This project is no longer maintained, for details please read: https://www.arachni-scanner.com/blog/arachni-is-no-longer-maintained/
|Author||Tasos Laskos (@Zap0tek)|
|Copyright||2010-2017 Sarosys LLC|
|License||Arachni Public Source License v1.0 - (see LICENSE file)|
Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.
It is smart, it trains itself by monitoring and learning from the web application's behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false-positives.
Unlike other scanners, it takes into account the dynamic nature of web applications, can detect changes caused while travelling through the paths of a web application’s cyclomatic complexity and is able to adjust itself accordingly. This way, attack/input vectors that would otherwise be undetectable by non-humans can be handled seamlessly.
Finally, it is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.
Note: Despite the fact that Arachni is mostly targeted towards web application security, it can easily be used for general purpose scraping, data-mining, etc. with the addition of custom components.
plugin developers are allowed to easily and quickly create and
deploy their components with the minimum amount of restrictions imposed upon them,
while provided with the necessary infrastructure to accomplish their goals.
Furthermore, they are encouraged to take full advantage of the Ruby language under a unified framework that will increase their productivity without stifling them or complicating their tasks.
Moreover, that same framework can be utilized as any other Ruby library and lead to the development of brand new scanners or help you create highly customized scan/audit scenarios and/or scripted scans.
Although some parts of the Framework are fairly complex you will never have to deal them directly. From a user’s or a component developer’s point of view everything appears simple and straight-forward all the while providing power, performance and flexibility.
From the simple command-line utility scanner to the intuitive and user-friendly Web interface and collaboration platform, Arachni follows the principle of least surprise and provides you with plenty of feedback and guidance.
Arachni is designed to automatically detect security issues in web applications. All it expects is the URL of the target website and after a while it will present you with its findings.
Relevant information include:
In essence, you have access to roughly the same information that your favorite debugger (for example, FireBug) would provide, as if you had set a breakpoint to take place at the right time for identifying an issue.
The browser-cluster is what coordinates the browser analysis of resources and allows the system to perform operations which would normally be quite time consuming in a high-performance fashion.
Configuration options include:
In addition to that, it also knows about which browser state changes the application has been programmed to handle and is able to trigger them programatically in order to provide coverage for a full set of possible scenarios.
By inspecting all possible pages and their states (when using client-side code) Arachni is able to extract and audit the following elements and their inputs:
<form>element but are instead associated via JS code.
<input>elements with associated DOM events.
Arachni is designed to fit into your workflow and easily integrate with your existing infrastructure.
Depending on the level of control you require over the process, you can either choose the REST service or the custom RPC protocol.
Both approaches allow you to:
MessagePackserialization for performance, efficiency and ease of integration with 3rd party systems.
<form>element but are instead associated via JS code.
<input>elements with associated DOM events.
Arachni is a highly modular system, employing several components of distinct types to perform its duties.
In addition to enabling or disabling the bundled components so as to adjust the system's behavior and features as needed, functionality can be extended via the addition of user-created components to suit almost every need.
In order to make efficient use of the available bandwidth, Arachni performs rudimentary platform fingerprinting and tailors the audit process to the server-side deployed technologies by only using applicable payloads.
Currently, the following platforms can be identified:
The user also has the option of specifying extra platforms (like a DB server) in order to help the system be as efficient as possible. Alternatively, fingerprinting can be disabled altogether.
Finally, Arachni will always err on the side of caution and send all available payloads when it fails to identify specific platforms.
Checks are system components which perform security checks and log issues.
Active checks engage the web application via its inputs.
sql_injection) -- Error based detection.
no_sql_injection) -- Error based vulnerability detection.
Passive checks look for the existence of files, folders and signatures.
Strict-Transport-Securityheaders for HTTPS sites (
Plugins add extra functionality to the system in a modular fashion, this way the core remains lean and makes it easy for anyone to add arbitrary functionality.
proxy) -- Analyzes requests and responses between the web app and the browser assisting in AJAX audits, logging-in and/or restricting the scope of the audit.
cookie_collector) -- Keeps track of cookies while establishing a timeline of changes.
waf_detector) -- Establishes a baseline of normal behavior and uses rDiff analysis to determine if malicious inputs cause any behavioral changes.
beep_notify) -- Beeps when the scan finishes.
email_notify) -- Sends a notification (and optionally a report) over SMTP at the end of the scan.
vector_feed) -- Reads in vector data from which it creates elements to be audited. Can be used to perform extremely specialized/narrow audits on a per vector/element basis. Useful for unit-testing or a gazillion other things.
script) -- Loads and runs an external Ruby script under the scope of a plugin, used for debugging and general hackery.
uncommon_headers) -- Logs uncommon headers.
content_types) -- Logs content-types of server responses aiding in the identification of interesting (possibly leaked) files.
vector_collector) -- Collects information about all seen input vectors which are within the scan scope.
headers_collector) -- Collects response headers based on specified criteria.
exec) -- Calls external executables at different scan stages.
metrics) -- Captures metrics about multiple aspects of the scan and the web application.
restrict_to_dom_state) -- Restricts the audit to a single page's DOM state, based on a URL fragment.
webhook_notify) -- Sends a webhook payload over HTTP at the end of the scan.
rate_limiter) -- Rate limits HTTP requests.
page_dump) -- Dumps page data to disk as YAML.
Default plugins will run for every scan and are placed under
autothrottle) -- Dynamically adjusts HTTP throughput during the scan for maximum bandwidth utilization.
healthmap) -- Generates sitemap showing the health of each crawled/audited URL
/plugins/defaults/meta/ perform analysis on the scan results
to determine trustworthiness or just add context information or general insights.
timing_attacks) -- Provides a notice for issues uncovered by timing attacks when the affected audited pages returned unusually high response times to begin with. It also points out the danger of DoS attacks against pages that perform heavy-duty processing.
discovery) -- Performs anomaly detection on issues logged by discovery checks and warns of the possibility of false positives where applicable.
uniformity) -- Reports inputs that are uniformly vulnerable across a number of pages hinting to the lack of a central point of input sanitization.
The Trainer is what enables Arachni to learn from the scan it performs and incorporate that knowledge, on the fly, for the duration of the audit.
Checks have the ability to individually force the Framework to learn from the HTTP responses they are going to induce.
However, this is usually not required since Arachni is aware of which requests are more likely to uncover new elements or attack vectors and will adapt itself accordingly.
Still, this can be an invaluable asset to Fuzzer checks.
You can run
rake spec to run all specs or you can run them selectively using the following:
rake spec:core # for the core libraries rake spec:checks # for the checks rake spec:plugins # for the plugins rake spec:reports # for the reports rake spec:path_extractors # for the path extractors
Please be warned, the core specs will require a beast of a machine due to the necessity to test the Grid/multi-Instance features of the system.
Note: The check specs will take many hours to complete due to the timing-attack tests.
(Before starting any work, please read the instructions for working with the source code.)
We're happy to accept help from fellow code-monkeys and these are the steps you need to follow in order to contribute code:
git checkout -b <feature-name> experimental).
rake spec:corefor the core libs or
rake specfor everything).
Arachni Public Source License v1.0 -- please see the LICENSE file for more information.