arachni 1.6.0 → 1.6.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +109 -109
- data/lib/arachni/browser.rb +1 -0
- data/lib/version +1 -1
- metadata +519 -519
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: bf786db138bf57e440712a7fab2a8b4cd4fb97f1e908a5ec29a41889daec526f
|
4
|
+
data.tar.gz: 7485ca9d6093da52bd4d5d8f6c139a6fa4305719cbd518af4d37455a84ebd723
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f7ce0f442dd3dfc68dba6eb331703ec75cc5d57021b5cb2daee5acd6050fa8f9249bfcdb4b697fc5fe9f48bdf2c34530c4b4af4bed5e69455b78f070d36520ff
|
7
|
+
data.tar.gz: 73392cf4dd5ea8e2fbd183beb6b7ef41331313e79fdfdc2c5c06012f6ec935c1bb82a065c16b9437e268a0cecf827f92b89b5a50914d2ef93adae931403b1d7c
|
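Review bot: both the SHA256 and SHA512 entries for metadata.gz and data.tar.gz are replaced, which is what a rebuilt gem should produce, but the previous values render as empty lines in this view, so the old-to-new change cannot be compared here; anyone pinning the 1.6.0 checksums should take the 1.6.1 values from the published gem rather than from this rendering.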
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
@@ -3,7 +3,7 @@
|
|
3
3
|
<table>
|
4
4
|
<tr>
|
5
5
|
<th>Version</th>
|
6
|
-
<td>1.6.
|
6
|
+
<td>1.6.1</td>
|
7
7
|
</tr>
|
8
8
|
<tr>
|
9
9
|
<th>Homepage</th>
|
@@ -112,27 +112,27 @@ you with its findings.
|
|
112
112
|
|
113
113
|
### General
|
114
114
|
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
|
122
|
-
|
123
|
-
|
124
|
-
|
125
|
-
|
115
|
+
- Cookie-jar/cookie-string support.
|
116
|
+
- Custom header support.
|
117
|
+
- SSL support with fine-grained options.
|
118
|
+
- User Agent spoofing.
|
119
|
+
- Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
|
120
|
+
- Proxy authentication.
|
121
|
+
- Site authentication (SSL-based, form-based, Cookie-Jar, Basic-Digest, NTLMv1, Kerberos and others).
|
122
|
+
- Automatic log-out detection and re-login during the scan (when the initial
|
123
|
+
login was performed via the `autologin`, `login_script` or `proxy` plugins).
|
124
|
+
- Custom 404 page detection.
|
125
|
+
- UI abstraction:
|
126
126
|
- [Command-line Interface](https://github.com/Arachni/arachni/wiki/Executables).
|
127
127
|
- [Web User Interface](https://github.com/Arachni/arachni-ui-web).
|
128
|
-
|
129
|
-
|
130
|
-
|
128
|
+
- Pause/resume functionality.
|
129
|
+
- Hibernation support -- Suspend to and restore from disk.
|
130
|
+
- High performance asynchronous HTTP requests.
|
131
131
|
- With adjustable concurrency.
|
132
132
|
- With the ability to auto-detect server health and adjust its concurrency
|
133
|
-
|
134
|
-
|
135
|
-
|
133
|
+
automatically.
|
134
|
+
- Support for custom default input values, using pairs of patterns (to be matched
|
135
|
+
against input names) and values to be used to fill in matching inputs.
|
136
136
|
|
137
137
|
### Integrated browser environment
|
138
138
|
|
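Review bot: every removed line in this hunk renders as a blank `-` line while every added line carries the full feature text, and the file summary reports +109 -109 for README.md, which points to a line-ending or trailing-whitespace rewrite rather than a wording change; please confirm with a whitespace-insensitive diff (`git diff -w`) that nothing in the feature list actually changed, since an inflated diff hides any real edit to the documented defaults.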
@@ -155,27 +155,27 @@ with a great deal of information regarding the state of the page at the time.
|
|
155
155
|
|
156
156
|
Relevant information include:
|
157
157
|
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
|
162
|
-
|
163
|
-
|
164
|
-
|
165
|
-
|
166
|
-
|
167
|
-
|
168
|
-
|
169
|
-
|
170
|
-
|
171
|
-
|
172
|
-
|
173
|
-
|
174
|
-
|
175
|
-
|
176
|
-
|
177
|
-
|
178
|
-
|
158
|
+
- Page DOM, as HTML code.
|
159
|
+
- With a list of DOM transitions required to restore the state of the
|
160
|
+
page to the one at the time it was logged.
|
161
|
+
- Original DOM (i.e. prior to the action that caused the page to be logged),
|
162
|
+
as HTML code.
|
163
|
+
- With a list of DOM transitions.
|
164
|
+
- Data-flow sinks -- Each sink is a JS method which received a tainted argument.
|
165
|
+
- Parent object of the method (ex.: `DOMWindow`).
|
166
|
+
- Method signature (ex.: `decodeURIComponent()`).
|
167
|
+
- Arguments list.
|
168
|
+
- With the identified taint located recursively in the included objects.
|
169
|
+
- Method source code.
|
170
|
+
- JS stacktrace.
|
171
|
+
- Execution flow sinks -- Each sink is a successfully executed JS payload,
|
172
|
+
as injected by the security checks.
|
173
|
+
- Includes a JS stacktrace.
|
174
|
+
- JavaScript stack-traces include:
|
175
|
+
- Method names.
|
176
|
+
- Method locations.
|
177
|
+
- Method source codes.
|
178
|
+
- Argument lists.
|
179
179
|
|
180
180
|
In essence, you have access to roughly the same information that your favorite
|
181
181
|
debugger (for example, FireBug) would provide, as if you had set a breakpoint to
|
@@ -189,15 +189,15 @@ consuming in a high-performance fashion.
|
|
189
189
|
|
190
190
|
Configuration options include:
|
191
191
|
|
192
|
-
|
193
|
-
|
194
|
-
|
195
|
-
|
196
|
-
|
197
|
-
|
198
|
-
|
199
|
-
|
200
|
-
|
192
|
+
- Adjustable pool-size, i.e. the amount of browser workers to utilize.
|
193
|
+
- Timeout for each job.
|
194
|
+
- Worker TTL counted in jobs -- Workers which exceed the TTL have their browser
|
195
|
+
process respawned.
|
196
|
+
- Ability to disable loading images.
|
197
|
+
- Adjustable screen width and height.
|
198
|
+
- Can be used to analyze responsive and mobile applications.
|
199
|
+
- Ability to wait until certain elements appear in the page.
|
200
|
+
- Configurable local storage data.
|
201
201
|
|
202
202
|
### Coverage
|
203
203
|
|
@@ -212,28 +212,28 @@ order to provide coverage for a full set of possible scenarios.
|
|
212
212
|
By inspecting all possible pages and their states (when using client-side code)
|
213
213
|
Arachni is able to extract and audit the following elements and their inputs:
|
214
214
|
|
215
|
-
|
215
|
+
- Forms
|
216
216
|
- Along with ones that require interaction via a real browser due to DOM events.
|
217
|
-
|
217
|
+
- User-interface Forms
|
218
218
|
- Input and button groups which don't belong to an HTML `<form>` element but
|
219
|
-
|
220
|
-
|
219
|
+
are instead associated via JS code.
|
220
|
+
- User-interface Inputs
|
221
221
|
- Orphan `<input>` elements with associated DOM events.
|
222
|
-
|
222
|
+
- Links
|
223
223
|
- Along with ones that have client-side parameters in their fragment, i.e.:
|
224
|
-
|
224
|
+
`http://example.com/#/?param=val¶m2=val2`
|
225
225
|
- With support for rewrite rules.
|
226
|
-
|
227
|
-
|
226
|
+
- LinkTemplates -- Allowing for extraction of arbitrary inputs from generic paths,
|
227
|
+
based on user-supplied templates -- useful when rewrite rules are not available.
|
228
228
|
- Along with ones that have client-side parameters in their URL fragments, i.e.:
|
229
|
-
|
230
|
-
|
229
|
+
`http://example.com/#/param/val/param2/val2`
|
230
|
+
- Cookies
|
231
231
|
- Also supports nested cookies, containing key-value pairs inside individual cookies.
|
232
|
-
|
233
|
-
|
234
|
-
|
235
|
-
|
236
|
-
|
232
|
+
- Headers
|
233
|
+
- Generic client-side elements which have associated DOM events.
|
234
|
+
- AJAX-request parameters.
|
235
|
+
- JSON request data.
|
236
|
+
- XML request data.
|
237
237
|
|
238
238
|
### Open [distributed architecture](https://github.com/Arachni/arachni/wiki/Distributed-components)
|
239
239
|
|
@@ -247,7 +247,7 @@ Both approaches allow you to:
|
|
247
247
|
|
248
248
|
- Remotely monitor and manage scans.
|
249
249
|
- Perform multiple scans at the same time -- Each scan is compartmentalized to
|
250
|
-
|
250
|
+
its own OS process to take advantage of:
|
251
251
|
- Multi-core/SMP architectures.
|
252
252
|
- OS-level scheduling/restrictions.
|
253
253
|
- Sandboxed failure propagation.
|
@@ -261,51 +261,51 @@ Both approaches allow you to:
|
|
261
261
|
- Uses JSON to format messages.
|
262
262
|
- Stateful scan monitoring.
|
263
263
|
- Unique sessions automatically only receive updates when polling for progress,
|
264
|
-
|
264
|
+
rather than full data.
|
265
265
|
|
266
266
|
#### [RPC API](https://github.com/Arachni/arachni/wiki/RPC-API)
|
267
267
|
|
268
268
|
- High-performance/low-bandwidth [communication protocol](https://github.com/Arachni/arachni-rpc).
|
269
269
|
- `MessagePack` serialization for performance, efficiency and ease of
|
270
|
-
|
270
|
+
integration with 3rd party systems.
|
271
271
|
- Grid:
|
272
272
|
- Self-healing.
|
273
273
|
- Scale up/down by hot-plugging/hot-unplugging nodes.
|
274
274
|
- Can scale up infinitely by adding nodes to increase scan capacity.
|
275
275
|
- _(Always-on)_ Load-balancing -- All Instances are automatically provided
|
276
|
-
|
276
|
+
by the least burdened Grid member.
|
277
277
|
- With optional per-scan opt-out/override.
|
278
278
|
- _(Optional)_ High-Performance mode -- Combines the resources of
|
279
|
-
|
279
|
+
multiple nodes to perform multi-Instance scans.
|
280
280
|
- Enabled on a per-scan basis.
|
281
281
|
|
282
282
|
### Scope configuration
|
283
283
|
|
284
|
-
|
285
|
-
|
284
|
+
- Filters for redundant pages like galleries, catalogs, etc. based on regular
|
285
|
+
expressions and counters.
|
286
286
|
- Can optionally detect and ignore redundant pages automatically.
|
287
|
-
|
288
|
-
|
289
|
-
|
290
|
-
|
291
|
-
|
292
|
-
|
293
|
-
|
294
|
-
|
295
|
-
|
296
|
-
|
297
|
-
|
298
|
-
|
287
|
+
- URL exclusion filters using regular expressions.
|
288
|
+
- Page exclusion filters based on content, using regular expressions.
|
289
|
+
- URL inclusion filters using regular expressions.
|
290
|
+
- Can be forced to only follow HTTPS paths and not downgrade to HTTP.
|
291
|
+
- Can optionally follow subdomains.
|
292
|
+
- Adjustable page count limit.
|
293
|
+
- Adjustable redirect limit.
|
294
|
+
- Adjustable directory depth limit.
|
295
|
+
- Adjustable DOM depth limit.
|
296
|
+
- Adjustment using URL-rewrite rules.
|
297
|
+
- Can read paths from multiple user supplied files (to both restrict and extend
|
298
|
+
the scope).
|
299
299
|
|
300
300
|
### Audit
|
301
301
|
|
302
|
-
|
302
|
+
- Can audit:
|
303
303
|
- Forms
|
304
304
|
- Can automatically refresh nonce tokens.
|
305
305
|
- Can submit them via the integrated browser environment.
|
306
|
-
|
306
|
+
- User-interface Forms
|
307
307
|
- Input and button groups which don't belong to an HTML `<form>` element
|
308
|
-
|
308
|
+
but are instead associated via JS code.
|
309
309
|
- User-interface Inputs
|
310
310
|
- Orphan `<input>` elements with associated DOM events.
|
311
311
|
- Links
|
@@ -318,13 +318,13 @@ Both approaches allow you to:
|
|
318
318
|
- Generic client-side DOM elements.
|
319
319
|
- JSON request data.
|
320
320
|
- XML request data.
|
321
|
-
|
322
|
-
|
323
|
-
|
324
|
-
|
325
|
-
|
326
|
-
|
327
|
-
|
321
|
+
- Can ignore binary/non-text pages.
|
322
|
+
- Can audit elements using both `GET` and `POST` HTTP methods.
|
323
|
+
- Can inject both raw and HTTP encoded payloads.
|
324
|
+
- Can submit all links and forms of the page along with the cookie
|
325
|
+
permutations to provide extensive cookie-audit coverage.
|
326
|
+
- Can exclude specific input vectors by name.
|
327
|
+
- Can include specific input vectors by name.
|
328
328
|
|
329
329
|
### Components
|
330
330
|
|
@@ -515,7 +515,7 @@ Passive checks look for the existence of files, folders and signatures.
|
|
515
515
|
|
516
516
|
- Standard output
|
517
517
|
- [HTML](http://www.arachni-scanner.com/reports/report.html/)
|
518
|
-
|
518
|
+
([zip](http://www.arachni-scanner.com/reports/report.html.zip)) (`html`).
|
519
519
|
- [XML](http://www.arachni-scanner.com/reports/report.xml) (`xml`).
|
520
520
|
- [Text](http://www.arachni-scanner.com/reports/report.txt) (`text`).
|
521
521
|
- [JSON](http://www.arachni-scanner.com/reports/report.json) (`json`)
|
@@ -530,32 +530,32 @@ Plugins add extra functionality to the system in a modular fashion, this way the
|
|
530
530
|
core remains lean and makes it easy for anyone to add arbitrary functionality.
|
531
531
|
|
532
532
|
- Passive Proxy (`proxy`) -- Analyzes requests and responses between the web app and
|
533
|
-
|
533
|
+
the browser assisting in AJAX audits, logging-in and/or restricting the scope of the audit.
|
534
534
|
- Form based login (`autologin`).
|
535
535
|
- Script based login (`login_script`).
|
536
536
|
- Dictionary attacker for HTTP Auth (`http_dicattack`).
|
537
537
|
- Dictionary attacker for form based authentication (`form_dicattack`).
|
538
538
|
- Cookie collector (`cookie_collector`) -- Keeps track of cookies while establishing a timeline of changes.
|
539
539
|
- WAF (Web Application Firewall) Detector (`waf_detector`) -- Establishes a baseline of
|
540
|
-
|
540
|
+
normal behavior and uses rDiff analysis to determine if malicious inputs cause any behavioral changes.
|
541
541
|
- BeepNotify (`beep_notify`) -- Beeps when the scan finishes.
|
542
542
|
- EmailNotify (`email_notify`) -- Sends a notification (and optionally a report) over SMTP at
|
543
|
-
|
543
|
+
the end of the scan.
|
544
544
|
- VectorFeed (`vector_feed`) -- Reads in vector data from which it creates elements to be
|
545
|
-
|
546
|
-
|
545
|
+
audited. Can be used to perform extremely specialized/narrow audits on a per vector/element basis.
|
546
|
+
Useful for unit-testing or a gazillion other things.
|
547
547
|
- Script (`script`) -- Loads and runs an external Ruby script under the scope of a plugin,
|
548
|
-
|
548
|
+
used for debugging and general hackery.
|
549
549
|
- Uncommon headers (`uncommon_headers`) -- Logs uncommon headers.
|
550
550
|
- Content-types (`content_types`) -- Logs content-types of server responses aiding in the
|
551
|
-
|
551
|
+
identification of interesting (possibly leaked) files.
|
552
552
|
- Vector collector (`vector_collector`) -- Collects information about all seen input vectors
|
553
|
-
|
553
|
+
which are within the scan scope.
|
554
554
|
- Headers collector (`headers_collector`) -- Collects response headers based on specified criteria.
|
555
555
|
- Exec (`exec`) -- Calls external executables at different scan stages.
|
556
556
|
- Metrics (`metrics`) -- Captures metrics about multiple aspects of the scan and the web application.
|
557
557
|
- Restrict to DOM state (`restrict_to_dom_state`) -- Restricts the audit to a single page's DOM
|
558
|
-
|
558
|
+
state, based on a URL fragment.
|
559
559
|
- Webhook notify (`webhook_notify`) -- Sends a webhook payload over HTTP at the end of the scan.
|
560
560
|
- Rate limiter (`rate_limiter`) -- Rate limits HTTP requests.
|
561
561
|
- Page dump (`page_dump`) -- Dumps page data to disk as YAML.
|
@@ -565,7 +565,7 @@ core remains lean and makes it easy for anyone to add arbitrary functionality.
|
|
565
565
|
Default plugins will run for every scan and are placed under `/plugins/defaults/`.
|
566
566
|
|
567
567
|
- AutoThrottle (`autothrottle`) -- Dynamically adjusts HTTP throughput during the scan for
|
568
|
-
|
568
|
+
maximum bandwidth utilization.
|
569
569
|
- Healthmap (`healthmap`) -- Generates sitemap showing the health of each crawled/audited URL
|
570
570
|
|
571
571
|
###### Meta
|
@@ -574,12 +574,12 @@ Plugins under `/plugins/defaults/meta/` perform analysis on the scan results
|
|
574
574
|
to determine trustworthiness or just add context information or general insights.
|
575
575
|
|
576
576
|
- TimingAttacks (`timing_attacks`) -- Provides a notice for issues uncovered by timing attacks
|
577
|
-
|
578
|
-
|
577
|
+
when the affected audited pages returned unusually high response times to begin with.
|
578
|
+
It also points out the danger of DoS attacks against pages that perform heavy-duty processing.
|
579
579
|
- Discovery (`discovery`) -- Performs anomaly detection on issues logged by discovery
|
580
|
-
|
580
|
+
checks and warns of the possibility of false positives where applicable.
|
581
581
|
- Uniformity (`uniformity`) -- Reports inputs that are uniformly vulnerable across a number
|
582
|
-
|
582
|
+
of pages hinting to the lack of a central point of input sanitization.
|
583
583
|
|
584
584
|
### Trainer subsystem
|
585
585
|
|
@@ -629,10 +629,10 @@ need to follow in order to contribute code:
|
|
629
629
|
|
630
630
|
* Fork the project.
|
631
631
|
* Start a feature branch based on the [experimental](https://github.com/Arachni/arachni/tree/experimental)
|
632
|
-
|
632
|
+
branch (`git checkout -b <feature-name> experimental`).
|
633
633
|
* Add specs for your code.
|
634
634
|
* Run the spec suite to make sure you didn't break anything (`rake spec:core`
|
635
|
-
|
635
|
+
for the core libs or `rake spec` for everything).
|
636
636
|
* Commit and push your changes.
|
637
637
|
* Issue a pull request and wait for your code to be reviewed.
|
638
638
|
|
data/lib/arachni/browser.rb
CHANGED
@@ -1108,6 +1108,7 @@ class Browser
|
|
1108
1108
|
'--disable-web-security',
|
1109
1109
|
'--reduce-security-for-testing',
|
1110
1110
|
'--ignore-certificate-errors',
|
1111
|
+
'--no-sandbox',
|
1111
1112
|
'--disable-plugins',
|
1112
1113
|
"--user-data-dir=#{dir}",
|
1113
1114
|
"--proxy-server=#{proxy_uri.host}:#{proxy_uri.port}",
|
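Review bot: adding `'--no-sandbox'` to this Chrome flag list turns off Chrome's process sandbox for the browser the scanner drives, and it now sits next to `'--disable-web-security'`, `'--reduce-security-for-testing'` and `'--ignore-certificate-errors'`, so the browser that loads and executes scanned pages' JavaScript has neither site isolation nor OS-level containment. The hunk adds the flag unconditionally and nothing in the visible change documents why; suggest making it opt-in (enabled only where the sandbox cannot start, for example when running as root inside a container), noting it in the CHANGELOG entry this release adds (+4 lines, not rendered here), and stating in the README that the scanner should run as an unprivileged user or inside a container that supplies its own isolation when this flag is in effect.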
data/lib/version
CHANGED
@@ -1 +1 @@
|
|
1
|
-
1.6.
|
1
|
+
1.6.1
|
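Review bot: the bump to `1.6.1` matches the Version cell changed in README.md, so the two are consistent; the old line renders truncated as `1.6.` here, which is a display artifact of this view rather than a defect in the file.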