Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

Arachni is smart: it trains itself by learning from the HTTP responses it receives during the audit process.
Unlike other scanners, Arachni takes into account the dynamic nature of web applications and can detect changes caused while travelling
through the paths of a web application’s cyclomatic complexity.
This way attack/input vectors that would otherwise be undetectable by non-humans are seamlessly handled by Arachni.

Finally, Arachni yields great performance due to its asynchronous HTTP model (courtesy of Typhoeus).
Thus, you’ll only be limited by the responsiveness of the server under audit and your available bandwidth.

Note: Although Arachni is mostly targeted towards web application security, it can easily be used for general purpose scraping, data-mining, etc. with the addition of custom modules.

Arachni offers:

A stable, efficient, high-performance framework

Module, report and plugin writers are allowed to easily and quickly create and deploy their components with the minimum amount of restrictions imposed upon them, while provided with the necessary infrastructure to accomplish their goals.
Furthermore, they are encouraged to take full advantage of the Ruby language under a unified framework that will increase their productivity without stifling them or complicating their tasks.

Simplicity

Although some parts of the Framework are fairly complex, you will never have to deal with them directly.
From a user’s or a component developer’s point of view everything appears simple and straightforward, all the while providing power, performance and flexibility.

Feature List

General

  • Cookie-jar support
  • SSL support.
  • User Agent spoofing.
  • Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
  • Proxy authentication.
  • Site authentication (Automated form-based, Cookie-Jar, Basic-Digest, NTLM and others)
  • Highlighted command line output.
  • UI abstraction:
    • Command line UI
    • Web UI (Utilizing the Client – Dispatch-server XMLRPC architecture)
    • XMLRPC Client/Dispatch server
      • Centralised deployment
      • Multiple clients
      • Parallel scans
      • SSL encryption
      • SSL cert based client authentication
      • Remote monitoring
  • Pause/resume functionality.
  • High performance asynchronous HTTP requests.

Website Crawler

The crawler is provided by a modified version of Anemone.

  • Filters for redundant pages like galleries, catalogs, etc., based on regular expressions and counters.
  • URL exclusion filter based on regular expressions.
  • URL inclusion filter based on regular expressions.
  • Can optionally follow subdomains.
  • Adjustable depth limit.
  • Adjustable link count limit.
  • Adjustable redirect limit.
  • Modular path extraction via “Path Extractor” components.
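As an added illustration of the "regular expressions and counters" redundancy filter described above (example code, not Arachni's own crawler), each rule pairs a pattern with a budget of matching URLs; once the budget is spent, further matches are skipped so a gallery or catalog cannot flood the crawl. The rule shape, class name and sample URLs are assumptions made for this example.

```ruby
# Added example (not Arachni's code): a crawler-side redundancy filter.
# rules: { /regex/ => max_allowed } is an assumed shape for this example.
class RedundancyFilter
  def initialize(rules)
    @rules = rules.map { |re, limit| { re: re, limit: limit, seen: 0 } }
    @visited = {}
  end

  # Returns true if the URL should be crawled, false if it is filtered out.
  def allow?(url)
    return false if @visited[url]        # never revisit an exact URL
    @visited[url] = true
    rule = @rules.find { |r| r[:re].match?(url) }
    return true unless rule              # no rule matched: always crawl
    return false if rule[:seen] >= rule[:limit]
    rule[:seen] += 1                     # spend one unit of the rule's budget
    true
  end

  # Applies the filter to a list of discovered URLs, preserving order.
  def filter(urls)
    urls.select { |u| allow?(u) }
  end
end

# Constructed sample URLs: a six-page gallery plus a few ordinary pages
# (one of them discovered twice).
SAMPLE_URLS = (1..6).map { |i| "http://example.test/gallery.php?pid=#{i}" } +
  %w[http://example.test/about.php http://example.test/contact.php
     http://example.test/about.php]

# Crawl at most three gallery pages; everything else is unrestricted.
def demo_filter
  f = RedundancyFilter.new({ /gallery\.php\?pid=\d+/ => 3 })
  f.filter(SAMPLE_URLS)
end
```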

HTML Parser

Can extract and analyze:

  • Forms
  • Links
  • Cookies

The analyzer can gracefully handle badly written HTML code due to a combination of regular expression analysis and the Nokogiri HTML parser.

Module Management

  • Very simple and easy to use module API providing access to multiple levels of complexity.
  • Helper audit methods:
    • For forms, links and cookies auditing.
    • A wide range of injection strings/input combinations.
    • Writing RFI, SQL injection, XSS, etc. modules is a matter of minutes if not seconds.
  • Currently available modules:
    • Audit:
      • SQL injection
      • Blind SQL injection using rDiff analysis
      • Blind SQL injection using timing attacks
      • CSRF detection
      • Code injection (PHP, Ruby, Python, JSP, ASP.NET)
      • Blind code injection using timing attacks (PHP, Ruby, Python, JSP, ASP.NET)
      • LDAP injection
      • Path traversal
      • Response splitting
      • OS command injection (*nix, Windows)
      • Blind OS command injection using timing attacks (*nix, Windows)
      • Remote file inclusion
      • Unvalidated redirects
      • XPath injection
      • Path XSS
      • URI XSS
      • XSS
      • XSS in event attributes of HTML elements
      • XSS in HTML tags
      • XSS in HTML ‘script’ tags
    • Recon:
      • Allowed HTTP methods
      • Back-up files
      • Common directories
      • Common files
      • HTTP PUT
      • Insufficient Transport Layer Protection for password forms
      • WebDAV detection
      • HTTP TRACE detection
      • Credit Card number disclosure
      • CVS/SVN user disclosure
      • Private IP address disclosure
      • Common backdoors
      • .htaccess LIMIT misconfiguration
      • Interesting responses
      • HTML object grepper
      • E-mail address disclosure
      • US Social Security Number disclosure
      • Forceful directory listing

Report Management

  • Modular design.
  • Currently available reports:

Plug-in Management

  • Modular design
  • Plug-ins are framework demi-gods: they have direct access to the framework instance.
  • Can be used to add any functionality to Arachni.
  • Currently available plugins:
    • Passive Proxy
    • Form based AutoLogin
    • Dictionary attacker for HTTP Auth
    • Dictionary attacker for form based authentication
    • Cookie collector
    • Healthmap — Generates sitemap showing the health of each crawled/audited URL
    • Content-types — Logs content-types of server responses aiding in the identification of interesting (possibly leaked) files
    • WAF (Web Application Firewall) Detector
    • MetaModules — Loads and runs high-level meta-analysis modules pre/mid/post-scan
      • AutoThrottle — Dynamically adjusts HTTP throughput during the scan for maximum bandwidth utilization
      • TimeoutNotice — Provides a notice for issues uncovered by timing attacks when the affected audited pages returned unusually high response times to begin with. It also points out the danger of DoS attacks against pages that perform heavy-duty processing.
      • Uniformity — Reports inputs that are uniformly vulnerable across a number of pages, hinting at the lack of a central point of input sanitization.
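The Uniformity meta-module's idea, as an added example (not Arachni's own implementation): group logged issues by issue type and input name, and report the inputs affected on several distinct pages, since that pattern suggests sanitization is done per page (or not at all) rather than centrally. The Issue struct and the sample findings are constructed for this example.

```ruby
# Added example (not Arachni's code): uniformity analysis over scan findings.
# The Issue shape is an assumption made for this example.
Issue = Struct.new(:name, :url, :element, :var)

# Constructed sample findings: 'q' is XSS-vulnerable on three distinct pages,
# 'id' is SQL-injectable on one page only.
SAMPLE_ISSUES = [
  Issue.new('XSS', 'http://example.test/search.php', 'form', 'q'),
  Issue.new('XSS', 'http://example.test/list.php',   'link', 'q'),
  Issue.new('XSS', 'http://example.test/search.php', 'form', 'q'), # same page again
  Issue.new('XSS', 'http://example.test/news.php',   'link', 'q'),
  Issue.new('SQL injection', 'http://example.test/item.php', 'link', 'id')
]

# Returns { [issue_name, input_name] => [page, page, ...] } for every input
# that carries the same issue on at least `min_pages` distinct pages.
def uniform_issues(issues, min_pages: 2)
  grouped = Hash.new { |h, k| h[k] = [] }
  issues.each { |i| grouped[[i.name, i.var]] << i.url }
  grouped.each_with_object({}) do |(key, urls), out|
    pages = urls.uniq                     # count pages, not raw findings
    out[key] = pages.sort if pages.size >= min_pages
  end
end

# Renders the analysis as the kind of notice a meta-module would log.
def uniformity_notice(issues, min_pages: 2)
  uniform_issues(issues, min_pages: min_pages).map do |(name, var), pages|
    "#{name} via input '#{var}' on #{pages.size} pages: #{pages.join(', ')}"
  end
end
```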

Trainer subsystem

The Trainer is what enables Arachni to learn from the scan it performs and incorporate that knowledge, on the fly, for the duration of the audit.

Modules have the ability to individually force the Framework to learn from the HTTP responses they are going to induce.
However, this is usually not required since Arachni is aware of which requests are more likely to uncover new elements or attack vectors and will adapt itself accordingly.

Still, this can be an invaluable asset to Fuzzer modules.

Changelog

  • WebUI
    • Added connection cache for XMLRPC server instances to remove HTTPS handshake overhead and take advantage of keep-alive support.
    • Added initial support for management of multiple Dispatchers.
  • XMLRPC Client->Dispatch Server
    • Updated to always use SSL [Issue #28]
    • Added per instance authentication tokens [Issue #28]
  • Modules
    • Audit
      • Path traversal: added double encoded traversals [Issue #29]
  • Reports
    • HTML
      • Fixed “invalid byte sequence in UTF-8” using iconv [Issue #27]
      • Added false positive reporting. Data are encrypted using 256-bit AES (with AES primitives encrypted using RSA) and sent over HTTPS. [Issue #30]
    • Metareport
      • Fixed bug caused by a file handle not being explicitly closed.
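The hybrid scheme described in the false positive reporting entry above, as an added example using Ruby's OpenSSL bindings (not Arachni's report code): the report body is encrypted with a fresh random AES-256 key and IV, and only those AES primitives are encrypted with the recipient's RSA public key. The 2048-bit key size, CBC mode, OAEP padding and the envelope shape are assumptions made for this example.

```ruby
require 'openssl'

# Added example (not Arachni's code): hybrid AES-256 + RSA envelope.
# Key size, mode, padding and return shape are assumptions for this example.
OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

def encrypt_report(plaintext, rsa_public_key)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  key = cipher.random_key                 # fresh 32-byte key per report
  iv  = cipher.random_iv                  # fresh 16-byte IV per report
  ciphertext = cipher.update(plaintext) + cipher.final
  {
    # Only the small AES primitives go through RSA; the body stays under AES.
    enc_key: rsa_public_key.public_encrypt(key, OAEP),
    enc_iv:  rsa_public_key.public_encrypt(iv, OAEP),
    data:    ciphertext
  }
end

# The receiving side holds the RSA private key and reverses both steps.
def decrypt_report(envelope, rsa_private_key)
  key = rsa_private_key.private_decrypt(envelope[:enc_key], OAEP)
  iv  = rsa_private_key.private_decrypt(envelope[:enc_iv], OAEP)
  decipher = OpenSSL::Cipher.new('aes-256-cbc')
  decipher.decrypt
  decipher.key = key
  decipher.iv  = iv
  decipher.update(envelope[:data]) + decipher.final
end

# Round trip with a constructed false positive report and a fresh key pair.
def demo_roundtrip(report = '{"issue":"XSS","url":"http://example.test/?q=1","false_positive":true}')
  rsa = OpenSSL::PKey::RSA.generate(2048)  # private key; also holds the public half
  envelope = encrypt_report(report, rsa)
  [decrypt_report(envelope, rsa), envelope]
end
```

CBC as used here provides confidentiality only; a deployment would also want an integrity check (an HMAC over the ciphertext or an AEAD mode such as AES-GCM) so a tampered report is rejected rather than decrypted to garbage.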
