arachni 1.6.0 → 1.6.1.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +16 -0
- data/README.md +114 -109
- data/arachni.gemspec +2 -2
- data/components/plugins/exec.rb +2 -2
- data/components/reporters/html/default/css/main.css +4 -0
- data/components/reporters/html/default.erb +6 -0
- data/components/reporters/stdout.rb +5 -0
- data/lib/arachni/browser.rb +1 -0
- data/lib/version +1 -1
- metadata +523 -523
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 42c381ca18f8a4dc632204b1306b6e1626b3aa889ae8dab1a6c077b170b92de5
|
4
|
+
data.tar.gz: 3de9a300e641a09ede4d657835e232d6a8ca6c373a107dc63032805b7503f65f
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 85ee971e616c317cbb7565dcb2a1ba54e9ee6d2a4c55fcb6bb80aefb16c8c8f0ec2dfba06e6aae9ded11ca8e9126264c02f86d713c728a64a8c40c41d9118fef
|
7
|
+
data.tar.gz: 321a8daf7280a13db164f10ea17f05d795c0fa21a2e7c5172cf6a0b50e1d0220e25e6215abb83f88b96766be9b44eb2558a27e405875edf20af99edb88162bdb
|
data/CHANGELOG.md
CHANGED
@@ -1,5 +1,21 @@
|
|
1
1
|
# ChangeLog
|
2
2
|
|
3
|
+
## 1.6.1.2 (May 3, 2022)
|
4
|
+
|
5
|
+
- Updated Sinatra version.
|
6
|
+
|
7
|
+
## 1.6.1.1 (May 3, 2022)
|
8
|
+
|
9
|
+
- Plugins
|
10
|
+
- `exec` -- Fixed error on empty option.
|
11
|
+
- Reporters
|
12
|
+
- `stdout` -- Inform of Arachni's obsolescence and its successor [Ecsypno SCNR](https://www.ecsypno.com/).
|
13
|
+
- `html` -- Inform of Arachni's obsolescence and its successor [Ecsypno SCNR](https://www.ecsypno.com/).
|
14
|
+
|
15
|
+
## 1.6.1 _(March 20, 2022)_
|
16
|
+
|
17
|
+
- `Browser#eelenium` -- Disable sandbox.
|
18
|
+
|
3
19
|
## 1.6.0 _(March 4, 2022)_
|
4
20
|
|
5
21
|
- Options
|
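Review bot: `Browser#eelenium` in the 1.6.1 entry is a typo for `Browser#selenium` (the corresponding change lands in data/lib/arachni/browser.rb). The same entry, "Disable sandbox", should say which sandbox and why: the diff adds `'--no-sandbox'` to the Chrome command line, which turns off the browser's process isolation, and anyone reading the changelog should know that. Also, the new 1.6.1.x headings drop the `_(date)_` italics used by the 1.6.0 and 1.6.1 entries; keep one heading style.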
data/README.md
CHANGED
@@ -1,9 +1,14 @@
|
|
1
|
+
# Notice
|
2
|
+
|
3
|
+
Arachni is heading towards obsolescence, try out its next-gen successor
|
4
|
+
[Ecsypno](https://www.ecsypno.com/) [SCNR](https://ecsypno.com/scnr-documentation/)!
|
5
|
+
|
1
6
|
# Arachni - Web Application Security Scanner Framework
|
2
7
|
|
3
8
|
<table>
|
4
9
|
<tr>
|
5
10
|
<th>Version</th>
|
6
|
-
<td>1.6.
|
11
|
+
<td>1.6.1.2</td>
|
7
12
|
</tr>
|
8
13
|
<tr>
|
9
14
|
<th>Homepage</th>
|
@@ -112,27 +117,27 @@ you with its findings.
|
|
112
117
|
|
113
118
|
### General
|
114
119
|
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
|
122
|
-
|
123
|
-
|
124
|
-
|
125
|
-
|
120
|
+
- Cookie-jar/cookie-string support.
|
121
|
+
- Custom header support.
|
122
|
+
- SSL support with fine-grained options.
|
123
|
+
- User Agent spoofing.
|
124
|
+
- Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
|
125
|
+
- Proxy authentication.
|
126
|
+
- Site authentication (SSL-based, form-based, Cookie-Jar, Basic-Digest, NTLMv1, Kerberos and others).
|
127
|
+
- Automatic log-out detection and re-login during the scan (when the initial
|
128
|
+
login was performed via the `autologin`, `login_script` or `proxy` plugins).
|
129
|
+
- Custom 404 page detection.
|
130
|
+
- UI abstraction:
|
126
131
|
- [Command-line Interface](https://github.com/Arachni/arachni/wiki/Executables).
|
127
132
|
- [Web User Interface](https://github.com/Arachni/arachni-ui-web).
|
128
|
-
|
129
|
-
|
130
|
-
|
133
|
+
- Pause/resume functionality.
|
134
|
+
- Hibernation support -- Suspend to and restore from disk.
|
135
|
+
- High performance asynchronous HTTP requests.
|
131
136
|
- With adjustable concurrency.
|
132
137
|
- With the ability to auto-detect server health and adjust its concurrency
|
133
|
-
|
134
|
-
|
135
|
-
|
138
|
+
automatically.
|
139
|
+
- Support for custom default input values, using pairs of patterns (to be matched
|
140
|
+
against input names) and values to be used to fill in matching inputs.
|
136
141
|
|
137
142
|
### Integrated browser environment
|
138
143
|
|
@@ -155,27 +160,27 @@ with a great deal of information regarding the state of the page at the time.
|
|
155
160
|
|
156
161
|
Relevant information include:
|
157
162
|
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
|
162
|
-
|
163
|
-
|
164
|
-
|
165
|
-
|
166
|
-
|
167
|
-
|
168
|
-
|
169
|
-
|
170
|
-
|
171
|
-
|
172
|
-
|
173
|
-
|
174
|
-
|
175
|
-
|
176
|
-
|
177
|
-
|
178
|
-
|
163
|
+
- Page DOM, as HTML code.
|
164
|
+
- With a list of DOM transitions required to restore the state of the
|
165
|
+
page to the one at the time it was logged.
|
166
|
+
- Original DOM (i.e. prior to the action that caused the page to be logged),
|
167
|
+
as HTML code.
|
168
|
+
- With a list of DOM transitions.
|
169
|
+
- Data-flow sinks -- Each sink is a JS method which received a tainted argument.
|
170
|
+
- Parent object of the method (ex.: `DOMWindow`).
|
171
|
+
- Method signature (ex.: `decodeURIComponent()`).
|
172
|
+
- Arguments list.
|
173
|
+
- With the identified taint located recursively in the included objects.
|
174
|
+
- Method source code.
|
175
|
+
- JS stacktrace.
|
176
|
+
- Execution flow sinks -- Each sink is a successfully executed JS payload,
|
177
|
+
as injected by the security checks.
|
178
|
+
- Includes a JS stacktrace.
|
179
|
+
- JavaScript stack-traces include:
|
180
|
+
- Method names.
|
181
|
+
- Method locations.
|
182
|
+
- Method source codes.
|
183
|
+
- Argument lists.
|
179
184
|
|
180
185
|
In essence, you have access to roughly the same information that your favorite
|
181
186
|
debugger (for example, FireBug) would provide, as if you had set a breakpoint to
|
@@ -189,15 +194,15 @@ consuming in a high-performance fashion.
|
|
189
194
|
|
190
195
|
Configuration options include:
|
191
196
|
|
192
|
-
|
193
|
-
|
194
|
-
|
195
|
-
|
196
|
-
|
197
|
-
|
198
|
-
|
199
|
-
|
200
|
-
|
197
|
+
- Adjustable pool-size, i.e. the amount of browser workers to utilize.
|
198
|
+
- Timeout for each job.
|
199
|
+
- Worker TTL counted in jobs -- Workers which exceed the TTL have their browser
|
200
|
+
process respawned.
|
201
|
+
- Ability to disable loading images.
|
202
|
+
- Adjustable screen width and height.
|
203
|
+
- Can be used to analyze responsive and mobile applications.
|
204
|
+
- Ability to wait until certain elements appear in the page.
|
205
|
+
- Configurable local storage data.
|
201
206
|
|
202
207
|
### Coverage
|
203
208
|
|
@@ -212,28 +217,28 @@ order to provide coverage for a full set of possible scenarios.
|
|
212
217
|
By inspecting all possible pages and their states (when using client-side code)
|
213
218
|
Arachni is able to extract and audit the following elements and their inputs:
|
214
219
|
|
215
|
-
|
220
|
+
- Forms
|
216
221
|
- Along with ones that require interaction via a real browser due to DOM events.
|
217
|
-
|
222
|
+
- User-interface Forms
|
218
223
|
- Input and button groups which don't belong to an HTML `<form>` element but
|
219
|
-
|
220
|
-
|
224
|
+
are instead associated via JS code.
|
225
|
+
- User-interface Inputs
|
221
226
|
- Orphan `<input>` elements with associated DOM events.
|
222
|
-
|
227
|
+
- Links
|
223
228
|
- Along with ones that have client-side parameters in their fragment, i.e.:
|
224
|
-
|
229
|
+
`http://example.com/#/?param=val¶m2=val2`
|
225
230
|
- With support for rewrite rules.
|
226
|
-
|
227
|
-
|
231
|
+
- LinkTemplates -- Allowing for extraction of arbitrary inputs from generic paths,
|
232
|
+
based on user-supplied templates -- useful when rewrite rules are not available.
|
228
233
|
- Along with ones that have client-side parameters in their URL fragments, i.e.:
|
229
|
-
|
230
|
-
|
234
|
+
`http://example.com/#/param/val/param2/val2`
|
235
|
+
- Cookies
|
231
236
|
- Also supports nested cookies, containing key-value pairs inside individual cookies.
|
232
|
-
|
233
|
-
|
234
|
-
|
235
|
-
|
236
|
-
|
237
|
+
- Headers
|
238
|
+
- Generic client-side elements which have associated DOM events.
|
239
|
+
- AJAX-request parameters.
|
240
|
+
- JSON request data.
|
241
|
+
- XML request data.
|
237
242
|
|
238
243
|
### Open [distributed architecture](https://github.com/Arachni/arachni/wiki/Distributed-components)
|
239
244
|
|
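Review bot: The fragment example `http://example.com/#/?param=val¶m2=val2` has lost its `&param2` separator: `&para` is being decoded as the pilcrow entity `¶`, so the line reads `¶m2` instead of `&param2`. Check how the README renders on GitHub; if it shows `¶m2` there too, write the ampersand as `&amp;`. The `/#/param/val/param2/val2` example a few lines below is intact and shows what the first one should look like.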
@@ -247,7 +252,7 @@ Both approaches allow you to:
|
|
247
252
|
|
248
253
|
- Remotely monitor and manage scans.
|
249
254
|
- Perform multiple scans at the same time -- Each scan is compartmentalized to
|
250
|
-
|
255
|
+
its own OS process to take advantage of:
|
251
256
|
- Multi-core/SMP architectures.
|
252
257
|
- OS-level scheduling/restrictions.
|
253
258
|
- Sandboxed failure propagation.
|
@@ -261,51 +266,51 @@ Both approaches allow you to:
|
|
261
266
|
- Uses JSON to format messages.
|
262
267
|
- Stateful scan monitoring.
|
263
268
|
- Unique sessions automatically only receive updates when polling for progress,
|
264
|
-
|
269
|
+
rather than full data.
|
265
270
|
|
266
271
|
#### [RPC API](https://github.com/Arachni/arachni/wiki/RPC-API)
|
267
272
|
|
268
273
|
- High-performance/low-bandwidth [communication protocol](https://github.com/Arachni/arachni-rpc).
|
269
274
|
- `MessagePack` serialization for performance, efficiency and ease of
|
270
|
-
|
275
|
+
integration with 3rd party systems.
|
271
276
|
- Grid:
|
272
277
|
- Self-healing.
|
273
278
|
- Scale up/down by hot-plugging/hot-unplugging nodes.
|
274
279
|
- Can scale up infinitely by adding nodes to increase scan capacity.
|
275
280
|
- _(Always-on)_ Load-balancing -- All Instances are automatically provided
|
276
|
-
|
281
|
+
by the least burdened Grid member.
|
277
282
|
- With optional per-scan opt-out/override.
|
278
283
|
- _(Optional)_ High-Performance mode -- Combines the resources of
|
279
|
-
|
284
|
+
multiple nodes to perform multi-Instance scans.
|
280
285
|
- Enabled on a per-scan basis.
|
281
286
|
|
282
287
|
### Scope configuration
|
283
288
|
|
284
|
-
|
285
|
-
|
289
|
+
- Filters for redundant pages like galleries, catalogs, etc. based on regular
|
290
|
+
expressions and counters.
|
286
291
|
- Can optionally detect and ignore redundant pages automatically.
|
287
|
-
|
288
|
-
|
289
|
-
|
290
|
-
|
291
|
-
|
292
|
-
|
293
|
-
|
294
|
-
|
295
|
-
|
296
|
-
|
297
|
-
|
298
|
-
|
292
|
+
- URL exclusion filters using regular expressions.
|
293
|
+
- Page exclusion filters based on content, using regular expressions.
|
294
|
+
- URL inclusion filters using regular expressions.
|
295
|
+
- Can be forced to only follow HTTPS paths and not downgrade to HTTP.
|
296
|
+
- Can optionally follow subdomains.
|
297
|
+
- Adjustable page count limit.
|
298
|
+
- Adjustable redirect limit.
|
299
|
+
- Adjustable directory depth limit.
|
300
|
+
- Adjustable DOM depth limit.
|
301
|
+
- Adjustment using URL-rewrite rules.
|
302
|
+
- Can read paths from multiple user supplied files (to both restrict and extend
|
303
|
+
the scope).
|
299
304
|
|
300
305
|
### Audit
|
301
306
|
|
302
|
-
|
307
|
+
- Can audit:
|
303
308
|
- Forms
|
304
309
|
- Can automatically refresh nonce tokens.
|
305
310
|
- Can submit them via the integrated browser environment.
|
306
|
-
|
311
|
+
- User-interface Forms
|
307
312
|
- Input and button groups which don't belong to an HTML `<form>` element
|
308
|
-
|
313
|
+
but are instead associated via JS code.
|
309
314
|
- User-interface Inputs
|
310
315
|
- Orphan `<input>` elements with associated DOM events.
|
311
316
|
- Links
|
@@ -318,13 +323,13 @@ Both approaches allow you to:
|
|
318
323
|
- Generic client-side DOM elements.
|
319
324
|
- JSON request data.
|
320
325
|
- XML request data.
|
321
|
-
|
322
|
-
|
323
|
-
|
324
|
-
|
325
|
-
|
326
|
-
|
327
|
-
|
326
|
+
- Can ignore binary/non-text pages.
|
327
|
+
- Can audit elements using both `GET` and `POST` HTTP methods.
|
328
|
+
- Can inject both raw and HTTP encoded payloads.
|
329
|
+
- Can submit all links and forms of the page along with the cookie
|
330
|
+
permutations to provide extensive cookie-audit coverage.
|
331
|
+
- Can exclude specific input vectors by name.
|
332
|
+
- Can include specific input vectors by name.
|
328
333
|
|
329
334
|
### Components
|
330
335
|
|
@@ -515,7 +520,7 @@ Passive checks look for the existence of files, folders and signatures.
|
|
515
520
|
|
516
521
|
- Standard output
|
517
522
|
- [HTML](http://www.arachni-scanner.com/reports/report.html/)
|
518
|
-
|
523
|
+
([zip](http://www.arachni-scanner.com/reports/report.html.zip)) (`html`).
|
519
524
|
- [XML](http://www.arachni-scanner.com/reports/report.xml) (`xml`).
|
520
525
|
- [Text](http://www.arachni-scanner.com/reports/report.txt) (`text`).
|
521
526
|
- [JSON](http://www.arachni-scanner.com/reports/report.json) (`json`)
|
@@ -530,32 +535,32 @@ Plugins add extra functionality to the system in a modular fashion, this way the
|
|
530
535
|
core remains lean and makes it easy for anyone to add arbitrary functionality.
|
531
536
|
|
532
537
|
- Passive Proxy (`proxy`) -- Analyzes requests and responses between the web app and
|
533
|
-
|
538
|
+
the browser assisting in AJAX audits, logging-in and/or restricting the scope of the audit.
|
534
539
|
- Form based login (`autologin`).
|
535
540
|
- Script based login (`login_script`).
|
536
541
|
- Dictionary attacker for HTTP Auth (`http_dicattack`).
|
537
542
|
- Dictionary attacker for form based authentication (`form_dicattack`).
|
538
543
|
- Cookie collector (`cookie_collector`) -- Keeps track of cookies while establishing a timeline of changes.
|
539
544
|
- WAF (Web Application Firewall) Detector (`waf_detector`) -- Establishes a baseline of
|
540
|
-
|
545
|
+
normal behavior and uses rDiff analysis to determine if malicious inputs cause any behavioral changes.
|
541
546
|
- BeepNotify (`beep_notify`) -- Beeps when the scan finishes.
|
542
547
|
- EmailNotify (`email_notify`) -- Sends a notification (and optionally a report) over SMTP at
|
543
|
-
|
548
|
+
the end of the scan.
|
544
549
|
- VectorFeed (`vector_feed`) -- Reads in vector data from which it creates elements to be
|
545
|
-
|
546
|
-
|
550
|
+
audited. Can be used to perform extremely specialized/narrow audits on a per vector/element basis.
|
551
|
+
Useful for unit-testing or a gazillion other things.
|
547
552
|
- Script (`script`) -- Loads and runs an external Ruby script under the scope of a plugin,
|
548
|
-
|
553
|
+
used for debugging and general hackery.
|
549
554
|
- Uncommon headers (`uncommon_headers`) -- Logs uncommon headers.
|
550
555
|
- Content-types (`content_types`) -- Logs content-types of server responses aiding in the
|
551
|
-
|
556
|
+
identification of interesting (possibly leaked) files.
|
552
557
|
- Vector collector (`vector_collector`) -- Collects information about all seen input vectors
|
553
|
-
|
558
|
+
which are within the scan scope.
|
554
559
|
- Headers collector (`headers_collector`) -- Collects response headers based on specified criteria.
|
555
560
|
- Exec (`exec`) -- Calls external executables at different scan stages.
|
556
561
|
- Metrics (`metrics`) -- Captures metrics about multiple aspects of the scan and the web application.
|
557
562
|
- Restrict to DOM state (`restrict_to_dom_state`) -- Restricts the audit to a single page's DOM
|
558
|
-
|
563
|
+
state, based on a URL fragment.
|
559
564
|
- Webhook notify (`webhook_notify`) -- Sends a webhook payload over HTTP at the end of the scan.
|
560
565
|
- Rate limiter (`rate_limiter`) -- Rate limits HTTP requests.
|
561
566
|
- Page dump (`page_dump`) -- Dumps page data to disk as YAML.
|
@@ -565,7 +570,7 @@ core remains lean and makes it easy for anyone to add arbitrary functionality.
|
|
565
570
|
Default plugins will run for every scan and are placed under `/plugins/defaults/`.
|
566
571
|
|
567
572
|
- AutoThrottle (`autothrottle`) -- Dynamically adjusts HTTP throughput during the scan for
|
568
|
-
|
573
|
+
maximum bandwidth utilization.
|
569
574
|
- Healthmap (`healthmap`) -- Generates sitemap showing the health of each crawled/audited URL
|
570
575
|
|
571
576
|
###### Meta
|
@@ -574,12 +579,12 @@ Plugins under `/plugins/defaults/meta/` perform analysis on the scan results
|
|
574
579
|
to determine trustworthiness or just add context information or general insights.
|
575
580
|
|
576
581
|
- TimingAttacks (`timing_attacks`) -- Provides a notice for issues uncovered by timing attacks
|
577
|
-
|
578
|
-
|
582
|
+
when the affected audited pages returned unusually high response times to begin with.
|
583
|
+
It also points out the danger of DoS attacks against pages that perform heavy-duty processing.
|
579
584
|
- Discovery (`discovery`) -- Performs anomaly detection on issues logged by discovery
|
580
|
-
|
585
|
+
checks and warns of the possibility of false positives where applicable.
|
581
586
|
- Uniformity (`uniformity`) -- Reports inputs that are uniformly vulnerable across a number
|
582
|
-
|
587
|
+
of pages hinting to the lack of a central point of input sanitization.
|
583
588
|
|
584
589
|
### Trainer subsystem
|
585
590
|
|
@@ -629,10 +634,10 @@ need to follow in order to contribute code:
|
|
629
634
|
|
630
635
|
* Fork the project.
|
631
636
|
* Start a feature branch based on the [experimental](https://github.com/Arachni/arachni/tree/experimental)
|
632
|
-
|
637
|
+
branch (`git checkout -b <feature-name> experimental`).
|
633
638
|
* Add specs for your code.
|
634
639
|
* Run the spec suite to make sure you didn't break anything (`rake spec:core`
|
635
|
-
|
640
|
+
for the core libs or `rake spec` for everything).
|
636
641
|
* Commit and push your changes.
|
637
642
|
* Issue a pull request and wait for your code to be reviewed.
|
638
643
|
|
data/arachni.gemspec
CHANGED
@@ -77,8 +77,8 @@ Gem::Specification.new do |s|
|
|
77
77
|
s.add_dependency 'puma', '>= 4.3.9'
|
78
78
|
|
79
79
|
# REST API
|
80
|
-
s.add_dependency 'sinatra', '2.
|
81
|
-
s.add_dependency 'sinatra-contrib', '2.
|
80
|
+
s.add_dependency 'sinatra', '2.2.0'
|
81
|
+
s.add_dependency 'sinatra-contrib', '2.2.0'
|
82
82
|
|
83
83
|
# RPC client/server implementation.
|
84
84
|
s.add_dependency 'arachni-rpc', '~> 0.2.1.4'
|
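Review bot: Pinning `sinatra` and `sinatra-contrib` to the exact version `'2.2.0'` means future Sinatra patch releases, including security fixes, cannot be picked up without another Arachni release; `puma` just above uses `'>= 4.3.9'`. A pessimistic constraint such as `'~> 2.2.0'` would allow patch-level updates while still excluding 2.3 and 3.x. Whatever constraint is chosen, keep it identical on both gems, as this hunk does, so they stay in lockstep.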
data/components/plugins/exec.rb
CHANGED
@@ -51,7 +51,7 @@ class Arachni::Plugins::Exec < Arachni::Plugin::Base
|
|
51
51
|
end
|
52
52
|
|
53
53
|
def exec( stage )
|
54
|
-
return if
|
54
|
+
return if options[stage].to_s.empty?
|
55
55
|
|
56
56
|
if defined?( Arachni::RPC::Server::Framework ) &&
|
57
57
|
framework.is_a?( Arachni::RPC::Server::Framework )
|
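Review bot: `return if options[stage].to_s.empty?` covers both a missing (`nil`) option and an empty string, which is the empty-option error the changelog mentions. A value that is only whitespace still falls through and is handed to whatever runs the executable below; `options[stage].to_s.strip.empty?` would skip that case as well. A spec that sets the stage option to `nil`, `''` and `'  '` and asserts that `exec` returns without invoking anything would pin the behaviour down.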
@@ -135,7 +135,7 @@ Will result in:
|
|
135
135
|
_Will not work over RPC._
|
136
136
|
},
|
137
137
|
author: 'Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>',
|
138
|
-
version: '0.1',
|
138
|
+
version: '0.1.1',
|
139
139
|
options: [
|
140
140
|
Options::String.new( :pre,
|
141
141
|
description: 'Executable to be called prior to the scan.'
|
@@ -38,6 +38,12 @@
|
|
38
38
|
</h1>
|
39
39
|
</div>
|
40
40
|
|
41
|
+
<div id="scnr-alert" class="alert alert-info">
|
42
|
+
Arachni is heading towards obsolescence, try out its
|
43
|
+
next-gen successor <a href="https://www.ecsypno.com/">Ecsypno</a>
|
44
|
+
<a href="https://ecsypno.com/scnr-documentation/">SCNR</a>!
|
45
|
+
</div>
|
46
|
+
|
41
47
|
<div class="tab-content">
|
42
48
|
<div class="tab-pane active" id="summary">
|
43
49
|
<%= erb :summary %>
|
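Review bot: This hunk has no file header in the rendering; judging by the file list it is data/components/reporters/html/default.erb, and the companion data/components/reporters/html/default/css/main.css change (+4) is not shown at all, so the `#scnr-alert` styling cannot be reviewed here. The notice itself is static markup with fixed https links and interpolates no report data, so it adds no new templating surface to the HTML report.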
@@ -154,6 +154,11 @@ class Arachni::Reporters::Stdout < Arachni::Reporter::Base
|
|
154
154
|
print_info "Description: #{report.plugins[name][:description]}"
|
155
155
|
print_line
|
156
156
|
end
|
157
|
+
|
158
|
+
print_line
|
159
|
+
print_info "Arachni is heading towards obsolescence, try out its next-gen successor Ecsypno SCNR:"
|
160
|
+
print_info " https://ecsypno.com/"
|
161
|
+
|
157
162
|
end
|
158
163
|
|
159
164
|
def print_info_issue_details( issue )
|
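Review bot: The stdout notice links to `https://ecsypno.com/` while the README, CHANGELOG and HTML report link to `https://www.ecsypno.com/`; pick one host so the pointer is consistent across reporters. As with the previous hunk, the file header is missing from this rendering; the file list identifies it as data/components/reporters/stdout.rb.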
data/lib/arachni/browser.rb
CHANGED
@@ -1108,6 +1108,7 @@ class Browser
|
|
1108
1108
|
'--disable-web-security',
|
1109
1109
|
'--reduce-security-for-testing',
|
1110
1110
|
'--ignore-certificate-errors',
|
1111
|
+
'--no-sandbox',
|
1111
1112
|
'--disable-plugins',
|
1112
1113
|
"--user-data-dir=#{dir}",
|
1113
1114
|
"--proxy-server=#{proxy_uri.host}:#{proxy_uri.port}",
|
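Review bot: Adding `'--no-sandbox'` disables Chrome's process sandbox, so JavaScript from the scanned site now runs with no OS-level isolation from the account running Arachni; combined with the existing `--disable-web-security`, `--reduce-security-for-testing` and `--ignore-certificate-errors` flags, a renderer exploit served by a scanned target would execute with the scanner's privileges. Because the flag is unconditional, state it plainly in the changelog and recommend running the scanner as an unprivileged user or inside a container; better still, make it an option so it is only set in environments (typically root inside Docker) where the sandbox cannot start.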
data/lib/version
CHANGED
@@ -1 +1 @@
|
|
1
|
-
1.6.
|
1
|
+
1.6.1.2
|