Skip to content
GitLab

Command line user interface · Changes

Page history
Updated Command-line-user-interface (markdown) authored by Tasos Laskos's avatar Tasos Laskos
Show whitespace changes
Inline Side-by-side
guides/user/Command-line-user-interface.md
View page @ 2d337646
...@@ -431,9 +431,10 @@ This will suppress all messages except for positive matches -- vulnerabilities. ...@@ -431,9 +431,10 @@ This will suppress all messages except for positive matches -- vulnerabilities.
Limit how many concurrent HTTP request are sent. Limit how many concurrent HTTP request are sent.
*Note*: If your scan seems unresponsive try lowering the limit. **Note**: If your scan seems unresponsive try lowering the limit.
*Warning*: Given enough bandwidth and a high limit it could cause a DoS.
Be careful when setting this option too high, don't kill your server. **Warning**: Given enough bandwidth and a high limit it could cause a DoS.
Be careful when setting this option too high, don't kill your server.
<h3 id='http-timeout'><a href='#http-timeout'>HTTP timeout (--http-timeout)</a></h3> <h3 id='http-timeout'><a href='#http-timeout'>HTTP timeout (--http-timeout)</a></h3>
...@@ -456,6 +457,7 @@ Limit how long the HTTP client should wait for a response from the server. ...@@ -456,6 +457,7 @@ Limit how long the HTTP client should wait for a response from the server.
Forces the system to only follow HTTPS URLs. Forces the system to only follow HTTPS URLs.
_(Target URL must be an HTTPS one as well.)_ _(Target URL must be an HTTPS one as well.)_
<h3 id='cookie-jar'><a href='#cookie-jar'>Cookie jar (--cookie-jar)</a></h3> <h3 id='cookie-jar'><a href='#cookie-jar'>Cookie jar (--cookie-jar)</a></h3>
...@@ -472,9 +474,9 @@ If you want to audit restricted parts of a website that are accessible only to l ...@@ -472,9 +474,9 @@ If you want to audit restricted parts of a website that are accessible only to l
There's a number of ways to do that, I've found that Firebug's export cookie feature works best. There's a number of ways to do that, I've found that Firebug's export cookie feature works best.
You should also take a look at the _--exclude-cookie_ option discussed later. You should also take a look at the `--exclude-cookie` option discussed later.
*Note*: If you don't feel comfortable setting your own cookie-jar you can use the Proxy or AutoLogin plugin to login to the web application. **Note**: If you don't feel comfortable setting your own cookie-jar you can use the Proxy or AutoLogin plugin to login to the web application.
<h3 id='cookie-string'><a href='#cookie-string'>Cookie string (--cookie-string)</a></h3> <h3 id='cookie-string'><a href='#cookie-string'>Cookie string (--cookie-string)</a></h3>
...@@ -503,7 +505,7 @@ Cookies, as a string, to be sent to the web application. ...@@ -503,7 +505,7 @@ Cookies, as a string, to be sent to the web application.
You can pass your own user agent string which will be sent to the webserver under audit. You can pass your own user agent string which will be sent to the webserver under audit.
Default is _Arachni/&lt;version&gt;_. Default is `Arachni/<version>`.
<h3 id='custom-header'><a href='#custom-header'>Custom header (--custom-header)</a></h3> <h3 id='custom-header'><a href='#custom-header'>Custom header (--custom-header)</a></h3>
...@@ -532,9 +534,9 @@ Allows you to specify custom headers in the form of key-value pairs. ...@@ -532,9 +534,9 @@ Allows you to specify custom headers in the form of key-value pairs.
**Multiple invocations?**: `no` **Multiple invocations?**: `no`
The string passed to this option will be included in the user-agent string and be the value of the "From" HTTP header field. The string passed to this option will be included in the user-agent string and be the value of the _From_ HTTP header field.
The _--authed-by_ value should contain information about the person who authorized the scan, his name and e-mail. The `--authed-by` value should contain information about the person who authorized the scan, his name and e-mail.
<h4 id='authed-by_example'><a href='#authed-by_example'>Example</a></h4> <h4 id='authed-by_example'><a href='#authed-by_example'>Example</a></h4>
...@@ -550,12 +552,12 @@ The _--authed-by_ value should contain information about the person who authoriz ...@@ -550,12 +552,12 @@ The _--authed-by_ value should contain information about the person who authoriz
**Multiple invocations?**: `no` **Multiple invocations?**: `no`
*Requires*: "login-check-pattern":#login-check-pattern **Requires**: [login-check-pattern](#login-check-pattern)
The URL passed to this option will be used to verify that the scanner is still The URL passed to this option will be used to verify that the scanner is still
logged in to the web application. logged in to the web application.
If HTTP response body of URL matches the "login-check-pattern":#login-check-pattern If HTTP response body of URL matches the [login-check-pattern](#login-check-pattern)
this should indicate that the scanner is logged in. this should indicate that the scanner is logged in.
<h3 id='login-check-pattern'><a href='#login-check-pattern'>Login check pattern (--login-check-pattern)</a></h3> <h3 id='login-check-pattern'><a href='#login-check-pattern'>Login check pattern (--login-check-pattern)</a></h3>
...@@ -566,9 +568,9 @@ this should indicate that the scanner is logged in. ...@@ -566,9 +568,9 @@ this should indicate that the scanner is logged in.
**Multiple invocations?**: `no` **Multiple invocations?**: `no`
*Requires*: "login-check-url":#login-check-url **Requires**: [login-check-url](#login-check-url)
A pattern used against the body of the "login-check-url":#login-check-url to A pattern used against the body of the [login-check-pattern](#login-check-pattern) to
verify that the scanner is still logged in to the web application. verify that the scanner is still logged in to the web application.
A positive match should indicate that the scanner is logged in. A positive match should indicate that the scanner is logged in.
...@@ -625,7 +627,7 @@ This option will output the running configuration as a string of command line ar ...@@ -625,7 +627,7 @@ This option will output the running configuration as a string of command line ar
<h4 id='show-profile_example'><a href='#show-profile_example'>Example</a></h4> <h4 id='show-profile_example'><a href='#show-profile_example'>Example</a></h4>
```arachni --show-profile --load-profile=myprofile.afp</pre></code> ` arachni --show-profile --load-profile=myprofile.afp`
<h2 id='crawler'><a href='#crawler'>Crawler</a></h2> <h2 id='crawler'><a href='#crawler'>Crawler</a></h2>
...@@ -638,11 +640,11 @@ This option will output the running configuration as a string of command line ar ...@@ -638,11 +640,11 @@ This option will output the running configuration as a string of command line ar
**Multiple invocations?**: `yes` **Multiple invocations?**: `yes`
The _--exclude_ option expects a regular expression or plain string and excludes URLs matching that expression from the crawling process. The `--exclude` option expects a regular expression or plain string and excludes URLs matching that expression from the crawling process.
<h4 id='exclude_example'><a href='#exclude_example'>Example</a></h4> <h4 id='exclude_example'><a href='#exclude_example'>Example</a></h4>
In this simple example we tell Arachni to exclude all URLs that contain the string "xss". In this simple example we tell Arachni to exclude all URLs that contain the string _xss_.
Thus no further action was taken. Thus no further action was taken.
``` ```
...@@ -736,21 +738,20 @@ Arachni - Web Application Security Scanner Framework v0.4.2 ...@@ -736,21 +738,20 @@ Arachni - Web Application Security Scanner Framework v0.4.2
**Multiple invocations?**: `yes` **Multiple invocations?**: `yes`
The `--exclude-page` option expects a regular expression or plain string
The _--exclude-page_ option expects a regular expression or plain string
and excludes pages whose content matching that expression from the crawl process. and excludes pages whose content matching that expression from the crawl process.
<h3 id='include'><a href='#include'>Include (--include/-i)</a></h3> <h3 id='include'><a href='#include'>Include (--include/-i)</a></h3>
**Expects**: `regexp` **Expects**: `regexp`
**Default**: `'.*'` **Default**: `disabled`
**Multiple invocations?**: `yes` **Multiple invocations?**: `yes`
This is the exact oposite of the _--exclude_ option. This is the exact oposite of the `--exclude` option.
When a regular expression is passed to the _--include_ option, *only* URLs matching that regular expression will be crawled. When a regular expression is passed to the `--include` option, **only** URLs matching that regular expression will be crawled.
<h3 id='redundant'><a href='#redundant'>Redundant (--redundant)</a></h3> <h3 id='redundant'><a href='#redundant'>Redundant (--redundant)</a></h3>
...@@ -922,8 +923,9 @@ Tells Arachni to audit the cookies of the page. ...@@ -922,8 +923,9 @@ Tells Arachni to audit the cookies of the page.
Tells Arachni to exclude -- not audit -- a cookie by name. Tells Arachni to exclude -- not audit -- a cookie by name.
Usually used to avoid auditing a session ID cookie from the cookie-jar. Usually used to avoid auditing a session ID cookie from the cookie-jar.
*Note*: Even if you audit a session cookie Arachni will restore it to its original value right after auditing it. **Note**: Even if you audit a session cookie Arachni will restore it to its original value right after auditing it.
However, some extra cautious websites may invalidate/block the session upon receiving an invalid token. However, some extra cautious websites may invalidate/block the session upon receiving an invalid token.
This is very unlikely but it's better to err on the side of caution. This is very unlikely but it's better to err on the side of caution.
<h3 id='exclude-vector'><a href='#exclude-vector'>Exclude cookie (--exclude-vector)</a></h3> <h3 id='exclude-vector'><a href='#exclude-vector'>Exclude cookie (--exclude-vector)</a></h3>
...@@ -948,8 +950,9 @@ Tells Arachni to exclude -- not audit -- an input vector by name. ...@@ -948,8 +950,9 @@ Tells Arachni to exclude -- not audit -- an input vector by name.
Tells Arachni to audit the HTTP headers of the page. Tells Arachni to audit the HTTP headers of the page.
*Note*: Header audits use brute force. Almost all valid HTTP request headers will be audited even if there's no indication that the web app uses them. **Note**: Header audits use brute force. Almost all valid HTTP request headers will be audited even if there's no indication that the web app uses them.
*Warning*: Enabling this option will result in increased requests, maybe by an order of magnitude.
**Warning**: Enabling this option will result in increased requests, maybe by an order of magnitude.
<h2 id='coverage'><a href='#coverage'>Coverage</a></h2> <h2 id='coverage'><a href='#coverage'>Coverage</a></h2>
...@@ -964,7 +967,7 @@ Tells Arachni to audit the HTTP headers of the page. ...@@ -964,7 +967,7 @@ Tells Arachni to audit the HTTP headers of the page.
If enabled Arachni will submit all links and forms of the page along with the cookie permutations. If enabled Arachni will submit all links and forms of the page along with the cookie permutations.
*Warning*: Will severely increase the scan-time. **Warning**: Will severely increase the scan-time.
<h3 id='fuzz-methods'><a href='#fuzz-methods'>Fuzz methods (--fuzz-methods)</a></h3> <h3 id='fuzz-methods'><a href='#fuzz-methods'>Fuzz methods (--fuzz-methods)</a></h3>
...@@ -978,7 +981,7 @@ If enabled Arachni will submit all links and forms of the page along with the co ...@@ -978,7 +981,7 @@ If enabled Arachni will submit all links and forms of the page along with the co
If enabled Arachni will submit all links and forms using both the _GET_ and _POST_ If enabled Arachni will submit all links and forms using both the _GET_ and _POST_
HTTP request methods. HTTP request methods.
*Warning*: Will severely increase the scan-time. **Warning**: Will severely increase the scan-time.
<h3 id='exclude-binaries'><a href='#exclude-binaries'>Exclude binaries (--exclude-binaries)</a></h3> <h3 id='exclude-binaries'><a href='#exclude-binaries'>Exclude binaries (--exclude-binaries)</a></h3>
...@@ -991,7 +994,7 @@ HTTP request methods. ...@@ -991,7 +994,7 @@ HTTP request methods.
Disables inclusion of binary HTTP response bodies in the audit. Disables inclusion of binary HTTP response bodies in the audit.
*Note*: Binary content can confuse recon modules that perform pattern matching. **Note**: Binary content can confuse recon modules that perform pattern matching.
<h2 id='modules'><a href='#modules'>Modules</a></h2> <h2 id='modules'><a href='#modules'>Modules</a></h2>
...@@ -1146,9 +1149,11 @@ Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/xs ...@@ -1146,9 +1149,11 @@ Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/xs
Tells Arachni which modules to load. Tells Arachni which modules to load.
Modules are referenced by their filename without the '.rb' extension, use '--lsmod' to see all.
You can specify the modules to load as comma separated values (without spaces) or '*' to load all modules. Modules are referenced by their filename without the `.rb` extension, use `--lsmod` to see all.
You can prevent modules from loading by prefixing their name with a dash (-).
You can specify the modules to load as comma separated values (without spaces) or `*` to load all modules.
You can prevent modules from loading by prefixing their name with a dash (`-`).
<h4 id='mods_example'><a href='#mods_example'>Example</a></h4> <h4 id='mods_example'><a href='#mods_example'>Example</a></h4>
...@@ -1173,7 +1178,7 @@ Excluding modules: ...@@ -1173,7 +1178,7 @@ Excluding modules:
$ arachni --modules=*,-backup_files,-xss http://www.test.com $ arachni --modules=*,-backup_files,-xss http://www.test.com
``` ```
The above will load all modules except for the 'backup_files' and 'xss' modules. The above will load all modules except for the _backup_files_ and _xss_ modules.
<h2 id='reports'><a href='#reports'>Reports</a></h2> <h2 id='reports'><a href='#reports'>Reports</a></h2>
...@@ -1361,7 +1366,7 @@ You can use this option to load a report file and convert it to another format. ...@@ -1361,7 +1366,7 @@ You can use this option to load a report file and convert it to another format.
<h4 id='repload_example'><a href='#repload_example'>Example</a></h4> <h4 id='repload_example'><a href='#repload_example'>Example</a></h4>
Load an AFR report file and send it to the "stdout" report. Load an AFR report file and send it to the _stdout_ report.
``` ```
$ arachni --repload=2012-09-09\ 02.42.20\ +0300.afr $ arachni --repload=2012-09-09\ 02.42.20\ +0300.afr
...@@ -1512,7 +1517,7 @@ Arachni - Web Application Security Scanner Framework v0.4.2 ...@@ -1512,7 +1517,7 @@ Arachni - Web Application Security Scanner Framework v0.4.2
Tells Arachni which report component to use. Tells Arachni which report component to use.
Reports are referenced by their filename without the '.rb' extension, use '--lsrep' to see all. Reports are referenced by their filename without the `.rb` extension, use `--lsrep` to see all.
<h4 id='report_example'><a href='#report_example'>Example</a></h4> <h4 id='report_example'><a href='#report_example'>Example</a></h4>
...@@ -2124,7 +2129,7 @@ Path: /home/zapotek/workspace/arachni/plugins/form_dicattack.rb ...@@ -2124,7 +2129,7 @@ Path: /home/zapotek/workspace/arachni/plugins/form_dicattack.rb
Tells Arachni which plugin components to run. Tells Arachni which plugin components to run.
Plugins are referenced by their filename without the '.rb' extension, use '--lsplug' to see all. Plugins are referenced by their filename without the `.rb` extension, use `--lsplug` to see all.
<h4 id='plugin_example'><a href='#plugin_example'>Example</a></h4> <h4 id='plugin_example'><a href='#plugin_example'>Example</a></h4>
...@@ -2480,6 +2485,8 @@ Arachni - Web Application Security Scanner Framework v0.4.2 ...@@ -2480,6 +2485,8 @@ Arachni - Web Application Security Scanner Framework v0.4.2
-h -h
--help Output this. --help Output this.
--version Show version information and exit.
-v Be verbose. -v Be verbose.
--debug Show what is happening internally. --debug Show what is happening internally.
...@@ -2538,6 +2545,9 @@ Arachni - Web Application Security Scanner Framework v0.4.2 ...@@ -2538,6 +2545,9 @@ Arachni - Web Application Security Scanner Framework v0.4.2
--exclude=<regexp> Exclude urls matching <regexp>. --exclude=<regexp> Exclude urls matching <regexp>.
(Can be used multiple times.) (Can be used multiple times.)
--exclude-page=<regexp> Exclude pages whose content matches <regexp>.
(Can be used multiple times.)
-i <regexp> -i <regexp>
--include=<regexp> Include *only* urls matching <regex>. --include=<regexp> Include *only* urls matching <regex>.
(Can be used multiple times.) (Can be used multiple times.)
...@@ -2569,9 +2579,11 @@ Arachni - Web Application Security Scanner Framework v0.4.2 ...@@ -2569,9 +2579,11 @@ Arachni - Web Application Security Scanner Framework v0.4.2
--extend-paths=<filepath> Add the paths in <file> to the ones discovered by the crawler. --extend-paths=<filepath> Add the paths in <file> to the ones discovered by the crawler.
(Can be used multiple times.) (Can be used multiple times.)
--restrict-paths=<filepath> Use the paths in <file> instead of crawling. --interceptor.callict-paths=<filepath> Use the paths in <file> instead of crawling.
(Can be used multiple times.) (Can be used multiple times.)
--https-only Forces the system to only follow HTTPS URLs.
Auditor ------------------------ Auditor ------------------------
...@@ -2672,4 +2684,5 @@ Arachni - Web Application Security Scanner Framework v0.4.2 ...@@ -2672,4 +2684,5 @@ Arachni - Web Application Security Scanner Framework v0.4.2
--proxy-type=<type> Proxy type; can be http, http_1_0, socks4, socks5, socks4a --proxy-type=<type> Proxy type; can be http, http_1_0, socks4, socks5, socks4a
(Default: http) (Default: http)
``` ```