It has been a while since we last mentioned Arachni; that was back in February, with Arachni v0.2.2.1 – Web Application Security Scanner Framework.
For those who are not aware, Arachni is a fully automated scanner built around the fire-and-forget principle: once a scan is started it will not prompt you for anything and requires no further user interaction. On completion the results are saved to a file, which you can later convert into several formats (HTML, plain text, XML, etc.).
The project started as an educational exercise but has since evolved into a powerful, modular framework for fast, accurate and flexible security/vulnerability assessments.
More than that, Arachni is highly extensible: anyone can improve on it by adding custom components and tailoring most aspects of the framework to their own needs.
The author notified us of a major new release (v0.3) with some great new features, among them:
- A new custom-written, lightweight Spider
- Add-on support for the WebUI
- Scan scheduler
- AutoDeploy — Convert any SSH-enabled Linux box into a Dispatcher
- Improved accuracy of differential analysis audits
- Improved accuracy of timing attack audits
- Highly optimized timing attacks
For those of you into benchmarking and testing, you might be interested to know that in a recent test Arachni was the only scanner (from a long list of commercial and F/OSS systems) to hit 100% on both the XSS and SQLi tests in the WAVSEP benchmark.
The author is doing a great job with this tool and is rapidly closing the gap between free security scanners and the very expensive commercial options. If you have any feedback on Arachni v0.3, drop a comment here or hit up the Arachni Google Group.
You can download Arachni v0.3 here, or read more here.