Updates Arachni v-2.0-dev.1.0 : Web Application Security Scanner Framework.

Changelog v-2.0-dev.1.0:

  • gemspec — Require Ruby >= 2.0.0.
  • Options
    • --authorized-by — Fixed expected type (Integer => String).
    • HTTP
      • request_timeout — Lowered from 50 to 10 seconds.
      • response_max_size — Set to 500KB.
    • BrowserCluster
      • job_timeout — Lowered from 120 to 15 seconds.
    • Scope
      • dom_depth_limit — Lowered from 10 to 5.
    • Added:
      • Audit
        • --audit-parameter-names — Injects payloads into parameter names.
        • --audit-with-extra-parameter — Injects payloads into an extra parameter.
      • HTTP
        • --http-ssl-verify-peer — Verify SSL peer.
        • --http-ssl-verify-host — Verify SSL host.
        • --http-ssl-certificate — SSL certificate to use.
        • --http-ssl-certificate-type — SSL certificate type.
        • --http-ssl-key — SSL private key to use.
        • --http-ssl-key-type — SSL key type.
        • --http-ssl-key-password — Password for the SSL private key.
        • --http-ssl-ca — File holding one or more certificates with which to verify the peer.
        • --http-ssl-ca-directory — Directory holding multiple certificate files with which to verify the peer.
        • --http-ssl-version — SSL version to use.
  • URI
    • Added #resource_name.
    • Added .full_and_absolute?.
    • Scope
      • #redundant? — No longer updates counter by default.
      • #auto_redundant?
        • No longer updates counter by default.
        • Only consider URLs with query parameters.
  • HTTP
    • Client
      • Overhauled custom-404 identification and moved to Dynamic404Handler.
  • Framework
    • Parts
      • Data
        • #push_to_page_queue — Update redundancy scope counters.
        • #push_to_url_queue — Update redundancy scope counters.
      • Audit
        • #audit_page
          • Apply DOM metadata to pages not originated from Browser#to_page.
      • Browser
        • Added utility #browser.
        • Added #use_browsers?, determining whether system options and capabilities allow for browsers to be used.
        • #wait_for_browsers? => #wait_for_browser_cluster?
  • Element
    • All
      • Renamed #html to #source.
      • Moved element-specific capabilities to their own files.
    • Cookie.encode — Encode the = character even when it appears in the cookie value.
    • JSON — Represents JSON input vectors.
    • XML — Represents XML input vectors.
    • Form
      • Support forms with multiple values for submit inputs with the same names.
    • Server
      • #log_remote_file_if_exists — Perform some rudimentary meta-analysis on possible issues and only feed the identified resources back to the system if they are above a certain threshold of similarity. This fixes infinite loop scenarios when dealing with unreliable custom-404 fingerprints.
    • Capabilities
      • Mutable
        • :param_flip => :parameter_names
        • Added :parameter_values option.
        • Added :with_extra_parameter option.
      • Analyzable
        • Timeout
          • Updated algorithm to be resilient to WAF/IDS/IPS filtering.
          • Added remarks to each issue containing extra information regarding the state of the web application during analysis.
        • Differential — Added remarks to each issue containing extra information regarding the used payloads.
        • Taint
          • Don’t log issues when unable to get a verification response.
          • Provide all matched data as proof, not only the regexp captured ones.
      • WithDOM
        • Added #skip_dom (set via Browser#to_page), to prevent DOMs from being loaded and audited when there are no associated events.
  • Page
    • Added #update_metadata, updating #metadata from #cache elements.
    • Added #reload_metadata, updating #cache elements from #metadata.
    • Added #import_metadata, importing #metadata from other page.
    • DOM
      • #restore — Added debugging messages.
  • Utilities
    • Added .full_and_absolute_url?.
  • Browser
    • Updated to extract JSON and XML input vectors from HTTP requests.
    • #shutdown — Fixed Selenium exceptions on dead browser process.
    • #to_page — Apply DOM metadata to page elements.
    • #spawn_phantomjs — Enabled --disk-cache option for phantomjs.
    • #fire_event — Recode input values to fix encoding errors.
    • #to_page — Return empty page on unavailable response data instead of nil.
    • #snapshot_id — Updated to only consider important element attributes (depending on type) instead of all of them.
    • ElementLocator
      • #css — Returns a CSS locator.
      • #locate — Updated to use #css.
    • Javascript
      • Added .select_event_attributes.
      • DOMMonitor
        • #digest — Removed data-arachni-id from digest.
      • TaintTracer
        • Added support for tracing multiple taints in groups.
        • Added tracing for:
          • escape()
          • unescape()
          • String
            • indexOf()
            • lastIndexOf()
          • jQuery
            • cookie() plugin.
  • BrowserCluster
    • Worker
      • #browser_respawn — Catch Watir/Selenium errors.
  • Session
    • Ensure the browser is shut-down after each login operation.
  • Check
    • Auditor
      • #each_candidate_dom_element — Yield element DOMs instead of parent elements.
  • Plugin
    • Manager
      • #run — Optimized plugin initialization by using a queue to signal a ready-state, instead of blocking for 1 second.
  • Checks
    • Active
      • Added
        • unvalidated_redirect_dom — Logs DOM-based unvalidated redirects.
        • xxe — Logs XML External Entity vulnerabilities.
      • trainer — Disabled parameter flip for the payload to avoid parameter pollution.
      • os_cmd_injection — Only use straight payload injection instead of straight and append.
      • code_injection — Only use straight payload injection instead of straight and append.
      • xss — When auditing links don’t require a tainted response for browser analysis.
      • xss_script_context
        • Updated payloads.
        • Only use straight payload injection instead of straight and append.
      • xss_dom_script_context — Only use straight payload injection instead of straight and append.
      • xss_tag — Updated payloads to handle cases when more data are appended to the landed value.
      • xss_event — Added proof to the issue.
    • Passive
      • Added
        • insecure_cross_domain_policy_access — Checks crossdomain.xml files for wildcard allow-access-from policies.
        • insecure_cross_domain_policy_headers — Checks crossdomain.xml files for wildcard allow-http-request-headers-from policies.
        • insecure_client_access_policy — Checks clientaccesspolicy.xml files for wildcard domain policies.
        • insecure_cors_policy — Logs wildcard Access-Control-Allow-Origin headers per host.
        • x_frame_options — Logs missing X-Frame-Options headers per host.
        • common_directories — Added:
          • rails/info/routes
          • rails/info/properties
      • http_put — Try to DELETE the PUT file.
      • html_objects — Updated regexp to use non-capturing groups.
  • Plugins
    • All
      • Updated #prepare methods to not block, in accordance with the new Plugin::Manager#run behavior.
    • email_notify
      • Added domain option.
      • Fixed extension for html reporter.
      • Added support for afr report type.
    • proxy — Added XML and JSON input vector extraction.
    • Added:
      • vector_collector — Collects information about all seen input vectors which are within the scan scope.
      • headers_collector — Collects response headers based on specified criteria.
      • exec — Calls external executables at different scan stages.
  • Report — Renamed #html to #source for all elements.
    • html
      • Updated chart rendering to only take place when visiting the chart page.
      • Fixed broken links.
      • Cleaned up chart severity handling.
      • Summary
        • Added OWASP Top 10 tab.
    • xml
      • Schema update for issue remarks.
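The passive checks added in this release (insecure_cross_domain_policy_access, insecure_cross_domain_policy_headers, insecure_client_access_policy, insecure_cors_policy and x_frame_options) all reduce to inspecting a policy file or a response header and, for the header checks, reporting once per host. The following is an added example written for this page, not Arachni's own check code: it implements those five checks over constructed sample responses. The Response struct, the method names and the sample policy files are assumptions made here.

```ruby
# Added example, not Arachni's own code: standalone versions of the policy and
# header checks listed above, run over constructed sample responses. The
# Response struct, method names and sample data are assumptions made here.
require 'rexml/document'
require 'uri'

# Minimal stand-in for an HTTP response: URL, headers (name => value) and body.
Response = Struct.new(:url, :headers, :body) do
  def host
    URI(url).host
  end

  # Header names are case-insensitive, so look them up that way.
  def header(name)
    pair = headers.find { |k, _| k.casecmp?(name) }
    pair && pair.last
  end
end

# crossdomain.xml (Flash/Flex): domain="*" on allow-access-from lets any origin
# read responses; the same on allow-http-request-headers-from lets any origin
# send custom request headers. Returns the findings, possibly empty.
def crossdomain_policy_issues(response)
  doc = REXML::Document.new(response.body)
  issues = []
  doc.elements.each('cross-domain-policy/allow-access-from') do |e|
    issues << :insecure_cross_domain_policy_access if e.attributes['domain'] == '*'
  end
  doc.elements.each('cross-domain-policy/allow-http-request-headers-from') do |e|
    issues << :insecure_cross_domain_policy_headers if e.attributes['domain'] == '*'
  end
  issues.uniq
rescue REXML::ParseException
  []
end

# clientaccesspolicy.xml (Silverlight): flag a wildcard <domain uri="*"/>.
def client_access_policy_issues(response)
  doc = REXML::Document.new(response.body)
  path = 'access-policy/cross-domain-access/policy/allow-from/domain'
  wildcard = doc.elements.to_a(path).any? { |d| d.attributes['uri'] == '*' }
  wildcard ? [:insecure_client_access_policy] : []
rescue REXML::ParseException
  []
end

# Header findings reported once per host, so a thousand pages on one host
# produce one issue rather than a thousand duplicates.
class PerHostHeaderChecks
  def initialize
    @reported = Hash.new { |h, k| h[k] = {} }
  end

  # Returns the findings that are new for this response's host.
  def check(response)
    host = response.host
    findings = []

    acao = response.header('Access-Control-Allow-Origin')
    if acao && acao.strip == '*'
      findings << :insecure_cors_policy unless @reported[host][:insecure_cors_policy]
      @reported[host][:insecure_cors_policy] = true
    end

    if response.header('X-Frame-Options').nil?
      findings << :x_frame_options unless @reported[host][:x_frame_options]
      @reported[host][:x_frame_options] = true
    end

    findings
  end
end

# Constructed sample responses (not captured from any real site).
WILDCARD_CROSSDOMAIN = Response.new(
  'https://shop.example.test/crossdomain.xml', {},
  <<~XML
    <?xml version="1.0"?>
    <cross-domain-policy>
      <allow-access-from domain="*" />
      <allow-http-request-headers-from domain="*" headers="*" />
    </cross-domain-policy>
  XML
)

STRICT_CROSSDOMAIN = Response.new(
  'https://shop.example.test/crossdomain.xml', {},
  '<cross-domain-policy><allow-access-from domain="www.example.test" /></cross-domain-policy>'
)

WILDCARD_CLIENTACCESS = Response.new(
  'https://shop.example.test/clientaccesspolicy.xml', {},
  <<~XML
    <access-policy><cross-domain-access><policy>
      <allow-from http-request-headers="*"><domain uri="*" /></allow-from>
      <grant-to><resource path="/" include-subpaths="true" /></grant-to>
    </policy></cross-domain-access></access-policy>
  XML
)

PAGE_A = Response.new('https://shop.example.test/', { 'Access-Control-Allow-Origin' => '*' }, '')
PAGE_B = Response.new('https://shop.example.test/cart', { 'access-control-allow-origin' => '*' }, '')
PAGE_C = Response.new('https://api.example.test/',
                      { 'Access-Control-Allow-Origin' => 'https://shop.example.test',
                        'X-Frame-Options' => 'DENY' }, '')

if __FILE__ == $PROGRAM_NAME
  p crossdomain_policy_issues(WILDCARD_CROSSDOMAIN)
  p client_access_policy_issues(WILDCARD_CLIENTACCESS)
  checks = PerHostHeaderChecks.new
  [PAGE_A, PAGE_B, PAGE_C].each { |r| p [r.url, checks.check(r)] }
end
```

The per-host bookkeeping is the part worth copying: a missing X-Frame-Options header is a property of the server configuration, not of a page, and reporting it on every response buries real findings in duplicates. The policy-file checks parse the XML rather than grepping for `*`, so a wildcard inside a comment or in an unrelated attribute does not trigger them.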

NOTICE:

  • Arachni’s license has changed, please see the LICENSE file before working with the project.
  • v1.0 is not backwards compatible.


Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

Features

General:

  • Cookie-jar/cookie-string support.
  • Custom header support.
  • SSL support.
  • User Agent spoofing.
  • Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
  • Proxy authentication.
  • Site authentication (Automated form-based, Cookie-Jar, Basic-Digest, NTLMv1 and others).
  • Automatic log-out detection and re-login during the scan (when the initial login was performed via the autologin or proxy plugins).
  • Custom 404 page detection.
  • UI abstraction:
    • Command-line Interface.
    • Web User Interface.
  • Pause/resume functionality.
  • Hibernation support — Suspend to and restore from disk.
  • High performance asynchronous HTTP requests.
    • With adjustable concurrency.
    • With the ability to auto-detect server health and adjust its concurrency automatically.
  • Support for custom default input values, using pairs of patterns (to be matched against input names) and values to be used to fill in matching inputs.

  • Framework
    • #audit_page — Updated to perform DOM/JS/AJAX analysis on the page and feed DOM page snapshots and new paths back to the Framework.
    • #stats renamed to #statistics with the return hash cleaned-up.
    • #opts renamed to #options.
  • Session
    • Updated to support login forms which depend on DOM/Javascript.
  • Added State — Stores and provides access to the system’s state.
    • Plugins — Stores plugin runtime states when suspending.
    • HTTP — Stores client headers and cookies.
    • Audit — Stores audit operations.
    • ElementFilter — Stores seen elements.
    • Framework — Stores the Framework state.
    • RPC — Stores the RPC::Server::Framework state.
  • Added Data — Stores and provides access to the system’s data.
    • Issues — Stores logged Issue objects.
    • Plugins — Stores plugin results.
    • Session — Stores login configuration.
    • Framework — Stores the Framework audit workload.
    • RPC — Stores the RPC::Server::Framework audit workload.
  • Added Snapshot — Dumps and loads State and Data to and from disk to suspend and restore active scans.
  • Removed the Spider.
    • The Framework has grown to encompass a process providing the same functionality as a result of Browser analysis.
  • Element
    • Cleaned up initializers.
      • Now passed a single Hash argument with configuration options.
    • Added GenericDOM — Provides an interface similar to traditional elements in order for generic DOM elements to be logged and assigned as vectors to issues.
    • Added LinkTemplate — Bases its vector identification and manipulation on a user-provided template to satisfy cases like ModRewrite and similar.
      • Includes #dom pointing to an Auditable::DOM object handling browser-based link submissions/audits.
    • Form
      • Added #dom pointing to an Auditable::DOM object handling browser-based form submissions/audits.
    • Link
      • Added #dom pointing to an Auditable::DOM object handling browser-based link submissions/audits.
    • Cookie
      • Added #dom pointing to an Auditable::DOM object handling browser-based cookie submissions/audits.
    • Capabilities::Auditable
      • Removed #use_anonymous_auditor.
      • #auditable => #inputs
      • #orig => #default_inputs
      • #opts => #audit_options
      • #audit — Callbacks now get passed the HTTP response and element mutation instead of response, audit options and mutation; options can now be accessed via the element’s #audit_options attribute.
      • Added DOM — To handle DOM submission/auditing of elements.
      • Split into the following Capabilities:
        • Analyzable
          • Timeout
            • General refactoring and code cleanup.
            • Updated the algorithm to ensure server responsiveness before each phase.
            • Lowered the amount of performed requests.
            • No longer downloads response bodies.
          • RDiff => Differential
          • Taint
        • Submittable
        • Inputtable
  • RPC
    • Serializer — Replaced Marshal and YAML as RPC serialization providers.
      • Delegates to MessagePack.
      • Supports message compression — applied based on message size to minimize overhead.
    • opts handler renamed to options.
    • Server
      • Dispatcher
        • #dispatch — Returns false when the pool is empty as a signal to check back later.
        • Removed #proc_info method.
        • Removed proc from job info data.
        • Handler renamed to Service.
      • Instance
        • Removed #output.
      • Framework
        • Removed #output.
        • #progress
          • :messages now returns Framework#status_messages instead of output messages.
          • Cleaned up return data.
        • Removed #progress_data alias.
  • HTTP expanded to be a complete wrapper around Typhoeus, providing:
    • Headers
    • Message
    • Request
    • Response
    • Client
      • #request options:
        • :params => :parameters
        • :async => :mode (with values of :async and :sync)
        • Added :http_max_response_size.
    • ProxyServer — Moved the proxy server out of the Proxy plugin and updated it to work with Arachni::HTTP objects.
  • Browser — Real browser driver providing DOM/JS/AJAX support.
  • BrowserCluster — Maintains a pool of Arachni::Browser instances and distributes the analysis workload of multiple resources.
  • Page
    • Cleaned-up attributes.
    • Attributes (#links, #forms, #paths etc.) are lazy-parsed on-demand.
    • Added:
      • #response — Associated HTTP::Response.
      • #dom — Associated Arachni::Page::DOM.
    • Page::DOM — Static DOM snapshot as computed by a real browser.
  • Parser — Updated to only operate under the context of the HTTP::Response with which it was initialized; no longer supports parsing data from external sources.
  • Options — Rewritten with renamed option names and grouped relevant options together.
  • Report (Renamed from AuditStore)
    • #save — Updated to store a compressed Marshal dump of the instance.
    • .load — Updated to load the new #save format.
  • Component::Options — Refactored initializers and API.
    • Enum renamed to MultipleChoice.
  • Reporters (Renamed from Reports)
    • Removed metareport.
    • All updated to the new format.
  • Plugins
    • Descriptions have been converted to GitHub-flavored Markdown.
    • resolver — Removed as the report now contains that information in the responses associated with each issue.
    • proxy
      • Updated to use HTTP::ProxyServer.
      • Added ignore_responses option.
        • Forces the proxy to only extract vector information from observed HTTP requests and not analyze responses.
    • autologin
      • params option renamed to parameters.
      • Changed results to include status (String) and message (String) instead of code (Integer) and msg (String).
      • Updated to abort the scan upon login failure.
    • content_types
      • Renamed params in logged results to parameters.
    • cookie_collector
      • Renamed res in logged results to response.
    • waf_detector
      • Changed results to include status (Symbol) and message (String) instead of code (Integer) and msg (String).
    • healthmap
      • Changed results to use with_issues and without_issues instead of unsafe and safe.
  • Path extractors
    • Added:
      • Extract partial paths from HTML comments (comments).
      • script — Extract partial paths from scripts.
  • Moved all Framework components (modules, plugins, reports, etc.) under components/.
  • Renamed modules to checks, also:
    • Audit checks renamed to Active checks.
    • Recon checks renamed to Passive checks.
  • Checks
    • Descriptions and remedy_guidance have been converted to GitHub-flavored Markdown.
    • Renamed
      • xpath => xpath_injection
      • ldapi => ldap_injection
      • sqli => sql_injection
      • sqli_blind_rdiff => sql_injection_differential
      • sqli_blind_timing => sql_injection_timing
      • htaccess => htaccess_limit
    • Active
      • New
        • xss_dom — Injects HTML code via DOM-based links, forms and cookies.
        • xss_dom_inputs — Injects HTML code via orphan text inputs with associated DOM events.
        • xss_dom_script_context — Injects JavaScript code via DOM-based links, forms and cookies.
        • no_sql_injection — NoSQL Injection (error-based).
        • no_sql_injection_differential — Blind NoSQL Injection (differential analysis).
      • xss — Added support for Browser-based taint-analysis.
      • xss_script_context — Added support for Browser-based taint-analysis.
        • Renamed from xss_script_tag.
      • unvalidated_redirect — Updated to also use full browser evaluation in order to detect JS redirects.
      • os_cmd_injection — Added payloads for *BSD and AIX.
    • Passive
      • New
        • backup_directories — Backup directories.
        • cookie_set_for_parent_domain — Cookie set for parent domain.
        • Grep
          • hsts — Checks HTTPS pages for missing Strict-Transport-Security headers.
      • backup_files — Updated filename formats.
      • x_forwarded_for_access_restriction_bypass renamed to origin_spoof_access_restriction_bypass.
        • Also updated to use more origin headers.
      • Grep
        • emails — Updated to handle simple ([at] and [dot]) obfuscation.
        • insecure_cookies — Only check HTTPS pages.
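Three of the passive checks above operate on response headers alone: hsts (HTTPS pages that omit Strict-Transport-Security), insecure_cookies (now restricted to HTTPS pages) and cookie_set_for_parent_domain. The following is an added example written for this page, not Arachni's check code: it implements all three over constructed responses, including a small Set-Cookie parser, so the HTTPS-only scoping and the parent-domain comparison can be seen in one place. The Response struct, helper names and sample headers are assumptions made here.

```ruby
# Added example, not Arachni's own code: standalone versions of the hsts,
# insecure_cookies and cookie_set_for_parent_domain passive checks, run over
# constructed responses. The Response struct, helper names and sample headers
# are assumptions made for this illustration.
require 'uri'

# Headers are kept as [name, value] pairs because Set-Cookie may repeat.
Response = Struct.new(:url, :header_pairs) do
  def https?
    URI(url).scheme == 'https'
  end

  def host
    URI(url).host.downcase
  end

  # All values of a header, matched case-insensitively by name.
  def values_of(name)
    header_pairs.select { |k, _| k.casecmp?(name) }.map(&:last)
  end
end

Cookie = Struct.new(:name, :value, :domain, :secure, :http_only)

# Parse one Set-Cookie header value into a Cookie. Attribute names are
# case-insensitive; a leading dot on Domain is ignored, as in RFC 6265.
def parse_set_cookie(header_value)
  pair, *attributes = header_value.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  cookie = Cookie.new(name, value, nil, false, false)
  attributes.each do |attribute|
    key, val = attribute.split('=', 2)
    case key.downcase
    when 'domain'   then cookie.domain = val.to_s.downcase.sub(/\A\./, '')
    when 'secure'   then cookie.secure = true
    when 'httponly' then cookie.http_only = true
    end
  end
  cookie
end

def cookies_of(response)
  response.values_of('Set-Cookie').map { |v| parse_set_cookie(v) }
end

# hsts: an HTTPS page that does not send Strict-Transport-Security.
# Plain-HTTP pages are skipped because the header only has meaning over TLS.
def hsts_missing?(response)
  response.https? && response.values_of('Strict-Transport-Security').empty?
end

# insecure_cookies: cookies set over HTTPS without the Secure flag, which a
# browser would also send over plain HTTP. Only HTTPS pages are checked.
def insecure_cookie_names(response)
  return [] unless response.https?
  cookies_of(response).reject(&:secure).map(&:name)
end

# cookie_set_for_parent_domain: the Domain attribute names a parent of the
# responding host, so every sibling subdomain receives the cookie as well.
def parent_domain_cookie_names(response)
  host = response.host
  cookies_of(response).select do |c|
    c.domain && c.domain != host && host.end_with?(".#{c.domain}")
  end.map(&:name)
end

# Constructed sample responses (not captured from any real site).
LOGIN_PAGE = Response.new('https://app.example.test/login', [
  ['Content-Type', 'text/html'],
  ['Set-Cookie', 'session=abc123; Path=/; Secure; HttpOnly'],
  ['Set-Cookie', 'tracker=xyz; Path=/; Domain=.example.test'],
  ['Set-Cookie', 'prefs=dark; Path=/']
])

HTTP_PAGE = Response.new('http://app.example.test/', [
  ['Set-Cookie', 'prefs=dark; Path=/']
])

HSTS_PAGE = Response.new('https://app.example.test/', [
  ['Strict-Transport-Security', 'max-age=31536000; includeSubDomains']
])

if __FILE__ == $PROGRAM_NAME
  [LOGIN_PAGE, HTTP_PAGE, HSTS_PAGE].each do |r|
    puts "#{r.url}: hsts_missing=#{hsts_missing?(r)} " \
         "insecure=#{insecure_cookie_names(r)} parent_domain=#{parent_domain_cookie_names(r)}"
  end
end
```

Restricting insecure_cookies to HTTPS pages, as the changelog entry says, is what keeps the check meaningful: a cookie set over plain HTTP is exposed regardless of its flags, so flagging a missing Secure attribute there would only add noise. The parent-domain comparison requires the host to end with a dot followed by the cookie domain, so `app.example.test` setting `Domain=example.test` is reported while `notexample.test` would not be.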

Download version:
arachni-2.0dev-1.0dev-linux-x86_64.tar.gz (205.8 MB)
arachni-2.0dev-1.0dev-linux-i686.tar.gz (202.4 MB)
arachni-2.0dev-1.0dev-darwin-x86_64.tar.gz (160.9 MB)
Source: http://www.arachni-scanner.com/
Mail to: tasos.laskos@arachni-scanner.com
Our previous post: http://seclist.us/updates-arachni-v-1-1-web-application-security-scanner-framework.html