Arachni Framework v1.3 & WebUI v0.5.8 release

Hello good people,

There are new Framework and WebUI versions out, with some interesting goodies.

Framework

As usual, let’s start with the most important Framework updates.

Options

  • There’s a new option called --browser-cluster-local-storage, allowing you to populate the browser’s localStorage from a JSON file.
  • New audit options for new elements:
    • --audit-ui-forms
    • --audit-ui-inputs

Reports

The Issue structure in the reports has been significantly simplified.

Issues used to be organised as parents with children: the parent Issue held the common data (vector type, check info etc.), while the specific vulnerability data were stored in its children, under the variations attribute.

This structure was no longer necessary and made parsing and processing reports a bit tedious, so now all Issues include full data.
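Anyone post-processing reports across versions will have both shapes to deal with for a while. The following added example (not Arachni's own code) normalises Issue entries from a JSON report so that a consumer always sees one fully populated Issue per finding, whether the report came from a pre-1.3 Framework (parent Issue plus variations) or from 1.3+ (every Issue already carries full data). The sample reports are constructed, and the exact key names (issues, check, vector, variations, proof, affected_input_name) are assumptions about the export format, so adjust them to match your own reports:

```ruby
# Added example (not Arachni's own code): normalise Issue entries from a JSON
# report so that a consumer sees one fully populated Issue per finding whether
# the report came from a pre-1.3 Framework (parent Issue + "variations")
# or from 1.3+ (flat, every Issue carries full data).
#
# The key names used here ("issues", "check", "vector", "variations",
# "proof", "affected_input_name") are assumptions about the export format.
require 'json'

# Constructed sample: one pre-1.3 style parent Issue with two variations.
OLD_STYLE_REPORT = <<~JSON
  {
    "issues": [
      {
        "name": "Cross-Site Scripting (XSS)",
        "severity": "high",
        "check": { "shortname": "xss" },
        "vector": { "type": "form", "action": "http://example.test/search", "method": "post" },
        "variations": [
          { "vector": { "affected_input_name": "q" },    "proof": "<injected>" },
          { "vector": { "affected_input_name": "sort" }, "proof": "<injected>" }
        ]
      }
    ]
  }
JSON

# Constructed sample: the same two findings as a 1.3+ report would list them.
NEW_STYLE_REPORT = <<~JSON
  {
    "issues": [
      {
        "name": "Cross-Site Scripting (XSS)",
        "severity": "high",
        "check": { "shortname": "xss" },
        "vector": { "type": "form", "action": "http://example.test/search", "method": "post", "affected_input_name": "q" },
        "proof": "<injected>"
      },
      {
        "name": "Cross-Site Scripting (XSS)",
        "severity": "high",
        "check": { "shortname": "xss" },
        "vector": { "type": "form", "action": "http://example.test/search", "method": "post", "affected_input_name": "sort" },
        "proof": "<injected>"
      }
    ]
  }
JSON

# Recursively merge hashes so that a variation's partial "vector" overrides
# only the keys it specifies and keeps the parent's common data for the rest.
def deep_merge(base, override)
  base.merge(override) do |_key, old, new|
    old.is_a?(Hash) && new.is_a?(Hash) ? deep_merge(old, new) : new
  end
end

# Returns an Array of flat Issue hashes, one per concrete finding.
def flatten_issues(report_json)
  report = JSON.parse(report_json)
  report.fetch('issues', []).flat_map do |issue|
    variations = issue['variations']
    # Already flat (1.3+ report): pass the Issue through unchanged.
    next [issue] if variations.nil? || variations.empty?

    # Pre-1.3 report: push the parent's common data down into each variation.
    parent = issue.reject { |key, _| key == 'variations' }
    variations.map { |variation| deep_merge(parent, variation) }
  end
end

# A stable key for deduplicating or diffing findings between scans/versions.
def issue_key(issue)
  [
    issue.dig('check', 'shortname'),
    issue.dig('vector', 'action'),
    issue.dig('vector', 'affected_input_name')
  ].join('|')
end

if __FILE__ == $PROGRAM_NAME
  flatten_issues(OLD_STYLE_REPORT).each { |issue| puts issue_key(issue) }
end
```

Running it prints one key per finding; feeding either sample report through flatten_issues yields the same two keys, which is what makes a version-independent diff of scan results possible.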

Improved DOM element coverage

There are new DOM element abstractions, allowing certain interesting DOM-based inputs to be audited just like any other:

  • UIForm: Represents <input> and <button> groups not belonging to any <form> elements, but instead associated via JavaScript code.
    • --audit-ui-forms
  • UIInput: For orphaned <input> elements, submitting their data via callbacks for DOM events.
    • --audit-ui-inputs

With modern web applications relying more and more on JavaScript to create interfaces, proper support for these elements became a necessity.

These types of inputs were already covered up to a point by specific security checks; however, they have now been promoted to first-class citizens.

Browser

  • Recursive taint tracing for objects in arguments has had its depth limited, in order to avoid issues with circular references. This does not affect coverage; the worst-case scenario is that some issues may lack a bit of context when the taint is too deep inside a JS object.
  • Event triggering performance has been improved.

Plugins

  • Fixed a bug causing the proxy plugin to hang on shutdown.
  • Updated the login_script plugin to wait for the page to settle when using a JavaScript login script.

Improved performance

Some of the changes result in quite the performance boost.

            Defaults                Crawl only
            Requests   Duration     Requests   Duration
  v1.2.1    28930      00:06:30     1652       00:04:03
  v1.3      30019      00:05:49     1544       00:03:47

It doesn’t look like much, since the overall duration isn’t that large for this test site, but when performing scans against larger targets the savings will be quite noticeable.

The same site was used for comparison in previous versions, with different run-times. Keep in mind that network conditions and site content can change over time; what’s important is the difference between versions against the same state.

Configurations

Defaults:
arachni http://testhtml5.vulnweb.com

Crawl only:
arachni http://testhtml5.vulnweb.com --checks -

Other

  • Path extractors have been updated to prevent junk paths from entering the system; this will result in cleaner sitemaps and a small performance improvement.
  • Added a system-wide sitemap policy to prevent feedback pages resulting from the audit from being included; this will result in much less noise in the resulting sitemap.

WebUI

The WebUI is waiting to be replaced, so it’s not receiving new features; there were, however, a few updates:

  • A lot of DB fields have been updated in order to support null-bytes when using PostgreSQL — unfortunately, this is not backwards compatible.
  • Added audit options in profiles for the new Framework element abstractions.

Mac OSX 10.11 “El Capitan” issues

So, El Capitan must have been drunk at the helm, because it broke a lot of systems as it introduced changes meant to improve security; alas, said changes resulted in a lot of build systems (and systems that deal with libraries in general) exploding.

Once those issues get sorted, OSX 10.11 packages will be made available; until then, this release will not work on OSX 10.11.

What’s next

While I was waiting for the experimental branch to get tested and get stable enough for this release, I had/have been working on more extreme improvements to the system in another branch.

The new updates will yield massive performance improvements and much reduced resource usage.

And there are even more extreme improvements coming after those, so in a couple of versions scan durations will be almost halved and resource consumption is going to be almost negligible for the average desktop.

To put this in perspective, the goal is a smooth(-ish) scan on a Raspberry Pi 1 B (resource-wise, not sure if all of Arachni’s dependencies actually work on ARM), which isn’t that far off with the current experimental improvements — I don’t mean to oversell this, obviously performance is going to suffer when running on ultra-low resource environments, but it should still work.

I’ll write up a post with more details on the above in a few days.

Cheers,

Tasos L.

About Tasos Laskos

CEO of Sarosys LLC, founder and lead developer of Arachni.