Class: Arachni::Browser

Inherits:

Object

• Object
• Arachni::Browser

Includes:

Support::Mixins::Observable, UI::Output, Utilities

Defined in:

lib/arachni/browser.rb,
lib/arachni/browser/javascript.rb,
lib/arachni/browser/element_locator.rb,
lib/arachni/browser/javascript/dom_monitor.rb,
lib/arachni/browser/javascript/taint_tracer.rb,
lib/arachni/browser/javascript/taint_tracer/frame.rb,
lib/arachni/browser/javascript/taint_tracer/sink/base.rb,
lib/arachni/browser/javascript/taint_tracer/sink/data_flow.rb,
lib/arachni/browser/javascript/taint_tracer/sink/execution_flow.rb,
lib/arachni/browser/javascript/taint_tracer/frame/called_function.rb

Overview

Note:

Depends on PhantomJS 1.9.2.

Real browser driver providing DOM/JS/AJAX support.

Author:

• Tasos “Zapotek” Laskos <tasos.laskos@arachni-scanner.com>

Direct Known Subclasses

Arachni::BrowserCluster::Worker

Defined Under Namespace

Classes: ElementLocator, Error, Javascript

Constant Summary

PHANTOMJS_SPAWN_TIMEOUT =

How much time to wait for the PhantomJS process to spawn before respawning.

4

ELEMENT_APPEARANCE_TIMEOUT =

How much time to wait for a targeted HTML element to appear on the page after the page is loaded.

5

WATIR_COM_TIMEOUT =

Let the browser take as long as it needs to complete an operation.

3600

ASSET_EXTENSIONS =

1 hour.

Set.new(
    ['css', 'js', 'jpg', 'jpeg', 'png', 'gif', 'woff', 'json']
)

ASSET_EXTRACTORS =

[
    /<\s*link.*?href=['"](.*?)['"].*?>/im,
    /<\s*script.*?src=['"](.*?)['"].*?>/im,
    /<\s*img.*?src=['"](.*?)['"].*?>/im,
    /<\s*input.*?src=['"](.*?)['"].*?>/im,
]

Instance Attribute Summary

• #javascript ⇒ Javascript readonly
• #last_dom_url ⇒ Object readonly

  Returns the value of attribute last_dom_url.

• #last_url ⇒ Object readonly

  Returns the value of attribute last_url.

• #page_snapshots_with_sinks ⇒ Array<Page> readonly

  Same as #page_snapshots but it doesn’t deduplicate and only contains pages with sink (Page::DOM#data_flow_sinks or Page::DOM#execution_flow_sinks) data as populated by Javascript#data_flow_sinks and Javascript#execution_flow_sinks.

• #pid ⇒ Integer readonly
• #preloads ⇒ Hash readonly

  Preloaded resources, by URL.

• #skip_states ⇒ Support::LookUp::HashSet readonly

  States that have been visited and should be skipped.

• #transitions ⇒ Array<Page::DOM::Transition> readonly
• #watir ⇒ Watir::Browser readonly

  Watir driver interface.

Class Method Summary

• .add_asset_domain(url) ⇒ Object
• .asset_domains ⇒ Object
• .executable ⇒ String

  Path to the PhantomJS executable.

• .has_executable? ⇒ Bool

  ‘true` if a supported browser is in the OS PATH, `false` otherwise.

Instance Method Summary

• #cache(resource = nil) ⇒ Object
• #capture? ⇒ Bool

  ‘true` if request capturing is enabled, `false` otherwise.

• #capture_snapshot(transition = nil) ⇒ Object
• #captured_pages ⇒ Array<Page>

  Captured HTTP requests performed by the web page (AJAX etc.) converted into forms of pages to assist with analysis and audit.

• #clear_buffers ⇒ Object
• #cookies ⇒ Array<Cookie>

  Browser cookies.

• #distribute_event(page, locator, event) ⇒ Object

  Distributes the triggering of ‘event` on the element at `element_index` on `page`.

• #each_element_with_events(mark_state = true) {|ElementLocator, Array<Symbol>| ... } ⇒ Object

  Iterates over all elements which have events and passes their info to the given block.

• #explore_and_flush(depth = nil) ⇒ Array<Page>

  Explores the browser’s DOM tree and captures page snapshots for each state change until there are no more available.

• #fire_event(element, event, options = {}) ⇒ Page::DOM::Transition, false

  Triggers ‘event` on `element`.

• #flush_page_snapshots_with_sinks ⇒ Array<Page>

  Returns #page_snapshots_with_sinks and flushes it.

• #flush_pages ⇒ Array<Page>

  Flushes and returns the captured and snapshot pages.

• #goto(url, options = {}) ⇒ Page::DOM::Transition

  Transition used to replay the resource visit.

• #initialize(options = {}) ⇒ Browser constructor

  A new instance of Browser.

• #inspect ⇒ Object
• #load(resource, options = {}) ⇒ Browser

  ‘self`.

• #load_delay ⇒ Object
• #on_fire_event(&block) ⇒ Object
• #on_new_page(&block) ⇒ Object
• #on_new_page_with_sink(&block) ⇒ Object
• #on_response(&block) ⇒ Object
• #page_snapshots ⇒ Array<Page>

  Page snapshots (stored after events have been fired and JS links clicked) with hashes as keys and pages as values.

• #preload(resource) ⇒ Object
• #response ⇒ Object
• #selenium ⇒ Selenium::WebDriver::Driver

  Selenium driver interface.

• #shutdown ⇒ Object
• #skip_path?(path) ⇒ Boolean
• #snapshot_id ⇒ String

  Snapshot ID used to determine whether or not a page snapshot has already been seen.

• #source ⇒ String

  HTML code of the evaluated (DOM/JS/AJAX) page.

• #source_with_line_numbers ⇒ String

  Prefixes each source line with a number.

• #start_capture ⇒ Browser

  Starts capturing requests and parses them into elements of pages, accessible via #captured_pages.

• #stop_capture ⇒ Browser

  Stops the HTTP::Request capture.

• #to_page ⇒ Page

  Converts the current browser window to a page.

• #trigger_event(page, element, event) ⇒ Object

  Triggers ‘event` on the element described by `tag` on `page`.

• #trigger_events ⇒ Browser

  Triggers all events on all elements (once) and captures page snapshots.

• #url ⇒ String

  Current URL.

• #wait_for_timers ⇒ Object

Methods included from Support::Mixins::Observable

included

Methods included from Utilities

#available_port, #bytes_to_kilobytes, #bytes_to_megabytes, #caller_name, #caller_path, #cookie_decode, #cookie_encode, #cookies_from_document, #cookies_from_file, #cookies_from_response, #exception_jail, #exclude_path?, #follow_protocol?, #form_decode, #form_encode, #forms_from_document, #forms_from_response, #full_and_absolute_url?, #generate_token, #get_path, #hms_to_seconds, #html_decode, #html_encode, #include_path?, #links_from_document, #links_from_response, #normalize_url, #page_from_response, #page_from_url, #parse_set_cookie, #path_in_domain?, #path_too_deep?, #port_available?, #rand_port, #random_seed, #redundant_path?, #regexp_array_match, #remove_constants, #request_parse_body, #seconds_to_hms, #skip_page?, #skip_resource?, #skip_response?, #to_absolute, #uri_decode, #uri_encode, #uri_parse, #uri_parse_query, #uri_parser, #uri_rewrite

Methods included from UI::Output

#debug?, #debug_off, #debug_on, #disable_only_positives, #included, #mute, #muted?, #only_positives, #only_positives?, #print_bad, #print_debug, #print_debug_backtrace, #print_debug_level_1, #print_debug_level_2, #print_debug_level_3, #print_error, #print_error_backtrace, #print_exception, #print_info, #print_line, #print_ok, #print_status, #print_verbose, #reroute_to_file, #reroute_to_file?, reset_output_options, #unmute, #verbose?, #verbose_on

Constructor Details

#initialize(options = {}) ⇒ Browser

Returns a new instance of Browser.

Parameters:

• options (Hash) (defaults to: {})

Options Hash (options):

• :concurrency (Integer) —

  Maximum number of concurrent connections.

• :store_pages (Bool) — default: true —

  Whether to store pages in addition to just passing them to #on_new_page.

• :width (Integer) — default: 1600 —

  Window width.

• :height (Integer) — default: 1200 —

  Window height.

# File 'lib/arachni/browser.rb', line 157

def initialize( options = {} )
    super()
    @options = options.dup

    @ignore_scope = options[:ignore_scope]

    @width  = options[:width]  || 1600
    @height = options[:height] || 1200

    @proxy = HTTP::ProxyServer.new(
        concurrency:      @options[:concurrency],
        address:          '127.0.0.1',
        request_handler:  proc do |request, response|
            synchronize { exception_jail { request_handler( request, response ) } }
        end,
        response_handler: proc do |request, response|
            synchronize { exception_jail { response_handler( request, response ) } }
        end
    )

    @options[:store_pages] = true if !@options.include?( :store_pages )

    @proxy.start_async

    @watir = ::Watir::Browser.new( selenium )

    # User-controlled response cache, by URL.
    @cache = Support::Cache::LeastRecentlyUsed.new( 200 )

    # User-controlled preloaded responses, by URL.
    @preloads = {}

    # Captured pages -- populated by #capture.
    @captured_pages = []

    # Snapshots of the working page resulting from firing of events and
    # clicking of JS links.
    @page_snapshots = {}

    # Same as @page_snapshots but it doesn't deduplicate and only contains
    # pages with sink (Page::DOM#sink) data as populated by Javascript#flush_sink.
    @page_snapshots_with_sinks = []

    # Captures HTTP::Response objects per URL for open windows.
    @window_responses = {}

    # Keeps track of resources which should be skipped -- like already fired
    # events and clicked links etc.
    @skip_states = Support::LookUp::HashSet.new( hasher: :persistent_hash )

    @transitions = []
    @request_transitions = []
    @add_request_transitions = true

    # Last loaded URL.
    @last_url = nil

    @javascript = Javascript.new( self )

    ensure_open_window
end

Instance Attribute Details

#javascript ⇒ Javascript (readonly)

Returns:

• (Javascript)

# File 'lib/arachni/browser.rb', line 107

def javascript
  @javascript
end

#last_dom_url ⇒ Object (readonly)

Returns the value of attribute last_dom_url.

# File 'lib/arachni/browser.rb', line 121

def last_dom_url
  @last_dom_url
end

#last_url ⇒ Object (readonly)

Returns the value of attribute last_url.

# File 'lib/arachni/browser.rb', line 119

def last_url
  @last_url
end

#page_snapshots_with_sinks ⇒ Array<Page> (readonly)

Returns Same as #page_snapshots but it doesn’t deduplicate and only contains pages with sink (Page::DOM#data_flow_sinks or Page::DOM#execution_flow_sinks) data as populated by Arachni::Browser::Javascript#data_flow_sinks and Arachni::Browser::Javascript#execution_flow_sinks.

Returns:

• (Array<Page>) —

  Same as #page_snapshots but it doesn’t deduplicate and only contains pages with sink (Page::DOM#data_flow_sinks or Page::DOM#execution_flow_sinks) data as populated by Arachni::Browser::Javascript#data_flow_sinks and Arachni::Browser::Javascript#execution_flow_sinks.

See Also:

• Arachni::Browser::Javascript#data_flow_sinks
• Arachni::Browser::Javascript#execution_flow_sinks
• Page::DOM#data_flow_sinks
• Page::DOM#execution_flow_sinks

# File 'lib/arachni/browser.rb', line 104

def page_snapshots_with_sinks
  @page_snapshots_with_sinks
end

#pid ⇒ Integer (readonly)

Returns:

• (Integer)

# File 'lib/arachni/browser.rb', line 117

def pid
  @pid
end

#preloads ⇒ Hash (readonly)

Returns Preloaded resources, by URL.

Returns:

• (Hash) —

  Preloaded resources, by URL.

# File 'lib/arachni/browser.rb', line 89

def preloads
  @preloads
end

#skip_states ⇒ Support::LookUp::HashSet (readonly)

Returns States that have been visited and should be skipped.

Returns:

• (Support::LookUp::HashSet) —

  States that have been visited and should be skipped.

See Also:

• #skip_state
• #skip_state?

# File 'lib/arachni/browser.rb', line 114

def skip_states
  @skip_states
end

#transitions ⇒ Array<Page::DOM::Transition> (readonly)

Returns:

• (Array<Page::DOM::Transition>)

# File 'lib/arachni/browser.rb', line 85

def transitions
  @transitions
end

#watir ⇒ Watir::Browser (readonly)

Returns Watir driver interface.

Returns:

• (Watir::Browser) —

  Watir driver interface.

# File 'lib/arachni/browser.rb', line 93

def watir
  @watir
end

Class Method Details

.add_asset_domain(url) ⇒ Object

# File 'lib/arachni/browser.rb', line 140

def self.add_asset_domain( url )
    return if url.to_s.empty?
    return if !(curl = Arachni::URI( url ))
    return if !(domain = curl.domain)

    asset_domains << domain
end

.asset_domains ⇒ Object

# File 'lib/arachni/browser.rb', line 135

def self.asset_domains
    @asset_domains ||= Set.new
end

.executable ⇒ String

Returns Path to the PhantomJS executable.

Returns:

• (String) —

  Path to the PhantomJS executable.

# File 'lib/arachni/browser.rb', line 131

def self.executable
    Selenium::WebDriver::PhantomJS.path
end

.has_executable? ⇒ Bool

Returns ‘true` if a supported browser is in the OS PATH, `false` otherwise.

Returns:

• (Bool) —

  ‘true` if a supported browser is in the OS PATH, `false` otherwise.

# File 'lib/arachni/browser.rb', line 125

def self.has_executable?
    !!executable
end

Instance Method Details

#cache(resource = nil) ⇒ Object

Parameters:

• resource (HTTP::Response, Page) (defaults to: nil) —

  Cache a resource in order to be instantly available by URL via #load.

# File 'lib/arachni/browser.rb', line 300

def cache( resource = nil )
    return @cache if !resource

    response =  case resource
                    when HTTP::Response
                        resource

                    when Page
                        resource.response

                    else
                        fail Error::Load,
                             "Can't load resource of type #{resource.class}."
                end

    save_response response
    @cache[response.url] = response
    response.url
end

#capture? ⇒ Bool

Returns ‘true` if request capturing is enabled, `false` otherwise.

Returns:

• (Bool) —

  ‘true` if request capturing is enabled, `false` otherwise.

See Also:

• #start_capture
• #stop_capture

# File 'lib/arachni/browser.rb', line 769

def capture?
    !!@capture
end

#capture_snapshot(transition = nil) ⇒ Object

# File 'lib/arachni/browser.rb', line 849

def capture_snapshot( transition = nil )
    pages = []

    request_transitions = flush_request_transitions
    transitions = ([transition] + request_transitions).flatten.compact

    begin
        # Skip about:blank windows.
        watir.windows( url: /^http/ ).each do |window|
            window.use do
                next if !(page = to_page)

                if pages.empty?
                    transitions.each do |t|
                        @transitions << t
                        page.dom.push_transition t
                    end
                end

                capture_snapshot_with_sink( page )

                unique_id  = self.snapshot_id
                next if skip_state? unique_id
                skip_state unique_id

                notify_on_new_page( page )

                if store_pages?
                    @page_snapshots[unique_id.hash] = page
                    pages << page
                end
            end
        end
    rescue => e
        print_debug "Could not capture snapshot for: #{@last_url}"

        if transition
            print_debug "-- #{transition}"
        end

        print_debug
        print_debug_exception e
    end

    pages
end

#captured_pages ⇒ Array<Page>

Returns Captured HTTP requests performed by the web page (AJAX etc.) converted into forms of pages to assist with analysis and audit.

Returns:

• (Array<Page>) —

  Captured HTTP requests performed by the web page (AJAX etc.) converted into forms of pages to assist with analysis and audit.

# File 'lib/arachni/browser.rb', line 783

def captured_pages
    @captured_pages
end

#clear_buffers ⇒ Object

# File 'lib/arachni/browser.rb', line 219

def clear_buffers
    synchronize do
        @preloads.clear
        @cache.clear
        @captured_pages.clear
        @page_snapshots.clear
        @page_snapshots_with_sinks.clear
        @window_responses.clear
    end
end

#cookies ⇒ Array<Cookie>

Returns Browser cookies.

Returns:

• (Array<Cookie>) —

  Browser cookies.

# File 'lib/arachni/browser.rb', line 922

def cookies
    js_cookies = begin
        # Watir doesn't tell us if cookies are HttpOnly, so we need to figure
        # this out ourselves, by checking for JS visibility.
        javascript.run( 'return document.cookie' )
    # We may not have a page.
    rescue Selenium::WebDriver::Error::WebDriverError
        ''
    end

    watir.cookies.to_a.map do |c|
        original_name = c[:name].to_s

        c[:path]     = '/' if c[:path] == '//'
        c[:name]     = Cookie.decode( c[:name].to_s )
        c[:value]    = Cookie.value_to_v0( c[:value].to_s )
        c[:httponly] = !js_cookies.include?( original_name )

        Cookie.new c.merge( url: @last_url || url )
    end
end

#distribute_event(page, locator, event) ⇒ Object

Note:

Only used when running as part of Arachni::BrowserCluster to distribute page analysis across a pool of browsers.

Distributes the triggering of ‘event` on the element at `element_index` on `page`.

Parameters:

• page (Page)
• locator (ElementLocator)
• event (Symbol)

# File 'lib/arachni/browser.rb', line 587

def distribute_event( page, locator, event )
    trigger_event( page, locator, event )
end

#each_element_with_events(mark_state = true) {|ElementLocator, Array<Symbol>| ... } ⇒ Object

Note:

Will skip non-visible elements as they can’t be manipulated.

Iterates over all elements which have events and passes their info to the given block.

Parameters:

• mark_state (Bool) (defaults to: true) —

  Mark each element/events as visited and skip it if it has already been seen.

Yields:

• (ElementLocator, Array<Symbol>) —

  Hash with information about the element, its tag name, applicable events along with their handlers and attributes.

# File 'lib/arachni/browser.rb', line 444

def each_element_with_events( mark_state = true )
    current_url = url

    javascript.dom_elements_with_events.each do |element|
        tag_name   = element['tag_name']
        attributes = element['attributes']
        events     = element['events']

        case tag_name
            when 'a'
                href = attributes['href'].to_s

                if !href.empty?
                    if href.downcase.start_with?( 'javascript:' )
                        events << [ :click, href ]
                    else
                        next if skip_path?( to_absolute( href, current_url ) )
                    end
                end

            when 'input'
                if attributes['type'].to_s.downcase == 'image'
                    events << [ :click, 'image' ]
                end

            when 'form'
                action = attributes['action'].to_s

                if !action.empty?
                    if action.downcase.start_with?( 'javascript:' )
                        events << [ :submit, action ]
                    else
                        next if skip_path?( to_absolute( action, current_url ) )
                    end
                end
        end

        next if events.empty?

        if mark_state
            state = "#{tag_name}#{attributes}#{events}"
            next if skip_state?( state )
            skip_state state
        end

        yield ElementLocator.new( tag_name: tag_name, attributes: attributes ),
                events
    end

    self
end

#explore_and_flush(depth = nil) ⇒ Array<Page>

Explores the browser’s DOM tree and captures page snapshots for each state change until there are no more available.

Parameters:

• depth (Integer) (defaults to: nil) —

  How deep to go into the DOM tree.

Returns:

• (Array<Page>) —

  Page snapshots for each state.

# File 'lib/arachni/browser.rb', line 416

def explore_and_flush( depth = nil )
    pages         = [ to_page ]
    current_depth = 0

    loop do
        bcnt   = pages.size
        pages |= pages.map { |p| load( p ).trigger_events.flush_pages }.flatten

        break if pages.size == bcnt || (depth && depth >= current_depth)

        current_depth += 1
    end

    pages.compact
end

#fire_event(element, event, options = {}) ⇒ Page::DOM::Transition, false

Triggers ‘event` on `element`.

Parameters:

• element (Watir::Element, ElementLocator)
• event (Symbol)
• options (Hash) (defaults to: {})

Options Hash (options):

• :inputs (Hash<Symbol,String=>String>) —

  Values to use to fill-in inputs. Keys should be input names or ids.

  Defaults to using OptionGroups::Input if not specified.

Returns:

• (Page::DOM::Transition, false) —

  Transition if the operation was successful, ‘nil` otherwise.

# File 'lib/arachni/browser.rb', line 630

def fire_event( element, event, options = {} )
    event   = event.to_s.downcase.sub( /^on/, '' ).to_sym
    locator = nil

    options[:inputs] = options[:inputs].my_stringify if options[:inputs]

    if element.is_a? ElementLocator
        locator = element

        begin
            element = element.locate( self )
        rescue Selenium::WebDriver::Error::WebDriverError,
            Watir::Exception::Error => e

            print_debug "Element '#{element.inspect}' could not be " <<
                            "located for triggering '#{event}'."
            print_debug
            print_debug_exception e
            return
        end
    end

    # The page may need a bit to settle and the element is lazily located
    # by Watir so give it a few tries.
    begin
        with_timeout ELEMENT_APPEARANCE_TIMEOUT do
            sleep 0.1 while !element.exists?
        end
    rescue Timeout::Error
        print_debug_level_2 "#{element.inspect} did not appear in " <<
                                "#{ELEMENT_APPEARANCE_TIMEOUT}."
        return
    end

    if !element.visible?
        print_debug_level_2 "#{element.inspect} is not visible, skipping..."
        return
    end

    if locator
        opening_tag = locator.to_s
        tag_name    = locator.tag_name
    else
        opening_tag = element.opening_tag
        tag_name    = element.tag_name
        locator     = ElementLocator.from_html( opening_tag )
    end

    print_debug_level_2 "#{__method__} [start]: #{event} (#{options}) #{locator}"

    tag_name = tag_name.to_sym

    notify_on_fire_event( element, event )

    tries = 0
    begin
        Page::DOM::Transition.new( locator, event, options ) do
            had_special_trigger = false

            if tag_name == :form
                fill_in_form_inputs( element, options[:inputs] )

                if event == :submit
                    element.to_subtype.submit
                    had_special_trigger = true
                end
            elsif tag_name == :input && event == :click &&
                    element.attribute_value(:type) == 'image'

                element.to_subtype.click
                had_special_trigger = true

            elsif [:keyup, :keypress, :keydown, :change, :input, :focus, :blur, :select].include? event

                # Some of these need an explicit event triggers.
                had_special_trigger = true if ![:change, :blur, :focus, :select].include? event

                element.send_keys( (options[:value] || value_for( element )).to_s )
            end

            element.fire_event( event ) if !had_special_trigger

            print_debug_level_2 "#{__method__} [waiting for requests]: #{event} (#{options}) #{locator}"
            wait_for_pending_requests
            print_debug_level_2 "#{__method__} [done waiting for requests]: #{event} (#{options}) #{locator}"

            # puts source_with_line_numbers
            print_debug_level_2 "#{__method__} [done]: #{event} (#{options}) #{locator}"
        end
    rescue Selenium::WebDriver::Error::WebDriverError,
        Watir::Exception::Error => e

        sleep 0.1

        tries += 1
        retry if tries < 5

        print_debug "Error when triggering event for: #{url}"
        print_debug "-- '#{event}' on: #{opening_tag}"
        print_debug
        print_debug_exception e

        nil
    end
end

#flush_page_snapshots_with_sinks ⇒ Array<Page>

Returns #page_snapshots_with_sinks and flushes it.

Returns:

• (Array<Page>) —

  Returns #page_snapshots_with_sinks and flushes it.

# File 'lib/arachni/browser.rb', line 898

def flush_page_snapshots_with_sinks
    @page_snapshots_with_sinks.dup
ensure
    @page_snapshots_with_sinks.clear
end

#flush_pages ⇒ Array<Page>

Returns Flushes and returns the captured and snapshot pages.

Returns:

• (Array<Page>) —

  Flushes and returns the captured and snapshot pages.

See Also:

• #captured_pages
• #page_snapshots
• #start_capture
• #stop_capture
• #capture?

# File 'lib/arachni/browser.rb', line 913

def flush_pages
    captured_pages + page_snapshots
ensure
    @captured_pages.clear
    @page_snapshots.clear
end

#goto(url, options = {}) ⇒ Page::DOM::Transition

Returns Transition used to replay the resource visit.

Parameters:

• url (String) —

  Loads the given URL in the browser.

• options (Hash) (defaults to: {})
• [Bool] (Hash) —

  a customizable set of options

• [Array<Cookie>] (Hash) —

  a customizable set of options

Returns:

• (Page::DOM::Transition) —

  Transition used to replay the resource visit.

# File 'lib/arachni/browser.rb', line 330

def goto( url, options = {} )
    take_snapshot      = options.include?(:take_snapshot) ?
        options[:take_snapshot] : true
    extra_cookies      = options[:cookies] || {}
    update_transitions = options.include?(:update_transitions) ?
        options[:update_transitions] : true

    pre_add_request_transitions = @add_request_transitions
    if !update_transitions
        @add_request_transitions = false
    end

    @last_url = Arachni::URI( url ).to_s
    self.class.add_asset_domain @last_url

    ensure_open_window

    load_cookies url, extra_cookies

    transition = Page::DOM::Transition.new( :page, :load,
        url:     url,
        cookies: extra_cookies
    ) do
        watir.goto url

        @javascript.wait_till_ready
        wait_for_pending_requests
        wait_for_timers

        url = watir.url
        Options.browser_cluster.css_to_wait_for( url ).each do |css|
            print_info "Waiting for #{css.inspect} to appear for: #{url}"

            begin
                watir.element( css: css ).
                    wait_until_present( Options.browser_cluster.job_timeout )

                print_info "#{css.inspect} appeared for: #{url}"
            rescue Watir::Wait::TimeoutError
                print_bad "#{css.inspect} did not appeared for: #{url}"
            end

        end

        javascript.set_element_ids
    end

    if @add_request_transitions
        @transitions << transition
    end

    @add_request_transitions = pre_add_request_transitions

    HTTP::Client.update_cookies cookies

    # Capture the page at its initial state.
    capture_snapshot if take_snapshot

    transition
end

#inspect ⇒ Object

# File 'lib/arachni/browser.rb', line 1007

def inspect
    s = "#<#{self.class} "
    s << "pid=#{@pid} "
    s << "last-url=#{@last_url.inspect} "
    s << "transitions=#{@transitions.size}"
    s << '>'
end

#load(resource, options = {}) ⇒ Browser

Returns ‘self`.

Parameters:

• resource (String, HTTP::Response, Page) —

  Loads the given resource in the browser. If it is a string it will be treated like a URL.

Returns:

• (Browser) —

  ‘self`

# File 'lib/arachni/browser.rb', line 244

def load( resource, options = {} )
    @last_dom_url = nil

    case resource
        when String
            goto resource, options

        when HTTP::Response
            goto preload( resource ), options

        when Page
            HTTP::Client.update_cookies resource.cookie_jar

            @transitions = resource.dom.transitions.dup
            update_skip_states resource.dom.skip_states

            @last_dom_url = resource.dom.url

            @add_request_transitions = false if @transitions.any?
            resource.dom.restore self
            @add_request_transitions = true

        else
            fail Error::Load,
                 "Can't load resource of type #{resource.class}."
    end

    self
end

#load_delay ⇒ Object

# File 'lib/arachni/browser.rb', line 950

def load_delay
    #(intervals + timeouts).map { |t| t[1] }.max
    @javascript.timeouts.compact.map { |t| t[1].to_i }.max
end

#on_fire_event(&block) ⇒ Object

# File 'lib/arachni/browser.rb', line 30

advertise :on_fire_event

#on_new_page(&block) ⇒ Object

# File 'lib/arachni/browser.rb', line 33

advertise :on_new_page

#on_new_page_with_sink(&block) ⇒ Object

# File 'lib/arachni/browser.rb', line 36

advertise :on_new_page_with_sink

#on_response(&block) ⇒ Object

# File 'lib/arachni/browser.rb', line 39

advertise :on_response

#page_snapshots ⇒ Array<Page>

Returns Page snapshots (stored after events have been fired and JS links clicked) with hashes as keys and pages as values.

Returns:

• (Array<Page>) —

  Page snapshots (stored after events have been fired and JS links clicked) with hashes as keys and pages as values.

# File 'lib/arachni/browser.rb', line 776

def page_snapshots
    @page_snapshots.values
end

#preload(resource) ⇒ Object

Note:

The preloaded resource will be removed once used, for a persistent cache use #cache.

Parameters:

• resource (HTTP::Response, Page) —

  Preloads a resource to be instantly available by URL via #load.

# File 'lib/arachni/browser.rb', line 279

def preload( resource )
    response =  case resource
                    when HTTP::Response
                        resource

                    when Page
                        resource.response

                    else
                        fail Error::Load,
                             "Can't load resource of type #{resource.class}."
                end

    save_response( response ) if !response.url.include?( request_token )

    @preloads[response.url] = response
    response.url
end

#response ⇒ Object

# File 'lib/arachni/browser.rb', line 966

def response
    u = watir.url

    return if skip_path?( u )

    begin
        with_timeout Options.http.request_timeout / 1_000 do
            while !(r = get_response(u))
                sleep 0.1
            end

            fail Timeout::Error if r.timed_out?

            return r
        end
    rescue Timeout::Error
        print_debug "Response for '#{u}' never arrived."
    end

    nil
end

#selenium ⇒ Selenium::WebDriver::Driver

Returns Selenium driver interface.

Returns:

• (Selenium::WebDriver::Driver) —

  Selenium driver interface.

# File 'lib/arachni/browser.rb', line 990

def selenium
    return @selenium if @selenium

    client = Selenium::WebDriver::Remote::Http::Typhoeus.new
    client.timeout = WATIR_COM_TIMEOUT

    @selenium = Selenium::WebDriver.for(
        :remote,

        # We need to spawn our own PhantomJS process because Selenium's
        # way sometimes gives us zombies.
        url:                  spawn_browser,
        desired_capabilities: capabilities,
        http_client:          client
    )
end

#shutdown ⇒ Object

# File 'lib/arachni/browser.rb', line 391

def shutdown
    begin
        watir.close if browser_alive?
    rescue Selenium::WebDriver::Error::WebDriverError,
        Watir::Exception::Error
    end

    kill_process
    @proxy.shutdown
end

#skip_path?(path) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/arachni/browser.rb', line 962

def skip_path?( path )
    enforce_scope? && super( path )
end

#snapshot_id ⇒ String

Returns Snapshot ID used to determine whether or not a page snapshot has already been seen. Uses both elements and their DOM events and possible audit workload to determine the ID, as page snapshots should be retained both when further browser analysis can be performed and when new element audit workload (but possibly without any DOM relevance) is available.

Returns:

• (String) —

  Snapshot ID used to determine whether or not a page snapshot has already been seen. Uses both elements and their DOM events and possible audit workload to determine the ID, as page snapshots should be retained both when further browser analysis can be performed and when new element audit workload (but possibly without any DOM relevance) is available.

# File 'lib/arachni/browser.rb', line 502

def snapshot_id
    current_url = url

    id = []
    javascript.dom_elements_with_events.each do |element|
        tag_name   = element['tag_name']
        attributes = element['attributes']
        events     = element['events'] +
            Javascript.select_event_attributes( attributes ).to_a
        element_id = attributes['id'].to_s

        case tag_name
            when 'a'
                href        = attributes['href'].to_s
                element_id << href

                if !href.empty?
                    if href.downcase.start_with?( 'javascript:' )
                        events << [ :click, href ]
                    else
                        absolute = to_absolute( href, current_url )
                        next if skip_path?( absolute )

                        events << [ :click, href ]
                    end
                else
                    events << [ :click, current_url ]
                end

            when 'input', 'textarea', 'select'
                events     << [ tag_name.to_sym ]
                element_id << attributes['name'].to_s

            when 'form'
                action      = attributes['action'].to_s
                element_id << "#{action}#{attributes['name']}"

                if !action.empty?
                    if action.downcase.start_with?( 'javascript:' )
                        events << [ :submit, action ]
                    else
                        absolute = to_absolute( action, current_url )
                        if !skip_path?( absolute )
                            events << [ :submit, absolute ]
                        end
                    end
                else
                    events << [ :submit, current_url ]
                end
        end

        next if events.empty?

        id << "#{tag_name}:#{element_id}:#{events}"
    end

    id.uniq.sort.to_s
end

#source ⇒ String

Returns HTML code of the evaluated (DOM/JS/AJAX) page.

Returns:

• (String) —

  HTML code of the evaluated (DOM/JS/AJAX) page.

# File 'lib/arachni/browser.rb', line 946

def source
    watir.html
end

#source_with_line_numbers ⇒ String

Returns Prefixes each source line with a number.

Returns:

• (String) —

  Prefixes each source line with a number.

# File 'lib/arachni/browser.rb', line 232

def source_with_line_numbers
    source.lines.map.with_index do |line, i|
        "#{i+1} - #{line}"
    end.join
end

#start_capture ⇒ Browser

Starts capturing requests and parses them into elements of pages, accessible via #captured_pages.

Returns:

• (Browser) —

  ‘self`

See Also:

• #stop_capture
• #capture?
• #captured_pages
• #flush_pages

# File 'lib/arachni/browser.rb', line 746

def start_capture
    @capture = true
    self
end

#stop_capture ⇒ Browser

Stops the HTTP::Request capture.

Returns:

• (Browser) —

  ‘self`

See Also:

• #start_capture
• #capture?
• #flush_pages

# File 'lib/arachni/browser.rb', line 759

def stop_capture
    @capture = false
    self
end

#to_page ⇒ Page

Returns Converts the current browser window to a page.

Returns:

• (Page) —

  Converts the current browser window to a page.

# File 'lib/arachni/browser.rb', line 789

def to_page
    if !(r = response)
        return Page.from_data(
            dom: {
                url: watir.url
            },
            response: {
                code: 0,
                url:  url
            }
        )
    end

    page                          = r.to_page
    page.body                     = source
    page.dom.url                  = watir.url
    page.dom.digest               = @javascript.dom_digest
    page.dom.execution_flow_sinks = @javascript.execution_flow_sinks
    page.dom.data_flow_sinks      = @javascript.data_flow_sinks
    page.dom.transitions          = @transitions.dup
    page.dom.skip_states          = skip_states.dup

    # Go through auditable DOM forms and cookies and remove the DOM from
    # them if no events are associated with it.
    #
    # This can save **A LOT** of time during the audit.
    if @javascript.supported?
        if Options.audit.form_doms?
            page.forms.each do |form|
                next if !form.node || !form.dom

                action = form.node['action'].to_s
                form.dom.browser = self

                next if action.downcase.start_with?( 'javascript:' ) ||
                    form.dom.locate.events.any?

                form.skip_dom = true
            end

            page.update_metadata
            page.clear_cache
        end

        if Options.audit.cookie_doms?
            sinks = @javascript.taint_tracer.data_flow_sinks
            page.cookies.each do |cookie|
                next if sinks.include?( cookie.name ) ||
                    sinks.include?( cookie.value )

                cookie.skip_dom = true
            end

            page.update_metadata
        end
    end

    page
end

#trigger_event(page, element, event) ⇒ Object

Note:

Captures page #page_snapshots.

Triggers ‘event` on the element described by `tag` on `page`.

Parameters:

• page (Page) —

  Page containing the element’s ‘tag`.

• element (ElementLocator)
• event (Symbol) —

  Event to trigger.

# File 'lib/arachni/browser.rb', line 600

def trigger_event( page, element, event )
    event = event.to_sym
    transition = fire_event( element, event )

    if !transition
        print_info "Could not trigger '#{event}' on '#{element}' because" <<
            ' the page has changed, capturing a new snapshot.'
        capture_snapshot

        print_info 'Restoring page.'
        restore page
        return
    end

    capture_snapshot( transition )
    restore page
end

#trigger_events ⇒ Browser

Triggers all events on all elements (once) and captures page snapshots.

Returns:

• (Browser) —

  ‘self`

# File 'lib/arachni/browser.rb', line 566

def trigger_events
    root_page = to_page

    each_element_with_events do |locator, events|
        events.each do |name, _|
            distribute_event( root_page, locator, name.to_sym )
        end
    end

    self
end

#url ⇒ String

Returns Current URL.

Returns:

• (String) —

  Current URL.

# File 'lib/arachni/browser.rb', line 404

def url
    normalize_url watir.url
end

#wait_for_timers ⇒ Object

# File 'lib/arachni/browser.rb', line 955

def wait_for_timers
    delay = load_delay
    return if !delay

    sleep [Options.http.request_timeout, delay].min / 1000.0
end