Changelog v1.0.6 (December 07, 2014):
- arachni_rpcd — Fixed bug causing the --nickname option to not be understood.
- UI::Output — Flush output stream after each message.
- Added sql and nosql parents for DBs.
- Check::Auditor#skip? — Ignore mutations when checking for redundancies.
- Browser — Fixed issue causing select inputs in forms to not be set.
- Element::Cookie.encode — Added ‘&’ to the list of reserved characters.
- #recheck — Rechecks the existence of the issue.
- #html= — Recode string before storing.
- #dom — Return nil on Inputtable::Error.
- Auditable — Updated response analysis messages to include vector type, name and action URL.
- Framework — Split into Parts:
- If Options.platforms are given, checks which don’t support them are completely skipped.
- #pop_page_from_url_queue — Fixed issue causing multiple-choice redirections to cause an error.
- #abort — Fixed exception message.
- sql_injection — Slight payload update to catch double-quote cases.
- code_injection — Slight PHP payload update, to ensure it works in more cases.
- code_injection_timing — Updated payloads to mirror code_injection.
- os_command_injection — Updated payloads to handle chained commands.
- arachni_restore (UI::CLI::RestoredFramework)
- Restores snapshots of suspended scans.
- Prints snapshot metadata.
- arachni_report (UI::CLI::Report)
- Creates reports from .afr files.
- arachni (UI::CLI::Framework)
- Ctrl+C (SIGINT) now aborts the scan.
- Hitting Enter now toggles between the progress message and the command screens.
- Updated to provide access to the new suspend-to-disk feature.
- Moved reporting functionality to arachni_report.
- #audit_page — Updated to perform DOM/JS/AJAX analysis on the page and feed DOM page snapshots and new paths back to the Framework.
- #stats renamed to #statistics with the return hash cleaned-up.
- #opts renamed to #options.
- Added State — Stores and provides access to the system’s state.
- Plugins — Stores plugin runtime states when suspending.
- HTTP — Stores client headers and cookies.
- Audit — Stores audit operations.
- ElementFilter — Stores seen elements.
- Framework — Stores the Framework state.
- RPC — Stores the RPC::Server::Framework state.
- Added Data — Stores and provides access to the system’s data.
- Issues — Stores logged Issue objects.
- Plugins — Stores plugin results.
- Session — Stores login configuration.
- Framework — Stores the Framework audit workload.
- RPC — Stores the RPC::Server::Framework audit workload.
- Dumps and loads State and Data to and from disk to suspend and restore active scans.
- Removed the Spider.
- The Framework now provides the same crawling functionality itself, as a by-product of Browser analysis.
- Cleaned up initializers.
- Now passed a single Hash argument with configuration options.
- Provides an interface similar to traditional elements in order for generic DOM elements to be logged and assigned as vectors to issues.
- Bases its vector identification and manipulation on a user-provided template to satisfy cases like ModRewrite and similar.
- Including #dom pointing to an Auditable::DOM object handling browser-based link submissions/audits.
- Added #dom pointing to an Auditable::DOM object handling browser-based form submissions/audits.
- Added #dom pointing to an Auditable::DOM object handling browser-based link submissions/audits.
- Added #dom pointing to an Auditable::DOM object handling browser-based cookie submissions/audits.
- Removed #use_anonymous_auditor
- #auditable => #inputs
- #orig => #default_inputs
- #opts => #audit_options
- #audit — Callbacks now get passed the HTTP response and element mutation instead of response, audit options and mutation — options can now be accessed via the element’s #audit_options attribute.
- Added DOM — To handle DOM submission/auditing of elements.
- Split into the following Capabilities:
- General refactoring and code cleanup.
- Updated the algorithm to ensure server responsiveness before each phase.
- Lowered the amount of performed requests.
- No longer downloads response bodies.
- RDiff => Differential
- Serializer — Replaced Marshal and YAML as RPC serialization providers.
- Delegates to MessagePack.
- Supports message compression — applied based on message size to minimize overhead.
- opts handler renamed to options.
- #dispatch — Returns false when the pool is empty as a signal to check back later.
- Removed #proc_info method.
- Removed proc from job info data.
- Handler renamed to Service.
- Removed #output.
- Removed #output.
- :messages now returns Framework#status_messages instead of output messages.
- Cleaned up return data.
- Removed #progress_data alias.
- HTTP expanded to be a complete wrapper around Typhoeus, providing:
- #request options:
- :params => :parameters
- :async => :mode (with values of :async and :sync)
- Added :http_max_response_size.
- ProxyServer — Moved the proxy server out of the Proxy plugin and updated it to work with Arachni::HTTP objects.
- Browser — Real browser driver providing DOM/JS/AJAX support.
- BrowserCluster — Maintains a pool of Arachni::Browser instances and distributes the analysis workload of multiple resources.
- Cleaned-up attributes.
- Attributes (#links, #forms, #paths etc.) are lazy-parsed on-demand.
- #response — Associated HTTP::Response.
- #dom — Associated Arachni::Page::DOM.
- Page::DOM — Static DOM snapshot as computed by a real browser.
- Parser — Updated to only operate under the context of the HTTP::Response with which it was initialized — no longer supports parsing data from external sources.
- Options — Rewritten with renamed option names and grouped relevant options together.
- Report (Renamed from AuditStore)
- #save — Updated to store a compressed Marshal dump of the instance.
- .load — Updated to load the new #save format.
- Component::Options — Refactored initializers and API.
- Enum renamed to MultipleChoice.
- Reporters (Renamed from Reports)
- Removed metareport.
- All updated to the new format.
- Descriptions have been converted to GitHub-flavored Markdown.
- resolver — Removed as the report now contains that information in the responses associated with each issue.
- Updated to use HTTP::ProxyServer.
- Added ignore_responses option.
- Forces the proxy to only extract vector information from observed HTTP requests and not analyze responses.
- params option renamed to parameters.
- Changed results to include status (String) and message (String) instead of code (Integer) and msg (String).
- Updated to abort the scan upon login failure.
- Renamed params in logged results to parameters.
- Renamed res in logged results to response.
- Changed results to include status (Symbol) and message (String) instead of code (Integer) and msg (String).
- Changed results to use with_issues and without_issues instead of unsafe and safe.
- Added path extractors:
- comments — Extract partial paths from HTML comments.
- script — Extract partial paths from scripts.
- Moved all Framework components (modules, plugins, reports, etc.) under components/.
- Renamed modules to checks, also:
- Audit checks renamed to Active checks.
- Recon checks renamed to Passive checks.
- Descriptions and remedy_guidance have been converted to GitHub-flavored Markdown.
- xpath => xpath_injection
- ldapi => ldap_injection
- sqli => sql_injection
- sqli_blind_rdiff => sql_injection_differential
- sqli_blind_timing => sql_injection_timing
- htaccess => htaccess_limit
- xss_dom — Injects HTML code via DOM-based links, forms and cookies.
- xss_dom_inputs — Injects HTML code via orphan text inputs with associated DOM events.
- no_sql_injection — NoSQL Injection (error-based).
- no_sql_injection_differential — Blind NoSQL Injection (differential analysis).
- xss — Added support for Browser-based taint-analysis.
- xss_script_context — Added support for Browser-based taint-analysis.
- Renamed from xss_script_tag.
- unvalidated_redirect — Updated to also use full browser evaluation in order to detect JS redirects.
- os_cmd_injection — Added payloads for *BSD and AIX.
- backup_directories — Backup directories.
- cookie_set_for_parent_domain — Cookie set for parent domain.
- hsts — Checks HTTPS pages for missing Strict-Transport-Security headers.
- backup_files — Updated filename formats.
- x_forwarded_for_access_restriction_bypass renamed to origin_spoof_access_restriction_bypass.
- Also updated to use more origin headers.
- emails — Updated to handle simple ([at] and [dot]) obfuscation.
- insecure_cookies — Only check HTTPS pages.
- Arachni’s license has changed; please see the LICENSE file before working with the project.
- v1.0 is not backwards compatible.
Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.
General features:
- Cookie-jar/cookie-string support.
- Custom header support.
- SSL support.
- User Agent spoofing.
- Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
- Proxy authentication.
- Site authentication (Automated form-based, Cookie-Jar, Basic-Digest, NTLMv1 and others).
- Automatic log-out detection and re-login during the scan (when the initial login was performed via the autologin or proxy plugins).
- Custom 404 page detection.
- UI abstraction:
- Command-line Interface.
- Web User Interface.
- Pause/resume functionality.
- Hibernation support — Suspend to and restore from disk.
- High performance asynchronous HTTP requests.
- With adjustable concurrency.
- With the ability to auto-detect server health and adjust its concurrency automatically.
- Support for custom default input values, using pairs of patterns (to be matched against input names) and values to be used to fill in matching inputs.
Download version:
Zipball: arachni-1.0.6.zip (2.3MB) https://github.com/Arachni/arachni/archive/v1.0.6.zip
Tarball: arachni-1.0.6.tar.gz (2.2MB) https://github.com/Arachni/arachni/archive/v1.0.6.tar.gz
Source: http://www.arachni-scanner.com/