Go to Top

Demo: Direct scanning, code coverage instrumentation and introspection

You can find an update here.

Hey folks,

I’ve got something really cool to show you today. It’s not ground-braking and commercial tools have had similar functionality for some time now, however, as usual in Arachni-land, this approach will have some interesting twists that set it apart from the rest.

In all honesty, I should be working on Arachni v1.1, implementing support for JSON/XML input vectors, but I got this idea and once I started prototyping and seeing how amazingly well it works, I couldn’t help but keeping at it until I had a working system. This is still purely experimental and it’s not part of Arachni, but complements it beautifully.

I don’t know when, if or how it’ll be released, but I figured I better post this demo and see if there’s any interest.

In simple terms

This is what this system allows Arachni to do:

  • Directly scan your Ruby web application, by actually running the web application itself.
  • Know exactly what code got executed as a result of each request.
  • Have complete access to the web application execution context and environment.


In more bullet-list-formatted words:

  • Offline testing.
    • No need for a live application supported by an HTTP server.
  • Incredible performance for quick scans.
    • Direct communication with the running application.
    • No HTTP, I/O, network overhead.
  • Absolutely reliable communication with the application.
    • No need to worry about network conditions, available bandwidth, server stress or timed-out requests.
  • Hybrid analysis, offering:
    • Benefits of dynamic analysis:
      • Issues are proven to exist based on the results of code execution.
      • Coverage of dynamic input vectors and workflows.
        • Even when using metaprogramming techniques.
      • Testing of all the usual input vectors:
        • GET and POST parameters.
        • Cookies
        • Headers
        • URL Paths
        • More…
      • Real browser analysis, for:
        • Detection of client-side issues.
        • Coverage of applications which rely on HTML5/DOM/JavaScript/AJAX.
      • Detection of issues involving 3rd party entities, like:
        • Operating System command injection
        • SQL injection
        • LDAP injection
        • Unvalidated redirections
        • Lots and lots more…
    • Benefits of static analysis:
      • Access to the application’s source code.
      • Access to the application’s configuration.
    • Inspection of the application’s runtime environment in real-time.
      • Direct access to the internals of the running application.
      • Capture of full context upon detection of a vulnerable state.
        • Stack-traces.
        • Method arguments.
        • Source codes.
    • With special optimizations for:
      • Rails (v3 and v4)
      • Sinatra
      • More to come…
  • Code coverage reporting
    • See exactly how much of your codebase was covered by the scan.
    • Examine per issue coverage data, to determine exactly which parts of your code contributed to each logged issue.


The web application

For this demo let’s use a very simple Sinatra web application that’s vulnerable to XSS:

The scan

So, say you want to scan this application with this new fancy system:

The “coverage” options are for this new system while the “framework” options are for the Arachni Framework and will be familiar to anyone who’s used it before.

This is very easy to use even without a user interface. And even though it looks very simple, there’s a lot of cool magic going on behind the scenes in order to hook Arachni directly into the web application and let it access, quite literally, everything.

The results

This is nothing to the power the real interface will give you, but it’s enough to give you an idea.

(Keep in mind that the web application code actually starts at line 5.)

You basically get access to every code execution event and its local and instance context, along with access to the same data for all its callers. Pretty much the entire stack.

Locating reported issues becomes childsplay.

Sadly, what you can’t see in this demo is the performance. There’s no HTTP overhead at all, the scan runs as fast as your computer can run the code of the web application.

Still, everything appears as if it’s running over HTTP, so everything is perfectly familiar when it comes to reviewing the reports and reproducing issues manually.

What’s to come

The basics are already here, but more features are planned which can improve the experience:

  • Custom handling for popular frameworks like Rails, making the context of each issue easier to explore and digest.
  • Web user interface.
    • Live control and monitoring.
    • Instant issue review/replay.
    • Live IRB-like console, allowing you to evaluate code under the context of each logged issue — as well as its entire call stack.
  • Probably lots more…

That’s all I’ve got for you for now. If you’ve got any thoughts please let me know by posting a comment.


Tasos L.

, , , , , ,

About Tasos Laskos

CEO of Sarosys LLC, founder and lead developer of Arachni.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.