It’s been a long while but it is time at last for the new (v0.4.1) release of Arachni.
I took my time with this one as there were a lot of things that needed to be done in order to ensure Arachni’s transition from an experimental toy to a stable and reliable system — not sure if I’ve done that yet but that is the ultimate goal.
The most important (and time consuming) thing was the addition of a full RSpec suite covering the core libs as well as all system components (like modules, plugins, reports, etc.), an endeavour which shed plenty of light on some unfortunate code-rot and suboptimal design decisions and thus led to a lot of improvements throughout the codebase.
Also, support has moved from the old Google Group to a specialised support portal, so asking for (and receiving) help will be a much more streamlined and efficient process. In addition to the discussion system, the support portal comes equipped with a very nifty knowledge base which will host a plethora of how-to and other types of articles.
The CHANGELOG is quite lengthy so let’s just take a look at the highlights:
- The project has moved from GPLv2 to Apache License Version 2.
- Improved detection of custom 404 pages.
- The HTTP request queue now has a hard limit in order to prevent consumption of big amounts of memory; once the limit has been reached, the already queued requests are performed before any more can be queued.
- Implementation of a proper CookieJar.
- Rewritten Spider.
- A new custom fast URI parser has been added.
- Major code clean-up and refactoring to make scripting much easier.
- Addition of a session management component, handling logout detection and facilitating automated re-logins.
- Support for more paranoid coverage options (fuzzing with both GET/POST requests, submitting combined permutations of links or forms with cookies).
- Dispatchers now have their own component types (RPCD Handlers), allowing for deployment of server-side components with access to the local Dispatcher and whose API can be exposed over RPC.
- Issue deduplication has become more aggressive (only 1 variation allowed for issues that were a result of a vulnerable input vector).
- Unencrypted password forms — Checks for non-nil form fields before iterating.
- SSN — Improved regexp and logging.
- SQL injection — Now ignores irrelevant error messages in order to reduce false-positives.
- XSS — Improved detection accuracy.
- RFI — Added a seed URL without a protocol.
- Path traversal — Added seeds with file:// URLs and for Tomcat webapps.
- Insecure cookies — Logs cookies without the ‘secure’ flag.
- HttpOnly cookies — Logs cookies without the ‘HttpOnly’ flag.
- Session fixation
- VectorFeed — Reads in vector data from which it creates elements to be audited. Can be used to perform extremely specialized/narrow audits on a per vector/element basis. Useful for unit-testing or a gazillion other things.
- Script — Loads and runs an external Ruby script under the scope of a plugin, used for debugging and general hackery.
- Proxy plugin can now intercept HTTPS traffic, properly forwards headers and can record login sequences and configure the session manager accordingly. It has also received a nifty little control panel which gets injected into every response and allows you to monitor what is being logged.
- AutoLogin — Now configures the session manager with the given settings and has been updated to require a ‘verifier’ pattern option to ensure that the login was successful.
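To illustrate the kind of check the Insecure cookies and HttpOnly cookies modules above perform, here is an added Ruby example (my own, not Arachni's code) that parses raw Set-Cookie header values and reports each cookie lacking the ‘secure’ or ‘HttpOnly’ attribute; the header values and helper names are constructed for the demonstration.

```ruby
# Added example, not part of Arachni: audit Set-Cookie headers for
# missing Secure / HttpOnly attributes, reporting one finding per gap.
require 'set'

# Parse one Set-Cookie header value into its name, value and the set of
# lower-cased attribute names (attribute values are irrelevant here, and
# attribute names are matched case-insensitively as browsers do).
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip)
  name, value = parts.shift.to_s.split('=', 2)
  attrs = parts.map { |p| p.split('=', 2).first.to_s.strip.downcase }.to_set
  { name: name.to_s.strip, value: value.to_s, attrs: attrs }
end

# Return an array of findings, one per missing flag, for every header given.
def audit_cookie_flags(headers)
  findings = []
  headers.each do |h|
    cookie = parse_set_cookie(h)
    next if cookie[:name].empty? # malformed header, nothing to report on
    findings << { cookie: cookie[:name], issue: 'missing Secure' } unless cookie[:attrs].include?('secure')
    findings << { cookie: cookie[:name], issue: 'missing HttpOnly' } unless cookie[:attrs].include?('httponly')
  end
  findings
end

# Constructed sample headers: one fully flagged, one lower-cased 'secure'
# without HttpOnly, one with neither flag (Expires contains commas, which
# must not confuse the attribute split).
SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; Secure; HttpOnly',
  'prefs=dark; Path=/; secure',
  'tracker=xyz; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT'
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_cookie_flags(SAMPLE_HEADERS).each { |f| puts "#{f[:cookie]}: #{f[:issue]}" }
end
```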
At this point, I’d like to welcome a new team member, Robert Gouin, who will be relentlessly testing the system and making sure I don’t miss silly stuff.
This release comes with brand new packages and support for OSX, so you OSX users don’t have to worry any more.
Finally, let’s take a look at where the project is going:
- v0.4.2 will include a brand new WebUI written in Rails, improved high-performance distributed capabilities, distributed crawling using the Roundabout design and more.
So, that’s all for now, I hope you’ll enjoy the new release and please do provide feedback.