arachni 1.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0bbd91e8fb1bcbcf5164c22e187397214e1894ac
-  data.tar.gz: 16adc7946a2fa8da04a50b2417cd8b731d291652
+  metadata.gz: a4f1fba6f25f0dd437f9d31c82b3f036d4b87ec9
+  data.tar.gz: eaa9814da188578b10283e23101525828d42b17a
 SHA512:
-  metadata.gz: 913913c30128c176a2e55614ee95530343fd6f300cdf3008cbd6df69cf93b78c2b9c87ea748ae330524061a32a160563fb1aafdfc2b06ad4dcf853e5f9eb8b50
-  data.tar.gz: 59bd68596db84ed440707cde96554f13d6397a52ca0025f9019073ba250bf0e32296adbebd50ac099c02262bff40ac5c27d9d3bcffeb0d2afe74666577816b3d
+  metadata.gz: a98cde207400471e0ba80cffc9fce6ce46348d43e76c509cbd06f5c7e6b4867f62f9e5382bedaa7b500d731a82428cde04d23db0ea72a4cfceb9087c8fe8062a
+  data.tar.gz: a66344c76f782b7042f003c0e7b525b5ea173d2f72257d77f9a4673be35280624d4c73a5f874c157b4b66fd5b3eb46a0196480d9b91379639da6cf26e288c045

data/CHANGELOG.md

@@ -1,5 +1,52 @@
 # ChangeLog
 
+## 1.0.1 _(September 7, 2014)_
+
+- `RPC::Server::Dispatcher`
+    - Check for Instance status via the bind address, not the external one.
+    - Added more status and debugging messages
+    - Fixed RPC connection leak when in Grid configuration.
+    - `Node`
+        - Don't raise error if the initial neighbour is unreachable, just add
+            it to the dead list as usual.
+- `Browser`
+    - Fixed issue causing the removal of cookie HttpOnly flags.
+- `Parser`
+    - `#link_vars` -- Return empty `Hash` when dealing with unparsable URL.
+- `HTTP::Client`
+    - Debugging messages now include the `HTTP::Request#performer`.
+- `HTTP::Request`
+    - `#to_typhoeus` -- Converted proxy type to `Symbol` to prevent the option
+        from being ignored.
+- `UI::CLI::Utilities`
+    - `#print_issues` -- Updated to include all inputs of the given vector in
+        the message, if the issue is passive.
+- `Check::Auditor`
+    - `#log` -- Updated to include all inputs of the given vector in the success
+        message, if the issue is passive.
+- `Element::Cookie`
+    - `.encode` -- Encode `'` and `"`.
+- `Hash` -- Renamed added methods to avoid clashes with `ActiveSupport`.
+    - `stringify_keys` => `my_stringify_keys`
+    - `symbolize_keys` => `my_symbolize_keys`
+    - `stringify` => `my_stringify`
+- Plugins
+    - `proxy` -- Show control panel URL in output.
+- Reporters
+    - `stdout`
+        - Updated to print out information about all available vector inputs.
+    - `html`
+        - Updated to include information about all available vector inputs in
+            issue title for passive issues.
+- Checks
+    - Active
+        - `code_injection_php_input_wrapper` -- Fixed `nil` error when
+            manipulating mutations.
+        - `file_inclusion` -- Fixed `nil` error when manipulating mutations.
+        - `path_traversal` -- Fixed `nil` error when manipulating mutations.
+    - Passive
+        - `cookie_set_for_parent_domain` -- Only check `HTTP::Response` cookies.
+
 ## 1.0 _(August 29, 2014)_
 
 - Executables:

data/README.md

@@ -2,7 +2,7 @@
 
 * Arachni's license has changed, please see the _LICENSE_ file before working
     with the project.
-* v1.0 is not backwards compatible.
+* v1.0 is not backwards compatible with v0.4.
 
 <hr/>
 
@@ -11,7 +11,7 @@
 <table>
     <tr>
         <th>Version</th>
-        <td>1.0</td>
+        <td>1.0.1</td>
     </tr>
     <tr>
         <th>Homepage</th>

data/arachni.gemspec

@@ -61,7 +61,7 @@ Gem::Specification.new do |s|
     end
 
     # RPC client/server implementation.
-    s.add_dependency 'arachni-rpc',       '0.2.0'
+    s.add_dependency 'arachni-rpc',       '0.2.1.1'
 
     # HTTP client.
     s.add_dependency 'typhoeus',          '0.6.9'

data/components/checks/active/code_injection_php_input_wrapper.rb

@@ -6,9 +6,9 @@
     web site for more information on licensing and terms of use.
 =end
 
-# @see OWASP    https://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.1
+# @version 0.1.1
+# @see OWASP    https://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution
 class Arachni::Checks::CodeInjectionPhpInputWrapper < Arachni::Check::Base
 
     def self.options
@@ -20,6 +20,11 @@ class Arachni::Checks::CodeInjectionPhpInputWrapper < Arachni::Check::Base
             # Add one more mutation (on the fly) which will include the extension
             # of the original value (if that value was a filename) after a null byte.
             each_mutation: proc do |mutation|
+                next if !mutation.affected_input_value ||
+                    (mutation.is_a?( Arachni::Form ) &&
+                        (mutation.mutation_with_original_values? ||
+                            mutation.mutation_with_sample_values?))
+
                 # Don't bother if the current element type can't carry nulls.
                 next if !mutation.valid_input_value_data?( "\0" )
 
@@ -51,7 +56,7 @@ to try and load it.
 },
             elements:    [ Element::Form, Element::Link, Element::Cookie, Element::Header ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
-            version:     '0.1',
+            version:     '0.1.1',
             platforms:   [:php],
 
             issue:       {

data/components/checks/active/file_inclusion.rb

@@ -9,8 +9,7 @@
 # File inclusion check.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-#
-# @version 0.1.1
+# @version 0.1.2
 #
 # @see http://cwe.mitre.org/data/definitions/98.html
 # @see https://www.owasp.org/index.php/PHP_File_Inclusion
@@ -51,6 +50,11 @@ class Arachni::Checks::FileInclusion < Arachni::Check::Base
             # Add one more mutation (on the fly) which will include the extension
             # of the original value (if that value was a filename) after a null byte.
             each_mutation: proc do |mutation|
+                next if !mutation.affected_input_value ||
+                    (mutation.is_a?( Arachni::Form ) &&
+                        (mutation.mutation_with_original_values? ||
+                            mutation.mutation_with_sample_values?))
+
                 # Don't bother if the current element type can't carry nulls.
                 next if !mutation.valid_input_value_data?( "\0" )
 
@@ -101,7 +105,7 @@ content or errors in the HTTP response body.
             elements:    [ Element::Form, Element::Link, Element::Cookie,
                            Element::Header, Element::LinkTemplate ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
-            version:     '0.1.1',
+            version:     '0.1.2',
             platforms:   options[:regexp].keys,
 
             issue:       {

data/components/checks/active/path_traversal.rb

@@ -9,8 +9,7 @@
 # Path Traversal check.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-#
-# @version 0.4.1
+# @version 0.4.2
 #
 # @see http://cwe.mitre.org/data/definitions/22.html
 # @see http://www.owasp.org/index.php/Path_Traversal
@@ -40,6 +39,11 @@ class Arachni::Checks::PathTraversal < Arachni::Check::Base
             # Add one more mutation (on the fly) which will include the extension
             # of the original value (if that value was a filename) after a null byte.
             each_mutation: proc do |mutation|
+                next if !mutation.affected_input_value ||
+                    (mutation.is_a?( Arachni::Form ) &&
+                        (mutation.mutation_with_original_values? ||
+                            mutation.mutation_with_sample_values?))
+
                 # Don't bother if the current element type can't carry nulls.
                 next if !mutation.valid_input_value_data?( "\0" )
 
@@ -111,7 +115,7 @@ of relevant content in the HTML responses.
             elements:    [ Element::Form, Element::Link, Element::Cookie,
                            Element::Header, Element::LinkTemplate ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
-            version:     '0.4.1',
+            version:     '0.4.2',
             platforms:   payloads.keys,
 
             issue:       {

data/components/checks/passive/grep/cookie_set_for_parent_domain.rb

@@ -7,11 +7,13 @@
 =end
 
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.1
+# @version 0.1.1
 class Arachni::Checks::CookieSetForParentDomain < Arachni::Check::Base
 
     def run
-        page.cookies.each do |cookie|
+        return if !page.parser
+
+        page.parser.cookies.each do |cookie|
             next if !cookie.domain.start_with?( '.' ) || audited?( cookie.name )
 
             log( vector: cookie )
@@ -25,7 +27,7 @@ class Arachni::Checks::CookieSetForParentDomain < Arachni::Check::Base
             description: %q{Logs cookies that are accessible by all subdomains.},
             elements:    [ Element::Cookie ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.1',
+            version:     '0.1.1',
 
             issue:       {
                 name:        %q{Cookie set for parent domain},

data/components/plugins/cookie_collector.rb

@@ -44,7 +44,7 @@ class Arachni::Plugins::CookieCollector < Arachni::Plugin::Base
 
         @cookies << {
             'time'     => Time.now.to_s,
-            'response' => response_hash.stringify_keys,
+            'response' => response_hash.my_stringify_keys,
             'cookies'  => cookies
         }
     end

data/components/plugins/proxy.rb

@@ -16,7 +16,7 @@ require 'ostruct'
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
 #
-# @version 0.3
+# @version 0.3.1
 class Arachni::Plugins::Proxy < Arachni::Plugin::Base
 
     BASEDIR  = "#{File.dirname( __FILE__ )}/proxy/"
@@ -58,7 +58,8 @@ class Arachni::Plugins::Proxy < Arachni::Plugin::Base
     def run
         print_status "Listening on: http://#{@server[:BindAddress]}:#{@server[:Port]}"
 
-        print_status "Shutdown URL: #{url_for( :shutdown )}"
+        print_info "Control panel URL: #{url_for( :panel )}"
+        print_info "Shutdown URL:      #{url_for( :shutdown )}"
         print_info 'The scan will resume once you visit the shutdown URL.'
 
         print_info
@@ -463,7 +464,7 @@ a way to restrict usage enough to avoid users unwittingly interfering with each
 others' sessions.
 },
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.3',
+            version:     '0.3.1',
             options:     [
                 Options::Port.new( :port,
                     description: 'Port to bind to.',

data/components/plugins/vector_feed.rb

@@ -58,7 +58,7 @@ class Arachni::Plugins::VectorFeed < Arachni::Plugin::Base
         page_buffer = []
         print_status "Imported #{feed.size} vectors."
         feed.each do |obj|
-            vector = (obj.respond_to?( :value ) ? obj.value : obj).symbolize_keys( false )
+            vector = (obj.respond_to?( :value ) ? obj.value : obj).my_symbolize_keys( false )
 
             exception_jail false do
                 if page?( vector )

data/components/reporters/html/default/issue.erb

@@ -10,6 +10,11 @@
                             <% if issue.active? %>
                                 input
                                 <code><%= issue.affected_input_name %></code>
+                            <% elsif issue.vector.respond_to? :inputs %>
+                                with inputs
+                                <% issue.vector.inputs.keys.map do |iname| %>
+                                    <code><%= iname %></code>
+                                <% end.join( ', ') %>
                             <% end %>
 
                             <% if issue.variations.first.request %>

data/components/reporters/stdout.rb

@@ -109,6 +109,10 @@ class Arachni::Reporters::Stdout < Arachni::Reporter::Base
                 print_info "Input name: #{issue.affected_input_name}"
             end
 
+            if issue.vector.respond_to? :inputs
+                print_info "All inputs: #{issue.vector.inputs.keys.join(', ')}"
+            end
+
             print_line
             print_info "Tags: #{issue.tags.join(', ')}" if issue.tags.is_a?( Array )
             print_line

data/lib/arachni/browser.rb

@@ -308,6 +308,7 @@ class Browser
 
             @javascript.wait_till_ready
             wait_for_timers
+
             wait_for_pending_requests
         end
 
@@ -553,7 +554,7 @@ class Browser
         event   = event.to_s.downcase.sub( /^on/, '' ).to_sym
         locator = nil
 
-        options[:inputs] = options[:inputs].stringify if options[:inputs]
+        options[:inputs] = options[:inputs].my_stringify if options[:inputs]
 
         if element.is_a? ElementLocator
             locator = element
@@ -792,10 +793,22 @@ class Browser
     # @return   [Array<Cookie>]
     #   Browser cookies.
     def cookies
+        js_cookies = begin
+            # Watir doesn't tell us if cookies are HttpOnly, so we need to figure
+            # this out ourselves, by checking for JS visibility.
+            javascript.run( 'return document.cookie' )
+        # We may not have a page.
+        rescue Selenium::WebDriver::Error::UnknownError
+            ''
+        end
+
         watir.cookies.to_a.map do |c|
-            c[:path]  = '/' if c[:path] == '//'
-            c[:name]  = Cookie.decode( c[:name].to_s )
-            c[:value] = Cookie.decode( c[:value].to_s )
+            original_name = c[:name].to_s
+
+            c[:path]     = '/' if c[:path] == '//'
+            c[:name]     = Cookie.decode( c[:name].to_s )
+            c[:value]    = Cookie.decode( c[:value].to_s )
+            c[:httponly] = !js_cookies.include?( original_name )
 
             Cookie.new c.merge( url: @last_url )
         end
@@ -944,7 +957,8 @@ class Browser
                         self.class.executable,
                         "--webdriver=#{port}",
                         "--proxy=http://#{@proxy.address}/",
-                        '--ignore-ssl-errors=true'
+                        '--ignore-ssl-errors=true',
+                        "--debug=#{!!debug?}"
                     )
                     @process.detach = true
 
@@ -1065,7 +1079,12 @@ class Browser
             set_cookies[cookie.name] = cookie
         end
         cookies.each do |name, value|
-            set_cookies[name] = Cookie.new( url: url, inputs: { name => value } )
+            if set_cookies[name]
+                set_cookies[name] = set_cookies[name].dup
+                set_cookies[name].update( name => value )
+            else
+                set_cookies[name] = Cookie.new( url: url, inputs: { name => value } )
+            end
         end
 
         url = "#{url}/set-cookies-#{request_token}"

data/lib/arachni/browser/element_locator.rb

@@ -91,7 +91,7 @@ class ElementLocator
     # @return   [Hash]
     #   Data representing this instance that are suitable the RPC transmission.
     def to_rpc_data
-        to_h.stringify_keys
+        to_h.my_stringify_keys
     end
 
     # @param    [Hash]  data    {#to_rpc_data}

data/lib/arachni/browser/javascript/taint_tracer.rb

@@ -74,9 +74,9 @@ class TaintTracer < Proxy
         return [] if !data
 
         data.map do |entry|
-            Sink::DataFlow.new( (entry['data'] || {}).symbolize_keys( false ).merge(
+            Sink::DataFlow.new( (entry['data'] || {}).my_symbolize_keys( false ).merge(
                 trace: [entry['trace']].flatten.compact.
-                          map { |h| Frame.new h.symbolize_keys( false ) }
+                          map { |h| Frame.new h.my_symbolize_keys( false ) }
                 )
             )
         end
@@ -88,7 +88,7 @@ class TaintTracer < Proxy
         data.map do |entry|
             Sink::ExecutionFlow.new( entry.merge(
                 trace: [entry['trace']].flatten.compact.
-                           map { |h| Frame.new h.symbolize_keys( false ) }
+                           map { |h| Frame.new h.my_symbolize_keys( false ) }
                 )
             )
         end

data/lib/arachni/browser/javascript/taint_tracer/frame.rb

@@ -35,7 +35,7 @@ class Frame
             @function = CalledFunction.new( options.delete(:function) )
         end
 
-        options.symbolize_keys(false).each do |k, v|
+        options.my_symbolize_keys(false).each do |k, v|
             send( "#{k}=", v )
         end
     end

data/lib/arachni/browser/javascript/taint_tracer/frame/called_function.rb

@@ -28,7 +28,7 @@ class CalledFunction
     attr_accessor :arguments
 
     def initialize( options = {} )
-        options.symbolize_keys(false).each do |k, v|
+        options.my_symbolize_keys(false).each do |k, v|
             send( "#{k}=", v )
         end
     end

data/lib/arachni/browser/javascript/taint_tracer/sink/base.rb

@@ -20,7 +20,7 @@ class Base
     attr_accessor :trace
 
     def initialize( options = {} )
-        options.symbolize_keys(false).each do |k, v|
+        options.my_symbolize_keys(false).each do |k, v|
             send( "#{k}=", v )
         end
 

data/lib/arachni/check/auditor.rb

@@ -271,6 +271,8 @@ module Auditor
 
         if active
             msg << " input '#{vector.affected_input_name}'"
+        elsif vector.respond_to?( :inputs )
+            msg << " with inputs '#{vector.inputs.keys.join(', ')}'"
         end
 
         print_ok "#{msg} with action #{vector.action}"

data/lib/arachni/component/manager.rb

@@ -172,7 +172,7 @@ class Manager < Hash
         return {} if !info.include?( :options ) || info[:options].empty?
 
         user_opts ||= {}
-        user_opts   = user_opts.symbolize_keys(false)
+        user_opts   = user_opts.my_symbolize_keys(false)
 
         options     = {}
         errors      = {}
@@ -209,7 +209,7 @@ class Manager < Hash
                  format_error_string( component_name, errors )
         end
 
-        options.symbolize_keys( false )
+        options.my_symbolize_keys( false )
     end
 
     # It parses the component array making sure that its structure is valid

data/lib/arachni/component/options/base.rb

@@ -117,7 +117,7 @@ class Arachni::Component::Options::Base
     # @return   [Hash]
     #   Data representing this instance that are suitable the RPC transmission.
     def to_rpc_data
-        to_h.merge( class: self.class.to_s ).stringify_keys
+        to_h.merge( class: self.class.to_s ).my_stringify_keys
     end
 
     # @param    [Hash]  data    {#to_rpc_data}
@@ -127,7 +127,7 @@ class Arachni::Component::Options::Base
         data.delete('class')
         name = data.delete('name')
 
-        new name, data.symbolize_keys(false)
+        new name, data.my_symbolize_keys(false)
     end
 
     def ==( option )