
New RPC infrastructure
Ruby’s XMLRPC has been ditched (as initially discussed in these two [1, 2] posts) in favor of Arachni-RPC.
Arachni-RPC is lightweight, simple and fast, which makes it ideal for large Grid deployments and
makes it easy for third parties to interoperate with Arachni’s servers.
Notice: If you were using the old XMLRPC interface, please update your code to use the new RPC API.
High Performance Grid
I’ve been talking about this one so much that I’ve actually grown a bit sick of it — joking aside
though, this is one of Arachni’s most important features.
It allows you to connect multiple nodes into a Grid and use them to perform considerably faster scans.
This is due to the way Arachni distributes the workload: it is split down to individual page
elements to ensure a fair and optimal distribution, and because the distribution is that fine-grained
the Grid effectively becomes a form of bandwidth and CPU aggregation.
To put this in simple(-istic) terms:
If you have 2 Amazon instances and you need to scan one site, by utilising the HPG you’ll be
able to cut the audit time down to approximately half of what it would take by using a single
node (plus the initial crawl time, which does not shrink with the number of nodes).
And if you have a huge site you can use 50 nodes, and so the story goes…
This feature was an imaginary, almost unattainable, milestone back when I added the initial
client/server implementation and I didn’t really think that I’d ever be able to make it happen.
Luckily, I was wrong and I’m proud to present you with the first Open Source High Performance
Grid web application security scanner!
(By the way, does anyone know of a commercial scanner that can do this?)
Notice: With the WebUI’s updated AutoDeploy add-on you’ll be able to go into World domination
mode by performing point and click Grid deployments!
Another notice: Use responsibly, don’t DDoS people.
Yet another notice: It’s still considered experimental so let me know if you come across a bug.
Updated WebUI
The WebUI now contains a few context-sensitive help dialogs to help out newcomers, and it
has been updated to use the Thin webserver to send responses asynchronously in order to
increase performance and feel “snappier”.
It also supports HTTP basic auth in case you want some simple password protection (keep in mind
that basic auth merely base64-encodes the credentials, so put the WebUI behind TLS or keep it on a
trusted network) and has been updated to provide access to the brand new HPG goodies.
Spider improvements
There was a bug with redirections that prevented the spider from achieving optimal coverage;
it has now been resolved.
More than that, the scope of the crawl can now be either extended or restricted by supplying
newline-separated lists of URLs, which should help you import third-party sitemaps.
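As an added illustration of how such URL lists can be consumed (example code written for this page, not Arachni’s own spider), the snippet below parses newline-separated lists and applies them as crawl scope. The file contents, the host/port scope rule and the semantics assumed here (an extend list adds crawl seeds, a restrict list replaces the crawl with exactly the listed URLs, as you would want for a sitemap import) are assumptions, not Arachni’s documented behaviour.

```ruby
require 'uri'

# Constructed newline-separated lists, in the shape a third-party sitemap export
# or a hand-written file might provide them (not real Arachni input files).
EXTEND_LIST = <<~URLS
  http://example.test/hidden/admin
  http://example.test/api/v1/users

  # blank lines and comments are ignored
  http://example.test/docs#top
  not a url
  mailto:admin@example.test
URLS

RESTRICT_LIST = <<~URLS
  http://example.test/
  http://example.test/login
  http://example.test/search?q=test
URLS

# Reduce a parsed URI to a canonical absolute http(s) string: drop the fragment
# (never sent to the server) and give a bare host an explicit '/' path.
# Returns nil for anything that is not an http(s) URL.
def normalize_http(uri)
  return nil unless uri.is_a?(URI::HTTP) # URI::HTTPS is a subclass of URI::HTTP
  uri = uri.dup
  uri.fragment = nil
  uri.path = '/' if uri.path.empty?
  uri.to_s
end

# Parse a newline-separated list into unique normalised URLs, skipping blanks,
# '#' comments, unparsable lines and non-http(s) schemes.
def parse_url_list(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }.map do |line|
    begin
      normalize_http(URI.parse(line))
    rescue URI::InvalidURIError
      nil
    end
  end.compact.uniq
end

# Scope policy (assumed semantics). With only an extend list, the crawl starts from
# the seed plus the extra URLs and may visit anything on the seed's host and port.
# A restrict list replaces the crawl entirely: only the listed URLs are in scope.
class CrawlScope
  def initialize(seed, extend_list: [], restrict_list: [])
    @seed     = URI.parse(seed)
    @extend   = extend_list
    @restrict = restrict_list
  end

  def seeds
    return @restrict.dup unless @restrict.empty?
    ([normalize_http(@seed)] + @extend).uniq
  end

  def in_scope?(url)
    normalized = normalize_http(URI.parse(url))
    return false unless normalized
    uri = URI.parse(normalized)
    return false unless uri.host == @seed.host && uri.port == @seed.port
    return true if @restrict.empty?
    @restrict.include?(normalized)
  rescue URI::InvalidURIError
    false
  end
end
```

Fragments are stripped before comparison so that `http://example.test/login#form` still matches a restrict entry for `/login`, and anything off the seed’s host and port is rejected even if it appears in an extend list, so a stray sitemap entry cannot widen the scan onto someone else’s host.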
Plugins
The plugin API has been extended in order to allow plugins to let the framework know if they can
be distributed across HPG Instances and, if so, how to merge their results for the final report.
Another big (although invisible to the end-user) change is the conversion of all meta-modules to
full-fledged plugins to simplify management and Grid distribution.
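The two ideas above, distributing work at the granularity of page elements (the HPG section) and merging per-node plugin results for the final report (the plugin API extension), are sketched together in the following added example. It is illustrative code written for this page, not Arachni’s Grid or plugin implementation: the sitemap, the element scheme, the toy per-node audit and the result format are all constructed here, and round-robin is used as the distribution strategy.

```ruby
# Constructed sample sitemap: page URL => elements the audit would work on,
# each as [element type, input name]. Not output from a real Arachni crawl.
SAMPLE_SITEMAP = {
  'http://example.test/login'  => [['form', 'username'], ['form', 'password'], ['cookie', 'session']],
  'http://example.test/search' => [['link', 'q'], ['link', 'page'], ['form', 'query']],
  'http://example.test/about'  => [['link', 'lang']]
}.freeze

# Flatten the sitemap into one work unit per page element; this is the grain at
# which work is handed out, so a page with many inputs is spread over many nodes.
def work_units(sitemap)
  sitemap.flat_map do |url, elements|
    elements.map { |type, name| { url: url, type: type, name: name } }
  end
end

# Round-robin the units over +node_count+ nodes: bucket sizes differ by at most one,
# and the assignment is deterministic, so it can be replayed from the unit list.
def distribute(units, node_count)
  buckets = Array.new(node_count) { [] }
  units.each_with_index { |unit, i| buckets[i % node_count] << unit }
  buckets
end

# Stand-in for what a node does with its share: a toy check that reports every
# form input as an issue, plus a plugin-style tally of the element types it saw.
def audit_on_node(units)
  {
    issues:           units.select { |u| u[:type] == 'form' }.map { |u| "#{u[:url]}##{u[:name]}" },
    elements_by_type: units.group_by { |u| u[:type] }.transform_values(&:size)
  }
end

# The merge step a distributable plugin has to provide: union the issue lists and
# sum the per-type counts so the final report reads as if one node did all the work.
def merge_results(per_node)
  merged = { issues: [], elements_by_type: Hash.new(0) }
  per_node.each do |result|
    merged[:issues] |= result[:issues]
    result[:elements_by_type].each { |type, n| merged[:elements_by_type][type] += n }
  end
  merged
end

# Whole pipeline: split, audit each share (sequentially here, in parallel on a Grid), merge.
def grid_scan(sitemap, node_count)
  shares = distribute(work_units(sitemap), node_count)
  merge_results(shares.map { |share| audit_on_node(share) })
end

if __FILE__ == $PROGRAM_NAME
  p distribute(work_units(SAMPLE_SITEMAP), 2).map(&:size)
  p grid_scan(SAMPLE_SITEMAP, 2)
end
```

The property worth checking is that the merged result is independent of the node count: a plugin that cannot express its results in a mergeable form (here, a list and a counter) is exactly the kind that has to declare itself non-distributable and run on a single Instance.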
And these new plugins have been added:
ReScan — It uses the AFR report of a previous scan to extract the sitemap in order to avoid a
redundant crawl.
BeepNotify — Beeps when the scan finishes.
LibNotify — Uses the libnotify library to send notifications for each discovered issue and a
summary at the end of the scan.
EmailNotify — Sends a notification (and optionally a report) over SMTP at the end of the scan.
Manual verification — Flags issues that require manual verification as untrusted in order to
improve the signal-to-noise ratio.
Resolver — Resolves vulnerable hostnames to IP addresses.
Modules
I’ve got both good and bad news for this…
In an attempt to clean up and optimise pattern matching in v0.3 I inadvertently broke some
aspects of it, which crippled the XSS (xss), SQL injection (sqli) and Path Traversal (path_traversal) modules. I sincerely apologise, mea culpa.
The good news is that I’ve made things right, cleaned up the API and the existing modules and
improved their accuracy.
Reports
The HTML report has waved goodbye to Highcharts due to licensing reasons and now uses jqPlot
for all its charting and graphing needs.
I’ve also removed the “report false-positive” button, since a part of that process required RSA
encryption which for some reason caused segfaults on Mac OS X.
The good news is that the HTML reports will be significantly smaller in size from now on.
Moreover, the following new report formats have been added:
JSON — Exports the audit results as a JSON serialized Hash.
Marshal — Exports the audit results as a Marshal serialized Hash. Marshal is Ruby-only, and Marshal.load instantiates whatever classes the stream names, so only ever load a Marshal report you produced yourself.
YAML — Exports the audit results as a YAML serialized Hash.
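As an added example of what exporting and, more importantly, loading these formats looks like on the consuming side (code written for this page, not Arachni’s report classes; the report Hash is constructed and its keys are illustrative, not Arachni’s schema), the snippet below serialises one results Hash in all three formats and shows the safe-loading counterpart for each. The hostile YAML document is constructed here to show what `YAML.safe_load` rejects.

```ruby
require 'json'
require 'yaml'

# Constructed audit results as a plain Hash of strings, booleans and arrays; the
# key names are illustrative, not Arachni's actual report schema.
REPORT = {
  'target' => 'http://example.test/',
  'issues' => [
    { 'name' => 'Cross-Site Scripting', 'url' => 'http://example.test/search',
      'var' => 'q', 'method' => 'GET', 'trusted' => true },
    { 'name' => 'SQL Injection', 'url' => 'http://example.test/login',
      'var' => 'username', 'method' => 'POST', 'trusted' => false }
  ]
}.freeze

# Serialise the same Hash in each of the three formats.
def export(report, format)
  case format
  when :json    then JSON.pretty_generate(report)
  when :yaml    then YAML.dump(report)
  when :marshal then Marshal.dump(report)
  else raise ArgumentError, "unknown format #{format}"
  end
end

# Loading side. JSON carries nothing but data. YAML.safe_load only builds core
# types and raises on object tags. Marshal.load instantiates whatever classes the
# stream names, so it is gated on the caller vouching for the file's origin.
def import(blob, format, trusted_source: false)
  case format
  when :json    then JSON.parse(blob)
  when :yaml    then YAML.safe_load(blob)
  when :marshal
    raise SecurityError, 'Marshal reports are only loaded from a trusted source' unless trusted_source
    Marshal.load(blob)
  else raise ArgumentError, "unknown format #{format}"
  end
end

# Constructed hostile YAML: an object tag that a permissive loader would turn into
# an instance of the named class. safe_load refuses it.
HOSTILE_YAML = "--- !ruby/object:OpenStruct\ntable: {}\n".freeze

def rejected_by_safe_load?(blob)
  YAML.safe_load(blob)
  false
rescue Psych::DisallowedClass
  true
end

# Consumer of a loaded report: names of issues still needing manual verification.
def untrusted_issue_names(report)
  report['issues'].reject { |issue| issue['trusted'] }.map { |issue| issue['name'] }
end
```

JSON is the format to hand to anything that is not Ruby; YAML is convenient for humans but should always be read with `safe_load`; Marshal is the fastest round trip but is only appropriate between your own processes.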
Cygwin package for Windows
About time indeed: Windows users can now enjoy Arachni’s features, albeit via a preconfigured
Cygwin environment.
The important point is that you no longer have to go through the hassle of installing Arachni via
MinGW or Cygwin yourselves, or use a VM and what have you…
Simply download and run the self-extracting archive, double-click the “Cygwin” batch file and lo
and behold: you’ve got a bash shell ready to execute Arachni’s scripts.
Unfortunately, there’s a performance penalty involved when running Arachni in Cygwin, but until I
port it to run natively on Windows it’ll have to do.
Before I forget, the Wiki has been cleaned up and brought up to date so if you need to go
through the documentation that should be your first stop.
Download links and instructions