
v0.4.1 is out!

Hi folks,

It’s been a long while but it is time at last for the new (v0.4.1) release of Arachni.

I took my time with this one as there were a lot of things that needed to be done in order to ensure Arachni’s transition from an experimental toy to a stable and reliable system — not sure if I’ve done that yet but that is the ultimate goal.

The most important (and time consuming) thing was the addition of a full RSpec suite covering the core libs as well as all system components (like modules, plugins, reports, etc.), an endeavour which shed plenty of light on some unfortunate code-rot and suboptimal design decisions and thus led to a lot of improvements throughout the codebase.

Also, support has moved from the old Google Group to a specialised support portal, so asking for (and receiving) help will be a much more streamlined and efficient process. In addition to the discussion system, the support portal comes equipped with a very nifty knowledge base which will host a plethora of how-to and other types of articles.

The CHANGELOG is quite lengthy so let’s just take a look at the highlights:

  • General
    • The project has moved from GPLv2 to Apache License Version 2.
    • Improved detection of custom 404 pages.
    • The HTTP request queue now has a hard limit in order to prevent consumption of big amounts of memory; once the limit has been reached, the already queued requests are performed before any more can be queued.
    • Implementation of a proper CookieJar.
    • Rewritten Spider.
    • A new custom fast URI parser has been added.
    • Major code clean-up and refactoring to make scripting much easier.
    • Addition of a session management component, handling logout detection and facilitating automated re-logins.
    • Support for more paranoid coverage options (fuzzing with both GET/POST requests, submitting combined permutations of links or forms with cookies).
    • Dispatchers now have their own component types (RPCD Handlers), allowing for deployment of server-side components with access to the local Dispatcher and whose API can be exposed over RPC.
    • Issue deduplication has become more aggressive (only 1 variation allowed for issues that were a result of a vulnerable input vector).
  • Modules
    • Updated
      • Unencrypted password forms — Checks for non-nil form fields before iterating.
      • SSN — Improved regexp and logging.
      • SQL injection — Now ignores irrelevant error messages in order to reduce false-positives.
      • XSS — Improved detection accuracy.
      • RFI — Added a seed URL without a protocol.
      • Path traversal — Added seeds with file:// URLs and for Tomcat webapps.
    • New
      • Insecure cookies — Logs cookies without the ‘secure’ flag.
      • HttpOnly cookies — Logs cookies without the ‘HttpOnly’ flag.
      • Session fixation
  • Plugins
    • New
      • VectorFeed — Reads in vector data from which it creates elements to be audited. Can be used to perform extremely specialized/narrow audits on a per vector/element basis. Useful for unit-testing or a gazillion other things.
      • Script — Loads and runs an external Ruby script under the scope of a plugin, used for debugging and general hackery.
    • Updated
      • Proxy plugin can now intercept HTTPS traffic, properly forwards headers and can record login sequences and configure the session manager accordingly. It has also received a nifty little control panel which gets injected into every response and allows you to monitor what is being logged.
      • AutoLogin — Now configures the session manager with the given settings and has been updated to require a ‘verifier’ pattern option to ensure that the login was successful.

At this point, I’d like to welcome a new team member, Robert Gouin, who will be relentlessly testing the system and making sure I don’t miss silly stuff.

This release comes with brand new packages and support for OSX, so you OSX users don’t have to worry any more.

Finally, let’s take a look at where the project is going:

  • v0.4.2 will include a brand new WebUI written in Rails, improved high-performance distributed capabilities, distributed crawling using the Roundabout design and more.
  • v0.5 will include DOM and JavaScript support. Ideally, it will be a native DOM written in Ruby and use TheRubyRacer as a JS runtime instead of driving a browser, but, in any case, Arachni will receive DOM and JS support.

So, that’s all for now, I hope you’ll enjoy the new release and please do provide feedback.

Tasos L.


About Tasos Laskos

CEO of Sarosys LLC, founder and lead developer of Arachni.
