Limitations

All the fanfare, big talk and cool features, in combination with the work, research and technology that powers Arachni, cannot compensate for every challenge; naturally, there are a few limitations. This page is here to cut through the BS and let you know what you can realistically expect from the system.

DOM/JavaScript/AJAX and HTML5

Unfortunately, Arachni does not currently include a JavaScript interpreter, a full DOM implementation or AJAX support. This limits coverage on web pages that make heavy use of JavaScript and/or AJAX.

However, you can improve the situation by using the Proxy plug-in to teach Arachni about vectors it can’t parse, via your browser. The system sits between your browser and the web application and monitors the exchanged traffic — this way JS execution is delegated to the browser.

A word of encouragement

Significant progress has been made on DOM/JS/AJAX and HTML5 support, and it will be included in the v0.5 release, which is currently under development.

False positives

Arachni invests a lot of effort into reducing false-positive results, but the truth is that they are a fact of life. FPs are usually caused by erratic web application or server behavior, such as fragile/unreliable network conditions or non-standard/broken HTTP responses.

One thing to keep in mind

Even though you may see false-positive results during run-time, do not despair: only once the scan has finished (and meta-analysis has been performed) should you judge the results’ accuracy.
If you do come across a FP, the best thing to do is report it so that it can be fixed.

The role of scanners in the audit process

Automated scanners are NOT a panacea — treat this as your creed.

Systems like Arachni are complementary to a manual audit; verification and further investigation of results will always be necessary. Automated audits have come a long way, but they cannot replace a human.