This version includes lots of goodies, including:

• A new light-weight RPC implementation (No more XMLRPC)
• High Performance Grid (HPG) — Combines the resources of multiple nodes for lightning-fast scans
• Updated WebUI to provide access to HPG features and context-sensitive help
• Accuracy improvements and bugfixes for the XSS, SQL Injection and Path Traversal modules
• New report formats (JSON, Marshal, YAML)
• Cygwin package for Windows

New plugins

• ReScan — It uses the AFR report of a previous scan to extract the sitemap in order to avoid a redundant crawl.
• BeepNotify — Beeps when the scan finishes.
• LibNotify — Uses the libnotify library to send notifications for each discovered issue and a summary at the end of the scan.
• EmailNotify — Sends a notification (and optionally a report) over SMTP at the end of the scan.
• Manual verification — Flags issues that require manual verification as untrusted in order to reduce the signal-to-noise ratio.
• Resolver — Resolves vulnerable hostnames to IP addresses.

IF you want a slightly more detailed description of what’s changed you can check here, or view the ChangeLog.

You can download Arachni v0.4 here:

Windows – arachni-v0.4.0.2-cygwin.exe
Linux – arachni-v0.4.0.2-cde.tar.gz

Or read more here.

SIFT has released a new Intelligence Report titled ‘A Web Services Security Testing Framework‘. The framework covers the entire web services security testing process incorporating detailed threat modelling, scoping and planning methodologies tailored specifically for web services applications.

Web services are a widely touted technology that aim to provide tangible benefits to both business and IT. The increasing use of this technology in the enterprise sector for the integration of distributed systems and business critical functions dictates the need for security assurance yet there is currently no security testing methodology specifically adapted to applications that implement the technology.

Although many application security testing principles can be generically applied to web services, particular aspects of the technology such as its reliance upon XML and web services specific standards require closer attention that is not provided by other testing methodologies. Thus, a comprehensive framework for evaluating the security of web service implementations during all phases of the development cycle is required.

This paper presents a framework that covers the entire web services security testing process incorporating detailed threat modelling, scoping and planning methodologies tailored specifically for web services applications. The framework provides a structured approach to assessing the security of a web service through an application-level penetration test and aims to deliver a repeatable means for security assurance.

The paper is available for download from the the SIFT site [PDF].