Arachni Framework v1.1 – Web User Interface v0.5.7 Released
Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.
Arachni is smart: it trains itself by learning from the HTTP responses it receives during the audit process. Unlike other scanners, Arachni takes into account the dynamic nature of web applications and can detect changes caused while travelling through the paths of a web application's cyclomatic complexity. This way, attack/input vectors that would otherwise be undetectable by non-humans are handled seamlessly by Arachni.
Changelog v1.1
Option updates
More sensible defaults
Some defaults have been updated to be more sensible and reduce the system’s overzealousness:
- HTTP
- Request timeout: Lowered from 50 to 10 seconds.
- Response maximum size: Set to 500KB.
- Browser cluster
- Job timeout: Lowered from 120 to 15 seconds.
- Scope
- DOM depth limit: Lowered from 10 to 5.
New options
- Audit
- --audit-parameter-names — Injects payloads into parameter names.
- --audit-with-extra-parameter — Injects payloads into an extra parameter.
- HTTP
- --http-ssl-verify-peer — Verify SSL peer.
- --http-ssl-verify-host — Verify SSL host.
- --http-ssl-certificate — SSL certificate to use.
- --http-ssl-certificate-type — SSL certificate type.
- --http-ssl-key — SSL private key to use.
- --http-ssl-key-type — SSL key type.
- --http-ssl-key-password — Password for the SSL private key.
- --http-ssl-ca — File holding one or more certificates with which to verify the peer.
- --http-ssl-ca-directory — Directory holding multiple certificate files with which to verify the peer.
- --http-ssl-version — SSL version to use.
- Kerberos HTTP authentication
- Custom 404 detection overhaul
- Performance improvements
- Comparison
XML and JSON element support
A natural follow-up to adding real browser analysis is extracting XML and JSON inputs from requests and auditing them like any other element. The Framework can now do this for you.
There's not much to say here really: auditing these elements is enabled by default and everything is automated.
The proxy plugin has also been updated to extract XML and JSON input vectors from HTTP requests, which means you can use Arachni to perform service scans by first training it via the plugin.
Soon enough there'll be specialized service crawlers; until then, training the system via the proxy plugin should cover you.
Checks
Active
New
- unvalidated_redirect_dom — Logs DOM-based unvalidated redirects.
- xxe — Logs XML External Entity vulnerabilities.
Updated
- trainer — Disabled parameter flip for the payload to avoid parameter pollution.
- os_cmd_injection — Only use straight payload injection instead of straight and append.
- code_injection — Only use straight payload injection instead of straight and append.
- xss — When auditing links don’t require a tainted response for browser analysis.
- xss_script_context
- Updated payloads.
- Only use straight payload injection instead of straight and append.
- xss_dom_script_context — Only use straight payload injection instead of straight and append.
- xss_tag — Updated payloads to handle cases when more data are appended to the landed value.
- xss_event — Added proof to the issue.
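Several of the entries above ("only use straight payload injection instead of straight and append", the new parameter-name and extra-parameter audit options, and the trainer's disabled "parameter flip") refer to the different ways a payload can be placed into an input vector. The following Ruby is an added illustration of those injection modes, written for this page; it is not Arachni's own mutation code. The function names, the `:affected` key, the assumed name of the synthetic extra parameter and the reading of "parameter flip" as parameter-name injection are assumptions made for the example, and the input vector and payload are constructed samples.

```ruby
# Added example (not Arachni's code) of the payload-injection modes named in
# the v1.1 changelog: "straight" (payload replaces the value), "append"
# (payload is appended to the original value), parameter-name injection
# (the "parameter flip") and extra-parameter injection.

require 'cgi'

# Constructed input vector: a form's or link's parameters as name => value.
SAMPLE_INPUTS = { 'id' => '42', 'q' => 'shoes' }.freeze

# Name of the synthetic parameter used by extra-parameter injection
# (assumed for this example; Arachni picks its own).
EXTRA_PARAM_NAME = 'extra_param'.freeze

# Build every mutation of +inputs+ for +payload+ under the selected modes.
# Each mutation is { affected: <which input the payload landed in>, params: {...} }.
# Defaults mirror the v1.1 checks: straight only, no append.
def mutations_for(inputs, payload, straight: true, append: false,
                  parameter_names: false, extra_parameter: false)
  out = []

  inputs.each do |name, value|
    # straight: the payload replaces the original value outright
    out << { affected: name, params: inputs.merge(name => payload) } if straight

    # append: the original value is kept and the payload is tacked onto it
    # (doubles the request count per input, hence the checks dropping it)
    out << { affected: name, params: inputs.merge(name => "#{value}#{payload}") } if append

    # parameter-name injection: the payload becomes the parameter *name*,
    # keeping the original value; the original name disappears
    if parameter_names
      flipped = inputs.reject { |n, _| n == name }.merge(payload => value)
      out << { affected: payload, params: flipped }
    end
  end

  # extra-parameter injection: the payload goes into a parameter the target
  # never declared, leaving the declared ones untouched
  if extra_parameter
    out << { affected: EXTRA_PARAM_NAME, params: inputs.merge(EXTRA_PARAM_NAME => payload) }
  end

  out
end

# Render a mutation as the query string that would actually go on the wire.
def to_query(params)
  params.map { |k, v| "#{CGI.escape(k)}=#{CGI.escape(v)}" }.join('&')
end

if $PROGRAM_NAME == __FILE__
  payload = "';`sleep 5`;#" # constructed OS-command-style payload
  mutations_for(SAMPLE_INPUTS, payload, append: true, parameter_names: true,
                extra_parameter: true).each do |m|
    puts "#{m[:affected].ljust(14)} #{to_query(m[:params])}"
  end
end
```

With two inputs, straight injection alone yields two requests, straight plus append yields four, and enabling every mode yields seven; that growth is why narrowing a check to straight injection cuts its request volume without changing which input ends up carrying the payload.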
Passive
New
- insecure_cross_domain_policy_access — Checks crossdomain.xml files for wildcard allow-access-from policies.
- insecure_cross_domain_policy_headers — Checks crossdomain.xml files for wildcard allow-http-request-headers-from policies.
- insecure_client_access_policy — Checks clientaccesspolicy.xml files for wildcard domain policies.
- insecure_cors_policy — Logs wildcard Access-Control-Allow-Origin headers per host.
- x_frame_options — Logs missing X-Frame-Options headers per host.
- common_directories — Added:
- rails/info/routes
- rails/info/properties
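The five new passive policy checks above all boil down to inspecting a fetched file or a response header for a wildcard. The Ruby below is an added example, written for this page rather than taken from Arachni's check sources, of the conditions those checks look for: a wildcard `allow-access-from` or `allow-http-request-headers-from` domain in crossdomain.xml, a wildcard `<domain uri>` in clientaccesspolicy.xml, a wildcard `Access-Control-Allow-Origin` header, and an absent `X-Frame-Options` header. The two XML documents and the header set are constructed samples, and the function names are this example's own.

```ruby
# Added example (not Arachni's own check code) of the logic behind the
# v1.1 passive policy checks, run over constructed sample inputs.

require 'rexml/document'

# Constructed crossdomain.xml carrying both wildcard policies the checks flag.
CROSSDOMAIN_XML = <<~XML
  <?xml version="1.0"?>
  <cross-domain-policy>
    <allow-access-from domain="*" />
    <allow-access-from domain="partner.example.com" />
    <allow-http-request-headers-from domain="*" headers="*" />
  </cross-domain-policy>
XML

# Constructed clientaccesspolicy.xml (Silverlight) with a wildcard domain.
CLIENTACCESS_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <access-policy>
    <cross-domain-access>
      <policy>
        <allow-from http-request-headers="*">
          <domain uri="*" />
        </allow-from>
        <grant-to>
          <resource path="/" include-subpaths="true" />
        </grant-to>
      </policy>
    </cross-domain-access>
  </access-policy>
XML

# Constructed response headers: wildcard CORS origin, no X-Frame-Options.
SAMPLE_HEADERS = {
  'Content-Type'                => 'text/html',
  'Access-Control-Allow-Origin' => '*'
}.freeze

# Values of attribute +attr+ on every element matching +xpath+ in +xml+.
def attr_values(xml, xpath, attr)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, xpath).map { |e| e.attributes[attr] }.compact
end

# crossdomain.xml: any <allow-access-from domain="*">
def insecure_cross_domain_policy_access?(xml)
  attr_values(xml, '//allow-access-from', 'domain').include?('*')
end

# crossdomain.xml: any <allow-http-request-headers-from domain="*">
def insecure_cross_domain_policy_headers?(xml)
  attr_values(xml, '//allow-http-request-headers-from', 'domain').include?('*')
end

# clientaccesspolicy.xml: any <domain uri="*"> under <allow-from>
def insecure_client_access_policy?(xml)
  attr_values(xml, '//allow-from/domain', 'uri').include?('*')
end

# Case-insensitive header lookup; HTTP header names are case-insensitive.
def header(headers, name)
  pair = headers.find { |k, _| k.casecmp?(name) }
  pair && pair[1]
end

# Wildcard origin: any site may read the response cross-origin.
def insecure_cors_policy?(headers)
  header(headers, 'Access-Control-Allow-Origin').to_s.strip == '*'
end

# Missing header: the page may be framed by any origin (clickjacking).
def missing_x_frame_options?(headers)
  header(headers, 'X-Frame-Options').nil?
end

# Run all five checks and return the names of those that fire.
def run_passive_checks(crossdomain:, clientaccess:, headers:)
  {
    'insecure_cross_domain_policy_access'  => insecure_cross_domain_policy_access?(crossdomain),
    'insecure_cross_domain_policy_headers' => insecure_cross_domain_policy_headers?(crossdomain),
    'insecure_client_access_policy'        => insecure_client_access_policy?(clientaccess),
    'insecure_cors_policy'                 => insecure_cors_policy?(headers),
    'x_frame_options'                      => missing_x_frame_options?(headers)
  }.select { |_, fired| fired }.keys
end

if $PROGRAM_NAME == __FILE__
  puts run_passive_checks(crossdomain: CROSSDOMAIN_XML,
                          clientaccess: CLIENTACCESS_XML,
                          headers: SAMPLE_HEADERS)
end
```

Note that the crossdomain.xml check only treats a bare `*` as a finding; a partial wildcard such as `*.example.com` is scoped to that domain and is not flagged here.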
Updated
- http_put — Try to DELETE the PUT file.
- html_objects — Updated regexp to use non-capturing groups.
Plugins
New
- vector_collector — Collects information about all seen input vectors which are within the scan scope.
- headers_collector — Collects response headers based on specified criteria.
- exec — Calls external executables at different scan stages.
Updated
- email_notify
- Added domain option.
- Fixed extension for html reporter.
- Added support for afr report type.
- proxy — Added XML and JSON input vector extraction.
More Information: