Hello good people,
There’s a new Framework bugfix release, v1.0.6.
There are a lot of small fixes and cleanups, but the most notable changes are improvements and fixes to the payloads of the following active checks:
- sql_injection — Slight payload update to catch double-quote cases.
- code_injection — Slight PHP payload update, to ensure it works in more cases.
- code_injection_timing — Updated payloads to mirror code_injection.
- os_command_injection — Updated payloads to handle chained commands.
- os_command_injection_timing — Updated payloads to handle chained commands.
- path_traversal — Fixed MS Windows output pattern.
- sql_injection_differential — Set platform to generic sql.
- no_sql_injection_differential — Set platform to generic nosql.
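The two os_command_injection entries above concern chained commands, i.e. input that carries a shell separator such as `;` or `&&` so that a second command runs after the one the application intended. The following Ruby example is added here to show the application-side view of that finding; it is not Arachni code and not part of the original post. It contrasts a command built by string interpolation (what the check looks for) with an argv-style call that never involves a shell, plus an allow-list validator; the sample inputs and the hostname policy are constructed for the example.

```ruby
require 'open3'
require 'shellwords'

# Constructed sample inputs: one benign value and two carrying a chained
# command, the shape of input the updated check exercises.
SAMPLE_HOSTS = [
  'example.test',
  'example.test; echo CHAINED',
  'example.test && echo CHAINED'
].freeze

# Vulnerable pattern: user input is interpolated into one command string and
# the string is handed to /bin/sh, so ';' or '&&' starts a second command.
# 'echo' stands in for the real utility so the demonstration is harmless.
def vulnerable_output(host)
  out, _status = Open3.capture2("echo resolving #{host}")
  out.chomp
end

# Hardened pattern: the command is an argv array and is executed without a
# shell, so ';', '&&' and friends stay ordinary bytes of a single argument.
def hardened_output(host)
  out, _status = Open3.capture2('echo', 'resolving', host)
  out.chomp
end

# Fallback when a shell really is required: escape the argument so the shell
# treats it as one literal word.
def escaped_output(host)
  out, _status = Open3.capture2("echo resolving #{Shellwords.escape(host)}")
  out.chomp
end

# Allow-list validation (hypothetical policy): accept only characters that can
# appear in a hostname, which rejects separators before any command is built.
HOSTNAME_RE = /\A[A-Za-z0-9.-]{1,253}\z/
def valid_hostname?(host)
  HOSTNAME_RE.match?(host)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_HOSTS.each do |host|
    puts "input:      #{host.inspect} (valid hostname: #{valid_hostname?(host)})"
    puts "vulnerable: #{vulnerable_output(host).inspect}"
    puts "hardened:   #{hardened_output(host).inspect}"
    puts "escaped:    #{escaped_output(host).inspect}"
    puts
  end
end
```

Run it and the vulnerable variant prints a second line, `CHAINED`, for the two chained inputs, while the hardened and escaped variants print the separator characters as part of the single argument. The argv form is the preferred fix; escaping only helps when the command genuinely needs a shell, and validation belongs in front of either.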
Given that, please do grab the latest package from the download page to enjoy the improved vulnerability coverage.
What’s coming in v1.1
I’d like to take this opportunity to give you a heads-up on what to expect from v1.1, which is currently under development. Aside from the feature requests visible in the referenced milestone, there are some more cool features you should know about.
JSON and XML input vectors
v1.1 will introduce support for auditing JSON input vectors, which will be extracted by monitoring the browser’s interactions with each web application (this part has actually already been implemented). In addition, there will also be support for similar XML vectors.
This also paves the way for scanning web services, with more of the missing pieces to be filled in over time.
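To make the term "input vector" concrete: a JSON body observed in a browser request is a tree, and each scalar leaf is one input that an audit can vary while every other value stays fixed. The Ruby below is an added illustration of that extraction step and is not Arachni’s implementation; the request body is constructed for the example and the helper names are the author’s own.

```ruby
require 'json'

# Constructed sample request body, as a browser might POST it to a JSON API
# (not taken from any real application).
SAMPLE_BODY = '{"user":{"name":"alice","roles":["viewer","editor"]},"remember":true,"page":2}'

# Walk a parsed JSON document and return every scalar leaf as [path, value],
# where path lists the hash keys / array indices leading to the leaf.
# Each leaf is one input vector that can be audited independently.
def json_input_vectors(doc, path = [])
  case doc
  when Hash
    doc.flat_map { |key, child| json_input_vectors(child, path + [key]) }
  when Array
    doc.each_with_index.flat_map { |child, i| json_input_vectors(child, path + [i]) }
  else
    [[path, doc]]
  end
end

# Human-readable vector name, e.g. "user.roles[1]".
def vector_name(path)
  path.map { |seg| seg.is_a?(Integer) ? "[#{seg}]" : ".#{seg}" }.join.sub(/\A\./, '')
end

# Names of all vectors in a body, in document order.
def vector_names(body_json)
  json_input_vectors(JSON.parse(body_json)).map { |path, _value| vector_name(path) }
end

# Return a new body with exactly one vector replaced and all siblings
# unchanged. Note that the replacement keeps whatever type it is given: a
# String placed where the original had a number changes the leaf's JSON
# type, which an API may reject before the value is ever processed.
def body_with_vector(body_json, path, value)
  raise ArgumentError, 'path must address a leaf' if path.empty?
  doc = JSON.parse(body_json)
  parent = path[0...-1].inject(doc) { |node, seg| node[seg] }
  parent[path.last] = value
  JSON.generate(doc)
end

if __FILE__ == $PROGRAM_NAME
  json_input_vectors(JSON.parse(SAMPLE_BODY)).each do |path, value|
    puts "#{vector_name(path)} = #{value.inspect}"
  end
  puts body_with_vector(SAMPLE_BODY, ['user', 'roles', 1], 'auditor')
end
```

The type caveat in `body_with_vector` is the practical difference between JSON vectors and classic form parameters: a form field is always a string, whereas a JSON leaf carries a type, so results for numeric or boolean leaves need to be read with that in mind.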
Massive crawl performance improvement
As you probably know, integrated browser environments were introduced in v1.0, which allowed Arachni to provide top-of-the-line coverage for web applications which make use of advanced client-side technologies.
This was neither an easy nor a simple feat, which is why the initial crawl/audit scheduling, even though clever, erred on the side of caution rather than performance. A much better scheduler was envisioned but not implemented, as I wanted to first get v1.0 stable and gather feedback before introducing further complexity.
Now that v1.0 has reached a solid enough state, it’s time to take off the limiter and go all Autobahn on the crawler. On average, you can expect scan durations to be cut in half. However, the more client-side states a web application has, the more dramatic the improvement will be; for example, when scanning single-page web applications, a 10-fold reduction wouldn’t be at all surprising.
Another look at full JRuby support and thus support for MS Windows
v1.0 was supposed to be portable and multi-platform; unfortunately, the official Ruby interpreters aren’t all that stable on MS Windows systems, so even though the Framework can run on Windows, I could not in good faith provide official packages for it.
To overcome this issue, JRuby seemed like a good alternative, and it indeed was. The Framework runs on JRuby, and that opened up an array of new possibilities. However, a subtle difference in socket API behavior between JRuby and the official Ruby interpreter resulted in a serious bug in Arachni’s RPC implementation.
To cut a long story short, the bug has been identified and can be fixed, so a native, stable MS Windows Arachni package built on JRuby is a very real possibility.