... | ... | @@ -431,9 +431,10 @@ This will suppress all messages except for positive matches -- vulnerabilities. |
|
|
|
|
|
Limit how many concurrent HTTP request are sent.
|
|
|
|
|
|
*Note*: If your scan seems unresponsive try lowering the limit.
|
|
|
*Warning*: Given enough bandwidth and a high limit it could cause a DoS.
|
|
|
Be careful when setting this option too high, don't kill your server.
|
|
|
**Note**: If your scan seems unresponsive try lowering the limit.
|
|
|
|
|
|
**Warning**: Given enough bandwidth and a high limit it could cause a DoS.
|
|
|
Be careful when setting this option too high, don't kill your server.
|
|
|
|
|
|
<h3 id='http-timeout'><a href='#http-timeout'>HTTP timeout (--http-timeout)</a></h3>
|
|
|
|
... | ... | @@ -456,6 +457,7 @@ Limit how long the HTTP client should wait for a response from the server. |
|
|
|
|
|
|
|
|
Forces the system to only follow HTTPS URLs.
|
|
|
|
|
|
_(Target URL must be an HTTPS one as well.)_
|
|
|
|
|
|
<h3 id='cookie-jar'><a href='#cookie-jar'>Cookie jar (--cookie-jar)</a></h3>
|
... | ... | @@ -472,9 +474,9 @@ If you want to audit restricted parts of a website that are accessible only to l |
|
|
|
|
|
There's a number of ways to do that, I've found that Firebug's export cookie feature works best.
|
|
|
|
|
|
You should also take a look at the _--exclude-cookie_ option discussed later.
|
|
|
You should also take a look at the `--exclude-cookie` option discussed later.
|
|
|
|
|
|
*Note*: If you don't feel comfortable setting your own cookie-jar you can use the Proxy or AutoLogin plugin to login to the web application.
|
|
|
**Note**: If you don't feel comfortable setting your own cookie-jar you can use the Proxy or AutoLogin plugin to login to the web application.
|
|
|
|
|
|
<h3 id='cookie-string'><a href='#cookie-string'>Cookie string (--cookie-string)</a></h3>
|
|
|
|
... | ... | @@ -503,7 +505,7 @@ Cookies, as a string, to be sent to the web application. |
|
|
|
|
|
|
|
|
You can pass your own user agent string which will be sent to the webserver under audit.
|
|
|
Default is _Arachni/<version>_.
|
|
|
Default is `Arachni/<version>`.
|
|
|
|
|
|
<h3 id='custom-header'><a href='#custom-header'>Custom header (--custom-header)</a></h3>
|
|
|
|
... | ... | @@ -532,9 +534,9 @@ Allows you to specify custom headers in the form of key-value pairs. |
|
|
**Multiple invocations?**: `no`
|
|
|
|
|
|
|
|
|
The string passed to this option will be included in the user-agent string and be the value of the "From" HTTP header field.
|
|
|
The string passed to this option will be included in the user-agent string and be the value of the _From_ HTTP header field.
|
|
|
|
|
|
The _--authed-by_ value should contain information about the person who authorized the scan, his name and e-mail.
|
|
|
The `--authed-by` value should contain information about the person who authorized the scan, his name and e-mail.
|
|
|
|
|
|
<h4 id='authed-by_example'><a href='#authed-by_example'>Example</a></h4>
|
|
|
|
... | ... | @@ -550,12 +552,12 @@ The _--authed-by_ value should contain information about the person who authoriz |
|
|
|
|
|
**Multiple invocations?**: `no`
|
|
|
|
|
|
*Requires*: "login-check-pattern":#login-check-pattern
|
|
|
**Requires**: [login-check-pattern](#login-check-pattern)
|
|
|
|
|
|
The URL passed to this option will be used to verify that the scanner is still
|
|
|
logged in to the web application.
|
|
|
|
|
|
If HTTP response body of URL matches the "login-check-pattern":#login-check-pattern
|
|
|
If HTTP response body of URL matches the [login-check-pattern](#login-check-pattern)
|
|
|
this should indicate that the scanner is logged in.
|
|
|
|
|
|
<h3 id='login-check-pattern'><a href='#login-check-pattern'>Login check pattern (--login-check-pattern)</a></h3>
|
... | ... | @@ -566,9 +568,9 @@ this should indicate that the scanner is logged in. |
|
|
|
|
|
**Multiple invocations?**: `no`
|
|
|
|
|
|
*Requires*: "login-check-url":#login-check-url
|
|
|
**Requires**: [login-check-url](#login-check-url)
|
|
|
|
|
|
A pattern used against the body of the "login-check-url":#login-check-url to
|
|
|
A pattern used against the body of the [login-check-pattern](#login-check-pattern) to
|
|
|
verify that the scanner is still logged in to the web application.
|
|
|
|
|
|
A positive match should indicate that the scanner is logged in.
|
... | ... | @@ -625,7 +627,7 @@ This option will output the running configuration as a string of command line ar |
|
|
<h4 id='show-profile_example'><a href='#show-profile_example'>Example</a></h4>
|
|
|
|
|
|
|
|
|
```arachni --show-profile --load-profile=myprofile.afp</pre></code>
|
|
|
` arachni --show-profile --load-profile=myprofile.afp`
|
|
|
|
|
|
<h2 id='crawler'><a href='#crawler'>Crawler</a></h2>
|
|
|
|
... | ... | @@ -638,11 +640,11 @@ This option will output the running configuration as a string of command line ar |
|
|
**Multiple invocations?**: `yes`
|
|
|
|
|
|
|
|
|
The _--exclude_ option expects a regular expression or plain string and excludes URLs matching that expression from the crawling process.
|
|
|
The `--exclude` option expects a regular expression or plain string and excludes URLs matching that expression from the crawling process.
|
|
|
|
|
|
<h4 id='exclude_example'><a href='#exclude_example'>Example</a></h4>
|
|
|
|
|
|
In this simple example we tell Arachni to exclude all URLs that contain the string "xss".
|
|
|
In this simple example we tell Arachni to exclude all URLs that contain the string _xss_.
|
|
|
Thus no further action was taken.
|
|
|
|
|
|
```
|
... | ... | @@ -736,21 +738,20 @@ Arachni - Web Application Security Scanner Framework v0.4.2 |
|
|
|
|
|
**Multiple invocations?**: `yes`
|
|
|
|
|
|
|
|
|
The _--exclude-page_ option expects a regular expression or plain string
|
|
|
The `--exclude-page` option expects a regular expression or plain string
|
|
|
and excludes pages whose content matching that expression from the crawl process.
|
|
|
|
|
|
<h3 id='include'><a href='#include'>Include (--include/-i)</a></h3>
|
|
|
|
|
|
**Expects**: `regexp`
|
|
|
|
|
|
**Default**: `'.*'`
|
|
|
**Default**: `disabled`
|
|
|
|
|
|
**Multiple invocations?**: `yes`
|
|
|
|
|
|
|
|
|
This is the exact oposite of the _--exclude_ option.
|
|
|
When a regular expression is passed to the _--include_ option, *only* URLs matching that regular expression will be crawled.
|
|
|
This is the exact oposite of the `--exclude` option.
|
|
|
When a regular expression is passed to the `--include` option, **only** URLs matching that regular expression will be crawled.
|
|
|
|
|
|
<h3 id='redundant'><a href='#redundant'>Redundant (--redundant)</a></h3>
|
|
|
|
... | ... | @@ -922,8 +923,9 @@ Tells Arachni to audit the cookies of the page. |
|
|
Tells Arachni to exclude -- not audit -- a cookie by name.
|
|
|
Usually used to avoid auditing a session ID cookie from the cookie-jar.
|
|
|
|
|
|
*Note*: Even if you audit a session cookie Arachni will restore it to its original value right after auditing it.
|
|
|
**Note**: Even if you audit a session cookie Arachni will restore it to its original value right after auditing it.
|
|
|
However, some extra cautious websites may invalidate/block the session upon receiving an invalid token.
|
|
|
|
|
|
This is very unlikely but it's better to err on the side of caution.
|
|
|
|
|
|
<h3 id='exclude-vector'><a href='#exclude-vector'>Exclude cookie (--exclude-vector)</a></h3>
|
... | ... | @@ -948,8 +950,9 @@ Tells Arachni to exclude -- not audit -- an input vector by name. |
|
|
|
|
|
Tells Arachni to audit the HTTP headers of the page.
|
|
|
|
|
|
*Note*: Header audits use brute force. Almost all valid HTTP request headers will be audited even if there's no indication that the web app uses them.
|
|
|
*Warning*: Enabling this option will result in increased requests, maybe by an order of magnitude.
|
|
|
**Note**: Header audits use brute force. Almost all valid HTTP request headers will be audited even if there's no indication that the web app uses them.
|
|
|
|
|
|
**Warning**: Enabling this option will result in increased requests, maybe by an order of magnitude.
|
|
|
|
|
|
<h2 id='coverage'><a href='#coverage'>Coverage</a></h2>
|
|
|
|
... | ... | @@ -964,7 +967,7 @@ Tells Arachni to audit the HTTP headers of the page. |
|
|
|
|
|
If enabled Arachni will submit all links and forms of the page along with the cookie permutations.
|
|
|
|
|
|
*Warning*: Will severely increase the scan-time.
|
|
|
**Warning**: Will severely increase the scan-time.
|
|
|
|
|
|
<h3 id='fuzz-methods'><a href='#fuzz-methods'>Fuzz methods (--fuzz-methods)</a></h3>
|
|
|
|
... | ... | @@ -978,7 +981,7 @@ If enabled Arachni will submit all links and forms of the page along with the co |
|
|
If enabled Arachni will submit all links and forms using both the _GET_ and _POST_
|
|
|
HTTP request methods.
|
|
|
|
|
|
*Warning*: Will severely increase the scan-time.
|
|
|
**Warning**: Will severely increase the scan-time.
|
|
|
|
|
|
<h3 id='exclude-binaries'><a href='#exclude-binaries'>Exclude binaries (--exclude-binaries)</a></h3>
|
|
|
|
... | ... | @@ -991,7 +994,7 @@ HTTP request methods. |
|
|
|
|
|
Disables inclusion of binary HTTP response bodies in the audit.
|
|
|
|
|
|
*Note*: Binary content can confuse recon modules that perform pattern matching.
|
|
|
**Note**: Binary content can confuse recon modules that perform pattern matching.
|
|
|
|
|
|
<h2 id='modules'><a href='#modules'>Modules</a></h2>
|
|
|
|
... | ... | @@ -1146,9 +1149,11 @@ Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/xs |
|
|
|
|
|
|
|
|
Tells Arachni which modules to load.
|
|
|
Modules are referenced by their filename without the '.rb' extension, use '--lsmod' to see all.
|
|
|
You can specify the modules to load as comma separated values (without spaces) or '*' to load all modules.
|
|
|
You can prevent modules from loading by prefixing their name with a dash (-).
|
|
|
|
|
|
Modules are referenced by their filename without the `.rb` extension, use `--lsmod` to see all.
|
|
|
|
|
|
You can specify the modules to load as comma separated values (without spaces) or `*` to load all modules.
|
|
|
You can prevent modules from loading by prefixing their name with a dash (`-`).
|
|
|
|
|
|
|
|
|
<h4 id='mods_example'><a href='#mods_example'>Example</a></h4>
|
... | ... | @@ -1173,7 +1178,7 @@ Excluding modules: |
|
|
$ arachni --modules=*,-backup_files,-xss http://www.test.com
|
|
|
```
|
|
|
|
|
|
The above will load all modules except for the 'backup_files' and 'xss' modules.
|
|
|
The above will load all modules except for the _backup_files_ and _xss_ modules.
|
|
|
|
|
|
<h2 id='reports'><a href='#reports'>Reports</a></h2>
|
|
|
|
... | ... | @@ -1361,7 +1366,7 @@ You can use this option to load a report file and convert it to another format. |
|
|
|
|
|
<h4 id='repload_example'><a href='#repload_example'>Example</a></h4>
|
|
|
|
|
|
Load an AFR report file and send it to the "stdout" report.
|
|
|
Load an AFR report file and send it to the _stdout_ report.
|
|
|
|
|
|
```
|
|
|
$ arachni --repload=2012-09-09\ 02.42.20\ +0300.afr
|
... | ... | @@ -1512,7 +1517,7 @@ Arachni - Web Application Security Scanner Framework v0.4.2 |
|
|
|
|
|
|
|
|
Tells Arachni which report component to use.
|
|
|
Reports are referenced by their filename without the '.rb' extension, use '--lsrep' to see all.
|
|
|
Reports are referenced by their filename without the `.rb` extension, use `--lsrep` to see all.
|
|
|
|
|
|
<h4 id='report_example'><a href='#report_example'>Example</a></h4>
|
|
|
|
... | ... | @@ -2124,7 +2129,7 @@ Path: /home/zapotek/workspace/arachni/plugins/form_dicattack.rb |
|
|
|
|
|
|
|
|
Tells Arachni which plugin components to run.
|
|
|
Plugins are referenced by their filename without the '.rb' extension, use '--lsplug' to see all.
|
|
|
Plugins are referenced by their filename without the `.rb` extension, use `--lsplug` to see all.
|
|
|
|
|
|
<h4 id='plugin_example'><a href='#plugin_example'>Example</a></h4>
|
|
|
|
... | ... | @@ -2470,7 +2475,7 @@ Arachni - Web Application Security Scanner Framework v0.4.2 |
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
Usage: arachni [options] url
|
|
|
Usage: arachni [options] url
|
|
|
|
|
|
Supported options:
|
|
|
|
... | ... | @@ -2480,6 +2485,8 @@ Arachni - Web Application Security Scanner Framework v0.4.2 |
|
|
-h
|
|
|
--help Output this.
|
|
|
|
|
|
--version Show version information and exit.
|
|
|
|
|
|
-v Be verbose.
|
|
|
|
|
|
--debug Show what is happening internally.
|
... | ... | @@ -2538,6 +2545,9 @@ Arachni - Web Application Security Scanner Framework v0.4.2 |
|
|
--exclude=<regexp> Exclude urls matching <regexp>.
|
|
|
(Can be used multiple times.)
|
|
|
|
|
|
--exclude-page=<regexp> Exclude pages whose content matches <regexp>.
|
|
|
(Can be used multiple times.)
|
|
|
|
|
|
-i <regexp>
|
|
|
--include=<regexp> Include *only* urls matching <regex>.
|
|
|
(Can be used multiple times.)
|
... | ... | @@ -2569,9 +2579,11 @@ Arachni - Web Application Security Scanner Framework v0.4.2 |
|
|
--extend-paths=<filepath> Add the paths in <file> to the ones discovered by the crawler.
|
|
|
(Can be used multiple times.)
|
|
|
|
|
|
--restrict-paths=<filepath> Use the paths in <file> instead of crawling.
|
|
|
--interceptor.callict-paths=<filepath> Use the paths in <file> instead of crawling.
|
|
|
(Can be used multiple times.)
|
|
|
|
|
|
--https-only Forces the system to only follow HTTPS URLs.
|
|
|
|
|
|
|
|
|
Auditor ------------------------
|
|
|
|
... | ... | @@ -2672,4 +2684,5 @@ Arachni - Web Application Security Scanner Framework v0.4.2 |
|
|
--proxy-type=<type> Proxy type; can be http, http_1_0, socks4, socks5, socks4a
|
|
|
(Default: http)
|
|
|
|
|
|
|
|
|
``` |