arachni 1.2.1 → 1.3

Sign up to get free protection for your applications and to get access to all the features.
Files changed (373) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +66 -0
  3. data/Gemfile +1 -1
  4. data/README.md +16 -5
  5. data/components/checks/active/ldap_injection/errors.txt +1 -0
  6. data/components/checks/active/source_code_disclosure.rb +1 -1
  7. data/components/checks/active/unvalidated_redirect.rb +6 -6
  8. data/components/checks/active/unvalidated_redirect_dom.rb +10 -7
  9. data/components/checks/passive/grep/captcha.rb +14 -5
  10. data/components/checks/passive/grep/form_upload.rb +7 -3
  11. data/components/checks/passive/grep/hsts.rb +3 -3
  12. data/components/checks/passive/grep/html_objects.rb +2 -3
  13. data/components/checks/passive/grep/http_only_cookies.rb +2 -3
  14. data/components/checks/passive/grep/insecure_cookies.rb +1 -1
  15. data/components/checks/passive/grep/password_autocomplete.rb +2 -2
  16. data/components/checks/passive/grep/unencrypted_password_forms.rb +7 -7
  17. data/components/checks/passive/grep/x_frame_options.rb +2 -2
  18. data/components/checks/passive/http_put.rb +2 -3
  19. data/components/path_extractors/comments.rb +3 -3
  20. data/components/path_extractors/scripts.rb +10 -1
  21. data/components/plugins/defaults/autothrottle.rb +27 -18
  22. data/components/plugins/defaults/meta/remedies/discovery.rb +30 -33
  23. data/components/plugins/defaults/meta/remedies/timing_attacks.rb +7 -11
  24. data/components/plugins/login_script.rb +9 -3
  25. data/components/plugins/proxy.rb +4 -3
  26. data/components/reporters/html.rb +11 -14
  27. data/components/reporters/html/default/issue.erb +13 -38
  28. data/components/reporters/html/default/issue/info.erb +1 -1
  29. data/components/reporters/html/default/summary/issues/by_name.erb +3 -3
  30. data/components/reporters/stdout.rb +62 -71
  31. data/components/reporters/xml.rb +26 -40
  32. data/components/reporters/xml/schema.xsd +43 -89
  33. data/lib/arachni/browser.rb +52 -3
  34. data/lib/arachni/browser/javascript.rb +3 -3
  35. data/lib/arachni/browser/javascript/scripts/taint_tracer.js +46 -25
  36. data/lib/arachni/browser_cluster.rb +61 -0
  37. data/lib/arachni/browser_cluster/job.rb +21 -1
  38. data/lib/arachni/browser_cluster/jobs/browser_provider.rb +3 -1
  39. data/lib/arachni/browser_cluster/jobs/resource_exploration.rb +2 -1
  40. data/lib/arachni/browser_cluster/jobs/resource_exploration/event_trigger.rb +2 -1
  41. data/lib/arachni/browser_cluster/jobs/taint_trace.rb +3 -2
  42. data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +1 -1
  43. data/lib/arachni/browser_cluster/worker.rb +5 -0
  44. data/lib/arachni/check/auditor.rb +22 -12
  45. data/lib/arachni/data/framework.rb +13 -1
  46. data/lib/arachni/data/issues.rb +9 -25
  47. data/lib/arachni/element/base.rb +9 -3
  48. data/lib/arachni/element/capabilities/analyzable.rb +2 -6
  49. data/lib/arachni/element/capabilities/analyzable/differential.rb +24 -7
  50. data/lib/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +23 -23
  51. data/lib/arachni/element/capabilities/auditable.rb +0 -6
  52. data/lib/arachni/element/capabilities/dom_only.rb +61 -0
  53. data/lib/arachni/element/capabilities/with_dom.rb +3 -1
  54. data/lib/arachni/element/cookie.rb +35 -5
  55. data/lib/arachni/element/cookie/dom.rb +13 -4
  56. data/lib/arachni/element/{capabilities/auditable/dom.rb → dom.rb} +20 -68
  57. data/lib/arachni/element/dom/capabilities/auditable.rb +29 -0
  58. data/lib/arachni/element/dom/capabilities/inputtable.rb +27 -0
  59. data/lib/arachni/element/dom/capabilities/mutable.rb +21 -0
  60. data/lib/arachni/element/dom/capabilities/submittable.rb +52 -0
  61. data/lib/arachni/element/form.rb +12 -1
  62. data/lib/arachni/element/form/capabilities/mutable.rb +2 -1
  63. data/lib/arachni/element/form/capabilities/with_dom.rb +0 -1
  64. data/lib/arachni/element/form/dom.rb +9 -3
  65. data/lib/arachni/element/header.rb +14 -33
  66. data/lib/arachni/element/header/capabilities/inputtable.rb +29 -0
  67. data/lib/arachni/element/header/capabilities/mutable.rb +51 -0
  68. data/lib/arachni/element/input/dom.rb +71 -0
  69. data/lib/arachni/element/json.rb +2 -0
  70. data/lib/arachni/element/link.rb +3 -0
  71. data/lib/arachni/element/link/capabilities/with_dom.rb +0 -1
  72. data/lib/arachni/element/link/dom.rb +16 -3
  73. data/lib/arachni/element/link/dom/capabilities/submittable.rb +29 -0
  74. data/lib/arachni/element/link_template.rb +3 -5
  75. data/lib/arachni/element/link_template/capabilities/inputtable.rb +5 -0
  76. data/lib/arachni/element/link_template/capabilities/with_dom.rb +0 -1
  77. data/lib/arachni/element/link_template/dom.rb +16 -3
  78. data/lib/arachni/element/link_template/dom/capabilities/submittable.rb +29 -0
  79. data/lib/arachni/element/server.rb +3 -5
  80. data/lib/arachni/element/ui_form.rb +106 -0
  81. data/lib/arachni/element/ui_form/dom.rb +107 -0
  82. data/lib/arachni/element/ui_input.rb +62 -0
  83. data/lib/arachni/element/xml.rb +2 -1
  84. data/lib/arachni/framework.rb +7 -5
  85. data/lib/arachni/framework/parts/audit.rb +0 -1
  86. data/lib/arachni/framework/parts/check.rb +1 -0
  87. data/lib/arachni/framework/parts/data.rb +4 -0
  88. data/lib/arachni/framework/parts/state.rb +0 -2
  89. data/lib/arachni/http/client.rb +17 -6
  90. data/lib/arachni/http/proxy_server.rb +52 -5
  91. data/lib/arachni/http/request.rb +1 -1
  92. data/lib/arachni/issue.rb +34 -179
  93. data/lib/arachni/issue/severity.rb +2 -0
  94. data/lib/arachni/option_groups/audit.rb +22 -2
  95. data/lib/arachni/option_groups/browser_cluster.rb +15 -0
  96. data/lib/arachni/page.rb +3 -2
  97. data/lib/arachni/parser.rb +24 -5
  98. data/lib/arachni/platform/manager.rb +1 -2
  99. data/lib/arachni/rpc/server/framework.rb +3 -4
  100. data/lib/arachni/rpc/server/framework/multi_instance.rb +2 -1
  101. data/lib/arachni/session.rb +1 -1
  102. data/lib/arachni/trainer.rb +4 -7
  103. data/lib/arachni/watir/element.rb +12 -1
  104. data/lib/version +1 -1
  105. data/spec/arachni/browser/element_locator_spec.rb +43 -43
  106. data/spec/arachni/browser/javascript/dom_monitor_spec.rb +44 -44
  107. data/spec/arachni/browser/javascript/proxy/stub_spec.rb +17 -14
  108. data/spec/arachni/browser/javascript/proxy_spec.rb +24 -24
  109. data/spec/arachni/browser/javascript/taint_tracer/frame/called_function_spec.rb +11 -11
  110. data/spec/arachni/browser/javascript/taint_tracer/frame_spec.rb +7 -7
  111. data/spec/arachni/browser/javascript/taint_tracer/sink/data_flow_spec.rb +13 -13
  112. data/spec/arachni/browser/javascript/taint_tracer/sink/execution_flow_spec.rb +7 -7
  113. data/spec/arachni/browser/javascript/taint_tracer_spec.rb +568 -558
  114. data/spec/arachni/browser/javascript_spec.rb +73 -63
  115. data/spec/arachni/browser_cluster/job/result_spec.rb +3 -3
  116. data/spec/arachni/browser_cluster/job_spec.rb +68 -48
  117. data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger/result_spec.rb +2 -2
  118. data/spec/arachni/browser_cluster/jobs/resource_exploration/event_trigger_spec.rb +5 -4
  119. data/spec/arachni/browser_cluster/jobs/resource_exploration/result_spec.rb +2 -2
  120. data/spec/arachni/browser_cluster/jobs/resource_exploration_spec.rb +5 -5
  121. data/spec/arachni/browser_cluster/worker_spec.rb +87 -70
  122. data/spec/arachni/browser_cluster_spec.rb +64 -39
  123. data/spec/arachni/browser_spec.rb +692 -527
  124. data/spec/arachni/check/auditor_spec.rb +177 -147
  125. data/spec/arachni/check/base_spec.rb +33 -33
  126. data/spec/arachni/check/manager_spec.rb +15 -15
  127. data/spec/arachni/component/base_spec.rb +8 -8
  128. data/spec/arachni/component/manager_spec.rb +100 -99
  129. data/spec/arachni/component/options/address_spec.rb +3 -3
  130. data/spec/arachni/component/options/base_spec.rb +7 -7
  131. data/spec/arachni/component/options/bool_spec.rb +9 -9
  132. data/spec/arachni/component/options/float_spec.rb +6 -6
  133. data/spec/arachni/component/options/int_spec.rb +5 -5
  134. data/spec/arachni/component/options/multiple_choice_spec.rb +12 -12
  135. data/spec/arachni/component/options/object_spec.rb +2 -2
  136. data/spec/arachni/component/options/path_spec.rb +3 -3
  137. data/spec/arachni/component/options/port_spec.rb +5 -5
  138. data/spec/arachni/component/options/string_spec.rb +3 -3
  139. data/spec/arachni/component/options/url_spec.rb +4 -4
  140. data/spec/arachni/component/utilities_spec.rb +2 -2
  141. data/spec/arachni/data/framework/rpc_spec.rb +10 -9
  142. data/spec/arachni/data/framework_spec.rb +65 -46
  143. data/spec/arachni/data/issues_spec.rb +39 -77
  144. data/spec/arachni/data/plugins_spec.rb +11 -11
  145. data/spec/arachni/data/session_spec.rb +6 -6
  146. data/spec/arachni/data_spec.rb +8 -8
  147. data/spec/arachni/element/body_spec.rb +10 -10
  148. data/spec/arachni/element/capabilities/analyzable/differential_spec.rb +39 -21
  149. data/spec/arachni/element/capabilities/analyzable/{taint_spec.rb → signature_spec.rb} +63 -63
  150. data/spec/arachni/element/capabilities/analyzable/timeout_spec.rb +51 -51
  151. data/spec/arachni/element/capabilities/with_scope/scope_spec.rb +5 -5
  152. data/spec/arachni/element/cookie/dom_spec.rb +37 -18
  153. data/spec/arachni/element/cookie_spec.rb +206 -139
  154. data/spec/arachni/element/form/dom_spec.rb +36 -19
  155. data/spec/arachni/element/form_spec.rb +210 -187
  156. data/spec/arachni/element/generic_dom_spec.rb +14 -14
  157. data/spec/arachni/element/header_spec.rb +35 -17
  158. data/spec/arachni/element/json_spec.rb +53 -31
  159. data/spec/arachni/element/link/dom_spec.rb +46 -28
  160. data/spec/arachni/element/link_spec.rb +58 -40
  161. data/spec/arachni/element/link_template/dom_spec.rb +47 -29
  162. data/spec/arachni/element/link_template_spec.rb +79 -61
  163. data/spec/arachni/element/path_spec.rb +1 -1
  164. data/spec/arachni/element/server_spec.rb +33 -32
  165. data/spec/arachni/element/ui_form/ui_form_dom_spec.rb +164 -0
  166. data/spec/arachni/element/ui_form_spec.rb +242 -0
  167. data/spec/arachni/element/ui_input/dom_spec.rb +157 -0
  168. data/spec/arachni/element/ui_input_spec.rb +136 -0
  169. data/spec/arachni/element/xml_spec.rb +42 -24
  170. data/spec/arachni/element_filter_spec.rb +49 -48
  171. data/spec/arachni/error_spec.rb +3 -3
  172. data/spec/arachni/framework/parts/audit_spec.rb +64 -63
  173. data/spec/arachni/framework/parts/browser_spec.rb +16 -16
  174. data/spec/arachni/framework/parts/check_spec.rb +3 -3
  175. data/spec/arachni/framework/parts/data_spec.rb +48 -48
  176. data/spec/arachni/framework/parts/platform_spec.rb +3 -3
  177. data/spec/arachni/framework/parts/plugin_spec.rb +7 -6
  178. data/spec/arachni/framework/parts/report_spec.rb +7 -7
  179. data/spec/arachni/framework/parts/scope_spec.rb +16 -16
  180. data/spec/arachni/framework/parts/state_spec.rb +68 -69
  181. data/spec/arachni/framework_spec.rb +39 -31
  182. data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +32 -32
  183. data/spec/arachni/http/client_spec.rb +219 -208
  184. data/spec/arachni/http/cookie_jar_spec.rb +72 -72
  185. data/spec/arachni/http/headers_spec.rb +14 -14
  186. data/spec/arachni/http/proxy_server_spec.rb +43 -42
  187. data/spec/arachni/http/request_spec.rb +105 -103
  188. data/spec/arachni/http/response/scope_spec.rb +24 -24
  189. data/spec/arachni/http/response_spec.rb +50 -49
  190. data/spec/arachni/issue/severity_spec.rb +10 -9
  191. data/spec/arachni/issue_spec.rb +71 -369
  192. data/spec/arachni/option_groups/audit_spec.rb +114 -114
  193. data/spec/arachni/option_groups/browser_cluster_spec.rb +20 -3
  194. data/spec/arachni/option_groups/datastore_spec.rb +6 -6
  195. data/spec/arachni/option_groups/dispatcher_spec.rb +19 -19
  196. data/spec/arachni/option_groups/http_spec.rb +11 -11
  197. data/spec/arachni/option_groups/input_spec.rb +31 -27
  198. data/spec/arachni/option_groups/output_spec.rb +2 -2
  199. data/spec/arachni/option_groups/paths_spec.rb +17 -17
  200. data/spec/arachni/option_groups/rpc_spec.rb +2 -2
  201. data/spec/arachni/option_groups/scope_spec.rb +40 -40
  202. data/spec/arachni/option_groups/session_spec.rb +6 -5
  203. data/spec/arachni/option_groups/snapshot_spec.rb +4 -4
  204. data/spec/arachni/options_spec.rb +46 -45
  205. data/spec/arachni/page/dom/transition_spec.rb +74 -72
  206. data/spec/arachni/page/dom_spec.rb +35 -35
  207. data/spec/arachni/page/scope_spec.rb +15 -15
  208. data/spec/arachni/page_spec.rb +217 -217
  209. data/spec/arachni/parser_spec.rb +106 -104
  210. data/spec/arachni/platform/fingerprinter_spec.rb +17 -14
  211. data/spec/arachni/platform/list_spec.rb +33 -33
  212. data/spec/arachni/platform/manager_spec.rb +67 -64
  213. data/spec/arachni/plugin/base_spec.rb +10 -10
  214. data/spec/arachni/plugin/manager_spec.rb +38 -37
  215. data/spec/arachni/report_spec.rb +43 -40
  216. data/spec/arachni/reporter/base_spec.rb +15 -15
  217. data/spec/arachni/reporter/manager_spec.rb +4 -4
  218. data/spec/arachni/reporter/options_spec.rb +6 -6
  219. data/spec/arachni/rpc/client/base_spec.rb +6 -6
  220. data/spec/arachni/rpc/client/dispatcher_spec.rb +2 -2
  221. data/spec/arachni/rpc/client/instance_spec.rb +6 -6
  222. data/spec/arachni/rpc/server/active_options_spec.rb +11 -8
  223. data/spec/arachni/rpc/server/base_spec.rb +5 -5
  224. data/spec/arachni/rpc/server/checks/manager_spec.rb +8 -8
  225. data/spec/arachni/rpc/server/dispatcher/node_spec.rb +37 -37
  226. data/spec/arachni/rpc/server/dispatcher/service_spec.rb +15 -14
  227. data/spec/arachni/rpc/server/dispatcher_spec.rb +36 -35
  228. data/spec/arachni/rpc/server/framework/distributor_spec.rb +36 -36
  229. data/spec/arachni/rpc/server/framework_multi_spec.rb +340 -336
  230. data/spec/arachni/rpc/server/framework_spec.rb +90 -85
  231. data/spec/arachni/rpc/server/instance_spec.rb +126 -107
  232. data/spec/arachni/rpc/server/output_spec.rb +1 -1
  233. data/spec/arachni/rpc/server/plugin/manager_spec.rb +6 -6
  234. data/spec/arachni/ruby/array_spec.rb +42 -42
  235. data/spec/arachni/ruby/hash_spec.rb +20 -18
  236. data/spec/arachni/ruby/io_spec.rb +2 -2
  237. data/spec/arachni/ruby/object_spec.rb +1 -1
  238. data/spec/arachni/ruby/set_spec.rb +3 -3
  239. data/spec/arachni/ruby/string_spec.rb +30 -30
  240. data/spec/arachni/ruby/webrick_spec.rb +2 -2
  241. data/spec/arachni/scope_spec.rb +1 -1
  242. data/spec/arachni/session_spec.rb +67 -64
  243. data/spec/arachni/snapshot_spec.rb +15 -15
  244. data/spec/arachni/state/audit_spec.rb +11 -11
  245. data/spec/arachni/state/element_filter_spec.rb +6 -6
  246. data/spec/arachni/state/framework/rpc_spec.rb +12 -12
  247. data/spec/arachni/state/framework_spec.rb +125 -121
  248. data/spec/arachni/state/http_spec.rb +7 -7
  249. data/spec/arachni/state/options_spec.rb +7 -7
  250. data/spec/arachni/state/plugins_spec.rb +8 -8
  251. data/spec/arachni/state_spec.rb +10 -10
  252. data/spec/arachni/support/buffer/autoflush_spec.rb +16 -16
  253. data/spec/arachni/support/buffer/base_spec.rb +39 -39
  254. data/spec/arachni/support/cache/least_cost_replacement_spec.rb +18 -18
  255. data/spec/arachni/support/cache/least_recently_pushed_spec.rb +24 -24
  256. data/spec/arachni/support/cache/least_recently_used_spec.rb +20 -20
  257. data/spec/arachni/support/cache/preference_spec.rb +4 -4
  258. data/spec/arachni/support/cache/random_replacement_spec.rb +8 -8
  259. data/spec/arachni/support/crypto/rsa_aes_cbc_spec.rb +1 -1
  260. data/spec/arachni/support/database/hash_spec.rb +44 -43
  261. data/spec/arachni/support/database/queue_spec.rb +27 -27
  262. data/spec/arachni/support/lookup/hash_set_spec.rb +8 -8
  263. data/spec/arachni/support/lookup/moolb_spec.rb +3 -3
  264. data/spec/arachni/support/mixins/observable_spec.rb +6 -6
  265. data/spec/arachni/support/signature_spec.rb +19 -19
  266. data/spec/arachni/trainer_spec.rb +39 -39
  267. data/spec/arachni/typhoeus/hydra_spec.rb +2 -2
  268. data/spec/arachni/uri/scope_spec.rb +66 -66
  269. data/spec/arachni/uri_spec.rb +107 -105
  270. data/spec/arachni/utilities_spec.rb +40 -40
  271. data/spec/components/checks/active/csrf_spec.rb +8 -8
  272. data/spec/components/checks/active/no_sql_injection_spec.rb +1 -1
  273. data/spec/components/checks/active/sql_injection_spec.rb +16 -16
  274. data/spec/components/checks/active/trainer_spec.rb +4 -4
  275. data/spec/components/checks/active/unvalidated_redirect_dom_spec.rb +4 -2
  276. data/spec/components/checks/active/xpath_injection_spec.rb +1 -1
  277. data/spec/components/checks/active/xss_dom_script_context_spec.rb +51 -21
  278. data/spec/components/checks/active/xss_dom_spec.rb +46 -24
  279. data/spec/components/checks/passive/allowed_methods_spec.rb +1 -1
  280. data/spec/components/checks/passive/grep/cookie_set_for_parent_domain_spec.rb +1 -1
  281. data/spec/components/checks/passive/grep/hsts_spec.rb +2 -2
  282. data/spec/components/checks/passive/grep/http_only_cookies_spec.rb +1 -1
  283. data/spec/components/checks/passive/grep/insecure_cookies_spec.rb +1 -1
  284. data/spec/components/checks/passive/grep/insecure_cors_policy_spec.rb +2 -2
  285. data/spec/components/checks/passive/grep/password_autocomplete_spec.rb +1 -1
  286. data/spec/components/checks/passive/grep/private_ip_spec.rb +3 -3
  287. data/spec/components/checks/passive/grep/unencrypted_password_forms_spec.rb +1 -1
  288. data/spec/components/checks/passive/grep/x_frame_options_spec.rb +2 -2
  289. data/spec/components/checks/passive/interesting_responses_spec.rb +2 -2
  290. data/spec/components/checks/passive/webdav_spec.rb +1 -1
  291. data/spec/components/checks/passive/xst_spec.rb +1 -1
  292. data/spec/components/fingerprinters/servers/apache_spec.rb +2 -2
  293. data/spec/components/path_extractors/comments_spec.rb +5 -1
  294. data/spec/components/path_extractors/scripts_spec.rb +5 -2
  295. data/spec/components/plugins/autologin_spec.rb +22 -22
  296. data/spec/components/plugins/autothrottle_spec.rb +6 -5
  297. data/spec/components/plugins/content_types_spec.rb +4 -4
  298. data/spec/components/plugins/cookie_collector_spec.rb +5 -5
  299. data/spec/components/plugins/exec_spec.rb +12 -12
  300. data/spec/components/plugins/form_dicattack_spec.rb +3 -3
  301. data/spec/components/plugins/headers_collector_spec.rb +8 -8
  302. data/spec/components/plugins/healthmap_spec.rb +3 -3
  303. data/spec/components/plugins/http_dicattack_spec.rb +3 -3
  304. data/spec/components/plugins/login_script_spec.rb +79 -22
  305. data/spec/components/plugins/meta/remedies/discovery_spec.rb +3 -2
  306. data/spec/components/plugins/meta/remedies/timing_attacks_spec.rb +3 -3
  307. data/spec/components/plugins/meta/uniformity_spec.rb +2 -2
  308. data/spec/components/plugins/restrict_to_dom_state_spec.rb +1 -1
  309. data/spec/components/plugins/script_spec.rb +1 -1
  310. data/spec/components/plugins/uncommon_headers_spec.rb +2 -2
  311. data/spec/components/plugins/vector_collector_spec.rb +2 -2
  312. data/spec/components/plugins/vector_feed_spec.rb +40 -40
  313. data/spec/components/plugins/waf_detector_spec.rb +6 -6
  314. data/spec/components/reporters/json_spec.rb +4 -4
  315. data/spec/components/reporters/marshal_spec.rb +2 -2
  316. data/spec/components/reporters/yaml_spec.rb +3 -2
  317. data/spec/external/wavsep/active/sqli_spec.rb +1 -3
  318. data/spec/spec_helper.rb +4 -0
  319. data/spec/support/factories/element/ui_form.rb +14 -0
  320. data/spec/support/factories/element/ui_input.rb +13 -0
  321. data/spec/support/factories/issue.rb +0 -13
  322. data/spec/support/fixtures/report.afr +0 -0
  323. data/spec/support/fixtures/{taint_check/taint.rb → signature_check/signature.rb} +2 -2
  324. data/spec/support/helpers/browser_cluster/jobs/taint_tracer.rb +11 -11
  325. data/spec/support/helpers/framework.rb +1 -1
  326. data/spec/support/helpers/pages.rb +2 -2
  327. data/spec/support/servers/arachni/browser.rb +139 -0
  328. data/spec/support/servers/arachni/browser/javascript/taint_tracer.rb +40 -0
  329. data/spec/support/servers/arachni/element/capabilities/analyzable/{taint.rb → signature.rb} +0 -0
  330. data/spec/support/servers/arachni/element/input/input_dom.rb +102 -0
  331. data/spec/support/servers/arachni/element/ui_form/ui_form_dom.rb +238 -0
  332. data/spec/support/servers/checks/active/trainer_check.rb +7 -7
  333. data/spec/support/servers/checks/active/unvalidated_redirect_dom.rb +22 -6
  334. data/spec/support/servers/checks/active/xss_dom.rb +50 -0
  335. data/spec/support/servers/checks/active/xss_dom_script_context.rb +53 -0
  336. data/spec/support/shared/browser/javascript/taint_tracer/sink/base.rb +6 -6
  337. data/spec/support/shared/check.rb +10 -12
  338. data/spec/support/shared/component/options/base.rb +24 -24
  339. data/spec/support/shared/element/base.rb +25 -25
  340. data/spec/support/shared/element/capabilities/auditable.rb +116 -140
  341. data/spec/support/shared/element/capabilities/dom_only.rb +65 -0
  342. data/spec/support/shared/element/capabilities/inputtable.rb +71 -86
  343. data/spec/support/shared/element/capabilities/mutable.rb +122 -111
  344. data/spec/support/shared/element/capabilities/refreshable.rb +10 -10
  345. data/spec/support/shared/element/capabilities/{submitable.rb → submittable.rb} +26 -26
  346. data/spec/support/shared/element/capabilities/with_auditor.rb +10 -10
  347. data/spec/support/shared/element/capabilities/with_dom.rb +8 -8
  348. data/spec/support/shared/element/capabilities/with_node.rb +4 -6
  349. data/spec/support/shared/element/capabilities/with_scope.rb +2 -2
  350. data/spec/support/shared/element/capabilities/with_source.rb +6 -8
  351. data/spec/support/shared/element/dom.rb +144 -0
  352. data/spec/support/shared/element/dom/auditable.rb +42 -0
  353. data/spec/support/shared/element/dom/inputtable.rb +5 -0
  354. data/spec/support/shared/element/dom/mutable.rb +3 -0
  355. data/spec/support/shared/element/dom/submittable.rb +119 -0
  356. data/spec/support/shared/external/wavsep.rb +3 -3
  357. data/spec/support/shared/fingerprinter.rb +2 -2
  358. data/spec/support/shared/framework.rb +1 -1
  359. data/spec/support/shared/http/message.rb +9 -9
  360. data/spec/support/shared/option_group.rb +17 -17
  361. data/spec/support/shared/path_extractor.rb +1 -1
  362. data/spec/support/shared/plugin.rb +2 -2
  363. data/spec/support/shared/support/cache.rb +57 -57
  364. data/spec/support/shared/support/lookup.rb +25 -25
  365. data/ui/cli/framework.rb +22 -11
  366. data/ui/cli/framework/option_parser.rb +15 -0
  367. data/ui/cli/option_parser.rb +8 -1
  368. data/ui/cli/output.rb +2 -1
  369. metadata +54 -20
  370. data/components/checks/active/xss_dom_inputs.rb +0 -236
  371. data/spec/components/checks/active/xss_dom_inputs_spec.rb +0 -30
  372. data/spec/support/servers/checks/active/xss_dom_inputs.rb +0 -59
  373. data/spec/support/shared/element/capabilities/auditable/dom.rb +0 -322
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: d17c2d7494c0ec0cbaf825b7f55ce71a90fb48ba
4
- data.tar.gz: 3343cc7e23ed519a1b5e7e059aa3e88cf777ba32
3
+ metadata.gz: 706f2003d1263e3894635514152f7b16aaea736d
4
+ data.tar.gz: 8947b852c5714245f173921d794b0babcae004e2
5
5
  SHA512:
6
- metadata.gz: 697804e1e14595b202beada64a5b2b0296d33fb4b61714091084c4d2ef813af467470a31bb04f571aed438c18b4f1cef8c91ea1bf299f46580556372108ae1bc
7
- data.tar.gz: 245fd98a16d683a668eddf41deb0783de006679352308b2c4e268a48a5f2bcfdd159431624a80d3d82f46633bcc4cf0d4ad2971afaff42a942a35d4939f608a4
6
+ metadata.gz: 6a7e3b6201d61176c12fbf3da6b18f66e14af3110e851fa2f127a6cfa69c2688eb68b20f0b075b904a16eb6547a6eaf1e0641997448f2b1ad81a8d0aad8c174c
7
+ data.tar.gz: 23e26d260d0dab562d0691ca11f92bd652c7d212d7a864d3346d12f3c8e66df491d4e08ff2397e12779dc26a27f8affe2adcae7b8c011568749e61dca488ea3c
data/CHANGELOG.md CHANGED
@@ -1,5 +1,71 @@
1
1
  # ChangeLog
2
2
 
3
+ ## 1.3 _(October 01, 2015)_
4
+
5
+ - `UI`
6
+ - `CLI`
7
+ - Options
8
+ - `--browser-cluster-local-storage` -- Sets `localStorage` data from JSON file.
9
+ - `Issue`
10
+ - `#variations` -- Removed, all issues now include full data.
11
+ - `#unique_id`, `#digest` -- In cases of passive issues, the associated
12
+ `#proof` is now taken into consideration.
13
+ - `Data`
14
+ - `Framework`
15
+ - `#update_sitemap` -- Don't push URLs that include the
16
+ `Utilities.random_seed` to the sitemap to keep noise down.
17
+ - `Element`
18
+ - `Cookie`
19
+ - `.encode` -- Updated list of reversed characters.
20
+ - `.decode` -- Handle broken encodings.
21
+ - `Form`
22
+ - `.decode` -- Handle broken encodings.
23
+ - `UIForm` -- Audits `<input>` and `<button>` groups which don't belong to
24
+ a `<form>` parent. Also covers cases of `<form>` submissions that occur
25
+ via elements other than a submit button.
26
+ - `UIInput` -- Audits individual `<input>` elements which have associated DOM events.
27
+ - `Capabilities` -- Refactored to allow for easier expansion of DOM capabilities.
28
+ - `Analyzable`
29
+ - `Differential` -- Updated to remove the injected seed from the response
30
+ bodies, echoed payloads can compromise the analysis.
31
+ - `Taint` => `Signature` -- Signature analysis better describes that
32
+ process and the "taint" terminology was overloaded by the browser's
33
+ taint tracing subsystems.
34
+ - `Browser`
35
+ - Use the faster, native `#click` event on `Watir` elements, instead of `fire_event`.
36
+ - Sets `localStorage` data from `Arachni::OptionGroups::BrowserCluster#local_storage`.
37
+ - `Javascript`
38
+ - `TaintTracer`
39
+ - Updated sanitization of traced `Event` arguments to extract only
40
+ certain properties instead of iterating through the whole object.
41
+ - Limited the depth of the recursive taint search in argument objects.
42
+ - `Components`
43
+ - Path extractors
44
+ - `comments`
45
+ - Small cleanup in acceptable paths.
46
+ - `script`
47
+ - Updated to not get fooled by comment strings (`/*Comment`, `//Comment`).
48
+ - Updated to require absolute paths to avoid processing junk.
49
+ - Reporters -- All reporters have been updated to remove `Issue#variations`.
50
+ - `xml` -- Updated schema to include the new `Element::UIForm::DOM` and
51
+ `Element::Input::DOM` elements.
52
+ - Plugins
53
+ - `proxy` -- Fixed bug causing the plugin to hang after proxy server shutdown.
54
+ - `login_script`
55
+ - Wait for the page to settle when using a JS login script.
56
+ - Catch script syntax errors.
57
+ - Checks
58
+ - Active
59
+ - Removed
60
+ `xss_dom_inputs` -- No longer necessary, covered by new DOM
61
+ element abstractions and `xss_dom`.
62
+ - `unvalidated_redirect` -- Updated to use `Utilities.random_seed`
63
+ in the injected URL.
64
+ - `unvalidated_redirect_dom` -- Updated to use `Utilities.random_seed`
65
+ in the injected URL.
66
+ - Passive -- Reworked proofs to remove dynamic content which can interfere
67
+ with issue uniqueness or removed proofs altogether when not necessary.
68
+
3
69
  ## 1.2.1 _(July 25, 2015)_
4
70
 
5
71
  - HTTP
data/Gemfile CHANGED
@@ -10,7 +10,7 @@ end
10
10
  group :spec do
11
11
  gem 'simplecov', require: false, group: :test
12
12
 
13
- gem 'rspec', '2.99'
13
+ gem 'rspec'
14
14
  gem 'faker'
15
15
 
16
16
  gem 'puma' if !Gem.win_platform? || RUBY_PLATFORM == 'java'
data/README.md CHANGED
@@ -3,7 +3,7 @@
3
3
  <table>
4
4
  <tr>
5
5
  <th>Version</th>
6
- <td>1.2.1</td>
6
+ <td>1.3</td>
7
7
  </tr>
8
8
  <tr>
9
9
  <th>Homepage</th>
@@ -196,6 +196,8 @@ Configuration options include:
196
196
  - Ability to disable loading images.
197
197
  - Adjustable screen width and height.
198
198
  - Can be used to analyze responsive and mobile applications.
199
+ - Ability to wait until certain elements appear in the page.
200
+ - Configurable local storage data.
199
201
 
200
202
  ### Coverage
201
203
 
@@ -211,7 +213,12 @@ By inspecting all possible pages and their states (when using client-side code)
211
213
  Arachni is able to extract and audit the following elements and their inputs:
212
214
 
213
215
  - Forms
214
- - Along with ones that require interaction with a real browser due to DOM events.
216
+ - Along with ones that require interaction via a real browser due to DOM events.
217
+ - User-interface Forms
218
+ - Input and button groups which don't belong to an HTML `<form>` element but
219
+ are instead associated via JS code.
220
+ - User-interface Inputs
221
+ - Orphan `<input>` elements with associated DOM events.
215
222
  - Links
216
223
  - Along with ones that have client-side parameters in their fragment, i.e.:
217
224
  `http://example.com/#/?param=val&param2=val2`
@@ -222,7 +229,7 @@ Arachni is able to extract and audit the following elements and their inputs:
222
229
  `http://example.com/#/param/val/param2/val2`
223
230
  - Cookies
224
231
  - Headers
225
- - Generic client-side elements like `input`s which have associated DOM events.
232
+ - Generic client-side elements which have associated DOM events.
226
233
  - AJAX-request parameters.
227
234
  - JSON request data.
228
235
  - XML request data.
@@ -278,6 +285,11 @@ Arachni is able to extract and audit the following elements and their inputs:
278
285
  - Forms
279
286
  - Can automatically refresh nonce tokens.
280
287
  - Can submit them via the integrated browser environment.
288
+ - User-interface Forms
289
+ - Input and button groups which don't belong to an HTML `<form>` element
290
+ but are instead associated via JS code.
291
+ - User-interface Inputs
292
+ - Orphan `<input>` elements with associated DOM events.
281
293
  - Links
282
294
  - Can load them via the integrated browser environment.
283
295
  - LinkTemplates
@@ -285,7 +297,7 @@ Arachni is able to extract and audit the following elements and their inputs:
285
297
  - Cookies
286
298
  - Can load them via the integrated browser environment.
287
299
  - Headers
288
- - Generic client-side DOM elements like `input`s.
300
+ - Generic client-side DOM elements.
289
301
  - JSON request data.
290
302
  - XML request data.
291
303
  - Can ignore binary/non-text pages.
@@ -433,7 +445,6 @@ Active checks engage the web application via its inputs.
433
445
  - XSS in HTML tags (`xss_tag`).
434
446
  - XSS in script context (`xss_script_context`).
435
447
  - DOM XSS (`xss_dom`).
436
- - DOM XSS inputs (`xss_dom_inputs`).
437
448
  - DOM XSS script context (`xss_dom_script_context`).
438
449
  - Source code disclosure (`source_code_disclosure`)
439
450
  - XML External Entity (`xxe`).
data/components/checks/active/ldap_injection/errors.txt CHANGED
@@ -1,5 +1,6 @@
1
1
  supplied argument is not a valid ldap
2
2
  javax.naming.NameNotFoundException
3
+ javax.naming.directory.InvalidSearchFilterException
3
4
  LDAPException
4
5
  com.sun.jndi.ldap
5
6
  Search: Bad search filter
data/components/checks/active/source_code_disclosure.rb CHANGED
@@ -108,7 +108,7 @@ class Arachni::Checks::SourceCodeDisclosure < Arachni::Check::Base
108
108
  return if self.class.payloads.empty?
109
109
 
110
110
  each_candidate_element do |element|
111
- element.taint_analysis( self.class.payloads, self.class.options )
111
+ element.signature_analysis( self.class.payloads, self.class.options )
112
112
  end
113
113
  end
114
114
 
data/components/checks/active/unvalidated_redirect.rb CHANGED
@@ -12,16 +12,16 @@
12
12
  # header field to determine whether the attack was successful.
13
13
  #
14
14
  # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
15
- # @version 0.2.3
16
- #
17
15
  # @see https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
18
16
  class Arachni::Checks::UnvalidatedRedirect < Arachni::Check::Base
19
17
 
18
+ BASE_URL = "www.#{Utilities.random_seed}.com"
19
+
20
20
  def self.payloads
21
21
  @payloads ||= [
22
- 'www.arachni-boogie-woogie.com',
23
- 'https://www.arachni-boogie-woogie.com',
24
- 'http://www.arachni-boogie-woogie.com'
22
+ BASE_URL,
23
+ "https://#{BASE_URL}",
24
+ "http://#{BASE_URL}"
25
25
  ].map { |url| Arachni::URI( url ).to_s }
26
26
  end
27
27
 
@@ -77,7 +77,7 @@ URL to determine whether the attack was successful.
77
77
  },
78
78
  elements: ELEMENTS_WITH_INPUTS - [Element::LinkTemplate],
79
79
  author: 'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
80
- version: '0.2.3',
80
+ version: '0.2.4',
81
81
 
82
82
  issue: {
83
83
  name: %q{Unvalidated redirect},
data/components/checks/active/unvalidated_redirect_dom.rb CHANGED
@@ -9,16 +9,16 @@
9
9
  # Unvalidated redirect DOM check.
10
10
  #
11
11
  # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
12
- # @version 0.1.1
13
- #
14
12
  # @see https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
15
13
  class Arachni::Checks::UnvalidatedRedirectDOM < Arachni::Check::Base
16
14
 
15
+ BASE_URL = "www.#{Utilities.random_seed}.com"
16
+
17
17
  def self.payloads
18
18
  @payloads ||= [
19
- 'www.arachni-boogie-woogie.com',
20
- 'https://www.arachni-boogie-woogie.com',
21
- 'http://www.arachni-boogie-woogie.com'
19
+ BASE_URL,
20
+ "https://#{BASE_URL}",
21
+ "http://#{BASE_URL}"
22
22
  ].map { |url| Arachni::URI( url ).to_s }
23
23
  end
24
24
 
@@ -54,9 +54,12 @@ class Arachni::Checks::UnvalidatedRedirectDOM < Arachni::Check::Base
54
54
  description: %q{
55
55
  Injects URLs and checks the browser URL to determine whether the attack was successful.
56
56
  },
57
- elements: DOM_ELEMENTS_WITH_INPUTS - [Element::LinkTemplate::DOM],
57
+ elements: DOM_ELEMENTS_WITH_INPUTS - [
58
+ Element::LinkTemplate::DOM,
59
+ Element::UIInput::DOM
60
+ ],
58
61
  author: 'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
59
- version: '0.1.1',
62
+ version: '0.1.2',
60
63
 
61
64
  issue: {
62
65
  name: %q{Unvalidated DOM redirect},
data/components/checks/passive/grep/captcha.rb CHANGED
@@ -7,10 +7,10 @@
7
7
  =end
8
8
 
9
9
  # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
10
- # @version 0.2
10
+ # @version 0.2.1
11
11
  class Arachni::Checks::Captcha < Arachni::Check::Base
12
12
 
13
- CAPTCHA_RX = /captcha/i
13
+ CAPTCHA_RX = /.*captcha.*/i
14
14
 
15
15
  def run
16
16
  return if !page.body =~ CAPTCHA_RX
@@ -18,23 +18,32 @@ class Arachni::Checks::Captcha < Arachni::Check::Base
18
18
  # since we only care about forms parse the HTML and match forms only
19
19
  page.document.css( 'form' ).each do |form|
20
20
  # pretty dumb way to do this but it's a pretty dumb issue anyways...
21
- next if !((form_html = form.to_s) =~ CAPTCHA_RX)
21
+ next if !(proof = find_proof( form ))
22
22
 
23
23
  log(
24
24
  signature: CAPTCHA_RX,
25
- proof: form_html,
25
+ proof: proof,
26
26
  vector: Element::Form.from_document( page.url, form ).first
27
27
  )
28
28
  end
29
29
  end
30
30
 
31
+ def find_proof( node )
32
+ node.css('input').each do |input|
33
+ html = input.to_html
34
+ return html if html =~ CAPTCHA_RX
35
+ end
36
+
37
+ nil
38
+ end
39
+
31
40
  def self.info
32
41
  {
33
42
  name: 'CAPTCHA',
34
43
  description: %q{Greps pages for forms with CAPTCHAs.},
35
44
  elements: [ Element::Form ],
36
45
  author: 'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
37
- version: '0.2',
46
+ version: '0.2.1',
38
47
 
39
48
  issue: {
40
49
  name: %q{CAPTCHA protected form},
data/components/checks/passive/grep/form_upload.rb CHANGED
@@ -10,14 +10,18 @@
10
10
  #
11
11
  # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
12
12
  #
13
- # @version 0.2.1
13
+ # @version 0.2.2
14
14
  class Arachni::Checks::FormUpload < Arachni::Check::Base
15
15
 
16
16
  def run
17
17
  page.forms.each do |form|
18
18
  form.inputs.keys.each do |name|
19
19
  next if form.details_for( name )[:type] != :file
20
- log( proof: form.source, vector: form )
20
+
21
+ log(
22
+ proof: form.node.xpath('input[@type="file"]').to_html,
23
+ vector: form
24
+ )
21
25
  end
22
26
  end
23
27
  end
@@ -28,7 +32,7 @@ class Arachni::Checks::FormUpload < Arachni::Check::Base
28
32
  description: 'Logs upload forms which require manual testing.',
29
33
  elements: [ Element::Form ],
30
34
  author: 'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
31
- version: '0.2.1',
35
+ version: '0.2.2',
32
36
 
33
37
  issue: {
34
38
  name: %q{Form-based File Upload},
data/components/checks/passive/grep/hsts.rb CHANGED
@@ -7,7 +7,7 @@
7
7
  =end
8
8
 
9
9
  # @author Tasos Laskos <tasos.laskos@arachni-scanner.com>
10
- # @version 0.1.1
10
+ # @version 0.1.2
11
11
  class Arachni::Checks::Hsts < Arachni::Check::Base
12
12
 
13
13
  def run
@@ -19,7 +19,7 @@ class Arachni::Checks::Hsts < Arachni::Check::Base
19
19
 
20
20
  log(
21
21
  vector: Element::Server.new( page.url ),
22
- proof: page.response.headers_string
22
+ proof: page.response.status_line
23
23
  )
24
24
  end
25
25
 
@@ -28,7 +28,7 @@ class Arachni::Checks::Hsts < Arachni::Check::Base
28
28
  name: 'HTTP Strict Transport Security',
29
29
  description: %q{Checks HTTPS pages for missing `Strict-Transport-Security` headers.},
30
30
  author: 'Tasos Laskos <tasos.laskos@arachni-scanner.com>',
31
- version: '0.1.1',
31
+ version: '0.1.2',
32
32
  elements: [ Element::Server ],
33
33
 
34
34
  issue: {
data/components/checks/passive/grep/html_objects.rb CHANGED
@@ -9,11 +9,10 @@
9
9
  # Looks for HTML "object" tags.
10
10
  #
11
11
  # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
12
- # @version 0.1.3
13
12
  class Arachni::Checks::HtmlObjects < Arachni::Check::Base
14
13
 
15
14
  def self.regexp
16
- @regexp ||= /<object(?:.*?)>(?:.*?)<\/object>/im
15
+ @regexp ||= /<object.*?>.*?<\/object>/im
17
16
  end
18
17
 
19
18
  def run
@@ -30,7 +29,7 @@ class Arachni::Checks::HtmlObjects < Arachni::Check::Base
30
29
  description: description,
31
30
  elements: [ Element::Body ],
32
31
  author: 'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
33
- version: '0.1.3',
32
+ version: '0.1.4',
34
33
 
35
34
  issue: {
36
35
  name: %q{HTML object},
data/components/checks/passive/grep/http_only_cookies.rb CHANGED
@@ -9,14 +9,13 @@
9
9
  # Logs cookies that are accessible via JavaScript.
10
10
  #
11
11
  # @author Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
12
- # @version 0.1.3
13
12
  class Arachni::Checks::HttpOnlyCookies < Arachni::Check::Base
14
13
 
15
14
  def run
16
15
  page.cookies.each do |cookie|
17
16
  next if cookie.http_only? || audited?( cookie.name )
18
17
 
19
- log( vector: cookie, proof: cookie.source )
18
+ log( vector: cookie )
20
19
  audited( cookie.name )
21
20
  end
22
21
  end
@@ -27,7 +26,7 @@ class Arachni::Checks::HttpOnlyCookies < Arachni::Check::Base
27
26
  description: %q{Logs cookies that are accessible via JavaScript.},
28
27
  elements: [ Element::Cookie ],
29
28
  author: 'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
30
- version: '0.1.3',
29
+ version: '0.1.4',
31
30
 
32
31
  issue: {
33
32
  name: %q{HttpOnly cookie},
data/components/checks/passive/grep/insecure_cookies.rb CHANGED
@@ -15,7 +15,7 @@ class Arachni::Checks::InsecureCookies < Arachni::Check::Base
15
15
  page.cookies.each do |cookie|
16
16
  next if cookie.secure? || audited?( cookie.name )
17
17
 
18
- log( vector: cookie, proof: cookie.source )
18
+ log( vector: cookie )
19
19
  audited( cookie.name )
20
20
  end
21
21
  end
data/components/checks/passive/grep/password_autocomplete.rb CHANGED
@@ -18,7 +18,7 @@ class Arachni::Checks::PasswordAutocomplete < Arachni::Check::Base
18
18
  next if form.simple[:autocomplete] == 'off'
19
19
  next if has_input_with_autocomplete_off? form
20
20
 
21
- log( proof: form.source, vector: form )
21
+ log( vector: form )
22
22
  end
23
23
  end
24
24
 
@@ -36,7 +36,7 @@ class Arachni::Checks::PasswordAutocomplete < Arachni::Check::Base
36
36
  without explicitly disabling auto-complete.},
37
37
  elements: [ Element::Form ],
38
38
  author: 'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
39
- version: '0.3',
39
+ version: '0.3.1',
40
40
 
41
41
  issue: {
42
42
  name: %q{Password field with auto-complete},
data/components/checks/passive/grep/unencrypted_password_forms.rb CHANGED
@@ -23,19 +23,19 @@ class Arachni::Checks::UnencryptedPasswordForms < Arachni::Check::Base
23
23
  return if !check_form?( form )
24
24
 
25
25
  form.inputs.each do |name, v|
26
- next if form.field_type_for( name ) != :password || audited?( form.id )
26
+ next if form.field_type_for( name ) != :password
27
27
 
28
28
  cform = form.dup
29
29
  cform.affected_input_name = name
30
- log( vector: cform, proof: form.source )
31
-
32
- print_ok( "Found unprotected password field '#{name}' at #{page.url}" )
33
- audited form.id
30
+ log( vector: cform )
34
31
  end
32
+
33
+ audited form.id
35
34
  end
36
35
 
37
36
  def check_form?( form )
38
- uri_parse( form.action ).scheme.downcase == 'http'
37
+ uri_parse( form.action ).scheme == 'http' ||
38
+ audited?( form.id ) || !form.requires_password?
39
39
  end
40
40
 
41
41
  def self.info
@@ -45,7 +45,7 @@ class Arachni::Checks::UnencryptedPasswordForms < Arachni::Check::Base
45
45
  over an encrypted channel (HTTPS).},
46
46
  elements: [ Element::Form ],
47
47
  author: 'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com> ',
48
- version: '0.2',
48
+ version: '0.2.1',
49
49
 
50
50
  issue: {
51
51
  name: %q{Unencrypted password form},