... | @@ -117,21 +117,14 @@ in the [knowledge base](http://support.arachni-scanner.com/kb/). |
... | @@ -117,21 +117,14 @@ in the [knowledge base](http://support.arachni-scanner.com/kb/). |
|
* [Cookies extensively (--audit-cookies-extensively)](#audit-cookies-extensively)
|
|
* [Cookies extensively (--audit-cookies-extensively)](#audit-cookies-extensively)
|
|
* [Headers (--audit-headers)](#audit-headers)
|
|
* [Headers (--audit-headers)](#audit-headers)
|
|
* [Link template (--audit-link-template)](#audit-link-template)
|
|
* [Link template (--audit-link-template)](#audit-link-template)
|
|
|
|
* [Example](#audit-link-template_example)
|
|
* [With both methods (--with-both-meth)](#fuzz-methods)
|
|
* [With both methods (--with-both-meth)](#fuzz-methods)
|
|
* [Exclude vector (--audit-exclude-vector)](#audit-exclude-vector)
|
|
* [Exclude vector (--audit-exclude-vector)](#audit-exclude-vector)
|
|
* [Include vector (--audit-include-vector)](#audit-include-vector)
|
|
* [Include vector (--audit-include-vector)](#audit-include-vector)
|
|
* [Modules](#modules)
|
|
* [Checks](#checks)
|
|
* [List modules (--lsmod)](#lsmod)
|
|
* [List (--checks-list)](#checks-list)
|
|
* [Example](#lsmod_example)
|
|
* [Checks (--checks)](#checks-checks)
|
|
* [Modules (--modules/-m)](#modules-modules)
|
|
* [Example](#checks-checks_example)
|
|
* [Example](#mods_example)
|
|
|
|
* [Reports](#reports)
|
|
|
|
* [List reports (--lsrep)](#lsrep)
|
|
|
|
* [Example](#lsrep_example)
|
|
|
|
* [Load a report (--repload)](#repload)
|
|
|
|
* [Example](#repload_example)
|
|
|
|
* [Report (--report)](#report)
|
|
|
|
* [Example](#report_example)
|
|
|
|
* [Plugins](#plugins)
|
|
* [Plugins](#plugins)
|
|
* [List plugins (--lsplug)](#lsplug)
|
|
* [List plugins (--lsplug)](#lsplug)
|
|
* [Example](#lsplug_example)
|
|
* [Example](#lsplug_example)
|
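Review bot: The table of contents drops the three Reports entries (List reports `--lsrep`, Load a report `--repload`, Report `--report`) together with their Example entries, and the renamed check entry loses the short flag: `Modules (--modules/-m)` becomes `Checks (--checks)`. If `-m` is still accepted as an alias, keep it in the heading so existing command lines can be matched to the docs; if it has been removed, a one-line migration note next to the Checks entry would save readers a failed invocation. Also confirm that the report options are documented elsewhere once their section goes, since the report output is what most automation consumes from a scan.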
... | @@ -904,621 +897,54 @@ Don't audit input vectors whose name matches the pattern. |
... | @@ -904,621 +897,54 @@ Don't audit input vectors whose name matches the pattern. |
|
|
|
|
|
Only audit input vectors whose name matches the pattern.
|
|
Only audit input vectors whose name matches the pattern.
|
|
|
|
|
|
<h2 id='modules'><a href='#modules'>Modules</a></h2>
|
|
<h2 id='checks'><a href='#checks'>Checks</a></h2>
|
|
|
|
|
|
<h3 id='lsmod'><a href='#lsmod'>List modules (--lsmod)</a></h3>
|
|
<h3 id='checks-list'><a href='#checks-list'>List (--checks-list)</a></h3>
|
|
|
|
|
|
**Expects**: `regular expression`
|
|
**Expects**: `pattern`
|
|
|
|
|
|
**Default**: `disabled OR .*`
|
|
**Default**: `disabled`
|
|
|
|
|
|
**Multiple invocations?**: `yes`
|
|
**Multiple invocations?**: `yes`
|
|
|
|
|
|
|
|
|
|
Tells Arachni to list all available modules based on the regular expressions provided and exit.
|
|
Lists all available checks.
|
|
|
|
|
|
<h4 id='lsmod_example'><a href='#lsmod_example'>Example</a></h4>
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
$ arachni --lsmod
|
|
|
|
Arachni - Web Application Security Scanner Framework v0.4.2
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
|
|
Website: http://arachni-scanner.com
|
|
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
|
|
[~] No modules were specified.
|
|
|
|
[~] -> Will run all mods.
|
|
|
|
|
|
|
|
[~] No audit options were specified.
|
|
|
|
[~] -> Will audit links, forms and cookies.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[~] Available modules:
|
|
|
|
|
|
|
|
[*] code_injection:
|
|
|
|
--------------------
|
|
|
|
Name: Code injection
|
|
|
|
Description: It tries to inject code snippets into the
|
|
|
|
web application and assess whether or not the injection
|
|
|
|
was successful.
|
|
|
|
Elements: form, link, cookie, header
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.6
|
|
|
|
References:
|
|
|
|
[~] PHP http://php.net/manual/en/function.eval.php
|
|
|
|
[~] Perl http://perldoc.perl.org/functions/eval.html
|
|
|
|
[~] Python http://docs.python.org/py3k/library/functions.html#eval
|
|
|
|
[~] ASP http://www.aspdev.org/asp/asp-eval-execute/
|
|
|
|
[~] Ruby http://en.wikipedia.org/wiki/Eval#Ruby
|
|
|
|
Targets:
|
|
|
|
[~] PHP
|
|
|
|
[~] Perl
|
|
|
|
[~] Python
|
|
|
|
[~] ASP
|
|
|
|
[~] Ruby
|
|
|
|
Metasploitable: unix/webapp/arachni_php_eval
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/code_injection.rb
|
|
|
|
|
|
|
|
[*] path_traversal:
|
|
|
|
--------------------
|
|
|
|
Name: PathTraversal
|
|
|
|
Description: It injects paths of common files (/etc/passwd and boot.ini)
|
|
|
|
and evaluates the existence of a path traversal vulnerability
|
|
|
|
based on the presence of relevant content in the HTML responses.
|
|
|
|
Elements: form, link, cookie, header
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.2.6
|
|
|
|
References:
|
|
|
|
[~] OWASP http://www.owasp.org/index.php/Path_Traversal
|
|
|
|
[~] WASC http://projects.webappsec.org/Path-Traversal
|
|
|
|
Targets:
|
|
|
|
[~] Unix
|
|
|
|
[~] Windows
|
|
|
|
[~] Tomcat
|
|
|
|
Metasploitable: unix/webapp/arachni_path_traversal
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/path_traversal.rb
|
|
|
|
|
|
|
|
[*] sqli_blind_rdiff:
|
|
|
|
--------------------
|
|
|
|
Name: Blind (rDiff) SQL Injection
|
|
|
|
Description: It uses rDiff analysis to decide how different inputs affect
|
|
|
|
the behavior of the the web pages.
|
|
|
|
Using that as a basis it extrapolates about what inputs are vulnerable to blind SQL injection.
|
|
|
|
(Note: This module may get confused by certain types of XSS vulnerabilities.
|
|
|
|
If this module returns a positive result you should investigate nonetheless.)
|
|
|
|
Elements: link, form, cookie
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.3.2
|
|
|
|
References:
|
|
|
|
[~] OWASP http://www.owasp.org/index.php/Blind_SQL_Injection
|
|
|
|
[~] MITRE - CAPEC http://capec.mitre.org/data/definitions/7.html
|
|
|
|
Targets:
|
|
|
|
[~] Generic
|
|
|
|
Metasploitable: unix/webapp/arachni_sqlmap
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/sqli_blind_rdiff.rb
|
|
|
|
|
|
|
|
Hit <space> <enter> to continue, any other key to exit.
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
You can filter module listing like so:
|
|
|
|
|
|
|
|
```
|
|
|
|
$ arachni --lsmod=xss --lsmod=path
|
|
|
|
Arachni - Web Application Security Scanner Framework v0.4.2
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
|
|
Website: http://arachni-scanner.com
|
|
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
If an option has been provided, it will be treated as a pattern and be used to filter the displayed checks.
|
|
|
|
|
|
[~] No modules were specified.
|
|
<h3 id='checks-checks'><a href='#checks-checks'>Checks (--checks)</a></h3>
|
|
[~] -> Will run all mods.
|
|
|
|
|
|
|
|
[~] No audit options were specified.
|
|
|
|
[~] -> Will audit links, forms and cookies.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
**Expects**: `string,string`
|
|
|
|
|
|
[~] Available modules:
|
|
**Default**: `* (all)`
|
|
|
|
|
|
[*] xss_path:
|
|
|
|
--------------------
|
|
|
|
Name: XSSPath
|
|
|
|
Description: Cross-Site Scripting module for path injection
|
|
|
|
Elements: path
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.8
|
|
|
|
References:
|
|
|
|
[~] ha.ckers http://ha.ckers.org/xss.html
|
|
|
|
[~] Secunia http://secunia.com/advisories/9716/
|
|
|
|
Targets:
|
|
|
|
[~] Generic
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/xss_path.rb
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<h3 id='modules-modules'><a href='#modules-modules'>Modules (--modules/-m)</a></h3>
|
|
|
|
|
|
|
|
**Expects**: `modname,modname,... OR '*'`
|
|
|
|
|
|
|
|
**Default**: `'*' -- all modules`
|
|
|
|
|
|
|
|
**Multiple invocations?**: `no`
|
|
**Multiple invocations?**: `no`
|
|
|
|
|
|
|
|
|
|
Tells Arachni which modules to load.
|
|
Loads the given checks, by name.
|
|
|
|
|
|
Modules are referenced by their filename without the `.rb` extension, use `--lsmod` to see all.
|
|
Checks are referenced by their filename without the `.rb` extension, use `--checks-list` to see all.
|
|
|
|
|
|
You can specify the modules to load as comma separated values (without spaces) or `*` to load all modules.
|
|
You can specify the checks to load as comma separated values (without spaces) or `*` to load all.
|
|
You can prevent modules from loading by prefixing their name with a dash (`-`).
|
|
You can prevent checks from being loaded by prefixing their name with a dash (`-`).
|
|
|
|
|
|
|
|
<h4 id='checks-checks_example'><a href='#checks_checks_example'>Example</a></h4>
|
|
<h4 id='mods_example'><a href='#mods_example'>Example</a></h4>
|
|
|
|
|
|
|
|
As CSV:
|
|
As CSV:
|
|
|
|
|
|
$ arachni --modules=xss,sqli,path_traversal http://localhost/
|
|
arachni --checks=xss,sqli,path_traversal http://example.com/
|
|
|
|
|
|
|
|
|
|
All modules:
|
|
|
|
|
|
|
|
$ arachni http://localhost/
|
|
|
|
|
|
|
|
|
|
|
|
Excluding modules:
|
|
|
|
|
|
|
|
$ arachni --modules=*,-backup_files,-xss http://www.test.com
|
|
|
|
|
|
|
|
The above will load all modules except for the _backup_files_ and _xss_ modules.
|
|
|
|
|
|
|
|
<h2 id='reports'><a href='#reports'>Reports</a></h2>
|
|
|
|
|
|
|
|
<h3 id='lsrep'><a href='#lsrep'>List reports (--lsrep)</a></h3>
|
|
|
|
|
|
|
|
**Expects**: `<n/a>`
|
|
|
|
|
|
|
|
**Default**: `disabled`
|
|
|
|
|
|
|
|
**Multiple invocations?**: `no`
|
|
|
|
|
|
|
|
|
|
|
|
Lists all available reports.
|
|
|
|
|
|
|
|
<h4 id='lsrep_example'><a href='#lsrep_example'>Example</a></h4>
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
$ arachni --lsrep
|
|
|
|
Arachni - Web Application Security Scanner Framework v0.4.2
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
|
|
Website: http://arachni-scanner.com
|
|
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
|
|
[~] No modules were specified.
|
|
|
|
[~] -> Will run all mods.
|
|
|
|
|
|
|
|
[~] No audit options were specified.
|
|
|
|
[~] -> Will audit links, forms and cookies.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[~] Available reports:
|
|
|
|
|
|
|
|
[*] yaml:
|
|
All:
|
|
--------------------
|
|
|
|
Name: YAML Report
|
|
|
|
Description: Exports the audit results as a YAML file.
|
|
|
|
Options:
|
|
|
|
[~] outfile - Where to save the report.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default: 2012-09-09 02.41.03 +0300.yaml
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.1
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/yaml.rb
|
|
|
|
|
|
|
|
[*] txt:
|
|
|
|
--------------------
|
|
|
|
Name: Text report
|
|
|
|
Description: Exports a report as a plain text file.
|
|
|
|
Options:
|
|
|
|
[~] outfile - Where to save the report.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default: 2012-09-09 02.41.03 +0300.txt
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.2.1
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/txt.rb
|
|
|
|
|
|
|
|
[*] xml:
|
|
|
|
--------------------
|
|
|
|
Name: XML report
|
|
|
|
Description: Exports a report as an XML file.
|
|
|
|
Options:
|
|
|
|
[~] outfile - Where to save the report.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default: 2012-09-09 02.41.03 +0300.xml
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.2.2
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/xml.rb
|
|
|
|
|
|
|
|
[*] metareport:
|
|
|
|
--------------------
|
|
|
|
Name: Metareport
|
|
|
|
Description: Creates a file to be used with the Arachni MSF plug-in.
|
|
|
|
Options:
|
|
|
|
[~] outfile - Where to save the report.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default: 2012-09-09 02.41.03 +0300.msf
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.1
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/metareport.rb
|
|
|
|
|
|
|
|
[*] afr:
|
|
|
|
--------------------
|
|
|
|
Name: Arachni Framework Report
|
|
|
|
Description: Saves the file in the default Arachni Framework Report (.afr) format.
|
|
|
|
Options:
|
|
|
|
[~] outfile - Where to save the report.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default: 2012-09-09 02.41.03 +0300.afr
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.1
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/afr.rb
|
|
|
|
|
|
|
|
[*] html:
|
|
|
|
--------------------
|
|
|
|
Name: HTML Report
|
|
|
|
Description: Exports a report as an HTML document.
|
|
|
|
Options:
|
|
|
|
[~] tpl - Template to use.
|
|
|
|
[~] Type: path
|
|
|
|
[~] Default: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/html/default.erb
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] outfile - Where to save the report.
|
|
arachni http://example.com/
|
|
[~] Type: string
|
|
|
|
[~] Default: 2012-09-09 02.41.03 +0300.html
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.3.1
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/html.rb
|
|
|
|
|
|
|
|
[*] ap:
|
|
Excluding checks:
|
|
--------------------
|
|
|
|
Name: AP
|
|
|
|
Description: Awesome prints an AuditStore hash.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.1
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/ap.rb
|
|
|
|
|
|
|
|
[*] marshal:
|
|
arachni --checks=*,-backup_files,-xss http://example.com/
|
|
--------------------
|
|
|
|
Name: Marshal Report
|
|
|
|
Description: Exports the audit results as a Marshal file.
|
|
|
|
Options:
|
|
|
|
[~] outfile - Where to save the report.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default: 2012-09-09 02.41.03 +0300.marshal
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.1
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/marshal.rb
|
|
|
|
|
|
|
|
[*] json:
|
|
|
|
--------------------
|
|
|
|
Name: JSON Report
|
|
|
|
Description: Exports the audit results as a JSON file.
|
|
|
|
Options:
|
|
|
|
[~] outfile - Where to save the report.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default: 2012-09-09 02.41.03 +0300.json
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.1
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/json.rb
|
|
|
|
|
|
|
|
[*] stdout:
|
|
|
|
--------------------
|
|
|
|
Name: Stdout
|
|
|
|
Description: Prints the results to standard output.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.2.2
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/stdout.rb
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
<h3 id='repload'><a href='#repload'>Load a report (--repload)</a></h3>
|
|
|
|
|
|
|
|
**Expects**: `Arachni Framework Report (.afr) file`
|
|
|
|
|
|
|
|
**Default**: `disabled`
|
|
|
|
|
|
|
|
**Multiple invocations?**: `no`
|
|
|
|
|
|
|
|
|
|
|
|
Tells Arachni to load an Arachni Framework Report (.afr) file.
|
|
|
|
You can use this option to load a report file and convert it to another format.
|
|
|
|
|
|
|
|
<h4 id='repload_example'><a href='#repload_example'>Example</a></h4>
|
|
|
|
|
|
|
|
Load an AFR report file and send it to the _stdout_ report.
|
|
|
|
|
|
|
|
```
|
|
|
|
$ arachni --repload=2012-09-09\ 02.42.20\ +0300.afr
|
|
|
|
Arachni - Web Application Security Scanner Framework v0.4.2
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
|
|
Website: http://arachni-scanner.com
|
|
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[+] Web Application Security Report - Arachni Framework
|
|
|
|
|
|
|
|
[~] Report generated on: 2012-09-09 02:42:54 +0300
|
|
|
|
[~] Report false positives at: http://github.com/Arachni/arachni/issues
|
|
|
|
|
|
|
|
[+] System settings:
|
|
|
|
[~] ---------------
|
|
|
|
[~] Version: 0.4.1dev
|
|
|
|
[~] Revision: 0.2.7
|
|
|
|
[~] Audit started on: Sun Sep 9 02:42:15 2012
|
|
|
|
[~] Audit finished on: Sun Sep 9 02:42:18 2012
|
|
|
|
[~] Runtime: 00:00:03
|
|
|
|
|
|
|
|
[~] URL: http://testfire.net/
|
|
|
|
[~] User agent: Arachni/v0.4.2
|
|
|
|
|
|
|
|
[*] Audited elements:
|
|
|
|
[~] * Forms
|
|
|
|
|
|
|
|
[*] Modules: xss
|
|
|
|
|
|
|
|
[*] Cookies:
|
|
|
|
[~] ASP.NET_SessionId = zdjkcj2t3qdmmw555alngpbm
|
|
|
|
[~] amSessionId = 203429333847
|
|
|
|
|
|
|
|
[~] =
|
|
|
|
|
|
|
|
[+] 1 issues were detected.
|
|
|
|
|
|
|
|
[+] [1] Cross-Site Scripting (XSS)
|
|
|
|
[~] ~~~~~~~~~~~~~~~~~~~~
|
|
|
|
[~] ID Hash: 106295fcfffa8fea3664f8fb27defe5b81f3dfba2b54c5c7f2bcb63b36246359
|
|
|
|
[~] Severity: High
|
|
|
|
[~] URL: http://testfire.net/search.aspx
|
|
|
|
[~] Element: form
|
|
|
|
[~] Method: GET
|
|
|
|
[~] Tags: xss, regexp, injection, script
|
|
|
|
[~] Variable: txtSearch
|
|
|
|
[~] Description:
|
|
|
|
[~] Client-side code (like JavaScript) can
|
|
|
|
be injected into the web application which is then returned to the user's browser.
|
|
|
|
This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.
|
|
|
|
|
|
|
|
[~] CWE: http://cwe.mitre.org/data/definitions/79.html
|
|
|
|
|
|
|
|
[~] Requires manual verification?: false
|
|
|
|
|
|
|
|
[~] References:
|
|
|
|
[~] ha.ckers - http://ha.ckers.org/xss.html
|
|
|
|
[~] Secunia - http://secunia.com/advisories/9716/
|
|
|
|
|
|
|
|
[*] Variations
|
|
|
|
[~] ----------
|
|
|
|
[~] Variation 1:
|
|
|
|
[~] URL: http://testfire.net/search.aspx
|
|
|
|
[~] Injected value: <some_dangerous_input_851ed9aefabd36fc0ad7d0611c23e1ae561b7caaa28b42ef305a109c9f1cb639/>
|
|
|
|
[~] Regular expression:
|
|
|
|
[~] Matched string: <some_dangerous_input_851ed9aefabd36fc0ad7d0611c23e1ae561b7caaa28b42ef305a109c9f1cb639/>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[+] Plugin data:
|
|
|
|
[~] ---------------
|
|
|
|
|
|
|
|
|
|
|
|
[*] Resolver
|
|
|
|
[~] ~~~~~~~~~~~~~~
|
|
|
|
[~] Description: Resolves vulnerable hostnames to IP addresses.
|
|
|
|
|
|
|
|
[~] testfire.net: 65.61.137.117
|
|
|
|
|
|
|
|
[*] Health map
|
|
|
|
[~] ~~~~~~~~~~~~~~
|
|
|
|
[~] Description: Generates a simple list of safe/unsafe URLs.
|
|
|
|
|
|
|
|
[~] Legend:
|
|
|
|
[+] No issues
|
|
|
|
[-] Has issues
|
|
|
|
|
|
|
|
[+] http://testfire.net/
|
|
|
|
[-] http://testfire.net/search.aspx
|
|
|
|
|
|
|
|
[~] Total: 2
|
|
|
|
[+] Without issues: 1
|
|
|
|
[-] With issues: 1 ( 50% )
|
|
|
|
|
|
|
|
[*] Profiler
|
|
|
|
[~] ~~~~~~~~~~~~~~
|
|
|
|
[~] Description: Examines the behavior of the web application gathering general statistics
|
|
|
|
and performs taint analysis to determine which inputs affect the output.
|
|
|
|
|
|
|
|
It does not perform any vulnerability assessment nor does it send attack payloads.
|
|
|
|
|
|
|
|
[~] Inputs affecting output:
|
|
|
|
|
|
|
|
[+] Form using the 'txtSearch' input at 'http://testfire.net/' pointing to 'http://testfire.net/search.aspx' using 'GET'.
|
|
|
|
[~] It was submitted using the following parameters:
|
|
|
|
[~] * txtSearch = arachni_text023849c38925e2af028a2eb4e1dc41afd7dc7a238195c1c2ae00438d1dae00e1
|
|
|
|
[~]
|
|
|
|
[~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_text023849c38925e2af028a2eb4e1dc41afd7dc7a238195c1c2ae00438d1dae00e1':
|
|
|
|
[~] * Body
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
Load an AFR file and create an HTML report from it.
|
|
|
|
|
|
|
|
```
|
|
|
|
$ arachni --repload=2012-09-09\ 02.42.20\ +0300.afr --report=html
|
|
|
|
Arachni - Web Application Security Scanner Framework v0.4.2
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
|
|
Website: http://arachni-scanner.com
|
|
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[*] Creating HTML report...
|
|
|
|
[*] Saved in '2012-09-09 02.43.42 +0300.html'.
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
<h3 id='report'><a href='#report'>Report (--report)</a></h3>
|
|
|
|
|
|
|
|
**Expects**: `repname`
|
|
|
|
|
|
|
|
**Default**: `stdout`
|
|
|
|
|
|
|
|
**Multiple invocations?**: `yes`
|
|
|
|
|
|
|
|
|
|
|
|
Tells Arachni which report component to use.
|
|
|
|
Reports are referenced by their filename without the `.rb` extension, use `--lsrep` to see all.
|
|
|
|
|
|
|
|
<h4 id='report_example'><a href='#report_example'>Example</a></h4>
|
|
|
|
|
|
|
|
Running the HTML report with an outfile option:
|
|
|
|
|
|
|
|
```
|
|
|
|
$ arachni http://testfire.net --link-count=1 --modules=xss --report=html:outfile=my_html_report.html
|
|
|
|
Arachni - Web Application Security Scanner Framework v0.4.2
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
|
|
Website: http://arachni-scanner.com
|
|
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
|
|
[~] No audit options were specified.
|
|
|
|
[~] -> Will audit links, forms and cookies.
|
|
|
|
|
|
|
|
[*] Initialising...
|
|
|
|
[*] Waiting for plugins to settle...
|
|
|
|
[*] [HTTP: 200] http://testfire.net/
|
|
|
|
[*] Harvesting HTTP responses...
|
|
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
|
|
|
|
|
|
[*] Auditing: [HTTP: 200] http://testfire.net/
|
|
|
|
[*] Profiler: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
|
|
|
|
[*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] Profiler: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] Profiler: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] Harvesting HTTP responses...
|
|
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
|
|
[*] Profiler: Analyzing response #3...
|
|
|
|
[*] Profiler: Analyzing response #4...
|
|
|
|
[~] Trainer: Found 1 new links.
|
|
|
|
[*] Profiler: Analyzing response #5...
|
|
|
|
[*] Profiler: Analyzing response #6...
|
|
|
|
[*] XSS: Analyzing response #9...
|
|
|
|
[*] XSS: Analyzing response #10...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
|
[*] XSS: Analyzing response #13...
|
|
|
|
[*] XSS: Analyzing response #14...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
|
[*] XSS: Analyzing response #17...
|
|
|
|
[*] XSS: Analyzing response #18...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
|
[*] Profiler: Analyzing response #8...
|
|
|
|
[*] Profiler: Analyzing response #7...
|
|
|
|
[*] XSS: Analyzing response #12...
|
|
|
|
[*] XSS: Analyzing response #11...
|
|
|
|
[*] XSS: Analyzing response #15...
|
|
|
|
[*] XSS: Analyzing response #16...
|
|
|
|
[*] XSS: Analyzing response #19...
|
|
|
|
[*] XSS: Analyzing response #20...
|
|
|
|
|
|
|
|
[*] Resolver: Resolving hostnames...
|
|
|
|
[*] Resolver: Done!
|
|
|
|
|
|
|
|
[*] Dumping audit results in '2012-09-09 02.45.19 +0300.afr'.
|
|
|
|
[*] Done!
|
|
|
|
|
|
|
|
[*] Creating HTML report...
|
|
|
|
[*] Saved in 'my_html_report.html'.
|
|
|
|
|
|
|
|
[~] 100.0% [>] 100%
|
|
|
|
[~] Est. remaining time: --:--:--
|
|
|
|
|
|
|
|
[~] Crawler has discovered 2 pages.
|
|
|
|
[~] Audit limited to a max of 1 pages -- excluding 1 pages of Trainer feedback.
|
|
|
|
|
|
|
|
[~] Sent 25 requests.
|
|
|
|
[~] Received and analyzed 25 responses.
|
|
|
|
[~] In 00:00:04
|
|
|
|
[~] Average: 6 requests/second.
|
|
|
|
|
|
|
|
[~] Currently auditing http://testfire.net/search.aspx?txtSearch=
|
|
|
|
[~] Burst response time total 0
|
|
|
|
[~] Burst response count total 0
|
|
|
|
[~] Burst average response time 0
|
|
|
|
[~] Burst average 0 requests/second
|
|
|
|
[~] Timed-out requests 0
|
|
|
|
[~] Original max concurrency 20
|
|
|
|
[~] Throttled max concurrency 20
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
The above will load all checks except for the `backup_files` and `xss` ones.
|
|
|
|
|
|
<h2 id='plugins'><a href='#plugins'>Plugins</a></h2>
|
|
<h2 id='plugins'><a href='#plugins'>Plugins</a></h2>
|
|
|
|
|
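Review bot: The new Example heading under Checks does not link to itself: `<h4 id='checks-checks_example'><a href='#checks_checks_example'>Example</a></h4>` uses a hyphen in the `id` but an underscore in the `href`, and the table of contents in the first hunk uses `#checks-checks_example`, so change the `href` to match the `id`. Two smaller points in the same hunk: the `--checks-list` text now says a provided option is treated as a pattern that filters the displayed checks, but the old `--lsmod` sample output is removed without a replacement, so readers no longer see what a listing looks like (including that the output pauses with `Hit <space> <enter> to continue`); and the exclusion example `arachni --checks=*,-backup_files,-xss http://example.com/` passes an unquoted `*`, which the shell may glob-expand if a matching filename exists in the working directory, so quote it as `--checks='*,-backup_files,-xss'`, as the old Expects line (`modname,modname,... OR '*'`) already did. Finally, the whole Reports section (`--lsrep`, `--repload`, `--report` and their examples) is deleted here with no forwarding pointer; if it moved to another page, link to it from the Checks section.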