Arachni - Web Application Security Scanner Framework
Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.
It is smart, it trains itself by monitoring and learning from the web application's behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false-positives.
Unlike other scanners, it takes into account the dynamic nature of web applications, can detect changes caused while travelling through the paths of a web application’s cyclomatic complexity and is able to adjust itself accordingly. This way, attack/input vectors that would otherwise be undetectable by non-humans can be handled seamlessly.
Moreover, due to its integrated browser environment, it can also audit and inspect client-side code, as well as support highly complicated web applications which make heavy use of technologies such as JavaScript, HTML5, DOM manipulation and AJAX.
Finally, it is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.
Note: Despite the fact that Arachni is mostly targeted towards web application security, it can easily be used for general purpose scraping, data-mining, etc. with the addition of custom components.
A stable, efficient, high-performance framework
Check
, report
and plugin
developers are allowed to easily and quickly create and deploy their components with the minimum amount of restrictions imposed upon them, while provided with the necessary infrastructure to accomplish their goals.
Furthermore, they are encouraged to take full advantage of the Ruby language under a unified framework that will increase their productivity without stifling them or complicating their tasks.
Moreover, that same framework can be utilized as any other Ruby library and lead to the development of brand new scanners or help you create highly customized scan/audit scenarios and/or scripted scans.
Simplicity
Although some parts of the Framework are fairly complex you will never have to deal them directly. From a user’s or a component developer’s point of view everything appears simple and straight-forward all the while providing power, performance and flexibility.
From the simple command-line utility scanner to the intuitive and user-friendly Web interface and collaboration platform, Arachni follows the principle of least surprise and provides you with plenty of feedback and guidance.
In simple terms
Arachni is designed to automatically detect security issues in web applications. All it expects is the URL of the target website and after a while it will present you with its findings.
Features
General
- Cookie-jar/cookie-string support.
- Custom header support.
- SSL support with fine-grained options.
- User Agent spoofing.
- Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0.
- Proxy authentication.
- Site authentication (SSL-based, form-based, Cookie-Jar, Basic-Digest, NTLMv1, Kerberos and others).
- Automatic log-out detection and re-login during the scan (when the initial login was performed via the
autologin
,login_script
orproxy
plugins). - Custom 404 page detection.
- UI abstraction:
- Command-line Interface.
- Web User Interface.
- Pause/resume functionality.
- Hibernation support -- Suspend to and restore from disk.
- High performance asynchronous HTTP requests.
- With adjustable concurrency.
- With the ability to auto-detect server health and adjust its concurrency automatically.
- Support for custom default input values, using pairs of patterns (to be matched against input names) and values to be used to fill in matching inputs.
Integrated browser environment
Arachni includes an integrated, real browser environment in order to provide sufficient coverage to modern web applications which make use of technologies such as HTML5, JavaScript, DOM manipulation, AJAX, etc.
In addition to the monitoring of the vanilla DOM and JavaScript environments, Arachni's browsers also hook into popular frameworks to make the logged data easier to digest:
- JQuery
- AngularJS
In essence, this turns Arachni into a DOM and JavaScript debugger, allowing it to monitor DOM events and JavaScript data and execution flows. As a result, not only can the system trigger and identify DOM-based issues, but it will accompany them with a great deal of information regarding the state of the page at the time.
Full Detail
||||||https://github.com/Arachni/arachni
KALI LINUX: Download and Extract Arachni
extract :----- tar -xvzf arachni-1.5.1-0.5.12-linux-x86_64.tar.gz
:~terminal : ./arachni_web
:~terminal : ./arachni_rpcd
This start's arachni web scanner & can access at: localhost:9292
User Name: admin@admin.admin
Password: administrator
KALI LINUX: Download and Extract Arachni
extract :----- tar -xvzf arachni-1.5.1-0.5.12-linux-x86_64.tar.gz
:~terminal : ./arachni_web
:~terminal : ./arachni_rpcd
This start's arachni web scanner & can access at: localhost:9292
User Name: admin@admin.admin
Password: administrator