Arachni v0.4 Web App Security Scanner

Tasos Laskos at Zapotek reports that Arachni 0.4 Open Source Web Application Security Scanner Framework is now available, and this new version makes this tool even faster and more useful than ever.

If you are not familiar with Arachni, it is a feature-rich, modular, high-performance Ruby framework aimed at helping penetration testers and administrators evaluate the security of web applications. The scanner trains itself by learning from the HTTP responses it receives during the audit, and can perform meta-analysis to assess the trustworthiness of its results and identify false positives.

It takes into account the dynamic nature of web applications: it can detect changes caused while it travels through the paths of a web application and adjusts accordingly. This way, attack/input vectors that would otherwise go undetected by automated tools are handled seamlessly by Arachni.

Arachni is versatile, covering a great deal of use cases, ranging from a simple command line scan, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits.

The new Grid scanning capability lets you connect multiple nodes into a grid to perform lightning-fast scans. Arachni distributes the workload granularly, down to individual page elements, to ensure optimal distribution and aggregate the bandwidth and CPU of all nodes.

It works under any flavor of Unix that supports Ruby, and on Windows via Cygwin.

New Goodies:

  • A new light-weight RPC implementation (no more XML-RPC).
  • High Performance Grid (HPG) — Combines the resources of multiple nodes for lightning-fast scans.
  • Updated WebUI to provide access to HPG features and context-sensitive help.
  • New plugins:
    • ReScan — Uses the AFR report of a previous scan to avoid a redundant crawl.
    • BeepNotify — Beeps when the scan finishes.  Handy.
    • LibNotify — Send notifications for each discovered issue and a summary at the end of the scan.
    • EmailNotify — Sends a notification (and optionally a report) over SMTP at the end of the scan.
    • Manual verification — Flags issues that require manual verification as untrusted, reducing noise in the results.
    • Resolver — Resolves vulnerable hostnames to IP addresses.
  • Accuracy improvements and bugfixes for the XSS, SQL Injection and Path Traversal modules.
  • New report formats (JSON, Marshal, YAML).
  • Cygwin package for Windows.

For a more detailed walk-through of what’s new, check out: