Command line user interface · Changes

Edit authored Oct 29, 2015 by Tasos Laskos
guides/user/Command-line-user-interface.md 0 → 100644
View page @ 46a2e71d
## Version 1.3.2
There are a lot of options, customizations and tweaks you can use but fear not and don't let yourself be overwhelmed.
This guide will walk you through each and every one of them and teach you how to use them in order to make your scans as efficient as possible.
_If you intend to scan big and complex sites it's best that you read through this guide and evaluate all available options._
### Quickstart
#### Help
In order to see everything Arachni has to offer execute:
```
arachni -h
```
#### Control screen
To see a control screen via which you can inspect an issue summary and perform actions like pausing/resuming, aborting, suspending etc., press `Enter` while the scan is running.
#### Examples
You can simply run Arachni like so:
```
arachni http://example.com
```
which will load all checks, the plugins under `/plugins/defaults` and audit
all forms, links and cookies.
In the following example, all checks will be run against http://example.com,
auditing links/forms/cookies and following subdomains while also printing verbose messages.
The results of the scan will be saved in the file `example.com.afr`.
```
arachni --output-verbose --scope-include-subdomains http://example.com --report-save-path=example.com.afr
```
The Arachni Framework Report (`.afr`) file can later be used to create reports in several formats, like so:
```
arachni_reporter example.com.afr --reporter=html:outfile=my_report.html.zip
```
To see all available reporter components run:
```
arachni_reporter --reporters-list
```
#### You can make check loading easier by using wildcards (*) and exclusions (-).
To load all `xss` checks using a wildcard:
```
arachni http://example.net --checks=xss*
```
To load all active checks using a wildcard:
```
arachni http://example.net --checks=active/*
```
To exclude only the `csrf` check:
```
arachni http://example.net --checks=*,-csrf
```
Or you can mix and match; to run everything but the `xss` checks:
```
arachni http://example.net --checks=*,-xss*
```
#### More resources
For more resources you can consult the [articles](http://support.arachni-scanner.com/kb/general-use)
in the [knowledge base](http://support.arachni-scanner.com/kb/).
### Command reference
[Command Line Interface help output](#cli_help_output)
* [Generic](#generic)
    * [Version (--version)](#version)
    * [Authorized by (--authorized-by)](#authorized-by)
* [Output](#output)
    * [Verbose (--output-verbose)](#output-verbose)
        * [Example](#output-verbose_example)
    * [Debug (--output-debug)](#output-debug)
    * [Only positives (--output-only-positives)](#output-only-positives)
* [Scope](#scope)
    * [Include (--scope-include-pattern)](#scope-include-pattern)
    * [Include subdomains (--scope-include-subdomains)](#scope-include-subdomains)
    * [Exclude (--scope-exclude-pattern)](#scope-exclude-pattern)
    * [Exclude page by content (--scope-exclude-content-pattern)](#scope-exclude-content-pattern)
    * [Exclude binaries (--scope-exclude-binaries)](#scope-exclude-binaries)
    * [Redundant paths (--scope-redundant-path-pattern)](#scope-redundant-path-pattern)
    * [Auto-redundant (--scope-auto-redundant)](#scope-auto-redundant)
        * [Example](#scope-auto-redundant_example)
    * [Directory depth limit (--scope-directory-depth-limit)](#scope-directory-depth-limit)
    * [Page limit (--scope-page-limit)](#scope-page-limit)
    * [Extend paths (--scope-extend-paths)](#scope-extend-paths)
    * [Restrict paths (--scope-restrict-paths)](#scope-restrict-paths)
    * [URL rewrite (--scope-url-rewrite)](#scope-url-rewrite)
    * [HTTPS only (--scope-https-only)](#scope-https-only)
* [Audit](#audit)
    * [Links (--audit-links)](#audit-links)
    * [Forms (--audit-forms)](#audit-forms)
    * [Cookies (--audit-cookies)](#audit-cookies)
    * [Cookies extensively (--audit-cookies-extensively)](#audit-cookies-extensively)
    * [Headers (--audit-headers)](#audit-headers)
    * [Link template (--audit-link-template)](#audit-link-template)
        * [Example](#audit-link-template_example)
    * [JSONs (--audit-jsons)](#audit-jsons)
    * [XMLs (--audit-xmls)](#audit-xmls)
    * [UI Inputs (--audit-ui-inputs)](#audit-ui-inputs)
    * [UI Forms (--audit-ui-forms)](#audit-ui-forms)
    * [Parameter names (--audit-parameter-names)](#audit-parameter-names)
    * [With extra parameter (--audit-with-extra-parameter)](#audit-with-extra-parameter)
    * [With both methods (--audit-with-both-methods)](#audit-with-both-methods)
    * [Exclude vector (--audit-exclude-vector)](#audit-exclude-vector)
    * [Include vector (--audit-include-vector)](#audit-include-vector)
* [HTTP](#http)
    * [User agent (--http-user-agent)](#http-user-agent)
    * [Request concurrency (--http-request-concurrency)](#http-request-concurrency)
    * [Request timeout (--http-request-timeout)](#http-request-timeout)
    * [Request redirect limit (--http-request-redirect-limit)](#http-request-redirect-limit)
    * [Request queue size (--http-request-queue-size)](#http-request-queue-size)
    * [Request header (--http-request-header)](#http-request-header)
        * [Example](#http-request-header_example)
    * [Response max size (--http-response-max-size)](#http-response-max-size)
    * [Cookie-jar (--http-cookie-jar)](#http-cookie-jar)
    * [Cookie string (--http-cookie-string)](#http-cookie-string)
        * [Example](#http-cookie-string_example)
    * [Authentication](#http-authentication)
        * [Username (--http-authentication-username)](#http-authentication-username)
        * [Password (--http-authentication-password)](#http-authentication-password)
    * [Proxy (--http-proxy)](#http-proxy)
    * [Proxy authentication (--http-proxy-authentication)](#http-proxy-authentication)
    * [Proxy type (--http-proxy-type)](#http-proxy-type)
    * [SSL verify peer (--http-ssl-verify-peer)](#http-ssl-verify-peer)
    * [SSL verify host (--http-ssl-verify-host)](#http-ssl-verify-host)
    * [SSL certificate (--http-ssl-certificate)](#http-ssl-certificate)
    * [SSL certificate type (--http-ssl-certificate-type)](#http-ssl-certificate-type)
    * [SSL key (--http-ssl-key)](#http-ssl-key)
    * [SSL key type (--http-ssl-key-type)](#http-ssl-key-type)
    * [SSL key password (--http-ssl-key-password)](#http-ssl-key-password)
    * [SSL CA (--http-ssl-ca)](#http-ssl-ca)
    * [SSL CA directory (--http-ssl-ca-directory)](#http-ssl-ca-directory)
    * [SSL version (--http-ssl-version)](#http-ssl-version)
* [Input](#input)
    * [Value (--input-value)](#input-value)
    * [Values file (--input-values-file)](#input-values-file)
    * [Without defaults (--input-without-defaults)](#input-without-defaults)
    * [Force (--input-force)](#input-force)
* [Checks](#checks)
    * [List (--checks-list)](#checks-list)
    * [Load (--checks)](#checks-checks)
        * [Example](#checks-checks_example)
* [Plugins](#plugins)
    * [List (--plugins-list)](#plugins-list)
    * [Load (--plugin)](#plugin)
        * [Example](#plugin_example)
* [Platforms](#platforms)
    * [List (--platforms-list)](#platforms-list)
    * [Disable fingerprinting (--platforms-no-fingerprinting)](#platforms-no-fingerprinting)
    * [Configure (--platforms)](#platforms-platforms)
        * [Example](#platforms-platforms_example)
* [Session](#session)
    * [Check URL (--session-check-url)](#session-check-url)
    * [Check pattern (--session-check-pattern)](#session-check-pattern)
* [Profiles](#profiles)
    * [Save (--profile-save-filepath)](#profile-save-filepath)
    * [Load (--profile-load-filepath)](#profile-load-filepath)
* [Browser cluster](#browser-cluster)
    * [Local storage (--browser-cluster-local-storage)](#browser-cluster-local-storage)
    * [Wait for element (--browser-cluster-wait-for-element)](#browser-cluster-wait-for-element)
        * [Example](#browser-cluster-wait-for-element_example)
    * [Pool size (--browser-cluster-pool-size)](#browser-cluster-pool-size)
    * [Job timeout (--browser-cluster-job-timeout)](#browser-cluster-job-timeout)
    * [Worker time to live (--browser-cluster-worker-time-to-live)](#browser-cluster-worker-time-to-live)
    * [Ignore images (--browser-cluster-ignore-images)](#browser-cluster-ignore-images)
    * [Screen width (--browser-cluster-screen-width)](#browser-cluster-screen-width)
    * [Screen height (--browser-cluster-screen-height)](#browser-cluster-screen-height)
* [Report](#report)
    * [Save path (--report-save-path)](#report-save-path)
* [Snapshot](#snapshot)
    * [Save path (--snapshot-save-path)](#snapshot-save-path)
* [Timeout](#timeout)
    * [Timeout (--timeout)](#timeout)
    * [Suspend (--timeout-suspend)](#timeout-suspend)
<h2 name='generic'><a href='#generic'>Generic</a></h2>
<h3 name='version'><a href='#version'>Version (--version)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
Outputs the Arachni banner and version information.
<h3 name='authorized-by'><a href='#authorized-by'>Authorized by (--authorized-by)</a></h3>
**Expects**: `string`
**Default**: `disabled`
**Multiple invocations?**: `no`
The string passed to this option will be used as the value for the `From` HTTP request header field.
The option value should be the e-mail address of the person who authorized the scan.
<h2 name='output'><a href='#output'>Output</a></h2>
<h3 name='output-verbose'><a href='#output-verbose'>Verbose (--output-verbose)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
When verbose messages are enabled, Arachni will give you detailed information about what's going on during the whole process.
<h4 name='output-verbose_example'><a href='#output-verbose_example'>Example</a></h4>
Let's give this a try:
```
arachni --audit-forms --checks=xss http://testfire.net/ --scope-page-limit=1
```
This will load the XSS checks and audit all the forms in `http://testfire.net/`.
**Verbose mode disabled**
Observe that there's no `--output-verbose` flag in the previous run.
_Don't worry about the rest of the parameters right now._
**Quick note:**
Arachni's output messages are classified into several categories, each of them prefixed with a different colored symbol:
* `[*]` are status messages.
* `[~]` are informational messages.
* `[+]` are success messages.
* `[v]` are verbose messages.
* `[!]` are debug messages.
* `[-]` are error messages.
_I won't bother with coloring during the examples._
```
Arachni - Web Application Security Scanner Framework v1.0
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[*] Initializing...
[*] Waiting for plugins to settle...
[*] BrowserCluster: Initializing 6 browsers...
[*] BrowserCluster: Initialization completed with 6 browsers in the pool.
[*] [HTTP: 200] http://testfire.net/
[~] Identified as: windows, iis, asp, aspx
[~] Analysis resulted in 0 usable paths.
[~] DOM depth: 0 (Limit: 10)
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[*] XSS: Submitting form with original values for txtSearch at 'http://testfire.net/search.aspx'.
[*] XSS: Submitting form with sample values for txtSearch at 'http://testfire.net/search.aspx'.
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] XSS: Analyzing response #2...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
[*] XSS: Analyzing response #3...
[*] XSS: Analyzing response #4...
[*] XSS: Analyzing response #5...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
[*] XSS: Analyzing response #6...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
```
**Verbose mode enabled**
Observe the extra information in this run.
`[v]` messages are verbose messages.
```
$ arachni --audit-forms --checks=xss http://testfire.net/ --scope-page-limit=1 --output-verbose
Arachni - Web Application Security Scanner Framework v1.0
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[*] Initializing...
[*] Waiting for plugins to settle...
[*] BrowserCluster: Initializing 6 browsers...
[*] BrowserCluster: Initialization completed with 6 browsers in the pool.
[*] [HTTP: 200] http://testfire.net/
[~] Identified as: windows, iis, asp, aspx
[~] Analysis resulted in 0 usable paths.
[~] DOM depth: 0 (Limit: 10)
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[v] XSS: --> With: "<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>" -> "arachni_text<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>"
[*] XSS: Submitting form with original values for txtSearch at 'http://testfire.net/search.aspx'.
[v] XSS: --> With: nil -> ""
[*] XSS: Submitting form with sample values for txtSearch at 'http://testfire.net/search.aspx'.
[v] XSS: --> With: nil -> ""
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[v] XSS: --> With: "()\"&%1'-;<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>'" -> "arachni_text()\"&%1'-;<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>'"
[*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
[v] XSS: --> With: "--><some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/><!--" -> "arachni_text--><some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/><!--"
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] XSS: Analyzing response #2...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
[v] XSS: Injected: "arachni_text<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>"
[v] XSS: Proof: <some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>
[v] XSS: Request:
GET /search.aspx?txtSearch=arachni_text%3Csome_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714%2F%3E HTTP/1.1
Host: testfire.net
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: ASP.NET_SessionId=e4h4wy45jmb5vkrg0wl1rj45;amSessionId=15420499882
[*] XSS: Analyzing response #3...
[*] XSS: Analyzing response #4...
[*] XSS: Analyzing response #6...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
[v] XSS: Injected: "arachni_text--><some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/><!--"
[v] XSS: Proof: <some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>
[v] XSS: Request:
GET /search.aspx?txtSearch=arachni_text--%3E%3Csome_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714%2F%3E%3C%21-- HTTP/1.1
Host: testfire.net
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: ASP.NET_SessionId=e4h4wy45jmb5vkrg0wl1rj45;amSessionId=15420499882
[*] XSS: Analyzing response #5...
[~] XSS: Response is tainted, looking for proof of vulnerability.
[+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
[v] XSS: Injected: "arachni_text()\"&%1'-;<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>'"
[v] XSS: Proof: <some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>
[v] XSS: Request:
GET /search.aspx?txtSearch=arachni_text%28%29%22%26%251%27-%3B%3Csome_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714%2F%3E%27 HTTP/1.1
Host: testfire.net
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: ASP.NET_SessionId=e4h4wy45jmb5vkrg0wl1rj45;amSessionId=15420499882
```
<h3 name='output-debug'><a href='#output-debug'>Debug (--output-debug)</a></h3>
**Expects**: `integer`
**Default**: `1`
**Multiple invocations?**: `no`
When this flag is enabled the system will output a lot of messages detailing what's happening internally.
The level/detail of the messages can be specified in the form of an integer between `1` and `3`.
If you don't want to be flooded by annoying and obscure messages, you can pipe debugging output to a separate file when running Arachni using:
```
arachni http://example.com --output-debug 2> debug.log
```
<h3 name='output-only-positives'><a href='#output-only-positives'>Only positives (--output-only-positives)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
This will suppress all messages except for the ones denoting success -- usually regarding the discovery of some issue.
<h2 name='scope'><a href='#scope'>Scope</a></h2>
`pattern` refers to valid Ruby regular expressions without being enclosed by `/`.
Examples:
* `exclude-me`: Excludes any string that includes the `exclude-me` substring.
* `exclude.*me`: Excludes any string that includes `exclude`, followed by any content, and then `me`.
* `\/gallery\/winter\/`: Excludes any string that includes the `/gallery/winter/` substring -- slashes need to be escaped.
<h3 name='scope-include-pattern'><a href='#scope-include-pattern'>Include (--scope-include-pattern)</a></h3>
**Expects**: `pattern`
**Default**: `disabled`
**Multiple invocations?**: `yes`
Restricts the scope of the scan to resources whose URL matches the pattern.
<h3 name='scope-include-subdomains'><a href='#scope-include-subdomains'>Include subdomains (--scope-include-subdomains)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
Allow the system to include subdomains in the scan.
<h3 name='scope-exclude-pattern'><a href='#scope-exclude-pattern'>Exclude (--scope-exclude-pattern)</a></h3>
**Expects**: `pattern`
**Default**: `disabled`
**Multiple invocations?**: `yes`
Excludes resources whose URL matches the pattern.
<h3 name='scope-exclude-content-pattern'><a href='#scope-exclude-content-pattern'>Exclude page by content (--scope-exclude-content-pattern)</a></h3>
**Expects**: `pattern`
**Default**: `disabled`
**Multiple invocations?**: `yes`
Excludes pages whose content matches the pattern.
<h3 name='scope-exclude-binaries'><a href='#scope-exclude-binaries'>Exclude binaries (--scope-exclude-binaries)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
Excludes pages with binary content.
**Note**: Binary content can confuse passive checks that perform pattern matching.
<h3 name='scope-redundant-path-pattern'><a href='#scope-redundant-path-pattern'>Redundant (--scope-redundant-path-pattern)</a></h3>
**Expects**: `pattern:integer`
**Default**: `disabled`
**Multiple invocations?**: `yes`
This option expects a pattern and a counter, like so:
`--scope-redundant-path-pattern='calendar.php:3'`
This will cause URLs that contain `calendar.php` to be crawled only 3 times.
This option is useful when scanning websites that have a lot of redundant pages like a photo gallery or a dynamically generated calendar.
<h3 name='scope-auto-redundant'><a href='#scope-auto-redundant'>Auto-redundant (--scope-auto-redundant)</a></h3>
**Expects**: `integer`
**Default**: `disabled (with a value of 10 if none has been specified)`
**Multiple invocations?**: `no`
This option limits how many resources with URLs with identical parameters should be included in the scan.
This can prevent infinite loops caused by pages like photo galleries or catalogues.
<h4 name='scope-auto-redundant_example'><a href='#scope-auto-redundant_example'>Example</a></h4>
With `--scope-auto-redundant=2` and given the following list of URLs:
```
http://example.com/?stuff=1
http://example.com/?stuff=2
http://example.com/?stuff=other-stuff
http://example.com/?stuff=blah
http://example.com/?stuff=blah&stuff2=1
http://example.com/?stuff=blah&stuff2=2
http://example.com/?stuff=blah2&stuff2=bloo
http://example.com/path.php?stuff=blah&stuff2=1
```
Only the following will be included:
```
http://example.com/?stuff=1
http://example.com/?stuff=2
http://example.com/?stuff=blah&stuff2=1
http://example.com/?stuff=blah&stuff2=2
http://example.com/path.php?stuff=blah&stuff2=1
```
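The two redundancy limits above can be dry-run against a URL list before a scan. The following Ruby sketch is an added example, not Arachni's own code; the class name `RedundancyFilter`, splitting `pattern:integer` at the last colon, and grouping URLs by host, path and sorted parameter names are assumptions chosen to reproduce the documented result.

```ruby
require 'uri'

# Added sketch, not Arachni's implementation: dry-runs the behaviour described
# for --scope-redundant-path-pattern and --scope-auto-redundant.
class RedundancyFilter
  # rules:      strings in the documented `pattern:integer` form.
  # auto_limit: value of --scope-auto-redundant, or nil to leave it disabled.
  def initialize(rules: [], auto_limit: nil)
    @path_rules = rules.map do |rule|
      # Assumption: the counter follows the LAST colon, so a pattern may
      # itself contain colons.
      pattern, _, count = rule.rpartition(':')
      if pattern.empty? || count !~ /\A\d+\z/
        raise ArgumentError, "expected pattern:integer, got #{rule.inspect}"
      end
      { regexp: Regexp.new(pattern), remaining: count.to_i }
    end
    @auto_limit = auto_limit
    @auto_seen  = Hash.new(0)
  end

  # Returns the URLs that would stay in scope, preserving input order.
  def filter(urls)
    urls.select { |url| path_rule_allows?(url) && auto_redundant_allows?(url) }
  end

  private

  # A URL is dropped once any rule matching it has used up its counter.
  def path_rule_allows?(url)
    matching = @path_rules.select { |rule| rule[:regexp].match?(url) }
    return false if matching.any? { |rule| rule[:remaining] <= 0 }
    matching.each { |rule| rule[:remaining] -= 1 }
    true
  end

  # Assumption: "identical parameters" means same host, path and set of
  # parameter names; parameter values are ignored.
  def auto_redundant_allows?(url)
    return true if @auto_limit.nil?
    uri = URI.parse(url)
    return true if uri.query.nil? || uri.query.empty?
    names = URI.decode_www_form(uri.query).map(&:first).uniq.sort
    key   = [uri.host, uri.port, uri.path, names]
    (@auto_seen[key] += 1) <= @auto_limit
  end
end

# URL list taken from the example above.
PAGE_URLS = %w[
  http://example.com/?stuff=1
  http://example.com/?stuff=2
  http://example.com/?stuff=other-stuff
  http://example.com/?stuff=blah
  http://example.com/?stuff=blah&stuff2=1
  http://example.com/?stuff=blah&stuff2=2
  http://example.com/?stuff=blah2&stuff2=bloo
  http://example.com/path.php?stuff=blah&stuff2=1
].freeze

if __FILE__ == $PROGRAM_NAME
  puts RedundancyFilter.new(auto_limit: 2).filter(PAGE_URLS)
end
```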
<h3 name='scope-directory-depth-limit'><a href='#scope-directory-depth-limit'>Directory depth limit (--scope-directory-depth-limit)</a></h3>
**Expects**: `integer`
**Default**: `infinite`
**Multiple invocations?**: `no`
This option limits how deep into the site structure the scan should go.
<h3 name='scope-page-limit'><a href='#scope-page-limit'>Page limit (--scope-page-limit)</a></h3>
**Expects**: `integer`
**Default**: `infinite`
**Multiple invocations?**: `no`
This option limits how many pages should be included in the scan.
<h3 name='scope-extend-paths'><a href='#scope-extend-paths'>Extend paths (--scope-extend-paths)</a></h3>
**Expects**: `filepath`
**Default**: `disabled`
**Multiple invocations?**: `yes`
Allows you to extend the scope of the scan by seeding the system with the paths contained within the given file.
**Note**: The file must contain one path per line.
<h3 name='scope-restrict-paths'><a href='#scope-restrict-paths'>Restrict paths (--scope-restrict-paths)</a></h3>
**Expects**: `filepath`
**Default**: `disabled`
**Multiple invocations?**: `yes`
Uses the paths contained within the given file instead of performing a crawl.
**Note**: The file must contain one path per line.
<h3 name='scope-url-rewrite'><a href='#scope-url-rewrite'>URL rewrite (--scope-url-rewrite)</a></h3>
**Expects**: `pattern:substitution`
**Default**: `disabled`
**Multiple invocations?**: `yes`
This option expects a pattern and a substitution, like so:
`--scope-url-rewrite='articles/[\w-]+/(\d+):articles.php?id=\1'`
The above will rewrite the URL `http://example.com/articles/some-stuff/23` as `http://example.com/articles.php?id=23`.
<h3 name='scope-dom-depth-limit'><a href='#scope-dom-depth-limit'>DOM depth limit (--scope-dom-depth-limit)</a></h3>
**Expects**: `integer`
**Default**: `5`
**Multiple invocations?**: `no`
This option limits how deep into each page's DOM structure the scan should go.
**Note**: DOM levels are counted as stacked interactions with the page's interface.
<h3 name='scope-https-only'><a href='#scope-https-only'>HTTPS only (--scope-https-only)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
Forces the system to only follow HTTPS URLs.
**Note**: The target URL must be an HTTPS one as well.
<h2 name='audit'><a href='#audit'>Audit</a></h2>
<h3 name='audit-links'><a href='#audit-links'>Audit links (--audit-links)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
Enable auditing of links.
<h3 name='audit-forms'><a href='#audit-forms'>Audit forms (--audit-forms)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
Enable auditing of forms.
<h3 name='audit-cookies'><a href='#audit-cookies'>Audit cookies (--audit-cookies)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
Enable auditing of cookies.
<h3 name='audit-cookies-extensively'><a href='#audit-cookies-extensively'>Audit cookies extensively (--audit-cookies-extensively)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
If enabled the system will submit all links and forms of the page along with the cookie permutations.
**Warning**: Will severely increase the scan-time.
<h3 name='audit-headers'><a href='#audit-headers'>Audit headers (--audit-headers)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
Audit HTTP request headers.
**Note**: Header audits use brute force. Almost all valid HTTP request headers will be audited even if there's no indication that the web app uses them.
**Warning**: Enabling this option will result in increased requests, maybe by an order of magnitude.
<h3 name='audit-link-template'><a href='#audit-link-template'>Link template (--audit-link-template)</a></h3>
**Expects**: `pattern`
**Default**: `disabled`
**Multiple invocations?**: `yes`
This option allows you to extract and audit inputs from generic paths based on a specified template
in the form of a Ruby regular expression using named groups.
<h4 name='audit-link-template_example'><a href='#audit-link-template_example'>Example</a></h4>
To extract the `input1` and `input2` inputs from: `http://example.com/input1/value1/input2/value2`
Use: `input1/(?<input1>\w+)/input2/(?<input2>\w+)`
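Both the URL rewrite rule shown earlier and the link template above turn path segments into named inputs, so it is worth checking which inputs a given rule actually exposes before relying on it. The following Ruby sketch is an added example, not Arachni's own code; the function names and splitting the rewrite rule at its last colon are assumptions.

```ruby
require 'uri'

# Added sketch, not Arachni's implementation.

# Applies one rule in the documented `pattern:substitution` form.
# Assumption: the rule is split at its LAST colon.
def rewrite_url(url, rule)
  pattern, _, substitution = rule.rpartition(':')
  raise ArgumentError, "expected pattern:substitution, got #{rule.inspect}" if pattern.empty?
  url.sub(Regexp.new(pattern), substitution)
end

# Returns the inputs a link template with named groups extracts from a URL,
# or an empty hash when the template does not match.
def template_inputs(url, template)
  match = Regexp.new(template).match(url)
  match ? match.named_captures : {}
end

# Reports the URL after rewriting and every input that is visible either as
# a query parameter of the rewritten URL or through a link template.
def visible_inputs(url, rewrite_rules: [], link_templates: [])
  rewritten = rewrite_rules.reduce(url) { |u, rule| rewrite_url(u, rule) }
  inputs    = URI.decode_www_form(URI.parse(rewritten).query.to_s).to_h
  link_templates.each { |t| inputs.merge!(template_inputs(url, t)) }
  { url: rewritten, inputs: inputs }
end

# Rule, template and URLs are the ones used in this guide.
REWRITE_RULE  = 'articles/[\w-]+/(\d+):articles.php?id=\1'
LINK_TEMPLATE = 'input1/(?<input1>\w+)/input2/(?<input2>\w+)'

if __FILE__ == $PROGRAM_NAME
  p visible_inputs('http://example.com/articles/some-stuff/23',
                   rewrite_rules: [REWRITE_RULE])
  p visible_inputs('http://example.com/input1/value1/input2/value2',
                   link_templates: [LINK_TEMPLATE])
end
```

Without a matching rule or template the same URLs expose no inputs at all, which is the case these two options exist to cover.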
<h3 name='audit-jsons'><a href='#audit-jsons'>JSONs (--audit-jsons)</a></h3>
**Expects**: `<n/a>`
**Default**: `enabled`
**Multiple invocations?**: `no`
Enable auditing of JSON inputs extracted from browser or proxy requests.
<h3 name='audit-xmls'><a href='#audit-xmls'>XMLs (--audit-xmls)</a></h3>
**Expects**: `<n/a>`
**Default**: `enabled`
**Multiple invocations?**: `no`
Enable auditing of XML inputs extracted from browser or proxy requests.
<h3 name='audit-ui-inputs'><a href='#audit-ui-inputs'>UI Inputs (--audit-ui-inputs)</a></h3>
**Expects**: `<n/a>`
**Default**: `enabled`
**Multiple invocations?**: `no`
Enable auditing of orphan user interface inputs (like `<input>` elements not belonging to any form) which submit their data via DOM event callbacks.
<h3 name='audit-ui-forms'><a href='#audit-ui-forms'>UI Forms (--audit-ui-forms)</a></h3>
**Expects**: `<n/a>`
**Default**: `enabled`
**Multiple invocations?**: `no`
Enable auditing of input and button groups which don't belong to any form, but are instead associated via JavaScript code and submitted via DOM event callbacks.
<h3 name='audit-parameter-names'><a href='#audit-parameter-names'>Parameter names (--audit-parameter-names)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
If enabled, the system will inject payloads into parameter names instead of just values.
<h3 name='audit-with-extra-parameter'><a href='#audit-with-extra-parameter'>With extra parameter (--audit-with-extra-parameter)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
If enabled, the system will add an extra parameter to all vectors and audit it as well.
<h3 name='audit-with-both-methods'><a href='#audit-with-both-methods'>With both methods (--audit-with-both-methods)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
If enabled, the system will submit all elements using both `GET` and `POST` HTTP request methods.
**Warning**: Will severely increase the scan-time.
<h3 name='audit-exclude-vector'><a href='#audit-exclude-vector'>Exclude vector (--audit-exclude-vector)</a></h3>
**Expects**: `pattern`
**Default**: `disabled`
**Multiple invocations?**: `yes`
Don't audit input vectors whose name matches the pattern.
<h3 name='audit-include-vector'><a href='#audit-include-vector'>Include vector (--audit-include-vector)</a></h3>
**Expects**: `pattern`
**Default**: `disabled`
**Multiple invocations?**: `yes`
Only audit input vectors whose name matches the pattern.
<h2 name='http'><a href='#http'>HTTP</a></h2>
<h3 name='http-user-agent'><a href='#http-user-agent'>User agent (--http-user-agent)</a></h3>
**Expects**: `string`
**Default**: `"Arachni/<version>"`
**Multiple invocations?**: `no`
Specify a value for the `User-Agent` request header field.
<h3 name='http-request-concurrency'><a href='#http-request-concurrency'>Request concurrency (--http-request-concurrency)</a></h3>
**Expects**: `integer`
**Default**: `20`
**Multiple invocations?**: `no`
Sets the maximum amount of requests to be active at any given time; this usually directly translates to the amount of open connections.
**Note**: If your scan seems unresponsive try lowering the limit to ease the server's burden.
**Warning**: Given enough bandwidth and a high enough concurrency setting the scan could cause a DoS.
Be careful when setting this option too high, don't kill your server.
<h3 name='http-request-timeout'><a href='#http-request-timeout'>Request timeout (--http-request-timeout)</a></h3>
**Expects**: `integer (milliseconds)`
**Default**: `10000`
**Multiple invocations?**: `no`
Limit how long the client should wait for a response from the server.
<h3 name='http-request-redirect-limit'><a href='#http-request-redirect-limit'>Request redirect limit (--http-request-redirect-limit)</a></h3>
**Expects**: `integer`
**Default**: `5`
**Multiple invocations?**: `no`
Limits the amount of redirects the client should follow for each request.
<h3 name='http-request-queue-size'><a href='#http-request-queue-size'>Request queue size (--http-request-queue-size)</a></h3>
**Expects**: `integer`
**Default**: `100`
**Multiple invocations?**: `no`
Maximum amount of requests to keep in the client queue.
**Note**: More means better scheduling and better performance, less means less RAM consumption.
<h3 name='http-request-header'><a href='#http-request-header'>Request header (--http-request-header)</a></h3>
**Expects**: `string`
**Default**: `disabled`
**Multiple invocations?**: `yes`
Allows you to specify custom request headers in the form of key-value pairs.
<h4 name='http-request-header_example'><a href='#http-request-header_example'>Example</a></h4>
```
--http-request-header='field_name=field value'
```
<h3 name='http-response-max-size'><a href='#http-response-max-size'>Response max size (--http-response-max-size)</a></h3>
**Expects**: `integer`
**Default**: `500000`
**Multiple invocations?**: `no`
Limits the size of response bodies the client accepts. Essentially, the client will not download bodies of responses which have a `Content-Length` larger than the specified value.
<h3 name='http-cookie-jar'><a href='#http-cookie-jar'>Cookie jar (--http-cookie-jar)</a></h3>
**Expects**: `filepath`
**Default**: `disabled`
**Multiple invocations?**: `no`
Arachni allows you to pass your own cookies in the form of a Netscape cookie-jar file.
If you want to audit restricted parts of a website that are accessible only to logged in users you should pass the session cookies to Arachni.
There's a number of ways to do that, I've found that Firebug's export cookie feature works best.
**Note**: If you don't feel comfortable setting your own cookie-jar, you can use the `proxy` or `autologin` plugins to login to the web application.
<h3 name='http-cookie-string'><a href='#http-cookie-string'>Cookie string (--http-cookie-string)</a></h3>
**Expects**: `string`
**Default**: `disabled`
**Multiple invocations?**: `no`
Cookies, as a string, to be sent to the web application.
<h4 name='http-cookie-string_example'><a href='#http-cookie-string_example'>Example</a></h4>
```
--http-cookie-string='userid=19;sessionid=deadbeefbabe'
```
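The same cookies can be handed over as a cookie-jar file instead of a string. The following Ruby code is an added example, not part of Arachni: it converts a cookie string into Netscape cookie-jar text and writes it readable by the owner only. The helper names, the `example.com` domain and the expiry of `0` (a session cookie) are assumptions.

```ruby
require 'tmpdir'

NETSCAPE_HEADER = '# Netscape HTTP Cookie File'

# Converts a Cookie-header style string ("a=1;b=2") into Netscape cookie-jar
# text. Each cookie becomes one line of seven tab-separated fields:
#   domain, include-subdomains, path, secure, expiry, name, value
def cookie_string_to_jar(cookie_string, domain:, path: '/', secure: false, expires: 0)
  # A leading dot on the domain marks the cookie as valid for subdomains too.
  subdomains = domain.start_with?('.') ? 'TRUE' : 'FALSE'

  pairs = cookie_string.split(';').map(&:strip).reject(&:empty?)
  lines = pairs.map do |pair|
    name, value = pair.split('=', 2)
    if name.nil? || name.empty? || value.nil?
      raise ArgumentError, "malformed cookie pair: #{pair.inspect}"
    end
    # Fields are tab-separated, one cookie per line: reject anything that
    # would shift columns or start a new record.
    if "#{name}#{value}".match?(/[\t\r\n]/)
      raise ArgumentError, "control character in cookie: #{pair.inspect}"
    end
    [domain, subdomains, path, secure ? 'TRUE' : 'FALSE',
     expires.to_i, name, value].join("\t")
  end

  ([NETSCAPE_HEADER] + lines).join("\n") + "\n"
end

# Session cookies are credentials: create the jar with owner-only permissions
# and tighten them again in case the file already existed.
def write_cookie_jar(filepath, jar_text)
  File.open(filepath, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
    f.write(jar_text)
  end
  File.chmod(0o600, filepath)
  filepath
end

if __FILE__ == $PROGRAM_NAME
  # Cookie string taken from the example above; domain is a constructed sample.
  jar = cookie_string_to_jar('userid=19;sessionid=deadbeefbabe', domain: 'example.com')
  Dir.mktmpdir do |dir|
    path = write_cookie_jar(File.join(dir, 'cookies.txt'), jar)
    puts File.read(path)
    puts format('mode: %o', File.stat(path).mode & 0o777)
  end
end
```

Keep the jar where only the scanning account can read it and delete it once the scan has finished, since it carries a live session.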
<h3 name='http-authentication'><a href='#http-authentication'>Authentication</a></h3>
The HTTP authentication type is detected automatically; all that is necessary is specifying
the <a href='#http-authentication-username'>username</a> and <a href='#http-authentication-password'>password</a>.
The only situation where that's not the case is when using Kerberos. In that case a ticket needs
to be acquired via `kinit`, and neither a username nor a password needs to be specified in the scan configuration.
If you are using the official packages, this can be accomplished like so:
```
./bin/arachni_shell -c 'kinit user@host.com'
```
After acquiring the Kerberos ticket you can perform the scan without any extra authentication configuration.
<h4 name='http-authentication-username'><a href='#http-authentication-username'>Username (--http-authentication-username)</a></h4>
**Expects**: `string`
**Default**: `disabled`
**Multiple invocations?**: `no`
Username to use for HTTP authentication.
<h4 name='http-authentication-password'><a href='#http-authentication-password'>Password (--http-authentication-password)</a></h4>
**Expects**: `string`
**Default**: `disabled`
**Multiple invocations?**: `no`
Password to use for HTTP authentication.
<h3 name='http-proxy'><a href='#http-proxy'>Proxy (--http-proxy)</a></h3>
**Expects**: `server:port`
**Default**: `disabled`
**Multiple invocations?**: `no`
Sets a proxy server for the client.
<h3 name='http-proxy-authentication'><a href='#http-proxy-authentication'>Proxy authentication (--http-proxy-authentication)</a></h3>
**Expects**: `username:password`
**Default**: `disabled`
**Multiple invocations?**: `no`
Sets authentication credentials for the specified proxy server.
<h3 name='http-proxy-type'><a href='#http-proxy-type'>Proxy type (--http-proxy-type)</a></h3>
**Expects**: `http, http_1_0, socks4, socks5, socks4a`
**Default**: `auto`
**Multiple invocations?**: `no`
Sets the protocol for the specified proxy server.
<h3 name='http-ssl-verify-peer'><a href='#http-ssl-verify-peer'>SSL verify peer (--http-ssl-verify-peer)</a></h3>
**Expects**: `n/a`
**Default**: `disabled`
**Multiple invocations?**: `no`
Verify SSL peer.
<h3 name='http-ssl-verify-host'><a href='#http-ssl-verify-host'>SSL verify host (--http-ssl-verify-host)</a></h3>
**Expects**: `n/a`
**Default**: `disabled`
**Multiple invocations?**: `no`
Verify SSL host.
<h3 name='http-ssl-certificate'><a href='#http-ssl-certificate'>SSL certificate (--http-ssl-certificate)</a></h3>
**Expects**: `filepath`
**Default**: `disabled`
**Multiple invocations?**: `no`
SSL certificate to use.
<h3 name='http-ssl-certificate-type'><a href='#http-ssl-certificate-type'>SSL certificate type (--http-ssl-certificate-type)</a></h3>
**Expects**: `pem,der`
**Default**: `pem`
**Multiple invocations?**: `no`
SSL certificate type.
<h3 name='http-ssl-key'><a href='#http-ssl-key'>SSL key (--http-ssl-key)</a></h3>
**Expects**: `filepath`
**Default**: `disabled`
**Multiple invocations?**: `no`
SSL private key to use.
<h3 name='http-ssl-key-type'><a href='#http-ssl-key-type'>SSL key type (--http-ssl-key-type)</a></h3>
**Expects**: `pem,der`
**Default**: `pem`
**Multiple invocations?**: `no`
SSL private key type.
<h3 name='http-ssl-key-password'><a href='#http-ssl-key-password'>SSL key password (--http-ssl-key-password)</a></h3>
**Expects**: `string`
**Default**: `disabled`
**Multiple invocations?**: `no`
Password for the SSL private key.
<h3 name='http-ssl-ca'><a href='#http-ssl-ca'>SSL CA (--http-ssl-ca)</a></h3>
**Expects**: `filepath`
**Default**: `disabled`
**Multiple invocations?**: `no`
File holding one or more certificates with which to verify the peer.
<h3 name='http-ssl-ca-directory'><a href='#http-ssl-ca-directory'>SSL CA directory (--http-ssl-ca-directory)</a></h3>
**Expects**: `path`
**Default**: `disabled`
**Multiple invocations?**: `no`
Directory holding multiple certificate files with which to verify the peer.
<h3 name='http-ssl-version'><a href='#http-ssl-version'>SSL version (--http-ssl-version)</a></h3>
**Expects**: `TLSv1,TLSv1_0,TLSv1_1,TLSv1_2,SSLv2,SSLv3`
**Default**: `auto`
**Multiple invocations?**: `no`
SSL version to use.
<h2 name='input'><a href='#input'>Input</a></h2>
<h3 name='input-value'><a href='#input-value'>Value (--input-value)</a></h3>
**Expects**: `pattern:value`
**Default**: `disabled`
**Multiple invocations?**: `yes`
Sets a value for inputs whose name matches the pattern.
<h3 name='input-values-file'><a href='#input-values-file'>Values file (--input-values-file)</a></h3>
**Expects**: `filepath`
**Default**: `disabled`
**Multiple invocations?**: `no`
YAML file containing a `Hash` object with regular expressions, to match against input names, as keys and input values as values.
<h3 name='input-without-defaults'><a href='#input-without-defaults'>Without defaults (--input-without-defaults)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
If enabled, system default values won't be used.
<h3 name='input-force'><a href='#input-force'>Force (--input-force)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
Forces the system to fill-in even non-empty inputs.
<h2 name='checks'><a href='#checks'>Checks</a></h2>
<h3 name='checks-list'><a href='#checks-list'>List (--checks-list)</a></h3>
**Expects**: `pattern`
**Default**: `disabled`
**Multiple invocations?**: `yes`
Lists all available checks.
If an option has been provided, it will be treated as a pattern and be used to filter the displayed checks.
<h3 name='checks-checks'><a href='#checks-checks'>Load (--checks)</a></h3>
**Expects**: `string,string`
**Default**: `* (all)`
**Multiple invocations?**: `no`
Loads the given checks, by name.
You can specify the checks to load as comma separated values (without spaces) or `*` to load all.
You can prevent checks from being loaded by prefixing their name with a dash (`-`).
**Note**: Checks are referenced by their filename without the `.rb` extension, use `--checks-list` to see all.
<h4 name='checks-checks_example'><a href='#checks_checks_example'>Example</a></h4>
As CSV:
```
arachni --checks=xss,sqli,path_traversal http://example.com/
```
All:
```
arachni http://example.com/
```
Excluding checks:
```
arachni --checks=*,-backup_files,-xss http://example.com/
```
The above will load all checks except for the `backup_files` and `xss` ones.
<h2 name='plugins'><a href='#plugins'>Plugins</a></h2>
<h3 name='plugins-list'><a href='#plugins-list'>List (--plugins-list)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
Lists all available plugins.
<h3 name='plugin'><a href='#plugin'>Load (--plugin)</a></h3>
**Expects**: `string`
**Default**: `disabled`
**Multiple invocations?**: `yes`
Loads a plugin by name and configures it with the given options.
**Note**: Plugins are referenced by their filename without the `.rb` extension, use `--plugins-list` to see all.
<h4 name='plugin_example'><a href='#plugin_example'>Example</a></h4>
Excluding the logout URL and running the `autologin` plugin to automatically log in to a web application:
```
arachni http://testfire.net --scope-page-limit=1 --checks=xss \
--plugin=autologin:url=http://testfire.net/bank/login.aspx,parameters='uid=jsmith&passw=Demo1234',check='Sign Off|MY ACCOUNT' \
--scope-exclude-pattern logout
```
<h2 name='platforms'><a href='#platforms'>Platforms</a></h2>
<h3 name='platforms-list'><a href='#platforms-list'>List (--platforms-list)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
Lists all available platforms.
<h3 name='platforms-no-fingerprinting'><a href='#platforms-no-fingerprinting'>Disable fingerprinting (--platforms-no-fingerprinting)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
Disables platform fingerprinting and results in all audit payloads being sent to the webapp.
<h3 name='platforms-platforms'><a href='#platforms-platforms'>Configure (--platforms)</a></h3>
**Expects**: `string,string,...`
**Default**: `auto`
**Multiple invocations?**: `no`
Explicitly sets the platforms for the remote web application. You can use this to help
the system be more efficient in its scan.
<h2 name='session'><a href='#session'>Session</a></h2>
<h3 name='session-check-url'><a href='#session-check-url'>Check URL (--session-check-url)</a></h3>
**Expects**: `string`
**Default**: `disabled`
**Multiple invocations?**: `no`
**Requires**: [session-check-pattern](#session-check-pattern)
The URL passed to this option will be used to verify that the system is still
logged in to the web application.
If the HTTP response body of the URL matches the [session-check-pattern](#session-check-pattern)
this should indicate that the system is logged in.
<h3 name='session-check-pattern'><a href='#session-check-pattern'>Check pattern (--session-check-pattern)</a></h3>
**Expects**: `string`
**Default**: `disabled`
**Multiple invocations?**: `no`
**Requires**: [session-check-url](#session-check-url)
A pattern used against the body of the [session-check-url](#session-check-url) to
verify that the system is still logged in to the web application.
A positive match should indicate that the system is logged in.
<h2 name='profiles'><a href='#profiles'>Profiles</a></h2>
<h3 name='profile-save-filepath'><a href='#profile-save-filepath'>Save (--profile-save-filepath)</a></h3>
**Expects**: `filepath`
**Default**: `disabled`
**Multiple invocations?**: `no`
This option allows you to save your current running configuration, all the options passed to Arachni, to an Arachni Framework Profile (`.afp`) file.
<h3 name='profile-load-filepath'><a href='#profile-load-filepath'>Load (--profile-load-filepath)</a></h3>
**Expects**: `filepath`
**Default**: `disabled`
**Multiple invocations?**: `no`
This option allows you to load and run a saved profile.
**Note**: This option does not impede your ability to specify more options or resave the profile.
<h2 name='browser-cluster'><a href='#browser-cluster'>Browser cluster</a></h2>
<h3 name='browser-cluster-local-storage'><a href='#browser-cluster-local-storage'>Local storage (--browser-cluster-local-storage)</a></h3>
**Expects**: `filepath`
**Default**: `disabled`
**Multiple invocations?**: `no`
Populates the browsers' local storage from the JSON data found in the specified file.
<h3 name='browser-cluster-wait-for-element'><a href='#browser-cluster-wait-for-element'>Wait for element (--browser-cluster-wait-for-element)</a></h3>
**Expects**: `PATTERN:CSS`
**Default**: `disabled`
**Multiple invocations?**: `yes`
Wait for element matching the `CSS` selector to appear when visiting a page whose URL matches the `PATTERN`.
**Note**: There is no special timeout setting for this operation, the global <a href='#browser-cluster-job-timeout'>browser cluster job timeout</a> option will be enforced.
<h4 name='browser-cluster-wait-for-element_example'><a href='#browser-cluster-wait-for-element_example'>Example</a></h4>
To wait for an element with an ID attribute of `myElement` to appear when visiting a page whose URL includes the string `withElement` (like: `http://example.com/blah#withElement`):
```
--browser-cluster-wait-for-element='withElement:#myElement'
```
Sometimes it is necessary to wait for an element on a page whose URL does not include a string. This is common for client-side MVC frameworks when the seed URL includes no route in the fragment section.
In this case, in order to wait for an element with an ID attribute of `myElement` when the URL has no hash (`#`) part:
```
--browser-cluster-wait-for-element='^((?!#).)*$:#myElement'
```
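To check which pages each of the two rules above would fire on before starting a scan, the patterns can be tried against sample URLs. This Ruby code is an added example, not Arachni's own; it assumes each `PATTERN` is compiled as an unanchored Ruby regular expression and tested against the full URL, and the helper names and sample URLs are constructed.

```ruby
# PATTERN => CSS pairs, both taken from the examples above.
WAIT_RULES = {
  'withElement' => '#myElement',
  '^((?!#).)*$' => '#myElement'
}.freeze

# Constructed sample URLs covering the cases discussed above.
SAMPLE_URLS = [
  'http://example.com/blah#withElement', # fragment contains the string
  'http://example.com/',                 # seed URL, no fragment at all
  'http://example.com/#/users',          # client-side route in the fragment
  'http://example.com/withElement'       # string in the path, no fragment
].freeze

# Compile every PATTERN up front so that a typo fails before the scan starts
# instead of silently never matching during it.
def compile_rules(rules)
  rules.map do |pattern, css|
    begin
      [Regexp.new(pattern), css]
    rescue RegexpError => e
      raise ArgumentError, "invalid PATTERN #{pattern.inspect}: #{e.message}"
    end
  end
end

# Returns the PATTERN source of every rule that matches the given URL.
def rules_firing_for(url, rules = WAIT_RULES)
  compile_rules(rules)
    .select { |regexp, _css| regexp.match?(url) }
    .map { |regexp, _css| regexp.source }
end

# Returns the URLs no rule matches, i.e. pages the browser would not wait on.
def urls_without_rule(urls, rules = WAIT_RULES)
  urls.select { |url| rules_firing_for(url, rules).empty? }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_URLS.each do |url|
    puts format('%-38s %s', url, rules_firing_for(url).inspect)
  end
  puts "not covered: #{urls_without_rule(SAMPLE_URLS).inspect}"
end
```

A URL that carries a fragment other than `withElement` matches neither rule, and a URL with the string in its path and no fragment matches both.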
<h3 name='browser-cluster-pool-size'><a href='#browser-cluster-pool-size'>Pool size (--browser-cluster-pool-size)</a></h3>
**Expects**: `integer`
**Default**: `6`
**Multiple invocations?**: `no`
Amount of browser workers (processes) to maintain in the pool.
<h3 name='browser-cluster-job-timeout'><a href='#browser-cluster-job-timeout'>Job timeout (--browser-cluster-job-timeout)</a></h3>
**Expects**: `integer`
**Default**: `25`
**Multiple invocations?**: `no`
Maximum allowed time for each job, measured in seconds.
<h3 name='browser-cluster-worker-time-to-live'><a href='#browser-cluster-worker-time-to-live'>Worker time to live (--browser-cluster-worker-time-to-live)</a></h3>
**Expects**: `integer`
**Default**: `100`
**Multiple invocations?**: `no`
Amount of jobs each worker should process before having its process respawned.
**Note**: Mainly used to prevent individual browser processes from accumulating too much RAM.
<h3 name='browser-cluster-ignore-images'><a href='#browser-cluster-ignore-images'>Ignore images (--browser-cluster-ignore-images)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
If enabled, the browsers will not load any images.
<h3 name='browser-cluster-screen-width'><a href='#browser-cluster-screen-width'>Screen width (--browser-cluster-screen-width)</a></h3>
**Expects**: `integer`
**Default**: `1600`
**Multiple invocations?**: `no`
Sets the browsers' screen width.
**Note**: Can be used to test responsive and mobile applications.
<h3 name='browser-cluster-screen-height'><a href='#browser-cluster-screen-height'>Screen height (--browser-cluster-screen-height)</a></h3>
**Expects**: `integer`
**Default**: `1200`
**Multiple invocations?**: `no`
Sets the browsers' screen height.
**Note**: Can be used to test responsive and mobile applications.
<h2 name='report'><a href='#report'>Report</a></h2>
<h3 name='report-save-path'><a href='#report-save-path'>Save path (--report-save-path)</a></h3>
**Expects**: `string`
**Default**: `.`
**Multiple invocations?**: `no`
Directory or file path where to store the scan report.
**Note**: You can use the generated file to create reports in several formats with the `arachni_reporter` executable.
<h2 name='snapshot'><a href='#snapshot'>Snapshot</a></h2>
<h3 name='snapshot-save-path'><a href='#snapshot-save-path'>Save path (--snapshot-save-path)</a></h3>
**Expects**: `string`
**Default**: `.`
**Multiple invocations?**: `no`
Directory or file path where to store the snapshot of a suspended scan.
**Note**: You can use the generated file to resume the scan with the `arachni_restore` executable.
<h2 name='timeout'><a href='#timeout'>Timeout</a></h2>
<h3 name='timeout-timeout'><a href='#timeout-timeout'>Timeout (--timeout)</a></h3>
**Expects**: `hours:minutes:seconds`
**Default**: `infinite`
**Multiple invocations?**: `no`
Maximum amount of time to allow the scan to run.
<h3 name='timeout-suspend'><a href='#timeout-suspend'>Suspend (--timeout-suspend)</a></h3>
**Expects**: `<n/a>`
**Default**: `disabled`
**Multiple invocations?**: `no`
If enabled, the scan will be suspended when the `--timeout` is reached, instead of being aborted.
<h2 name='cli_help_output'><a href='#cli_help_output'>CLI Help Output</a></h2>
```
$ arachni -h
Arachni - Web Application Security Scanner Framework v1.3.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
Usage: ./bin/arachni [options] URL
Generic
-h, --help Output this message.
--version Show version information.
--authorized-by EMAIL_ADDRESS
E-mail address of the person who authorized the scan.
(It'll make it easier on the sys-admins during log reviews.)
(Will be used as a value for the 'From' HTTP request header.)
Output
--output-verbose Show verbose output.
--output-debug [LEVEL 1-3]
Show debugging information.
--output-only-positives Only output positive results.
Scope
--scope-include-pattern PATTERN
Only include resources whose path/action matches PATTERN.
(Can be used multiple times.)
--scope-include-subdomains
Follow links to subdomains.
(Default: false)
--scope-exclude-pattern PATTERN
Exclude resources whose path/action matches PATTERN.
(Can be used multiple times.)
--scope-exclude-content-pattern PATTERN
Exclude pages whose content matches PATTERN.
(Can be used multiple times.)
--scope-exclude-binaries
Exclude non text-based pages.
(Binary content can confuse passive checks that perform pattern matching.)
--scope-redundant-path-pattern PATTERN:LIMIT
Limit crawl on redundant pages like galleries or catalogs.
(URLs matching PATTERN will be crawled LIMIT amount of times.)
(Can be used multiple times.)
--scope-auto-redundant [LIMIT]
Only follow URLs with identical query parameter names LIMIT amount of times.
(Default: 10)
--scope-directory-depth-limit LIMIT
Directory depth limit.
(Default: inf)
(How deep Arachni should go into the site structure.)
--scope-page-limit LIMIT
How many pages to crawl and audit.
(Default: inf)
--scope-extend-paths FILE
Add the paths in FILE to the ones discovered by the crawler.
(Can be used multiple times.)
--scope-restrict-paths FILE
Use the paths in FILE instead of crawling.
(Can be used multiple times.)
--scope-url-rewrite PATTERN:SUBSTITUTION
Rewrite URLs based on the given PATTERN and SUBSTITUTION.
To convert: http://example.com/articles/some-stuff/23 to http://example.com/articles.php?id=23
Use: articles/[\w-]+/(\d+):articles.php?id=\1
--scope-dom-depth-limit LIMIT
How deep to go into the DOM tree of each page, for pages with JavaScript code.
(Default: 5)
(Setting it to '0' will disable browser analysis.)
--scope-https-only Forces the system to only follow HTTPS URLs.
(Default: false)
Audit
--audit-links Audit links.
--audit-forms Audit forms.
--audit-cookies Audit cookies.
--audit-cookies-extensively
Submit all links and forms of the page along with the cookie permutations.
(*WARNING*: This will severely increase the scan-time.)
--audit-headers Audit headers.
--audit-link-template TEMPLATE
Regular expression with named captures to use to extract input information from generic paths.
To extract the 'input1' and 'input2' inputs from:
http://example.com/input1/value1/input2/value2
Use:
input1/(?<input1>\w+)/input2/(?<input2>\w+)
(Can be used multiple times.)
--audit-jsons Audit JSON request inputs.
--audit-xmls Audit XML request inputs.
--audit-ui-inputs Audit orphan Input elements with events.
--audit-ui-forms Audit UI Forms.
Input and button groups that do not belong to a parent <form> element.
--audit-parameter-names Inject payloads into parameter names.
--audit-with-extra-parameter
Inject payloads into extra element parameters.
--audit-with-both-methods
Audit elements with both GET and POST requests.
(*WARNING*: This will severely increase the scan-time.)
--audit-exclude-vector PATTERN
Exclude input vectorS whose name matches PATTERN.
(Can be used multiple times.)
--audit-include-vector PATTERN
Include only input vectors whose name matches PATTERN.
(Can be used multiple times.)
Input
--input-value PATTERN:VALUE
PATTERN to match against input names and VALUE to use for them.
(Can be used multiple times.)
--input-values-file FILE
YAML file containing a Hash object with regular expressions, to match against input names, as keys and input values as values.
--input-without-defaults
Do not use the system default input values.
--input-force Fill-in even non-empty inputs.
HTTP
--http-user-agent USER_AGENT
Value for the 'User-Agent' HTTP request header.
(Default: Arachni/v1.3.2)
--http-request-concurrency MAX_CONCURRENCY
Maximum HTTP request concurrency.
(Default: 20)
(Be careful not to kill your server.)
(*NOTE*: If your scan seems unresponsive try lowering the limit.)
--http-request-timeout TIMEOUT
HTTP request timeout in milliseconds.
(Default: 10000)
--http-request-redirect-limit LIMIT
Maximum amount of redirects to follow for each HTTP request.
(Default: 5)
--http-request-queue-size QUEUE_SIZE
Maximum amount of requests to keep in the queue.
Bigger size means better scheduling and better performance,
smaller means less RAM consumption.
(Default: 100)
--http-request-header NAME=VALUE
Specify custom headers to be included in the HTTP requests.
(Can be used multiple times.)
--http-response-max-size LIMIT
Do not download response bodies larger than the specified LIMIT, in bytes.
(Default: 500000)
--http-cookie-jar COOKIE_JAR_FILE
Netscape-styled HTTP cookiejar file.
--http-cookie-string COOKIE
Cookie representation as an 'Cookie' HTTP request header.
--http-authentication-username USERNAME
Username for HTTP authentication.
--http-authentication-password PASSWORD
Password for HTTP authentication.
--http-proxy ADDRESS:PORT
Proxy to use.
--http-proxy-authentication USERNAME:PASSWORD
Proxy authentication credentials.
--http-proxy-type http,http_1_0,socks4,socks5,socks4a
Proxy type.
(Default: auto)
--http-ssl-verify-peer Verify SSL peer.
(Default: false)
--http-ssl-verify-host Verify SSL host.
(Default: false)
--http-ssl-certificate PATH
SSL certificate to use.
--http-ssl-certificate-type pem,der
SSL certificate type.
--http-ssl-key PATH SSL private key to use.
--http-ssl-key-type pem,der
SSL key type.
--http-ssl-key-password PASSWORD
Password for the SSL private key.
--http-ssl-ca PATH File holding one or more certificates with which to verify the peer.
--http-ssl-ca-directory PATH
Directory holding multiple certificate files with which to verify the peer.
--http-ssl-version TLSv1,TLSv1_0,TLSv1_1,TLSv1_2,SSLv2,SSLv3
SSL version to use.
Checks
--checks-list [PATTERN] List available checks based on the provided pattern.
(If no pattern is provided all checks will be listed.)
--checks CHECK,CHECK2,...
Comma separated list of checks to load.
Checks are referenced by their filename without the '.rb' extension, use '--checks-list' to list all.
Use '*' as a check name to load all checks or as a wildcard, like so:
xss* to load all XSS checks
sql_injection* to load all SQL injection checks
etc.
You can exclude checks by prefixing their name with a minus sign:
--checks=*,-backup_files,-xss
The above will load all checks except for the 'backup_files' and 'xss' checks.
Or mix and match:
-xss* to unload all XSS checks.
Plugins
--plugins-list [PATTERN]
List available plugins based on the provided pattern.
(If no pattern is provided all plugins will be listed.)
--plugin 'PLUGIN:OPTION=VALUE,OPTION2=VALUE2'
PLUGIN is the name of the plugin as displayed by '--plugins-list'.
(Plugins are referenced by their filename without the '.rb' extension, use '--plugins-list' to list all.)
(Can be used multiple times.)
Platforms
--platforms-list List available platforms.
--platforms-no-fingerprinting
Disable platform fingerprinting.
(By default, the system will try to identify the deployed server-side platforms automatically
in order to avoid sending irrelevant payloads.)
--platforms PLATFORM,PLATFORM2,...
Comma separated list of platforms (by shortname) to audit.
(The given platforms will be used *in addition* to fingerprinting. In order to restrict the audit to
these platforms enable the '--platforms-no-fingerprinting' option.)
Session
--session-check-url URL URL to use to verify that the scanner is still logged in to the web application.
(Requires 'session-check-pattern'.)
--session-check-pattern PATTERN
Pattern used against the body of the 'session-check-url' to verify that the scanner is still logged in to the web application.
(Requires 'session-check-url'.)
Profiles
--profile-save-filepath FILEPATH
Save the current configuration profile/options to FILEPATH.
--profile-load-filepath FILEPATH
Load a configuration profile from FILEPATH.
Browser cluster
--browser-cluster-local-storage FILE
Sets the browsers' local storage using the JSON data in FILE.
--browser-cluster-wait-for-element PATTERN:CSS
Wait for element matching CSS to appear when visiting a page whose URL matches the PATTERN.
--browser-cluster-pool-size SIZE
Amount of browser workers to keep in the pool and put to work.
(Default: 6)
--browser-cluster-job-timeout SECONDS
Maximum allowed time for each job.
(Default: 25)
--browser-cluster-worker-time-to-live LIMIT
Re-spawn the browser of each worker every LIMIT jobs.
(Default: 100)
--browser-cluster-ignore-images
Do not load images.
--browser-cluster-screen-width
Browser screen width.
(Default: 1600)
--browser-cluster-screen-height
Browser screen height.
(Default: 1200)
Report
--report-save-path PATH Directory or file path where to store the scan report.
You can use the generated file to create reports in several formats with the 'arachni_reporter' executable.
Snapshot
--snapshot-save-path PATH
Directory or file path where to store the snapshot of a suspended scan.
You can use the generated file to resume the scan with the 'arachni_restore' executable.
Timeout
--timeout HOURS:MINUTES:SECONDS
Stop the scan after the given duration is exceeded.
--timeout-suspend Suspend after the timeout.
You can use the generated file to resume the scan with the 'arachni_restore' executable.
```