Arachni, a web application scanner on Ubuntu

about arachnee

In the next article we are going to take a look at Arachni. It's about a framework developed with Ruby and created to offer users different features for web application scanning. Despite not receiving updates for 2 years, in its day it was thought to be of help to professionals in analysis and penetration tests, it can also be useful for server administrators or webmasters who evaluate the security of web applications .

Es multi platform, compatible with the main operating systems such as Windows, Mac OS X and Gnu / Linux. It is distributed through packages that allow for instant deployment. Is free and its source code is public, we can find it available in your GitHub page.

Is what versatile enough to cover a large number of use casesFrom a simple command line scanner utility to a global grid of high-performance scanners and a Ruby library for scripted auditing. Plus, its straightforward REST API makes integration easy.

This framework trains itself through monitoring and learning the behavior of the web application during the scanning process. In addition, you can perform an analysis using a number of factors to correctly assess the reliability of the results and identify or avoid false positives.

This scanner will take into account the dynamic nature of web applications. Can detect the changes caused while walking the paths of a web application, being able to adjust accordingly. In this way, attack / entry vectors that would otherwise be undetectable by non-humans can be handled without problems.

Furthermore, due to its integrated browser environment, it also client-side code can be audited and inspected, as well as supporting complicated web applications, which make heavy use of technologies such as JavaScript, HTML5, DOM manipulation, and AJAX.

Arachni general characteristics

  • Cookie-jar / cookie-string, custom header and SSL support with some options.
  • User agent spoofing.
  • Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP / 1.1 and HTTP / 1.0.
  • Proxy authentication.
  • Site authentication (SSL-based, Forms-based, Cookie-Jar, Basic-Digest, NTLMv1, Kerberos, and others).
  • Automatic log-out and re-session detection during scanning.
  • Custom 404 page detection.
  • Command line interface.
  • Web user interface.
  • Pause / resume functionality. Hibernate support: suspend and restore from disk.
  • High-performance asynchronous HTTP requests.
  • With the ability to automatically detect the status of the server and adjust its concurrency automatically.
  • Support for custom default input values, using pairs of patterns (to be compared to input names) and values ​​that will be used to fill in corresponding inputs.

These are just some of the features. They can see these and all the others in detail, In the project GitHub page.

Related article:
Spaghetti, scan the security of your Web applications

Install Arachni scanner on Ubuntu

We will be able download the package necessary either from the project website or by opening a terminal (Ctrl + Alt + T) and typing the following command in it:

start download with wget

wget https://github.com/Arachni/arachni/releases/download/v1.5.1/arachni-1.5.1-0.5.12-linux-x86_64.tar.gz

Now we only have extract the downloaded package running the following command in the same terminal:

tar -xvf arachni-1.5.1-0.5.12-linux-x86_64.tar.gz

Arachni Startup and Basic Usage

We will be able launch the Arachni web interface with the following command:

launch arachni web interface

~/arachni-1.5.1-0.5.12/bin$ ./arachni_web

Once started, we will open the browser and as URL we will write:

arachni's web home screen

https://localhost:9292/users/sign_in/

The default username and password, we can find them in the Wiki which can be seen in the above screenshot. Once in the interface, to start a new exploration, we will only have to click on the icon '+ New'.

start the scan with arachni

After entering the URL to be scanned, we continue by clicking on Go to start.

start scan

This is how the scan begins.

scan in progress

After the scan is complete, to download the report all we have to do is choose the format and click OK.

In short, even though This scanner has not received updates for a couple of years now, it is still versatile enough to cover a large number of use cases. For more information about this project, you can contact your Web page.


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published.

*

*

  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.