Go to Top

Arachni 0.4.4-0.4.2 release

Hey folks,

There’s a new version out containing new security checks, accuracy and coverage improvements and bug fixes.

Framework v0.4.4

Modules

There are new passive (recon) and active (audit)  modules along with big coverage improvements for existing ones.

Recon

New

  • X-Forwarded-For Access Restriction Bypass ( x_forwarded_for_access_restriction_bypass)
    • Retries denied requests with a X-Forwarded-For header to try and trick the web application into thinking that the request originates from localhost and checks whether the restrictions were bypassed.

     

  • Form-based upload ( form_upload)
    • Flags file-upload forms as they require manual testing.

Improved

  • .htaccess LIMIT misconfiguration ( htaccess_limit)
    • Updated to use verb tampering as well.

Audit

New

  • Source code disclosure ( source_code_disclosure)
    • Checks whether or not the web application can be forced to reveal source code.
  • Code execution via the php://input wrapper ( code_execution_php_input_wrapper)
    • It injects PHP code into the HTTP request body and uses the php://input wrapper to try and load it.

Improved

  • Blind SQL Injection (Boolean/Differential analysis) ( sqli_blind_rdiff)
    • Improved accuracy of results.
  • Path traversal ( path_traversal)
    • Severity set to “High”.
    • Updated to start with / and go all the way up to /../../../../../../.
    • Added fingerprints for /proc/self/environ.
    • Improved coverage for MS Windows.
  • Remote file inclusion ( rfi)
    • Updated to handle cases where the web application appends its own extension to the injected string.

     

Web user interface v0.4.2

The user interface hasn’t received many changes but a crippling bug has been resolved, which caused the interface to hang after a certain amount of time.

  • Fixed bug causing the system to hang after 1:24 hours of scan monitoring, caused by improper caching of RPC clients.
  • Scan
    • Monitoring
      • Redirect to the Scans list page with an alert if the monitored scan was deleted.
  • Profiles
    • Added HTTP auth options.

     

I hope you enjoy it and take some time to provide feedback.

Cheers,

Tasos L.

, , , ,

About Tasos Laskos

CEO of Sarosys LLC, founder and lead developer of Arachni.

3 Responses to "Arachni 0.4.4-0.4.2 release"

  • justin
    August 14, 2013 - 5:04 am Reply

    thanks!

  • Cody
    August 21, 2013 - 1:25 am Reply

    Is there a screencast showcasing this framework in action? Or tutorials for beginners?

    • Tasos Laskos
      August 21, 2013 - 1:35 am Reply

      Not really, you just download the packages, checkout the included README file for pointers and if you need help you can consult the Help page.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.