4MGViZjY5ODU1ZmZlOTg0MzQyOTg4NDNmOGIwNjI0ZDY=
|
6
|
+
metadata.gz: 913913c30128c176a2e55614ee95530343fd6f300cdf3008cbd6df69cf93b78c2b9c87ea748ae330524061a32a160563fb1aafdfc2b06ad4dcf853e5f9eb8b50
|
7
|
+
data.tar.gz: 59bd68596db84ed440707cde96554f13d6397a52ca0025f9019073ba250bf0e32296adbebd50ac099c02262bff40ac5c27d9d3bcffeb0d2afe74666577816b3d
|
data/AUTHORS.md
CHANGED
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,211 @@
|
|
1
1
|
# ChangeLog
|
2
2
|
|
3
|
+
## 1.0 _(August 29, 2014)_
|
4
|
+
|
5
|
+
- Executables:
|
6
|
+
- Added
|
7
|
+
- `arachni_restore` (`UI::CLI::RestoredFramework`)
|
8
|
+
- Restores snapshots of suspended scans.
|
9
|
+
- Prints snapshot metadata.
|
10
|
+
- `arachni_report` (`UI::CLI::Report`)
|
11
|
+
- Creates reports from `.afr` files.
|
12
|
+
- `arachni` (`UI::CLI::Framework`)
|
13
|
+
- `Ctrl+C` (`SIGINT`) now aborts the scan.
|
14
|
+
- Hitting `Enter` now toggles between the progress message and the
|
15
|
+
command screens.
|
16
|
+
- Updated to provide access to the new suspend-to-disk feature.
|
17
|
+
- Moved reporting functionality to `arachni_report`.
|
18
|
+
- `Framework`
|
19
|
+
- `#audit_page` -- Updated to perform DOM/JS/AJAX analysis on the page and
|
20
|
+
feed DOM page snapshots and new paths back to the `Framework`.
|
21
|
+
- `#stats` renamed to `#statistics` with the return hash cleaned-up.
|
22
|
+
- `#opts` renamed to `#options`.
|
23
|
+
- `Session`
|
24
|
+
- Updated to support login forms which depend on DOM/Javascript.
|
25
|
+
- Added `State` -- Stores and provides access to the system's state.
|
26
|
+
- `Plugins` -- Stores plugin runtime states when suspending.
|
27
|
+
- `HTTP` -- Stores client headers and cookies.
|
28
|
+
- `Audit` -- Stores audit operations.
|
29
|
+
- `ElementFilter` -- Stores seen elements.
|
30
|
+
- `Framework` -- Stores the `Framework` state.
|
31
|
+
- `RPC` -- Stores the `RPC::Server::Framework` state.
|
32
|
+
- Added `Data` -- Stores and provides access to the system's data.
|
33
|
+
- `Issues` -- Stores logged `Issue` objects.
|
34
|
+
- `Plugins` -- Stores plugin results.
|
35
|
+
- `Session` -- Stores login configuration.
|
36
|
+
- `Framework` -- Stores the `Framework` audit workload.
|
37
|
+
- `RPC` -- Stores the `RPC::Server::Framework` audit workload.
|
38
|
+
- Added `Snapshot`
|
39
|
+
- Dumps and loads `State` and `Data` to and from disk to suspend and restore
|
40
|
+
active scans.
|
41
|
+
- Removed the `Spider`.
|
42
|
+
- The Framework has grown to encompass a process providing the same
|
43
|
+
functionality as a result of `Browser` analysis.
|
44
|
+
- `Element`
|
45
|
+
- Cleaned up initializers.
|
46
|
+
- Now passed a single Hash argument with configuration options.
|
47
|
+
- Added `GenericDOM`
|
48
|
+
- Provides an interface similar to traditional elements in order for
|
49
|
+
generic DOM elements to be logged and assigned as vectors to issues.
|
50
|
+
- Added `LinkTemplate`
|
51
|
+
- Basing its vector identification and manipulation to a user-provided
|
52
|
+
template to satisfy cases like ModRewrite and similar.
|
53
|
+
- Including `#dom` pointing to a `Auditable::DOM` object handling browser-based
|
54
|
+
link submissions/audits.
|
55
|
+
- `Form`
|
56
|
+
- Added `#dom` pointing to a `Auditable::DOM` object handling browser-based
|
57
|
+
form submissions/audits.
|
58
|
+
- `Link`
|
59
|
+
- Added `#dom` pointing to a `Auditable::DOM` object handling browser-based
|
60
|
+
link submissions/audits.
|
61
|
+
- `Cookie`
|
62
|
+
- Added `#dom` pointing to a `Auditable::DOM` object handling browser-based
|
63
|
+
cookie submissions/audits.
|
64
|
+
- `Capabilities::Auditable`
|
65
|
+
- Removed `#use_anonymous_auditor`
|
66
|
+
- `#auditable` => `#inputs`
|
67
|
+
- `#orig` => `#default_inputs`
|
68
|
+
- `#opts` => `#audit_options`
|
69
|
+
- `#audit` - Callback now get passed the HTTP response and element mutation
|
70
|
+
instead of response, audit options and mutation -- options can now be
|
71
|
+
accessed via the element's `#audit_options` attribute.
|
72
|
+
- Added `DOM` -- To handle DOM submission/auditing of elements.
|
73
|
+
- Split into the following `Capabilities`:
|
74
|
+
- `Analyzable`
|
75
|
+
- `Timeout`
|
76
|
+
- General refactoring and code cleanup.
|
77
|
+
- Updated the algorithm to ensure server responsiveness before each phase.
|
78
|
+
- Lowered the amount of performed requests.
|
79
|
+
- No longer downloads response bodies.
|
80
|
+
- `RDiff` => `Differential`
|
81
|
+
- `Taint`
|
82
|
+
- `Submittable`
|
83
|
+
- `Inputtable`
|
84
|
+
- `RPC`
|
85
|
+
- `Serializer` -- Replaced `Marshal` and `YAML` as RPC serialization providers.
|
86
|
+
- Delegates to `MessagePack`.
|
87
|
+
- Supports message compression -- applied based on message size to minimize overhead.
|
88
|
+
- `opts` handler renamed to `options`.
|
89
|
+
- `Server`
|
90
|
+
- `Dispatcher`
|
91
|
+
- `#dispatch` -- Returns `false` when the pool is empty as a signal
|
92
|
+
to check back later.
|
93
|
+
- Removed `#proc_info` method.
|
94
|
+
- Removed `proc` from job info data.
|
95
|
+
- `Handler` renamed to `Service`.
|
96
|
+
- `Instance`
|
97
|
+
- Removed `#output`.
|
98
|
+
- `Framework`
|
99
|
+
- Removed `#output`.
|
100
|
+
- `#progress`
|
101
|
+
- `:messages` now returns `Framework#status_messages` instead of
|
102
|
+
output messages.
|
103
|
+
- Cleaned up return data.
|
104
|
+
- Removed `#progress_data` alias.
|
105
|
+
- `HTTP` expanded to be a complete wrapper around Typhoeus, providing:
|
106
|
+
- `Headers`
|
107
|
+
- `Message`
|
108
|
+
- `Request`
|
109
|
+
- `Response`
|
110
|
+
- `Client`
|
111
|
+
- `#request` options:
|
112
|
+
- `:params` => `:parameters`
|
113
|
+
- `:async` => `:mode` (with values of `:async` and `:sync`)
|
114
|
+
- Added `:http_max_response_size`.
|
115
|
+
- `ProxyServer` -- Moved the proxy server out of the `Proxy` plugin and
|
116
|
+
updated it to work with `Arachni::HTTP` objects.
|
117
|
+
- `Browser` -- Real browser driver providing DOM/JS/AJAX support.
|
118
|
+
- `BrowserCluster` -- Maintains a pool of `Arachni::Browser` instances
|
119
|
+
and distributes the analysis workload of multiple resources.
|
120
|
+
- `Page`
|
121
|
+
- Cleaned-up attributes.
|
122
|
+
- Attributes (`#links`, `#forms`, `#paths` etc.) are lazy-parsed on-demand.
|
123
|
+
- Added:
|
124
|
+
- `#response` -- Associated `HTTP::Response`.
|
125
|
+
- `#dom` -- Associated `Arachni::Page::DOM`.
|
126
|
+
- `Page::DOM` -- Static DOM snapshot as computed by a real browser.
|
127
|
+
- `Parser` -- Updated to **only** operate under the context of the
|
128
|
+
`HTTP::Response` with which it was initialized -- no longer supports parsing
|
129
|
+
data from external sources.
|
130
|
+
- `Options` -- Rewritten with renamed option names and grouped relevant options together.
|
131
|
+
- `Report` (Renamed from `AuditStore`)
|
132
|
+
- `#save` -- Updated to store a compressed `Marshal` dump of the instance.
|
133
|
+
- `.load` -- Updated to load the new `#save` format.
|
134
|
+
- `Component::Options` -- Refactored initializers and API.
|
135
|
+
- `Enum` renamed to `MultipleChoice`.
|
136
|
+
- `Reporters` (Renamed from `Reports`)
|
137
|
+
- Removed `metareport`.
|
138
|
+
- All updated to the new format.
|
139
|
+
- Plugins
|
140
|
+
- Descriptions have been converted to GitHub-flavored Markdown.
|
141
|
+
- `resolver` -- Removed as the report now contains that information in the
|
142
|
+
responses associated with each issue.
|
143
|
+
- `proxy`
|
144
|
+
- Updated to use `HTTP::ProxyServer`.
|
145
|
+
- Added `ignore_responses` option.
|
146
|
+
- Forces the proxy to only extract vector information from observed
|
147
|
+
HTTP requests and not analyze responses.
|
148
|
+
- `autologin`
|
149
|
+
- `params` option renames to `parameters`.
|
150
|
+
- Changed results to include `status` (`String`) and `message` (`String`)
|
151
|
+
instead of `code` (`Integer`) and `msg` (`String`).
|
152
|
+
- Updated to abort the scan upon login failure.
|
153
|
+
- `content_types`
|
154
|
+
- Renamed `params` in logged results to `parameters`.
|
155
|
+
- `cookie_collector`
|
156
|
+
- Renamed `res` in logged results to `response`.
|
157
|
+
- `waf_detector`
|
158
|
+
- Changed results to include `status` (`Symbol`) and `message` (`String`)
|
159
|
+
instead of `code` (`Integer`) and `msg` (`String`).
|
160
|
+
- `healthmap`
|
161
|
+
- Changed results to use `with_issues` and `without_issues` instead of
|
162
|
+
`unsafe` and `safe`.
|
163
|
+
- Path extractors
|
164
|
+
- Added:
|
165
|
+
- Extract partial paths from HTML comments (`comments`).
|
166
|
+
- `script` - Extract partial paths from scripts.
|
167
|
+
- Moved all Framework components (`modules`, `plugins`, `reports`, etc.)
|
168
|
+
under `components/`.
|
169
|
+
- Renamed `modules` to `checks`, also:
|
170
|
+
- _Audit_ checks renamed to _Active_ checks.
|
171
|
+
- _Recon_ checks renamed to _Passive_ checks.
|
172
|
+
- Checks
|
173
|
+
- Descriptions and `remedy_guidance` have been converted to GitHub-flavored Markdown.
|
174
|
+
- Renamed
|
175
|
+
- `xpath` => `xpath_injection`
|
176
|
+
- `ldapi` => `ldap_injection`
|
177
|
+
- `sqli` => `sql_injection`
|
178
|
+
- `sqli_blind_rdiff` => `sql_injection_differential`
|
179
|
+
- `sqli_blind_timing` => `sql_injection_timing`
|
180
|
+
- `htaccess` => `htaccess_limit`
|
181
|
+
- Active
|
182
|
+
- New
|
183
|
+
- `xss_dom` -- Injects HTML code via DOM-based links, forms and cookies.
|
184
|
+
- `xss_dom_inputs` -- Injects HTML code via orphan text inputs with
|
185
|
+
associated DOM events.
|
186
|
+
- `xss_dom_script_context` -- Injects JavaScript code via DOM-based
|
187
|
+
links, forms and cookies.
|
188
|
+
- `no_sql_injection` -- NoSQL Injection (error-based) .
|
189
|
+
- `no_sql_injection_differential` -- Blind NoSQL Injection (differential analysis).
|
190
|
+
- `xss` -- Added support for Browser-based taint-analysis.
|
191
|
+
- `xss_script_context` -- Added support for Browser-based taint-analysis.
|
192
|
+
- Renamed from `xss_script_tag`.
|
193
|
+
- `unvalidated_redirect` -- Updated to also use full browser evaluation
|
194
|
+
in order to detect JS redirects.
|
195
|
+
- `os_cmd_injection` -- Added payloads for *BSD and AIX.
|
196
|
+
- Passive
|
197
|
+
- New
|
198
|
+
- `backup_directories` -- Backup directories.
|
199
|
+
- `cookie_set_for_parent_domain` -- Cookie set for parent domain.
|
200
|
+
- Grep
|
201
|
+
- `hsts` - Checks HTTPS pages for missing `Strict-Transport-Security` headers.
|
202
|
+
- `backup_files` -- Updated filename formats.
|
203
|
+
- `x_forwarded_for_access_restriction_bypass` renamed to `origin_spoof_access_restriction_bypass`.
|
204
|
+
- Also updated to use more origin headers.
|
205
|
+
- Grep
|
206
|
+
- `emails` - Updated to handle simple (`[at]` and `[dot]`) obfuscation.
|
207
|
+
- `insecure_cookies` - Only check HTTPS pages.
|
208
|
+
|
3
209
|
## 0.4.7 _(April 12, 2014)_
|
4
210
|
|
5
211
|
- `Spider`
|
@@ -104,6 +310,10 @@
|
|
104
310
|
- Check for an ASP platform instead of a Windows one.
|
105
311
|
- Fixed `LocalJumpError`.
|
106
312
|
- Plugins
|
313
|
+
- Removed
|
314
|
+
- `libnotify`
|
315
|
+
- `profiler`
|
316
|
+
- `rescan`
|
107
317
|
- `autologin`
|
108
318
|
- Changed `print_bad` to `print_error` so that errors are written to the
|
109
319
|
error log.
|
@@ -442,6 +652,7 @@
|
|
442
652
|
- Protocol -- Now supports both ```Marshal``` and ```YAML``` automatically.
|
443
653
|
- ```Marshal``` by default since it's many times faster than ```YAML```.
|
444
654
|
- ```YAML``` as an automatic fallback in order to maintain backwards compatibility and ease of integration with 3rd parties.
|
655
|
+
- Updated to use the Ruby-default ```Psych``` engine.
|
445
656
|
- ```Framework```
|
446
657
|
- Updated gathering of slave status -- once a slave is done it reports back to the master.
|
447
658
|
- Clean-up happens automatically, clients no longer need to call ```#clean_up``` (like previously mentioned).
|
data/CONTRIBUTORS.md
CHANGED
@@ -15,6 +15,7 @@ suggestions or testing it.
|
|
15
15
|
- [Evan Beard](mailto:beard.evan@gmail.com) for feedback and patches.
|
16
16
|
- [Michael Borohovski](mailto:borski@mit.edu) for testing, feedback and patches.
|
17
17
|
- [Ben Sedat](mailto:bsedat@alum.mit.edu) for testing, feedback and patches.
|
18
|
+
- [Simon Treadaway](mailto:ssgtreadaway@outlook.com) for testing and feedback.
|
18
19
|
- [Michiel van Es](mailto:mve@pragmasec.nl) for relentless testing and feedback.
|
19
20
|
|
20
21
|
A big thanks to my buddy [Andreas](mailto:rainmakergr@gmail.com) for the original
|
data/Gemfile
CHANGED
@@ -1,6 +1,27 @@
|
|
1
1
|
source 'https://rubygems.org'
|
2
2
|
|
3
|
-
gem '
|
4
|
-
|
3
|
+
gem 'rake'
|
4
|
+
|
5
|
+
group :docs do
|
6
|
+
gem 'yard'
|
7
|
+
gem 'redcarpet'
|
8
|
+
end
|
9
|
+
|
10
|
+
group :spec do
|
11
|
+
gem 'simplecov', require: false, group: :test
|
12
|
+
|
13
|
+
gem 'rspec', '2.99'
|
14
|
+
gem 'faker'
|
15
|
+
|
16
|
+
gem 'puma' if !Gem.win_platform? || RUBY_PLATFORM == 'java'
|
17
|
+
|
18
|
+
gem 'sinatra'
|
19
|
+
gem 'sinatra-contrib'
|
20
|
+
end
|
21
|
+
|
22
|
+
group :prof do
|
23
|
+
gem 'stackprof'
|
24
|
+
end
|
5
25
|
|
6
26
|
gemspec
|
27
|
+
|
data/LICENSE.md
CHANGED
@@ -1,5 +1,38 @@
|
|
1
1
|
# License
|
2
2
|
|
3
|
+
Copyright 2010-2014 [Tasos Laskos](mailto:tasos.laskos@arachni-scanner.com).
|
4
|
+
|
5
|
+
The Arachni Framework (henceforth referred to simply as "Arachni") is dual-licensed.
|
6
|
+
|
7
|
+
Cases that include **commercialization** of Arachni require a commercial,
|
8
|
+
non-free license. Otherwise, the system can be used under the terms of
|
9
|
+
Apache License v2.0, found at the bottom of this document.
|
10
|
+
|
11
|
+
Cases of **commercialization** are:
|
12
|
+
|
13
|
+
* Using Arachni to provide commercial managed/Software-as-a-Service services.
|
14
|
+
* Distributing Arachni as a commercial product or as part of one.
|
15
|
+
|
16
|
+
Cases which **don't** require a commercial license, and thus fall under
|
17
|
+
the terms of Apache License v2.0, include (but are not limited to):
|
18
|
+
|
19
|
+
* Penetration testers (or penetration testing organizations) using Arachni as
|
20
|
+
part of their assessment toolkit.
|
21
|
+
* So long as that doesn't conflict with the **commercialization** clause.
|
22
|
+
* Using Arachni to test your own systems.
|
23
|
+
* Any non-commercial use of Arachni.
|
24
|
+
|
25
|
+
If you need to acquire a commercial license or are unsure about whether you
|
26
|
+
need to acquire a commercial license, please get in touch, we'll be happy to
|
27
|
+
clarify things for you and work with you to accommodate your requirements.
|
28
|
+
|
29
|
+
You can use the [licensing contact form](http://www.arachni-scanner.com/license)
|
30
|
+
to contact us about these matters.
|
31
|
+
|
32
|
+
Code contributions will be accepted under the Apache License v2.0.
|
33
|
+
|
34
|
+
## Apache License v2.0
|
35
|
+
|
3
36
|
```
|
4
37
|
Apache License
|
5
38
|
Version 2.0, January 2004
|
@@ -175,4 +208,4 @@
|
|
175
208
|
defend, and hold each Contributor harmless for any liability
|
176
209
|
incurred by, or claims asserted against, such Contributor by reason
|
177
210
|
of your accepting any such warranty or additional liability.
|
178
|
-
```
|
211
|
+
```
|
data/README.md
CHANGED
@@ -1,9 +1,17 @@
|
|
1
|
+
**NOTICE**:
|
2
|
+
|
3
|
+
* Arachni's license has changed, please see the _LICENSE_ file before working
|
4
|
+
with the project.
|
5
|
+
* v1.0 is not backwards compatible.
|
6
|
+
|
7
|
+
<hr/>
|
8
|
+
|
1
9
|
# Arachni - Web Application Security Scanner Framework
|
2
10
|
|
3
11
|
<table>
|
4
12
|
<tr>
|
5
13
|
<th>Version</th>
|
6
|
-
<td>0
|
14
|
+
<td>1.0</td>
|
7
15
|
</tr>
|
8
16
|
<tr>
|
9
17
|
<th>Homepage</th>
|
@@ -30,7 +38,7 @@
|
|
30
38
|
</tr>
|
31
39
|
<tr>
|
32
40
|
<th>Author</th>
|
33
|
-
<td><a href="mailto:tasos.laskos@
|
41
|
+
<td><a href="mailto:tasos.laskos@arachni-scanner.com">Tasos Laskos</a> (<a href="http://twitter.com/Zap0tek">@Zap0tek</a>)</td>
|
34
42
|
</tr>
|
35
43
|
<tr>
|
36
44
|
<th>Twitter</th>
|
@@ -42,7 +50,7 @@
|
|
42
50
|
</tr>
|
43
51
|
<tr>
|
44
52
|
<th>License</th>
|
45
|
-
<td
|
53
|
+
<td>Dual-licensed (Apache License v2.0/Commercial) - (see LICENSE file)</td>
|
46
54
|
</tr>
|
47
55
|
</table>
|
48
56
|
|
@@ -54,20 +62,19 @@ Arachni is an Open Source, feature-full, modular, high-performance Ruby framewor
|
|
54
62
|
aimed towards helping penetration testers and administrators evaluate the security
|
55
63
|
of web applications.
|
56
64
|
|
57
|
-
It is smart, it trains itself by learning from the
|
58
|
-
during the
|
65
|
+
It is smart, it trains itself by monitoring and learning from the web application's
|
66
|
+
behavior during the scan process and is able to perform meta-analysis using a number of
|
59
67
|
factors in order to correctly assess the trustworthiness of results and intelligently
|
60
|
-
identify false-positives.
|
68
|
+
identify (or avoid) false-positives.
|
61
69
|
|
62
70
|
Unlike other scanners, it takes into account the dynamic nature of web applications,
|
63
71
|
can detect changes caused while travelling through the paths of a web application’s
|
64
|
-
cyclomatic complexity and is able to adjust itself accordingly. This way attack/input
|
65
|
-
vectors that would otherwise be undetectable by non-humans
|
72
|
+
cyclomatic complexity and is able to adjust itself accordingly. This way, attack/input
|
73
|
+
vectors that would otherwise be undetectable by non-humans can be handled seamlessly.
|
66
74
|
|
67
|
-
Moreover,
|
68
|
-
|
69
|
-
|
70
|
-
fast scans. Thus, you’ll only be limited by the responsiveness of the server under audit.
|
75
|
+
Moreover, due to its integrated browser environment, it can also audit and inspect
|
76
|
+
client-side code, as well as support highly complicated web applications which make
|
77
|
+
heavy use of technologies such as JavaScript, HTML5, DOM manipulation and AJAX.
|
71
78
|
|
72
79
|
Finally, it is versatile enough to cover a great deal of use cases, ranging from
|
73
80
|
a simple command line scanner utility, to a global high performance grid of
|
@@ -75,14 +82,14 @@ scanners, to a Ruby library allowing for scripted audits, to a multi-user
|
|
75
82
|
multi-scan web collaboration platform.
|
76
83
|
|
77
84
|
**Note**: Despite the fact that Arachni is mostly targeted towards web application
|
78
|
-
security, it can easily be used for
|
79
|
-
with the addition of custom
|
85
|
+
security, it can easily be used for general purpose scraping, data-mining, etc.
|
86
|
+
with the addition of custom components.
|
80
87
|
|
81
88
|
### Arachni offers:
|
82
89
|
|
83
90
|
#### A stable, efficient, high-performance framework
|
84
91
|
|
85
|
-
|
92
|
+
`Check`, `report` and `plugin` developers are allowed to easily and quickly create and
|
86
93
|
deploy their components with the minimum amount of restrictions imposed upon them,
|
87
94
|
while provided with the necessary infrastructure to accomplish their goals.
|
88
95
|
|
@@ -120,24 +127,118 @@ you with its findings.
|
|
120
127
|
- User Agent spoofing.
|
121
128
|
- Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
|
122
129
|
- Proxy authentication.
|
123
|
-
- Site authentication (Automated form-based, Cookie-Jar, Basic-Digest,
|
124
|
-
- Automatic log-out detection and re-login during the
|
125
|
-
login was performed via the
|
130
|
+
- Site authentication (Automated form-based, Cookie-Jar, Basic-Digest, NTLMv1 and others).
|
131
|
+
- Automatic log-out detection and re-login during the scan (when the initial
|
132
|
+
login was performed via the `autologin` or `proxy` plugins).
|
126
133
|
- Custom 404 page detection.
|
127
134
|
- UI abstraction:
|
128
135
|
- [Command-line Interface](https://github.com/Arachni/arachni/wiki/Executables).
|
129
136
|
- [Web User Interface](https://github.com/Arachni/arachni-ui-web).
|
130
137
|
- Pause/resume functionality.
|
138
|
+
- Hibernation support -- Suspend to and restore from disk.
|
131
139
|
- High performance asynchronous HTTP requests.
|
132
140
|
- With adjustable concurrency.
|
141
|
+
- With the ability to auto-detect server health and adjust its concurrency
|
142
|
+
automatically.
|
143
|
+
- Support for custom default input values, using pairs of patterns (to be matched
|
144
|
+
against input names) and values to be used to fill in matching inputs.
|
145
|
+
|
146
|
+
### Integrated browser environment
|
147
|
+
|
148
|
+
Arachni includes an integrated, real browser environment in order to provide
|
149
|
+
sufficient coverage to modern web applications which make use of technologies
|
150
|
+
such as HTML5, JavaScript, DOM manipulation, AJAX, etc.
|
151
|
+
|
152
|
+
In addition to the monitoring of the vanilla DOM and JavaScript environments,
|
153
|
+
Arachni's browsers also hook into popular frameworks to make the logged data
|
154
|
+
easier to digest:
|
155
|
+
|
156
|
+
- [JQuery](http://jquery.com/)
|
157
|
+
- [AngularJS](https://angularjs.org/)
|
158
|
+
- More to come...
|
159
|
+
|
160
|
+
In essence, this turns Arachni into a DOM and JavaScript debugger, allowing it to
|
161
|
+
monitor DOM events and JavaScript data and execution flows. As a result, not only
|
162
|
+
can the system trigger and identify DOM-based issues, but it will accompany them
|
163
|
+
with a great deal of information regarding the state of the page at the time.
|
164
|
+
|
165
|
+
Relevant information include:
|
166
|
+
|
167
|
+
- Page DOM, as HTML code.
|
168
|
+
- With a list of DOM transitions required to restore the state of the
|
169
|
+
page to the one at the time it was logged.
|
170
|
+
- Original DOM (i.e. prior to the action that caused the page to be logged),
|
171
|
+
as HTML code.
|
172
|
+
- With a list of DOM transitions.
|
173
|
+
- Data-flow sinks -- Each sink is a JS method which received a tainted argument.
|
174
|
+
- Parent object of the method (ex.: `DOMWindow`).
|
175
|
+
- Method signature (ex.: `decodeURIComponent()`).
|
176
|
+
- Arguments list.
|
177
|
+
- With the identified taint located recursively in the included objects.
|
178
|
+
- Method source code.
|
179
|
+
- JS stacktrace.
|
180
|
+
- Execution flow sinks -- Each sink is a successfully executed JS payload,
|
181
|
+
as injected by the security checks.
|
182
|
+
- Includes a JS stacktrace.
|
183
|
+
- JavaScript stack-traces include:
|
184
|
+
- Method names.
|
185
|
+
- Method locations.
|
186
|
+
- Method source codes.
|
187
|
+
- Argument lists.
|
188
|
+
|
189
|
+
In essence, you have access to roughly the same information that your favorite
|
190
|
+
debugger (for example, FireBug) would provide, as if you had set a breakpoint to
|
191
|
+
take place at the right time for identifying an issue.
|
192
|
+
|
193
|
+
#### Browser-cluster
|
194
|
+
|
195
|
+
The browser-cluster is what coordinates the browser analysis of resources and
|
196
|
+
allows the system to perform operations which would normally be quite time
|
197
|
+
consuming in a high-performance fashion.
|
198
|
+
|
199
|
+
Configuration options include:
|
200
|
+
|
201
|
+
- Adjustable pool-size, i.e. the amount of browser workers to utilize.
|
202
|
+
- Timeout for each job.
|
203
|
+
- Worker TTL counted in jobs -- Workers which exceed the TTL have their browser
|
204
|
+
process respawned.
|
205
|
+
- Ability to disable loading images.
|
206
|
+
- Adjustable screen width and height.
|
207
|
+
- Can be used to analyze responsive and mobile applications.
|
208
|
+
|
209
|
+
### Coverage
|
210
|
+
|
211
|
+
The system can provide great coverage to modern web applications due to its
|
212
|
+
integrated browser environment. This allows it to interact with complex applications
|
213
|
+
that make heavy use of client-side code (like JavaScript) just like a human would.
|
214
|
+
|
215
|
+
In addition to that, it also knows about which browser state changes the application
|
216
|
+
has been programmed to handle and is able to trigger them programatically in
|
217
|
+
order to provide coverage for a full set of possible scenarios.
|
218
|
+
|
219
|
+
By inspecting all possible pages and their states (when using client-side code)
|
220
|
+
Arachni is able to extract and audit the following elements and their inputs:
|
221
|
+
|
222
|
+
- Forms
|
223
|
+
- Along with ones that require interaction with a real browser due to DOM events.
|
224
|
+
- Links
|
225
|
+
- Along with ones that have client-side parameters in their fragment, i.e.:
|
226
|
+
`http://example.com/#/?param=val¶m2=val2`
|
227
|
+
- With support for rewrite rules.
|
228
|
+
- LinkTemplates -- Allowing for extraction of arbitrary inputs from generic paths,
|
229
|
+
based on user-supplied templates -- useful when rewrite rules are not available.
|
230
|
+
- Along with ones that have client-side parameters in their URL fragments, i.e.:
|
231
|
+
`http://example.com/#/param/val/param2/val2`
|
232
|
+
- Cookies
|
233
|
+
- Headers
|
234
|
+
- Generic client-side elements like `input`s which have associated DOM events.
|
235
|
+
- AJAX-request parameters.
|
133
236
|
|
134
237
|
### Open [distributed architecture](https://github.com/Arachni/arachni/wiki/Distributed-components)
|
135
238
|
|
136
|
-
- High-performance/low-bandwidth [communication protocol](https://github.com/Arachni/arachni-rpc
|
137
|
-
- `
|
138
|
-
|
139
|
-
- TCP/IP for general network communications.
|
140
|
-
- UNIX domain sockets for multi-Instance IPC.
|
239
|
+
- High-performance/low-bandwidth [communication protocol](https://github.com/Arachni/arachni-rpc).
|
240
|
+
- `MessagePack` serialization for performance, efficiency and ease of
|
241
|
+
integration with 3rd party systems.
|
141
242
|
- Remote monitoring and management of Dispatchers and Instances.
|
142
243
|
- Parallel scans -- Each scan is compartmentalized to its own OS process to take
|
143
244
|
advantage of:
|
@@ -148,51 +249,71 @@ you with its findings.
|
|
148
249
|
Instances to:
|
149
250
|
- Take advantage of multi-core/SMP architectures.
|
150
251
|
- Greatly diminish scan-times.
|
151
|
-
- Dispatcher
|
152
|
-
-
|
153
|
-
|
154
|
-
-
|
252
|
+
- Dispatcher Grid:
|
253
|
+
- Self-healing.
|
254
|
+
- Scale up/down by hot-plugging/hot-unplugging nodes.
|
255
|
+
- Can scale up infinitely by adding nodes to increase scan capacity.
|
155
256
|
- _(Always-on)_ Load-balancing -- All Instances are automatically provided
|
156
257
|
by the least burdened Grid member.
|
157
258
|
- With optional per-scan opt-out/override.
|
259
|
+
- _(Optional)_ High-Performance mode -- Combines the resources of
|
260
|
+
multiple nodes to perform multi-Instance scans.
|
261
|
+
- Enabled on a per-scan basis.
|
158
262
|
- SSL encryption (with optional peer authentication).
|
159
263
|
|
160
|
-
###
|
264
|
+
### Scope configuration
|
161
265
|
|
162
|
-
- Filters for redundant pages like galleries, catalogs, etc based on regular
|
266
|
+
- Filters for redundant pages like galleries, catalogs, etc. based on regular
|
163
267
|
expressions and counters.
|
164
268
|
- Can optionally detect and ignore redundant pages automatically.
|
165
|
-
- URL exclusion
|
166
|
-
- Page exclusion
|
167
|
-
- URL inclusion
|
269
|
+
- URL exclusion filters using regular expressions.
|
270
|
+
- Page exclusion filters based on content, using regular expressions.
|
271
|
+
- URL inclusion filters using regular expressions.
|
168
272
|
- Can be forced to only follow HTTPS paths and not downgrade to HTTP.
|
169
273
|
- Can optionally follow subdomains.
|
170
|
-
- Adjustable
|
274
|
+
- Adjustable page count limit.
|
171
275
|
- Adjustable redirect limit.
|
172
|
-
- Adjustable depth limit.
|
173
|
-
-
|
276
|
+
- Adjustable directory depth limit.
|
277
|
+
- Adjustable DOM depth limit.
|
278
|
+
- Adjustment using URL-rewrite rules.
|
174
279
|
- Can read paths from multiple user supplied files (to both restrict and extend
|
175
|
-
the scope
|
280
|
+
the scope).
|
176
281
|
|
177
|
-
###
|
282
|
+
### Audit
|
178
283
|
|
179
284
|
- Can audit:
|
180
285
|
- Forms
|
181
|
-
- Can refresh nonce tokens.
|
286
|
+
- Can automatically refresh nonce tokens.
|
287
|
+
- Can submit them via the integrated browser environment.
|
182
288
|
- Links
|
289
|
+
- Can load them via the integrated browser environment.
|
290
|
+
- LinkTemplates
|
291
|
+
- Can load them via the integrated browser environment.
|
183
292
|
- Cookies
|
293
|
+
- Can load them via the integrated browser environment.
|
184
294
|
- Headers
|
295
|
+
- Generic client-side DOM elements like `input`s.
|
185
296
|
- Can ignore binary/non-text pages.
|
186
|
-
- Can optionally audit
|
297
|
+
- Can optionally audit elements using both `GET` and `POST` HTTP methods.
|
187
298
|
- Can optionally submit all links and forms of the page along with the cookie
|
188
299
|
permutations to provide extensive cookie-audit coverage.
|
189
300
|
- Can exclude specific input vectors by name.
|
301
|
+
- Can include specific input vectors by name.
|
190
302
|
|
191
|
-
###
|
303
|
+
### Components
|
192
304
|
|
193
|
-
|
194
|
-
|
195
|
-
|
305
|
+
Arachni is a highly modular system, employing several components of distinct
|
306
|
+
types to perform its duties.
|
307
|
+
|
308
|
+
In addition to enabling or disabling the bundled components so as to adjust the
|
309
|
+
system's behavior and features as needed, functionality can be extended via the
|
310
|
+
addition of user-created components to suit almost every need.
|
311
|
+
|
312
|
+
#### Platform fingerprinters
|
313
|
+
|
314
|
+
In order to make efficient use of the available bandwidth, Arachni performs
|
315
|
+
rudimentary platform fingerprinting and tailors the audit process to the server-side
|
316
|
+
deployed technologies by only using applicable payloads.
|
196
317
|
|
197
318
|
Currently, the following platforms can be identified:
|
198
319
|
|
@@ -225,34 +346,15 @@ can be disabled altogether.
|
|
225
346
|
Finally, Arachni will always err on the side of caution and send all available
|
226
347
|
payloads when it fails to identify specific platforms.
|
227
348
|
|
228
|
-
|
229
|
-
|
230
|
-
Can extract and analyze:
|
349
|
+
#### Checks
|
231
350
|
|
232
|
-
|
233
|
-
- Links
|
234
|
-
- Cookies
|
235
|
-
- Headers
|
236
|
-
|
237
|
-
### Module Management
|
351
|
+
_Checks_ are system components which perform security checks and log issues.
|
238
352
|
|
239
|
-
|
240
|
-
- Helper audit methods:
|
241
|
-
- For form, link, cookie and header auditing.
|
242
|
-
- A wide range of injection strings/input combinations.
|
243
|
-
- For taint analysis, timing attacks, differential analysis, server-side
|
244
|
-
file/directory detection and more.
|
245
|
-
- Writing RFI, SQL injection, XSS etc modules is a matter of minutes, if not seconds.
|
353
|
+
##### Active
|
246
354
|
|
247
|
-
|
355
|
+
Active checks engage the web application via its inputs.
|
248
356
|
|
249
|
-
|
250
|
-
|
251
|
-
##### Audit (Active)
|
252
|
-
|
253
|
-
Audit modules actively engage the web application via its inputs.
|
254
|
-
|
255
|
-
- SQL injection (`sqli`) -- Error based vulnerability detection.
|
357
|
+
- SQL injection (`sql_injection`) -- Error based detection.
|
256
358
|
- Oracle
|
257
359
|
- ColdFusion
|
258
360
|
- InterBase
|
@@ -270,11 +372,14 @@ Audit modules actively engage the web application via its inputs.
|
|
270
372
|
- Ingres
|
271
373
|
- HSQLDB
|
272
374
|
- MS Access
|
273
|
-
- Blind SQL injection using
|
274
|
-
- Blind SQL injection using timing attacks (`
|
375
|
+
- Blind SQL injection using differential analysis (`sql_injection_differential`).
|
376
|
+
- Blind SQL injection using timing attacks (`sql_injection_timing`).
|
275
377
|
- MySQL
|
276
378
|
- PostgreSQL
|
277
379
|
- MSSQL
|
380
|
+
- NoSQL injection (`no_sql_injection`) -- Error based vulnerability detection.
|
381
|
+
- MongoDB
|
382
|
+
- Blind NoSQL injection using differential analysis (`no_sql_injection_differential`).
|
278
383
|
- CSRF detection (`csrf`).
|
279
384
|
- Code injection (`code_injection`).
|
280
385
|
- PHP
|
@@ -288,7 +393,7 @@ Audit modules actively engage the web application via its inputs.
|
|
288
393
|
- Python
|
289
394
|
- JSP
|
290
395
|
- ASP.NET
|
291
|
-
- LDAP injection (`
|
396
|
+
- LDAP injection (`ldap_injection`).
|
292
397
|
- Path traversal (`path_traversal`).
|
293
398
|
- *nix
|
294
399
|
- Windows
|
@@ -302,6 +407,8 @@ Audit modules actively engage the web application via its inputs.
|
|
302
407
|
- Response splitting (`response_splitting`).
|
303
408
|
- OS command injection (`os_cmd_injection`).
|
304
409
|
- *nix
|
410
|
+
- *BSD
|
411
|
+
- IBM AIX
|
305
412
|
- Windows
|
306
413
|
- Blind OS command injection using timing attacks (`os_cmd_injection_timing`).
|
307
414
|
- Linux
|
@@ -310,7 +417,7 @@ Audit modules actively engage the web application via its inputs.
|
|
310
417
|
- Windows
|
311
418
|
- Remote file inclusion (`rfi`).
|
312
419
|
- Unvalidated redirects (`unvalidated_redirect`).
|
313
|
-
- XPath injection (`
|
420
|
+
- XPath injection (`xpath_injection`).
|
314
421
|
- Generic
|
315
422
|
- PHP
|
316
423
|
- Java
|
@@ -320,15 +427,16 @@ Audit modules actively engage the web application via its inputs.
|
|
320
427
|
- Path XSS (`xss_path`).
|
321
428
|
- XSS in event attributes of HTML elements (`xss_event`).
|
322
429
|
- XSS in HTML tags (`xss_tag`).
|
323
|
-
- XSS in
|
430
|
+
- XSS in "script" context (`xss_script_context`).
|
324
431
|
- Source code disclosure (`source_code_disclosure`)
|
325
432
|
|
326
|
-
#####
|
433
|
+
##### Passive
|
327
434
|
|
328
|
-
|
435
|
+
Passive checks look for the existence of files, folders and signatures.
|
329
436
|
|
330
437
|
- Allowed HTTP methods (`allowed_methods`).
|
331
438
|
- Back-up files (`backup_files`).
|
439
|
+
- Backup directories (`backup_directories`)
|
332
440
|
- Common directories (`common_directories`).
|
333
441
|
- Common files (`common_files`).
|
334
442
|
- HTTP PUT (`http_put`).
|
@@ -349,52 +457,39 @@ Recon modules look for the existence of files, folders and signatures.
|
|
349
457
|
- Insecure cookies (`insecure_cookies`).
|
350
458
|
- HttpOnly cookies (`http_only_cookies`).
|
351
459
|
- Auto-complete for password form fields (`password_autocomplete`).
|
352
|
-
-
|
460
|
+
- Origin Spoof Access Restriction Bypass (`origin_spoof_access_restriction_bypass`)
|
353
461
|
- Form-based upload (`form_upload`)
|
354
462
|
- localstart.asp (`localstart_asp`)
|
463
|
+
- Cookie set for parent domain (`cookie_set_for_parent_domain`)
|
464
|
+
- Missing `Strict-Transport-Security` headers for HTTPS sites (`hsts`).
|
355
465
|
|
356
|
-
|
357
|
-
|
358
|
-
- Modular design.
|
359
|
-
|
360
|
-
#### Available reports
|
466
|
+
#### Reporters
|
361
467
|
|
362
468
|
- Standard output
|
363
|
-
- HTML
|
364
|
-
-
|
365
|
-
-
|
366
|
-
-
|
367
|
-
- JSON (`json`)
|
368
|
-
- Marshal (`marshal`)
|
369
|
-
- YAML (`yaml`)
|
370
|
-
-
|
371
|
-
|
372
|
-
|
373
|
-
|
374
|
-
|
375
|
-
- Modular design.
|
376
|
-
- Plug-ins are framework demi-gods, they have direct access to the framework instance.
|
377
|
-
- Can be used to add abstract functionality to Arachni.
|
378
|
-
|
379
|
-
#### Available plugins
|
469
|
+
- [HTML](http://downloads.arachni-scanner.com/dev/reports/report.html/)
|
470
|
+
([zip](http://downloads.arachni-scanner.com/dev/reports/report.html.zip)) (`html`).
|
471
|
+
- [XML](http://downloads.arachni-scanner.com/dev/reports/report.xml) (`xml`).
|
472
|
+
- [Text](http://downloads.arachni-scanner.com/dev/reports/report.txt) (`text`).
|
473
|
+
- [JSON](http://downloads.arachni-scanner.com/dev/reports/report.json) (`json`)
|
474
|
+
- [Marshal](http://downloads.arachni-scanner.com/dev/reports/report.marshal) (`marshal`)
|
475
|
+
- [YAML](http://downloads.arachni-scanner.com/dev/reports/report.yml) (`yaml`)
|
476
|
+
- [AFR](http://downloads.arachni-scanner.com/dev/reports/report.afr) (`afr`)
|
477
|
+
- The default Arachni Framework Report format.
|
478
|
+
|
479
|
+
#### Plugins
|
380
480
|
|
381
481
|
Plugins add extra functionality to the system in a modular fashion, this way the
|
382
482
|
core remains lean and makes it easy for anyone to add arbitrary functionality.
|
383
483
|
|
384
|
-
- ReScan (`rescan`)-- It uses the AFR report of a previous scan to extract the sitemap
|
385
|
-
in order to avoid a redundant crawl.
|
386
484
|
- Passive Proxy (`proxy`) -- Analyzes requests and responses between the web app and
|
387
485
|
the browser assisting in AJAX audits, logging-in and/or restricting the scope of the audit.
|
388
486
|
- Form based AutoLogin (`autologin`).
|
389
487
|
- Dictionary attacker for HTTP Auth (`http_dicattack`).
|
390
488
|
- Dictionary attacker for form based authentication (`form_dicattack`).
|
391
|
-
- Profiler (`profiler`) -- Performs taint analysis (with benign inputs) and response time analysis.
|
392
489
|
- Cookie collector (`cookie_collector`) -- Keeps track of cookies while establishing a timeline of changes.
|
393
490
|
- WAF (Web Application Firewall) Detector (`waf_detector`) -- Establishes a baseline of
|
394
491
|
normal behavior and uses rDiff analysis to determine if malicious inputs cause any behavioral changes.
|
395
492
|
- BeepNotify (`beep_notify`) -- Beeps when the scan finishes.
|
396
|
-
- LibNotify (`libnotify`) -- Uses the libnotify library to send notifications for each
|
397
|
-
discovered issue and a summary at the end of the scan.
|
398
493
|
- EmailNotify (`email_notify`) -- Sends a notification (and optionally a report) over SMTP at
|
399
494
|
the end of the scan.
|
400
495
|
- VectorFeed (`vector_feed`) -- Reads in vector data from which it creates elements to be
|
@@ -406,7 +501,7 @@ core remains lean and makes it easy for anyone to add arbitrary functionality.
|
|
406
501
|
- Content-types (`content_types`) -- Logs content-types of server responses aiding in the
|
407
502
|
identification of interesting (possibly leaked) files.
|
408
503
|
|
409
|
-
|
504
|
+
##### Defaults
|
410
505
|
|
411
506
|
Default plugins will run for every scan and are placed under `/plugins/defaults/`.
|
412
507
|
|
@@ -415,7 +510,7 @@ Default plugins will run for every scan and are placed under `/plugins/defaults/
|
|
415
510
|
- Healthmap (`healthmap`) -- Generates sitemap showing the health of each crawled/audited URL
|
416
511
|
- Resolver (`resolver`) -- Resolves vulnerable hostnames to IP addresses.
|
417
512
|
|
418
|
-
|
513
|
+
###### Meta
|
419
514
|
|
420
515
|
Plugins under `/plugins/defaults/meta/` perform analysis on the scan results
|
421
516
|
to determine trustworthiness or just add context information or general insights.
|
@@ -424,7 +519,7 @@ to determine trustworthiness or just add context information or general insights
|
|
424
519
|
when the affected audited pages returned unusually high response times to begin with.
|
425
520
|
It also points out the danger of DoS attacks against pages that perform heavy-duty processing.
|
426
521
|
- Discovery (`discovery`) -- Performs anomaly detection on issues logged by discovery
|
427
|
-
|
522
|
+
checks and warns of the possibility of false positives where applicable.
|
428
523
|
- Uniformity (`uniformity`) -- Reports inputs that are uniformly vulnerable across a number
|
429
524
|
of pages hinting to the lack of a central point of input sanitization.
|
430
525
|
|
@@ -433,36 +528,25 @@ to determine trustworthiness or just add context information or general insights
|
|
433
528
|
The Trainer is what enables Arachni to learn from the scan it performs and
|
434
529
|
incorporate that knowledge, on the fly, for the duration of the audit.
|
435
530
|
|
436
|
-
|
531
|
+
Checks have the ability to individually force the Framework to learn from the
|
437
532
|
HTTP responses they are going to induce.
|
438
533
|
|
439
534
|
However, this is usually not required since Arachni is aware of which requests
|
440
|
-
are more likely to uncover new elements or attack vectors and will adapt itself
|
535
|
+
are more likely to uncover new elements or attack vectors and will adapt itself
|
536
|
+
accordingly.
|
441
537
|
|
442
|
-
Still, this can be an invaluable asset to Fuzzer
|
538
|
+
Still, this can be an invaluable asset to Fuzzer checks.
|
443
539
|
|
444
540
|
## [Installation](https://github.com/Arachni/arachni/wiki/Installation)
|
445
541
|
|
446
542
|
## [Usage](https://github.com/Arachni/arachni/wiki/User-guide)
|
447
543
|
|
448
|
-
## Configuration of _extras_
|
449
|
-
|
450
|
-
The _extras_ directory holds components that are considered too specialised,
|
451
|
-
dangerous or in some way unsuitable for utilising without explicit user interaction.
|
452
|
-
|
453
|
-
This directory was mainly added to distribute modules which can be helpful but
|
454
|
-
should not be put in the default _modules_ directory to prevent them from
|
455
|
-
being automatically loaded.
|
456
|
-
|
457
|
-
Should you want to use these extra components simply move them from the
|
458
|
-
_extras_ folder to their appropriate system directories.
|
459
|
-
|
460
544
|
## Running the specs
|
461
545
|
|
462
546
|
You can run `rake spec` to run **all** specs or you can run them selectively using the following:
|
463
547
|
|
464
548
|
rake spec:core # for the core libraries
|
465
|
-
rake spec:
|
549
|
+
rake spec:checks # for the checks
|
466
550
|
rake spec:plugins # for the plugins
|
467
551
|
rake spec:reports # for the reports
|
468
552
|
rake spec:path_extractors # for the path extractors
|
@@ -470,7 +554,7 @@ You can run `rake spec` to run **all** specs or you can run them selectively usi
|
|
470
554
|
**Please be warned**, the core specs will require a beast of a machine due to the
|
471
555
|
necessity to test the Grid/multi-Instance features of the system.
|
472
556
|
|
473
|
-
**Note**: _The
|
557
|
+
**Note**: _The check specs will take about 90 minutes due to the timing-attack tests._
|
474
558
|
|
475
559
|
## Bug reports/Feature requests
|
476
560
|
|
@@ -486,7 +570,7 @@ We're happy to accept help from fellow code-monkeys and these are the steps you
|
|
486
570
|
need to follow in order to contribute code:
|
487
571
|
|
488
572
|
* Fork the project.
|
489
|
-
* Start a feature branch based on the [experimental](https://github.com/Arachni/arachni
|
573
|
+
* Start a feature branch based on the [experimental](https://github.com/Arachni/arachni/tree/experimental)
|
490
574
|
branch (`git checkout -b <feature-name> experimental`).
|
491
575
|
* Add specs for your code.
|
492
576
|
* Run the spec suite to make sure you didn't break anything (`rake spec:core`
|
@@ -496,11 +580,11 @@ need to follow in order to contribute code:
|
|
496
580
|
|
497
581
|
## License
|
498
582
|
|
499
|
-
|
500
|
-
|
583
|
+
Dual-licensed (Apache License v2.0/Commercial) -- please see the _LICENSE_ file
|
584
|
+
for more information.
|
501
585
|
|
502
586
|
## Disclaimer
|
503
587
|
|
504
588
|
This is free software and you are allowed to use it as you see fit.
|
505
|
-
However, neither the development team nor any of our contributors can held
|
506
|
-
responsible for your actions
|
589
|
+
However, neither the development team nor any of our contributors can be held
|
590
|
+
responsible for your actions nor for any damage caused by the use of this software.
|