Merge branch 'release/v1.3'

CHANGELOG.md

@@ -1,5 +1,71 @@
 # ChangeLog
 
+## 1.3 _(October 01, 2015)_
+
+- `UI`
+    - `CLI`
+        - Options
+            - `--browser-cluster-local-storage` -- Sets `localStorage` data from JSON file.
+- `Issue`
+    - `#variations` -- Removed, all issues now include full data.
+    - `#unique_id`, `#digest` -- In cases of passive issues, the associated
+        `#proof` is now taken into consideration.
+- `Data`
+    - `Framework`
+        - `#update_sitemap` -- Don't push URLs that include the
+            `Utilities.random_seed` to the sitemap to keep noise down.
+- `Element`
+    - `Cookie`
+        - `.encode` -- Updated list of reversed characters.
+        - `.decode` -- Handle broken encodings.
+    - `Form`
+        - `.decode` -- Handle broken encodings.
+    - `UIForm` -- Audits `<input>` and `<button>` groups which don't belong to
+        a `<form>` parent. Also covers cases of `<form>` submissions that occur
+        via elements other than a submit button.
+    - `UIInput` -- Audits individual `<input>` elements which have associated DOM events.
+    - `Capabilities` -- Refactored to allow for easier expansion of DOM capabilities.
+        - `Analyzable`
+            - `Differential` -- Updated to remove the injected seed from the response
+                bodies, echoed payloads can compromise the analysis.
+            - `Taint` => `Signature` -- Signature analysis better describes that
+                process and the "taint" terminology was overloaded by the browser's
+                taint tracing subsystems.
+- `Browser`
+    - Use the faster, native `#click` event on `Watir` elements, instead of `fire_event`.
+    - Sets `localStorage` data from `Arachni::OptionGroups::BrowserCluster#local_storage`.
+    - `Javascript`
+        - `TaintTracer`
+            - Updated sanitization of traced `Event` arguments to extract only
+                certain properties instead of iterating through the whole object.
+            - Limited the depth of the recursive taint search in argument objects.
+- `Components`
+    - Path extractors
+        - `comments`
+            - Small cleanup in acceptable paths.
+        - `script`
+            - Updated to not get fooled by comment strings (`/*Comment`, `//Comment`).
+            - Updated to require absolute paths to avoid processing junk.
+    - Reporters -- All reporters have been updated to remove `Issue#variations`.
+        - `xml` -- Updated schema to include the new `Element::UIForm::DOM` and
+            `Element::Input::DOM` elements.
+    - Plugins
+        - `proxy` -- Fixed bug causing the plugin to hang after proxy server shutdown.
+        - `login_script`
+            - Wait for the page to settle when using a JS login script.
+            - Catch script syntax errors.
+    - Checks
+        - Active
+            - Removed
+                `xss_dom_inputs` -- No longer necessary, covered by new DOM
+                    element abstractions and `xss_dom`.
+            - `unvalidated_redirect` -- Updated to use `Utilities.random_seed`
+                in the injected URL.
+            - `unvalidated_redirect_dom` -- Updated to use `Utilities.random_seed`
+                in the injected URL.
+        - Passive -- Reworked proofs to remove dynamic content which can interfere
+            with issue uniqueness or removed proofs altogether when not necessary.
+
 ## 1.2.1 _(July 25, 2015)_
 
 - HTTP

Gemfile

@@ -10,7 +10,7 @@ end
 group :spec do
     gem 'simplecov', require: false, group: :test
 
-    gem 'rspec', '2.99'
+    gem 'rspec'
     gem 'faker'
 
     gem 'puma' if !Gem.win_platform? || RUBY_PLATFORM == 'java'

README.md

@@ -3,7 +3,7 @@
 <table>
     <tr>
         <th>Version</th>
-        <td>1.2.1</td>
+        <td>1.3</td>
     </tr>
     <tr>
         <th>Homepage</th>
@@ -196,6 +196,8 @@ Configuration options include:
  - Ability to disable loading images.
  - Adjustable screen width and height.
      - Can be used to analyze responsive and mobile applications.
+ - Ability to wait until certain elements appear in the page.
+ - Configurable local storage data.
 
 ### Coverage
 
@@ -211,7 +213,12 @@ By inspecting all possible pages and their states (when using client-side code)
 Arachni is able to extract and audit the following elements and their inputs:
 
  - Forms
-    - Along with ones that require interaction with a real browser due to DOM events.
+    - Along with ones that require interaction via a real browser due to DOM events.
+ - User-interface Forms
+    - Input and button groups which don't belong to an HTML `<form>` element but
+        are instead associated via JS code.
+ - User-interface Inputs
+    - Orphan `<input>` elements with associated DOM events.
  - Links
     - Along with ones that have client-side parameters in their fragment, i.e.:
         `http://example.com/#/?param=val&param2=val2`
@@ -222,7 +229,7 @@ Arachni is able to extract and audit the following elements and their inputs:
             `http://example.com/#/param/val/param2/val2`
  - Cookies
  - Headers
- - Generic client-side elements like `input`s which have associated DOM events.
+ - Generic client-side elements which have associated DOM events.
  - AJAX-request parameters.
  - JSON request data.
  - XML request data.
@@ -278,14 +285,19 @@ Arachni is able to extract and audit the following elements and their inputs:
     - Forms
         - Can automatically refresh nonce tokens.
         - Can submit them via the integrated browser environment.
+     - User-interface Forms
+        - Input and button groups which don't belong to an HTML `<form>` element
+            but are instead associated via JS code.
+    - User-interface Inputs
+        - Orphan `<input>` elements with associated DOM events.
     - Links
         - Can load them via the integrated browser environment.
     - LinkTemplates
         - Can load them via the integrated browser environment.
     - Cookies
         - Can load them via the integrated browser environment.
     - Headers
-    - Generic client-side DOM elements like `input`s.
+    - Generic client-side DOM elements.
     - JSON request data.
     - XML request data.
  - Can ignore binary/non-text pages.
@@ -433,7 +445,6 @@ Active checks engage the web application via its inputs.
 - XSS in HTML tags (`xss_tag`).
 - XSS in script context (`xss_script_context`).
 - DOM XSS (`xss_dom`).
-- DOM XSS inputs (`xss_dom_inputs`).
 - DOM XSS script context (`xss_dom_script_context`).
 - Source code disclosure (`source_code_disclosure`)
 - XML External Entity (`xxe`).

components/checks/active/ldap_injection/errors.txt

@@ -1,5 +1,6 @@
 supplied argument is not a valid ldap
 javax.naming.NameNotFoundException
+javax.naming.directory.InvalidSearchFilterException
 LDAPException
 com.sun.jndi.ldap
 Search: Bad search filter

components/checks/active/source_code_disclosure.rb

@@ -108,7 +108,7 @@ def run
         return if self.class.payloads.empty?
 
         each_candidate_element do |element|
-            element.taint_analysis( self.class.payloads, self.class.options )
+            element.signature_analysis( self.class.payloads, self.class.options )
         end
     end
 

components/checks/active/unvalidated_redirect.rb

@@ -12,16 +12,16 @@
 # header field to determine whether the attack was successful.
 #
 # @author Tasos "Zapotek" Laskos <[email protected]>
-# @version 0.2.3
-#
 # @see https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
 class Arachni::Checks::UnvalidatedRedirect < Arachni::Check::Base
 
+    BASE_URL = "www.#{Utilities.random_seed}.com"
+
     def self.payloads
         @payloads ||= [
-            'www.arachni-boogie-woogie.com',
-            'https://www.arachni-boogie-woogie.com',
-            'http://www.arachni-boogie-woogie.com'
+            BASE_URL,
+            "https://#{BASE_URL}",
+            "http://#{BASE_URL}"
         ].map { |url| Arachni::URI( url ).to_s }
     end
 
@@ -77,7 +77,7 @@ def self.info
 },
             elements:    ELEMENTS_WITH_INPUTS - [Element::LinkTemplate],
             author:      'Tasos "Zapotek" Laskos <[email protected]>',
-            version:     '0.2.3',
+            version:     '0.2.4',
 
             issue:       {
                 name:            %q{Unvalidated redirect},

components/checks/active/unvalidated_redirect_dom.rb

@@ -9,16 +9,16 @@
 # Unvalidated redirect DOM check.
 #
 # @author Tasos "Zapotek" Laskos <[email protected]>
-# @version 0.1.1
-#
 # @see https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
 class Arachni::Checks::UnvalidatedRedirectDOM < Arachni::Check::Base
 
+    BASE_URL = "www.#{Utilities.random_seed}.com"
+
     def self.payloads
         @payloads ||= [
-            'www.arachni-boogie-woogie.com',
-            'https://www.arachni-boogie-woogie.com',
-            'http://www.arachni-boogie-woogie.com'
+            BASE_URL,
+            "https://#{BASE_URL}",
+            "http://#{BASE_URL}"
         ].map { |url| Arachni::URI( url ).to_s }
     end
 
@@ -54,9 +54,12 @@ def self.info
             description: %q{
 Injects URLs and checks the browser URL to determine whether the attack was successful.
 },
-            elements:    DOM_ELEMENTS_WITH_INPUTS - [Element::LinkTemplate::DOM],
+            elements:    DOM_ELEMENTS_WITH_INPUTS - [
+                Element::LinkTemplate::DOM,
+                Element::UIInput::DOM
+            ],
             author:      'Tasos "Zapotek" Laskos <[email protected]>',
-            version:     '0.1.1',
+            version:     '0.1.2',
 
             issue:       {
                 name:            %q{Unvalidated DOM redirect},