Class: Arachni::Page::DOM

Inherits:

Object

• Object
• Arachni::Page::DOM

Defined in:

lib/arachni/page/dom.rb,
lib/arachni/page/dom/transition.rb

Overview

Static DOM snapshot as computed by a real browser.

Author:

• Tasos “Zapotek” Laskos <tasos.laskos@arachni-scanner.com>

Defined Under Namespace

Classes: Error, Transition

Constant Summary

IGNORE_FROM_HASH =

Ignore these elements when calculating a #hash.

Set.new([ 'text', 'p' ])

Instance Attribute Summary

• #data_flow_sinks ⇒ Array

  Browser::Javascript::TaintTracer#data_flow_sinks data.

• #digest ⇒ String

  String digest of the DOM tree.

• #execution_flow_sinks ⇒ Array

  Browser::Javascript::TaintTracer#execution_flow_sinks data.

• #page ⇒ Page readonly

  Page to which this DOM state is attached.

• #skip_states ⇒ Support::LookUp::HashSet
• #transitions ⇒ Array<Transition>

  Transitions representing the steps required to convert a DOM snapshot to a live Browser page.

• #url ⇒ String

  URL of the page as seen by the user-agent, fragments and all.

Class Method Summary

• .from_rpc_data(data) ⇒ DOM

Instance Method Summary

• #==(other) ⇒ Object
• #===(other) ⇒ Bool

  ‘true` if the compared DOM trees are effectively the same, `false` otherwise.

• #depth ⇒ Integer

  Depth of the current DOM – sum of #transitions Transition#depths that had to be triggered to reach the current state.

• #hash ⇒ Object
• #initialize(options) ⇒ DOM constructor

  A new instance of DOM.

• #playable_transitions ⇒ Object
• #print_transitions(printer, indent = '') ⇒ Object
• #push_transition(transition) ⇒ Object
• #restore(browser, take_snapshot = true) ⇒ Browser^?

  Loads the page and restores it to its captured state.

• #to_h ⇒ Hash
• #to_hash ⇒ Object
• #to_rpc_data ⇒ Hash

  Data representing this instance that are suitable the RPC transmission.

• #to_s ⇒ Object

Constructor Details

#initialize(options) ⇒ DOM

Returns a new instance of DOM.

Parameters:

• options (Hash)

Options Hash (options):

• :page (Page)
• :transitions (Array<Hash>)

# File 'lib/arachni/page/dom.rb', line 57

def initialize( options )
    @page                 = options[:page]
    self.url              = options[:url]                   || @page.url
    self.digest           = options[:digest]
    @transitions          = options[:transitions]           || []
    @data_flow_sinks      = options[:data_flow_sinks]       || []
    @execution_flow_sinks = options[:execution_flow_sinks]  || []
    @skip_states          = options[:skip_states]           ||
        Support::LookUp::HashSet.new( hasher: :persistent_hash )
end

Instance Attribute Details

#data_flow_sinks ⇒ Array

Returns Browser::Javascript::TaintTracer#data_flow_sinks data.

Returns:

• (Array) —

  Browser::Javascript::TaintTracer#data_flow_sinks data.

# File 'lib/arachni/page/dom.rb', line 36

def data_flow_sinks
  @data_flow_sinks
end

#digest ⇒ String

Returns String digest of the DOM tree.

Returns:

• (String) —

  String digest of the DOM tree.

# File 'lib/arachni/page/dom.rb', line 44

def digest
  @digest
end

#execution_flow_sinks ⇒ Array

Returns Browser::Javascript::TaintTracer#execution_flow_sinks data.

Returns:

• (Array) —

  Browser::Javascript::TaintTracer#execution_flow_sinks data.

# File 'lib/arachni/page/dom.rb', line 40

def execution_flow_sinks
  @execution_flow_sinks
end

#page ⇒ Page (readonly)

Returns Page to which this DOM state is attached.

Returns:

• (Page) —

  Page to which this DOM state is attached.

# File 'lib/arachni/page/dom.rb', line 52

def page
  @page
end

#skip_states ⇒ Support::LookUp::HashSet

Returns:

• (Support::LookUp::HashSet)

# File 'lib/arachni/page/dom.rb', line 27

def skip_states
  @skip_states
end

#transitions ⇒ Array<Transition>

Returns Transitions representing the steps required to convert a Arachni::Page::DOM snapshot to a live Browser page.

Returns:

• (Array<Transition>) —

  Transitions representing the steps required to convert a Arachni::Page::DOM snapshot to a live Browser page.

# File 'lib/arachni/page/dom.rb', line 32

def transitions
  @transitions
end

#url ⇒ String

Returns URL of the page as seen by the user-agent, fragments and all.

Returns:

• (String) —

  URL of the page as seen by the user-agent, fragments and all.

# File 'lib/arachni/page/dom.rb', line 48

def url
  @url
end

Class Method Details

.from_rpc_data(data) ⇒ DOM

Parameters:

• data (Hash) —

  #to_rpc_data

Returns:

• (DOM)

# File 'lib/arachni/page/dom.rb', line 228

def self.from_rpc_data( data )
    instance = allocate
    data.each do |name, value|

        value = case name
                    when 'transitions'
                        value.map { |t| Transition.from_rpc_data t }

                    when 'data_flow_sinks'
                        value.map do |entry|
                            Browser::Javascript::TaintTracer::Sink::DataFlow.from_rpc_data( entry )
                        end.to_a

                    when 'execution_flow_sinks'
                        value.map do |entry|
                            Browser::Javascript::TaintTracer::Sink::ExecutionFlow.from_rpc_data( entry )
                        end.to_a

                    when 'skip_states'
                        skip_states = Support::LookUp::HashSet.new(
                            hasher: :persistent_hash
                        )
                        skip_states.collection.merge( value || [] )
                        skip_states

                    else
                        value
                end

        instance.instance_variable_set( "@#{name}", value )
    end
    instance
end

Instance Method Details

#==(other) ⇒ Object

# File 'lib/arachni/page/dom.rb', line 267

def ==( other )
    hash == other.hash
end

#===(other) ⇒ Bool

Note:

Removes the URL strings of both DOMs from each other’s document before comparing.

Returns ‘true` if the compared DOM trees are effectively the same, `false` otherwise.

Parameters:

• other (DOM)

Returns:

• (Bool) —

  ‘true` if the compared DOM trees are effectively the same, `false` otherwise.

# File 'lib/arachni/page/dom.rb', line 277

def ===( other )
    digest_without_urls( other ) == other.digest_without_urls( self )
end

#depth ⇒ Integer

Returns Depth of the current DOM – sum of #transitions Arachni::Page::DOM::Transition#depths that had to be triggered to reach the current state.

Returns:

• (Integer) —

  Depth of the current DOM – sum of #transitions Arachni::Page::DOM::Transition#depths that had to be triggered to reach the current state.

# File 'lib/arachni/page/dom.rb', line 93

def depth
    @transitions.map { |t| t.depth }.inject(&:+).to_i
end

#hash ⇒ Object

# File 'lib/arachni/page/dom.rb', line 262

def hash
    # TODO: Maybe raise error if #digest is not set?
    digest.persistent_hash
end

#playable_transitions ⇒ Object

# File 'lib/arachni/page/dom.rb', line 97

def playable_transitions
    transitions.select { |t| t.playable? }
end

#print_transitions(printer, indent = '') ⇒ Object

# File 'lib/arachni/page/dom.rb', line 101

def print_transitions( printer, indent = '' )
    longest_event_size = 0
    page.dom.transitions.each do |t|
        longest_event_size = [t.event.to_s.size, longest_event_size].max
    end

    page.dom.transitions.map do |t|
        padding = longest_event_size - t.event.to_s.size + 1
        time    = sprintf( '%.4f', t.time.to_f )

        if t.event == :request
            printer.call "#{indent * 2}* [#{time}s] #{t.event}#{' ' * padding} => #{t.element}"
        else
            url = nil
            if t.options[:url]
                url = "(#{t.options[:url]})"
            end

            printer.call "#{indent}-- [#{time}s] #{t.event}#{' ' * padding} => #{t.element} #{url}"

            if t.options[:cookies] && t.options[:cookies].any?
                printer.call "#{indent * 2}-- Cookies:"

                t.options[:cookies].each do |name, value|
                    printer.call  "#{indent * 3}* #{name}\t=> #{value}\n"
                end
            end

            if t.options[:inputs] && t.options[:inputs].any?
                t.options[:inputs].each do |name, value|
                    printer.call  "#{indent * 2}* #{name}\t=> #{value}\n"
                end
            end
        end
    end
end

#push_transition(transition) ⇒ Object

Parameters:

• transition (Transition) —

  Push the given transition to the #transitions.

# File 'lib/arachni/page/dom.rb', line 86

def push_transition( transition )
    @transitions << transition
end

#restore(browser, take_snapshot = true) ⇒ Browser^?

Loads the page and restores it to its captured state.

Parameters:

• browser (Browser) —

  Browser to use to restore the DOM.

Returns:

• (Browser, nil) —

  Live page in the ‘browser` if successful, `nil` otherwise.

# File 'lib/arachni/page/dom.rb', line 145

def restore( browser, take_snapshot = true )
    # Preload the associated HTTP response since we've already got it.
    browser.preload( page )

    # First, try to load the page via its DOM#url in case it can restore
    # itself via its URL fragments and whatnot.
    browser.goto url, take_snapshot: take_snapshot

    playables = playable_transitions

    # If we've got no playable transitions then we're done.
    return browser if playables.empty?

    browser_page = browser.to_page

    # We were probably led to an out-of-scope page via a JS redirect,
    # bail out.
    return if !browser_page

    # Check to see if just loading the DOM URL was enough.
    #
    # Of course, this check will fail some of the time because even if the
    # page can restore itself via its URL (using fragment data most probably),
    # the document may still be different from when our snapshot was captured.
    #
    # However, this check doesn't cost us much so it's worth a shot.
    if browser_page.dom === self
        return browser
    end

    # The URL restore failed, so, navigate to the pure version of the URL and
    # replay its transitions.
    browser.preload( page )

    playables.each do |transition|
        next if transition.play( browser )

        browser.print_debug "Could not replay transition for: #{url}"
        playables.each do |t|
            browser.print_debug "-#{t == transition ? '>' : '-'} #{transition}"
        end

        return
    end

    browser
end

#to_h ⇒ Hash

Returns:

• (Hash)

# File 'lib/arachni/page/dom.rb', line 194

def to_h
    {
        url:                  url,
        transitions:          transitions.map(&:to_hash),
        digest:               digest,
        skip_states:          skip_states,
        data_flow_sinks:      data_flow_sinks.map(&:to_hash),
        execution_flow_sinks: execution_flow_sinks.map(&:to_hash)
    }
end

#to_hash ⇒ Object

# File 'lib/arachni/page/dom.rb', line 204

def to_hash
    to_h
end

#to_rpc_data ⇒ Hash

Returns Data representing this instance that are suitable the RPC transmission.

Returns:

• (Hash) —

  Data representing this instance that are suitable the RPC transmission.

# File 'lib/arachni/page/dom.rb', line 214

def to_rpc_data
    {
        'url'                  => url,
        'transitions'          => transitions.map(&:to_rpc_data),
        'digest'               => digest,
        'skip_states'          => skip_states ? skip_states.collection.to_a : [],
        'data_flow_sinks'      => data_flow_sinks.map(&:to_rpc_data),
        'execution_flow_sinks' => execution_flow_sinks.map(&:to_rpc_data)
    }
end

#to_s ⇒ Object

# File 'lib/arachni/page/dom.rb', line 208

def to_s
    "#<#{self.class}:#{object_id} @url=#{@url.inspect}>"
end