Navigation



Arachni v1.0 Released – Web Application Security Scanner Framework

Last updated: November 11, 2014 | 3,530 views

Use Netsparker


Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

It is smart, it trains itself by monitoring and learning from the web application’s behaviour during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false-positives.

Unlike other scanners, it takes into account the dynamic nature of web applications, can detect changes caused while travelling through the paths of a web application’s cyclomatic complexity and is able to adjust itself accordingly. This way, attack/input vectors that would otherwise be undetectable by non-humans can be handled seamlessly.

Moreover, due to its integrated browser environment, it can also audit and inspect client-side code, as well as support highly complicated web applications which make heavy use of technologies such as JavaScript, HTML5, DOM manipulation and AJAX.

Finally, it is versatile enough to cover a great deal of use-cases, ranging from a simple command line scanner utility, to a distributed high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web user interface.

We haven’t mentioned it for a while back since 2012 – Arachni v0.4 Released – High-Performance (Open Source) Web Application Security Scanner Framework.

This Arachni v1.0 release makes it the first open source security scanner to have support for a real browser environment, allowing it to handle modern web applications which make use of technologies such as HTML5/DOM/JavaScript/AJAX.

Arachni v1.0 - Web Application Security Scanner Framework

The new scanner engine has been benchmarked (WIVET v3 and WAVSEP v1.5) higher than even the most established commercial products in crawl coverage, vulnerability identification and accuracy.

It’s a major rewrite so it will break backwards compatibility, don’t try and upgrade because you need to start from scratch. CLI options are different, reports are different, the RPC API is mostly different, the RPC protocol is different and so on and so forth.

Feature Overview

  • Multiple deployment options.
    • Ruby library, for highly-customized, scripted scans.
    • CLI scanner utility, for quick scans.
    • WebUI, for multi-User, multi-Scan, multi-Dispatcher management.
    • Distributed system using remote agents.
  • Integrated browser environment
    • Providing support for deep client-side analysis of applications that make use of DOM/JavaScript/AJAX technologies.
  • Support for pause/resume functionality.
  • Support for scan hibernation (suspend-to-disk/restore).
  • Automated session management (logout detection and re-login).
  • Plethora of scope options, governing scan coverage.
  • Intelligent, on-the-fly adaptation to each web application.
    • Fingerprinting of each individual resource.
    • Adjusts injections to match deployed platforms.
    • Automated detection of custom-404 pages.
    • Constant monitoring of server health and auto-throttling.
    • Resulting in less bandwidth consumption, less stress to the web application and, as a result, faster and more reliable scans.
    • Trains itself during the entire scan, by learning from HTTP responses, in order to identify new vectors and handle complex workflows like multi-page/form wizards.
  • High-performance
    • Asynchronous HTTP requests for lightweight concurrency and fast communications.
    • Clustered browser environments for concurrent JavaScript/DOM operations.
    • Support for multi-Instance scans, utilizing multiple Instances/processes, for super-fast audits (Even when distributed across multiple nodes).
  • Abundance of security checks.
  • Includes multiple plugins, providing extra functionality like:
    • Passive proxy for scanner training via HTTP requests & recording of login sequence
    • Form-based authentication.
    • Login dictionary attackers.
    • Many, many more.
  • Highly detailed, well-structured reports available in multiple of open formats.
  • Supports addition of custom Checks, Reporters and Plugins due to its modular design.

Full feature list can be found at: http://www.arachni-scanner.com/features/framework

Highlighted Changes

  • Updated workflow:
    • No more crawl-first, scan workload is discovered and handled on-the-fly.
    • Support for suspending scans to disk.
  • Addition of an integrated browser environment, supporting:
    • HTML5/DOM/JavaScript/AJAX
    • Detection of DOM-based issues.
  • New input vectors:
    • DOM forms
    • DOM links (with parameters in URL fragments)
    • DOM cookies
  • Link templates (for extracting arbitrary inputs from generic paths).
  • DOM link templates (for extracting arbitrary inputs from generic URL fragments).
  • Support for URL-rewrite rules.
  • New checks:
    • NoSQL injection (error based and blind).
    • DOM XSS variants.
  • New reports providing enormous amounts of context for easy issue verification and resolution — especially for DOM-based ones.
  • Cleaned up RPC API.
  • License update:
    • Proprietary, commercial license for SaaS providers and commercial distributors.
    • Apache License v2.0 for all other use cases.

You can download Arachni v1.0 here:

http://www.arachni-scanner.com/download/

Or read more here – the author can be found on Twitter here @Zap0tek.

Share55
Tweet88
+110
Share32
185 Shares
Posted in: Hacking Tools, Web Hacking

, , , , , , , , , , ,


Latest Posts:


Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
November 14, 2018 - 56 Shares
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
November 2, 2018 - 84 Shares
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.
October 29, 2018 - 121 Shares
testssl.sh - Test SSL Security Including Ciphers, Protocols & Detect Flaws testssl.sh – Test SSL Security Including Ciphers, Protocols & Detect Flaws
testssl.sh is a free command line tool to test SSL security, it checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as recent cryptographic flaws and more.
October 20, 2018 - 230 Shares
Four Year Old libSSH Bug Leaves Servers Wide Open Four Year Old libssh Bug Leaves Servers Wide Open
A fairly serious 4-year old libssh bug has left servers vulnerable to remote compromise, fortunately, the attack surface isn't that big as neither OpenSSH or the GitHub implementation are affected.
October 17, 2018 - 95 Shares
CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
October 15, 2018 - 149 Shares


Comments are closed.