| ... | ... | @@ -98,10 +98,8 @@ in the [knowledge base](http://support.arachni-scanner.com/kb/). |
|
|
|
* [Scope](#scope)
|
|
|
|
* [Include (--scope-include-pattern)](#scope-include-pattern)
|
|
|
|
* [Include subdomains (--scope-include-subdomains)](#scope-include-subdomains)
|
|
|
|
* [Exclude (--exclude/-e)](#exclude)
|
|
|
|
* [Example](#exclude_example)
|
|
|
|
* [Exclude page by content (--exclude-page)](#exclude-page)
|
|
|
|
* [Example](#exclude-page_example)
|
|
|
|
* [Exclude (--scope-exclude-patterns)](#scope-exclude-patterns)
|
|
|
|
* [Exclude page by content (--exclude-content-pattern)](#exclude-content-pattern)
|
|
|
|
* [Redundant (--redundant)](#redundant)
|
|
|
|
* [Auto-redundant (--auto-redundant)](#auto-redundant)
|
|
|
|
* [Example](#auto-redundant_example)
|
| ... | ... | @@ -474,7 +472,7 @@ Cookies, as a string, to be sent to the web application. |
|
|
|
|
|
|
|
<h4 id='http-cookie-string_example'><a href='#http-cookie-string_example'>Example</a></h4>
|
|
|
|
|
|
|
|
--cookie-string='userid=19;sessionid=deadbeefbabe'
|
|
|
|
--http-cookie-string='userid=19;sessionid=deadbeefbabe'
|
|
|
|
|
|
|
|
<h3 id='http-authentication-username'><a href='#http-authentication-username'>Authentication username (--http-authentication-username)</a></h3>
|
|
|
|
|
| ... | ... | @@ -614,115 +612,26 @@ Restricts the scope of the scan to resources whose URL matches any of the specif |
|
|
|
|
|
|
|
Allow the system to include subdomains in the scan.
|
|
|
|
|
|
|
|
<h3 id='exclude'><a href='#exclude'>Exclude (--exclude/-e)</a></h3>
|
|
|
|
<h3 id='scope-exclude-patterns'><a href='#scope-exclude-patterns'>Exclude (--scope-exclude-patterns)</a></h3>
|
|
|
|
|
|
|
|
**Expects**: `regexp`
|
|
|
|
**Expects**: `pattern`
|
|
|
|
|
|
|
|
**Default**: `disabled`
|
|
|
|
|
|
|
|
**Multiple invocations?**: `yes`
|
|
|
|
|
|
|
|
|
|
|
|
The `--exclude` option expects a regular expression or plain string and excludes URLs matching that expression from the crawling process.
|
|
|
|
|
|
|
|
<h4 id='exclude_example'><a href='#exclude_example'>Example</a></h4>
|
|
|
|
|
|
|
|
In this simple example we tell Arachni to exclude all URLs that contain the string _xss_.
|
|
|
|
Thus no further action was taken.
|
|
|
|
|
|
|
|
```
|
|
|
|
$ arachni http://testfire.net --modules=xss --exclude=testfire
|
|
|
|
Arachni - Web Application Security Scanner Framework v0.4.2
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Excludes resources whose URL matches any of these patterns.
|
|
|
|
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
<h3 id='exclude-content-pattern'><a href='#exclude-content-pattern'>Exclude page by content (--exclude-content-pattern)</a></h3>
|
|
|
|
|
|
|
|
Website: http://arachni-scanner.com
|
|
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
|
|
[~] No audit options were specified.
|
|
|
|
[~] -> Will audit links, forms and cookies.
|
|
|
|
|
|
|
|
[*] Initialising...
|
|
|
|
[*] Waiting for plugins to settle...
|
|
|
|
[*] Resolver: Resolving hostnames...
|
|
|
|
[*] Resolver: Done!
|
|
|
|
|
|
|
|
[*] Dumping audit results in '2012-09-09 02.38.18 +0300.afr'.
|
|
|
|
[*] Done!
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[+] Web Application Security Report - Arachni Framework
|
|
|
|
|
|
|
|
[~] Report generated on: 2012-09-09 02:38:18 +0300
|
|
|
|
[~] Report false positives at: http://github.com/Arachni/arachni/issues
|
|
|
|
|
|
|
|
[+] System settings:
|
|
|
|
[~] ---------------
|
|
|
|
[~] Version: 0.4.1dev
|
|
|
|
[~] Revision: 0.2.7
|
|
|
|
[~] Audit started on: Sun Sep 9 02:38:15 2012
|
|
|
|
[~] Audit finished on: Sun Sep 9 02:38:16 2012
|
|
|
|
[~] Runtime: 00:00:01
|
|
|
|
|
|
|
|
[~] URL: http://testfire.net/
|
|
|
|
[~] User agent: Arachni/v0.4.2
|
|
|
|
|
|
|
|
[*] Audited elements:
|
|
|
|
[~] * Links
|
|
|
|
[~] * Forms
|
|
|
|
[~] * Cookies
|
|
|
|
|
|
|
|
[*] Modules: xss
|
|
|
|
|
|
|
|
[*] Filters:
|
|
|
|
[~] Exclude:
|
|
|
|
[~] (?-mix:testfire)
|
|
|
|
|
|
|
|
[~] =
|
|
|
|
|
|
|
|
[+] 0 issues were detected.
|
|
|
|
|
|
|
|
|
|
|
|
[+] Plugin data:
|
|
|
|
[~] ---------------
|
|
|
|
|
|
|
|
|
|
|
|
[~] 0.0% [=> ] 100%
|
|
|
|
[~] Est. remaining time: --:--:--
|
|
|
|
|
|
|
|
[~] Crawling, discovered 0 pages and counting.
|
|
|
|
|
|
|
|
[~] Sent 0 requests.
|
|
|
|
[~] Received and analyzed 0 responses.
|
|
|
|
[~] In 00:00:01
|
|
|
|
[~] Average: 0 requests/second.
|
|
|
|
|
|
|
|
[~] Burst response time total 0
|
|
|
|
[~] Burst response count total 0
|
|
|
|
[~] Burst average response time 0
|
|
|
|
[~] Burst average 0 requests/second
|
|
|
|
[~] Timed-out requests 0
|
|
|
|
[~] Original max concurrency 20
|
|
|
|
[~] Throttled max concurrency 20
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
<h3 id='exclude-page'><a href='#exclude-page'>Exclude page by content (--exclude-page)</a></h3>
|
|
|
|
|
|
|
|
**Expects**: `regexp`
|
|
|
|
**Expects**: `pattern`
|
|
|
|
|
|
|
|
**Default**: `disabled`
|
|
|
|
|
|
|
|
**Multiple invocations?**: `yes`
|
|
|
|
|
|
|
|
The `--exclude-page` option expects a regular expression or plain string
|
|
|
|
and excludes pages whose content matching that expression from the crawl process.
|
|
|
|
Excludes pages whose content matches any of the given patterns.
|
|
|
|
|
|
|
|
<h3 id='redundant'><a href='#redundant'>Redundant (--redundant)</a></h3>
|
|
|
|
|
| ... | ... | |
