Arachni v1.0 – Web User Interface v0.5 Released
Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.
Arachni is smart: it trains itself by learning from the HTTP responses it receives during the audit process. Unlike other scanners, Arachni takes into account the dynamic nature of web applications and can detect changes caused while travelling through the paths of a web application’s cyclomatic complexity. This way, attack/input vectors that would otherwise be undetectable by non-humans are seamlessly handled by Arachni.
Changelog v1.0
The new scan engine has been benchmarked (WIVET v3 and WAVSEP v1.5) higher than even the most established commercial products in crawl coverage, vulnerability identification and accuracy.
Updated workflow:
- No more crawl-first; scan workload is discovered and handled on the fly.
- Support for suspending scans to disk.
Addition of an integrated browser environment, supporting:
- HTML5/DOM/JavaScript/AJAX
- Detection of DOM-based issues.
New input vectors:
- DOM forms
- DOM links (with parameters in URL fragments)
- DOM cookies
- Link templates (for extracting arbitrary inputs from generic paths).
- DOM link templates (for extracting arbitrary inputs from generic URL fragments).
Support for URL-rewrite rules.
New checks:
- NoSQL injection (error based and blind).
- DOM XSS variants.
New reports providing enormous amounts of context for easy issue verification and resolution — especially for DOM-based ones.
Cleaned up RPC API.
License update:
- Proprietary, commercial license for SaaS providers and commercial distributors.
- Apache License v2.0 for all other use cases.