|
|
## Version 0.4.2
|
|
|
|
|
|
There are a lot of options, customizations and tweaks you can use but fear not and don't let yourself be overwhelmed.
|
|
|
|
|
|
This guide will walk you through each and every one of them and teach you how to use them in order to make your scans as efficient as possible.
|
|
|
|
|
|
_If you intend to scan big and complex sites it's best that you read through this guide and evaluate all available options._
|
|
|
|
|
|
### Quickstart
|
|
|
|
|
|
#### Help
|
|
|
|
|
|
In order to see everything Arachni has to offer execute:
|
|
|
|
|
|
$ arachni -h
|
|
|
|
|
|
#### Examples
|
|
|
|
|
|
You can simply run Arachni like so:
|
|
|
|
|
|
$ arachni http://test.com
|
|
|
|
|
|
which will load all modules, the plugins under `/plugins/defaults` and audit
|
|
|
all forms, links and cookies.
|
|
|
|
|
|
In the following example all modules will be run against _http://test.com_, auditing links/forms/cookies and following subdomains, with verbose output enabled.
|
|
|
|
|
|
The results of the audit will be saved in the file _test.com.afr_.
|
|
|
|
|
|
$ arachni -fv http://test.com --report=afr:outfile=test.com.afr
|
|
|
|
|
|
The Arachni Framework Report (.afr) file can later be loaded by Arachni to
|
|
|
create a report, like so:
|
|
|
|
|
|
$ arachni --repload=test.com.afr --report=html:outfile=my_report.html
|
|
|
|
|
|
or any other report type as shown by:
|
|
|
|
|
|
$ arachni --lsrep
|
|
|
|
|
|
#### You can make module loading easier by using wildcards (*) and exclusions (-).
|
|
|
|
|
|
To load all `xss` modules using a wildcard:
|
|
|
|
|
|
$ arachni http://example.net --modules=xss*
|
|
|
|
|
|
To load all _audit_ modules using a wildcard:
|
|
|
|
|
|
$ arachni http://example.net --modules=audit/*
|
|
|
|
|
|
To exclude only the _csrf_ module:
|
|
|
|
|
|
$ arachni http://example.net --modules=*,-csrf
|
|
|
|
|
|
Or you can mix and match; to run everything but the _xss_ modules:
|
|
|
|
|
|
$ arachni http://example.net --modules=*,-xss*
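To make the wildcard and exclusion rules above concrete, here is an added Ruby example (not Arachni's own module loader) that resolves a `--modules` value such as `xss*`, `audit/*`, `*,-csrf` or `*,-xss*` against a list of module paths. The `AVAILABLE_MODULES` list is constructed for illustration; a pattern is taken to match either the full path (`audit/xss`) or the bare module name (`xss`).

```ruby
# Added example, not part of Arachni: resolve a --modules specification
# ("xss*", "audit/*", "*,-csrf", "*,-xss*") against a list of available
# module paths, honouring wildcards (*) and leading-dash exclusions (-).
# AVAILABLE_MODULES is a constructed list for illustration only.

AVAILABLE_MODULES = %w[
  audit/xss audit/xss_path audit/xss_script_tag audit/sqli audit/csrf
  audit/code_injection recon/backup_files recon/common_files recon/htaccess_limit
].freeze

# Turn a shell-style glob into an anchored Regexp: "xss*" => /\Axss.*\z/
def glob_to_regexp(glob)
  Regexp.new('\A' + Regexp.escape(glob).gsub('\*', '.*') + '\z')
end

# A pattern may name the full path ("audit/xss") or just the module ("xss").
def module_matches?(mod, pattern)
  re = glob_to_regexp(pattern)
  mod.match?(re) || File.basename(mod).match?(re)
end

# Returns the modules that would be loaded for the given --modules value,
# in the order they appear in the available list. Exclusions are applied
# after inclusions, so "*,-xss*" means "everything except the xss modules".
def resolve_modules(spec, available = AVAILABLE_MODULES)
  patterns = spec.split(',').map(&:strip).reject(&:empty?)
  includes = patterns.reject { |p| p.start_with?('-') }
  excludes = patterns.select { |p| p.start_with?('-') }.map { |p| p[1..-1] }
  available.select { |m| includes.any? { |p| module_matches?(m, p) } }
           .reject { |m| excludes.any? { |p| module_matches?(m, p) } }
end

if $PROGRAM_NAME == __FILE__
  ['xss*', 'audit/*', '*,-csrf', '*,-xss*'].each do |spec|
    puts "#{spec.ljust(10)} => #{resolve_modules(spec).join(' ')}"
  end
end
```

Run it directly to see which modules each of the four specifications from this section would select; an exclusion-only specification such as `-csrf` selects nothing, because nothing was included first.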
|
|
|
|
|
|
#### Performing a full scan quickly
|
|
|
|
|
|
The _full_ profile adds header auditing to the defaults.
|
|
|
|
|
|
_NOTICE: Auditing headers can increase scan time by an order of magnitude
|
|
|
(depending on the website) and may be considered over-the-top in most scenarios._
|
|
|
|
|
|
You can use it like so:
|
|
|
|
|
|
$ arachni --load-profile=profiles/full.afp http://example.net
|
|
|
|
|
|
|
|
|
_If you installed the Gem then you'll have to look for the "profiles" directory
|
|
|
in your gems path._
|
|
|
|
|
|
### Command reference
|
|
|
|
|
|
[Command Line Interface help output](#cli_help_output)
|
|
|
|
|
|
* [General](#general)
|
|
|
* [Version (--version)](#version)
|
|
|
* [Verbosity (-v)](#verbosity)
|
|
|
* [Example](#verbosity_example)
|
|
|
* [Debug mode (--debug)](#debug)
|
|
|
* [Only positives (--only-positives)](#only-positives)
|
|
|
* [HTTP request limit (--http-req-limit)](#http-req-limit)
|
|
|
* [HTTP request timeout (--http-timeout)](#http-timeout)
|
|
|
* [HTTPS only (--https-only)](#https-only)
|
|
|
* [Cookie jar (--cookie-jar)](#cookie-jar)
|
|
|
* [Cookie string (--cookie-string)](#cookie-string)
|
|
|
* [User agent (--user-agent)](#user-agent)
|
|
|
* [Custom header (--custom-header)](#custom-header)
|
|
|
* [Example](#custom-header_example)
|
|
|
* [Authorized by (--authed-by)](#authed-by)
|
|
|
* [Example](#authed-by_example)
|
|
|
* [Login check URL (--login-check-url)](#login-check-url)
|
|
|
* [Login check pattern (--login-check-pattern)](#login-check-pattern)
|
|
|
* [Profiles](#profiles)
|
|
|
* [Save profile (--save-profile)](#save-profile)
|
|
|
* [Example](#save-profile_example)
|
|
|
* [Load profile (--load-profile)](#load-profile)
|
|
|
* [Example](#load-profile_example)
|
|
|
* [Show profile (--show-profile)](#show-profile)
|
|
|
* [Example](#show-profile_example)
|
|
|
* [Crawler](#crawler)
|
|
|
* [Exclude (--exclude/-e)](#exclude)
|
|
|
* [Example](#exclude_example)
|
|
|
* [Exclude page by content (--exclude-page)](#exclude-page)
|
|
|
* [Example](#exclude-page_example)
|
|
|
* [Include (--include/-i)](#include)
|
|
|
* [Redundant (--redundant)](#redundant)
|
|
|
* [Auto-redundant (--auto-redundant)](#auto-redundant)
|
|
|
* [Example](#auto-redundant_example)
|
|
|
* [Follow subdomains (-f/--follow-subdomains)](#follow-subdomains)
|
|
|
* [Depth limit (--depth)](#depth)
|
|
|
* [Link count limit (--link-count)](#link-count)
|
|
|
* [Redirect limit (--redirect-limit)](#redirect-limit)
|
|
|
* [Extend paths (--extend-paths)](#extend-paths)
|
|
|
* [Restrict paths (--restrict-paths)](#restrict-paths)
|
|
|
* [Auditor](#auditor)
|
|
|
* [Audit links (--audit-links/-g)](#audit-links)
|
|
|
* [Audit forms (--audit-forms/-p)](#audit-forms)
|
|
|
* [Audit cookies (--audit-cookies/-c)](#audit-cookies)
|
|
|
* [Exclude cookie (--exclude-cookie)](#exclude-cookie)
|
|
|
* [Exclude vector (--exclude-vector)](#exclude-vector)
|
|
|
* [Audit headers (--audit-headers)](#audit-headers)
|
|
|
* [Coverage](#coverage)
|
|
|
* [Audit cookies extensively (--audit-cookies-extensively)](#audit-cookies-extensively)
|
|
|
* [Fuzz methods (--fuzz-methods)](#fuzz-methods)
|
|
|
* [Exclude binaries (--exclude-binaries)](#exclude-binaries)
|
|
|
* [Modules](#modules)
|
|
|
* [List modules (--lsmod)](#lsmod)
|
|
|
* [Example](#lsmod_example)
|
|
|
* [Modules (--modules/-m)](#modules)
|
|
|
* [Example](#mods_example)
|
|
|
* [Reports](#reports)
|
|
|
* [List reports (--lsrep)](#lsrep)
|
|
|
* [Example](#lsrep_example)
|
|
|
* [Load a report (--repload)](#repload)
|
|
|
* [Example](#repload_example)
|
|
|
* [Report (--report)](#report)
|
|
|
* [Example](#report_example)
|
|
|
* [Plugins](#plugins)
|
|
|
* [List plugins (--lsplug)](#lsplug)
|
|
|
* [Example](#lsplug_example)
|
|
|
* [Load a plugin (--plugin)](#plugin)
|
|
|
* [Example](#plugin_example)
|
|
|
* [Proxy](#proxy)
|
|
|
* [Proxy server (--proxy)](#proxy_server)
|
|
|
* [Proxy authentication (--proxy-auth)](#proxy-auth)
|
|
|
* [Proxy type (--proxy-type)](#proxy-type)
|
|
|
|
|
|
<h2 id='general'><a href='#general'>General</a></h2>
|
|
|
|
|
|
<h3 id='version'><a href='#version'>Version (--version)</a></h3>
|
|
|
|
|
|
*Expects*: <n/a>
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
Outputs the Arachni banner and version information.
|
|
|
|
|
|
<h3 id='verbosity'><a href='#verbosity'>Verbosity (-v)</a></h3>
|
|
|
|
|
|
*Expects*: <n/a>
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
When verbosity is enabled Arachni will give you detailed information about what's going on during the whole process.
|
|
|
|
|
|
<h4 id='verbosity_example'><a href='#verbosity_example'>Example</a></h4>
|
|
|
|
|
|
Let's give this a try:
|
|
|
|
|
|
```
$ arachni --audit-forms --modules=xss http://testfire.net/ --link-count=1
```
|
|
|
|
|
|
|
|
|
This will load the XSS module and audit all the forms in "http://testfire.net/".
|
|
|
|
|
|
*Verbose mode disabled*
|
|
|
|
|
|
Observe that there's no _-v_ flag in the following run.
|
|
|
_Don't worry about the rest of the parameters right now._
|
|
|
|
|
|
*Quick note:*
|
|
|
Arachni's output messages are classified into several categories, each of them prefixed with a different colored symbol.
|
|
|
"[*]" messages are status messages.
|
|
|
"[+]" messages are "ok" messages - positive matches.
|
|
|
_I won't bother with coloring during the examples._
|
|
|
|
|
|
|
|
|
```
|
|
|
Arachni - Web Application Security Scanner Framework v0.4.2
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
Website: http://arachni-scanner.com
|
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
[*] Initialising...
|
|
|
[*] Waiting for plugins to settle...
|
|
|
[*] [HTTP: 200] http://testfire.net/
|
|
|
[*] Harvesting HTTP responses...
|
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
|
|
|
|
[*] Auditing: [HTTP: 200] http://testfire.net/
|
|
|
[*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
[*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
|
|
|
[*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
[*] Harvesting HTTP responses...
|
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
|
[*] Profiler: Analyzing response #3...
|
|
|
[~] Trainer: Found 1 new links.
|
|
|
[*] Profiler: Analyzing response #4...
|
|
|
[*] Profiler: Analyzing response #5...
|
|
|
[*] XSS: Analyzing response #6...
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
[*] XSS: Analyzing response #7...
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
[*] XSS: Analyzing response #8...
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
```
|
|
|
|
|
|
|
|
|
*Verbose mode enabled*
|
|
|
|
|
|
See the extra information in this example.
|
|
|
"[v]" messages are verbose messages.
|
|
|
In this case the verbose messages give information about the inputs that discovered the XSS vulnerability.
|
|
|
|
|
|
|
|
|
```
|
|
|
$ arachni -v --audit-forms --modules=xss http://testfire.net/ --link-count=1
|
|
|
Arachni - Web Application Security Scanner Framework v0.4.2
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
Website: http://arachni-scanner.com
|
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
[*] Initialising...
|
|
|
[*] Waiting for plugins to settle...
|
|
|
[*] [HTTP: 200] http://testfire.net/
|
|
|
[*] Harvesting HTTP responses...
|
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
|
|
|
|
[*] Auditing: [HTTP: 200] http://testfire.net/
|
|
|
[*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
[*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
|
|
|
[*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
[*] Harvesting HTTP responses...
|
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
|
[*] Profiler: Analyzing response #3...
|
|
|
[~] Trainer: Found 1 new links.
|
|
|
[*] Profiler: Analyzing response #4...
|
|
|
[*] Profiler: Analyzing response #5...
|
|
|
[*] XSS: Analyzing response #6...
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
[v] XSS: Injected string: <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
|
|
|
[v] XSS: Verified string: <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
|
|
|
[*] XSS: Analyzing response #7...
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
[v] XSS: Injected string: '-;<some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
|
|
|
[v] XSS: Verified string: '-;<some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
|
|
|
[*] XSS: Analyzing response #8...
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
[v] XSS: Injected string: --> <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/> <!--
|
|
|
[v] XSS: Verified string: --> <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/> <!--
|
|
|
```
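The two runs above show the message classes Arachni prints: `[*]` status, `[+]` positive match, `[v]` verbose, `[~]` notice and (under `--debug`) `[!]` debug lines. As an added example, not code from Arachni, the Ruby below parses such console output into structured findings, pairing each `[+]` line with the `[v] Injected string` / `Verified string` lines that follow it in verbose mode, so results can be counted or diffed between scans. The sample output is a constructed excerpt modelled on the run above, with the long hash in the injected string replaced by a placeholder.

```ruby
# Added example, not part of Arachni: parse the scanner's console output
# into structured records. Constructed sample modelled on the verbose run
# above; TOKEN stands in for the per-scan hash Arachni appends.
require 'json'

SAMPLE_OUTPUT = <<~OUT
  [*] Initialising...
  [*] Auditing: [HTTP: 200] http://testfire.net/
  [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
  [~] Trainer: Found 1 new links.
  [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
  [v] XSS: Injected string: <some_dangerous_input_TOKEN/>
  [v] XSS: Verified string: <some_dangerous_input_TOKEN/>
  [*] XSS: Analyzing response #7...
  [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
  [v] XSS: Injected string: '-;<some_dangerous_input_TOKEN/>
  [v] XSS: Verified string: '-;<some_dangerous_input_TOKEN/>
OUT

PREFIXES = { '*' => :status, '+' => :positive, 'v' => :verbose,
             '~' => :notice, '!' => :debug }.freeze

Finding = Struct.new(:check, :element, :name, :url, :injected, :verified)

# Split a line into its message class and body; nil for non-Arachni lines.
def classify(line)
  m = line.match(/\A\[(.)\]\s(.*)\z/) or return nil
  [PREFIXES.fetch(m[1], :unknown), m[2]]
end

# Count lines per message class (useful to spot a run that produced no [+]).
def count_by_kind(output)
  counts = Hash.new(0)
  output.each_line(chomp: true) do |line|
    kind, _body = classify(line)
    counts[kind] += 1 if kind
  end
  counts
end

# Collect [+] findings; attach the verbose injected/verified strings that
# Arachni prints immediately after each positive match when -v is on.
def parse_findings(output)
  findings = []
  output.each_line(chomp: true) do |line|
    kind, body = classify(line)
    next unless kind
    case kind
    when :positive
      m = body.match(/\A(\w+): In (\w+) var '([^']+)' \( (\S+) \)\z/) or next
      findings << Finding.new(m[1], m[2], m[3], m[4], nil, nil)
    when :verbose
      m = body.match(/\A\w+: (Injected|Verified) string: (.*)\z/) or next
      current = findings.last or next
      if m[1] == 'Injected'
        current.injected = m[2]
      else
        current.verified = m[2]
      end
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(parse_findings(SAMPLE_OUTPUT).map(&:to_h))
  puts count_by_kind(SAMPLE_OUTPUT).inspect
end
```

Without `-v` the `[v]` lines are absent and `injected`/`verified` simply stay `nil`, which is exactly the information the verbose run adds over the quiet one.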
|
|
|
|
|
|
|
|
|
<h3 id='debug'><a href='#debug'>Debug mode (--debug)</a></h3>
|
|
|
|
|
|
*Expects*: <n/a>
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
When this flag is enabled the system will output a lot of messages detailing what's happening internally.
|
|
|
|
|
|
If you don't want to be flooded by noisy and obscure messages you can redirect the debugging output (written to stderr) to a separate file when running Arachni:
|
|
|
|
|
|
```
|
|
|
$ arachni -pv --mods=xss http://localhost/~zapotek/tests/forms/xss.php --debug 2> debug.log
|
|
|
```
|
|
|
|
|
|
|
|
|
The debug.log file will contain something like:
|
|
|
|
|
|
```
|
|
|
$ cat debug.log
|
|
|
[!] XSS: Current audit ID: XSS:http://localhost/~zapotek/tests/forms/xss.php:form:["xss"]=<arachni_xss_5e2e830ed4f831cb30df6df05151022b94cd27991b459ae8c3b349e2bbd2dad1
|
|
|
[!] XSS: Current audit ID: XSS:http://localhost/~zapotek/tests/forms/xss.php:form:["xss"]=__original_values__
|
|
|
[!] XSS: Current audit ID: XSS:http://localhost/~zapotek/tests/forms/xss.php:form:["xss"]=__sample_values__
|
|
|
[!] XSS:
|
|
|
[!] XSS: Trainer set to: OFF
|
|
|
[!] XSS: ------------
|
|
|
[!] XSS: Injection string format combinations set to:
|
|
|
[!] XSS: |
|
|
|
[!] XSS: |----> Null character termination (Format::NULL [4]) and append to default value (Format::APPEND [2]). [Combo mask: 6]
|
|
|
[!] XSS:
|
|
|
[!] XSS: Prepared combinations:
|
|
|
[!] XSS: |
|
|
|
[!] XSS: |
|
|
|
[!] XSS: |--> Auditing: __original_values__
|
|
|
[!] XSS: |--> Combo:
|
|
|
[!] XSS: |------> ["xss", ""]
|
|
|
[!] XSS: |
|
|
|
[!] XSS: |--> Auditing: __sample_values__
|
|
|
[!] XSS: |--> Combo:
|
|
|
[!] XSS: |------> ["xss", "1"]
|
|
|
[!] XSS: |
|
|
|
[!] XSS: |--> Auditing: xss
|
|
|
[!] XSS: |--> Combo:
|
|
|
[!] XSS: |------> ["xss", "1<arachni_xss_5e2e830ed4f831cb30df6df05151022b94cd27991b459ae8c3b349e2bbd2dad1\x00"]
|
|
|
[!] XSS:
|
|
|
[!] XSS: ------------
|
|
|
[!] XSS:
|
|
|
[!] XSS: Current audit ID: XSS:http://localhost/~zapotek/tests/forms/xss.php:form:["xss"]=__original_values__
|
|
|
[!] XSS: Submitting form with original values; overriding trainer option.
|
|
|
[!] XSS: Trainer set to: ON
|
|
|
[!] ------------
|
|
|
[!] Queued request.
|
|
|
[!] ID#: 0
|
|
|
[!] URL: http://localhost/~zapotek/tests/forms/xss.php
|
|
|
[!] Method: post
|
|
|
[!] Params: {"xss"=>""}
|
|
|
[!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
|
|
|
[!] Train?: true
|
|
|
[!] ------------
|
|
|
[!] XSS: Current audit ID: XSS:http://localhost/~zapotek/tests/forms/xss.php:form:["xss"]=__sample_values__
|
|
|
[!] XSS: Submitting form with sample values; overriding trainer option.
|
|
|
[!] XSS: Trainer set to: ON
|
|
|
[!] ------------
|
|
|
[!] Queued request.
|
|
|
[!] ID#: 1
|
|
|
[!] URL: http://localhost/~zapotek/tests/forms/xss.php
|
|
|
[!] Method: post
|
|
|
[!] Params: {"xss"=>"1"}
|
|
|
[!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
|
|
|
[!] Train?: true
|
|
|
[!] ------------
|
|
|
[!] ------------
|
|
|
[!] Queued request.
|
|
|
[!] ID#: 2
|
|
|
[!] URL: http://localhost/~zapotek/tests/forms/xss.php
|
|
|
[!] Method: post
|
|
|
[!] Params: {"xss"=>"1<arachni_xss_5e2e830ed4f831cb30df6df05151022b94cd27991b459ae8c3b349e2bbd2dad1\x00"}
|
|
|
[!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
|
|
|
[!] Train?: false
|
|
|
[!] ------------
|
|
|
[!] ------------
|
|
|
[!] Got response.
|
|
|
[!] Request ID#: 2
|
|
|
[!] URL: http://localhost/~zapotek/tests/forms/xss.php
|
|
|
[!] Method: post
|
|
|
[!] Params: {"xss"=>"1<arachni_xss_5e2e830ed4f831cb30df6df05151022b94cd27991b459ae8c3b349e2bbd2dad1\x00"}
|
|
|
[!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
|
|
|
[!] Train?: false
|
|
|
[!] ------------
|
|
|
[!] XSS: Request ID: 2
|
|
|
[!] ------------
|
|
|
[!] Got response.
|
|
|
[!] Request ID#: 0
|
|
|
[!] URL: http://localhost/~zapotek/tests/forms/xss.php
|
|
|
[!] Method: post
|
|
|
[!] Params: {"xss"=>""}
|
|
|
[!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
|
|
|
[!] Train?: true
|
|
|
[!] ------------
|
|
|
[!] Trainer: Started for response with request ID: #0
|
|
|
[!] Trainer: Page hasn't changed, skipping...
|
|
|
[!] ------------
|
|
|
[!] Got response.
|
|
|
[!] Request ID#: 1
|
|
|
[!] URL: http://localhost/~zapotek/tests/forms/xss.php
|
|
|
[!] Method: post
|
|
|
[!] Params: {"xss"=>"1"}
|
|
|
[!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
|
|
|
[!] Train?: true
|
|
|
[!] ------------
|
|
|
[!] Trainer: Started for response with request ID: #1
|
|
|
[!] Trainer: Training complete.
|
|
|
```
|
|
|
|
|
|
|
|
|
<h3 id='only-positives'><a href='#only-positives'>Only positives (--only-positives)</a></h3>
|
|
|
|
|
|
*Expects*: <n/a>
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
This will suppress all messages except for positive matches -- vulnerabilities.
|
|
|
|
|
|
<h3 id='http-req-limit'><a href='#http-req-limit'>HTTP request limit (--http-req-limit)</a></h3>
|
|
|
|
|
|
*Expects*: integer
|
|
|
*Default*: 60
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
Limit how many concurrent HTTP requests are sent.
|
|
|
|
|
|
*Note*: If your scan seems unresponsive try lowering the limit.
|
|
|
*Warning*: Given enough bandwidth and a high limit it could cause a DoS.
|
|
|
Be careful when setting this option too high, don't kill your server.
|
|
|
|
|
|
<h3 id='http-timeout'><a href='#http-timeout'>HTTP timeout (--http-timeout)</a></h3>
|
|
|
|
|
|
*Expects*: integer (milliseconds)
|
|
|
*Default*: 50000
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
Limit how long the HTTP client should wait for a response from the server.
|
|
|
|
|
|
<h3 id='https-only'><a href='#https-only'>HTTPS only (--https-only)</a></h3>
|
|
|
|
|
|
*Expects*: <n/a>
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
Forces the system to only follow HTTPS URLs.
|
|
|
_(Target URL must be an HTTPS one as well.)_
|
|
|
|
|
|
<h3 id='cookie-jar'><a href='#cookie-jar'>Cookie jar (--cookie-jar)</a></h3>
|
|
|
|
|
|
*Expects*: cookiejar file
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
Arachni allows you to pass your own cookies in the form of a Netscape cookie-jar file.
|
|
|
If you want to audit restricted parts of a website that are accessible only to logged in users you should pass the session cookies to Arachni.
|
|
|
|
|
|
There's a number of ways to do that, I've found that Firebug's export cookie feature works best.
|
|
|
|
|
|
You should also take a look at the _--exclude-cookie_ option discussed later.
|
|
|
|
|
|
*Note*: If you don't feel comfortable setting your own cookie-jar you can use the Proxy or AutoLogin plugin to login to the web application.
|
|
|
|
|
|
<h3 id='cookie-string'><a href='#cookie-string'>Cookie string (--cookie-string)</a></h3>
|
|
|
|
|
|
*Expects*: string
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
Cookies, as a string, to be sent to the web application.
|
|
|
|
|
|
<h4 id='cookie-string_example'><a href='#cookie-string_example'>Example</a></h4>
|
|
|
|
|
|
```
|
|
|
--cookie-string='userid=19;sessionid=deadbeefbabe'
|
|
|
```
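The cookie-jar and cookie-string options above accept the same cookies in two shapes. As an added example (not Arachni code), the Ruby below reads a Netscape-format cookie jar, the file format `--cookie-jar` expects, and builds the equivalent `--cookie-string` value for a given target URL, keeping only the cookies whose domain, path, `secure` flag and expiry apply to that URL. The jar contents are constructed, and the `#HttpOnly_` prefix convention used by curl-style exports is assumed.

```ruby
# Added example, not part of Arachni: convert a Netscape cookie jar into the
# "name=value;name2=value2" form that --cookie-string takes, selecting only
# the cookies a browser would send to the target URL.
require 'uri'

# Constructed sample jar. Fields: domain, include-subdomains, path, secure,
# expiry (Unix time), name, value. Lines starting with "#" are comments,
# except the "#HttpOnly_" prefix some exporters use for HttpOnly cookies.
NETSCAPE_JAR = <<~JAR
  # Netscape HTTP Cookie File
  # constructed sample; not exported from a real browser
  .test.com\tTRUE\t/\tFALSE\t4102444800\tuserid\t19
  #HttpOnly_.test.com\tTRUE\t/\tFALSE\t4102444800\tsessionid\tdeadbeefbabe
  .test.com\tTRUE\t/admin\tFALSE\t4102444800\tadmin_pref\tcompact
  .test.com\tTRUE\t/\tTRUE\t4102444800\tcsrftoken\tabc123
  .test.com\tTRUE\t/\tFALSE\t946684800\texpired\tgone
  .other.org\tTRUE\t/\tFALSE\t4102444800\tfoo\tbar
JAR

Cookie = Struct.new(:domain, :subdomains, :path, :secure, :expires,
                    :name, :value, :http_only)

def parse_cookie_jar(text)
  text.each_line(chomp: true).map do |line|
    http_only = line.start_with?('#HttpOnly_')
    line = line.sub('#HttpOnly_', '') if http_only
    next if line.strip.empty? || line.start_with?('#')
    f = line.split("\t")
    next unless f.size == 7
    Cookie.new(f[0], f[1] == 'TRUE', f[2], f[3] == 'TRUE',
               Time.at(f[4].to_i), f[5], f[6], http_only)
  end.compact
end

# RFC 6265 path matching: exact, or prefix ending at a "/" boundary.
def path_match?(cookie_path, req_path)
  return true if cookie_path == req_path
  return false unless req_path.start_with?(cookie_path)
  cookie_path.end_with?('/') || req_path[cookie_path.length] == '/'
end

# Would a browser send this cookie to the given URL?
def cookie_applies?(cookie, uri, now = Time.now)
  host = uri.host.downcase
  dom  = cookie.domain.sub(/\A\./, '').downcase
  return false unless host == dom || host.end_with?(".#{dom}")
  req_path = uri.path.empty? ? '/' : uri.path
  return false unless path_match?(cookie.path, req_path)
  return false if cookie.secure && uri.scheme != 'https'
  # An expiry of 0 marks a session cookie; anything else must be in the future.
  return false unless cookie.expires.to_i.zero? || cookie.expires > now
  true
end

def cookie_string_for(jar_text, url, now: Time.now)
  uri = URI.parse(url)
  parse_cookie_jar(jar_text).select { |c| cookie_applies?(c, uri, now) }
                            .map { |c| "#{c.name}=#{c.value}" }
                            .join(';')
end

if $PROGRAM_NAME == __FILE__
  puts cookie_string_for(NETSCAPE_JAR, 'http://test.com/')
  puts cookie_string_for(NETSCAPE_JAR, 'https://www.test.com/admin/users')
end
```

Over plain HTTP the `secure` cookie is left out and the `/admin`-scoped one only appears under that path, which is worth checking before a scan: a session cookie silently dropped for one of these reasons is the usual cause of an "authenticated" scan that only ever sees the login page.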
|
|
|
|
|
|
<h3 id='user-agent'><a href='#user-agent'>User agent (--user-agent)</a></h3>
|
|
|
|
|
|
*Expects*: string
|
|
|
*Default*: "Arachni/<version>"
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
You can pass your own user agent string which will be sent to the webserver under audit.
|
|
|
Default is _Arachni/<version>_.
|
|
|
|
|
|
<h3 id='custom-header'><a href='#custom-header'>Custom header (--custom-header)</a></h3>
|
|
|
|
|
|
*Expects*: string
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: yes
|
|
|
|
|
|
Allows you to specify custom headers in the form of key-value pairs.
|
|
|
|
|
|
<h4 id='custom-header_example'><a href='#custom-header_example'>Example</a></h4>
|
|
|
|
|
|
|
|
|
```
--custom-header='field_name=field value'
```
|
|
|
|
|
|
|
|
|
|
|
|
<h3 id='authed-by'><a href='#authed-by'>Authorized by (--authed-by)</a></h3>
|
|
|
|
|
|
*Expects*: string
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
The string passed to this option will be included in the user-agent string and be the value of the "From" HTTP header field.
|
|
|
|
|
|
The _--authed-by_ value should identify the person who authorized the scan: their name and e-mail address.
|
|
|
|
|
|
<h4 id='authed-by_example'><a href='#authed-by_example'>Example</a></h4>
|
|
|
|
|
|
|
|
|
```
--authed-by='John Doe <jdoe@test.com>'
```
|
|
|
|
|
|
|
|
|
<h3 id='login-check-url'><a href='#login-check-url'>Login check URL (--login-check-url)</a></h3>
|
|
|
|
|
|
*Expects*: string
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: no
|
|
|
*Requires*: [login-check-pattern](#login-check-pattern)
|
|
|
|
|
|
The URL passed to this option will be used to verify that the scanner is still
|
|
|
logged in to the web application.
|
|
|
|
|
|
If the HTTP response body of that URL matches the [login-check-pattern](#login-check-pattern), the scanner is taken to be logged in.
|
|
|
|
|
|
<h3 id='login-check-pattern'><a href='#login-check-pattern'>Login check pattern (--login-check-pattern)</a></h3>
|
|
|
|
|
|
*Expects*: string
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: no
|
|
|
*Requires*: [login-check-url](#login-check-url)
|
|
|
|
|
|
A pattern matched against the body of the [login-check-url](#login-check-url) to verify that the scanner is still logged in to the web application.
|
|
|
|
|
|
A positive match should indicate that the scanner is logged in.
|
|
|
|
|
|
<h2 id='profiles'><a href='#profiles'>Profiles</a></h2>
|
|
|
|
|
|
<h3 id='save-profile'><a href='#save-profile'>Save profile (--save-profile)</a></h3>
|
|
|
|
|
|
*Expects*: filename
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
This option allows you to save your current running configuration, all the options passed to Arachni, to an Arachni Framework Profile (.afp) file.
|
|
|
|
|
|
<h4 id='save-profile_example'><a href='#save-profile_example'>Example</a></h4>
|
|
|
|
|
|
|
|
|
```
$ arachni -pv --modules=xss http://site.com/ --save-profile=myprofile
```
|
|
|
|
|
|
|
|
|
|
|
|
<h3 id='load-profile'><a href='#load-profile'>Load profile (--load-profile)</a></h3>
|
|
|
|
|
|
*Expects*: Arachni Framework Profile (.afp) file
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: yes
|
|
|
|
|
|
This option allows you to load and run a saved profile.
|
|
|
The load profile option does not restrict your ability to specify more options or even resave the profile.
|
|
|
|
|
|
<h4 id='load-profile_example'><a href='#load-profile_example'>Example</a></h4>
|
|
|
|
|
|
|
|
|
```
$ arachni --load-profile=myprofile.afp
```
|
|
|
|
|
|
|
|
|
<h3 id='show-profile'><a href='#show-profile'>Show profile (--show-profile)</a></h3>
|
|
|
|
|
|
*Expects*: <n/a>
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
This option will output the running configuration as a string of command line arguments.
|
|
|
|
|
|
<h4 id='show-profile_example'><a href='#show-profile_example'>Example</a></h4>
|
|
|
|
|
|
|
|
|
```
$ arachni --show-profile --load-profile=myprofile.afp
```
|
|
|
|
|
|
<h2 id='crawler'><a href='#crawler'>Crawler</a></h2>
|
|
|
|
|
|
<h3 id='exclude'><a href='#exclude'>Exclude (--exclude/-e)</a></h3>
|
|
|
|
|
|
*Expects*: regexp
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: yes
|
|
|
|
|
|
The _--exclude_ option expects a regular expression or plain string and excludes URLs matching that expression from the crawling process.
|
|
|
|
|
|
<h4 id='exclude_example'><a href='#exclude_example'>Example</a></h4>
|
|
|
|
|
|
In this simple example we tell Arachni to exclude all URLs that contain the string "testfire". Since the target URL itself matches the exclusion, nothing was crawled or audited.
|
|
|
|
|
|
```
|
|
|
$ arachni http://testfire.net --modules=xss --exclude=testfire
|
|
|
Arachni - Web Application Security Scanner Framework v0.4.2
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
Website: http://arachni-scanner.com
|
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
[~] No audit options were specified.
|
|
|
[~] -> Will audit links, forms and cookies.
|
|
|
|
|
|
[*] Initialising...
|
|
|
[*] Waiting for plugins to settle...
|
|
|
[*] Resolver: Resolving hostnames...
|
|
|
[*] Resolver: Done!
|
|
|
|
|
|
[*] Dumping audit results in '2012-09-09 02.38.18 +0300.afr'.
|
|
|
[*] Done!
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[+] Web Application Security Report - Arachni Framework
|
|
|
|
|
|
[~] Report generated on: 2012-09-09 02:38:18 +0300
|
|
|
[~] Report false positives at: http://github.com/Arachni/arachni/issues
|
|
|
|
|
|
[+] System settings:
|
|
|
[~] ---------------
|
|
|
[~] Version: 0.4.1dev
|
|
|
[~] Revision: 0.2.7
|
|
|
[~] Audit started on: Sun Sep 9 02:38:15 2012
|
|
|
[~] Audit finished on: Sun Sep 9 02:38:16 2012
|
|
|
[~] Runtime: 00:00:01
|
|
|
|
|
|
[~] URL: http://testfire.net/
|
|
|
[~] User agent: Arachni/v0.4.2
|
|
|
|
|
|
[*] Audited elements:
|
|
|
[~] * Links
|
|
|
[~] * Forms
|
|
|
[~] * Cookies
|
|
|
|
|
|
[*] Modules: xss
|
|
|
|
|
|
[*] Filters:
|
|
|
[~] Exclude:
|
|
|
[~] (?-mix:testfire)
|
|
|
|
|
|
[~] =
|
|
|
|
|
|
[+] 0 issues were detected.
|
|
|
|
|
|
|
|
|
[+] Plugin data:
|
|
|
[~] ---------------
|
|
|
|
|
|
|
|
|
[~] 0.0% [=> ] 100%
|
|
|
[~] Est. remaining time: --:--:--
|
|
|
|
|
|
[~] Crawling, discovered 0 pages and counting.
|
|
|
|
|
|
[~] Sent 0 requests.
|
|
|
[~] Received and analyzed 0 responses.
|
|
|
[~] In 00:00:01
|
|
|
[~] Average: 0 requests/second.
|
|
|
|
|
|
[~] Burst response time total 0
|
|
|
[~] Burst response count total 0
|
|
|
[~] Burst average response time 0
|
|
|
[~] Burst average 0 requests/second
|
|
|
[~] Timed-out requests 0
|
|
|
[~] Original max concurrency 20
|
|
|
[~] Throttled max concurrency 20
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
<h3 id='exclude-page'><a href='#exclude-page'>Exclude page by content (--exclude-page)</a></h3>
|
|
|
|
|
|
*Expects*: regexp
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: yes
|
|
|
|
|
|
The _--exclude-page_ option expects a regular expression or plain string and excludes pages whose content matches that expression from the crawl process.
|
|
|
|
|
|
<h3 id='include'><a href='#include'>Include (--include/-i)</a></h3>
|
|
|
|
|
|
*Expects*: regexp
|
|
|
*Default*: '.*'
|
|
|
*Multiple invocations?*: yes
|
|
|
|
|
|
This is the exact opposite of the _--exclude_ option.
|
|
|
When a regular expression is passed to the _--include_ option, *only* URLs matching that regular expression will be crawled.
|
|
|
|
|
|
<h3 id='redundant'><a href='#redundant'>Redundant (--redundant)</a></h3>
|
|
|
|
|
|
*Expects*: regexp:integer
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: yes
|
|
|
|
|
|
The redundant option expects a regular expression and a counter, like so:
|
|
|
|
|
|
```
--redundant='calendar.php':3
```
|
|
|
|
|
|
|
|
|
This will cause URLs that contain "calendar.php" to be crawled only 3 times.
|
|
|
|
|
|
This option is useful when auditing a website that has a lot of redundant pages like a photo gallery or a dynamically generated calendar.
|
|
|
|
|
|
<h3 id='auto-redundant'><a href='#auto-redundant'>Auto-redundant (--auto-redundant)</a></h3>
|
|
|
|
|
|
*Expects*: integer
|
|
|
*Default*: disabled (with a value of 10 if none has been specified)
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
The auto-redundant option sets the limit of how many URLs with identical parameters
|
|
|
should be followed.
|
|
|
|
|
|
This can prevent infinite loops caused by pages like photo galleries or catalogues.
|
|
|
|
|
|
<h4 id='auto-redundant_example'><a href='#auto-redundant_example'>Example</a></h4>
|
|
|
|
|
|
With `--auto-redundant=2` and given the following list of URLs:
|
|
|
```
|
|
|
http://test.com/?stuff=1
|
|
|
http://test.com/?stuff=2
|
|
|
http://test.com/?stuff=other-stuff
|
|
|
http://test.com/?stuff=blah
|
|
|
http://test.com/?stuff=blah&stuff2=1
|
|
|
http://test.com/?stuff=blah&stuff2=2
|
|
|
http://test.com/?stuff=blah2&stuff2=bloo
|
|
|
http://test.com/path.php?stuff=blah&stuff2=1
|
|
|
```
|
|
|
|
|
|
Only the following will be followed:
|
|
|
```
|
|
|
http://test.com/?stuff=1
|
|
|
http://test.com/?stuff=2
|
|
|
http://test.com/?stuff=blah&stuff2=1
|
|
|
http://test.com/?stuff=blah&stuff2=2
|
|
|
http://test.com/path.php?stuff=blah&stuff2=1
|
|
|
```
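The crawler options in this section (`--include`, `--exclude`, `--redundant` and `--auto-redundant`) all decide whether a discovered URL is followed. As an added example, not Arachni's crawler code, the Ruby below implements a scope filter applying those four rules in that order and runs it over the URL list from the `--auto-redundant` example above. The rule values in the test calls are assumed; the auto-redundant signature is taken to be the URL's host and path plus the sorted parameter *names*, with values ignored, which reproduces the selection shown above.

```ruby
# Added example, not part of Arachni: a crawl-scope filter for the
# --include / --exclude / --redundant / --auto-redundant rules.
require 'uri'
require 'cgi'

# URL list from the --auto-redundant example in this section.
AUTO_REDUNDANT_SAMPLE = %w[
  http://test.com/?stuff=1
  http://test.com/?stuff=2
  http://test.com/?stuff=other-stuff
  http://test.com/?stuff=blah
  http://test.com/?stuff=blah&stuff2=1
  http://test.com/?stuff=blah&stuff2=2
  http://test.com/?stuff=blah2&stuff2=bloo
  http://test.com/path.php?stuff=blah&stuff2=1
].freeze

class ScopeFilter
  # include/exclude: regexp sources; redundant: { 'calendar.php' => 3 }
  # (the --redundant='calendar.php':3 form); auto_redundant: integer or nil.
  def initialize(include: ['.*'], exclude: [], redundant: {}, auto_redundant: nil)
    @include        = include.map { |p| Regexp.new(p) }
    @exclude        = exclude.map { |p| Regexp.new(p) }
    @redundant      = redundant.map { |pat, n| [Regexp.new(pat), n] }
    @auto_redundant = auto_redundant
    @redundant_seen = Hash.new(0)   # per --redundant pattern
    @signature_seen = Hash.new(0)   # per auto-redundant signature
  end

  # True when the crawler should follow the URL. The filter is stateful:
  # the redundancy counters accumulate across calls, as during a crawl.
  def follow?(url)
    return false unless @include.any? { |re| url.match?(re) }
    return false if @exclude.any? { |re| url.match?(re) }
    @redundant.each do |re, limit|
      next unless url.match?(re)
      @redundant_seen[re] += 1
      return false if @redundant_seen[re] > limit
    end
    if @auto_redundant
      sig = signature(url)
      @signature_seen[sig] += 1
      return false if @signature_seen[sig] > @auto_redundant
    end
    true
  end

  def filter(urls)
    urls.select { |u| follow?(u) }
  end

  private

  # host + path + sorted parameter names, so /?stuff=1 and /?stuff=2 share a
  # signature while /?stuff=1&stuff2=1 and /path.php?stuff=1&stuff2=1 do not.
  def signature(url)
    uri   = URI.parse(url)
    names = CGI.parse(uri.query.to_s).keys.sort
    "#{uri.host}#{uri.path}?#{names.join('&')}"
  end
end

if $PROGRAM_NAME == __FILE__
  puts ScopeFilter.new(auto_redundant: 2).filter(AUTO_REDUNDANT_SAMPLE)
end
```

Because `--include` and `--exclude` are checked first, a URL that is excluded never consumes a redundancy slot; and because the counters keep state, the same filter object must be reused for the whole crawl to get the limits the options describe.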
|
|
|
|
|
|
<h3 id='follow-subdomains'><a href='#follow-subdomains'>Follow subdomains (-f/--follow-subdomains)</a></h3>
|
|
|
|
|
|
*Expects*: <n/a>
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
This flag will cause Arachni to follow links to subdomains.
|
|
|
|
|
|
<h3 id='depth'><a href='#depth'>Depth limit (--depth)</a></h3>
|
|
|
|
|
|
*Expects*: integer
|
|
|
*Default*: infinite
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
It specifies how deep into the site structure the crawler should go.
|
|
|
|
|
|
<h3 id='link-count'><a href='#link-count'>Link count limit (--link-count)</a></h3>
|
|
|
|
|
|
*Expects*: integer
|
|
|
*Default*: infinite
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
It specifies how many links the crawler should follow.
|
|
|
|
|
|
<h3 id='redirect-limit'><a href='#redirect-limit'>Redirect limit (--redirect-limit)</a></h3>
|
|
|
|
|
|
*Expects*: integer
|
|
|
*Default*: infinite
|
|
|
*Multiple invocations?*: no
|
|
|
|
|
|
It specifies how many redirects the crawler should follow.
|
|
|
|
|
|
<h3 id='extend-paths'><a href='#extend-paths'>Extend paths (--extend-paths)</a></h3>
|
|
|
|
|
|
*Expects*: file
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: yes
|
|
|
|
|
|
Allows you to extend the scope of the audit by supplementing the paths discovered by the crawler with the paths in the file.
|
|
|
The file must contain one path per line.
|
|
|
|
|
|
<h3 id='restrict-paths'><a href='#restrict-paths'>Restrict paths (--restrict-paths)</a></h3>
|
|
|
|
|
|
*Expects*: file
|
|
|
*Default*: disabled
|
|
|
*Multiple invocations?*: yes
|
|
|
|
|
|
Uses the paths contained in file instead of performing a crawl.
|
|
|
|
|
|
|
|
|
<h2 id='auditor'><a href='#auditor'>Auditor</a></h2>

<h3 id='audit-links'><a href='#audit-links'>Audit links (--audit-links/-g)</a></h3>

*Expects*: <n/a>

*Default*: disabled

*Multiple invocations?*: no

Tells Arachni to audit the link elements of the page and their variables.

<h3 id='audit-forms'><a href='#audit-forms'>Audit forms (--audit-forms/-p)</a></h3>

*Expects*: <n/a>

*Default*: disabled

*Multiple invocations?*: no

Tells Arachni to audit the form elements of the page and their inputs.

<h3 id='audit-cookies'><a href='#audit-cookies'>Audit cookies (--audit-cookies/-c)</a></h3>

*Expects*: <n/a>

*Default*: disabled

*Multiple invocations?*: no

Tells Arachni to audit the cookies of the page.

<h3 id='exclude-cookie'><a href='#exclude-cookie'>Exclude cookie (--exclude-cookie)</a></h3>

*Expects*: cookie name

*Default*: disabled

*Multiple invocations?*: yes

Tells Arachni to exclude -- not audit -- a cookie by name.

Usually used to avoid auditing a session ID cookie from the cookie-jar.

*Note*: Even if you audit a session cookie, Arachni will restore it to its original value right after auditing it.

However, some extra-cautious websites may invalidate/block the session upon receiving an invalid token.

This is very unlikely, but it's better to err on the side of caution.

<h3 id='exclude-vector'><a href='#exclude-vector'>Exclude vector (--exclude-vector)</a></h3>

*Expects*: input name

*Default*: disabled

*Multiple invocations?*: yes

Tells Arachni to exclude -- not audit -- an input vector by name.

<h3 id='audit-headers'><a href='#audit-headers'>Audit headers (--audit-headers)</a></h3>

*Expects*: <n/a>

*Default*: disabled

*Multiple invocations?*: no

Tells Arachni to audit the HTTP headers of the page.

*Note*: Header audits use brute force: almost all valid HTTP request headers will be audited even if there's no indication that the web application uses them.

*Warning*: Enabling this option will increase the number of requests, possibly by an order of magnitude.

<h2 id='coverage'><a href='#coverage'>Coverage</a></h2>

<h3 id='audit-cookies-extensively'><a href='#audit-cookies-extensively'>Audit cookies extensively (--audit-cookies-extensively)</a></h3>

*Expects*: <n/a>

*Default*: disabled

*Multiple invocations?*: no

If enabled, Arachni will submit all links and forms of the page along with the cookie permutations.

*Warning*: Will severely increase the scan time.

<h3 id='fuzz-methods'><a href='#fuzz-methods'>Fuzz methods (--fuzz-methods)</a></h3>

*Expects*: <n/a>

*Default*: disabled

*Multiple invocations?*: no

If enabled, Arachni will submit all links and forms using both the _GET_ and _POST_ HTTP request methods.

*Warning*: Will severely increase the scan time.

<h3 id='exclude-binaries'><a href='#exclude-binaries'>Exclude binaries (--exclude-binaries)</a></h3>

*Expects*: <n/a>

*Default*: disabled

*Multiple invocations?*: no

Disables inclusion of binary HTTP response bodies in the audit.

*Note*: Binary content can confuse recon modules that perform pattern matching.

<h2 id='modules'><a href='#modules'>Modules</a></h2>

<h3 id='lsmod'><a href='#lsmod'>List modules (--lsmod)</a></h3>

*Expects*: regular expression

*Default*: disabled OR .*

*Multiple invocations?*: yes

Tells Arachni to list all available modules based on the regular expressions provided and exit.

<h4 id='lsmod_example'><a href='#lsmod_example'>Example</a></h4>

```
$ arachni --lsmod
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

(With the support of the community and the Arachni Team.)

Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki


[~] No modules were specified.
[~] -> Will run all mods.

[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.



[~] Available modules:

[*] code_injection:
--------------------
Name: Code injection
Description: It tries to inject code snippets into the
web application and assess whether or not the injection
was successful.
Elements: form, link, cookie, header
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.6
References:
[~] PHP http://php.net/manual/en/function.eval.php
[~] Perl http://perldoc.perl.org/functions/eval.html
[~] Python http://docs.python.org/py3k/library/functions.html#eval
[~] ASP http://www.aspdev.org/asp/asp-eval-execute/
[~] Ruby http://en.wikipedia.org/wiki/Eval#Ruby
Targets:
[~] PHP
[~] Perl
[~] Python
[~] ASP
[~] Ruby
Metasploitable: unix/webapp/arachni_php_eval
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/code_injection.rb

[*] path_traversal:
--------------------
Name: PathTraversal
Description: It injects paths of common files (/etc/passwd and boot.ini)
and evaluates the existence of a path traversal vulnerability
based on the presence of relevant content in the HTML responses.
Elements: form, link, cookie, header
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.2.6
References:
[~] OWASP http://www.owasp.org/index.php/Path_Traversal
[~] WASC http://projects.webappsec.org/Path-Traversal
Targets:
[~] Unix
[~] Windows
[~] Tomcat
Metasploitable: unix/webapp/arachni_path_traversal
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/path_traversal.rb

[*] sqli_blind_rdiff:
--------------------
Name: Blind (rDiff) SQL Injection
Description: It uses rDiff analysis to decide how different inputs affect
the behavior of the the web pages.
Using that as a basis it extrapolates about what inputs are vulnerable to blind SQL injection.
(Note: This module may get confused by certain types of XSS vulnerabilities.
If this module returns a positive result you should investigate nonetheless.)
Elements: link, form, cookie
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.3.2
References:
[~] OWASP http://www.owasp.org/index.php/Blind_SQL_Injection
[~] MITRE - CAPEC http://capec.mitre.org/data/definitions/7.html
Targets:
[~] Generic
Metasploitable: unix/webapp/arachni_sqlmap
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/sqli_blind_rdiff.rb

Hit <space> <enter> to continue, any other key to exit.
```

You can filter the module listing like so:

```
$ arachni --lsmod=xss --lsmod=path
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

(With the support of the community and the Arachni Team.)

Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki


[~] No modules were specified.
[~] -> Will run all mods.

[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.



[~] Available modules:

[*] xss_path:
--------------------
Name: XSSPath
Description: Cross-Site Scripting module for path injection
Elements: path
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.8
References:
[~] ha.ckers http://ha.ckers.org/xss.html
[~] Secunia http://secunia.com/advisories/9716/
Targets:
[~] Generic
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/xss_path.rb
```

<h3 id='modules'><a href='#modules'>Modules (--modules/-m)</a></h3>

*Expects*: modname,modname,... OR '*'

*Default*: '*' -- all modules

*Multiple invocations?*: no

Tells Arachni which modules to load.

Modules are referenced by their filename without the '.rb' extension; use '--lsmod' to see them all.

You can specify the modules to load as comma-separated values (without spaces) or '*' to load all modules.

You can prevent modules from loading by prefixing their name with a dash (-).

<h4 id='mods_example'><a href='#mods_example'>Example</a></h4>

As CSV:

```
$ arachni --modules=xss,sqli,path_traversal http://localhost/
```

All modules:

```
$ arachni http://localhost/
```

Excluding modules:

```
$ arachni --modules=*,-backup_files,-xss http://www.test.com
```

The above will load all modules except for the 'backup_files' and 'xss' modules.

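A `--modules=` value that mixes '*' wildcards and '-' exclusions is easy to get subtly wrong, and a typo such as `-xss` instead of `-xss*` changes how many modules run. The following shell function is an added example, not part of Arachni: it previews which module names a given spec selects, following the rules stated above (comma-separated names, '*' wildcards, '-' exclusions). It applies the patterns left to right so that an exclusion overrides an earlier match; that ordering and the flat module list it matches against are assumptions of this example, not Arachni's own resolution code, and the list is constructed (the real one comes from `arachni --lsmod`).

```shell
#!/bin/sh
# Added example, not from the Arachni guide: preview which modules a
# --modules=SPEC value selects before starting a scan. It emulates the
# documented rules (comma-separated names, '*' wildcards, '-' exclusions) and
# applies the patterns left to right; that ordering, and the flat module list
# below, are assumptions of this example, not Arachni's own code.

# Constructed module list; the real one comes from `arachni --lsmod`.
MODULES="code_injection path_traversal sqli sqli_blind_rdiff xss xss_path xss_tag csrf backup_files"

# select_modules SPEC: print the selected module names, one per line.
select_modules() {
  spec=$1
  set -f                      # '*' in SPEC must stay a pattern, not a filename glob
  for m in $MODULES; do
    keep=0
    oldifs=$IFS; IFS=,
    for pat in $spec; do
      IFS=$oldifs
      case $pat in
        -*) p=${pat#-}; case $m in $p) keep=0 ;; esac ;;   # exclusion wins over an earlier match
        *)  case $m in $pat) keep=1 ;; esac ;;
      esac
    done
    IFS=$oldifs
    [ "$keep" -eq 1 ] && printf '%s\n' "$m"
  done
  set +f
  return 0
}

# Stand-alone usage: the specs from the examples above, plus the '-xss*' form
# from the Quickstart.
for spec in 'xss*' '*,-csrf' '*,-xss*' 'xss,sqli,path_traversal'; do
  printf '%s -> %s\n' "$spec" "$(select_modules "$spec" | tr '\n' ' ')"
done
```

Note the difference between `*,-xss` and `*,-xss*` in the output: the first only drops the `xss` module and still runs `xss_path` and `xss_tag`, which is usually not what was meant when the aim is to skip all XSS checks.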
<h2 id='reports'><a href='#reports'>Reports</a></h2>

<h3 id='lsrep'><a href='#lsrep'>List reports (--lsrep)</a></h3>

*Expects*: <n/a>

*Default*: disabled

*Multiple invocations?*: no

Lists all available reports.

<h4 id='lsrep_example'><a href='#lsrep_example'>Example</a></h4>

```
$ arachni --lsrep
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

(With the support of the community and the Arachni Team.)

Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki


[~] No modules were specified.
[~] -> Will run all mods.

[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.



[~] Available reports:

[*] yaml:
--------------------
Name: YAML Report
Description: Exports the audit results as a YAML file.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.yaml
[~] Required?: false

Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/yaml.rb

[*] txt:
--------------------
Name: Text report
Description: Exports a report as a plain text file.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.txt
[~] Required?: false

Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.2.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/txt.rb

[*] xml:
--------------------
Name: XML report
Description: Exports a report as an XML file.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.xml
[~] Required?: false

Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.2.2
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/xml.rb

[*] metareport:
--------------------
Name: Metareport
Description: Creates a file to be used with the Arachni MSF plug-in.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.msf
[~] Required?: false

Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/metareport.rb

[*] afr:
--------------------
Name: Arachni Framework Report
Description: Saves the file in the default Arachni Framework Report (.afr) format.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.afr
[~] Required?: false

Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/afr.rb

[*] html:
--------------------
Name: HTML Report
Description: Exports a report as an HTML document.
Options:
[~] tpl - Template to use.
[~] Type: path
[~] Default: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/html/default.erb
[~] Required?: false

[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.html
[~] Required?: false

Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.3.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/html.rb

[*] ap:
--------------------
Name: AP
Description: Awesome prints an AuditStore hash.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/ap.rb

[*] marshal:
--------------------
Name: Marshal Report
Description: Exports the audit results as a Marshal file.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.marshal
[~] Required?: false

Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/marshal.rb

[*] json:
--------------------
Name: JSON Report
Description: Exports the audit results as a JSON file.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.json
[~] Required?: false

Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/json.rb

[*] stdout:
--------------------
Name: Stdout
Description: Prints the results to standard output.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.2.2
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/stdout.rb
```

<h3 id='repload'><a href='#repload'>Load a report (--repload)</a></h3>

*Expects*: Arachni Framework Report (.afr) file

*Default*: disabled

*Multiple invocations?*: no

Tells Arachni to load an Arachni Framework Report (.afr) file.

You can use this option to load a report file and convert it to another format.

<h4 id='repload_example'><a href='#repload_example'>Example</a></h4>

Load an AFR report file and send it to the "stdout" report.

```
$ arachni --repload=2012-09-09\ 02.42.20\ +0300.afr
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

(With the support of the community and the Arachni Team.)

Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki



[+] Web Application Security Report - Arachni Framework

[~] Report generated on: 2012-09-09 02:42:54 +0300
[~] Report false positives at: http://github.com/Arachni/arachni/issues

[+] System settings:
[~] ---------------
[~] Version: 0.4.1dev
[~] Revision: 0.2.7
[~] Audit started on: Sun Sep 9 02:42:15 2012
[~] Audit finished on: Sun Sep 9 02:42:18 2012
[~] Runtime: 00:00:03

[~] URL: http://testfire.net/
[~] User agent: Arachni/v0.4.2

[*] Audited elements:
[~] * Forms

[*] Modules: xss

[*] Cookies:
[~] ASP.NET_SessionId = zdjkcj2t3qdmmw555alngpbm
[~] amSessionId = 203429333847

[~] =

[+] 1 issues were detected.

[+] [1] Cross-Site Scripting (XSS)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] ID Hash: 106295fcfffa8fea3664f8fb27defe5b81f3dfba2b54c5c7f2bcb63b36246359
[~] Severity: High
[~] URL: http://testfire.net/search.aspx
[~] Element: form
[~] Method: GET
[~] Tags: xss, regexp, injection, script
[~] Variable: txtSearch
[~] Description:
[~] Client-side code (like JavaScript) can
be injected into the web application which is then returned to the user's browser.
This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.

[~] CWE: http://cwe.mitre.org/data/definitions/79.html

[~] Requires manual verification?: false

[~] References:
[~] ha.ckers - http://ha.ckers.org/xss.html
[~] Secunia - http://secunia.com/advisories/9716/

[*] Variations
[~] ----------
[~] Variation 1:
[~] URL: http://testfire.net/search.aspx
[~] Injected value: <some_dangerous_input_851ed9aefabd36fc0ad7d0611c23e1ae561b7caaa28b42ef305a109c9f1cb639/>
[~] Regular expression:
[~] Matched string: <some_dangerous_input_851ed9aefabd36fc0ad7d0611c23e1ae561b7caaa28b42ef305a109c9f1cb639/>



[+] Plugin data:
[~] ---------------


[*] Resolver
[~] ~~~~~~~~~~~~~~
[~] Description: Resolves vulnerable hostnames to IP addresses.

[~] testfire.net: 65.61.137.117

[*] Health map
[~] ~~~~~~~~~~~~~~
[~] Description: Generates a simple list of safe/unsafe URLs.

[~] Legend:
[+] No issues
[-] Has issues

[+] http://testfire.net/
[-] http://testfire.net/search.aspx

[~] Total: 2
[+] Without issues: 1
[-] With issues: 1 ( 50% )

[*] Profiler
[~] ~~~~~~~~~~~~~~
[~] Description: Examines the behavior of the web application gathering general statistics
and performs taint analysis to determine which inputs affect the output.

It does not perform any vulnerability assessment nor does it send attack payloads.

[~] Inputs affecting output:

[+] Form using the 'txtSearch' input at 'http://testfire.net/' pointing to 'http://testfire.net/search.aspx' using 'GET'.
[~] It was submitted using the following parameters:
[~] * txtSearch = arachni_text023849c38925e2af028a2eb4e1dc41afd7dc7a238195c1c2ae00438d1dae00e1
[~]
[~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_text023849c38925e2af028a2eb4e1dc41afd7dc7a238195c1c2ae00438d1dae00e1':
[~] * Body
```

Load an AFR file and create an HTML report from it.

```
$ arachni --repload=2012-09-09\ 02.42.20\ +0300.afr --report=html
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

(With the support of the community and the Arachni Team.)

Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki



[*] Creating HTML report...
[*] Saved in '2012-09-09 02.43.42 +0300.html'.
```

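The stdout report shown above is line-oriented: each issue opens with a `[+] [N] <issue name>` header followed by `[~] Severity:`, `[~] URL:` and `[~] Variable:` lines, which makes it easy to triage or diff from the shell. The following snippet is an added example, not part of the Arachni guide: it counts issues per severity and tabulates them one per line. The sample report it parses is constructed to mirror the format above, with placeholder hostnames; the two helper functions are this example's own, not Arachni report components.

```shell
#!/bin/sh
# Added example, not from the Arachni guide: triage helpers for the text
# produced by the stdout/txt report (the format shown in the --repload example).
# It keys on the "[+] [N] <issue name>" header and the "[~] Severity:",
# "[~] URL:" and "[~] Variable:" lines that follow it.

# Constructed sample report: two XSS findings and one informational finding,
# in the layout of the guide's output. Hosts are placeholders.
make_sample_report() {
  cat > "$1" <<'EOF'
[+] 3 issues were detected.

[+] [1] Cross-Site Scripting (XSS)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] Severity: High
[~] URL: http://target.example/search.aspx
[~] Element: form
[~] Method: GET
[~] Variable: txtSearch

[+] [2] Cross-Site Scripting (XSS)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] Severity: High
[~] URL: http://target.example/feedback.aspx
[~] Element: form
[~] Method: POST
[~] Variable: comment

[+] [3] Interesting response
[~] ~~~~~~~~~~~~~~~~~~~~
[~] Severity: Informational
[~] URL: http://target.example/admin/
[~] Element: server
[~] Method: GET

[+] http://target.example/
[-] http://target.example/search.aspx
EOF
}

# count_by_severity REPORT: one "Severity count" line per severity, sorted.
count_by_severity() {
  awk '
    /^\[\+\] \[[0-9]+\] / { in_issue = 1 }
    in_issue && /^\[~\] Severity: / { sub(/^\[~\] Severity: /, ""); n[$0]++; in_issue = 0 }
    END { for (s in n) print s, n[s] }
  ' "$1" | sort
}

# issue_table REPORT: one "severity<TAB>name<TAB>url<TAB>variable" line per
# issue, handy for diffing two scans of the same site.
issue_table() {
  awk -F': ' '
    function flush() {
      if (name != "") printf "%s\t%s\t%s\t%s\n", sev, name, url, var
      name = sev = url = var = ""
    }
    /^\[\+\] \[[0-9]+\] / { flush(); name = $0; sub(/^\[\+\] \[[0-9]+\] /, "", name); next }
    name == "" { next }                 # header material before the first issue
    $1 == "[~] Severity" { sev = $2 }
    $1 == "[~] URL"      { url = $2 }
    $1 == "[~] Variable" { var = $2 }
    END { flush() }
  ' "$1"
}

# Stand-alone usage
tmp=$(mktemp -d)
make_sample_report "$tmp/report.txt"
count_by_severity "$tmp/report.txt"
issue_table "$tmp/report.txt"
```

For anything beyond quick triage, prefer the `json`, `yaml` or `xml` report listed by `--lsrep` over scraping the text output: the structured formats carry the same fields without depending on line layout.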
<h3 id='report'><a href='#report'>Report (--report)</a></h3>

*Expects*: repname

*Default*: stdout

*Multiple invocations?*: yes

Tells Arachni which report component to use.

Reports are referenced by their filename without the '.rb' extension; use '--lsrep' to see them all.

<h4 id='report_example'><a href='#report_example'>Example</a></h4>

Running the HTML report with an outfile option:

```
$ arachni http://testfire.net --link-count=1 --modules=xss --report=html:outfile=my_html_report.html
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

(With the support of the community and the Arachni Team.)

Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki


[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.

[*] Initialising...
[*] Waiting for plugins to settle...
[*] [HTTP: 200] http://testfire.net/
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.

[*] Auditing: [HTTP: 200] http://testfire.net/
[*] Profiler: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] Profiler: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] Profiler: Analyzing response #3...
[*] Profiler: Analyzing response #4...
[~] Trainer: Found 1 new links.
[*] Profiler: Analyzing response #5...
[*] Profiler: Analyzing response #6...
[*] XSS: Analyzing response #9...
[*] XSS: Analyzing response #10...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] XSS: Analyzing response #13...
[*] XSS: Analyzing response #14...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] XSS: Analyzing response #17...
[*] XSS: Analyzing response #18...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] Profiler: Analyzing response #8...
[*] Profiler: Analyzing response #7...
[*] XSS: Analyzing response #12...
[*] XSS: Analyzing response #11...
[*] XSS: Analyzing response #15...
[*] XSS: Analyzing response #16...
[*] XSS: Analyzing response #19...
[*] XSS: Analyzing response #20...

[*] Resolver: Resolving hostnames...
[*] Resolver: Done!

[*] Dumping audit results in '2012-09-09 02.45.19 +0300.afr'.
[*] Done!

[*] Creating HTML report...
[*] Saved in 'my_html_report.html'.

[~] 100.0% [>] 100%
[~] Est. remaining time: --:--:--

[~] Crawler has discovered 2 pages.
[~] Audit limited to a max of 1 pages -- excluding 1 pages of Trainer feedback.

[~] Sent 25 requests.
[~] Received and analyzed 25 responses.
[~] In 00:00:04
[~] Average: 6 requests/second.

[~] Currently auditing http://testfire.net/search.aspx?txtSearch=
[~] Burst response time total 0
[~] Burst response count total 0
[~] Burst average response time 0
[~] Burst average 0 requests/second
[~] Timed-out requests 0
[~] Original max concurrency 20
[~] Throttled max concurrency 20
```

<h2 id='plugins'><a href='#plugins'>Plugins</a></h2>

<h3 id='lsplug'><a href='#lsplug'>List plugins (--lsplug)</a></h3>

*Expects*: <n/a>

*Default*: disabled

*Multiple invocations?*: no

Lists all available plugins.

<h4 id='lsplug_example'><a href='#lsplug_example'>Example</a></h4>

```
$ arachni --lsplug
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

(With the support of the community and the Arachni Team.)

Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki


[~] No modules were specified.
[~] -> Will run all mods.

[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.



[~] Available plugins:

[*] resolver:
--------------------
Name: Resolver
Description: Resolves vulnerable hostnames to IP addresses.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/workspace/arachni/plugins/defaults/resolver.rb

[*] healthmap:
--------------------
Name: Health map
Description: Generates a simple list of safe/unsafe URLs.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.3
Path: /home/zapotek/workspace/arachni/plugins/defaults/healthmap.rb

[*] profiler:
--------------------
Name: Profiler
Description: Examines the behavior of the web application gathering general statistics
and performs taint analysis to determine which inputs affect the output.

It does not perform any vulnerability assessment nor does it send attack payloads.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.5
Path: /home/zapotek/workspace/arachni/plugins/defaults/profiler.rb

[*] uniformity:
--------------------
Name: Uniformity (Lack of central sanitization)
Description: Analyzes the scan results and logs issues which persist across different pages.
This is usually a sign for a lack of a central/single point of input sanitization,
a bad coding practise.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/uniformity.rb

[*] manual_verification:
--------------------
Name: Issues requiring manual verification
Description: The HTTP responses of the issues logged by this plugin exhibit a suspicious pattern
even before any audit action has taken place -- this challenges the relevance of the audit procedure.

Thus, these issues require manual verification.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/manual_verification.rb

[*] timing_attacks:
--------------------
Name: Timing attack anomalies
Description: Analyzes the scan results and logs issues that used timing attacks
while the affected web pages demonstrated an unusually high response time.
A situation which renders the logged issues inconclusive or (possibly) false positives.

Pages with high response times usually include heavy-duty processing
which makes them prime targets for Denial-of-Service attacks.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.4
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/timing_attacks.rb

[*] discovery:
--------------------
Name: Discovery module response anomalies
Description: Analyzes the scan results and identifies issues logged by discovery modules
(i.e. modules that look for certain files and folders on the server),
while the server responses were exhibiting an anomalous factor of similarity.

There's a good chance that these issues are false positives.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/discovery.rb

[*] autothrottle:
--------------------
Name: AutoThrottle
Description: Monitors HTTP response times and automatically
throttles the request concurrency in order to maintain stability
and avoid from killing the server.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.3
Path: /home/zapotek/workspace/arachni/plugins/defaults/autothrottle.rb

[*] content_types:
--------------------
Name: Content-types
Description: Logs content-types of server responses.
It can help you categorize and identify publicly available file-types
which in turn can help you identify accidentally leaked files.
Options:
[~] exclude - Exclude content-types that match this regular expression.
[~] Type: string
[~] Default: text
[~] Required?: false

Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.4
Path: /home/zapotek/workspace/arachni/plugins/defaults/content_types.rb

[*] libnotify:
--------------------
Name: libnotify
Description: Uses the libnotify library to send notifications for each discovered issue
and a summary at the end of the scan.
Options:
[~] for_every_issue - Show every issue.
[~] Type: bool
[~] Default: true
[~] Required?: false

Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/workspace/arachni/plugins/libnotify.rb

[*] cookie_collector:
--------------------
Name: Cookie collector
Description: Monitors and collects cookies while establishing a timeline of changes.

WARNING: Highly discouraged when the audit includes cookies.
It will log thousands of results leading to a huge report,
highly increased memory and CPU usage.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.5
Path: /home/zapotek/workspace/arachni/plugins/cookie_collector.rb

[*] proxy:
--------------------
Name: Proxy
Description:
* Gathers data based on user actions and exchanged HTTP
traffic and pushes that data to the framework's page-queue to be audited.
* Updates the framework cookies with the cookies of the HTTP requests and
responses, thus it can also be used to login to a web application.
* Supports SSL interception.

To skip crawling and only audit elements discovered by using the proxy
set '--link-count=0'.
Options:
[~] port - Port to bind to.
[~] Type: port
[~] Default: 8282
[~] Required?: false

[~] bind_address - IP address to bind to.
[~] Type: address
[~] Default: 0.0.0.0
[~] Required?: false

[~] timeout - How long to wait for a request to complete, in milliseconds.
[~] Type: integer
[~] Default: 20000
[~] Required?: false

Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.2
Path: /home/zapotek/workspace/arachni/plugins/proxy.rb

[*] beep_notify:
--------------------
Name: Beep notify
Description: It beeps when the scan finishes.
Options:
[~] repeat - How many times to beep.
[~] Type: integer
[~] Default: 4
[~] Required?: false

[~] interval - How long to wait between beeps.
[~] Type: float
[~] Default: 0.4
[~] Required?: false

Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1
Path: /home/zapotek/workspace/arachni/plugins/beep_notify.rb

[*] rescan:
--------------------
Name: ReScan
Description: It uses the AFR report of a previous scan to
extract the sitemap in order to avoid a redundant crawl.

Options:
[~] afr - Path to the AFR report.
[~] Type: path
[~] Default:
[~] Required?: true

Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/rescan.rb

[*] http_dicattack:
--------------------
Name: HTTP dictionary attacker
Description: Uses wordlists to crack password protected directories.
If the cracking process is successful the found credentials will be set
framework-wide and used for the duration of the audit.
If that's not what you want set the crawler's link-count limit to "0".
Options:
[~] username_list - File with a list of usernames (newline separated).
[~] Type: path
[~] Default:
[~] Required?: true

[~] password_list - File with a list of passwords (newline separated).
[~] Type: path
[~] Default:
[~] Required?: true

Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/http_dicattack.rb

[*] vector_feed:
--------------------
Name: Vector feed
Description: Reads in vector data from which it creates elements to be audited.
Can be used to perform extremely specialized/narrow audits on a per vector/element basis.

Notes:
* To only audit the vectors in the feed you must set the 'link-count' limit to 0 to prevent crawling.
|
|
|
* Can handle multiple YAML documents.
|
|
|
|
|
|
Example YAML file:
|
|
|
-
|
|
|
# you can pass pages to be audited by grep modules (and JS in the future)
|
|
|
type: page
|
|
|
url: http://localhost/
|
|
|
# response code
|
|
|
code: 200
|
|
|
# response headers
|
|
|
headers:
|
|
|
Content-Type: "text/html; charset=utf-8"
|
|
|
body: "HTML code goes here"
|
|
|
|
|
|
-
|
|
|
# default type is link which has method get
|
|
|
#type: link
|
|
|
action: http://localhost/link
|
|
|
inputs:
|
|
|
my_param: "my val"
|
|
|
|
|
|
-
|
|
|
# if a method is post it'll default to a form type
|
|
|
type: form
|
|
|
method: post
|
|
|
action: http://localhost/form
|
|
|
inputs:
|
|
|
post_this: "HUA!"
|
|
|
csrf: "my_csrf_token"
|
|
|
# do not fuzz/mutate/audit the following inputs (by name obviously)
|
|
|
skip:
|
|
|
- csrf
|
|
|
|
|
|
# GET only
|
|
|
-
|
|
|
type: cookie
|
|
|
action: http://localhost/cookie
|
|
|
inputs:
|
|
|
session_id: "43434234343sddsdsds"
|
|
|
|
|
|
# GET only
|
|
|
-
|
|
|
type: header
|
|
|
action: http://localhost/header
|
|
|
# only 1 input allowed, each header field=>value must be defined separately
|
|
|
inputs:
|
|
|
User-Agent: "Blah/2"
|
|
|
|
|
|
|
|
|
Options:
|
|
|
[~] vectors - Vector array (for configuration over RPC).
|
|
|
[~] Type: abstract
|
|
|
[~] Default:
|
|
|
[~] Required?: false
|
|
|
|
|
|
[~] yaml_string - A string of YAML serialized vectors (for configuration over RPC).
|
|
|
[~] Type: string
|
|
|
[~] Default:
|
|
|
[~] Required?: false
|
|
|
|
|
|
[~] yaml_file - A file containing the YAML serialized vectors.
|
|
|
[~] Type: path
|
|
|
[~] Default:
|
|
|
[~] Required?: false
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
Version: 0.1.2
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/vector_feed.rb
|
|
|
|
|
|
[*] script:
|
|
|
--------------------
|
|
|
Name: Script
|
|
|
Description: Loads and runs an external Ruby script under the scope of a plugin,
|
|
|
used for debugging and general hackery.
|
|
|
|
|
|
Will not work over RPC.
|
|
|
Options:
|
|
|
[~] path - Path to the script.
|
|
|
[~] Type: path
|
|
|
[~] Default:
|
|
|
[~] Required?: true
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
Version: 0.1.1
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/script.rb
|
|
|
|
|
|
[*] email_notify:
|
|
|
--------------------
|
|
|
Name: E-mail notify
|
|
|
Description: Sends a notification (and optionally a report) over SMTP at the end of the scan.
|
|
|
Options:
|
|
|
[~] to - E-mail address of the receiver.
|
|
|
[~] Type: string
|
|
|
[~] Default:
|
|
|
[~] Required?: true
|
|
|
|
|
|
[~] cc - E-mail address to which to send a carbon copy of the notification.
|
|
|
[~] Type: string
|
|
|
[~] Default:
|
|
|
[~] Required?: false
|
|
|
|
|
|
[~] bcc - E-mail address for a blind carbon copy.
|
|
|
[~] Type: string
|
|
|
[~] Default:
|
|
|
[~] Required?: false
|
|
|
|
|
|
[~] from - E-mail address of the sender.
|
|
|
[~] Type: string
|
|
|
[~] Default:
|
|
|
[~] Required?: true
|
|
|
|
|
|
[~] server_address - Address of the SMTP server to use.
|
|
|
[~] Type: address
|
|
|
[~] Default:
|
|
|
[~] Required?: true
|
|
|
|
|
|
[~] server_port - SMTP port.
|
|
|
[~] Type: port
|
|
|
[~] Default:
|
|
|
[~] Required?: true
|
|
|
|
|
|
[~] tls - Use TLS/SSL?.
|
|
|
[~] Type: bool
|
|
|
[~] Default:
|
|
|
[~] Required?: false
|
|
|
|
|
|
[~] username - SMTP username.
|
|
|
[~] Type: string
|
|
|
[~] Default:
|
|
|
[~] Required?: true
|
|
|
|
|
|
[~] password - SMTP password.
|
|
|
[~] Type: string
|
|
|
[~] Default:
|
|
|
[~] Required?: true
|
|
|
|
|
|
[~] authentication - Authentication.
|
|
|
[~] Type: string
|
|
|
[~] Default: plain
|
|
|
[~] Required?: false
|
|
|
|
|
|
[~] report - Report type to send as an attachment. (accepted: txt, xml, html, json, yaml, marshalnone)
|
|
|
[~] Type: enum
|
|
|
[~] Default: txt
|
|
|
[~] Required?: false
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
Version: 0.1.2
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/email_notify.rb
|
|
|
|
|
|
[*] autologin:
|
|
|
--------------------
|
|
|
Name: AutoLogin
|
|
|
Description: It looks for the login form in the user provided URL,
|
|
|
merges its input fields with the user supplied parameters and sets the cookies
|
|
|
of the response and request as framework-wide cookies to be used by the spider later on.
|
|
|
|
|
|
Options:
|
|
|
[~] url - The URL that contains the login form.
|
|
|
[~] Type: url
|
|
|
[~] Default:
|
|
|
[~] Required?: true
|
|
|
|
|
|
[~] params - Form parameters to submit. ( username=user&password=pass )
|
|
|
[~] Type: string
|
|
|
[~] Default:
|
|
|
[~] Required?: true
|
|
|
|
|
|
[~] check - A pattern which will be used to verify a successful login.
|
|
|
For example, if a logout link only appears when a user is logged in then it can be a perfect choice.
|
|
|
[~] Type: string
|
|
|
[~] Default:
|
|
|
[~] Required?: true
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
Version: 0.1.5
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/autologin.rb
|
|
|
|
|
|
[*] waf_detector:
|
|
|
--------------------
|
|
|
Name: WAF Detector
|
|
|
Description: Performs basic profiling on the web application
|
|
|
in order to assess the existence of a Web Application Firewall.
|
|
|
|
|
|
This is a 4 stage process:
|
|
|
1. Grab the original page as is
|
|
|
2. Send a lot of innocent (vanilla) strings in non-existent inputs so as to profile normal behavior
|
|
|
3. Send a lot of suspicious (spicy) strings in non-existent inputs and check if behavior changes
|
|
|
4. Make heads or tails of the gathered responses
|
|
|
|
|
|
Steps 1 to 3 will be repeated _precision_ times (default: 5) and the responses will be averaged using rDiff analysis.
|
|
|
Options:
|
|
|
[~] precision - Stage precision (how many times to perform each detection stage).
|
|
|
[~] Type: integer
|
|
|
[~] Default: 5
|
|
|
[~] Required?: false
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
Version: 0.1.2
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/waf_detector.rb
|
|
|
|
|
|
[*] form_dicattack:
|
|
|
--------------------
|
|
|
Name: Form dictionary attacker
|
|
|
Description: Uses wordlists to crack login forms.
|
|
|
If the cracking process is successful the found credentials will be set
|
|
|
framework-wide and used for the duration of the audit.
|
|
|
If that's not what you want set the crawler's link-count limit to "0".
|
|
|
Options:
|
|
|
[~] username_list - File with a list of usernames (newline separated).
|
|
|
[~] Type: path
|
|
|
[~] Default:
|
|
|
[~] Required?: true
|
|
|
|
|
|
[~] password_list - File with a list of passwords (newline separated).
|
|
|
[~] Type: path
|
|
|
[~] Default:
|
|
|
[~] Required?: true
|
|
|
|
|
|
[~] username_field - The name of the username form field.
|
|
|
[~] Type: string
|
|
|
[~] Default:
|
|
|
[~] Required?: true
|
|
|
|
|
|
[~] password_field - The name of the password form field.
|
|
|
[~] Type: string
|
|
|
[~] Default:
|
|
|
[~] Required?: true
|
|
|
|
|
|
[~] login_verifier - A regular expression which will be used to verify a successful login.
|
|
|
For example, if a logout link only appears when a user is logged in then it can be a perfect choice.
|
|
|
[~] Type: string
|
|
|
[~] Default:
|
|
|
[~] Required?: true
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
Version: 0.1.4
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/form_dicattack.rb
|
|
|
```
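The `vector_feed` plugin's example feed in the listing above is plain YAML, so a feed can be generated from a script and sanity-checked before the scan rather than discovered to be malformed mid-audit. The following Ruby is an added example and not Arachni's code: it builds a two-document feed from constructed sample vectors (the same five shapes as the plugin's example), reads it back with `YAML.load_stream` (the plugin "can handle multiple YAML documents"), applies the defaulting rules the example's comments describe (no `type` means a GET link, a POST without a `type` becomes a form, cookie and header vectors are GET only, a header vector carries exactly one input) and reports vectors that break them. The names `normalize_vector`, `vector_problems`, `build_feed`, `load_feed` and `check_feed` belong to this example, and the checks are an assumption drawn from those comments, not something the plugin itself enforces.

```ruby
# Added example, not part of Arachni: build and sanity-check a YAML vector feed
# for the 'vector_feed' plugin. The defaulting rules (no type => link/GET, POST
# without a type => form, cookie/header are GET only, header takes one input)
# are taken from the comments in the plugin's example feed; the checker itself
# is an assumption of this example, not something the plugin provides.
require 'yaml'

VECTOR_TYPES   = %w[page link form cookie header].freeze
GET_ONLY_TYPES = %w[cookie header].freeze

# Constructed sample data mirroring the plugin's example feed.
SAMPLE_VECTORS = [
  { 'type' => 'page', 'url' => 'http://localhost/', 'code' => 200,
    'headers' => { 'Content-Type' => 'text/html; charset=utf-8' },
    'body' => 'HTML code goes here' },
  { 'action' => 'http://localhost/link', 'inputs' => { 'my_param' => 'my val' } },
  { 'method' => 'post', 'action' => 'http://localhost/form',
    'inputs' => { 'post_this' => 'HUA!', 'csrf' => 'my_csrf_token' },
    'skip' => ['csrf'] },
  { 'type' => 'cookie', 'action' => 'http://localhost/cookie',
    'inputs' => { 'session_id' => '43434234343sddsdsds' } },
  { 'type' => 'header', 'action' => 'http://localhost/header',
    'inputs' => { 'User-Agent' => 'Blah/2' } }
].freeze

# Apply the defaults described in the plugin's example comments.
def normalize_vector(vector)
  v = vector.transform_keys(&:to_s)
  v['method'] = (v['method'] || 'get').to_s.downcase
  v['type'] ||= (v['method'] == 'post' ? 'form' : 'link')
  v
end

# Problems with a normalized vector; an empty list means it is usable.
def vector_problems(v)
  return ["unknown type #{v['type']}"] unless VECTOR_TYPES.include?(v['type'])

  problems = []
  if v['type'] == 'page'
    problems << 'page needs url'  unless v['url']
    problems << 'page needs body' unless v.key?('body')
  else
    inputs = v['inputs'] || {}
    problems << "#{v['type']} needs action" unless v['action']
    problems << "#{v['type']} is GET only" if GET_ONLY_TYPES.include?(v['type']) && v['method'] != 'get'
    problems << 'header takes exactly one input' if v['type'] == 'header' && inputs.size != 1
    unknown = Array(v['skip']) - inputs.keys
    problems << "skip names unknown inputs: #{unknown.join(', ')}" unless unknown.empty?
  end
  problems
end

# Serialize vectors as a multi-document YAML stream, one document per batch.
def build_feed(batches = [SAMPLE_VECTORS[0, 3], SAMPLE_VECTORS[3, 2]])
  batches.map { |batch| YAML.dump(batch) }.join
end

# Read every document in the stream, flatten into one list and apply defaults.
def load_feed(yaml)
  YAML.load_stream(yaml).flatten(1).map { |v| normalize_vector(v) }
end

# Split a feed into usable vectors and rejected ones paired with their reasons.
def check_feed(yaml)
  ok, bad = load_feed(yaml).partition { |v| vector_problems(v).empty? }
  { ok: ok, rejected: bad.map { |v| [v, vector_problems(v)] } }
end

if __FILE__ == $PROGRAM_NAME
  result = check_feed(build_feed)
  puts "usable vectors: #{result[:ok].map { |v| v['type'] }.join(', ')}"
  result[:rejected].each { |v, why| puts "rejected #{v['type']} at #{v['action']}: #{why.join('; ')}" }
end
```

Write the string returned by `build_feed` to a file and hand it to the plugin as `--plugin=vector_feed:yaml_file=/path/to/feed.yml`, together with `--link-count=0` as the plugin's notes require when only the fed vectors should be audited. Running `check_feed` first catches a header vector with two inputs or a cookie vector marked `post` before the scanner is started.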

<h3 id='plugin'><a href='#plugin'>Plugin (--plugin)</a></h3>

*Expects*: plugin name
*Default*: disabled
*Multiple invocations?*: yes

Tells Arachni which plugin components to run.
Plugins are referenced by their filename without the '.rb' extension; use '--lsplug' to see all of them.

<h4 id='plugin_example'><a href='#plugin_example'>Example</a></h4>

Excluding the logout URL and running the AutoLogin plugin to automatically login to a web application:

```
$ arachni http://testfire.net --link-count=1 --modules=xss \
--plugin=autologin:url=http://testfire.net/bank/login.aspx,params='uid=jsmith&passw=Demo1234',check='Sign Off|MY ACCOUNT' \
-e logout

Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

(With the support of the community and the Arachni Team.)

Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki


[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.

[*] Initialising...
[~] AutoLogin: System paused.
[*] Waiting for plugins to settle...
[*] AutoLogin: Found log-in form with name: login
[+] AutoLogin: Form submitted successfully.
[~] AutoLogin: Cookies set to:
[~] AutoLogin: * ASP.NET_SessionId = 14kge555fdb4bjflm3rx3t55
[~] AutoLogin: * amSessionId = 204023334531
[~] AutoLogin: * amUserInfo = UserName=anNtaXRo&Password=RGVtbzEyMzQ=
[~] AutoLogin: * amUserId = 100116014
[~] AutoLogin: * amCreditOffer = CardType=Gold&Limit=10000&Interest=7.9
[*] [HTTP: 200] http://testfire.net/
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.

[*] Auditing: [HTTP: 200] http://testfire.net/
[*] Profiler: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] Profiler: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] Profiler: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
[*] Profiler: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
[*] Profiler: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] Profiler: Analyzing response #6...
[*] Profiler: Analyzing response #7...
[*] XSS: Analyzing response #26...
[*] XSS: Analyzing response #27...
[~] Trainer: Found 1 new links.
[*] Profiler: Analyzing response #9...
[*] Profiler: Analyzing response #8...
[*] XSS: Analyzing response #28...
[*] XSS: Analyzing response #15...
[*] XSS: Analyzing response #16...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] XSS: Analyzing response #22...
[*] XSS: Analyzing response #30...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] Profiler: Analyzing response #10...
[*] XSS: Analyzing response #31...
[*] XSS: Analyzing response #32...
[*] Profiler: Analyzing response #11...
[*] Profiler: Analyzing response #12...
[*] Profiler: Analyzing response #14...
[*] Profiler: Analyzing response #13...
[*] XSS: Analyzing response #33...
[*] XSS: Analyzing response #17...
[*] XSS: Analyzing response #18...
[*] XSS: Analyzing response #19...
[*] XSS: Analyzing response #34...
[*] XSS: Analyzing response #20...
[*] XSS: Analyzing response #21...
[*] XSS: Analyzing response #23...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] XSS: Analyzing response #35...
[*] XSS: Analyzing response #24...
[*] XSS: Analyzing response #25...
[*] XSS: Analyzing response #29...

[*] Resolver: Resolving hostnames...
[*] Resolver: Done!


[*] Dumping audit results in '2012-09-09 02.48.17 +0300.afr'.
[*] Done!



[+] Web Application Security Report - Arachni Framework

[~] Report generated on: 2012-09-09 02:48:17 +0300
[~] Report false positives at: http://github.com/Arachni/arachni/issues

[+] System settings:
[~] ---------------
[~] Version: 0.4.1dev
[~] Revision: 0.2.7
[~] Audit started on: Sun Sep 9 02:48:08 2012
[~] Audit finished on: Sun Sep 9 02:48:15 2012
[~] Runtime: 00:00:06

[~] URL: http://testfire.net/
[~] User agent: Arachni/v0.4.2

[*] Audited elements:
[~] * Links
[~] * Forms
[~] * Cookies

[*] Modules: xss

[*] Filters:
[~] Exclude:
[~] (?-mix:logout)

[~] =

[+] 2 issues were detected.

[+] [1] Cross-Site Scripting (XSS)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] ID Hash: 106295fcfffa8fea3664f8fb27defe5b81f3dfba2b54c5c7f2bcb63b36246359
[~] Severity: High
[~] URL: http://testfire.net/search.aspx
[~] Element: form
[~] Method: GET
[~] Tags: xss, regexp, injection, script
[~] Variable: txtSearch
[~] Description:
[~] Client-side code (like JavaScript) can
be injected into the web application which is then returned to the user's browser.
This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.

[~] CWE: http://cwe.mitre.org/data/definitions/79.html

[~] Requires manual verification?: false

[~] References:
[~] ha.ckers - http://ha.ckers.org/xss.html
[~] Secunia - http://secunia.com/advisories/9716/

[*] Variations
[~] ----------
[~] Variation 1:
[~] URL: http://testfire.net/search.aspx
[~] Injected value: <some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
[~] Regular expression:
[~] Matched string: <some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>


[+] [2] Cross-Site Scripting (XSS)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] ID Hash: 2530b44f891ab1ebbdad206ceff0c82bee2bf038a978ebcb75f4fa34e9dca727
[~] Severity: High
[~] URL: http://testfire.net/search.aspx?txtSearch=arachni_text
[~] Element: link
[~] Method: GET
[~] Tags: xss, regexp, injection, script
[~] Variable: txtSearch
[~] Description:
[~] Client-side code (like JavaScript) can
be injected into the web application which is then returned to the user's browser.
This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.

[~] CWE: http://cwe.mitre.org/data/definitions/79.html

[~] Requires manual verification?: false

[~] References:
[~] ha.ckers - http://ha.ckers.org/xss.html
[~] Secunia - http://secunia.com/advisories/9716/

[*] Variations
[~] ----------
[~] Variation 1:
[~] URL: http://testfire.net/search.aspx?txtSearch=arachni_text
[~] Injected value: '-;<some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
[~] Regular expression:
[~] Matched string: '-;<some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>



[+] Plugin data:
[~] ---------------


[*] Resolver
[~] ~~~~~~~~~~~~~~
[~] Description: Resolves vulnerable hostnames to IP addresses.

[~] testfire.net: 65.61.137.117

[*] Health map
[~] ~~~~~~~~~~~~~~
[~] Description: Generates a simple list of safe/unsafe URLs.

[~] Legend:
[+] No issues
[-] Has issues

[+] http://testfire.net/
[-] http://testfire.net/search.aspx
[-] http://testfire.net/search.aspx?txtSearch=arachni_text

[~] Total: 3
[+] Without issues: 1
[-] With issues: 2 ( 67% )

[*] Profiler
[~] ~~~~~~~~~~~~~~
[~] Description: Examines the behavior of the web application gathering general statistics
and performs taint analysis to determine which inputs affect the output.

It does not perform any vulnerability assessment nor does it send attack payloads.

[~] Inputs affecting output:

[+] Form using the 'txtSearch' input at 'http://testfire.net/' pointing to 'http://testfire.net/search.aspx' using 'GET'.
[~] It was submitted using the following parameters:
[~] * txtSearch = arachni_texte4e549408422875958476160732390defefcac7c2bd8353d918fe452d20de2a6
[~]
[~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_texte4e549408422875958476160732390defefcac7c2bd8353d918fe452d20de2a6':
[~] * Body
[+] Link using the 'txtSearch' input at 'http://testfire.net/search.aspx?txtSearch=arachni_text' pointing to 'http://testfire.net/search.aspx?txtSearch=arachni_text' using 'GET'.
[~] It was submitted using the following parameters:
[~] * txtSearch = arachni_text5f2703a5211db19a9020f7443f6a440fbc95cda90b7c2d53912f5ce47d050056
[~]
[~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_text5f2703a5211db19a9020f7443f6a440fbc95cda90b7c2d53912f5ce47d050056':
[~] * Body

[*] AutoLogin
[~] ~~~~~~~~~~~~~~
[~] Description: It looks for the login form in the user provided URL,
merges its input fields with the user supplied parameters and sets the cookies
of the response and request as framework-wide cookies to be used by the spider later on.


[+] Form submitted successfully.
[~] Cookies set to:
[~] * ASP.NET_SessionId = 14kge555fdb4bjflm3rx3t55
[~] * amSessionId = 204023334531
[~] * amUserInfo = UserName=anNtaXRo&Password=RGVtbzEyMzQ=
[~] * amUserId = 100116014
[~] * amCreditOffer = CardType=Gold&Limit=10000&Interest=7.9

[~] 100.0% [>] 100%
[~] Est. remaining time: --:--:--

[~] Crawler has discovered 2 pages.
[~] Audit limited to a max of 1 pages -- excluding 1 pages of Trainer feedback.

[~] Sent 40 requests.
[~] Received and analyzed 40 responses.
[~] In 00:00:06
[~] Average: 6 requests/second.

[~] Currently auditing http://testfire.net/search.aspx?txtSearch=arachni_text
[~] Burst response time total 0
[~] Burst response count total 0
[~] Burst average response time 0
[~] Burst average 0 requests/second
[~] Timed-out requests 0
[~] Original max concurrency 20
[~] Throttled max concurrency 20
```
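The invocation above packs three plugin options into one `--plugin` argument, and the single quotes are shell quoting: they keep the `&`, the `|` and the space inside the values together, so what Arachni actually receives is `autologin:url=http://testfire.net/bank/login.aspx,params=uid=jsmith&passw=Demo1234,check=Sign Off|MY ACCOUNT`. Anyone wrapping Arachni in automation has to produce (or read back) that shape, which is the same one `--report` uses. The Ruby below is an added example, not Arachni's own option parser: `parse_plugin_option` and `parse_plugin_options` split such strings into a `{plugin => {option => value}}` hash, and `plugin_cli_args` renders the hash back into argv entries. The split rules (the first `:` ends the plugin name, the first `=` ends each option name, `,` separates options, so a value can never contain a comma) are assumptions of this example chosen so that the page's own AutoLogin string survives intact; Arachni's real parser may differ.

```ruby
# Added example, not Arachni's own code: parse and render the documented
# --plugin='<plugin>:<optname>=<val>,<optname2>=<val2>,...' option format.
# Split rules are assumptions of this example: first ':' ends the plugin name
# (URLs in values keep their ':'), first '=' ends each option name (values like
# a=b&c=d stay whole), ',' separates options, so a value cannot contain ','.
require 'shellwords'

# Parse one --plugin value into [plugin_name, { option => value }].
def parse_plugin_option(spec)
  name, opts = spec.split(':', 2)
  raise ArgumentError, "empty plugin name in #{spec.inspect}" if name.nil? || name.empty?

  options = {}
  (opts || '').split(',').each do |pair|
    next if pair.empty?
    key, value = pair.split('=', 2)
    raise ArgumentError, "option #{key.inspect} of #{name} has no value" if value.nil? || key.empty?
    options[key] = value
  end
  [name, options]
end

# Fold several --plugin invocations (the option may be repeated) into one hash;
# a later invocation of the same plugin overrides options of an earlier one.
def parse_plugin_options(specs)
  specs.each_with_object({}) do |spec, acc|
    name, options = parse_plugin_option(spec)
    acc[name] = (acc[name] || {}).merge(options)
  end
end

# Render {plugin => options} back into argv entries. Pass them to the scanner
# as separate arguments (no shell involved) or Shellwords.join them for a shell
# line, which yields the same escaping the page's single quotes provide.
def plugin_cli_args(plugins)
  plugins.map do |name, options|
    options.each do |k, v|
      raise ArgumentError, "value of #{k} contains ',' which the --plugin format cannot carry" if v.to_s.include?(',')
    end
    spec = options.empty? ? name : "#{name}:#{options.map { |k, v| "#{k}=#{v}" }.join(',')}"
    "--plugin=#{spec}"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the page's AutoLogin string as the shell hands it over.
  spec = 'autologin:url=http://testfire.net/bank/login.aspx,params=uid=jsmith&passw=Demo1234,check=Sign Off|MY ACCOUNT'
  parsed = parse_plugin_options([spec, 'proxy:port=8282'])
  parsed.each { |plugin, opts| puts "#{plugin}: #{opts.inspect}" }
  puts Shellwords.join(plugin_cli_args(parsed))
end
```

`Shellwords.join` backslash-escapes `=`, `&`, `|` and spaces, which is noisier than the page's single quotes but equivalent once the shell has processed it; spawning `arachni` with the argv array directly avoids the shell, and therefore the quoting question, altogether.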

<h2 id='proxy'><a href='#proxy'>Proxy</a></h2>

<h3 id='proxy_server'><a href='#proxy_server'>Proxy server (--proxy)</a></h3>

*Expects*: server:port
*Default*: disabled
*Multiple invocations?*: no

Tells Arachni to send all requests via a proxy server.

<h3 id='proxy-auth'><a href='#proxy-auth'>Proxy authentication (--proxy-auth)</a></h3>

*Expects*: username:password
*Default*: disabled
*Multiple invocations?*: no

Tells Arachni to authenticate itself with the proxy server using the supplied username and password.

<h3 id='proxy-type'><a href='#proxy-type'>Proxy type (--proxy-type)</a></h3>

*Expects*: http, http_1_0, socks4, socks5, socks4a
*Default*: disabled OR http
*Multiple invocations?*: no

Tells Arachni which protocol to use to connect to and communicate with the proxy server.

<h2 id='cli_help_output'><a href='#cli_help_output'>CLI Help Output</a></h2>

```
$ arachni -h
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

(With the support of the community and the Arachni Team.)

Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki


Usage: arachni [options] url

Supported options:


General ----------------------

-h
--help Output this.

-v Be verbose.

--debug Show what is happening internally.
(You should give it a shot sometime ;) )

--only-positives Echo positive results *only*.

--http-req-limit=<integer> Concurrent HTTP requests limit.
(Default: 20)
(Be careful not to kill your server.)
(*NOTE*: If your scan seems unresponsive try lowering the limit.)

--http-timeout=<integer> HTTP request timeout in milliseconds.

--cookie-jar=<filepath> Netscape HTTP cookie file, use curl to create it.

--cookie-string='<name>=<value>; <name2>=<value2>'

Cookies, as a string, to be sent to the web application.

--user-agent=<string> Specify user agent.

--custom-header='<name>=<value>'

Specify custom headers to be included in the HTTP requests.
(Can be used multiple times.)

--authed-by=<string> Who authorized the scan, include name and e-mail address.
(It'll make it easier on the sys-admins during log reviews.)
(Will be appended to the user-agent string.)

--login-check-url=<url> A URL used to verify that the scanner is still logged in to the web application.
(Requires 'login-check-pattern'.)

--login-check-pattern=<regexp>

A pattern used against the body of the 'login-check-url' to verify that the scanner is still logged in to the web application.
(Requires 'login-check-url'.)

Profiles -----------------------

--save-profile=<filepath> Save the current run profile/options to <filepath>.

--load-profile=<filepath> Load a run profile from <filepath>.
(Can be used multiple times.)
(You can complement it with more options, except for:
* --modules
* --redundant)

--show-profile Will output the running profile as CLI arguments.


Crawler -----------------------

-e <regexp>
--exclude=<regexp> Exclude urls matching <regexp>.
(Can be used multiple times.)

-i <regexp>
--include=<regexp> Include *only* urls matching <regex>.
(Can be used multiple times.)

--redundant=<regexp>:<limit>

Limit crawl on redundant pages like galleries or catalogs.
(URLs matching <regexp> will be crawled <limit> amount of times.)
(Can be used multiple times.)

--auto-redundant=<limit> Only follow <limit> amount of URLs with identical query parameter names.
(Default: inf)
(Will default to 10 if no value has been specified.)

-f
--follow-subdomains Follow links to subdomains.
(Default: off)

--depth=<integer> Directory depth limit.
(Default: inf)
(How deep Arachni should go into the site structure.)

--link-count=<integer> How many links to follow.
(Default: inf)

--redirect-limit=<integer> How many redirects to follow.
(Default: 20)

--extend-paths=<filepath> Add the paths in <file> to the ones discovered by the crawler.
(Can be used multiple times.)

--restrict-paths=<filepath> Use the paths in <file> instead of crawling.
(Can be used multiple times.)


Auditor ------------------------

-g
--audit-links Audit links.

-p
--audit-forms Audit forms.

-c
--audit-cookies Audit cookies.

--exclude-cookie=<name> Cookie to exclude from the audit by name.
(Can be used multiple times.)

--exclude-vector=<name> Input vector (parameter) not to audit by name.
(Can be used multiple times.)

--audit-headers Audit HTTP headers.
(*NOTE*: Header audits use brute force.
Almost all valid HTTP request headers will be audited
even if there's no indication that the web app uses them.)
(*WARNING*: Enabling this option will result in increased requests,
maybe by an order of magnitude.)

Coverage -----------------------

--audit-cookies-extensively Submit all links and forms of the page along with the cookie permutations.
(*WARNING*: This will severely increase the scan-time.)

--fuzz-methods Audit links, forms and cookies using both GET and POST requests.
(*WARNING*: This will severely increase the scan-time.)

--exclude-binaries Exclude non text-based pages from the audit.
(Binary content can confuse recon modules that perform pattern matching.)

Modules ------------------------

--lsmod=<regexp> List available modules based on the provided regular expression.
(If no regexp is provided all modules will be listed.)
(Can be used multiple times.)


-m <modname,modname..>
--modules=<modname,modname..>

Comma separated list of modules to load.
(Modules are referenced by their filename without the '.rb' extension, use '--lsmod' to list all.
Use '*' as a module name to deploy all modules or as a wildcard, like so:
xss* to load all xss modules
sqli* to load all sql injection modules
etc.

You can exclude modules by prefixing their name with a minus sign:
--modules=*,-backup_files,-xss
The above will load all modules except for the 'backup_files' and 'xss' modules.

Or mix and match:
-xss* to unload all xss modules.)


Reports ------------------------

--lsrep=<regexp> List available reports based on the provided regular expression.
(If no regexp is provided all reports will be listed.)
(Can be used multiple times.)

--repload=<filepath> Load audit results from an '.afr' report file.
(Allows you to create new reports from finished scans.)

--report='<report>:<optname>=<val>,<optname2>=<val2>,...'

<report>: the name of the report as displayed by '--lsrep'
(Reports are referenced by their filename without the '.rb' extension, use '--lsrep' to list all.)
(Default: stdout)
(Can be used multiple times.)


Plugins ------------------------

--lsplug=<regexp> List available plugins based on the provided regular expression.
(If no regexp is provided all plugins will be listed.)
(Can be used multiple times.)

--plugin='<plugin>:<optname>=<val>,<optname2>=<val2>,...'

<plugin>: the name of the plugin as displayed by '--lsplug'
(Plugins are referenced by their filename without the '.rb' extension, use '--lsplug' to list all.)
(Can be used multiple times.)


Proxy --------------------------

--proxy=<server:port> Proxy address to use.

--proxy-auth=<user:passwd> Proxy authentication credentials.

--proxy-type=<type> Proxy type; can be http, http_1_0, socks4, socks5, socks4a
(Default: http)

```