|
## Version 1.0
|
|
## Version 1.1
|
|
|
|
|
|
The RPC client command line interface is similar to the
|
|
The RPC client command line interface is similar to the
|
|
[[Command line user interface | Command line user interface]].
|
|
[[Command line user interface | Command line user interface]].
|
... | @@ -11,8 +11,8 @@ The differences between the two are: |
... | @@ -11,8 +11,8 @@ The differences between the two are: |
|
* Support for SSL peer verification for Dispatch server.
|
|
* Support for SSL peer verification for Dispatch server.
|
|
|
|
|
|
```
|
|
```
|
|
Arachni - Web Application Security Scanner Framework v1.0
|
|
Arachni - Web Application Security Scanner Framework v1.1
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>
|
|
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
... | @@ -87,7 +87,7 @@ Scope |
... | @@ -87,7 +87,7 @@ Scope |
|
|
|
|
|
--scope-dom-depth-limit LIMIT
|
|
--scope-dom-depth-limit LIMIT
|
|
How deep to go into the DOM tree of each page, for pages with JavaScript code.
|
|
How deep to go into the DOM tree of each page, for pages with JavaScript code.
|
|
(Default: 10)
|
|
(Default: 5)
|
|
(Setting it to '0' will disable browser analysis.)
|
|
(Setting it to '0' will disable browser analysis.)
|
|
|
|
|
|
--scope-https-only Forces the system to only follow HTTPS URLs.
|
|
--scope-https-only Forces the system to only follow HTTPS URLs.
|
... | @@ -115,6 +115,15 @@ Audit |
... | @@ -115,6 +115,15 @@ Audit |
|
/input1\/(?<input1>\w+)\/input2\/(?<input2>\w+)/
|
|
/input1\/(?<input1>\w+)\/input2\/(?<input2>\w+)/
|
|
(Can be used multiple times.)
|
|
(Can be used multiple times.)
|
|
|
|
|
|
|
|
--audit-jsons Audit JSON request inputs.
|
|
|
|
|
|
|
|
--audit-xmls Audit XML request inputs.
|
|
|
|
|
|
|
|
--audit-parameter-names Inject payloads into parameter names.
|
|
|
|
|
|
|
|
--audit-with-extra-parameter
|
|
|
|
Inject payloads into extra element parameters.
|
|
|
|
|
|
--audit-with-both-methods
|
|
--audit-with-both-methods
|
|
Audit elements with both GET and POST requests.
|
|
Audit elements with both GET and POST requests.
|
|
(*WARNING*: This will severely increase the scan-time.)
|
|
(*WARNING*: This will severely increase the scan-time.)
|
... | @@ -145,7 +154,7 @@ Input |
... | @@ -145,7 +154,7 @@ Input |
|
HTTP
|
|
HTTP
|
|
--http-user-agent USER_AGENT
|
|
--http-user-agent USER_AGENT
|
|
Value for the 'User-Agent' HTTP request header.
|
|
Value for the 'User-Agent' HTTP request header.
|
|
(Default: Arachni/v1.0)
|
|
(Default: Arachni/v2.0dev)
|
|
|
|
|
|
--http-request-concurrency MAX_CONCURRENCY
|
|
--http-request-concurrency MAX_CONCURRENCY
|
|
Maximum HTTP request concurrency.
|
|
Maximum HTTP request concurrency.
|
... | @@ -155,7 +164,7 @@ HTTP |
... | @@ -155,7 +164,7 @@ HTTP |
|
|
|
|
|
--http-request-timeout TIMEOUT
|
|
--http-request-timeout TIMEOUT
|
|
HTTP request timeout in milliseconds.
|
|
HTTP request timeout in milliseconds.
|
|
(Default: 50000)
|
|
(Default: 10000)
|
|
|
|
|
|
--http-request-redirect-limit LIMIT
|
|
--http-request-redirect-limit LIMIT
|
|
Maximum amount of redirects to follow for each HTTP request.
|
|
Maximum amount of redirects to follow for each HTTP request.
|
... | @@ -173,7 +182,7 @@ HTTP |
... | @@ -173,7 +182,7 @@ HTTP |
|
|
|
|
|
--http-response-max-size LIMIT
|
|
--http-response-max-size LIMIT
|
|
Do not download response bodies larger than the specified LIMIT, in bytes.
|
|
Do not download response bodies larger than the specified LIMIT, in bytes.
|
|
(Default: inf)
|
|
(Default: 500000)
|
|
|
|
|
|
--http-cookie-jar COOKIE_JAR_FILE
|
|
--http-cookie-jar COOKIE_JAR_FILE
|
|
Netscape-styled HTTP cookiejar file.
|
|
Netscape-styled HTTP cookiejar file.
|
... | @@ -197,6 +206,34 @@ HTTP |
... | @@ -197,6 +206,34 @@ HTTP |
|
Proxy type.
|
|
Proxy type.
|
|
(Default: auto)
|
|
(Default: auto)
|
|
|
|
|
|
|
|
--http-ssl-verify-peer Verify SSL peer.
|
|
|
|
(Default: false)
|
|
|
|
|
|
|
|
--http-ssl-verify-host Verify SSL host.
|
|
|
|
(Default: false)
|
|
|
|
|
|
|
|
--http-ssl-certificate PATH
|
|
|
|
SSL certificate to use.
|
|
|
|
|
|
|
|
--http-ssl-certificate-type pem,der
|
|
|
|
SSL certificate type.
|
|
|
|
|
|
|
|
--http-ssl-key PATH SSL private key to use.
|
|
|
|
|
|
|
|
--http-ssl-key-type pem,der
|
|
|
|
SSL key type.
|
|
|
|
|
|
|
|
--http-ssl-key-password PASSWORD
|
|
|
|
Password for the SSL private key.
|
|
|
|
|
|
|
|
--http-ssl-ca PATH File holding one or more certificates with which to verify the peer.
|
|
|
|
|
|
|
|
--http-ssl-ca-directory PATH
|
|
|
|
Directory holding multiple certificate files with which to verify the peer.
|
|
|
|
|
|
|
|
--http-ssl-version TLSv1,TLSv1_0,TLSv1_1,TLSv1_2,SSLv2,SSLv3
|
|
|
|
SSL version to use.
|
|
|
|
|
|
|
|
|
|
Checks
|
|
Checks
|
|
--checks-list [PATTERN] List available checks based on the provided pattern.
|
|
--checks-list [PATTERN] List available checks based on the provided pattern.
|
... | @@ -207,7 +244,7 @@ Checks |
... | @@ -207,7 +244,7 @@ Checks |
|
Checks are referenced by their filename without the '.rb' extension, use '--checks-list' to list all.
|
|
Checks are referenced by their filename without the '.rb' extension, use '--checks-list' to list all.
|
|
Use '*' as a check name to load all checks or as a wildcard, like so:
|
|
Use '*' as a check name to load all checks or as a wildcard, like so:
|
|
xss* to load all XSS checks
|
|
xss* to load all XSS checks
|
|
sqli* to load all SQL injection checks
|
|
sql_injection* to load all SQL injection checks
|
|
etc.
|
|
etc.
|
|
|
|
|
|
You can exclude checks by prefixing their name with a minus sign:
|
|
You can exclude checks by prefixing their name with a minus sign:
|
... | @@ -267,7 +304,7 @@ Browser cluster |
... | @@ -267,7 +304,7 @@ Browser cluster |
|
|
|
|
|
--browser-cluster-job-timeout SECONDS
|
|
--browser-cluster-job-timeout SECONDS
|
|
Maximum allowed time for each job.
|
|
Maximum allowed time for each job.
|
|
(Default: 120)
|
|
(Default: 15)
|
|
|
|
|
|
--browser-cluster-worker-time-to-live LIMIT
|
|
--browser-cluster-worker-time-to-live LIMIT
|
|
Re-spawn the browser of each worker every LIMIT jobs.
|
|
Re-spawn the browser of each worker every LIMIT jobs.
|
... | | ... | |