... | @@ -123,12 +123,11 @@ in the [knowledge base](http://support.arachni-scanner.com/kb/). |
... | @@ -123,12 +123,11 @@ in the [knowledge base](http://support.arachni-scanner.com/kb/). |
|
* [Include vector (--audit-include-vector)](#audit-include-vector)
|
|
* [Include vector (--audit-include-vector)](#audit-include-vector)
|
|
* [Checks](#checks)
|
|
* [Checks](#checks)
|
|
* [List (--checks-list)](#checks-list)
|
|
* [List (--checks-list)](#checks-list)
|
|
* [Checks (--checks)](#checks-checks)
|
|
* [Load (--checks)](#checks-checks)
|
|
* [Example](#checks-checks_example)
|
|
* [Example](#checks-checks_example)
|
|
* [Plugins](#plugins)
|
|
* [Plugins](#plugins)
|
|
* [List plugins (--lsplug)](#lsplug)
|
|
* [List (--plugins-list)](#plugins-list)
|
|
* [Example](#lsplug_example)
|
|
* [Load (--plugin)](#plugin)
|
|
* [Load a plugin (--plugin)](#plugin)
|
|
|
|
* [Example](#plugin_example)
|
|
* [Example](#plugin_example)
|
|
* [Platforms](#platforms)
|
|
* [Platforms](#platforms)
|
|
* [List platforms (--lsplat)](#lsplat)
|
|
* [List platforms (--lsplat)](#lsplat)
|
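Review bot: The `--ls*` rename is applied to only one of the two list entries in this TOC hunk: `* [List plugins (--lsplug)](#lsplug)` becomes `* [List (--plugins-list)](#plugins-list)`, but `* [List platforms (--lsplat)](#lsplat)` at the end of the hunk keeps the old option name and the longer "List platforms" label. If `--lsplat` was renamed along with `--lsplug`, update it here as well; if not, the two entries should at least use the same label form (`List (--lsplat)`). The `--plugin` entry is also worded differently from its sibling: the two versions read `Load (--plugin)` and `Load a plugin (--plugin)` while the checks entry becomes `Load (--checks)`, so pick one phrasing for all "load" options. Dropping `* [Example](#lsplug_example)` is consistent with the example section being removed later in this change.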
... | @@ -912,7 +911,7 @@ Lists all available checks. |
... | @@ -912,7 +911,7 @@ Lists all available checks. |
|
|
|
|
|
If an option has been provided, it will be treated as a pattern and be used to filter the displayed checks.
|
|
If an option has been provided, it will be treated as a pattern and be used to filter the displayed checks.
|
|
|
|
|
|
<h3 id='checks-checks'><a href='#checks-checks'>Checks (--checks)</a></h3>
|
|
<h3 id='checks-checks'><a href='#checks-checks'>Load (--checks)</a></h3>
|
|
|
|
|
|
**Expects**: `string,string`
|
|
**Expects**: `string,string`
|
|
|
|
|
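Review bot: The heading rename `Checks (--checks)` to `Load (--checks)` keeps `id='checks-checks'`, so existing links still resolve, but the `**Expects**: \`string,string\`` line directly under it is left as-is even though the option body (next hunk) also documents `*` for all checks and a `-` prefix for exclusions. Consider extending the Expects value (for example `string,string` or `*`) so the summary line matches what the option accepts.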
... | @@ -923,11 +922,11 @@ If an option has been provided, it will be treated as a pattern and be used to f |
... | @@ -923,11 +922,11 @@ If an option has been provided, it will be treated as a pattern and be used to f |
|
|
|
|
|
Loads the given checks, by name.
|
|
Loads the given checks, by name.
|
|
|
|
|
|
Checks are referenced by their filename without the `.rb` extension, use `--checks-list` to see all.
|
|
|
|
|
|
|
|
You can specify the checks to load as comma separated values (without spaces) or `*` to load all.
|
|
You can specify the checks to load as comma separated values (without spaces) or `*` to load all.
|
|
You can prevent checks from being loaded by prefixing their name with a dash (`-`).
|
|
You can prevent checks from being loaded by prefixing their name with a dash (`-`).
|
|
|
|
|
|
|
|
**Note**: Checks are referenced by their filename without the `.rb` extension, use `--checks-list` to see all.
|
|
|
|
|
|
<h4 id='checks-checks_example'><a href='#checks_checks_example'>Example</a></h4>
|
|
<h4 id='checks-checks_example'><a href='#checks_checks_example'>Example</a></h4>
|
|
|
|
|
|
As CSV:
|
|
As CSV:
|
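Review bot: The example heading carried as context in this hunk links to the wrong anchor: `<h4 id='checks-checks_example'><a href='#checks_checks_example'>Example</a></h4>` uses a hyphen in the `id` but an underscore in the `href`, so the heading's self-link does not resolve (the TOC entry correctly targets `#checks-checks_example`); change the `href` to `#checks-checks_example`. The relocated note also carries a comma splice, "without the `.rb` extension, use `--checks-list` to see all"; a semicolon or full stop reads better, and "comma separated values" should be "comma-separated values".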
... | @@ -948,7 +947,7 @@ The above will load all checks except for the `backup_files` and `xss` ones. |
... | @@ -948,7 +947,7 @@ The above will load all checks except for the `backup_files` and `xss` ones. |
|
|
|
|
|
<h2 id='plugins'><a href='#plugins'>Plugins</a></h2>
|
|
<h2 id='plugins'><a href='#plugins'>Plugins</a></h2>
|
|
|
|
|
|
<h3 id='lsplug'><a href='#lsplug'>List plugins (--lsplug)</a></h3>
|
|
<h3 id='plugins-list'><a href='#plugins-list'>List (--plugins-list)</a></h3>
|
|
|
|
|
|
**Expects**: `<n/a>`
|
|
**Expects**: `<n/a>`
|
|
|
|
|
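Review bot: Changing the heading from `<h3 id='lsplug'>` to `<h3 id='plugins-list'>` renames the anchor, not just the label, so any external links or bookmarks to `#plugins-list`'s old `#lsplug` target will stop working; the TOC in the first hunk is updated, so in-page links are fine. That is acceptable for an option rename, but it is worth a line in the commit message or changelog, and the `**Expects**: \`<n/a>\`` line below could be dropped since the option takes no value.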
... | @@ -959,797 +958,27 @@ The above will load all checks except for the `backup_files` and `xss` ones. |
... | @@ -959,797 +958,27 @@ The above will load all checks except for the `backup_files` and `xss` ones. |
|
|
|
|
|
Lists all available plugins.
|
|
Lists all available plugins.
|
|
|
|
|
|
<h4 id='lsplug_example'><a href='#lsplug_example'>Example</a></h4>
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
$ arachni --lsplug
|
|
|
|
Arachni - Web Application Security Scanner Framework v0.4.2
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
|
|
Website: http://arachni-scanner.com
|
|
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
|
|
[~] No modules were specified.
|
|
|
|
[~] -> Will run all mods.
|
|
|
|
|
|
|
|
[~] No audit options were specified.
|
|
|
|
[~] -> Will audit links, forms and cookies.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[~] Available plugins:
|
|
|
|
|
|
|
|
[*] resolver:
|
|
|
|
--------------------
|
|
|
|
Name: Resolver
|
|
|
|
Description: Resolves vulnerable hostnames to IP addresses.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.1
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/resolver.rb
|
|
|
|
|
|
|
|
[*] healthmap:
|
|
|
|
--------------------
|
|
|
|
Name: Health map
|
|
|
|
Description: Generates a simple list of safe/unsafe URLs.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.3
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/healthmap.rb
|
|
|
|
|
|
|
|
[*] profiler:
|
|
|
|
--------------------
|
|
|
|
Name: Profiler
|
|
|
|
Description: Examines the behavior of the web application gathering general statistics
|
|
|
|
and performs taint analysis to determine which inputs affect the output.
|
|
|
|
|
|
|
|
It does not perform any vulnerability assessment nor does it send attack payloads.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.5
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/profiler.rb
|
|
|
|
|
|
|
|
[*] uniformity:
|
|
|
|
--------------------
|
|
|
|
Name: Uniformity (Lack of central sanitization)
|
|
|
|
Description: Analyzes the scan results and logs issues which persist across different pages.
|
|
|
|
This is usually a sign for a lack of a central/single point of input sanitization,
|
|
|
|
a bad coding practise.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/uniformity.rb
|
|
|
|
|
|
|
|
[*] manual_verification:
|
|
|
|
--------------------
|
|
|
|
Name: Issues requiring manual verification
|
|
|
|
Description: The HTTP responses of the issues logged by this plugin exhibit a suspicious pattern
|
|
|
|
even before any audit action has taken place -- this challenges the relevance of the audit procedure.
|
|
|
|
|
|
|
|
Thus, these issues require manual verification.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/manual_verification.rb
|
|
|
|
|
|
|
|
[*] timing_attacks:
|
|
|
|
--------------------
|
|
|
|
Name: Timing attack anomalies
|
|
|
|
Description: Analyzes the scan results and logs issues that used timing attacks
|
|
|
|
while the affected web pages demonstrated an unusually high response time.
|
|
|
|
A situation which renders the logged issues inconclusive or (possibly) false positives.
|
|
|
|
|
|
|
|
Pages with high response times usually include heavy-duty processing
|
|
|
|
which makes them prime targets for Denial-of-Service attacks.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.4
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/timing_attacks.rb
|
|
|
|
|
|
|
|
[*] discovery:
|
|
|
|
--------------------
|
|
|
|
Name: Discovery module response anomalies
|
|
|
|
Description: Analyzes the scan results and identifies issues logged by discovery modules
|
|
|
|
(i.e. modules that look for certain files and folders on the server),
|
|
|
|
while the server responses were exhibiting an anomalous factor of similarity.
|
|
|
|
|
|
|
|
There's a good chance that these issues are false positives.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/discovery.rb
|
|
|
|
|
|
|
|
[*] autothrottle:
|
|
|
|
--------------------
|
|
|
|
Name: AutoThrottle
|
|
|
|
Description: Monitors HTTP response times and automatically
|
|
|
|
throttles the request concurrency in order to maintain stability
|
|
|
|
and avoid from killing the server.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.3
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/autothrottle.rb
|
|
|
|
|
|
|
|
[*] content_types:
|
|
|
|
--------------------
|
|
|
|
Name: Content-types
|
|
|
|
Description: Logs content-types of server responses.
|
|
|
|
It can help you categorize and identify publicly available file-types
|
|
|
|
which in turn can help you identify accidentally leaked files.
|
|
|
|
Options:
|
|
|
|
[~] exclude - Exclude content-types that match this regular expression.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default: text
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.4
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/content_types.rb
|
|
|
|
|
|
|
|
[*] libnotify:
|
|
|
|
--------------------
|
|
|
|
Name: libnotify
|
|
|
|
Description: Uses the libnotify library to send notifications for each discovered issue
|
|
|
|
and a summary at the end of the scan.
|
|
|
|
Options:
|
|
|
|
[~] for_every_issue - Show every issue.
|
|
|
|
[~] Type: bool
|
|
|
|
[~] Default: true
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.1
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/libnotify.rb
|
|
|
|
|
|
|
|
[*] cookie_collector:
|
|
|
|
--------------------
|
|
|
|
Name: Cookie collector
|
|
|
|
Description: Monitors and collects cookies while establishing a timeline of changes.
|
|
|
|
|
|
|
|
WARNING: Highly discouraged when the audit includes cookies.
|
|
|
|
It will log thousands of results leading to a huge report,
|
|
|
|
highly increased memory and CPU usage.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.5
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/cookie_collector.rb
|
|
|
|
|
|
|
|
[*] proxy:
|
|
|
|
--------------------
|
|
|
|
Name: Proxy
|
|
|
|
Description:
|
|
|
|
* Gathers data based on user actions and exchanged HTTP
|
|
|
|
traffic and pushes that data to the framework's page-queue to be audited.
|
|
|
|
* Updates the framework cookies with the cookies of the HTTP requests and
|
|
|
|
responses, thus it can also be used to login to a web application.
|
|
|
|
* Supports SSL interception.
|
|
|
|
|
|
|
|
To skip crawling and only audit elements discovered by using the proxy
|
|
|
|
set '--link-count=0'.
|
|
|
|
Options:
|
|
|
|
[~] port - Port to bind to.
|
|
|
|
[~] Type: port
|
|
|
|
[~] Default: 8282
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] bind_address - IP address to bind to.
|
|
|
|
[~] Type: address
|
|
|
|
[~] Default: 0.0.0.0
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] timeout - How long to wait for a request to complete, in milliseconds.
|
|
|
|
[~] Type: integer
|
|
|
|
[~] Default: 20000
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/proxy.rb
|
|
|
|
|
|
|
|
[*] beep_notify:
|
|
|
|
--------------------
|
|
|
|
Name: Beep notify
|
|
|
|
Description: It beeps when the scan finishes.
|
|
|
|
Options:
|
|
|
|
[~] repeat - How many times to beep.
|
|
|
|
[~] Type: integer
|
|
|
|
[~] Default: 4
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] interval - How long to wait between beeps.
|
|
|
|
[~] Type: float
|
|
|
|
[~] Default: 0.4
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/beep_notify.rb
|
|
|
|
|
|
|
|
[*] rescan:
|
|
|
|
--------------------
|
|
|
|
Name: ReScan
|
|
|
|
Description: It uses the AFR report of a previous scan to
|
|
|
|
extract the sitemap in order to avoid a redundant crawl.
|
|
|
|
|
|
|
|
Options:
|
|
|
|
[~] afr - Path to the AFR report.
|
|
|
|
[~] Type: path
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/rescan.rb
|
|
|
|
|
|
|
|
[*] http_dicattack:
|
|
|
|
--------------------
|
|
|
|
Name: HTTP dictionary attacker
|
|
|
|
Description: Uses wordlists to crack password protected directories.
|
|
|
|
If the cracking process is successful the found credentials will be set
|
|
|
|
framework-wide and used for the duration of the audit.
|
|
|
|
If that's not what you want set the crawler's link-count limit to "0".
|
|
|
|
Options:
|
|
|
|
[~] username_list - File with a list of usernames (newline separated).
|
|
|
|
[~] Type: path
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] password_list - File with a list of passwords (newline separated).
|
|
|
|
[~] Type: path
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/http_dicattack.rb
|
|
|
|
|
|
|
|
[*] vector_feed:
|
|
|
|
--------------------
|
|
|
|
Name: Vector feed
|
|
|
|
Description: Reads in vector data from which it creates elements to be audited.
|
|
|
|
Can be used to perform extremely specialized/narrow audits on a per vector/element basis.
|
|
|
|
|
|
|
|
Notes:
|
|
|
|
* To only audit the vectors in the feed you must set the 'link-count' limit to 0 to prevent crawling.
|
|
|
|
* Can handle multiple YAML documents.
|
|
|
|
|
|
|
|
Example YAML file:
|
|
|
|
-
|
|
|
|
# you can pass pages to be audited by grep modules (and JS in the future)
|
|
|
|
type: page
|
|
|
|
url: http://localhost/
|
|
|
|
# response code
|
|
|
|
code: 200
|
|
|
|
# response headers
|
|
|
|
headers:
|
|
|
|
Content-Type: "text/html; charset=utf-8"
|
|
|
|
body: "HTML code goes here"
|
|
|
|
|
|
|
|
-
|
|
|
|
# default type is link which has method get
|
|
|
|
#type: link
|
|
|
|
action: http://localhost/link
|
|
|
|
inputs:
|
|
|
|
my_param: "my val"
|
|
|
|
|
|
|
|
-
|
|
|
|
# if a method is post it'll default to a form type
|
|
|
|
type: form
|
|
|
|
method: post
|
|
|
|
action: http://localhost/form
|
|
|
|
inputs:
|
|
|
|
post_this: "HUA!"
|
|
|
|
csrf: "my_csrf_token"
|
|
|
|
# do not fuzz/mutate/audit the following inputs (by name obviously)
|
|
|
|
skip:
|
|
|
|
- csrf
|
|
|
|
|
|
|
|
# GET only
|
|
|
|
-
|
|
|
|
type: cookie
|
|
|
|
action: http://localhost/cookie
|
|
|
|
inputs:
|
|
|
|
session_id: "43434234343sddsdsds"
|
|
|
|
|
|
|
|
# GET only
|
|
|
|
-
|
|
|
|
type: header
|
|
|
|
action: http://localhost/header
|
|
|
|
# only 1 input allowed, each header field=>value must be defined separately
|
|
|
|
inputs:
|
|
|
|
User-Agent: "Blah/2"
|
|
|
|
|
|
|
|
|
|
|
|
Options:
|
|
|
|
[~] vectors - Vector array (for configuration over RPC).
|
|
|
|
[~] Type: abstract
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] yaml_string - A string of YAML serialized vectors (for configuration over RPC).
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] yaml_file - A file containing the YAML serialized vectors.
|
|
|
|
[~] Type: path
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/vector_feed.rb
|
|
|
|
|
|
|
|
[*] script:
|
|
|
|
--------------------
|
|
|
|
Name: Script
|
|
|
|
Description: Loads and runs an external Ruby script under the scope of a plugin,
|
|
|
|
used for debugging and general hackery.
|
|
|
|
|
|
|
|
Will not work over RPC.
|
|
|
|
Options:
|
|
|
|
[~] path - Path to the script.
|
|
|
|
[~] Type: path
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.1
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/script.rb
|
|
|
|
|
|
|
|
[*] email_notify:
|
|
|
|
--------------------
|
|
|
|
Name: E-mail notify
|
|
|
|
Description: Sends a notification (and optionally a report) over SMTP at the end of the scan.
|
|
|
|
Options:
|
|
|
|
[~] to - E-mail address of the receiver.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] cc - E-mail address to which to send a carbon copy of the notification.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] bcc - E-mail address for a blind carbon copy.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] from - E-mail address of the sender.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] server_address - Address of the SMTP server to use.
|
|
|
|
[~] Type: address
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] server_port - SMTP port.
|
|
|
|
[~] Type: port
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] tls - Use TLS/SSL?.
|
|
|
|
[~] Type: bool
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] username - SMTP username.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] password - SMTP password.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] authentication - Authentication.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default: plain
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] report - Report type to send as an attachment. (accepted: txt, xml, html, json, yaml, marshalnone)
|
|
|
|
[~] Type: enum
|
|
|
|
[~] Default: txt
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/email_notify.rb
|
|
|
|
|
|
|
|
[*] autologin:
|
|
|
|
--------------------
|
|
|
|
Name: AutoLogin
|
|
|
|
Description: It looks for the login form in the user provided URL,
|
|
|
|
merges its input fields with the user supplied parameters and sets the cookies
|
|
|
|
of the response and request as framework-wide cookies to be used by the spider later on.
|
|
|
|
|
|
|
|
Options:
|
|
|
|
[~] url - The URL that contains the login form.
|
|
|
|
[~] Type: url
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] params - Form parameters to submit. ( username=user&password=pass )
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] check - A pattern which will be used to verify a successful login.
|
|
|
|
For example, if a logout link only appears when a user is logged in then it can be a perfect choice.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.5
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/autologin.rb
|
|
|
|
|
|
|
|
[*] waf_detector:
|
|
|
|
--------------------
|
|
|
|
Name: WAF Detector
|
|
|
|
Description: Performs basic profiling on the web application
|
|
|
|
in order to assess the existence of a Web Application Firewall.
|
|
|
|
|
|
|
|
This is a 4 stage process:
|
|
|
|
1. Grab the original page as is
|
|
|
|
2. Send a lot of innocent (vanilla) strings in non-existent inputs so as to profile normal behavior
|
|
|
|
3. Send a lot of suspicious (spicy) strings in non-existent inputs and check if behavior changes
|
|
|
|
4. Make heads or tails of the gathered responses
|
|
|
|
|
|
|
|
Steps 1 to 3 will be repeated _precision_ times (default: 5) and the responses will be averaged using rDiff analysis.
|
|
|
|
Options:
|
|
|
|
[~] precision - Stage precision (how many times to perform each detection stage).
|
|
|
|
[~] Type: integer
|
|
|
|
[~] Default: 5
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/waf_detector.rb
|
|
|
|
|
|
|
|
[*] form_dicattack:
|
|
|
|
--------------------
|
|
|
|
Name: Form dictionary attacker
|
|
|
|
Description: Uses wordlists to crack login forms.
|
|
|
|
If the cracking process is successful the found credentials will be set
|
|
|
|
framework-wide and used for the duration of the audit.
|
|
|
|
If that's not what you want set the crawler's link-count limit to "0".
|
|
|
|
Options:
|
|
|
|
[~] username_list - File with a list of usernames (newline separated).
|
|
|
|
[~] Type: path
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] password_list - File with a list of passwords (newline separated).
|
|
|
|
[~] Type: path
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] username_field - The name of the username form field.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] password_field - The name of the password form field.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] login_verifier - A regular expression which will be used to verify a successful login.
|
|
|
|
For example, if a logout link only appears when a user is logged in then it can be a perfect choice.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.4
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/form_dicattack.rb
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
<h3 id='plugin'><a href='#plugin'>Plugin (--plugin)</a></h3>
|
|
<h3 id='plugin'><a href='#plugin'>Plugin (--plugin)</a></h3>
|
|
|
|
|
|
**Expects**: `plugin name`
|
|
**Expects**: `string`
|
|
|
|
|
|
**Default**: `disabled`
|
|
**Default**: `disabled`
|
|
|
|
|
|
**Multiple invocations?**: `yes`
|
|
**Multiple invocations?**: `yes`
|
|
|
|
|
|
|
|
|
|
Tells Arachni which plugin components to run.
|
|
Loads a plugin by name and configures it with the given options.
|
|
Plugins are referenced by their filename without the `.rb` extension, use `--lsplug` to see all.
|
|
|
|
|
|
**Note**: Plugins are referenced by their filename without the `.rb` extension, use `--plugins-list` to see all.
|
|
|
|
|
|
<h4 id='plugin_example'><a href='#plugin_example'>Example</a></h4>
|
|
<h4 id='plugin_example'><a href='#plugin_example'>Example</a></h4>
|
|
|
|
|
|
Excluding the logout URL and running the AutoLogin plugin to automatically login to a web application:
|
|
Excluding the logout URL and running the `autologin1 plugin to automatically login to a web application:
|
|
|
|
|
|
```
|
|
```
|
|
$ arachni http://testfire.net --link-count=1 --modules=xss \
|
|
arachni http://testfire.net --scope-page-limit=1 --checks=xss \
|
|
--plugin=autologin:url=http://testfire.net/bank/login.aspx,params='uid=jsmith&passw=Demo1234',check='Sign Off|MY ACCOUNT' \
|
|
--plugin=autologin:url=http://testfire.net/bank/login.aspx,parameters='uid=jsmith&passw=Demo1234',check='Sign Off|MY ACCOUNT' \
|
|
-e logout
|
|
--scope-exclude-pattern logout
|
|
|
|
|
|
Arachni - Web Application Security Scanner Framework v0.4.2
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
|
|
Website: http://arachni-scanner.com
|
|
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
|
|
[~] No audit options were specified.
|
|
|
|
[~] -> Will audit links, forms and cookies.
|
|
|
|
|
|
|
|
[*] Initialising...
|
|
|
|
[~] AutoLogin: System paused.
|
|
|
|
[*] Waiting for plugins to settle...
|
|
|
|
[*] AutoLogin: Found log-in form with name: login
|
|
|
|
[+] AutoLogin: Form submitted successfully.
|
|
|
|
[~] AutoLogin: Cookies set to:
|
|
|
|
[~] AutoLogin: * ASP.NET_SessionId = 14kge555fdb4bjflm3rx3t55
|
|
|
|
[~] AutoLogin: * amSessionId = 204023334531
|
|
|
|
[~] AutoLogin: * amUserInfo = UserName=anNtaXRo&Password=RGVtbzEyMzQ=
|
|
|
|
[~] AutoLogin: * amUserId = 100116014
|
|
|
|
[~] AutoLogin: * amCreditOffer = CardType=Gold&Limit=10000&Interest=7.9
|
|
|
|
[*] [HTTP: 200] http://testfire.net/
|
|
|
|
[*] Harvesting HTTP responses...
|
|
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
|
|
|
|
|
|
[*] Auditing: [HTTP: 200] http://testfire.net/
|
|
|
|
[*] Profiler: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
|
|
|
|
[*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] Profiler: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] Profiler: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] Profiler: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
|
|
|
|
[*] Profiler: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
|
|
|
|
[*] Profiler: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
|
|
|
|
[*] Harvesting HTTP responses...
|
|
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
|
|
[*] Profiler: Analyzing response #6...
|
|
|
|
[*] Profiler: Analyzing response #7...
|
|
|
|
[*] XSS: Analyzing response #26...
|
|
|
|
[*] XSS: Analyzing response #27...
|
|
|
|
[~] Trainer: Found 1 new links.
|
|
|
|
[*] Profiler: Analyzing response #9...
|
|
|
|
[*] Profiler: Analyzing response #8...
|
|
|
|
[*] XSS: Analyzing response #28...
|
|
|
|
[*] XSS: Analyzing response #15...
|
|
|
|
[*] XSS: Analyzing response #16...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
|
[*] XSS: Analyzing response #22...
|
|
|
|
[*] XSS: Analyzing response #30...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
|
[*] Profiler: Analyzing response #10...
|
|
|
|
[*] XSS: Analyzing response #31...
|
|
|
|
[*] XSS: Analyzing response #32...
|
|
|
|
[*] Profiler: Analyzing response #11...
|
|
|
|
[*] Profiler: Analyzing response #12...
|
|
|
|
[*] Profiler: Analyzing response #14...
|
|
|
|
[*] Profiler: Analyzing response #13...
|
|
|
|
[*] XSS: Analyzing response #33...
|
|
|
|
[*] XSS: Analyzing response #17...
|
|
|
|
[*] XSS: Analyzing response #18...
|
|
|
|
[*] XSS: Analyzing response #19...
|
|
|
|
[*] XSS: Analyzing response #34...
|
|
|
|
[*] XSS: Analyzing response #20...
|
|
|
|
[*] XSS: Analyzing response #21...
|
|
|
|
[*] XSS: Analyzing response #23...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
|
[*] XSS: Analyzing response #35...
|
|
|
|
[*] XSS: Analyzing response #24...
|
|
|
|
[*] XSS: Analyzing response #25...
|
|
|
|
[*] XSS: Analyzing response #29...
|
|
|
|
|
|
|
|
[*] Resolver: Resolving hostnames...
|
|
|
|
[*] Resolver: Done!
|
|
|
|
|
|
|
|
|
|
|
|
[*] Dumping audit results in '2012-09-09 02.48.17 +0300.afr'.
|
|
|
|
[*] Done!
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[+] Web Application Security Report - Arachni Framework
|
|
|
|
|
|
|
|
[~] Report generated on: 2012-09-09 02:48:17 +0300
|
|
|
|
[~] Report false positives at: http://github.com/Arachni/arachni/issues
|
|
|
|
|
|
|
|
[+] System settings:
|
|
|
|
[~] ---------------
|
|
|
|
[~] Version: 0.4.1dev
|
|
|
|
[~] Revision: 0.2.7
|
|
|
|
[~] Audit started on: Sun Sep 9 02:48:08 2012
|
|
|
|
[~] Audit finished on: Sun Sep 9 02:48:15 2012
|
|
|
|
[~] Runtime: 00:00:06
|
|
|
|
|
|
|
|
[~] URL: http://testfire.net/
|
|
|
|
[~] User agent: Arachni/v0.4.2

[*] Audited elements:
[~] * Links
[~] * Forms
[~] * Cookies

[*] Modules: xss

[*] Filters:
[~] Exclude:
[~] (?-mix:logout)

[~] =

[+] 2 issues were detected.

[+] [1] Cross-Site Scripting (XSS)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] ID Hash: 106295fcfffa8fea3664f8fb27defe5b81f3dfba2b54c5c7f2bcb63b36246359
[~] Severity: High
[~] URL: http://testfire.net/search.aspx
[~] Element: form
[~] Method: GET
[~] Tags: xss, regexp, injection, script
[~] Variable: txtSearch
[~] Description:
[~] Client-side code (like JavaScript) can
be injected into the web application which is then returned to the user's browser.
This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.

[~] CWE: http://cwe.mitre.org/data/definitions/79.html

[~] Requires manual verification?: false

[~] References:
[~] ha.ckers - http://ha.ckers.org/xss.html
[~] Secunia - http://secunia.com/advisories/9716/

[*] Variations
[~] ----------
[~] Variation 1:
[~] URL: http://testfire.net/search.aspx
[~] Injected value: <some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
[~] Regular expression:
[~] Matched string: <some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>


[+] [2] Cross-Site Scripting (XSS)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] ID Hash: 2530b44f891ab1ebbdad206ceff0c82bee2bf038a978ebcb75f4fa34e9dca727
[~] Severity: High
[~] URL: http://testfire.net/search.aspx?txtSearch=arachni_text
[~] Element: link
[~] Method: GET
[~] Tags: xss, regexp, injection, script
[~] Variable: txtSearch
[~] Description:
[~] Client-side code (like JavaScript) can
be injected into the web application which is then returned to the user's browser.
This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.

[~] CWE: http://cwe.mitre.org/data/definitions/79.html

[~] Requires manual verification?: false

[~] References:
[~] ha.ckers - http://ha.ckers.org/xss.html
[~] Secunia - http://secunia.com/advisories/9716/

[*] Variations
[~] ----------
[~] Variation 1:
[~] URL: http://testfire.net/search.aspx?txtSearch=arachni_text
[~] Injected value: '-;<some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
[~] Regular expression:
[~] Matched string: '-;<some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>



[+] Plugin data:
[~] ---------------


[*] Resolver
[~] ~~~~~~~~~~~~~~
[~] Description: Resolves vulnerable hostnames to IP addresses.

[~] testfire.net: 65.61.137.117

[*] Health map
[~] ~~~~~~~~~~~~~~
[~] Description: Generates a simple list of safe/unsafe URLs.

[~] Legend:
[+] No issues
[-] Has issues

[+] http://testfire.net/
[-] http://testfire.net/search.aspx
[-] http://testfire.net/search.aspx?txtSearch=arachni_text

[~] Total: 3
[+] Without issues: 1
[-] With issues: 2 ( 67% )

[*] Profiler
[~] ~~~~~~~~~~~~~~
[~] Description: Examines the behavior of the web application gathering general statistics
and performs taint analysis to determine which inputs affect the output.

It does not perform any vulnerability assessment nor does it send attack payloads.

[~] Inputs affecting output:

[+] Form using the 'txtSearch' input at 'http://testfire.net/' pointing to 'http://testfire.net/search.aspx' using 'GET'.
[~] It was submitted using the following parameters:
[~] * txtSearch = arachni_texte4e549408422875958476160732390defefcac7c2bd8353d918fe452d20de2a6
[~]
[~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_texte4e549408422875958476160732390defefcac7c2bd8353d918fe452d20de2a6':
[~] * Body
[+] Link using the 'txtSearch' input at 'http://testfire.net/search.aspx?txtSearch=arachni_text' pointing to 'http://testfire.net/search.aspx?txtSearch=arachni_text' using 'GET'.
[~] It was submitted using the following parameters:
[~] * txtSearch = arachni_text5f2703a5211db19a9020f7443f6a440fbc95cda90b7c2d53912f5ce47d050056
[~]
[~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_text5f2703a5211db19a9020f7443f6a440fbc95cda90b7c2d53912f5ce47d050056':
[~] * Body

[*] AutoLogin
[~] ~~~~~~~~~~~~~~
[~] Description: It looks for the login form in the user provided URL,
merges its input fields with the user supplied parameters and sets the cookies
of the response and request as framework-wide cookies to be used by the spider later on.


[+] Form submitted successfully.
[~] Cookies set to:
[~] * ASP.NET_SessionId = 14kge555fdb4bjflm3rx3t55
[~] * amSessionId = 204023334531
[~] * amUserInfo = UserName=anNtaXRo&Password=RGVtbzEyMzQ=
[~] * amUserId = 100116014
[~] * amCreditOffer = CardType=Gold&Limit=10000&Interest=7.9

[~] 100.0% [>] 100%
[~] Est. remaining time: --:--:--

[~] Crawler has discovered 2 pages.
[~] Audit limited to a max of 1 pages -- excluding 1 pages of Trainer feedback.

[~] Sent 40 requests.
[~] Received and analyzed 40 responses.
[~] In 00:00:06
[~] Average: 6 requests/second.

[~] Currently auditing http://testfire.net/search.aspx?txtSearch=arachni_text
[~] Burst response time total 0
[~] Burst response count total 0
[~] Burst average response time 0
[~] Burst average 0 requests/second
[~] Timed-out requests 0
[~] Original max concurrency 20
[~] Throttled max concurrency 20
```

<h2 id='platforms'><a href='#platforms'>Platforms</a></h2>
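Review bot: The sample output kept as context in this hunk is stale relative to the renames this commit documents: its header reports `User agent: Arachni/v0.4.2` and the summary line reads `[*] Modules: xss`, while the option it illustrates is now `--checks` and the surrounding text talks about checks, not modules. Regenerate the sample with a current build, or at least change that `Modules:` line, so the example agrees with the documented option. While regenerating, consider redacting the AutoLogin cookie values (`ASP.NET_SessionId`, `amSessionId` and `amUserInfo`, the last of which carries a `UserName=`/`Password=` pair in base64) and the resolved IP; session material does not belong in a README even when the target is a public demo site.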