Commit b520d69c authored by Mati

Imported Upstream version 0.4.1.3+git20130321

script: "bundle exec rake spec:core"
rvm:
- 1.9.2
- 1.9.3
branches:
only:
- master
- experimental
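Review bot: `script: "bundle exec rake spec:core"` runs only the core specs, so the `spec:modules`, `spec:reports`, `spec:plugins` and `spec:path_extractors` tasks defined in the Rakefile of this same commit never run in CI. If those suites are deliberately excluded (too slow, need network access), say so in a comment here; otherwise add them to the script so regressions in the modules, plug-ins, reports and path extractors are caught on `master` and `experimental`.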
--title "Arachni - Web Application Security Scanner Framework"
path_extractors/**/*.rb
plugins/**/*.rb
reports/**/*.rb
modules/**/*.rb
rpcd_handlers/**/*.rb
lib/**/*.rb
-
EXPLOITATION.md
HACKING.md
CHANGELOG.md
LICENSE.md
AUTHORS.md
CONTRIBUTORS.md
ACKNOWLEDGMENTS.md
# Acknowledgments
I’d like to thank:
- Mr. Miles Wolbe (owner of [TinyApps.Org](http://tinyapps.org/))
- Mr. Colin Davis (owner of [Lonava.com](http://lonava.com/))
- The good folks from [KATHO.be](http://www.katho.be/)
- Scott Buffington (owner of [BrutalDeluxe.us](http://brutaldeluxe.us/))
- The people who preferred to remain anonymous
for allowing me to test Arachni against their websites during the early stages of development.
All the people on [GitHub](http://github.com/Arachni/arachni/issues)
who have submitted bugs and given constructive feedback.
# Authors
Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
# Contributors
These are the people that helped improve Arachni either by submitting code, suggestions or testing it.
- [Matías Aereal Aeón](http://mfsec.com.ar/), for general suggestions and beta testing.
- [Christos Chiotis](mailto:chris@survivetheinternet.com) for designing the new HTML report template.
- [Brandon Potter](mailto:bpotter8705@gmail.com) for the original "arachni_web_autostart" script
- [Steve Pinkham](http://github.com/spinkham) for beta testing and patches.
- [Aung Khant](mailto:aungkhant@yehg.net) for general suggestions.
- [Herman Stevens](mailto:herman@astyran.com) for contributing recon modules.
- [Edwin van Andel](mailto:evanandel@yafsec.com) for contributing *BSD patches and testing the build script.
- [Dan Woodruff](mailto:daniel.woodruff@gmail.com) for contributing OSX patches and testing the build script.
- [Robert Gouin](mailto:rgouin@webmaxdb.com) for relentless testing.
- [Evan Beard](mailto:beard.evan@gmail.com) for feedback and patches.
A big thanks to my buddy [Andreas](mailto:rainmakergr@gmail.com) for the original spider drawing used in the project graphics.
source :rubygems
gemspec
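Review bot: `source :rubygems` should be written as `source 'https://rubygems.org'`. Bundler deprecated the `:rubygems` symbol because it resolves to the plain-HTTP index, which leaves gem downloads open to tampering in transit; the explicit HTTPS URL fixes the transport.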
# Hacking the Framework
This file contains some brief instructions on contributing to Arachni.
## Code Style
In order to maintain consistency and keep the code pretty you should
adhere to the following guidelines:
- 4 spaces, no tabs.
- Maximum line length 75-80 columns, try not to exceed that limit.
- For single-line blocks, use:
```ruby
arr.each { |item| stuff( item ) }
```
- For multi-line blocks which expect parameters use:
```ruby
arr.each do |item|
stuff( item )
end
```
- Use space before, between, and after method parameters:
```ruby
my_method( param1, param2 )
```
- Use the new syntax when defining hashes, i.e. ':' instead of '=>'.
- Use '?' at the end of methods which are expected to return a boolean result.
- Use '!' at the end of methods only for ones which perform a similar operation
but requiring extra attention from the ones without.
Do not use it to just signify destructive action.
In general, take a look at the existing code and try to follow that style **but**
keep in mind that these guidelines should be given higher priority.
## Code No-Nos
**1. Don't print to standard output.**<br/>
The interface in use won't be able to see your output and route it
accordingly.
Arachni provides you with wrappers that you can use, take a look in {Arachni::UI::Output}.<br/>
All UIs will provide these methods to handle your output, use them.
**2. Don't use "sleep".**<br/>
It is unlikely that you will need it, but if you do, use
`select(nil, nil, nil, <time>)` instead to avoid multi-threading issues.
**3. Avoid creating your own instance of Net::HTTP or other lib.**<br/>
You are provided with a pre-configured wrapper ({Arachni::Module::Auditor#http}) of [Typhoeus](http://github.com/pauldix/typhoeus).
Take a look in the tutorial module to see what you get: {Arachni::Modules::RFI}
The base module will also give you some insights: {Arachni::Module::Base}
If you absolutely have to bypass Arachni's facilities you must obey the
run-time settings in {Arachni::Options}.
## Creating New Modules
Arachni provides you with examples for the usual types of modules.
This is your main guide: {Arachni::Modules::RFI}
This covers most of the usual tasks when writing a module.
It lets Arachni do all the work.
For something more elaborate look in:<br/>
- {Arachni::Modules::ResponseSplitting}<br/>
- {Arachni::Modules::SQLInjection}
These modules do their own vulnerability checking and logging.
One last note.
You're probably going to be working with large arrays of strings,
either regular expressions or strings to inject to the webapp,
so it's better to keep them in an external file under:
modules/<modtype>/<modname>/
Use "{Arachni::Module::Utilities#read_file}`( filename ){ |line| }`" to get the file line by line.<br/>
You just pass the filename (no path), `read_file()` will take care of the rest.
This will make the strings easier to update and keep your modules smaller.
In general, before writing a module copy an existing one that's close
to your needs and modify it.
## Creating New Reports
The only thing that you should keep in mind when creating a new report
is to adhere to the structure shown in: {Arachni::Reports::AP}.<br/>
Also look in: {Arachni::Report::Base}.
If you want your users to be able to customize the report you can
provide them with a set of options, as in {Arachni::Reports::HTML}'s `self.info()` return hash.
Keep in minds though that Arachni does not do any checking for these options,
you will have to take care of that yourself.
However, do provide an appropriate default `outfile` value in `initialize()`.
Other than that you can do whatever you want, you have all of Ruby's
power to work with.
## Creating New Plug-ins
Unlike the two previous types of components plug-ins are demi-gods.<br/>
Each plug-in is passed the instance of the running framework to do with it what it pleases.<br/>
Via the framework they have access to all Arachni subsystems and can alter or extend Arachni's behavior on the fly.<br/>
Plug-ins run in parallel to the framework and are executed right before the scan process starts.
## Licensing
All code must be contributed with an Apache License Version 2.0 compatible license.
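Review bot: the "Creating New Plug-ins" section says each plug-in is handed the running framework instance and can alter Arachni's behavior on the fly, but it never spells out what that means for trust. Add a sentence stating that a plug-in runs with everything the scanner process can reach, so users should load only plug-ins from a source they trust. In "Creating New Reports", "Keep in minds though" should read "Keep in mind though", and because Arachni does no checking of report options, the section should say what a report is expected to validate for `outfile` before writing to it.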
Arachni Web Application Security Scanner Framework
Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
This product includes code from the Arachni Web Application Security Scanner Framework
developed by Tasos Laskos <tasos.laskos@gmail.com>.
Arachni is free software and is released under the Apache License Version 2.0
http://www.apache.org/licenses/LICENSE-2.0.txt
More information about the Arachni project can be found at:
http://arachni-scanner.com
https://github.com/Arachni/arachni
=begin
Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
=end
require 'bundler'
require File.expand_path( File.dirname( __FILE__ ) ) + '/lib/arachni/version'
begin
require 'rspec'
require 'rspec/core/rake_task'
namespace :spec do
RSpec::Core::RakeTask.new( :core ) do |t|
t.pattern = FileList[ "spec/arachni/**/*_spec.rb" ]
end
RSpec::Core::RakeTask.new( :modules ) do |t|
t.pattern = FileList[ "spec/modules/**/*_spec.rb" ]
end
RSpec::Core::RakeTask.new( :reports ) do |t|
t.pattern = FileList[ "spec/reports/**/*_spec.rb" ]
end
RSpec::Core::RakeTask.new( :plugins ) do |t|
t.pattern = FileList[ "spec/plugins/**/*_spec.rb" ]
end
RSpec::Core::RakeTask.new( :path_extractors ) do |t|
t.pattern = FileList[ "spec/path_extractors/**/*_spec.rb" ]
end
end
RSpec::Core::RakeTask.new
rescue LoadError
puts 'If you want to run the tests please install rspec first:'
puts ' gem install rspec'
end
desc "Generate docs"
task :docs do
outdir = "../arachni-docs"
sh "rm -rf #{outdir}"
sh "mkdir -p #{outdir}"
sh "yardoc -o #{outdir}"
sh "rm -rf .yardoc"
end
desc "Generate graphics"
task :gfx do
outdir = 'gfx/compiled'
srcdir = 'gfx/source'
sh 'mkdir -p ~/.fonts'
sh 'cp gfx/font/Beneath_the_Surface.ttf ~/.fonts'
Dir.glob( "#{srcdir}/*.svg" ).each do |src|
sh "inkscape #{src} --export-png=#{outdir}/#{File.basename( src, '.svg' )}.png"
end
cp "#{outdir}/icon.png", "#{outdir}/favicon.ico"
sh 'rm -f ~/.fonts/Beneath_the_Surface.ttf'
end
#
# Simple profiler using perftools[1].
#
# To install perftools for Ruby:
# gem install perftools.rb
#
# [1] https://github.com/tmm1/perftools.rb
#
desc "Profile Arachni"
task :profile do
if !Gem::Specification.find_all_by_name( 'perftools.rb' ).empty?
sh "CPUPROFILE_FREQUENCY=500 CPUPROFILE=/tmp/profile.dat " +
"RUBYOPT=\"-r`gem which perftools | tail -1`\" " +
" ./bin/arachni http://demo.testfire.net && " +
"pprof.rb --gif /tmp/profile.dat > profile.gif"
else
puts 'If you want to run the profiler please install perftools.rb first:'
puts ' gem install perftools.rb'
end
end
#
# Cleans reports and logs
#
desc "Cleaning report and log files."
task :clean do
sh "rm error.log || true"
sh "rm *.afr || true"
sh "rm *.yaml || true"
sh "rm *.json || true"
sh "rm *.marshal || true"
sh "rm *.gem || true"
sh "rm logs/*.log || true"
sh "rm spec/logs/*.log || true"
sh "rm lib/arachni/ui/web/server/db/*.* || true"
sh "rm lib/arachni/ui/web/server/db/welcomed || true"
sh "rm lib/arachni/ui/web/server/public/reports/*.* || true"
sh "rm lib/arachni/ui/web/server/tmp/*.* || true"
end
Bundler::GemHelper.install_tasks
desc "Push a new version to RubyGems"
task :publish => [ :release ]
desc "Build Arachni and run all the tests."
task :default => [ :build, :spec ]
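Review bot: the `:profile` task writes to the fixed path `/tmp/profile.dat`, which is predictable in a world-writable directory, and it scans the third-party host `http://demo.testfire.net` every time it runs. Take the profile path from a fresh temporary directory (for example via `Dir.mktmpdir`) and make the target URL a task argument or environment variable. In `:gfx`, the `inkscape` command interpolates `#{src}` into a shell string unquoted; passing the arguments to `sh` separately avoids word splitting on file names with spaces or shell metacharacters. In `:clean`, `rm *.yaml` and `rm *.json` delete every such file in the working directory, not only scan output, which deserves a narrower pattern or at least a comment.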
=begin
Copyright 2010-2012 Tasos Laskos <tasos.laskos@gmail.com>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
=end
Gem::Specification.new do |s|
require File.expand_path( File.dirname( __FILE__ ) ) + '/lib/arachni/version'
s.required_ruby_version = '>= 1.9.2'
s.name = "arachni"
s.version = Arachni::VERSION
s.date = Time.now.strftime( '%Y-%m-%d' )
s.summary = "Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications."
s.homepage = "https://github.com/Arachni/arachni"
s.email = "tasos.laskos@gmail.com"
s.authors = [ "Tasos Laskos" ]
s.files += Dir.glob("conf/**/**")
s.files += Dir.glob("data/**/**")
s.files += Dir.glob("external/**/**")
s.files += Dir.glob("extras/**/**")
s.files += Dir.glob("gfx/**/**")
s.files += Dir.glob("lib/**/**")
s.files += Dir.glob("logs/**/**")
s.files += Dir.glob("modules/**/**")
s.files += Dir.glob("path_extractors/**/**")
s.files += Dir.glob("plugins/**/**")
s.files += Dir.glob("profiles/**/**")
s.files += Dir.glob("reports/**/**")
s.files += Dir.glob("rpcd_handlers/**/**")
s.files += Dir.glob("spec/**/**")
s.files += %w(Gemfile Rakefile arachni.gemspec)
s.executables = [ "arachni", "arachni_rpcd_monitor",
"arachni_rpcd", "arachni_rpc", "arachni_web",
"arachni_web_autostart", "arachni_console",
"arachni_script" ]
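Review bot: `s.files += Dir.glob("logs/**/**")` packages whatever happens to be in the working tree, and the same holds for `lib/**/**` and `spec/**/**`, which cover the `lib/arachni/ui/web/server/db`, `public/reports`, `tmp` and `spec/logs` paths that the Rakefile's `:clean` task exists to empty. A gem built from a tree that has been used for scanning would ship scan logs, the web UI database and generated reports. Drop `logs/**/**` from the list and exclude those runtime paths, or build the file list from version control. `s.date = Time.now.strftime( '%Y-%m-%d' )` also makes the built gem depend on the build day, which works against reproducible builds.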