RubyGems - arachni - Versions diffs - 1.0.6 → 1.1 - Mend

arachni 1.0.6 → 1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (634) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +193 -0
data/Gemfile +0 -1
data/LICENSE.md +1 -1
data/README.md +23 -18
data/Rakefile +5 -3
data/arachni.gemspec +11 -8
data/bin/arachni +1 -1
data/bin/arachni_console +1 -1
data/bin/arachni_multi +1 -1
data/bin/arachni_reporter +1 -1
data/bin/arachni_restore +1 -1
data/bin/arachni_rpc +1 -1
data/bin/arachni_rpcd +1 -1
data/bin/arachni_rpcd_monitor +1 -1
data/bin/arachni_script +1 -1
data/components/checks/active/code_injection.rb +5 -7
data/components/checks/active/code_injection_php_input_wrapper.rb +1 -1
data/components/checks/active/code_injection_timing.rb +2 -3
data/components/checks/active/csrf.rb +9 -5
data/components/checks/active/file_inclusion.rb +4 -5
data/components/checks/active/ldap_injection.rb +6 -8
data/components/checks/active/no_sql_injection.rb +4 -6
data/components/checks/active/no_sql_injection_differential.rb +1 -1
data/components/checks/active/os_cmd_injection.rb +7 -9
data/components/checks/active/os_cmd_injection_timing.rb +6 -8
data/components/checks/active/path_traversal.rb +6 -7
data/components/checks/active/response_splitting.rb +7 -15
data/components/checks/active/rfi.rb +4 -8
data/components/checks/active/session_fixation.rb +1 -1
data/components/checks/active/source_code_disclosure.rb +9 -7
data/components/checks/active/sql_injection.rb +6 -9
data/components/checks/active/sql_injection_differential.rb +3 -3
data/components/checks/active/sql_injection_timing.rb +6 -8
data/components/checks/active/trainer.rb +4 -4
data/components/checks/active/unvalidated_redirect.rb +7 -6
data/components/checks/active/unvalidated_redirect_dom.rb +97 -0
data/components/checks/active/xpath_injection.rb +7 -8
data/components/checks/active/xss.rb +11 -10
data/components/checks/active/xss_dom.rb +3 -4
data/components/checks/active/xss_dom_inputs.rb +1 -1
data/components/checks/active/xss_dom_script_context.rb +6 -7
data/components/checks/active/xss_event.rb +4 -4
data/components/checks/active/xss_path.rb +1 -1
data/components/checks/active/xss_script_context.rb +11 -4
data/components/checks/active/xss_tag.rb +6 -6
data/components/checks/active/xxe.rb +110 -0
data/components/checks/passive/allowed_methods.rb +1 -1
data/components/checks/passive/backdoors.rb +1 -1
data/components/checks/passive/backup_directories.rb +1 -1
data/components/checks/passive/backup_files.rb +1 -1
data/components/checks/passive/common_directories.rb +1 -1
data/components/checks/passive/common_directories/directories.txt +2 -0
data/components/checks/passive/common_files.rb +1 -1
data/components/checks/passive/directory_listing.rb +1 -1
data/components/checks/passive/grep/captcha.rb +2 -2
data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +1 -1
data/components/checks/passive/grep/credit_card.rb +1 -1
data/components/checks/passive/grep/cvs_svn_users.rb +1 -1
data/components/checks/passive/grep/emails.rb +1 -1
data/components/checks/passive/grep/form_upload.rb +2 -2
data/components/checks/passive/grep/hsts.rb +2 -2
data/components/checks/passive/grep/html_objects.rb +4 -4
data/components/checks/passive/grep/http_only_cookies.rb +1 -1
data/components/checks/passive/grep/insecure_cookies.rb +1 -1
data/components/checks/passive/grep/insecure_cors_policy.rb +66 -0
data/components/checks/passive/grep/mixed_resource.rb +1 -1
data/components/checks/passive/grep/password_autocomplete.rb +2 -2
data/components/checks/passive/grep/private_ip.rb +1 -1
data/components/checks/passive/grep/ssn.rb +1 -1
data/components/checks/passive/grep/unencrypted_password_forms.rb +2 -2
data/components/checks/passive/grep/x_frame_options.rb +61 -0
data/components/checks/passive/htaccess_limit.rb +1 -1
data/components/checks/passive/http_put.rb +10 -3
data/components/checks/passive/insecure_client_access_policy.rb +91 -0
data/components/checks/passive/insecure_cross_domain_policy_access.rb +91 -0
data/components/checks/passive/insecure_cross_domain_policy_headers.rb +91 -0
data/components/checks/passive/interesting_responses.rb +1 -1
data/components/checks/passive/localstart_asp.rb +1 -1
data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +1 -1
data/components/checks/passive/webdav.rb +1 -1
data/components/checks/passive/xst.rb +1 -1
data/components/fingerprinters/frameworks/rack.rb +1 -1
data/components/fingerprinters/languages/asp.rb +1 -1
data/components/fingerprinters/languages/aspx.rb +1 -1
data/components/fingerprinters/languages/jsp.rb +1 -1
data/components/fingerprinters/languages/php.rb +1 -1
data/components/fingerprinters/languages/python.rb +1 -1
data/components/fingerprinters/languages/ruby.rb +1 -1
data/components/fingerprinters/os/bsd.rb +1 -1
data/components/fingerprinters/os/linux.rb +1 -1
data/components/fingerprinters/os/solaris.rb +1 -1
data/components/fingerprinters/os/unix.rb +1 -1
data/components/fingerprinters/os/windows.rb +1 -1
data/components/fingerprinters/servers/apache.rb +1 -1
data/components/fingerprinters/servers/iis.rb +1 -1
data/components/fingerprinters/servers/jetty.rb +1 -1
data/components/fingerprinters/servers/nginx.rb +1 -1
data/components/fingerprinters/servers/tomcat.rb +1 -1
data/components/path_extractors/anchors.rb +1 -1
data/components/path_extractors/areas.rb +1 -1
data/components/path_extractors/comments.rb +5 -5
data/components/path_extractors/forms.rb +1 -1
data/components/path_extractors/frames.rb +1 -1
data/components/path_extractors/generic.rb +1 -1
data/components/path_extractors/links.rb +1 -1
data/components/path_extractors/meta_refresh.rb +1 -1
data/components/path_extractors/scripts.rb +1 -1
data/components/plugins/autologin.rb +6 -6
data/components/plugins/beep_notify.rb +1 -1
data/components/plugins/content_types.rb +1 -1
data/components/plugins/cookie_collector.rb +1 -1
data/components/plugins/defaults/autothrottle.rb +1 -1
data/components/plugins/defaults/healthmap.rb +1 -1
data/components/plugins/defaults/meta/remedies/discovery.rb +2 -4
data/components/plugins/defaults/meta/remedies/timing_attacks.rb +1 -1
data/components/plugins/defaults/meta/uniformity.rb +1 -1
data/components/plugins/email_notify.rb +24 -12
data/components/plugins/exec.rb +153 -0
data/components/plugins/form_dicattack.rb +4 -4
data/components/plugins/headers_collector.rb +102 -0
data/components/plugins/http_dicattack.rb +4 -4
data/components/plugins/login_script.rb +4 -5
data/components/plugins/proxy.rb +19 -7
data/components/plugins/proxy/template_scope.rb +1 -1
data/components/plugins/script.rb +1 -1
data/components/plugins/uncommon_headers.rb +9 -2
data/components/plugins/vector_collector.rb +73 -0
data/components/plugins/vector_feed.rb +3 -5
data/components/plugins/waf_detector.rb +3 -3
data/components/reporters/ap.rb +1 -1
data/components/reporters/html.rb +138 -14
data/components/reporters/html/default.erb +1 -1
data/components/reporters/html/default/configuration.erb +2 -2
data/components/reporters/html/default/issue/page.erb +1 -1
data/components/reporters/html/default/issue/vector.erb +2 -2
data/components/reporters/html/default/js/charts.js.erb +7 -4
data/components/reporters/html/default/js/helpers.js +2 -0
data/components/reporters/html/default/summary.erb +7 -0
data/components/reporters/html/default/summary/charts.erb +3 -3
data/components/reporters/html/default/summary/issues.erb +1 -91
data/components/reporters/html/default/summary/issues/by_name.erb +90 -0
data/components/reporters/html/default/summary/owasp_top_10.erb +43 -0
data/components/reporters/json.rb +1 -1
data/components/reporters/marshal.rb +1 -1
data/components/reporters/plugin_formatters/html/autologin.rb +1 -1
data/components/reporters/plugin_formatters/html/content_types.rb +1 -1
data/components/reporters/plugin_formatters/html/cookie_collector.rb +1 -1
data/components/reporters/plugin_formatters/html/exec.rb +63 -0
data/components/reporters/plugin_formatters/html/form_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/html/healthmap.rb +1 -1
data/components/reporters/plugin_formatters/html/http_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/html/login_script.rb +1 -1
data/components/reporters/plugin_formatters/html/uncommon_headers.rb +1 -1
data/components/reporters/plugin_formatters/html/uniformity.rb +1 -1
data/components/reporters/plugin_formatters/html/vector_collector.rb +59 -0
data/components/reporters/plugin_formatters/html/waf_detector.rb +1 -1
data/components/reporters/plugin_formatters/stdout/autologin.rb +1 -1
data/components/reporters/plugin_formatters/stdout/content_types.rb +1 -1
data/components/reporters/plugin_formatters/stdout/cookie_collector.rb +1 -1
data/components/reporters/plugin_formatters/stdout/exec.rb +26 -0
data/components/reporters/plugin_formatters/stdout/form_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/stdout/healthmap.rb +1 -1
data/components/reporters/plugin_formatters/stdout/http_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/stdout/login_script.rb +1 -1
data/components/reporters/plugin_formatters/stdout/uncommon_headers.rb +1 -1
data/components/reporters/plugin_formatters/stdout/uniformity.rb +1 -1
data/components/reporters/plugin_formatters/stdout/vector_collector.rb +40 -0
data/components/reporters/plugin_formatters/stdout/waf_detector.rb +1 -1
data/components/reporters/plugin_formatters/xml/autologin.rb +1 -1
data/components/reporters/plugin_formatters/xml/content_types.rb +1 -1
data/components/reporters/plugin_formatters/xml/cookie_collector.rb +1 -1
data/components/reporters/plugin_formatters/xml/exec.rb +26 -0
data/components/reporters/plugin_formatters/xml/form_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/xml/healthmap.rb +1 -1
data/components/reporters/plugin_formatters/xml/http_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/xml/login_script.rb +1 -1
data/components/reporters/plugin_formatters/xml/uncommon_headers.rb +1 -1
data/components/reporters/plugin_formatters/xml/uniformity.rb +1 -1
data/components/reporters/plugin_formatters/xml/vector_collector.rb +44 -0
data/components/reporters/plugin_formatters/xml/waf_detector.rb +1 -1
data/components/reporters/stdout.rb +1 -1
data/components/reporters/txt.rb +1 -1
data/components/reporters/xml.rb +18 -9
data/components/reporters/xml/schema.xsd +73 -8
data/components/reporters/yaml.rb +1 -1
data/config/write_paths.yml +15 -0
data/lib/arachni.rb +1 -1
data/lib/arachni/banner.rb +1 -1
data/lib/arachni/browser.rb +221 -77
data/lib/arachni/browser/element_locator.rb +7 -2
data/lib/arachni/browser/javascript.rb +40 -24
data/lib/arachni/browser/javascript/dom_monitor.rb +1 -1
data/lib/arachni/browser/javascript/proxy.rb +1 -1
data/lib/arachni/browser/javascript/proxy/stub.rb +1 -1
data/lib/arachni/browser/javascript/scripts/dom_monitor.js +8 -3
data/lib/arachni/browser/javascript/scripts/taint_tracer.js +57 -39
data/lib/arachni/browser/javascript/taint_tracer.rb +12 -8
data/lib/arachni/browser/javascript/taint_tracer/frame.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/frame/called_function.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/sink/base.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/sink/data_flow.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/sink/execution_flow.rb +1 -1
data/lib/arachni/browser_cluster.rb +5 -3
data/lib/arachni/browser_cluster/job.rb +1 -1
data/lib/arachni/browser_cluster/job/result.rb +1 -1
data/lib/arachni/browser_cluster/jobs/browser_provider.rb +2 -1
data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +2 -1
data/lib/arachni/browser_cluster/jobs/resource_exploration/event_trigger.rb +1 -1
data/lib/arachni/browser_cluster/jobs/resource_exploration/event_trigger/result.rb +1 -1
data/lib/arachni/browser_cluster/jobs/resource_exploration/result.rb +1 -1
data/lib/arachni/browser_cluster/jobs/taint_trace.rb +2 -1
data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +1 -1
data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger/result.rb +1 -1
data/lib/arachni/browser_cluster/jobs/taint_trace/result.rb +1 -1
data/lib/arachni/browser_cluster/worker.rb +16 -16
data/lib/arachni/check.rb +1 -1
data/lib/arachni/check/auditor.rb +40 -17
data/lib/arachni/check/base.rb +1 -1
data/lib/arachni/check/manager.rb +1 -1
data/lib/arachni/component.rb +1 -1
data/lib/arachni/component/base.rb +1 -1
data/lib/arachni/component/manager.rb +1 -1
data/lib/arachni/component/options.rb +1 -1
data/lib/arachni/component/options/address.rb +1 -1
data/lib/arachni/component/options/base.rb +1 -1
data/lib/arachni/component/options/bool.rb +1 -1
data/lib/arachni/component/options/float.rb +1 -1
data/lib/arachni/component/options/int.rb +1 -1
data/lib/arachni/component/options/multiple_choice.rb +1 -1
data/lib/arachni/component/options/object.rb +1 -1
data/lib/arachni/component/options/path.rb +1 -1
data/lib/arachni/component/options/port.rb +1 -1
data/lib/arachni/component/options/string.rb +1 -1
data/lib/arachni/component/options/url.rb +1 -1
data/lib/arachni/component/output.rb +1 -1
data/lib/arachni/component/utilities.rb +1 -1
data/lib/arachni/data.rb +1 -1
data/lib/arachni/data/framework.rb +1 -1
data/lib/arachni/data/framework/rpc.rb +1 -1
data/lib/arachni/data/issues.rb +1 -1
data/lib/arachni/data/plugins.rb +1 -1
data/lib/arachni/data/session.rb +1 -1
data/lib/arachni/element/base.rb +10 -4
data/lib/arachni/element/body.rb +1 -6
data/lib/arachni/element/capabilities/analyzable.rb +1 -1
data/lib/arachni/element/capabilities/analyzable/differential.rb +41 -6
data/lib/arachni/element/capabilities/analyzable/taint.rb +10 -2
data/lib/arachni/element/capabilities/analyzable/timeout.rb +61 -8
data/lib/arachni/element/capabilities/auditable.rb +9 -2
data/lib/arachni/element/capabilities/auditable/dom.rb +6 -7
data/lib/arachni/element/capabilities/inputtable.rb +5 -3
data/lib/arachni/element/capabilities/mutable.rb +182 -67
data/lib/arachni/element/capabilities/refreshable.rb +1 -1
data/lib/arachni/element/capabilities/submittable.rb +3 -3
data/lib/arachni/element/capabilities/with_auditor.rb +1 -1
data/lib/arachni/element/capabilities/with_auditor/output.rb +1 -1
data/lib/arachni/element/capabilities/with_dom.rb +17 -5
data/lib/arachni/element/capabilities/with_node.rb +6 -31
data/lib/arachni/element/capabilities/with_scope.rb +1 -1
data/lib/arachni/element/capabilities/with_scope/scope.rb +8 -2
data/lib/arachni/element/capabilities/with_source.rb +55 -0
data/lib/arachni/element/cookie.rb +39 -112
data/lib/arachni/element/cookie/capabilities/inputtable.rb +53 -0
data/lib/arachni/element/cookie/capabilities/mutable.rb +95 -0
data/lib/arachni/element/cookie/capabilities/with_dom.rb +31 -0
data/lib/arachni/element/cookie/dom.rb +2 -2
data/lib/arachni/element/form.rb +65 -153
data/lib/arachni/element/form/capabilities/auditable.rb +45 -0
data/lib/arachni/element/form/capabilities/mutable.rb +126 -0
data/lib/arachni/element/form/capabilities/submittable.rb +36 -0
data/lib/arachni/element/form/capabilities/with_dom.rb +32 -0
data/lib/arachni/element/form/dom.rb +13 -4
data/lib/arachni/element/generic_dom.rb +5 -3
data/lib/arachni/element/header.rb +16 -11
data/lib/arachni/element/json.rb +145 -0
data/lib/arachni/element/json/capabilities/inputtable.rb +139 -0
data/lib/arachni/element/json/capabilities/mutable.rb +121 -0
data/lib/arachni/element/link.rb +14 -40
data/lib/arachni/element/link/capabilities/auditable.rb +27 -0
data/lib/arachni/element/link/capabilities/submittable.rb +37 -0
data/lib/arachni/element/link/capabilities/with_dom.rb +43 -0
data/lib/arachni/element/link/dom.rb +9 -2
data/lib/arachni/element/link_template.rb +23 -51
data/lib/arachni/element/link_template/capabilities/auditable.rb +27 -0
data/lib/arachni/element/link_template/capabilities/inputtable.rb +47 -0
data/lib/arachni/element/link_template/capabilities/with_dom.rb +42 -0
data/lib/arachni/element/link_template/dom.rb +3 -2
data/lib/arachni/element/path.rb +1 -1
data/lib/arachni/element/server.rb +99 -18
data/lib/arachni/element/xml.rb +195 -0
data/lib/arachni/element/xml/capabilities/inputtable.rb +34 -0
data/lib/arachni/element/xml/capabilities/mutable.rb +39 -0
data/lib/arachni/element_filter.rb +54 -3
data/lib/arachni/error.rb +1 -1
data/lib/arachni/ethon/easy.rb +1 -1
data/lib/arachni/framework.rb +20 -1
data/lib/arachni/framework/parts/audit.rb +29 -22
data/lib/arachni/framework/parts/browser.rb +53 -5
data/lib/arachni/framework/parts/check.rb +11 -2
data/lib/arachni/framework/parts/data.rb +8 -6
data/lib/arachni/framework/parts/platform.rb +1 -1
data/lib/arachni/framework/parts/plugin.rb +1 -1
data/lib/arachni/framework/parts/report.rb +1 -1
data/lib/arachni/framework/parts/scope.rb +1 -1
data/lib/arachni/framework/parts/state.rb +5 -4
data/lib/arachni/http.rb +1 -1
data/lib/arachni/http/client.rb +13 -242
data/lib/arachni/http/client/dynamic_404_handler.rb +474 -0
data/lib/arachni/http/cookie_jar.rb +1 -1
data/lib/arachni/http/headers.rb +11 -2
data/lib/arachni/http/message.rb +1 -1
data/lib/arachni/http/message/scope.rb +1 -1
data/lib/arachni/http/proxy_server.rb +7 -4
data/lib/arachni/http/request.rb +39 -8
data/lib/arachni/http/request/scope.rb +1 -1
data/lib/arachni/http/response.rb +10 -4
data/lib/arachni/http/response/scope.rb +1 -1
data/lib/arachni/issue.rb +17 -7
data/lib/arachni/issue/severity.rb +1 -1
data/lib/arachni/issue/severity/base.rb +1 -1
data/lib/arachni/option_group.rb +1 -1
data/lib/arachni/option_groups.rb +1 -1
data/lib/arachni/option_groups/audit.rb +74 -6
data/lib/arachni/option_groups/browser_cluster.rb +2 -2
data/lib/arachni/option_groups/datastore.rb +1 -1
data/lib/arachni/option_groups/dispatcher.rb +1 -1
data/lib/arachni/option_groups/http.rb +143 -7
data/lib/arachni/option_groups/input.rb +1 -1
data/lib/arachni/option_groups/output.rb +1 -1
data/lib/arachni/option_groups/paths.rb +1 -1
data/lib/arachni/option_groups/rpc.rb +1 -1
data/lib/arachni/option_groups/scope.rb +9 -9
data/lib/arachni/option_groups/session.rb +1 -1
data/lib/arachni/option_groups/snapshot.rb +1 -1
data/lib/arachni/options.rb +1 -1
data/lib/arachni/page.rb +81 -45
data/lib/arachni/page/dom.rb +13 -3
data/lib/arachni/page/dom/transition.rb +1 -1
data/lib/arachni/page/scope.rb +1 -1
data/lib/arachni/parser.rb +11 -1
data/lib/arachni/platform.rb +1 -1
data/lib/arachni/platform/fingerprinter.rb +1 -1
data/lib/arachni/platform/list.rb +1 -1
data/lib/arachni/platform/manager.rb +1 -1
data/lib/arachni/plugin.rb +1 -1
data/lib/arachni/plugin/base.rb +11 -4
data/lib/arachni/plugin/formatter.rb +1 -1
data/lib/arachni/plugin/manager.rb +13 -5
data/lib/arachni/processes.rb +1 -1
data/lib/arachni/processes/dispatchers.rb +1 -1
data/lib/arachni/processes/helpers.rb +1 -1
data/lib/arachni/processes/helpers/dispatchers.rb +1 -1
data/lib/arachni/processes/helpers/instances.rb +1 -1
data/lib/arachni/processes/helpers/processes.rb +1 -1
data/lib/arachni/processes/instances.rb +1 -1
data/lib/arachni/processes/manager.rb +8 -3
data/lib/arachni/report.rb +12 -2
data/lib/arachni/reporter.rb +1 -1
data/lib/arachni/reporter/base.rb +1 -1
data/lib/arachni/reporter/formatter_manager.rb +1 -1
data/lib/arachni/reporter/manager.rb +1 -1
data/lib/arachni/reporter/options.rb +1 -1
data/lib/arachni/rpc/client/base.rb +1 -1
data/lib/arachni/rpc/client/dispatcher.rb +1 -1
data/lib/arachni/rpc/client/instance.rb +1 -1
data/lib/arachni/rpc/client/instance/framework.rb +1 -1
data/lib/arachni/rpc/client/instance/service.rb +1 -1
data/lib/arachni/rpc/serializer.rb +3 -1
data/lib/arachni/rpc/server/active_options.rb +1 -25
data/lib/arachni/rpc/server/base.rb +1 -1
data/lib/arachni/rpc/server/check/manager.rb +1 -1
data/lib/arachni/rpc/server/dispatcher.rb +1 -1
data/lib/arachni/rpc/server/dispatcher/node.rb +1 -1
data/lib/arachni/rpc/server/dispatcher/service.rb +1 -1
data/lib/arachni/rpc/server/framework.rb +1 -1
data/lib/arachni/rpc/server/framework/distributor.rb +2 -6
data/lib/arachni/rpc/server/framework/master.rb +1 -1
data/lib/arachni/rpc/server/framework/multi_instance.rb +1 -1
data/lib/arachni/rpc/server/framework/slave.rb +1 -1
data/lib/arachni/rpc/server/instance.rb +9 -1
data/lib/arachni/rpc/server/output.rb +1 -1
data/lib/arachni/rpc/server/plugin/manager.rb +1 -1
data/lib/arachni/ruby.rb +1 -1
data/lib/arachni/ruby/array.rb +1 -1
data/lib/arachni/ruby/hash.rb +1 -1
data/lib/arachni/ruby/io.rb +1 -1
data/lib/arachni/ruby/object.rb +1 -1
data/lib/arachni/ruby/set.rb +1 -1
data/lib/arachni/ruby/string.rb +1 -1
data/lib/arachni/ruby/webrick.rb +1 -1
data/lib/arachni/ruby/webrick/cookie.rb +1 -1
data/lib/arachni/ruby/webrick/httprequest.rb +1 -1
data/lib/arachni/scope.rb +1 -1
data/lib/arachni/selenium/webdriver/remote/http/typhoeus.rb +19 -2
data/lib/arachni/session.rb +8 -3
data/lib/arachni/snapshot.rb +1 -1
data/lib/arachni/state.rb +1 -1
data/lib/arachni/state/audit.rb +1 -1
data/lib/arachni/state/element_filter.rb +12 -20
data/lib/arachni/state/framework.rb +1 -1
data/lib/arachni/state/framework/rpc.rb +1 -1
data/lib/arachni/state/http.rb +1 -1
data/lib/arachni/state/options.rb +1 -1
data/lib/arachni/state/plugins.rb +1 -1
data/lib/arachni/support.rb +1 -1
data/lib/arachni/support/buffer.rb +1 -1
data/lib/arachni/support/buffer/autoflush.rb +1 -1
data/lib/arachni/support/buffer/base.rb +1 -1
data/lib/arachni/support/cache.rb +1 -1
data/lib/arachni/support/cache/base.rb +1 -1
data/lib/arachni/support/cache/least_cost_replacement.rb +1 -1
data/lib/arachni/support/cache/least_recently_used.rb +1 -1
data/lib/arachni/support/cache/preference.rb +1 -1
data/lib/arachni/support/cache/random_replacement.rb +1 -1
data/lib/arachni/support/crypto.rb +1 -1
data/lib/arachni/support/crypto/rsa_aes_cbc.rb +1 -1
data/lib/arachni/support/database.rb +1 -1
data/lib/arachni/support/database/base.rb +1 -1
data/lib/arachni/support/database/hash.rb +1 -1
data/lib/arachni/support/database/queue.rb +1 -1
data/lib/arachni/support/lookup.rb +1 -1
data/lib/arachni/support/lookup/base.rb +1 -1
data/lib/arachni/support/lookup/hash_set.rb +1 -1
data/lib/arachni/support/lookup/moolb.rb +1 -1
data/lib/arachni/support/mixins.rb +1 -1
data/lib/arachni/support/mixins/observable.rb +1 -1
data/lib/arachni/support/mixins/terminal.rb +1 -1
data/lib/arachni/support/profiler.rb +1 -1
data/lib/arachni/support/signature.rb +1 -1
data/lib/arachni/trainer.rb +8 -1
data/lib/arachni/ui/foo/output.rb +1 -1
data/lib/arachni/uri.rb +79 -57
data/lib/arachni/uri/scope.rb +17 -6
data/lib/arachni/utilities.rb +8 -3
data/lib/arachni/version.rb +1 -1
data/lib/arachni/watir/element.rb +22 -1
data/lib/version +1 -1
data/spec/arachni/browser/element_locator_spec.rb +38 -1
data/spec/arachni/browser/javascript/dom_monitor_spec.rb +21 -6
data/spec/arachni/browser/javascript/taint_tracer_spec.rb +351 -216
data/spec/arachni/browser/javascript_spec.rb +26 -6
data/spec/arachni/browser_spec.rb +205 -53
data/spec/arachni/check/auditor_spec.rb +36 -12
data/spec/arachni/element/capabilities/analyzable/differential_spec.rb +84 -42
data/spec/arachni/element/capabilities/analyzable/taint_spec.rb +2 -0
data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +87 -19
data/spec/arachni/element/capabilities/with_scope/scope_spec.rb +9 -0
data/spec/arachni/element/cookie/dom_spec.rb +2 -2
data/spec/arachni/element/cookie_spec.rb +28 -7
data/spec/arachni/element/form/dom_spec.rb +2 -2
data/spec/arachni/element/form_spec.rb +39 -7
data/spec/arachni/element/generic_dom_spec.rb +13 -6
data/spec/arachni/element/header_spec.rb +2 -2
data/spec/arachni/element/json_spec.rb +522 -0
data/spec/arachni/element/link/dom_spec.rb +2 -2
data/spec/arachni/element/link_spec.rb +12 -12
data/spec/arachni/element/link_template/dom_spec.rb +1 -1
data/spec/arachni/element/link_template_spec.rb +13 -13
data/spec/arachni/element/server_spec.rb +50 -8
data/spec/arachni/element/xml_spec.rb +247 -0
data/spec/arachni/framework/parts/audit_spec.rb +13 -6
data/spec/arachni/framework/parts/browser_spec.rb +276 -10
data/spec/arachni/framework/parts/state_spec.rb +20 -2
data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +274 -0
data/spec/arachni/http/client_spec.rb +4 -241
data/spec/arachni/http/proxy_server_spec.rb +8 -0
data/spec/arachni/http/request_spec.rb +129 -1
data/spec/arachni/http/response_spec.rb +20 -0
data/spec/arachni/issue_spec.rb +3 -3
data/spec/arachni/option_groups/audit_spec.rb +32 -0
data/spec/arachni/option_groups/http_spec.rb +70 -4
data/spec/arachni/options_spec.rb +6 -6
data/spec/arachni/page_spec.rb +89 -1
data/spec/arachni/report_spec.rb +17 -0
data/spec/arachni/session_spec.rb +3 -14
data/spec/arachni/trainer_spec.rb +24 -5
data/spec/arachni/uri/scope_spec.rb +97 -7
data/spec/arachni/uri_spec.rb +41 -0
data/spec/arachni/utilities_spec.rb +2 -1
data/spec/components/checks/active/code_injection_spec.rb +47 -7
data/spec/components/checks/active/code_injection_timing_spec.rb +4 -2
data/spec/components/checks/active/file_inclusion_spec.rb +16 -6
data/spec/components/checks/active/ldap_injection_spec.rb +13 -4
data/spec/components/checks/active/no_sql_injection_spec.rb +4 -2
data/spec/components/checks/active/os_cmd_injection_spec.rb +15 -11
data/spec/components/checks/active/os_cmd_injection_timing_spec.rb +4 -2
data/spec/components/checks/active/path_traversal_spec.rb +11 -5
data/spec/components/checks/active/response_splitting_spec.rb +4 -2
data/spec/components/checks/active/rfi_spec.rb +5 -2
data/spec/components/checks/active/source_code_disclosure_spec.rb +6 -4
data/spec/components/checks/active/sql_injection_spec.rb +52 -26
data/spec/components/checks/active/sql_injection_timing_spec.rb +29 -5
data/spec/components/checks/active/unvalidated_redirect_dom_spec.rb +19 -0
data/spec/components/checks/active/unvalidated_redirect_spec.rb +5 -2
data/spec/components/checks/active/xpath_injection_spec.rb +11 -3
data/spec/components/checks/active/xss_dom_script_context_spec.rb +4 -4
data/spec/components/checks/active/xss_script_context_spec.rb +5 -5
data/spec/components/checks/active/xss_tag_spec.rb +1 -1
data/spec/components/checks/active/xxe_spec.rb +19 -0
data/spec/components/checks/passive/grep/hsts_spec.rb +10 -2
data/spec/components/checks/passive/grep/insecure_cors_policy_spec.rb +25 -0
data/spec/components/checks/passive/grep/x_frame_options_spec.rb +25 -0
data/spec/components/checks/passive/insecure_client_access_policy_spec.rb +15 -0
data/spec/components/checks/passive/insecure_cross_domain_policy_access_spec.rb +15 -0
data/spec/components/checks/passive/insecure_cross_domain_policy_headers_spec.rb +15 -0
data/spec/components/plugins/exec_spec.rb +56 -0
data/spec/components/plugins/headers_collector_spec.rb +126 -0
data/spec/components/plugins/vector_collector_spec.rb +55 -0
data/spec/spec_helper.rb +2 -1
data/spec/support/factories/element/form.rb +1 -1
data/spec/support/factories/element/json.rb +5 -0
data/spec/support/factories/element/link.rb +1 -1
data/spec/support/factories/element/link_template.rb +1 -1
data/spec/support/factories/element/xml.rb +5 -0
data/spec/support/factories/page.rb +11 -2
data/spec/support/fixtures/check_with_invalid_platforms/with_invalid_platforms.rb +1 -1
data/spec/support/fixtures/checks/test.rb +1 -1
data/spec/support/fixtures/checks/test2.rb +1 -1
data/spec/support/fixtures/checks/test3.rb +1 -1
data/spec/support/fixtures/fingerprinters/test.rb +1 -1
data/spec/support/fixtures/plugins/bad.rb +1 -1
data/spec/support/fixtures/plugins/defaults/default.rb +1 -1
data/spec/support/fixtures/plugins/distributable.rb +1 -1
data/spec/support/fixtures/plugins/loop.rb +1 -1
data/spec/support/fixtures/plugins/suspendable.rb +1 -1
data/spec/support/fixtures/plugins/wait.rb +1 -1
data/spec/support/fixtures/plugins/with_options.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p0.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p00.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p1.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p2.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p22.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p222.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p_nil.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p_nil2.rb +1 -1
data/spec/support/fixtures/report.afr +0 -0
data/spec/support/fixtures/reporters/base_spec/plugin_formatters/with_formatters/foobar.rb +1 -1
data/spec/support/fixtures/reporters/base_spec/with_formatters.rb +1 -1
data/spec/support/fixtures/reporters/base_spec/with_outfile.rb +1 -1
data/spec/support/fixtures/reporters/base_spec/without_outfile.rb +1 -1
data/spec/support/fixtures/reporters/manager_spec/afr.rb +1 -1
data/spec/support/fixtures/reporters/manager_spec/foo.rb +1 -1
data/spec/support/fixtures/run_check/body.rb +1 -1
data/spec/support/fixtures/run_check/cookies.rb +1 -1
data/spec/support/fixtures/run_check/empty.rb +1 -1
data/spec/support/fixtures/run_check/flch.rb +1 -1
data/spec/support/fixtures/run_check/forms.rb +1 -1
data/spec/support/fixtures/run_check/headers.rb +1 -1
data/spec/support/fixtures/run_check/links.rb +1 -1
data/spec/support/fixtures/run_check/nil.rb +1 -1
data/spec/support/fixtures/run_check/path.rb +1 -1
data/spec/support/fixtures/run_check/server.rb +1 -1
data/spec/support/fixtures/taint_check/taint.rb +1 -1
data/spec/support/fixtures/wait_check/wait.rb +1 -1
data/spec/support/helpers/framework.rb +1 -1
data/spec/support/helpers/misc.rb +1 -1
data/spec/support/helpers/pages.rb +23 -14
data/spec/support/helpers/paths.rb +1 -1
data/spec/support/helpers/requires.rb +1 -1
data/spec/support/helpers/resets.rb +1 -1
data/spec/support/helpers/web_server.rb +1 -1
data/spec/support/lib/factory.rb +1 -1
data/spec/support/lib/web_server_client.rb +1 -1
data/spec/support/lib/web_server_dispatcher.rb +1 -1
data/spec/support/lib/web_server_manager.rb +1 -1
data/spec/support/servers/arachni/browser.rb +77 -3
data/spec/support/servers/arachni/browser/javascript/angular-1.2.8.js +1 -1
data/spec/support/servers/arachni/browser/javascript/angular-route.js +1 -1
data/spec/support/servers/arachni/browser/javascript/dom_monitor.rb +24 -1
data/spec/support/servers/arachni/browser/javascript/jquery.cookie.js +117 -0
data/spec/support/servers/arachni/browser/javascript/taint_tracer.rb +58 -1
data/spec/support/servers/arachni/element/capabilities/analyzable/timeout.rb +6 -0
data/spec/support/servers/arachni/element/json.rb +5 -0
data/spec/support/servers/arachni/element/xml.rb +5 -0
data/spec/support/servers/arachni/http/client.rb +0 -22
data/spec/support/servers/arachni/http/client/dynamic_404_handler.rb +47 -0
data/spec/support/servers/arachni/trainer.rb +10 -0
data/spec/support/servers/checks/active/code_injection.rb +69 -42
data/spec/support/servers/checks/active/code_injection_timing.rb +115 -0
data/spec/support/servers/checks/active/file_inclusion.rb +117 -2
data/spec/support/servers/checks/active/ldap_injection.rb +114 -0
data/spec/support/servers/checks/active/no_sql_injection.rb +81 -0
data/spec/support/servers/checks/active/os_cmd_injection.rb +116 -0
data/spec/support/servers/checks/active/os_cmd_injection_timing.rb +77 -5
data/spec/support/servers/checks/active/path_traversal.rb +154 -2
data/spec/support/servers/checks/active/response_splitting.rb +117 -0
data/spec/support/servers/checks/active/rfi.rb +117 -0
data/spec/support/servers/checks/active/source_code_disclosure.rb +109 -0
data/spec/support/servers/checks/active/sql_injection.rb +125 -0
data/spec/support/servers/checks/active/sql_injection_timing.rb +114 -0
data/spec/support/servers/checks/active/unvalidated_redirect.rb +117 -1
data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +115 -0
data/spec/support/servers/checks/active/xpath_injection.rb +117 -0
data/spec/support/servers/checks/active/xss_script_context.rb +16 -32
data/spec/support/servers/checks/active/xss_tag.rb +12 -12
data/spec/support/servers/checks/active/xxe.rb +85 -0
data/spec/support/servers/checks/passive/grep/insecure_cors_policy.rb +8 -0
data/spec/support/servers/checks/passive/grep/x_frame_options.rb +9 -0
data/spec/support/servers/checks/passive/insecure_client_access_policy.rb +9 -0
data/spec/support/servers/checks/passive/insecure_cross_domain_policy_access.rb +13 -0
data/spec/support/servers/checks/passive/insecure_cross_domain_policy_headers.rb +13 -0
data/spec/support/servers/plugins/headers_collector.rb +16 -0
data/spec/support/servers/plugins/vector_collector.rb +13 -0
data/spec/support/shared/check.rb +6 -1
data/spec/support/shared/element/base.rb +16 -9
data/spec/support/shared/element/capabilities/auditable.rb +22 -15
data/spec/support/shared/element/capabilities/auditable/dom.rb +7 -14
data/spec/support/shared/element/capabilities/inputtable.rb +46 -61
data/spec/support/shared/element/capabilities/mutable.rb +159 -64
data/spec/support/shared/element/capabilities/with_dom.rb +52 -3
data/spec/support/shared/element/capabilities/with_node.rb +2 -44
data/spec/support/shared/element/capabilities/with_scope.rb +1 -1
data/spec/support/shared/element/capabilities/with_source.rb +55 -0
data/ui/cli/framework.rb +9 -9
data/ui/cli/framework/option_parser.rb +75 -3
data/ui/cli/option_parser.rb +1 -1
data/ui/cli/output.rb +1 -1
data/ui/cli/reporter.rb +1 -1
data/ui/cli/reporter/option_parser.rb +1 -1
data/ui/cli/restored_framework.rb +1 -1
data/ui/cli/restored_framework/option_parser.rb +1 -1
data/ui/cli/rpc/client/dispatcher_monitor.rb +1 -1
data/ui/cli/rpc/client/dispatcher_monitor/option_parser.rb +1 -1
data/ui/cli/rpc/client/instance.rb +5 -4
data/ui/cli/rpc/client/local.rb +1 -1
data/ui/cli/rpc/client/local/option_parser.rb +1 -1
data/ui/cli/rpc/client/remote.rb +1 -1
data/ui/cli/rpc/client/remote/option_parser.rb +1 -1
data/ui/cli/rpc/server/dispatcher.rb +1 -1
data/ui/cli/rpc/server/dispatcher/option_parser.rb +1 -1
data/ui/cli/utilities.rb +4 -1
metadata +129 -19
data/lib/arachni/nokogiri/xml/node.rb +0 -42

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9c9fcad54f45425bae6cfe2e13128890fe6bd259
-  data.tar.gz: 5909dde7398a67e4da8f94fdbb11f40e3fc6d9b7
+  metadata.gz: 8f24a93602ee05ee80f03367f6076200362efff6
+  data.tar.gz: 0e6c3ee901415342be5661d62bf41925cc6b36f2
 SHA512:
-  metadata.gz: 9adfdde00f808552c7f8387f5bf7bb766672fee202b757dc150eb92eb5f33326ab3fb680ada9b1cf024f26c1a9c503006d47238d5359f9eb9c2f42b27538f0bf
-  data.tar.gz: fe7f56f73a56ddc426095e9abd9b54315c0be4ba493fb2a1666521a38cb8a88a4e3992a810ff0b1d936a4d9e4d6a5f23f5c319333241686f8adca5789c891b89
+  metadata.gz: ab0b21531f7be52bbe924d1a58f58de719222b72df67431c22898d519dd66bd47f297166b083a68add14cf64ee64ea3497c66350f3c68ec9da0eeda85a56751c
+  data.tar.gz: 54e4aff6b4437087c2f32919c2eb669648fc88e4fb42c397ec27a64058741af717bd750eb1a0c5d4f1cefa46cfb44750049e024a57c4538409b9686daee17b54

data/CHANGELOG.md CHANGED

@@ -1,5 +1,198 @@
 # ChangeLog
+## 1.1 _(May 1, 2015)_
+- `gemspec` -- Require Ruby >= 2.0.0.
+- Options
+    - `--authorized-by` -- Fixed expected type (`Integer` => `String`).
+    - HTTP
+        - `request_timeout` -- Lowered from 50 to 10 seconds.
+        - `response_max_size` -- Set to 500KB.
+    - BrowserCluster
+        - `job_timeout` -- Lowered from 120 to 15 seconds.
+    - Scope
+        - `dom_depth_limit` -- Lowered from 10 to 5.
+    - Added:
+        - Audit
+            - `--audit-parameter-names` -- Injects payloads into parameter names.
+            - `--audit-with-extra-parameter` -- Injects payloads into an extra parameter.
+        - HTTP
+            - `--http-ssl-verify-peer` -- Verify SSL peer.
+            - `--http-ssl-verify-host` -- Verify SSL host.
+            - `--http-ssl-certificate` -- SSL certificate to use.
+            - `--http-ssl-certificate-type` -- SSL certificate type.
+            - `--http-ssl-key` -- SSL private key to use.
+            - `--http-ssl-key-type` -- SSL key type.
+            - `--http-ssl-key-password` -- Password for the SSL private key.
+            - `--http-ssl-ca` -- File holding one or more certificates with which to verify the peer.
+            - `--http-ssl-ca-directory` -- Directory holding multiple certificate files with which to verify the peer.
+            - `--http-ssl-version` -- SSL version to use.
+- `URI`
+    - Added `#resource_name`.
+    - Added `.full_and_absolute?`.
+    - `Scope`
+        - `#redundant?` -- No longer updates counter by default.
+        - `#auto_redundant?`
+            - No longer updates counter by default.
+            - Only consider URLs with query parameters.
+- `HTTP`
+    - `Client`
+        - Overhauled custom-404 identification and moved to `Dynamic404Handler`.
+- `Framework`
+    - `Parts`
+        - `Data`
+            - `#push_to_page_queue` -- Update redundancy scope counters.
+            - `#push_to_url_queue` -- Update redundancy scope counters.
+        - `Audit`
+            - `#audit_page`
+                - Apply DOM metadata to pages not originated from `Browser#to_page`.
+        - `Browser`
+            - Added utility `#browser`.
+            - Added `#use_browsers?`, determining whether system options and
+                capabilities allow for browsers to be used.
+            - `#wait_for_browsers?` => `#wait_for_browser_cluster?`
+- `Element`
+    - All
+        - Renamed `#html` to `#source`.
+        - Moved element-specific capabilities to their own files.
+    - `Cookie`
+            - `.encode` -- Encode `=` even when in value.
+    - `JSON` -- Represents JSON input vectors.
+    - `XML` -- Represents XML input vectors.
+    - `Form`
+        - Support forms with multiple values for `submit` inputs with sa
+        me names.
+    - `Server`
+        - `#log_remote_file_if_exists` -- Perform some rudimentary meta-analysis
+            on possible issues and only feed the identified resources back to the
+            system if they are above a certain threshold of similarity.
+            This fixes infinite loop scenarios when dealing with unreliable
+            custom-404 fingerprints.
+    - `Capabilities`
+        - `Mutable`
+            - `:param_flip` => `:parameter_names`
+            - Added `:parameter_values` option.
+            - Added `:with_extra_parameter` option.
+        - `Analyzable`
+            - `Timeout`
+                - Updated algorithm to be resilient to WAF/IDS/IPS filtering.
+                - Added remarks to each issue containing extra information
+                    regarding the state of the web application during analysis.
+            - `Differential` -- Added remarks to each issue containing extra information
+                regarding the used payloads.
+            - `Taint`
+                - Don't log issues when unable to get a verification response.
+                - Provide all matched data as proof, not only the regexp captured ones.
+        - `WithDOM`
+            - Added `#skip_dom` (set via `Browser#to_page`), to prevent `DOM`s
+                from being loaded and audited when there are no associated events.
+- `Page`
+    - Added `#update_metadata`, updating `#metadata` from `#cache` elements.
+    - Added `#reload_metadata`, updating `#cache` elements from `#metadata`.
+    - Added `#import_metadata`, importing `#metadata` from other page.
+    - `DOM`
+        - `#restore` -- Added debugging messages.
+- `Utilities`
+    - Added `.full_and_absolute_url?`.
+- `Browser`
+    - Updated to extract JSON and XML input vectors from HTTP requests.
+    - `#shutdown` -- Fixed Selenium exceptions on dead browser process.
+    - `#to_page` -- Apply DOM metadata to page elements.
+    - `#spawn_phantomjs` -- Enabled `--disk-cache` option for `phantomjs`.
+    - `#fire_event` -- Recode input values to fix encoding errors.
+    - `#to_page` -- Return empty page on unavailable response data instead of `nil`.
+    - `#snapshot_id` -- Updated to only consider important element attributes
+        (depending on type) instead of all of them.
+    - `ElementLocator`
+        - `#css` -- Returns a CSS locator.
+        - `#locate` -- Updated to use `#css`.
+    - `Javascript`
+        - Added `.select_event_attributes`.
+        - `DOMMonitor`
+            - `#digest` -- Removed `data-arachni-id` from digest.
+        - `TaintTracer`
+            - Added support for tracing multiple taints in groups.
+            - Added tracing for:
+                - `escape()`
+                - `unescape()`
+                - `String`
+                    - `indexOf()`
+                    - `lastIndexOf()`
+                - `jQuery`
+                    - `cookie()` plugin.
+- `BrowserCluster`
+    - `Worker`
+        - `#browser_respawn` -- Catch Watir/Selenium errors.
+- `Session`
+    - Ensure the browser is shut-down after each login operation.
+- `Check`
+    - `Auditor`
+        - `#each_candidate_dom_element` -- Yield element DOMs instead of parent elements.
+- `Plugin`
+    - `Manager`
+        - `#run` -- Optimized plugin initialization by using a queue to signal
+            a ready-state, instead of blocking for 1 second.
+-  Checks
+    - Active
+        - Added
+            - `unvalidated_redirect_dom` -- Logs DOM-based unvalidated redirects.
+            - `xxe` -- Logs XML External Entity vulnerabilities.
+        - `trainer` -- Disabled parameter flip for the payload to avoid parameter
+            pollution.
+        - `os_cmd_injection` -- Only use straight payload injection instead
+            of straight and append.
+        - `code_injection` -- Only use straight payload injection instead
+            of straight and append.
+        - `xss` -- When auditing links don't require a tainted response for
+            browser analysis.
+        - `xss_script_context`
+            - Updated payloads.
+            - Only use straight payload injection instead of straight and append.
+        - `xss_dom_script_context` -- Only use straight payload injection instead
+            of straight and append.
+        - `xss_tag` -- Updated payloads to handle cases when more data are appended
+            to the landed value.
+        - `xss_event` -- Added proof to the issue.
+    - Passive
+        - Added
+            - `insecure_cross_domain_policy_access` -- Checks `crossdomain.xml`
+                files for `allow-access-from` wildcard policies.
+            - `insecure_cross_domain_policy_headers` -- Checks `crossdomain.xml`
+                files for wildcard `allow-http-request-headers-from` policies.
+            - `insecure_client_access_policy` -- Checks `clientaccesspolicy.xml`
+                files for wildcard domain policies.
+            - `insecure_cors_policy` -- Logs wildcard `Access-Control-Allow-Origin`
+                headers per host.
+            - `x_frame_options` -- Logs missing `X-Frame-Options` headers per host.
+            - `common_directories` -- Added:
+                - `rails/info/routes`
+                - `rails/info/properties`
+        - `http_put` -- Try to `DELETE` the `PUT` file.
+        - `html_objects` -- Updated regexp to use non-capturing groups.
+- Plugins
+    - All
+        - Updated `#prepare` methods to not block, in accordance with the new
+            `Plugin::Manager#run` behavior.
+    - `email_notify`
+        - Added `domain` option.
+        - Fixed extension for `html` reporter.
+        - Added support for `afr` report type.
+    - `proxy` -- Added XML and JSON input vector extraction.
+    - Added:
+        - `vector_collector` -- Collects information about all seen input vectors
+            which are within the scan scope.
+        - `headers_collector` -- Collects response headers based on specified criteria.
+        - `exec` -- Calls external executables at different scan stages.
+- Report -- Renamed `#html` to `#source` for all elements.
+    - `html`
+        - Updated chart rendering to only take place when visiting the chart page.
+        - Fixed broken links.
+        - Cleaned up chart severity handling.
+        - Summary
+            - Added OWASP Top 10 tab.
+    - `xml`
+        - Schema update for issue remarks.
 ## 1.0.6 _(December 07, 2014)_
 - `arachni_rpcd` -- Fixed bug causing the `--nickname` option to not be understood.

data/Gemfile CHANGED

@@ -26,4 +26,3 @@ group :prof do
 end
 gemspec

data/LICENSE.md CHANGED

@@ -1,6 +1,6 @@
 # License
-Copyright 2010-2014 [Tasos Laskos](mailto:tasos.laskos@arachni-scanner.com).
+Copyright 2010-2015 [Tasos Laskos](mailto:tasos.laskos@arachni-scanner.com).
 The Arachni Framework (henceforth referred to simply as "Arachni") is dual-licensed.

data/README.md CHANGED

@@ -1,17 +1,9 @@
-**NOTICE**:
-* Arachni's license has changed, please see the _LICENSE_ file before working
-    with the project.
-* v1.0 is not backwards compatible with v0.4.
-<hr/>
 # Arachni - Web Application Security Scanner Framework
 <table>
     <tr>
         <th>Version</th>
-        <td>1.0.6</td>
+        <td>1.1</td>
     </tr>
     <tr>
         <th>Homepage</th>
@@ -46,7 +38,7 @@
     </tr>
     <tr>
         <th>Copyright</th>
-        <td>2010-2014 Tasos Laskos</td>
+        <td>2010-2015 Tasos Laskos</td>
     </tr>
     <tr>
         <th>License</th>
@@ -123,11 +115,11 @@ you with its findings.
  - Cookie-jar/cookie-string support.
  - Custom header support.
- - SSL support.
+ - SSL support with fine-grained options.
  - User Agent spoofing.
  - Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
  - Proxy authentication.
- - Site authentication (Automated form-based, Cookie-Jar, Basic-Digest, NTLMv1 and others).
+ - Site authentication (SSL-based, form-based, Cookie-Jar, Basic-Digest, NTLMv1, Kerberos and others).
  - Automatic log-out detection and re-login during the scan (when the initial
     login was performed via the `autologin`, `login_script` or `proxy` plugins).
  - Custom 404 page detection.
@@ -233,6 +225,8 @@ Arachni is able to extract and audit the following elements and their inputs:
  - Headers
  - Generic client-side elements like `input`s which have associated DOM events.
  - AJAX-request parameters.
+ - JSON request data.
+ - XML request data.
 ### Open [distributed architecture](https://github.com/Arachni/arachni/wiki/Distributed-components)
@@ -293,6 +287,8 @@ Arachni is able to extract and audit the following elements and their inputs:
         - Can load them via the integrated browser environment.
     - Headers
     - Generic client-side DOM elements like `input`s.
+    - JSON request data.
+    - XML request data.
  - Can ignore binary/non-text pages.
  - Can optionally audit elements using both `GET` and `POST` HTTP methods.
  - Can optionally submit all links and forms of the page along with the cookie
@@ -416,6 +412,7 @@ Active checks engage the web application via its inputs.
     - Windows
 - Remote file inclusion (`rfi`).
 - Unvalidated redirects (`unvalidated_redirect`).
+- Unvalidated DOM redirects (`unvalidated_redirect_dom`).
 - XPath injection (`xpath_injection`).
     - Generic
     - PHP
@@ -431,6 +428,11 @@ Active checks engage the web application via its inputs.
 - DOM XSS inputs (`xss_dom_inputs`).
 - DOM XSS script context (`xss_dom_script_context`).
 - Source code disclosure (`source_code_disclosure`)
+- XML External Entity (`xxe`).
+    - Linux
+    - *BSD
+    - Solaris
+    - Windows
 ##### Passive
@@ -464,6 +466,11 @@ Passive checks look for the existence of files, folders and signatures.
 - localstart.asp (`localstart_asp`)
 - Cookie set for parent domain (`cookie_set_for_parent_domain`)
 - Missing `Strict-Transport-Security` headers for HTTPS sites (`hsts`).
+- Missing `X-Frame-Options` headers (`x_frame_options`).
+- Insecure CORS policy (`insecure_cors_policy`).
+- Insecure cross-domain policy (allow-access-from) (`insecure_cross_domain_policy_access`)
+- Insecure cross-domain policy (allow-http-request-headers-from) (`insecure_cross_domain_policy_headers`)
+- Insecure client-access policy (`insecure_client_access_policy`)
 #### Reporters
@@ -503,6 +510,10 @@ core remains lean and makes it easy for anyone to add arbitrary functionality.
 - Uncommon headers (`uncommon_headers`) -- Logs uncommon headers.
 - Content-types (`content_types`) -- Logs content-types of server responses aiding in the
     identification of interesting (possibly leaked) files.
+- Vector collector (`vector_collector`) -- Collects information about all seen input vectors
+    which are within the scan scope.
+- Headers collector (`headers_collector`) -- Collects response headers based on specified criteria.
+- Exec (`exec`) -- Calls external executables at different scan stages.
 ##### Defaults
@@ -585,9 +596,3 @@ need to follow in order to contribute code:
 Dual-licensed (Apache License v2.0/Commercial) -- please see the _LICENSE_ file
 for more information.
-## Disclaimer
-This is free software and you are allowed to use it as you see fit.
-However, neither the development team nor any of our contributors can be held
-responsible for your actions nor for any damage caused by the use of this software.

data/Rakefile CHANGED

@@ -1,5 +1,5 @@
 =begin
-    Copyright 2010-2014 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    Copyright 2010-2015 Tasos Laskos <tasos.laskos@arachni-scanner.com>
     This file is part of the Arachni Framework project and is subject to
     redistribution and commercial restrictions. Please see the Arachni Framework
@@ -145,7 +145,6 @@ begin
                 begin
                     $spec_issues = []
-                    # Rake::Task['spec:checks'].execute rescue nil
                     RSpec::Core::Runner.run(FileList[ 'spec/components/checks/**/*_spec.rb' ])
                     ($spec_issues.size / 3).times do |i|
@@ -154,6 +153,9 @@ begin
                         issue.add_remark( :stuff, 'Blah' )
                         issue.add_remark( :stuff, 'Blah2' )
+                        issue.add_remark( :stuff2, '2 Blah' )
+                        issue.add_remark( :stuff2, '2 Blah2' )
                         # Flag some issues as untrusted.
                         $spec_issues.sample.trusted = false
                     end
@@ -162,7 +164,7 @@ begin
                     $spec_issues.each { |i| Arachni::Data.issues << i }
                     Arachni::Options.url = 'http://test.com'
-                    Arachni::Options.audit.elements :forms, :links, :cookies, :headers
+                    Arachni::Options.audit.elements Arachni::Page::ELEMENTS - [:link_templates]
                     Arachni::Options.audit.link_templates = [
                         /\/input\/(?<input>.+)\//,
                         /input\|(?<input>.+)/

data/arachni.gemspec CHANGED

@@ -1,6 +1,6 @@
 # coding: utf-8
 =begin
-    Copyright 2010-2014 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    Copyright 2010-2015 Tasos Laskos <tasos.laskos@arachni-scanner.com>
     This file is part of the Arachni Framework project and is subject to
     redistribution and commercial restrictions. Please see the Arachni Framework
@@ -10,7 +10,7 @@
 Gem::Specification.new do |s|
     require File.expand_path( File.dirname( __FILE__ ) ) + '/lib/arachni/version'
-    s.required_ruby_version = '>= 1.9.3'
+    s.required_ruby_version = '>= 2.0.0'
     s.name              = 'arachni'
     s.version           = Arachni::VERSION
@@ -24,6 +24,7 @@ Gem::Specification.new do |s|
     s.authors           = [ 'Tasos Laskos' ]
     s.licenses          = ['Apache-2.0', 'Proprietary']
+    s.files            += Dir.glob( 'config/**/**' )
     s.files            += Dir.glob( 'gfx/**/**' )
     s.files            += Dir.glob( 'lib/**/**' )
     s.files            += Dir.glob( 'ui/**/**' )
@@ -43,6 +44,8 @@ Gem::Specification.new do |s|
     s.rdoc_options      = [ '--charset=UTF-8' ]
+    s.add_dependency 'rack'
     s.add_dependency 'bundler'
     # For compressing/decompressing system state archives.
@@ -61,7 +64,7 @@ Gem::Specification.new do |s|
     end
     # RPC client/server implementation.
-    s.add_dependency 'arachni-rpc',       '0.2.1.1'
+    s.add_dependency 'arachni-rpc',       '0.2.1.2'
     # HTTP client.
     s.add_dependency 'typhoeus',          '0.6.9'
@@ -73,16 +76,16 @@ Gem::Specification.new do |s|
     s.add_dependency 'pony',              '1.8'
     # Printing complex objects.
-    s.add_dependency 'awesome_print',     '1.2.0'
+    s.add_dependency 'awesome_print',     '~> 1.2.0'
     # JSON reporter.
-    s.add_dependency 'json',              '1.8.1'
+    s.add_dependency 'json',              '~> 1.8.1'
     # For the Arachni console (arachni_console).
     s.add_dependency 'rb-readline',       '0.5.1'
     # Markup parsing.
-    s.add_dependency 'nokogiri',          '1.6.2.1'
+    s.add_dependency 'nokogiri',          '~> 1.6.5'
     # Outputting data in table format (arachni_rpcd_monitor).
     s.add_dependency 'terminal-table',    '1.4.5'
@@ -95,7 +98,7 @@ Gem::Specification.new do |s|
     s.add_dependency 'kramdown',          '1.4.1'
     # Used to scrub Markdown for XSS etc.
-    s.add_dependency 'loofah',            '2.0.0'
+    s.add_dependency 'loofah',            '~> 2.0.0'
     s.post_install_message = <<MSG
@@ -112,7 +115,7 @@ License            - Apache License v2.0/Proprietary
                         (https://github.com/Arachni/arachni/blob/master/LICENSE.md)
 Author             - Tasos "Zapotek" Laskos (http://twitter.com/Zap0tek)
 Twitter            - http://twitter.com/ArachniScanner
-Copyright          - 2010-2014 Tasos Laskos
+Copyright          - 2010-2015 Tasos Laskos
 Please do not hesitate to ask for assistance (via the support portal)
 or report a bug (via GitHub Issues) if you come across any problem.

data/bin/arachni CHANGED

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 =begin
-    Copyright 2010-2014 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    Copyright 2010-2015 Tasos Laskos <tasos.laskos@arachni-scanner.com>
     This file is part of the Arachni Framework project and is subject to
     redistribution and commercial restrictions. Please see the Arachni Framework