RubyGems - arachni - Versions diffs - 1.4 → 1.5 - Mend

arachni 1.4 → 1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (746) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +136 -0
data/Gemfile +3 -1
data/LICENSE.md +1 -1
data/README.md +5 -2
data/Rakefile +1 -1
data/arachni.gemspec +35 -30
data/bin/arachni +1 -1
data/bin/arachni_console +1 -1
data/bin/arachni_multi +6 -1
data/bin/arachni_reporter +1 -1
data/bin/arachni_reproduce +12 -0
data/bin/arachni_rest_server +1 -1
data/bin/arachni_restore +1 -1
data/bin/arachni_rpc +6 -1
data/bin/arachni_rpcd +1 -1
data/bin/arachni_rpcd_monitor +6 -1
data/bin/arachni_script +1 -1
data/components/checks/active/code_injection.rb +1 -1
data/components/checks/active/code_injection_php_input_wrapper.rb +1 -1
data/components/checks/active/code_injection_timing.rb +1 -1
data/components/checks/active/csrf.rb +15 -75
data/components/checks/active/file_inclusion.rb +1 -1
data/components/checks/active/ldap_injection.rb +1 -1
data/components/checks/active/no_sql_injection.rb +1 -1
data/components/checks/active/no_sql_injection_differential.rb +1 -1
data/components/checks/active/os_cmd_injection.rb +1 -1
data/components/checks/active/os_cmd_injection_timing.rb +1 -1
data/components/checks/active/path_traversal.rb +3 -3
data/components/checks/active/response_splitting.rb +1 -1
data/components/checks/active/rfi.rb +1 -1
data/components/checks/active/session_fixation.rb +1 -1
data/components/checks/active/source_code_disclosure.rb +1 -1
data/components/checks/active/sql_injection.rb +1 -1
data/components/checks/active/sql_injection/regexps/hsqldb.yaml +1 -0
data/components/checks/active/sql_injection/substrings/hsqldb +1 -0
data/components/checks/active/sql_injection/substrings/java +4 -0
data/components/checks/active/sql_injection/substrings/oracle +0 -1
data/components/checks/active/sql_injection/substrings/sqlite +1 -0
data/components/checks/active/sql_injection_differential.rb +1 -1
data/components/checks/active/sql_injection_timing.rb +1 -1
data/components/checks/active/trainer.rb +1 -1
data/components/checks/active/unvalidated_redirect.rb +34 -11
data/components/checks/active/unvalidated_redirect_dom.rb +4 -4
data/components/checks/active/xpath_injection.rb +1 -1
data/components/checks/active/xss.rb +52 -27
data/components/checks/active/xss_dom.rb +15 -11
data/components/checks/active/xss_dom_script_context.rb +4 -6
data/components/checks/active/xss_event.rb +45 -33
data/components/checks/active/xss_path.rb +9 -6
data/components/checks/active/xss_script_context.rb +99 -46
data/components/checks/active/xss_tag.rb +39 -14
data/components/checks/active/xxe.rb +1 -1
data/components/checks/passive/allowed_methods.rb +1 -1
data/components/checks/passive/backdoors.rb +1 -1
data/components/checks/passive/backup_directories.rb +15 -3
data/components/checks/passive/backup_files.rb +39 -6
data/components/checks/passive/common_admin_interfaces.rb +1 -1
data/components/checks/passive/common_admin_interfaces/admin-panels.txt +1 -0
data/components/checks/passive/common_directories.rb +1 -1
data/components/checks/passive/common_files.rb +1 -1
data/components/checks/passive/directory_listing.rb +1 -1
data/components/checks/passive/grep/captcha.rb +8 -9
data/components/checks/passive/grep/cookie_set_for_parent_domain.rb +1 -1
data/components/checks/passive/grep/credit_card.rb +1 -1
data/components/checks/passive/grep/cvs_svn_users.rb +1 -1
data/components/checks/passive/grep/emails.rb +1 -1
data/components/checks/passive/grep/form_upload.rb +3 -5
data/components/checks/passive/grep/hsts.rb +1 -1
data/components/checks/passive/grep/html_objects.rb +1 -1
data/components/checks/passive/grep/http_only_cookies.rb +1 -1
data/components/checks/passive/grep/insecure_cookies.rb +5 -5
data/components/checks/passive/grep/insecure_cors_policy.rb +1 -1
data/components/checks/passive/grep/mixed_resource.rb +4 -4
data/components/checks/passive/grep/password_autocomplete.rb +1 -1
data/components/checks/passive/grep/private_ip.rb +1 -1
data/components/checks/passive/grep/ssn.rb +1 -1
data/components/checks/passive/grep/unencrypted_password_forms.rb +3 -3
data/components/checks/passive/grep/x_frame_options.rb +1 -1
data/components/checks/passive/htaccess_limit.rb +1 -1
data/components/checks/passive/http_put.rb +1 -1
data/components/checks/passive/insecure_client_access_policy.rb +2 -2
data/components/checks/passive/insecure_cross_domain_policy_access.rb +2 -2
data/components/checks/passive/insecure_cross_domain_policy_headers.rb +2 -2
data/components/checks/passive/interesting_responses.rb +1 -1
data/components/checks/passive/localstart_asp.rb +1 -1
data/components/checks/passive/origin_spoof_access_restriction_bypass.rb +1 -1
data/components/checks/passive/webdav.rb +1 -1
data/components/checks/passive/xst.rb +10 -12
data/components/fingerprinters/frameworks/aspx_mvc.rb +1 -1
data/components/fingerprinters/frameworks/cakephp.rb +1 -1
data/components/fingerprinters/frameworks/cherrypy.rb +1 -1
data/components/fingerprinters/frameworks/django.rb +1 -1
data/components/fingerprinters/frameworks/jsf.rb +1 -1
data/components/fingerprinters/frameworks/nette.rb +1 -1
data/components/fingerprinters/frameworks/rack.rb +1 -1
data/components/fingerprinters/frameworks/rails.rb +1 -1
data/components/fingerprinters/frameworks/symfony.rb +1 -1
data/components/fingerprinters/languages/asp.rb +1 -1
data/components/fingerprinters/languages/aspx.rb +1 -1
data/components/fingerprinters/languages/java.rb +1 -1
data/components/fingerprinters/languages/php.rb +1 -1
data/components/fingerprinters/languages/python.rb +1 -1
data/components/fingerprinters/languages/ruby.rb +1 -1
data/components/fingerprinters/os/bsd.rb +1 -1
data/components/fingerprinters/os/linux.rb +1 -1
data/components/fingerprinters/os/solaris.rb +1 -1
data/components/fingerprinters/os/unix.rb +1 -1
data/components/fingerprinters/os/windows.rb +1 -1
data/components/fingerprinters/servers/apache.rb +1 -1
data/components/fingerprinters/servers/gunicorn.rb +1 -1
data/components/fingerprinters/servers/iis.rb +1 -1
data/components/fingerprinters/servers/jetty.rb +1 -1
data/components/fingerprinters/servers/nginx.rb +1 -1
data/components/fingerprinters/servers/tomcat.rb +1 -1
data/components/path_extractors/anchors.rb +3 -5
data/components/path_extractors/areas.rb +3 -4
data/components/path_extractors/comments.rb +4 -5
data/components/path_extractors/data_url.rb +4 -5
data/components/path_extractors/forms.rb +3 -4
data/components/path_extractors/frames.rb +3 -5
data/components/path_extractors/generic.rb +3 -1
data/components/path_extractors/links.rb +3 -4
data/components/path_extractors/meta_refresh.rb +11 -17
data/components/path_extractors/scripts.rb +18 -15
data/components/plugins/autologin.rb +3 -2
data/components/plugins/beep_notify.rb +1 -1
data/components/plugins/content_types.rb +1 -1
data/components/plugins/cookie_collector.rb +1 -1
data/components/plugins/debug/browser_cluster_job_monitor.rb +60 -0
data/components/plugins/defaults/autothrottle.rb +1 -1
data/components/plugins/defaults/healthmap.rb +3 -1
data/components/plugins/defaults/meta/remedies/discovery.rb +1 -1
data/components/plugins/defaults/meta/remedies/timing_attacks.rb +1 -1
data/components/plugins/defaults/meta/uniformity.rb +1 -1
data/components/plugins/email_notify.rb +26 -9
data/components/plugins/exec.rb +1 -1
data/components/plugins/form_dicattack.rb +3 -4
data/components/plugins/headers_collector.rb +1 -1
data/components/plugins/http_dicattack.rb +4 -5
data/components/plugins/login_script.rb +2 -2
data/components/plugins/metrics.rb +41 -15
data/components/plugins/page_dump.rb +60 -0
data/components/plugins/proxy.rb +42 -30
data/components/plugins/proxy/template_scope.rb +6 -1
data/components/plugins/rate_limiter.rb +80 -0
data/components/plugins/restrict_to_dom_state.rb +1 -1
data/components/plugins/script.rb +1 -1
data/components/plugins/uncommon_headers.rb +1 -1
data/components/plugins/vector_collector.rb +1 -1
data/components/plugins/vector_feed.rb +1 -1
data/components/plugins/waf_detector.rb +3 -3
data/components/plugins/webhook_notify.rb +99 -0
data/components/reporters/ap.rb +1 -1
data/components/reporters/html.rb +2 -3
data/components/reporters/html/default.erb +1 -2
data/components/reporters/html/default/configuration.erb +2 -0
data/components/reporters/json.rb +1 -1
data/components/reporters/marshal.rb +1 -1
data/components/reporters/plugin_formatters/html/autologin.rb +1 -1
data/components/reporters/plugin_formatters/html/content_types.rb +1 -1
data/components/reporters/plugin_formatters/html/cookie_collector.rb +1 -1
data/components/reporters/plugin_formatters/html/exec.rb +1 -1
data/components/reporters/plugin_formatters/html/form_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/html/healthmap.rb +1 -1
data/components/reporters/plugin_formatters/html/http_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/html/login_script.rb +1 -1
data/components/reporters/plugin_formatters/html/metrics.rb +46 -1
data/components/reporters/plugin_formatters/html/uncommon_headers.rb +1 -1
data/components/reporters/plugin_formatters/html/uniformity.rb +1 -1
data/components/reporters/plugin_formatters/html/vector_collector.rb +1 -1
data/components/reporters/plugin_formatters/html/waf_detector.rb +1 -1
data/components/reporters/plugin_formatters/stdout/autologin.rb +1 -1
data/components/reporters/plugin_formatters/stdout/content_types.rb +1 -1
data/components/reporters/plugin_formatters/stdout/cookie_collector.rb +1 -1
data/components/reporters/plugin_formatters/stdout/exec.rb +1 -1
data/components/reporters/plugin_formatters/stdout/form_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/stdout/healthmap.rb +1 -1
data/components/reporters/plugin_formatters/stdout/http_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/stdout/login_script.rb +1 -1
data/components/reporters/plugin_formatters/stdout/metrics.rb +11 -1
data/components/reporters/plugin_formatters/stdout/uncommon_headers.rb +1 -1
data/components/reporters/plugin_formatters/stdout/uniformity.rb +1 -1
data/components/reporters/plugin_formatters/stdout/vector_collector.rb +1 -1
data/components/reporters/plugin_formatters/stdout/waf_detector.rb +1 -1
data/components/reporters/plugin_formatters/xml/autologin.rb +1 -1
data/components/reporters/plugin_formatters/xml/content_types.rb +10 -7
data/components/reporters/plugin_formatters/xml/cookie_collector.rb +6 -3
data/components/reporters/plugin_formatters/xml/exec.rb +1 -1
data/components/reporters/plugin_formatters/xml/form_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/xml/healthmap.rb +1 -1
data/components/reporters/plugin_formatters/xml/http_dicattack.rb +1 -1
data/components/reporters/plugin_formatters/xml/login_script.rb +1 -1
data/components/reporters/plugin_formatters/xml/metrics.rb +1 -1
data/components/reporters/plugin_formatters/xml/uncommon_headers.rb +5 -2
data/components/reporters/plugin_formatters/xml/uniformity.rb +1 -1
data/components/reporters/plugin_formatters/xml/vector_collector.rb +8 -5
data/components/reporters/plugin_formatters/xml/waf_detector.rb +1 -1
data/components/reporters/stdout.rb +3 -2
data/components/reporters/txt.rb +1 -1
data/components/reporters/xml.rb +39 -22
data/components/reporters/xml/schema.xsd +28 -13
data/components/reporters/yaml.rb +1 -1
data/lib/arachni.rb +1 -1
data/lib/arachni/banner.rb +1 -1
data/lib/arachni/browser.rb +242 -231
data/lib/arachni/browser/element_locator.rb +9 -5
data/lib/arachni/browser/javascript.rb +103 -168
data/lib/arachni/browser/javascript/dom_monitor.rb +1 -1
data/lib/arachni/browser/javascript/proxy.rb +1 -1
data/lib/arachni/browser/javascript/proxy/stub.rb +1 -1
data/lib/arachni/browser/javascript/scripts/dom_monitor.js +295 -51
data/lib/arachni/browser/javascript/scripts/polyfills.js +0 -28
data/lib/arachni/browser/javascript/scripts/taint_tracer.js +46 -8
data/lib/arachni/browser/javascript/taint_tracer.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/frame.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/frame/called_function.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/sink/base.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/sink/data_flow.rb +1 -1
data/lib/arachni/browser/javascript/taint_tracer/sink/execution_flow.rb +1 -1
data/lib/arachni/browser_cluster.rb +78 -60
data/lib/arachni/browser_cluster/job.rb +9 -2
data/lib/arachni/browser_cluster/job/result.rb +1 -1
data/lib/arachni/browser_cluster/jobs/browser_provider.rb +8 -2
data/lib/arachni/browser_cluster/jobs/dom_exploration.rb +13 -1
data/lib/arachni/browser_cluster/jobs/dom_exploration/event_trigger.rb +1 -1
data/lib/arachni/browser_cluster/jobs/dom_exploration/event_trigger/result.rb +1 -1
data/lib/arachni/browser_cluster/jobs/dom_exploration/result.rb +1 -1
data/lib/arachni/browser_cluster/jobs/taint_trace.rb +1 -1
data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger.rb +1 -1
data/lib/arachni/browser_cluster/jobs/taint_trace/event_trigger/result.rb +1 -1
data/lib/arachni/browser_cluster/jobs/taint_trace/result.rb +1 -1
data/lib/arachni/browser_cluster/worker.rb +109 -84
data/lib/arachni/check.rb +1 -1
data/lib/arachni/check/auditor.rb +137 -93
data/lib/arachni/check/base.rb +1 -1
data/lib/arachni/check/manager.rb +1 -1
data/lib/arachni/component.rb +1 -1
data/lib/arachni/component/base.rb +3 -1
data/lib/arachni/component/manager.rb +1 -1
data/lib/arachni/component/options.rb +1 -1
data/lib/arachni/component/options/address.rb +1 -1
data/lib/arachni/component/options/base.rb +1 -1
data/lib/arachni/component/options/bool.rb +1 -1
data/lib/arachni/component/options/float.rb +1 -1
data/lib/arachni/component/options/int.rb +1 -1
data/lib/arachni/component/options/multiple_choice.rb +1 -1
data/lib/arachni/component/options/object.rb +1 -1
data/lib/arachni/component/options/path.rb +1 -1
data/lib/arachni/component/options/port.rb +1 -1
data/lib/arachni/component/options/string.rb +1 -1
data/lib/arachni/component/options/url.rb +1 -1
data/lib/arachni/component/output.rb +8 -2
data/lib/arachni/component/utilities.rb +1 -1
data/lib/arachni/data.rb +1 -1
data/lib/arachni/data/framework.rb +2 -1
data/lib/arachni/data/framework/rpc.rb +1 -1
data/lib/arachni/data/issues.rb +1 -1
data/lib/arachni/data/plugins.rb +1 -1
data/lib/arachni/data/session.rb +1 -1
data/lib/arachni/element/base.rb +1 -1
data/lib/arachni/element/body.rb +1 -1
data/lib/arachni/element/capabilities/analyzable.rb +1 -1
data/lib/arachni/element/capabilities/analyzable/differential.rb +142 -175
data/lib/arachni/element/capabilities/analyzable/signature.rb +39 -17
data/lib/arachni/element/capabilities/analyzable/timeout.rb +1 -1
data/lib/arachni/element/capabilities/auditable.rb +2 -8
data/lib/arachni/element/capabilities/auditable/buffered.rb +92 -0
data/lib/arachni/element/capabilities/auditable/line_buffered.rb +103 -0
data/lib/arachni/element/capabilities/dom_only.rb +1 -1
data/lib/arachni/element/capabilities/inputtable.rb +6 -2
data/lib/arachni/element/capabilities/mutable.rb +1 -1
data/lib/arachni/element/capabilities/refreshable.rb +1 -1
data/lib/arachni/element/capabilities/submittable.rb +1 -1
data/lib/arachni/element/capabilities/with_auditor.rb +1 -1
data/lib/arachni/element/capabilities/with_auditor/output.rb +4 -3
data/lib/arachni/element/capabilities/with_dom.rb +1 -1
data/lib/arachni/element/capabilities/with_node.rb +3 -3
data/lib/arachni/element/capabilities/with_scope.rb +1 -1
data/lib/arachni/element/capabilities/with_scope/scope.rb +1 -1
data/lib/arachni/element/capabilities/with_source.rb +2 -2
data/lib/arachni/element/cookie.rb +49 -24
data/lib/arachni/element/cookie/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/cookie/capabilities/mutable.rb +1 -1
data/lib/arachni/element/cookie/capabilities/with_dom.rb +1 -1
data/lib/arachni/element/cookie/dom.rb +1 -1
data/lib/arachni/element/dom.rb +1 -1
data/lib/arachni/element/dom/capabilities/auditable.rb +44 -3
data/lib/arachni/element/dom/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/dom/capabilities/locatable.rb +1 -1
data/lib/arachni/element/dom/capabilities/mutable.rb +7 -3
data/lib/arachni/element/dom/capabilities/submittable.rb +51 -22
data/lib/arachni/element/form.rb +21 -32
data/lib/arachni/element/form/capabilities/auditable.rb +1 -1
data/lib/arachni/element/form/capabilities/mutable.rb +16 -11
data/lib/arachni/element/form/capabilities/submittable.rb +1 -1
data/lib/arachni/element/form/capabilities/with_dom.rb +1 -1
data/lib/arachni/element/form/dom.rb +1 -1
data/lib/arachni/element/generic_dom.rb +1 -1
data/lib/arachni/element/header.rb +3 -1
data/lib/arachni/element/header/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/header/capabilities/mutable.rb +1 -1
data/lib/arachni/element/json.rb +4 -8
data/lib/arachni/element/json/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/json/capabilities/mutable.rb +1 -1
data/lib/arachni/element/link.rb +11 -30
data/lib/arachni/element/link/capabilities/auditable.rb +1 -1
data/lib/arachni/element/link/capabilities/submittable.rb +1 -1
data/lib/arachni/element/link/capabilities/with_dom.rb +1 -1
data/lib/arachni/element/link/dom.rb +1 -1
data/lib/arachni/element/link/dom/capabilities/submittable.rb +1 -1
data/lib/arachni/element/link_template.rb +10 -19
data/lib/arachni/element/link_template/capabilities/auditable.rb +1 -1
data/lib/arachni/element/link_template/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/link_template/capabilities/with_dom.rb +1 -1
data/lib/arachni/element/link_template/dom.rb +2 -2
data/lib/arachni/element/link_template/dom/capabilities/submittable.rb +1 -1
data/lib/arachni/element/path.rb +1 -1
data/lib/arachni/element/server.rb +11 -11
data/lib/arachni/element/ui_form.rb +5 -6
data/lib/arachni/element/ui_form/dom.rb +1 -1
data/lib/arachni/element/ui_input.rb +4 -6
data/lib/arachni/element/ui_input/dom.rb +1 -1
data/lib/arachni/element/xml.rb +3 -7
data/lib/arachni/element/xml/capabilities/inputtable.rb +1 -1
data/lib/arachni/element/xml/capabilities/mutable.rb +1 -1
data/lib/arachni/element_filter.rb +1 -1
data/lib/arachni/error.rb +1 -1
data/lib/arachni/ethon/easy.rb +1 -1
data/lib/arachni/framework.rb +1 -1
data/lib/arachni/framework/parts/audit.rb +6 -1
data/lib/arachni/framework/parts/browser.rb +14 -14
data/lib/arachni/framework/parts/check.rb +1 -1
data/lib/arachni/framework/parts/data.rb +1 -1
data/lib/arachni/framework/parts/platform.rb +1 -1
data/lib/arachni/framework/parts/plugin.rb +1 -1
data/lib/arachni/framework/parts/report.rb +2 -2
data/lib/arachni/framework/parts/scope.rb +1 -1
data/lib/arachni/framework/parts/state.rb +1 -1
data/lib/arachni/http.rb +1 -1
data/lib/arachni/http/client.rb +32 -7
data/lib/arachni/http/client/dynamic_404_handler.rb +74 -16
data/lib/arachni/http/cookie_jar.rb +13 -8
data/lib/arachni/http/headers.rb +11 -5
data/lib/arachni/http/message.rb +9 -8
data/lib/arachni/http/message/scope.rb +1 -1
data/lib/arachni/http/proxy_server.rb +44 -11
data/lib/arachni/http/proxy_server/connection.rb +113 -80
data/lib/arachni/http/proxy_server/ssl_interceptor.rb +2 -1
data/lib/arachni/http/proxy_server/tunnel.rb +4 -4
data/lib/arachni/http/request.rb +236 -44
data/lib/arachni/http/request/scope.rb +1 -1
data/lib/arachni/http/response.rb +71 -8
data/lib/arachni/http/response/scope.rb +1 -1
data/lib/arachni/issue.rb +42 -14
data/lib/arachni/issue/severity.rb +1 -1
data/lib/arachni/issue/severity/base.rb +1 -1
data/lib/arachni/option_group.rb +1 -1
data/lib/arachni/option_groups.rb +1 -1
data/lib/arachni/option_groups/audit.rb +1 -1
data/lib/arachni/option_groups/browser_cluster.rb +6 -2
data/lib/arachni/option_groups/datastore.rb +1 -1
data/lib/arachni/option_groups/dispatcher.rb +1 -1
data/lib/arachni/option_groups/http.rb +35 -6
data/lib/arachni/option_groups/input.rb +1 -1
data/lib/arachni/option_groups/output.rb +1 -1
data/lib/arachni/option_groups/paths.rb +1 -1
data/lib/arachni/option_groups/rpc.rb +1 -1
data/lib/arachni/option_groups/scope.rb +13 -1
data/lib/arachni/option_groups/session.rb +1 -1
data/lib/arachni/option_groups/snapshot.rb +1 -1
data/lib/arachni/options.rb +23 -4
data/lib/arachni/page.rb +8 -6
data/lib/arachni/page/dom.rb +46 -54
data/lib/arachni/page/dom/transition.rb +5 -2
data/lib/arachni/page/scope.rb +1 -1
data/lib/arachni/parser.rb +157 -77
data/lib/arachni/parser/document.rb +34 -0
data/lib/arachni/parser/extractors/base.rb +48 -0
data/lib/arachni/parser/nodes/base.rb +22 -0
data/lib/arachni/parser/nodes/comment.rb +32 -0
data/lib/arachni/parser/nodes/element.rb +48 -0
data/lib/arachni/parser/nodes/element/with_attributes.rb +35 -0
data/lib/arachni/parser/nodes/element/with_attributes/attributes.rb +31 -0
data/lib/arachni/parser/nodes/text.rb +32 -0
data/lib/arachni/parser/nodes/with_value.rb +29 -0
data/lib/arachni/parser/sax.rb +75 -0
data/lib/arachni/parser/with_children.rb +35 -0
data/lib/arachni/parser/with_children/search.rb +92 -0
data/lib/arachni/platform.rb +1 -1
data/lib/arachni/platform/fingerprinter.rb +1 -1
data/lib/arachni/platform/list.rb +1 -1
data/lib/arachni/platform/manager.rb +2 -2
data/lib/arachni/plugin.rb +1 -1
data/lib/arachni/plugin/base.rb +2 -2
data/lib/arachni/plugin/formatter.rb +1 -1
data/lib/arachni/plugin/manager.rb +8 -5
data/lib/arachni/processes.rb +1 -1
data/lib/arachni/processes/dispatchers.rb +1 -1
data/lib/arachni/processes/executables/browser.rb +0 -2
data/lib/arachni/processes/helpers.rb +1 -1
data/lib/arachni/processes/helpers/dispatchers.rb +1 -1
data/lib/arachni/processes/helpers/instances.rb +1 -1
data/lib/arachni/processes/helpers/processes.rb +1 -1
data/lib/arachni/processes/instances.rb +1 -1
data/lib/arachni/processes/manager.rb +10 -5
data/lib/arachni/report.rb +8 -1
data/lib/arachni/reporter.rb +1 -1
data/lib/arachni/reporter/base.rb +1 -1
data/lib/arachni/reporter/formatter_manager.rb +1 -1
data/lib/arachni/reporter/manager.rb +1 -1
data/lib/arachni/reporter/options.rb +1 -1
data/lib/arachni/rest/server.rb +7 -1
data/lib/arachni/rest/server/instance_helpers.rb +1 -1
data/lib/arachni/rpc/client/base.rb +1 -1
data/lib/arachni/rpc/client/dispatcher.rb +1 -1
data/lib/arachni/rpc/client/instance.rb +1 -1
data/lib/arachni/rpc/client/instance/framework.rb +1 -1
data/lib/arachni/rpc/client/instance/service.rb +1 -1
data/lib/arachni/rpc/serializer.rb +1 -1
data/lib/arachni/rpc/server/active_options.rb +1 -1
data/lib/arachni/rpc/server/base.rb +1 -1
data/lib/arachni/rpc/server/check/manager.rb +1 -1
data/lib/arachni/rpc/server/dispatcher.rb +1 -1
data/lib/arachni/rpc/server/dispatcher/node.rb +1 -1
data/lib/arachni/rpc/server/dispatcher/service.rb +1 -1
data/lib/arachni/rpc/server/framework.rb +1 -1
data/lib/arachni/rpc/server/framework/distributor.rb +1 -1
data/lib/arachni/rpc/server/framework/master.rb +1 -1
data/lib/arachni/rpc/server/framework/multi_instance.rb +1 -1
data/lib/arachni/rpc/server/framework/slave.rb +1 -1
data/lib/arachni/rpc/server/instance.rb +1 -1
data/lib/arachni/rpc/server/output.rb +1 -1
data/lib/arachni/rpc/server/plugin/manager.rb +1 -1
data/lib/arachni/ruby.rb +1 -1
data/lib/arachni/ruby/array.rb +1 -1
data/lib/arachni/ruby/hash.rb +1 -1
data/lib/arachni/ruby/object.rb +1 -1
data/lib/arachni/ruby/set.rb +1 -1
data/lib/arachni/ruby/string.rb +9 -5
data/lib/arachni/ruby/webrick.rb +1 -1
data/lib/arachni/ruby/webrick/cookie.rb +1 -1
data/lib/arachni/ruby/webrick/httprequest.rb +1 -1
data/lib/arachni/scope.rb +1 -1
data/lib/arachni/selenium/webdriver/element.rb +4 -4
data/lib/arachni/selenium/webdriver/remote/typhoeus.rb +69 -0
data/lib/arachni/session.rb +32 -13
data/lib/arachni/snapshot.rb +1 -1
data/lib/arachni/state.rb +1 -1
data/lib/arachni/state/audit.rb +1 -1
data/lib/arachni/state/element_filter.rb +1 -1
data/lib/arachni/state/framework.rb +1 -1
data/lib/arachni/state/framework/rpc.rb +1 -1
data/lib/arachni/state/http.rb +2 -2
data/lib/arachni/state/options.rb +1 -1
data/lib/arachni/state/plugins.rb +1 -1
data/lib/arachni/support.rb +1 -1
data/lib/arachni/support/buffer.rb +1 -1
data/lib/arachni/support/buffer/autoflush.rb +1 -1
data/lib/arachni/support/buffer/base.rb +1 -1
data/lib/arachni/support/cache.rb +1 -1
data/lib/arachni/support/cache/base.rb +1 -1
data/lib/arachni/support/cache/least_cost_replacement.rb +1 -1
data/lib/arachni/support/cache/least_recently_pushed.rb +1 -1
data/lib/arachni/support/cache/least_recently_used.rb +1 -1
data/lib/arachni/support/cache/preference.rb +1 -1
data/lib/arachni/support/cache/random_replacement.rb +1 -1
data/lib/arachni/support/crypto.rb +1 -1
data/lib/arachni/support/crypto/rsa_aes_cbc.rb +1 -1
data/lib/arachni/support/database.rb +1 -1
data/lib/arachni/support/database/base.rb +1 -1
data/lib/arachni/support/database/hash.rb +1 -1
data/lib/arachni/support/database/queue.rb +1 -1
data/lib/arachni/support/glob.rb +1 -1
data/lib/arachni/support/lookup.rb +1 -1
data/lib/arachni/support/lookup/base.rb +1 -1
data/lib/arachni/support/lookup/hash_set.rb +1 -1
data/lib/arachni/support/lookup/moolb.rb +1 -1
data/lib/arachni/support/mixins.rb +1 -1
data/lib/arachni/support/mixins/observable.rb +1 -1
data/lib/arachni/support/mixins/terminal.rb +1 -1
data/lib/arachni/support/profiler.rb +52 -13
data/lib/arachni/support/signature.rb +18 -6
data/lib/arachni/trainer.rb +55 -39
data/lib/arachni/ui/foo/output.rb +1 -1
data/lib/arachni/uri.rb +132 -103
data/lib/arachni/uri/scope.rb +15 -13
data/lib/arachni/utilities.rb +10 -10
data/lib/arachni/version.rb +1 -1
data/lib/version +1 -1
data/logs/error-11897.log +2006 -0
data/logs/error-3855.log +382 -0
data/spec/arachni/browser/element_locator_spec.rb +42 -18
data/spec/arachni/browser/javascript/dom_monitor_spec.rb +214 -63
data/spec/arachni/browser/javascript/polyfills_spec.rb +0 -15
data/spec/arachni/browser/javascript/taint_tracer_spec.rb +68 -121
data/spec/arachni/browser/javascript_spec.rb +92 -51
data/spec/arachni/browser_cluster/job_spec.rb +23 -8
data/spec/arachni/browser_cluster/jobs/dom_exploration_spec.rb +6 -1
data/spec/arachni/browser_cluster/worker_spec.rb +31 -57
data/spec/arachni/browser_cluster_spec.rb +124 -43
data/spec/arachni/browser_spec.rb +352 -312
data/spec/arachni/check/auditor_spec.rb +118 -33
data/spec/arachni/element/capabilities/analyzable/signature_spec.rb +46 -3
data/spec/arachni/element/cookie/dom_spec.rb +1 -1
data/spec/arachni/element/cookie_spec.rb +158 -63
data/spec/arachni/element/form/dom_spec.rb +1 -1
data/spec/arachni/element/form_spec.rb +101 -54
data/spec/arachni/element/header_spec.rb +3 -1
data/spec/arachni/element/json_spec.rb +2 -0
data/spec/arachni/element/link/dom_spec.rb +2 -2
data/spec/arachni/element/link_spec.rb +46 -15
data/spec/arachni/element/link_template/dom_spec.rb +1 -1
data/spec/arachni/element/link_template_spec.rb +36 -12
data/spec/arachni/element/server_spec.rb +22 -5
data/spec/arachni/element/ui_form/dom_spec.rb +1 -1
data/spec/arachni/element/ui_input/dom_spec.rb +1 -1
data/spec/arachni/element/xml_spec.rb +5 -3
data/spec/arachni/framework/parts/audit_spec.rb +2 -14
data/spec/arachni/framework/parts/data_spec.rb +0 -6
data/spec/arachni/http/client/dynamic_404_handlers_spec.rb +126 -0
data/spec/arachni/http/client_spec.rb +82 -10
data/spec/arachni/http/headers_spec.rb +59 -12
data/spec/arachni/http/proxy_server_spec.rb +56 -25
data/spec/arachni/http/request_spec.rb +379 -33
data/spec/arachni/http/response_spec.rb +135 -7
data/spec/arachni/issue_spec.rb +20 -1
data/spec/arachni/option_groups/http_spec.rb +15 -0
data/spec/arachni/option_groups/scope_spec.rb +26 -1
data/spec/arachni/options_spec.rb +8 -1
data/spec/arachni/page/dom_spec.rb +20 -6
data/spec/arachni/page_spec.rb +5 -5
data/spec/arachni/parser/document_spec.rb +49 -0
data/spec/arachni/parser/nodes/comment_spec.rb +24 -0
data/spec/arachni/parser/nodes/element/with_attributes/attributes_spec.rb +40 -0
data/spec/arachni/parser/nodes/element/with_attributes_spec.rb +50 -0
data/spec/arachni/parser/nodes/element_spec.rb +18 -0
data/spec/arachni/parser/nodes/text_spec.rb +24 -0
data/spec/arachni/parser/sax_spec.rb +88 -0
data/spec/arachni/parser/with_children/search_spec.rb +146 -0
data/spec/arachni/parser/with_children_spec.rb +37 -0
data/spec/arachni/parser_spec.rb +166 -26
data/spec/arachni/report_spec.rb +9 -2
data/spec/arachni/rest/server_spec.rb +52 -6
data/spec/arachni/rpc/server/active_options_spec.rb +1 -1
data/spec/arachni/rpc/server/framework/distributor_spec.rb +6 -6
data/spec/arachni/ruby/string_spec.rb +6 -0
data/spec/arachni/session_spec.rb +69 -8
data/spec/arachni/support/signature_spec.rb +58 -0
data/spec/arachni/trainer_spec.rb +102 -21
data/spec/arachni/uri_spec.rb +11 -8
data/spec/arachni/utilities_spec.rb +3 -3
data/spec/components/checks/active/csrf_spec.rb +1 -21
data/spec/components/checks/active/path_traversal_spec.rb +12 -12
data/spec/components/checks/active/sql_injection_spec.rb +10 -1
data/spec/components/checks/active/unvalidated_redirect_spec.rb +6 -6
data/spec/components/checks/active/xss_dom_script_context_spec.rb +1 -5
data/spec/components/checks/active/xss_dom_spec.rb +2 -2
data/spec/components/checks/active/xss_event_spec.rb +8 -2
data/spec/components/checks/active/xss_script_context_spec.rb +5 -5
data/spec/components/checks/active/xss_spec.rb +3 -3
data/spec/components/checks/passive/backup_directories_spec.rb +3 -1
data/spec/components/checks/passive/backup_files_spec.rb +8 -1
data/spec/components/checks/passive/grep/insecure_cookies_spec.rb +2 -2
data/spec/components/path_extractors/comments_spec.rb +3 -1
data/spec/components/path_extractors/data_url_spec.rb +6 -2
data/spec/components/path_extractors/links_spec.rb +1 -1
data/spec/components/plugins/autologin_spec.rb +2 -2
data/spec/components/plugins/webhook_notify_spec.rb +69 -0
data/spec/spec_helper.rb +1 -1
data/spec/support/factories/page/dom.rb +6 -0
data/spec/support/factories/scan_report.rb +1 -0
data/spec/support/factories/vector.rb +7 -3
data/spec/support/fixtures/check_with_invalid_platforms/with_invalid_platforms.rb +1 -1
data/spec/support/fixtures/checks/test.rb +1 -1
data/spec/support/fixtures/checks/test2.rb +1 -1
data/spec/support/fixtures/checks/test3.rb +1 -1
data/spec/support/fixtures/cookies.txt +2 -2
data/spec/support/fixtures/fingerprinters/test.rb +1 -1
data/spec/support/fixtures/plugins/bad.rb +1 -1
data/spec/support/fixtures/plugins/defaults/default.rb +1 -1
data/spec/support/fixtures/plugins/distributable.rb +1 -1
data/spec/support/fixtures/plugins/loop.rb +1 -1
data/spec/support/fixtures/plugins/suspendable.rb +1 -1
data/spec/support/fixtures/plugins/wait.rb +1 -1
data/spec/support/fixtures/plugins/with_options.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p0.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p00.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p1.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p2.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p22.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p222.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p_nil.rb +1 -1
data/spec/support/fixtures/plugins_with_priorities/p_nil2.rb +1 -1
data/spec/support/fixtures/report.afr +0 -0
data/spec/support/fixtures/reporters/base_spec/plugin_formatters/with_formatters/foobar.rb +1 -1
data/spec/support/fixtures/reporters/base_spec/with_formatters.rb +1 -1
data/spec/support/fixtures/reporters/base_spec/with_outfile.rb +1 -1
data/spec/support/fixtures/reporters/base_spec/without_outfile.rb +1 -1
data/spec/support/fixtures/reporters/manager_spec/afr.rb +1 -1
data/spec/support/fixtures/reporters/manager_spec/error.rb +1 -1
data/spec/support/fixtures/reporters/manager_spec/foo.rb +1 -1
data/spec/support/fixtures/run_check/body.rb +1 -1
data/spec/support/fixtures/run_check/cookies.rb +1 -1
data/spec/support/fixtures/run_check/empty.rb +1 -1
data/spec/support/fixtures/run_check/flch.rb +1 -1
data/spec/support/fixtures/run_check/forms.rb +1 -1
data/spec/support/fixtures/run_check/headers.rb +1 -1
data/spec/support/fixtures/run_check/links.rb +1 -1
data/spec/support/fixtures/run_check/nil.rb +1 -1
data/spec/support/fixtures/run_check/path.rb +1 -1
data/spec/support/fixtures/run_check/server.rb +1 -1
data/spec/support/fixtures/signature_check/signature.rb +1 -1
data/spec/support/fixtures/wait_check/wait.rb +1 -1
data/spec/support/helpers/browser_cluster/jobs/taint_tracer.rb +0 -3
data/spec/support/helpers/framework.rb +1 -1
data/spec/support/helpers/misc.rb +1 -1
data/spec/support/helpers/paths.rb +1 -1
data/spec/support/helpers/requires.rb +1 -1
data/spec/support/helpers/resets.rb +1 -1
data/spec/support/helpers/web_server.rb +1 -1
data/spec/support/lib/factory.rb +1 -1
data/spec/support/lib/web_server_client.rb +1 -1
data/spec/support/lib/web_server_dispatcher.rb +1 -1
data/spec/support/lib/web_server_manager.rb +4 -2
data/spec/support/logs/Dispatcher - 1024-31864.log +10 -0
data/spec/support/logs/Dispatcher - 1047-41465.log +10 -0
data/spec/support/logs/Dispatcher - 1274-60799.log +64 -0
data/spec/support/logs/Dispatcher - 1295-1058.log +44 -0
data/spec/support/logs/Dispatcher - 1313-27076.log +40 -0
data/spec/support/logs/Dispatcher - 1332-17127.log +35 -0
data/spec/support/logs/Dispatcher - 1350-7351.log +29 -0
data/spec/support/logs/Dispatcher - 1368-38528.log +22 -0
data/spec/support/logs/Dispatcher - 1386-17419.log +14 -0
data/spec/support/logs/Dispatcher - 31030-26156.log +10 -0
data/spec/support/logs/Dispatcher - 321-27189.log +12 -0
data/spec/support/logs/Dispatcher - 32353-50061.log +20 -0
data/spec/support/logs/Dispatcher - 32450-61574.log +10 -0
data/spec/support/logs/Dispatcher - 32470-53874.log +20 -0
data/spec/support/logs/Dispatcher - 32491-10523.log +18 -0
data/spec/support/logs/Dispatcher - 32509-8583.log +14 -0
data/spec/support/logs/Dispatcher - 32536-21209.log +10 -0
data/spec/support/logs/Dispatcher - 32556-53881.log +10 -0
data/spec/support/logs/Dispatcher - 32579-49083.log +50 -0
data/spec/support/logs/Dispatcher - 32761-20025.log +12 -0
data/spec/support/logs/Dispatcher - 347-17512.log +12 -0
data/spec/support/logs/Dispatcher - 3489-43230.log +24 -0
data/spec/support/logs/Dispatcher - 3524-57459.log +26 -0
data/spec/support/logs/Dispatcher - 3559-21544.log +20 -0
data/spec/support/logs/Dispatcher - 3764-33844.log +25 -0
data/spec/support/logs/Dispatcher - 3798-45350.log +26 -0
data/spec/support/logs/Dispatcher - 382-15725.log +12 -0
data/spec/support/logs/Dispatcher - 3836-6205.log +21 -0
data/spec/support/logs/Dispatcher - 4112-45433.log +22 -0
data/spec/support/logs/Dispatcher - 4148-53510.log +26 -0
data/spec/support/logs/Dispatcher - 415-29873.log +14 -0
data/spec/support/logs/Dispatcher - 4185-29736.log +18 -0
data/spec/support/logs/Dispatcher - 4268-60912.log +25 -0
data/spec/support/logs/Dispatcher - 4303-39372.log +26 -0
data/spec/support/logs/Dispatcher - 4342-42190.log +21 -0
data/spec/support/logs/Dispatcher - 463-55220.log +26 -0
data/spec/support/logs/Dispatcher - 4649-12104.log +22 -0
data/spec/support/logs/Dispatcher - 4683-32355.log +26 -0
data/spec/support/logs/Dispatcher - 4724-41636.log +18 -0
data/spec/support/logs/Dispatcher - 4881-57692.log +22 -0
data/spec/support/logs/Dispatcher - 4961-64665.log +26 -0
data/spec/support/logs/Dispatcher - 502-8742.log +25 -0
data/spec/support/logs/Dispatcher - 5052-61726.log +18 -0
data/spec/support/logs/Dispatcher - 536-15972.log +22 -0
data/spec/support/logs/Dispatcher - 620-2220.log +20 -0
data/spec/support/logs/Dispatcher - 638-17826.log +18 -0
data/spec/support/logs/Dispatcher - 656-23967.log +16 -0
data/spec/support/logs/Dispatcher - 700-15701.log +12 -0
data/spec/support/logs/Dispatcher - 726-6080.log +10 -0
data/spec/support/logs/Dispatcher - 749-56590.log +18 -0
data/spec/support/logs/Dispatcher - 807-19073.log +18 -0
data/spec/support/logs/Dispatcher - 871-8764.log +10 -0
data/spec/support/logs/Dispatcher - 898-21496.log +12 -0
data/spec/support/logs/Dispatcher - 933-64070.log +12 -0
data/spec/support/logs/Instance - 1577-32284.error.log +151 -0
data/spec/support/logs/Instance - 1625-58174.error.log +154 -0
data/spec/support/logs/Instance - 2727-57968.error.log +151 -0
data/spec/support/logs/Instance - 2898-20648.error.log +303 -0
data/spec/support/logs/Instance - 2901-30845.error.log +429 -0
data/spec/support/logs/Instance - 31185-37600.error.log +174 -0
data/spec/support/logs/Instance - 3319-20111.error.log +175 -0
data/spec/support/logs/error-3855.log +5132 -0
data/spec/support/servers/arachni/browser.rb +275 -4
data/spec/support/servers/arachni/browser/javascript/dom_monitor.rb +48 -0
data/spec/support/servers/arachni/browser/javascript/taint_tracer.rb +15 -3
data/spec/support/servers/arachni/check/auditor.rb +8 -0
data/spec/support/servers/arachni/element/cookie.rb +34 -0
data/spec/support/servers/arachni/element/form.rb +34 -0
data/spec/support/servers/arachni/element/header.rb +36 -1
data/spec/support/servers/arachni/element/json.rb +33 -0
data/spec/support/servers/arachni/element/link.rb +33 -1
data/spec/support/servers/arachni/element/link_template.rb +37 -5
data/spec/support/servers/arachni/element/xml.rb +33 -0
data/spec/support/servers/arachni/http/client.rb +43 -4
data/spec/support/servers/arachni/http/client/dynamic_404_handler.rb +36 -0
data/spec/support/servers/arachni/http/client/dynamic_404_handler_redirect_1.rb +18 -0
data/spec/support/servers/arachni/http/client/dynamic_404_handler_redirect_2.rb +11 -0
data/spec/support/servers/arachni/http/proxy_server.rb +12 -0
data/spec/support/servers/arachni/session.rb +24 -1
data/spec/support/servers/checks/active/csrf.rb +0 -76
data/spec/support/servers/checks/active/sql_injection/java +2 -0
data/spec/support/servers/checks/active/unvalidated_redirect.rb +81 -0
data/spec/support/servers/checks/active/xss_event.rb +1 -1
data/spec/support/servers/checks/passive/backup_files.rb +20 -1
data/spec/support/servers/checks/passive/grep/cookie_set_for_parent_domain.rb +3 -5
data/spec/support/servers/checks/passive/grep/insecure_cookies_https.rb +9 -0
data/spec/support/servers/plugins/autologin.rb +17 -1
data/spec/support/servers/plugins/webhook_notify.rb +9 -0
data/spec/support/shared/element/capabilities/auditable.rb +26 -32
data/spec/support/shared/element/capabilities/auditable/buffered.rb +791 -0
data/spec/support/shared/element/capabilities/auditable/line_buffered.rb +797 -0
data/spec/support/shared/element/capabilities/inputtable.rb +26 -0
data/spec/support/shared/element/capabilities/with_node.rb +2 -2
data/spec/support/shared/element/dom/submittable.rb +10 -10
data/spec/support/shared/path_extractor.rb +17 -5
data/ui/cli/framework.rb +24 -4
data/ui/cli/framework/option_parser.rb +35 -6
data/ui/cli/option_parser.rb +1 -1
data/ui/cli/output.rb +10 -3
data/ui/cli/reporter.rb +1 -1
data/ui/cli/reporter/option_parser.rb +1 -1
data/ui/cli/reproduce.rb +228 -0
data/ui/cli/reproduce/option_parser.rb +90 -0
data/ui/cli/rest/server.rb +1 -1
data/ui/cli/rest/server/option_parser.rb +1 -1
data/ui/cli/restored_framework.rb +1 -1
data/ui/cli/restored_framework/option_parser.rb +1 -1
data/ui/cli/rpc/client/dispatcher_monitor.rb +9 -11
data/ui/cli/rpc/client/dispatcher_monitor/option_parser.rb +1 -1
data/ui/cli/rpc/client/instance.rb +1 -1
data/ui/cli/rpc/client/local.rb +1 -1
data/ui/cli/rpc/client/local/option_parser.rb +1 -1
data/ui/cli/rpc/client/remote.rb +1 -1
data/ui/cli/rpc/client/remote/option_parser.rb +1 -1
data/ui/cli/rpc/server/dispatcher.rb +1 -1
data/ui/cli/rpc/server/dispatcher/option_parser.rb +1 -1
data/ui/cli/utilities.rb +1 -1
metadata +253 -49
data/ACKNOWLEDGMENTS.md +0 -21
data/AUTHORS.md +0 -3
data/CONTRIBUTORS.md +0 -22

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f4c2f78464615f487fac68b9e72685088d568977
-  data.tar.gz: db89773e54c4321dbb18bd9c18958c3263f4c952
+  metadata.gz: 9258760c9e75d398da9ab655640904e5d51544c4
+  data.tar.gz: b7f5f56e8f1977916b7a87465954c354892cc4d3
 SHA512:
-  metadata.gz: 5ed261c2eab8f545585e8ac2a733f59296823e8d3de533a6789ba871c4a4ff732108760c33169198fde6b8c240192cdbeba16a9241d8eba4a03da6b9ee9b176b
-  data.tar.gz: 50297d450fd4e8d53b1c556af729d889a94ea0c4cd2f7220e2703dd70f274bff373d6603fb57dfb99860d3fd90199b0258d0a6e271d672e92564884cf8be5a1f
+  metadata.gz: baef5531633d799813d4bbfdfc89a44aa682feb5b502349e40c19ec9036ef074f2cf4f8838403487e79b2ac905ace671863b5ee092515251418d0180f0db659b
+  data.tar.gz: 43e379175dff426bc078a5055dda4b0d65dee05f47df7032559501ce1603d5e4c32517ff0c9fb69669a0d21b7710df4f62b2899de099e32ebcc530165a039c46

data/CHANGELOG.md CHANGED

@@ -1,5 +1,140 @@
 # ChangeLog
+## 1.5 _(January 31, 2017)_
+- Executables
+    - `arachni_rpcd_monitor` -- Brought up to date with Dispatcher refactoring.
+    - New
+        - `arachni_reproduce` -- Reproduces the issues in the given report.
+- Options
+    - `url` -- Raise error on addresses starting with `127.` because
+        PhantomJS 2.1.1 doesn't proxy any loopback connections.
+    - `--http-cookie-string` -- Updated to only accept `Set-Cookie` formatted
+        cookies instead of `Cookie` ones.
+    - `--browser-cluster-job-timeout`
+        - Repurposed to apply to communication requests for Selenium rather than
+            the entire job.
+        - Lowered to `10` seconds.
+    - New
+        - `--http-authentication-type`
+            - `auto` -- Default
+            - `basic`
+            - `digest`
+            - `digest_ie`
+            - `negotiate`
+            - `ntlm`
+        - `--scope-dom-event-limit` -- Limits the amount of DOM events to be
+            triggered for each DOM depth.
+        - `--daemon-friendly` -- Disables status screen.
+- `UI`
+    - `CLI`
+        - `Framework` -- Trap `USR1` signal and go into a `pry` session for debugging.
+- `URI`
+    - `.fast_parse` --- Ignore `data:` URIs.
+- `HTTP`
+    - `ProxyServer`
+        - Fixed state of abruptly closed SSL interceptor connections leading to
+            frozen browser operations.
+        - Added support for configurable concurrency of origin requests to keep
+            the amount of `Thread`s low.
+        - Added support for `Connection: Upgrade` requests by tunneling WebSocket
+            connections.
+    - `Client`
+        - Added `X-Arachni-Scan-Seed` header that includes the random scan seed.
+        - `Dynamic404Handler`
+            - Added more training scenarios for when:
+                - Dashes are used as routing separators.
+                - Directory name prepending and appending is ignored.
+            - Updated to not dismiss redirects but follow the location.
+- `Browser`
+    - Updated engine to PhantomJS 2.1.1.
+    - Remove `Content-Security-Policy` to allow the Arachni JS env to run.
+    - `#snapshot_id` -- Moved to browser-side `DOMMonitor` for better performance.
+    - `#capture` -- Extract query parameters from `POST` requests.
+    - `#capture_snapshot` -- Deduplicate based on DOM URL and transitions as well.
+    - `ElementLocator` -- Fixed bug causing broken CSS selectors with UTF8 characters.
+    - `Javascript`
+        - `#dom_elements_with_events`
+            - Moved code to browser-side `DOMMonitor`.
+            - Updated it to return results in batches, in order to keep RAM
+                usage under control when processing large pages with thousands
+                of elements with events.
+- `BrowserCluster`
+    - `Worker`
+        - `#run_job` -- Retry 5 times on job time-outs.
+- `Element`
+    - `Capabilities`
+        - `Auditable`
+            - New
+                - `Buffered` -- Reads audit responses in chunks.
+                - `LineBuffered` -- Reads audit responses in chunks of lines.
+    - `DOM`
+        - `Capabilities`
+            - `Submittable`, `Auditable` -- Switched from `Proc` to class methods
+                for callbacks, in order to avoid keeping contexts in memory.
+- Session -- Allow for a submit input to be specified when the login needs to be
+    triggered by clicking it, rather than just triggering the submit event on
+    the form.
+- REST API
+    - Added `GET /scans/:id/summary` to return scan progress data without
+        `issues`, `errors` and `sitemap`.
+- Report
+    - Added `#seed` attribute that includes the random scan seed.
+- Plugins
+    - New
+        - `webhook_notify` -- Sends a webhook payload over HTTP at the end of the scan.
+        - `rate_limiter` -- Rate limits HTTP requests.
+        - `page_dump` -- Dumps page data to disk as YAML.
+    - `proxy` -- `bind_address` default switched to `127.0.0.1`, `0.0.0.0` breaks
+        SSL interception on MS Windows.
+    - `metrics`
+        - Fixed division by 0 error when no requests have been performed.
+        - Added:
+            - HTTP
+                - Request time-outs
+                - Responses per second
+            - Browser cluster
+                - Timed-out jobs
+                - Seconds per job
+                - Total job time
+                - Job count
+    - `email_notify`
+        - Retry on error.
+        - Default to `afr` as a report format.
+- Checks
+    - Active
+        - `xss` -- Only check HTML responses to avoid FPs.
+        - `xss_event`
+            - Replaced full parsing of responses with SAX.
+            - Only check HTML responses to avoid FPs.
+        - `xss_script_context`
+            - Replaced full parsing of responses with SAX.
+            - Only check HTML responses to avoid FPs.
+        - `xss_tag`
+            - Replaced full parsing of responses with SAX.
+            - Only check HTML responses to avoid FPs.
+        - `unvalidated_redirect`, `unvalidated_redirect_dom`, `xss`, `xss_dom`,
+            `xss_dom_script_context`, `xss_script_context` -- Replaced `Proc`s
+                with class methods for `BrowserCluster` job callbacks.
+        - `unvalidated_redirect` -- Added prepended payload to the default value.
+        - `sql_injection` -- Added more error signatures for HSQLDB, Java and SQLite.
+        - `csrf` -- Removed heuristics that try to match tokens based on format;
+            now only uses a nonce check.
+        - `path_traversal` -- Increased maximum traversals to 8.
+    - Passive
+        - `backup_files`
+            - Ignore media files to avoid FPs when dealing with galleries and the like.
+            - Added issue remark explaining how the original resource name was manipulated.
+        - `backup_directories` -- Added issue remark explaining how the original
+            resource name was manipulated.
+        - `xst` -- Run once for each protocol, not just for the first page.
+- Path extractors
+    - `data_url` -- Extract from all elements, not just links.
+- Reporters
+    - `xml`
+        - Replaced unsupported null-bytes with a placeholder.
+        - Made `issues/issue/page/dom/data_flow_sinks/data_flow_sink/frame/line` nil-able.
 ## 1.4 _(February 7, 2016)_
 - Native MS Windows compatibility.
@@ -95,6 +230,7 @@
                 there's no way to verify SSNs.
             - `http_only_cookies`, `insecure_cookies` -- Only check current page
                 cookies, don't let the CookieJar ones sneak in.
+            - `insecure_cookies` -- Check JS cookies too.
 - Plugins
     - `proxy`
         - Removed injection of control toolbar to each response.

data/Gemfile CHANGED

@@ -1,6 +1,7 @@
 source 'https://rubygems.org'
-gem 'rake'
+gem 'rake', '11.3.0'
+gem 'pry'
 group :docs do
     gem 'yard'
@@ -19,6 +20,7 @@ group :prof do
     gem 'sys-proctable'
     gem 'ruby-mass'
     gem 'benchmark-ips'
+    gem 'memory_profiler'
 end
 gemspec

data/LICENSE.md CHANGED

@@ -1,6 +1,6 @@
 # License
-Copyright 2010-2016 [Tasos Laskos](mailto:tasos.laskos@arachni-scanner.com).
+Copyright 2010-2017 [Sarosys LLC](http://www.sarosys.com).
 ```
                     Arachni Public Source License

data/README.md CHANGED

@@ -3,7 +3,7 @@
 <table>
     <tr>
         <th>Version</th>
-        <td>1.4</td>
+        <td>1.5</td>
     </tr>
     <tr>
         <th>Homepage</th>
@@ -38,7 +38,7 @@
     </tr>
     <tr>
         <th>Copyright</th>
-        <td>2010-2016 Tasos Laskos</td>
+        <td>2010-2017 <a href="http://www.sarosys.com">Sarosys LLC</a></td>
     </tr>
     <tr>
         <th>License</th>
@@ -555,6 +555,9 @@ core remains lean and makes it easy for anyone to add arbitrary functionality.
 - Metrics (`metrics`) -- Captures metrics about multiple aspects of the scan and the web application.
 - Restrict to DOM state (`restrict_to_dom_state`) -- Restricts the audit to a single page's DOM
     state, based on a URL fragment.
+- Webhook notify (`webhook_notify`) -- Sends a webhook payload over HTTP at the end of the scan.
+- Rate limiter (`rate_limiter`) -- Rate limits HTTP requests.
+- Page dump (`page_dump`) -- Dumps page data to disk as YAML.
 ##### Defaults

data/Rakefile CHANGED

@@ -1,5 +1,5 @@
 =begin
-    Copyright 2010-2016 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
     This file is part of the Arachni Framework project and is subject to
     redistribution and commercial restrictions. Please see the Arachni Framework

data/arachni.gemspec CHANGED

@@ -1,6 +1,6 @@
 # coding: utf-8
 =begin
-    Copyright 2010-2016 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
     This file is part of the Arachni Framework project and is subject to
     redistribution and commercial restrictions. Please see the Arachni Framework
@@ -10,7 +10,7 @@
 Gem::Specification.new do |s|
     require File.expand_path( File.dirname( __FILE__ ) ) + '/lib/arachni/version'
-    s.required_ruby_version = '>= 2.0.0'
+    s.required_ruby_version = '>= 2.2.0'
     s.name              = 'arachni'
     s.version           = Arachni::VERSION
@@ -37,77 +37,82 @@ Gem::Specification.new do |s|
     s.executables       = Dir.glob( 'bin/*' ).map { |e| File.basename e }
-    s.extra_rdoc_files  = %w(README.md ACKNOWLEDGMENTS.md LICENSE.md
-                            AUTHORS.md CHANGELOG.md CONTRIBUTORS.md)
+    s.extra_rdoc_files  = %w(README.md LICENSE.md CHANGELOG.md)
     s.rdoc_options      = [ '--charset=UTF-8' ]
-    s.add_dependency 'awesome_print'
+    s.add_dependency 'awesome_print',       '1.6.1'
-    s.add_dependency 'rack'
+    s.add_dependency 'rack',                '1.6.4'
+    # Don't specify version, messes with the packages since they always grab the
+    # latest one.
     s.add_dependency 'bundler'
-    s.add_dependency 'concurrent-ruby',     '1.0.0'
-    s.add_dependency 'concurrent-ruby-ext', '1.0.0'
+    s.add_dependency 'concurrent-ruby',     '1.0.2'
+    s.add_dependency 'concurrent-ruby-ext', '1.0.2'
     # For compressing/decompressing system state archives.
-    s.add_dependency 'rubyzip',           '1.1.6'
+    s.add_dependency 'rubyzip',             '1.1.6'
     # HTTP proxy server
-    s.add_dependency 'http_parser.rb'
+    s.add_dependency 'http_parser.rb',      '0.6.0'
     # HTML report
-    s.add_dependency 'coderay',           '1.1.0'
+    s.add_dependency 'coderay',             '1.1.0'
-    s.add_dependency 'childprocess',      '0.5.3'
+    s.add_dependency 'childprocess',        '0.5.3'
     # RPC serialization.
-    s.add_dependency 'msgpack',           '0.7.0'
+    s.add_dependency 'msgpack',             '0.7.0'
     if RUBY_PLATFORM != 'java'
         # Optimized JSON.
-        s.add_dependency 'oj',            '~> 2.14.3'
-        s.add_dependency 'oj_mimic_json'
+        s.add_dependency 'oj',              '2.15.0'
+        s.add_dependency 'oj_mimic_json',   '1.0.1'
     end
     # Web server
-    s.add_dependency 'puma',              '2.14.0'
+    s.add_dependency 'puma',                '2.14.0'
     # REST API
-    s.add_dependency 'sinatra',           '1.4.6'
-    s.add_dependency 'sinatra-contrib',   '1.4.6'
+    s.add_dependency 'sinatra',             '1.4.6'
+    s.add_dependency 'sinatra-contrib',     '1.4.6'
     # RPC client/server implementation.
-    s.add_dependency 'arachni-rpc',       '0.2.1.3'
+    s.add_dependency 'arachni-rpc',         '~> 0.2.1.4'
     # HTTP client.
-    s.add_dependency 'typhoeus',          '1.0.1'
+    s.add_dependency 'typhoeus',            '1.0.2'
     # Fallback URI parsing and encoding utilities.
-    s.add_dependency 'addressable',       '2.3.6'
+    s.add_dependency 'addressable',         '2.3.6'
     # E-mail plugin.
-    s.add_dependency 'pony',              '1.8'
+    s.add_dependency 'pony',                '1.11'
     # For the Arachni console (arachni_console).
-    s.add_dependency 'rb-readline',       '0.5.1'
+    s.add_dependency 'rb-readline',         '0.5.1'
-    # Markup parsing.
-    s.add_dependency 'nokogiri',          '1.6.8rc2'
+    # Markup parsing, for reports and Element::XML.
+    s.add_dependency 'nokogiri',            '1.6.8.1'
+    # Really fast and lightweight markup parsing, for pages.
+    s.add_dependency 'ox',                  '2.4.9'
     # Outputting data in table format (arachni_rpcd_monitor).
-    s.add_dependency 'terminal-table',    '1.4.5'
+    s.add_dependency 'terminal-table',      '1.4.5'
     # Browser support for DOM/JS/AJAX analysis stuff.
-    s.add_dependency 'watir-webdriver',   '0.8.0'
+    # Lock webdriver, newer versions has issues.
+    s.add_dependency 'selenium-webdriver',  '3.0.1'
+    s.add_dependency 'watir-webdriver',     '0.8.0'
     # Markdown to HTML conversion, used by the HTML report for component
     # descriptions.
-    s.add_dependency 'kramdown',          '1.4.1'
+    s.add_dependency 'kramdown',            '1.4.1'
     # Used to scrub Markdown for XSS etc.
-    s.add_dependency 'loofah',            '~> 2.0.0'
+    s.add_dependency 'loofah',              '2.0.3'
     s.post_install_message = <<MSG
@@ -124,7 +129,7 @@ License            - Arachni Public Source License v1.0
                         (https://github.com/Arachni/arachni/blob/master/LICENSE.md)
 Author             - Tasos "Zapotek" Laskos (http://twitter.com/Zap0tek)
 Twitter            - http://twitter.com/ArachniScanner
-Copyright          - 2010-2016 Tasos Laskos
+Copyright          - 2010-2017 Sarosys LLC (http://www.sarosys.com)
 Please do not hesitate to ask for assistance (via the support portal)
 or report a bug (via GitHub Issues) if you come across any problem.

data/bin/arachni CHANGED

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 =begin
-    Copyright 2010-2016 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
     This file is part of the Arachni Framework project and is subject to
     redistribution and commercial restrictions. Please see the Arachni Framework

data/bin/arachni_console CHANGED

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 =begin
-    Copyright 2010-2016 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
     This file is part of the Arachni Framework project and is subject to
     redistribution and commercial restrictions. Please see the Arachni Framework

data/bin/arachni_multi CHANGED

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 =begin
-    Copyright 2010-2016 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
     This file is part of the Arachni Framework project and is subject to
     redistribution and commercial restrictions. Please see the Arachni Framework
@@ -10,4 +10,9 @@
 require_relative '../lib/arachni'
 require_relative '../ui/cli/rpc/client/local'
+if Arachni.windows?
+    Arachni::UI::Output.print_error "This interface is not available on MS Windows."
+    exit
+end
 Arachni::UI::CLI::RPC::Client::Local.new

data/bin/arachni_reporter CHANGED

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 =begin
-    Copyright 2010-2016 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
     This file is part of the Arachni Framework project and is subject to
     redistribution and commercial restrictions. Please see the Arachni Framework

data/bin/arachni_reproduce ADDED

@@ -0,0 +1,12 @@
+#!/usr/bin/env ruby
+=begin
+    Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
+    This file is part of the Arachni Framework project and is subject to
+    redistribution and commercial restrictions. Please see the Arachni Framework
+    web site for more information on licensing and terms of use.
+=end
+require_relative '../ui/cli/reproduce'
+Arachni::UI::CLI::Reproduce.new

data/bin/arachni_rest_server CHANGED

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 =begin
-    Copyright 2010-2016 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
     This file is part of the Arachni Framework project and is subject to
     redistribution and commercial restrictions. Please see the Arachni Framework

data/bin/arachni_restore CHANGED

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 =begin
-    Copyright 2010-2016 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
     This file is part of the Arachni Framework project and is subject to
     redistribution and commercial restrictions. Please see the Arachni Framework

data/bin/arachni_rpc CHANGED

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 =begin
-    Copyright 2010-2016 Tasos Laskos <tasos.laskos@arachni-scanner.com>
+    Copyright 2010-2017 Sarosys LLC <http://www.sarosys.com>
     This file is part of the Arachni Framework project and is subject to
     redistribution and commercial restrictions. Please see the Arachni Framework
@@ -10,4 +10,9 @@
 require_relative '../lib/arachni'
 require_relative '../ui/cli/rpc/client/remote'
+if Arachni.windows?
+    Arachni::UI::Output.print_error "This interface is not available on MS Windows."
+    exit
+end
 Arachni::UI::CLI::RPC::Client::Remote.new