arachni 1.0.1 → 1.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a4f1fba6f25f0dd437f9d31c82b3f036d4b87ec9
-  data.tar.gz: eaa9814da188578b10283e23101525828d42b17a
+  metadata.gz: f1ab8801aa396dbd2a6aa10c911a91777b046542
+  data.tar.gz: 2251a40388dec9fc771bc8aa51ddc7680bb4f825
 SHA512:
-  metadata.gz: a98cde207400471e0ba80cffc9fce6ce46348d43e76c509cbd06f5c7e6b4867f62f9e5382bedaa7b500d731a82428cde04d23db0ea72a4cfceb9087c8fe8062a
-  data.tar.gz: a66344c76f782b7042f003c0e7b525b5ea173d2f72257d77f9a4673be35280624d4c73a5f874c157b4b66fd5b3eb46a0196480d9b91379639da6cf26e288c045
+  metadata.gz: ccf69071cb3b2ddb1d880041979ac24d8d2f0d61662eadae5ad77544cbd226d47aa746e8505022d03b466290bece49410efc61957d0fc3fbd9359e5361d0b198
+  data.tar.gz: 8d3f66447ef08172a43b29605b1f611131a0565a06ba70c706ee199d191043ee78c93b1eb8bef80d95e7215950e54a1ad3d650e3d6d440cc9fb5ab2babbb21f1

data/CHANGELOG.md

@@ -1,5 +1,26 @@
 # ChangeLog
 
+## 1.0.2 _(September 13, 2014)_
+
+- `UI::Output` -- Updated null output interface with placeholder debugging methods.
+- `Browser`
+    - Updated to catch exception when trying to manipulate read-only inputs.
+- `BrowserCluster`
+    - Added debugging messages for job processing.
+    - `Worker`
+        - `#run_job` -- Clear the `@window_responses` cache after each job in
+            addition to after each browser re-spawn.
+- `Form`
+    - `#audit` -- `:each_mutation` callback now ignores `#mutation_with_original_values`
+        and `#mutation_with_sample_values`.
+- Checks
+    - Active
+        - `xss_dom_inputs` -- Ignore out-of-scope browser pages.
+        - `code_injection_php_input_wrapper` -- Cleaned up `:each_mutation` callback.
+        - `file_inclusion` -- Cleaned up `:each_mutation` callback.
+        - `path_traversal` -- Cleaned up `:each_mutation` callback.
+        - `source_code_disclosure` -- Cleaned up `:each_mutation` callback.
+
 ## 1.0.1 _(September 7, 2014)_
 
 - `RPC::Server::Dispatcher`

data/Gemfile

@@ -21,6 +21,8 @@ end
 
 group :prof do
     gem 'stackprof'
+    gem 'sys-proctable'
+    gem 'ruby-mass'
 end
 
 gemspec

data/README.md

@@ -11,7 +11,7 @@
 <table>
     <tr>
         <th>Version</th>
-        <td>1.0.1</td>
+        <td>1.0.2</td>
     </tr>
     <tr>
         <th>Homepage</th>

data/components/checks/active/code_injection_php_input_wrapper.rb

@@ -7,7 +7,7 @@
 =end
 
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.1.1
+# @version 0.1.2
 # @see OWASP    https://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution
 class Arachni::Checks::CodeInjectionPhpInputWrapper < Arachni::Check::Base
 
@@ -20,10 +20,7 @@ class Arachni::Checks::CodeInjectionPhpInputWrapper < Arachni::Check::Base
             # Add one more mutation (on the fly) which will include the extension
             # of the original value (if that value was a filename) after a null byte.
             each_mutation: proc do |mutation|
-                next if !mutation.affected_input_value ||
-                    (mutation.is_a?( Arachni::Form ) &&
-                        (mutation.mutation_with_original_values? ||
-                            mutation.mutation_with_sample_values?))
+                next if !mutation.affected_input_value
 
                 # Don't bother if the current element type can't carry nulls.
                 next if !mutation.valid_input_value_data?( "\0" )
@@ -56,7 +53,7 @@ to try and load it.
 },
             elements:    [ Element::Form, Element::Link, Element::Cookie, Element::Header ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
-            version:     '0.1.1',
+            version:     '0.1.2',
             platforms:   [:php],
 
             issue:       {

data/components/checks/active/file_inclusion.rb

@@ -9,7 +9,7 @@
 # File inclusion check.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.1.2
+# @version 0.1.3
 #
 # @see http://cwe.mitre.org/data/definitions/98.html
 # @see https://www.owasp.org/index.php/PHP_File_Inclusion
@@ -50,10 +50,7 @@ class Arachni::Checks::FileInclusion < Arachni::Check::Base
             # Add one more mutation (on the fly) which will include the extension
             # of the original value (if that value was a filename) after a null byte.
             each_mutation: proc do |mutation|
-                next if !mutation.affected_input_value ||
-                    (mutation.is_a?( Arachni::Form ) &&
-                        (mutation.mutation_with_original_values? ||
-                            mutation.mutation_with_sample_values?))
+                next if !mutation.affected_input_value
 
                 # Don't bother if the current element type can't carry nulls.
                 next if !mutation.valid_input_value_data?( "\0" )
@@ -105,7 +102,7 @@ content or errors in the HTTP response body.
             elements:    [ Element::Form, Element::Link, Element::Cookie,
                            Element::Header, Element::LinkTemplate ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
-            version:     '0.1.2',
+            version:     '0.1.3',
             platforms:   options[:regexp].keys,
 
             issue:       {

data/components/checks/active/path_traversal.rb

@@ -9,7 +9,7 @@
 # Path Traversal check.
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.4.2
+# @version 0.4.3
 #
 # @see http://cwe.mitre.org/data/definitions/22.html
 # @see http://www.owasp.org/index.php/Path_Traversal
@@ -39,10 +39,7 @@ class Arachni::Checks::PathTraversal < Arachni::Check::Base
             # Add one more mutation (on the fly) which will include the extension
             # of the original value (if that value was a filename) after a null byte.
             each_mutation: proc do |mutation|
-                next if !mutation.affected_input_value ||
-                    (mutation.is_a?( Arachni::Form ) &&
-                        (mutation.mutation_with_original_values? ||
-                            mutation.mutation_with_sample_values?))
+                next if !mutation.affected_input_value
 
                 # Don't bother if the current element type can't carry nulls.
                 next if !mutation.valid_input_value_data?( "\0" )
@@ -115,7 +112,7 @@ of relevant content in the HTML responses.
             elements:    [ Element::Form, Element::Link, Element::Cookie,
                            Element::Header, Element::LinkTemplate ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
-            version:     '0.4.2',
+            version:     '0.4.3',
             platforms:   payloads.keys,
 
             issue:       {

data/components/checks/active/source_code_disclosure.rb

@@ -12,7 +12,7 @@
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
 #
-# @version 0.2
+# @version 0.2.1
 #
 # @see http://cwe.mitre.org/data/definitions/540.html
 class Arachni::Checks::SourceCodeDisclosure < Arachni::Check::Base
@@ -39,10 +39,7 @@ class Arachni::Checks::SourceCodeDisclosure < Arachni::Check::Base
             # Add one more mutation (on the fly) which will include the extension
             # of the original value (if that value was a filename) after a null byte.
             each_mutation: proc do |mutation|
-                next if !mutation.affected_input_value ||
-                    (mutation.is_a?( Arachni::Form ) &&
-                        (mutation.mutation_with_original_values? ||
-                            mutation.mutation_with_sample_values?))
+                next if !mutation.affected_input_value
 
                 # Don't bother if the current element type can't carry nulls.
                 next if !mutation.valid_input_value_data?( "\0" )
@@ -122,7 +119,7 @@ source code.
             elements:    [ Element::Form, Element::Link, Element::Cookie,
                            Element::Header, Element::LinkTemplate ],
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.2',
+            version:     '0.2.1',
             platforms:   options[:regexp].keys,
 
             issue:       {

data/components/checks/active/xss_dom_inputs.rb

@@ -7,7 +7,7 @@
 =end
 
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
-# @version 0.1
+# @version 0.1.1
 class Arachni::Checks::XssDomInputs < Arachni::Check::Base
 
     INPUTS = Set.new([:input, :textarea])
@@ -41,7 +41,9 @@ class Arachni::Checks::XssDomInputs < Arachni::Check::Base
                         transition = b.fire_event( locator, event, value: self.tag )
                         next if !transition
 
-                        p = b.to_page
+                        # Page may be out of scope, some sort of JS redirection.
+                        next if !(p = b.to_page)
+
                         p.dom.transitions << transition
 
                         check_and_log p
@@ -77,7 +79,7 @@ Injects an HTML element into page text fields, triggers their associated events
 and inspects the DOM for proof of vulnerability.
 },
             author:      'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
-            version:     '0.1',
+            version:     '0.1.1',
             elements:    [Element::GenericDOM],
 
             issue:       {

data/lib/arachni/browser.rb

@@ -883,6 +883,7 @@ class Browser
                 input.set( value.to_s )
                 # Disabled inputs and such...
             rescue Watir::Exception::ObjectDisabledException,
+                Watir::Exception::ObjectReadOnlyException,
                 Selenium::WebDriver::Error::InvalidElementStateError => e
                 print_debug_level_2 "Could not fill in form input '#{name_or_id}'" <<
                                         " because: #{e} [#{e.class}"

data/lib/arachni/browser_cluster.rb

@@ -150,6 +150,8 @@ class BrowserCluster
         @done_signal.clear
 
         synchronize do
+            print_debug "Queueing: #{job}"
+
             @pending_job_counter  += 1
             @pending_jobs[job.id] += 1
             @job_callbacks[job.id] = block if block
@@ -200,6 +202,8 @@ class BrowserCluster
     #   {Worker} states.
     def job_done( job )
         synchronize do
+            print_debug "Job done: #{job}"
+
             if !job.never_ending?
                 @skip_states_per_job.delete job.id
                 @job_callbacks.delete job.id
@@ -241,6 +245,8 @@ class BrowserCluster
         return if job_done? result.job
 
         synchronize do
+            print_debug "Got job result: #{result}"
+
             exception_jail( false ) do
                 @job_callbacks[result.job.id].call result
             end

data/lib/arachni/browser_cluster/jobs/browser_provider.rb

@@ -20,6 +20,10 @@ class BrowserProvider < Job
         browser.master.callback_for( self ).call browser
     end
 
+    def to_s
+        "#<#{self.class}:#{object_id} callback=#{browser.master.callback_for( self ) if browser && browser.master}>"
+    end
+
 end
 
 end

data/lib/arachni/browser_cluster/jobs/resource_exploration.rb

@@ -53,6 +53,10 @@ class ResourceExploration < Job
         super.tap { |j| j.resource = nil }
     end
 
+    def to_s
+        "#<#{self.class}:#{object_id} @resource=#{@resource}>"
+    end
+
 end
 
 end

data/lib/arachni/browser_cluster/jobs/resource_exploration/event_trigger.rb

@@ -35,6 +35,11 @@ class EventTrigger < ResourceExploration
         browser.trigger_event( resource, element, event )
     end
 
+    def to_s
+        "#<#{self.class}:#{object_id} @resource=#{@resource} " +
+            "@event=#{@event.inspect} @element=#{@element.inspect}>"
+    end
+
 end
 
 end

data/lib/arachni/browser_cluster/jobs/resource_exploration/result.rb

@@ -13,8 +13,14 @@ class ResourceExploration
 
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
 class Result < Job::Result
+
     # @return [Page]
     attr_accessor :page
+
+    def to_s
+        "#<#{self.class}:#{object_id} @job=#{@job} @page=#{@page}>"
+    end
+
 end
 
 end

data/lib/arachni/browser_cluster/jobs/taint_trace.rb

@@ -41,6 +41,11 @@ class TaintTrace < ResourceExploration
         super
     end
 
+    def to_s
+        "#<#{self.class}:#{object_id} @resource=#{@resource} " +
+            "@taint=#{@taint.inspect} @injector=#{@injector.inspect}>"
+    end
+
 end
 
 end

data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb

@@ -25,6 +25,12 @@ class EventTrigger < ResourceExploration::EventTrigger
         super
     end
 
+    def to_s
+        "#<#{self.class}:#{object_id} @resource=#{@resource} " +
+            "@event=#{@event.inspect} @element=#{@element.inspect} " +
+            "@forwarder=#{@forwarder}>"
+    end
+
 end
 
 end

data/lib/arachni/browser_cluster/worker.rb

@@ -78,6 +78,7 @@ class Worker < Arachni::Browser
     # @see Arachni::Browser#trigger_events
     def run_job( job )
         @job = job
+        print_debug "Started: #{@job}"
 
         # PhantomJS may have crashed (it happens sometimes) so make sure that
         # we've got a live one before running the job.
@@ -94,7 +95,7 @@ class Worker < Arachni::Browser
                 end
             end
         rescue TimeoutError => e
-            print_debug "Job timed-out after #{@job_timeout} seconds: #{job}"
+            print_debug "Job timed-out after #{@job_timeout} seconds: #{@job}"
 
             # Could have left us with a broken browser.
             browser_respawn
@@ -110,6 +111,8 @@ class Worker < Arachni::Browser
         decrease_time_to_live
         browser_respawn_if_necessary
 
+        print_debug "Finished: #{@job}"
+
         true
     rescue Selenium::WebDriver::Error::WebDriverError
         browser_respawn
@@ -122,6 +125,7 @@ class Worker < Arachni::Browser
         @captured_pages.clear
         @page_snapshots.clear
         @page_snapshots_with_sinks.clear
+        @window_responses.clear
 
         # The jobs may have configured callbacks to capture pages etc.,
         # remove them.

data/lib/arachni/element/capabilities/auditable/dom.rb

@@ -18,7 +18,7 @@ module Auditable
 module DOM
     include WithNode
     include Auditable
-    extend Forwardable
+    extend ::Forwardable
 
     INVALID_INPUT_DATA = [ "\0" ]
 

data/lib/arachni/element/capabilities/with_auditor/output.rb

@@ -12,7 +12,7 @@ module WithAuditor
 
 # Delegate output related methods to the {WithAuditor#auditor}.
 module Output
-    extend Forwardable
+    extend ::Forwardable
 
     [ :debug?, :print_error, :print_status, :print_verbose, :print_info,
       :print_line, :print_ok, :print_bad, :print_debug, :print_debug_backtrace,

data/lib/arachni/element/form.rb

@@ -490,6 +490,21 @@ class Form < Base
 
     private
 
+    def audit_single( payload, opts = {}, &block )
+        opts = opts.dup
+
+        if (each_m = opts.delete(:each_mutation))
+            opts[:each_mutation] = proc do |mutation|
+                next if mutation.mutation_with_original_values? ||
+                    mutation.mutation_with_sample_values?
+
+                each_m.call( mutation )
+            end
+        end
+
+        super( payload, opts, &block )
+    end
+
     def skip?( elem )
         if elem.mutation_with_original_values? || elem.mutation_with_sample_values?
             id = elem.audit_id

data/lib/arachni/page.rb

@@ -425,6 +425,10 @@ class Page
     end
     alias :to_hash :to_h
 
+    def to_s
+        "#<#{self.class}:#{object_id} @url=#{@url.inspect} @dom=#{@dom}>"
+    end
+
     def persistent_hash
         digest.persistent_hash
     end

data/lib/arachni/page/dom.rb

@@ -69,9 +69,16 @@ class DOM
         @url = url.freeze
     end
 
-    def digest=( digest )
-        return @digest = nil if !digest
-        @digest = digest.freeze
+    def digest=( d )
+        return @digest = nil if !d
+
+        if d.include?( url ) || d.include?( page.url )
+            d = d.dup
+            d.gsub!( url, '' )
+            d.gsub!( page.url, '' )
+        end
+
+        @digest = d.freeze
     end
 
     # @param    [Transition]    transition
@@ -198,6 +205,10 @@ class DOM
         to_h
     end
 
+    def to_s
+        "#<#{self.class}:#{object_id} @url=#{@url.inspect}>"
+    end
+
     # @return   [Hash]
     #   Data representing this instance that are suitable the RPC transmission.
     def to_rpc_data
@@ -270,8 +281,14 @@ class DOM
     protected
 
     def digest_without_urls( other )
-        digest.gsub( url, '' ).gsub( other.url, '' ).
-            gsub( page.url, '' ).gsub( other.page.url, '' )
+        if !digest.include?( other.url ) && !digest.include?( other.page.url )
+            return digest
+        end
+
+        d = digest.dup
+        d.gsub!( other.url, '' )
+        d.gsub!( other.page.url, '' )
+        d
     end
 
 end

data/lib/arachni/report.rb

@@ -131,7 +131,7 @@ class Report
     end
 
     # @param    [String]    location
-    #   Location for the dumped report file.
+    #   Location for the {#to_afr dumped} report file.
     #
     # @return   [String]
     #   Absolute location of the report.
@@ -144,15 +144,21 @@ class Report
             location += "/#{default_filename}"
         end
 
-        IO.binwrite( location, RPC::Serializer.dump( self ) )
+        IO.binwrite( location, to_afr )
 
-        # Append metadata to the end of the file.
+        File.expand_path( location )
+    end
+
+    # @return   [String]
+    #   Report serialized in the Arachni Framework Report format..
+    def to_afr
+        afr = RPC::Serializer.dump( self )
+
+        # Append metadata to the end of the dump.
         metadata = RPC::Serializer.dump( summary )
-        File.open( location, 'a' ) do |f|
-            f.write [metadata, metadata.size].pack( 'a*N' )
-        end
+        afr << [metadata, metadata.size].pack( 'a*N' )
 
-        File.expand_path( location )
+        afr
     end
 
     # @return   [Hash]

data/lib/arachni/state/audit.rb

@@ -19,7 +19,7 @@ class State
 #
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
 class Audit
-    extend Forwardable
+    extend ::Forwardable
 
     def initialize
         @collection = Support::LookUp::HashSet.new( hasher: :persistent_hash )

data/lib/arachni/support/profiler.rb

@@ -6,6 +6,7 @@
     web site for more information on licensing and terms of use.
 =end
 
+require 'sys/proctable'
 require 'ruby-mass'
 require 'stackprof'
 
@@ -15,6 +16,22 @@ module Support
 # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
 class Profiler
 
+    def self.write_samples_to_disk( file, options = {} )
+        profiler = Support::Profiler.new
+
+        Thread.new do
+            begin
+                loop do
+                    profiler.write_object_space( file, options )
+                    sleep options[:interval] || 1
+                end
+            rescue => e
+                ap e
+                ap e.backtrace
+            end
+        end
+    end
+
     def trace_allocations
         require 'objspace'
         ObjectSpace.trace_object_allocations_start
@@ -60,26 +77,19 @@ class Profiler
         ap find_references( o )
     end
 
-    def print_object_space( options = {} )
-        klass                = options[:class]
-        namespaces           = options[:namespaces] || [Arachni]
-        with_allocation_info = options[:with_allocation_info]
-        with_references      = options[:with_references]
-        with_dependencies    = options[:with_dependencies]
-        max_entries          = options[:max_entries] || 50
+    def object_space( options = {} )
+        klass       = options[:class]
+        namespaces  = options[:namespaces] || [Arachni]
+        max_entries = options[:max_entries] || 50
 
         object_space    = Hash.new(0)
         @object_space ||= Hash.new(0)
 
         ObjectSpace.each_object do |o|
-            next if o.class != klass || !object_within_namespace?( o, namespaces )
-
-            print_object_allocations( o ) if with_allocation_info
-            print_references( o )         if with_references
-            print_dependencies( o )       if with_dependencies
-
+            next if o.class != klass && !object_within_namespace?( o, namespaces )
             object_space[o.class] += 1
         end
+
         object_space = Hash[object_space.sort_by { |_, v| v }.reverse[0..max_entries]]
 
         with_deltas = object_space.dup
@@ -91,9 +101,30 @@ class Profiler
             end
         end
 
-        ap with_deltas
-
         @object_space = object_space.dup
+        with_deltas
+    end
+
+    def write_object_space( file, options = {} )
+        consumption = resource_consumption
+
+        str = "RAM: #{consumption[:memory_usage].round(3)}MB"
+        str << " (#{consumption[:memory_utilization]}%)"
+        str << " - CPU: #{consumption[:cpu_utilization]}%\n\n"
+
+        os      = object_space( options )
+        maxsize = os.keys.map(&:to_s).map(&:size).sort.reverse.first
+
+        os.each do |klass, info|
+            offset = maxsize - klass.to_s.size
+            str << "#{klass}: #{' ' * offset}#{info}\n"
+        end
+
+        IO.write( file, str )
+    end
+
+    def print_object_space( options = {} )
+        ap object_space( options )
     end
 
     def count_objects( klass )
@@ -101,8 +132,6 @@ class Profiler
     end
 
     def resource_consumption
-        require 'sys/proctable'
-
         procinfo = ::Sys::ProcTable.ps( Process.pid )
         {
             cpu_utilization:    procinfo[:pctcpu],

data/lib/arachni/ui/foo/output.rb

@@ -92,6 +92,11 @@ module Output
     def debug?(*)
     end
 
+    1.upto( 3 ) do |i|
+        define_method( "debug_level_#{i}?" ) {}
+        define_method( "debug_level_#{i}" ) {}
+    end
+
     def only_positives
     end
 

data/lib/version

@@ -1 +1 @@
-1.0.1
+1.0.2

data/spec/arachni/element/form_spec.rb

@@ -101,6 +101,36 @@ describe Arachni::Element::Form do
         end
     end
 
+    describe '#audit' do
+        describe :each_mutation do
+            it 'ignores #mutation_with_original_values' do
+                had_mutation_with_original_values = false
+                each_mutation = proc do |mutation|
+                    had_mutation_with_original_values ||=
+                        mutation.mutation_with_original_values?
+                end
+
+                subject.audit( 'stuff', each_mutation: each_mutation ) {}
+                subject.http.run
+
+                had_mutation_with_original_values.should be_false
+            end
+
+            it 'ignores mutation_with_sample_values' do
+                had_mutation_with_sample_values = false
+                each_mutation = proc do |mutation|
+                    had_mutation_with_sample_values ||=
+                        mutation.mutation_with_sample_values?
+                end
+
+                subject.audit( 'stuff', each_mutation: each_mutation ) {}
+                subject.http.run
+
+                had_mutation_with_sample_values.should be_false
+            end
+        end
+    end
+
     describe '#name_or_id' do
         context 'when a #name is available' do
             it 'returns it' do

data/spec/arachni/report_spec.rb

@@ -221,6 +221,14 @@ describe Arachni::Report do
         end
     end
 
+    describe '#to_afr' do
+        it 'returns the object in AFR format' do
+            @report_file = report.save
+
+            IO.binread( @report_file ).should == report.to_afr
+        end
+    end
+
     describe '#to_h' do
         it 'returns the object as a hash' do
             report.to_h.should == {

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: arachni
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.0.2
 platform: ruby
 authors:
 - Tasos Laskos
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-09-07 00:00:00.000000000 Z
+date: 2014-09-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler