Class: Arachni::Browser

Inherits:

Object

• Object
• Arachni::Browser

Includes:

Support::Mixins::Observable, UI::Output, Utilities

Defined in:

lib/arachni/browser.rb,
lib/arachni/browser/javascript.rb,
lib/arachni/browser/element_locator.rb,
lib/arachni/browser/javascript/dom_monitor.rb,
lib/arachni/browser/javascript/taint_tracer.rb,
lib/arachni/browser/javascript/taint_tracer/frame.rb,
lib/arachni/browser/javascript/taint_tracer/sink/base.rb,
lib/arachni/browser/javascript/taint_tracer/sink/data_flow.rb,
lib/arachni/browser/javascript/taint_tracer/sink/execution_flow.rb,
lib/arachni/browser/javascript/taint_tracer/frame/called_function.rb

Overview

Note:

Depends on PhantomJS 1.9.2.

Real browser driver providing DOM/JS/AJAX support.

Author:

• Tasos “Zapotek” Laskos <tasos.laskos@arachni-scanner.com>

Direct Known Subclasses

Arachni::BrowserCluster::Worker

Defined Under Namespace

Classes: ElementLocator, Error, Javascript

Constant Summary

PHANTOMJS_SPAWN_TIMEOUT =

How much time to wait for the PhantomJS process to spawn before respawning.

4

ELEMENT_APPEARANCE_TIMEOUT =

How much time to wait for a targeted HTML element to appear on the page after the page is loaded.

5

WATIR_COM_TIMEOUT =

Let the browser take as long as it needs to complete an operation.

3600

HTML_IDENTIFIERS =

1 hour.

['<!doctype html', '<html', '<head', '<body', '<title', '<script']

Instance Attribute Summary

• #javascript ⇒ Javascript readonly
• #page_snapshots_with_sinks ⇒ Array<Page> readonly

  Same as #page_snapshots but it doesn’t deduplicate and only contains pages with sink (Page::DOM#data_flow_sinks or Page::DOM#execution_flow_sinks) data as populated by Javascript#data_flow_sinks and Javascript#execution_flow_sinks.

• #pid ⇒ Integer readonly
• #preloads ⇒ Hash readonly

  Preloaded resources, by URL.

• #skip_states ⇒ Support::LookUp::HashSet readonly

  States that have been visited and should be skipped.

• #transitions ⇒ Array<Page::DOM::Transition> readonly
• #watir ⇒ Watir::Browser readonly

  Watir driver interface.

Class Method Summary

• .executable ⇒ String

  Path to the PhantomJS executable.

• .has_executable? ⇒ Bool

  ‘true` if a supported browser is in the OS PATH, `false` otherwise.

Instance Method Summary

• #cache(resource = nil) ⇒ Object
• #capture? ⇒ Bool

  ‘true` if request capturing is enabled, `false` otherwise.

• #capture_snapshot(transition = nil) ⇒ Object
• #captured_pages ⇒ Array<Page>

  Captured HTTP requests performed by the web page (AJAX etc.) converted into forms of pages to assist with analysis and audit.

• #cookies ⇒ Array<Cookie>

  Browser cookies.

• #distribute_event(page, locator, event) ⇒ Object

  Distributes the triggering of ‘event` on the element at `element_index` on `page`.

• #each_element_with_events(mark_state = true) {|ElementLocator, Array<Symbol>| ... } ⇒ Object

  Iterates over all elements which have events and passes their info to the given block.

• #explore_and_flush(depth = nil) ⇒ Array<Page>

  Explores the browser’s DOM tree and captures page snapshots for each state change until there are no more available.

• #fire_event(element, event, options = {}) ⇒ Page::DOM::Transition, false

  Triggers ‘event` on `element`.

• #flush_page_snapshots_with_sinks ⇒ Array<Page>

  Returns #page_snapshots_with_sinks and flushes it.

• #flush_pages ⇒ Array<Page>

  Flushes and returns the captured and snapshot pages.

• #goto(url, options = {}) ⇒ Page::DOM::Transition

  Transition used to replay the resource visit.

• #initialize(options = {}) ⇒ Browser constructor

  A new instance of Browser.

• #load(resource, options = {}) ⇒ Browser

  ‘self`.

• #load_delay ⇒ Object
• #on_fire_event(&block) ⇒ Object
• #on_new_page(&block) ⇒ Object
• #on_new_page_with_sink(&block) ⇒ Object
• #on_response(&block) ⇒ Object
• #page_snapshots ⇒ Array<Page>

  Page snapshots (stored after events have been fired and JS links clicked) with hashes as keys and pages as values.

• #preload(resource) ⇒ Object
• #response ⇒ Object
• #selenium ⇒ Selenium::WebDriver::Driver

  Selenium driver interface.

• #shutdown ⇒ Object
• #skip_path?(path) ⇒ Boolean
• #snapshot_id ⇒ String

  Snapshot ID used to determine whether or not a page snapshot has already been seen.

• #source ⇒ String

  HTML code of the evaluated (DOM/JS/AJAX) page.

• #source_with_line_numbers ⇒ String

  Prefixes each source line with a number.

• #start_capture ⇒ Browser

  Starts capturing requests and parses them into elements of pages, accessible via #captured_pages.

• #stop_capture ⇒ Browser

  Stops the HTTP::Request capture.

• #to_page ⇒ Page

  Converts the current browser window to a page.

• #trigger_event(page, element, event) ⇒ Object

  Triggers ‘event` on the element described by `tag` on `page`.

• #trigger_events ⇒ Browser

  Triggers all events on all elements (once) and captures page snapshots.

• #url ⇒ String

  Current URL.

• #wait_for_timers ⇒ Object

Methods included from Support::Mixins::Observable

included

Methods included from Utilities

#available_port, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_document, #cookies_from_file, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_document, #forms_from_response, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_document, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite

Methods included from UI::Output

#debug?, #debug_off, #debug_on, #disable_only_positives, #included, #mute, #muted?, #only_positives, #only_positives?, #print_bad, #print_debug, #print_debug_backtrace, #print_debug_level_1, #print_debug_level_2, #print_debug_level_3, #print_error, #print_error_backtrace, #print_exception, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #reroute_to_file, #reroute_to_file?, reset_output_options, #unmute, #verbose?, #verbose_on

Constructor Details

#initialize(options = {}) ⇒ Browser

Returns a new instance of Browser.

Parameters:

• options (Hash) (defaults to: {})

Options Hash (options):

• :concurrency (Integer) —

  Maximum number of concurrent connections.

• :store_pages (Bool) — default: true —

  Whether to store pages in addition to just passing them to #on_new_page.

• :width (Integer) — default: 1600 —

  Window width.

• :height (Integer) — default: 1200 —

  Window height.

# File 'lib/arachni/browser.rb', line 125

def initialize( options = {} )
    super()
    @options = options.dup

    @ignore_scope = options[:ignore_scope]

    @width  = options[:width]  || 1600
    @height = options[:height] || 1200

    @proxy = HTTP::ProxyServer.new(
        concurrency:      @options[:concurrency],
        address:          '127.0.0.1',
        request_handler:  proc do |request, response|
            synchronize { exception_jail { request_handler( request, response ) } }
        end,
        response_handler: proc do |request, response|
            synchronize { exception_jail { response_handler( request, response ) } }
        end
    )

    @options[:store_pages] = true if !@options.include?( :store_pages )

    @proxy.start_async

    @watir = ::Watir::Browser.new( selenium )

    # User-controlled response cache, by URL.
    @cache = Support::Cache::LeastRecentlyUsed.new( 200 )

    # User-controlled preloaded responses, by URL.
    @preloads = {}

    # Captured pages -- populated by #capture.
    @captured_pages = []

    # Snapshots of the working page resulting from firing of events and
    # clicking of JS links.
    @page_snapshots = {}

    # Same as @page_snapshots but it doesn't deduplicate and only contains
    # pages with sink (Page::DOM#sink) data as populated by Javascript#flush_sink.
    @page_snapshots_with_sinks = []

    # Captures HTTP::Response objects per URL for open windows.
    @window_responses = {}

    # Keeps track of resources which should be skipped -- like already fired
    # events and clicked links etc.
    @skip_states = Support::LookUp::HashSet.new( hasher: :persistent_hash )

    @transitions = []
    @request_transitions = []
    @add_request_transitions = true

    # Last loaded URL.
    @last_url = nil

    @javascript = Javascript.new( self )

    ensure_open_window
end

Instance Attribute Details

#javascript ⇒ Javascript (readonly)

Returns:

• (Javascript)

# File 'lib/arachni/browser.rb', line 92

def javascript
  @javascript
end

#page_snapshots_with_sinks ⇒ Array<Page> (readonly)

Returns Same as #page_snapshots but it doesn’t deduplicate and only contains pages with sink (Page::DOM#data_flow_sinks or Page::DOM#execution_flow_sinks) data as populated by Arachni::Browser::Javascript#data_flow_sinks and Arachni::Browser::Javascript#execution_flow_sinks.

Returns:

• (Array<Page>) —

  Same as #page_snapshots but it doesn’t deduplicate and only contains pages with sink (Page::DOM#data_flow_sinks or Page::DOM#execution_flow_sinks) data as populated by Arachni::Browser::Javascript#data_flow_sinks and Arachni::Browser::Javascript#execution_flow_sinks.

See Also:

• Arachni::Browser::Javascript#data_flow_sinks
• Arachni::Browser::Javascript#execution_flow_sinks
• Page::DOM#data_flow_sinks
• Page::DOM#execution_flow_sinks

# File 'lib/arachni/browser.rb', line 89

def page_snapshots_with_sinks
  @page_snapshots_with_sinks
end

#pid ⇒ Integer (readonly)

Returns:

• (Integer)

# File 'lib/arachni/browser.rb', line 102

def pid
  @pid
end

#preloads ⇒ Hash (readonly)

Returns Preloaded resources, by URL.

Returns:

• (Hash) —

  Preloaded resources, by URL.

# File 'lib/arachni/browser.rb', line 74

def preloads
  @preloads
end

#skip_states ⇒ Support::LookUp::HashSet (readonly)

Returns States that have been visited and should be skipped.

Returns:

• (Support::LookUp::HashSet) —

  States that have been visited and should be skipped.

See Also:

• #skip_state
• #skip_state?

# File 'lib/arachni/browser.rb', line 99

def skip_states
  @skip_states
end

#transitions ⇒ Array<Page::DOM::Transition> (readonly)

Returns:

• (Array<Page::DOM::Transition>)

# File 'lib/arachni/browser.rb', line 70

def transitions
  @transitions
end

#watir ⇒ Watir::Browser (readonly)

Returns Watir driver interface.

Returns:

• (Watir::Browser) —

  Watir driver interface.

# File 'lib/arachni/browser.rb', line 78

def watir
  @watir
end

Class Method Details

.executable ⇒ String

Returns Path to the PhantomJS executable.

Returns:

• (String) —

  Path to the PhantomJS executable.

# File 'lib/arachni/browser.rb', line 112

def self.executable
    Selenium::WebDriver::PhantomJS.path
end

.has_executable? ⇒ Bool

Returns ‘true` if a supported browser is in the OS PATH, `false` otherwise.

Returns:

• (Bool) —

  ‘true` if a supported browser is in the OS PATH, `false` otherwise.

# File 'lib/arachni/browser.rb', line 106

def self.has_executable?
    !!executable
end

Instance Method Details

#cache(resource = nil) ⇒ Object

Parameters:

• resource (HTTP::Response, Page) (defaults to: nil) —

  Cache a resource in order to be instantly available by URL via #load.

# File 'lib/arachni/browser.rb', line 257

def cache( resource = nil )
    return @cache if !resource

    response =  case resource
                    when HTTP::Response
                        resource

                    when Page
                        resource.response

                    else
                        fail Error::Load,
                             "Can't load resource of type #{resource.class}."
                end

    save_response response
    @cache[response.url] = response
    response.url
end

#capture? ⇒ Bool

Returns ‘true` if request capturing is enabled, `false` otherwise.

Returns:

• (Bool) —

  ‘true` if request capturing is enabled, `false` otherwise.

See Also:

• #start_capture
• #stop_capture

# File 'lib/arachni/browser.rb', line 690

def capture?
    !!@capture
end

#capture_snapshot(transition = nil) ⇒ Object

# File 'lib/arachni/browser.rb', line 726

def capture_snapshot( transition = nil )
    pages = []

    request_transitions = flush_request_transitions
    transitions = ([transition] + request_transitions).flatten.compact

    begin
        # Skip about:blank windows.
        watir.windows( url: /^http/ ).each do |window|
            window.use do
                next if !(page = to_page)

                if pages.empty?
                    transitions.each do |t|
                        @transitions << t
                        page.dom.push_transition t
                    end
                end

                capture_snapshot_with_sink( page )

                unique_id = self.snapshot_id
                next if skip_state? unique_id
                skip_state unique_id

                notify_on_new_page( page )

                if store_pages?
                    @page_snapshots[unique_id.hash] = page
                    pages << page
                end
            end
        end
    rescue => e
        print_debug "Could not capture snapshot for: #{@last_url}"

        if transition
            print_debug "-- #{transition}"
        end

        print_debug
        print_debug_exception e
    end

    pages
end

#captured_pages ⇒ Array<Page>

Returns Captured HTTP requests performed by the web page (AJAX etc.) converted into forms of pages to assist with analysis and audit.

Returns:

• (Array<Page>) —

  Captured HTTP requests performed by the web page (AJAX etc.) converted into forms of pages to assist with analysis and audit.

# File 'lib/arachni/browser.rb', line 704

def captured_pages
    @captured_pages
end

#cookies ⇒ Array<Cookie>

Returns Browser cookies.

Returns:

• (Array<Cookie>) —

  Browser cookies.

# File 'lib/arachni/browser.rb', line 799

def cookies
    js_cookies = begin
        # Watir doesn't tell us if cookies are HttpOnly, so we need to figure
        # this out ourselves, by checking for JS visibility.
        javascript.run( 'return document.cookie' )
    # We may not have a page.
    rescue Selenium::WebDriver::Error::UnknownError
        ''
    end

    watir.cookies.to_a.map do |c|
        original_name = c[:name].to_s

        c[:path]     = '/' if c[:path] == '//'
        c[:name]     = Cookie.decode( c[:name].to_s )
        c[:value]    = Cookie.decode( c[:value].to_s )
        c[:httponly] = !js_cookies.include?( original_name )

        Cookie.new c.merge( url: @last_url )
    end
end

#distribute_event(page, locator, event) ⇒ Object

Note:

Only used when running as part of Arachni::BrowserCluster to distribute page analysis across a pool of browsers.

Distributes the triggering of ‘event` on the element at `element_index` on `page`.

Parameters:

• page (Page)
• locator (ElementLocator)
• event (Symbol)

# File 'lib/arachni/browser.rb', line 514

def distribute_event( page, locator, event )
    trigger_event( page, locator, event )
end

#each_element_with_events(mark_state = true) {|ElementLocator, Array<Symbol>| ... } ⇒ Object

Note:

Will skip non-visible elements as they can’t be manipulated.

Iterates over all elements which have events and passes their info to the given block.

Parameters:

• mark_state (Bool) (defaults to: true) —

  Mark each element/events as visited and skip it if it has already been seen.

Yields:

• (ElementLocator, Array<Symbol>) —

  Hash with information about the element, its tag name, applicable events along with their handlers and attributes.

# File 'lib/arachni/browser.rb', line 381

def each_element_with_events( mark_state = true )
    current_url = url

    javascript.dom_elements_with_events.each do |element|
        tag_name   = element['tag_name']
        attributes = element['attributes']
        events     = element['events']

        case tag_name
            when 'a'
                href = attributes['href'].to_s

                if !href.empty?
                    if href.start_with?( 'javascript:' )
                        events << [ :click, href ]
                    else
                        next if skip_path?( to_absolute( href, current_url ) )
                    end
                end

            when 'input'
                if attributes['type'].to_s.downcase == 'image'
                    events << [ :click, 'image' ]
                end

            when 'form'
                action = attributes['action'].to_s

                if !action.empty?
                    if action.start_with?( 'javascript:' )
                        events << [ :submit, action ]
                    else
                        next if skip_path?( to_absolute( action, current_url ) )
                    end
                end
        end

        state = "#{tag_name}#{attributes}#{events}"
        next if events.empty? || (mark_state && skip_state?( state ))
        skip_state state if mark_state

        yield ElementLocator.new( tag_name: tag_name, attributes: attributes ),
                events
    end

    self
end

#explore_and_flush(depth = nil) ⇒ Array<Page>

Explores the browser’s DOM tree and captures page snapshots for each state change until there are no more available.

Parameters:

• depth (Integer) (defaults to: nil) —

  How deep to go into the DOM tree.

Returns:

• (Array<Page>) —

  Page snapshots for each state.

# File 'lib/arachni/browser.rb', line 353

def explore_and_flush( depth = nil )
    pages         = [ to_page ]
    current_depth = 0

    loop do
        bcnt   = pages.size
        pages |= pages.map { |p| load( p ).trigger_events.flush_pages }.flatten

        break if pages.size == bcnt || (depth && depth >= current_depth)

        current_depth += 1
    end

    pages.compact
end

#fire_event(element, event, options = {}) ⇒ Page::DOM::Transition, false

Triggers ‘event` on `element`.

Parameters:

• element (Watir::Element, ElementLocator)
• event (Symbol)
• options (Hash) (defaults to: {})

Options Hash (options):

• :inputs (Hash<Symbol,String=>String>) —

  Values to use to fill-in inputs. Keys should be input names or ids.

  Defaults to using OptionGroups::Input if not specified.

Returns:

• (Page::DOM::Transition, false) —

  Transition if the operation was successful, ‘nil` otherwise.

# File 'lib/arachni/browser.rb', line 557

def fire_event( element, event, options = {} )
    event   = event.to_s.downcase.sub( /^on/, '' ).to_sym
    locator = nil

    options[:inputs] = options[:inputs].my_stringify if options[:inputs]

    if element.is_a? ElementLocator
        locator = element

        begin
            element = element.locate( self )
        rescue Selenium::WebDriver::Error::UnknownError,
            Watir::Exception::UnknownObjectException => e

            print_debug "Element '#{locator}' could not be located for triggering '#{event}'."
            print_debug
            print_debug_exception e
            return
        end
    end

    # The page may need a bit to settle and the element is lazily located
    # by Watir so give it a few tries.
    begin
        with_timeout ELEMENT_APPEARANCE_TIMEOUT do
            sleep 0.1 while !element.exists?
        end
    rescue Timeout::Error
        print_debug_level_2 "#{locator} did not appear in #{ELEMENT_APPEARANCE_TIMEOUT}."
        return
    end

    if !element.visible?
        print_debug_level_2 "#{locator} is not visible, skipping..."
        return
    end

    if locator
        opening_tag = locator.to_s
        tag_name    = locator.tag_name
    else
        opening_tag = element.opening_tag
        tag_name    = element.tag_name
        locator     = ElementLocator.from_html( opening_tag )
    end

    print_debug_level_2 "#{__method__}: #{event} (#{options}) #{locator}"

    tag_name = tag_name.to_sym

    notify_on_fire_event( element, event )

    tries = 0
    begin
        Page::DOM::Transition.new( locator, event, options ) do
            had_special_trigger = false

            if tag_name == :form
                fill_in_form_inputs( element, options[:inputs] )

                if event == :submit
                    had_special_trigger = true
                    element.submit
                end

            elsif tag_name == :input && event == :click &&
                    element.attribute_value(:type) == 'image'

                had_special_trigger = true
                watir.button( type: 'image' ).click

            elsif [:keyup, :keypress, :keydown, :change, :input, :focus, :blur, :select].include? event

                # Some of these need an explicit event triggers.
                had_special_trigger = true if ![:change, :blur, :focus, :select].include? event

                element.send_keys( (options[:value] || value_for( element )).to_s )
            end

            element.fire_event( event ) if !had_special_trigger
            wait_for_pending_requests
        end
    rescue Selenium::WebDriver::Error::InvalidElementStateError,
        Selenium::WebDriver::Error::UnknownError,
        Watir::Exception::UnknownObjectException => e

        sleep 0.1

        tries += 1
        retry if tries < 5

        print_debug "Error when triggering event for: #{url}"
        print_debug "-- '#{event}' on: #{opening_tag}"
        print_debug
        print_debug_exception e

        nil
    end
end

#flush_page_snapshots_with_sinks ⇒ Array<Page>

Returns #page_snapshots_with_sinks and flushes it.

Returns:

• (Array<Page>) —

  Returns #page_snapshots_with_sinks and flushes it.

# File 'lib/arachni/browser.rb', line 775

def flush_page_snapshots_with_sinks
    @page_snapshots_with_sinks.dup
ensure
    @page_snapshots_with_sinks.clear
end

#flush_pages ⇒ Array<Page>

Returns Flushes and returns the captured and snapshot pages.

Returns:

• (Array<Page>) —

  Flushes and returns the captured and snapshot pages.

See Also:

• #captured_pages
• #page_snapshots
• #start_capture
• #stop_capture
• #capture?

# File 'lib/arachni/browser.rb', line 790

def flush_pages
    captured_pages + page_snapshots
ensure
    @captured_pages.clear
    @page_snapshots.clear
end

#goto(url, options = {}) ⇒ Page::DOM::Transition

Returns Transition used to replay the resource visit.

Parameters:

• url (String) —

  Loads the given URL in the browser.

• options (Hash) (defaults to: {})
• [Bool] (Hash) —

  a customizable set of options

• [Array<Cookie>] (Hash) —

  a customizable set of options

Returns:

• (Page::DOM::Transition) —

  Transition used to replay the resource visit.

# File 'lib/arachni/browser.rb', line 287

def goto( url, options = {} )
    take_snapshot      = options.include?(:take_snapshot) ?
        options[:take_snapshot] : true
    extra_cookies      = options[:cookies] || {}
    update_transitions = options.include?(:update_transitions) ?
        options[:update_transitions] : true

    pre_add_request_transitions = @add_request_transitions
    if !update_transitions
        @add_request_transitions = false
    end

    @last_url = url

    ensure_open_window

    load_cookies url, extra_cookies

    transition = Page::DOM::Transition.new( :page, :load,
        url:     url,
        cookies: extra_cookies
    ) do
        watir.goto url

        @javascript.wait_till_ready
        wait_for_timers

        wait_for_pending_requests

        javascript.set_element_ids
    end

    if @add_request_transitions
        @transitions << transition
    end

    @add_request_transitions = pre_add_request_transitions

    HTTP::Client.update_cookies cookies

    # Capture the page at its initial state.
    capture_snapshot if take_snapshot

    transition
end

#load(resource, options = {}) ⇒ Browser

Returns ‘self`.

Parameters:

• resource (String, HTTP::Response, Page) —

  Loads the given resource in the browser. If it is a string it will be treated like a URL.

Returns:

• (Browser) —

  ‘self`

# File 'lib/arachni/browser.rb', line 201

def load( resource, options = {} )
    @last_dom_url = nil

    case resource
        when String
            goto resource, options

        when HTTP::Response
            goto preload( resource ), options

        when Page
            HTTP::Client.update_cookies resource.cookie_jar

            @transitions = resource.dom.transitions.dup
            update_skip_states resource.dom.skip_states

            @last_dom_url = resource.dom.url

            @add_request_transitions = false if @transitions.any?
            resource.dom.restore self
            @add_request_transitions = true

        else
            fail Error::Load,
                 "Can't load resource of type #{resource.class}."
    end

    self
end

#load_delay ⇒ Object

# File 'lib/arachni/browser.rb', line 827

def load_delay
    #(intervals + timeouts).map { |t| t[1] }.max
    @javascript.timeouts.compact.map { |t| t[1].to_i }.max
end

#on_fire_event(&block) ⇒ Object

# File 'lib/arachni/browser.rb', line 30

advertise :on_fire_event

#on_new_page(&block) ⇒ Object

# File 'lib/arachni/browser.rb', line 33

advertise :on_new_page

#on_new_page_with_sink(&block) ⇒ Object

# File 'lib/arachni/browser.rb', line 36

advertise :on_new_page_with_sink

#on_response(&block) ⇒ Object

# File 'lib/arachni/browser.rb', line 39

advertise :on_response

#page_snapshots ⇒ Array<Page>

Returns Page snapshots (stored after events have been fired and JS links clicked) with hashes as keys and pages as values.

Returns:

• (Array<Page>) —

  Page snapshots (stored after events have been fired and JS links clicked) with hashes as keys and pages as values.

# File 'lib/arachni/browser.rb', line 697

def page_snapshots
    @page_snapshots.values
end

#preload(resource) ⇒ Object

Note:

The preloaded resource will be removed once used, for a persistent cache use #cache.

Parameters:

• resource (HTTP::Response, Page) —

  Preloads a resource to be instantly available by URL via #load.

# File 'lib/arachni/browser.rb', line 236

def preload( resource )
    response =  case resource
                    when HTTP::Response
                        resource

                    when Page
                        resource.response

                    else
                        fail Error::Load,
                             "Can't load resource of type #{resource.class}."
                end

    save_response( response ) if !response.url.include?( request_token )

    @preloads[response.url] = response
    response.url
end

#response ⇒ Object

# File 'lib/arachni/browser.rb', line 843

def response
    u = watir.url

    return if skip_path?( u )

    begin
        with_timeout Options.http.request_timeout / 1_000 do
            while !(r = get_response(u))
                sleep 0.1
            end

            fail Timeout::Error if r.timed_out?

            return r
        end
    rescue Timeout::Error
        print_debug "Response for '#{u}' never arrived."
    end

    nil
end

#selenium ⇒ Selenium::WebDriver::Driver

Returns Selenium driver interface.

Returns:

• (Selenium::WebDriver::Driver) —

  Selenium driver interface.

# File 'lib/arachni/browser.rb', line 867

def selenium
    return @selenium if @selenium

    client = Selenium::WebDriver::Remote::Http::Typhoeus.new
    client.timeout = WATIR_COM_TIMEOUT

    @selenium = Selenium::WebDriver.for(
        :remote,

        # We need to spawn our own PhantomJS process because Selenium's
        # way sometimes gives us zombies.
        url:                  spawn_browser,
        desired_capabilities: capabilities,
        http_client:          client
    )
end

#shutdown ⇒ Object

# File 'lib/arachni/browser.rb', line 333

def shutdown
    watir.close if browser_alive?
    kill_process
    @proxy.shutdown
end

#skip_path?(path) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/arachni/browser.rb', line 839

def skip_path?( path )
    enforce_scope? && super( path )
end

#snapshot_id ⇒ String

Returns Snapshot ID used to determine whether or not a page snapshot has already been seen. Uses both elements and their DOM events and possible audit workload to determine the ID, as page snapshots should be retained both when further browser analysis can be performed and when new element audit workload (but possibly without any DOM relevance) is available.

Returns:

• (String) —

  Snapshot ID used to determine whether or not a page snapshot has already been seen. Uses both elements and their DOM events and possible audit workload to determine the ID, as page snapshots should be retained both when further browser analysis can be performed and when new element audit workload (but possibly without any DOM relevance) is available.

# File 'lib/arachni/browser.rb', line 435

def snapshot_id
    current_url = url

    id = []
    javascript.dom_elements_with_events.each do |element|
        tag_name   = element['tag_name']
        attributes = element['attributes']
        events     = element['events']

        case tag_name
            when 'a'
                href = attributes['href'].to_s

                if !href.empty?
                    if href.start_with?( 'javascript:' )
                        events << [ :click, href ]
                    else
                        absolute = to_absolute( href, current_url )
                        if !skip_path?( absolute )
                            events << [ :click, absolute ]
                        end
                    end
                else
                    events << [ :click, current_url ]
                end

            when 'input', 'textarea', 'select'
                events << [ tag_name.to_sym ]

            when 'form'
                action = attributes['action'].to_s

                if !action.empty?
                    if action.start_with?( 'javascript:' )
                        events << [ :submit, action ]
                    else
                        absolute = to_absolute( action, current_url )
                        if !skip_path?( absolute )
                            events << [ :submit, absolute ]
                        end
                    end
                else
                    events << [ :submit, current_url ]
                end
        end

        next if events.empty?
        id << "#{tag_name}#{attributes}#{events}".hash
    end

    id.sort.to_s
end

#source ⇒ String

Returns HTML code of the evaluated (DOM/JS/AJAX) page.

Returns:

• (String) —

  HTML code of the evaluated (DOM/JS/AJAX) page.

# File 'lib/arachni/browser.rb', line 823

def source
    watir.html
end

#source_with_line_numbers ⇒ String

Returns Prefixes each source line with a number.

Returns:

• (String) —

  Prefixes each source line with a number.

# File 'lib/arachni/browser.rb', line 189

def source_with_line_numbers
    source.lines.map.with_index do |line, i|
        "#{i+1} - #{line}"
    end.join
end

#start_capture ⇒ Browser

Starts capturing requests and parses them into elements of pages, accessible via #captured_pages.

Returns:

• (Browser) —

  ‘self`

See Also:

• #stop_capture
• #capture?
• #captured_pages
• #flush_pages

# File 'lib/arachni/browser.rb', line 667

def start_capture
    @capture = true
    self
end

#stop_capture ⇒ Browser

Stops the HTTP::Request capture.

Returns:

• (Browser) —

  ‘self`

See Also:

• #start_capture
• #capture?
• #flush_pages

# File 'lib/arachni/browser.rb', line 680

def stop_capture
    @capture = false
    self
end

#to_page ⇒ Page

Returns Converts the current browser window to a page.

Returns:

• (Page) —

  Converts the current browser window to a page.

# File 'lib/arachni/browser.rb', line 710

def to_page
    return if !(r = response)

    page         = r.to_page
    page.body    = source

    page.dom.url                  = watir.url
    page.dom.digest               = @javascript.dom_digest
    page.dom.execution_flow_sinks = @javascript.execution_flow_sinks
    page.dom.data_flow_sinks      = @javascript.data_flow_sinks
    page.dom.transitions          = @transitions.dup
    page.dom.skip_states          = skip_states.dup

    page
end

#trigger_event(page, element, event) ⇒ Object

Note:

Captures page #page_snapshots.

Triggers ‘event` on the element described by `tag` on `page`.

Parameters:

• page (Page) —

  Page containing the element’s ‘tag`.

• element (ElementLocator)
• event (Symbol) —

  Event to trigger.

# File 'lib/arachni/browser.rb', line 527

def trigger_event( page, element, event )
    event = event.to_sym
    transition = fire_event( element, event )

    if !transition
        print_info "Could not trigger '#{event}' on '#{element}' because" <<
            ' the page has changed, capturing a new snapshot.'
        capture_snapshot

        print_info 'Restoring page.'
        restore page
        return
    end

    capture_snapshot( transition )
    restore page
end

#trigger_events ⇒ Browser

Triggers all events on all elements (once) and captures page snapshots.

Returns:

• (Browser) —

  ‘self`

# File 'lib/arachni/browser.rb', line 493

def trigger_events
    root_page = to_page

    each_element_with_events do |locator, events|
        events.each do |name, _|
            distribute_event( root_page, locator, name.to_sym )
        end
    end

    self
end

#url ⇒ String

Returns Current URL.

Returns:

• (String) —

  Current URL.

# File 'lib/arachni/browser.rb', line 341

def url
    normalize_url watir.url
end

#wait_for_timers ⇒ Object

# File 'lib/arachni/browser.rb', line 832

def wait_for_timers
    delay = load_delay
    return if !delay

    sleep [Options.http.request_timeout, delay].min / 1000.0
end