# Command line user interface

_Page history: "Converted textile to markdown", authored Mar 30, 2013 by Tasos Laskos (guides/user/Command-line-user-interface.md @ fcadd6f3)._
## Version 0.4.2
There are a lot of options, customizations and tweaks you can use but fear not and don't let yourself be overwhelmed.
This guide will walk you through each and every one of them and teach you how to use them in order to make your scans as efficient as possible.
_If you intend to scan big and complex sites it's best that you read through this guide and evaluate all available options._
### Quickstart
#### Help
In order to see everything Arachni has to offer, execute:
```
$ arachni -h
```
#### Examples
You can simply run Arachni like so:
```
$ arachni http://test.com
```
which will load all modules, the plugins under `/plugins/defaults` and audit
all forms, links and cookies.
In the following example all modules will be run against _http://test.com_,
auditing links/forms/cookies and following subdomains, with verbose output enabled.
The results of the audit will be saved in the file _test.com.afr_.
```
$ arachni -fv http://test.com --report=afr:outfile=test.com.afr
```
The Arachni Framework Report (.afr) file can later be loaded by Arachni to
create a report, like so:
```
$ arachni --repload=test.com.afr --report=html:outfile=my_report.html
```
or any other report type as shown by:
```
$ arachni --lsrep
```
#### You can make module loading easier by using wildcards (*) and exclusions (-).
To load all `xss` modules using a wildcard:
```
$ arachni http://example.net --modules=xss*
```
To load all _audit_ modules using a wildcard:
```
$ arachni http://example.net --modules=audit/*
```
To exclude only the _csrf_ module:
```
$ arachni http://example.net --modules=*,-csrf
```
Or you can mix and match; to run everything but the _xss_ modules:
```
$ arachni http://example.net --modules=*,-xss*
```
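As an added example (not Arachni's own code), the following Ruby resolves a `--modules` value such as `*,-xss*` against a list of module identifiers the way the four invocations above describe. The module identifiers, and the rule that a wildcard matches either the full `dir/name` identifier or the bare name, are assumptions made for this example; the real module set is whatever `arachni --lsmod` prints.

```ruby
# Added example, not Arachni's own code: resolves a --modules spec such as
# "*,-xss*" against available module identifiers. Wildcards (*) select,
# a leading "-" excludes, exclusions are applied after inclusions.

# Constructed module identifiers in "dir/name" form (assumption for the example).
AVAILABLE_MODULES = %w[
  audit/xss
  audit/xss_path
  audit/xss_event
  audit/csrf
  audit/code_injection
  audit/path_traversal
  audit/sqli_blind_rdiff
  recon/backup_files
  recon/common_files
].freeze

# Converts a shell-style glob ("xss*", "audit/*") into an anchored Regexp.
# Only "*" is special; every other character is matched literally.
def glob_to_regexp(glob)
  body = glob.split('*', -1).map { |part| Regexp.escape(part) }.join('.*')
  Regexp.new('\A' + body + '\z')
end

# A glob matches a module if it matches the full identifier ("audit/xss")
# or the bare name ("xss"), so both "xss*" and "audit/*" work as in the guide.
# (Assumption made for this example; the guide does not spell out the rule.)
def glob_matches?(glob, mod)
  re = glob_to_regexp(glob)
  re.match?(mod) || re.match?(File.basename(mod))
end

# Resolves a comma-separated --modules value to the ordered list of modules
# to load. "*,-csrf" therefore means "everything except csrf".
def select_modules(spec, available = AVAILABLE_MODULES)
  entries  = spec.split(',').map(&:strip).reject(&:empty?)
  includes = entries.reject { |e| e.start_with?('-') }
  excludes = entries.select { |e| e.start_with?('-') }.map { |e| e[1..-1] }

  selected = available.select { |m| includes.any? { |g| glob_matches?(g, m) } }
  selected.reject { |m| excludes.any? { |g| glob_matches?(g, m) } }
end

if __FILE__ == $PROGRAM_NAME
  %w[xss* audit/* *,-csrf *,-xss*].each do |spec|
    puts "--modules=#{spec}"
    select_modules(spec).each { |m| puts "  #{m}" }
  end
end
```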
#### Performing a full scan quickly
The _full_ profile adds header auditing to the defaults.
_NOTICE: Auditing headers can increase scan time by an order of magnitude
(depending on the website) and may be considered over-the-top in most scenarios._
You can use it like so:
```
$ arachni --load-profile=profiles/full.afp http://example.net
```
_If you installed the Gem then you'll have to look for the "profiles" directory
in your gems path._
### Command reference
[Command Line Interface help output](#cli_help_output)

* [General](#general)
  * [Version (--version)](#version)
  * [Verbosity (-v)](#verbosity)
    * [Example](#verbosity_example)
  * [Debug mode (--debug)](#debug)
  * [Only positives (--only-positives)](#only-positives)
  * [HTTP request limit (--http-req-limit)](#http-req-limit)
  * [HTTP request timeout (--http-timeout)](#http-timeout)
  * [HTTPS only (--https-only)](#https-only)
  * [Cookie jar (--cookie-jar)](#cookie-jar)
  * [Cookie string (--cookie-string)](#cookie-string)
  * [User agent (--user-agent)](#user-agent)
  * [Custom header (--custom-header)](#custom-header)
    * [Example](#custom-header_example)
  * [Authorized by (--authed-by)](#authed-by)
    * [Example](#authed-by_example)
  * [Login check URL (--login-check-url)](#login-check-url)
  * [Login check pattern (--login-check-pattern)](#login-check-pattern)
* [Profiles](#profiles)
  * [Save profile (--save-profile)](#save-profile)
    * [Example](#save-profile_example)
  * [Load profile (--load-profile)](#load-profile)
    * [Example](#load-profile_example)
  * [Show profile (--show-profile)](#show-profile)
    * [Example](#show-profile_example)
* [Crawler](#crawler)
  * [Exclude (--exclude/-e)](#exclude)
    * [Example](#exclude_example)
  * [Exclude page by content (--exclude-page)](#exclude-page)
    * [Example](#exclude-page_example)
  * [Include (--include/-i)](#include)
  * [Redundant (--redundant)](#redundant)
  * [Auto-redundant (--auto-redundant)](#auto-redundant)
    * [Example](#auto-redundant_example)
  * [Follow subdomains (-f/--follow-subdomains)](#follow-subdomains)
  * [Depth limit (--depth)](#depth)
  * [Link count limit (--link-count)](#link-count)
  * [Redirect limit (--redirect-limit)](#redirect-limit)
  * [Extend paths (--extend-paths)](#extend-paths)
  * [Restrict paths (--restrict-paths)](#restrict-paths)
* [Auditor](#auditor)
  * [Audit links (--audit-links/-g)](#audit-links)
  * [Audit forms (--audit-forms/-p)](#audit-forms)
  * [Audit cookies (--audit-cookies/-c)](#audit-cookies)
  * [Exclude cookie (--exclude-cookie)](#exclude-cookie)
  * [Exclude vector (--exclude-vector)](#exclude-vector)
  * [Audit headers (--audit-headers)](#audit-headers)
* [Coverage](#coverage)
  * [Audit cookies extensively (--audit-cookies-extensively)](#audit-cookies-extensively)
  * [Fuzz methods (--fuzz-methods)](#fuzz-methods)
  * [Exclude binaries (--exclude-binaries)](#exclude-binaries)
* [Modules](#modules)
  * [List modules (--lsmod)](#lsmod)
    * [Example](#lsmod_example)
  * [Modules (--modules/-m)](#modules)
    * [Example](#mods_example)
* [Reports](#reports)
  * [List reports (--lsrep)](#lsrep)
    * [Example](#lsrep_example)
  * [Load a report (--repload)](#repload)
    * [Example](#repload_example)
  * [Report (--report)](#report)
    * [Example](#report_example)
* [Plugins](#plugins)
  * [List plugins (--lsplug)](#lsplug)
    * [Example](#lsplug_example)
  * [Load a plugin (--plugin)](#plugin)
    * [Example](#plugin_example)
* [Proxy](#proxy)
  * [Proxy server (--proxy)](#proxy_server)
  * [Proxy authentication (--proxy-auth)](#proxy-auth)
  * [Proxy type (--proxy-type)](#proxy-type)
<h2 id='general'><a href='#general'>General</a></h2>
<h3 id='version'><a href='#version'>Version (--version)</a></h3>
*Expects*: <n/a>
*Default*: disabled
*Multiple invocations?*: no
Outputs the Arachni banner and version information.
<h3 id='verbosity'><a href='#verbosity'>Verbosity (-v)</a></h3>
*Expects*: <n/a>
*Default*: disabled
*Multiple invocations?*: no
When verbosity is enabled Arachni will give you detailed information about what's going on during the whole process.
<h4 id='verbosity_example'><a href='#verbosity_example'>Example</a></h4>
Let's give this a try:
```
$ arachni --audit-forms --modules=xss http://testfire.net/ --link-count=1
```
This will load the XSS module and audit all the forms in "http://testfire.net/".
*Verbose mode disabled*
Observe that there's no _-v_ flag in the following run.
_Don't worry about the rest of the parameters right now._
*Quick note:*
Arachni's output messages are classified into several categories, each of them prefixed with a different colored symbol.
"[*]" messages are status messages.
"[+]" messages are "ok" messages - positive matches.
_I won't bother with coloring during the examples._
```
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[*] Initialising...
[*] Waiting for plugins to settle...
[*] [HTTP: 200] http://testfire.net/
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] Auditing: [HTTP: 200] http://testfire.net/
[*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] Profiler: Analyzing response #3...
[~] Trainer: Found 1 new links.
[*] Profiler: Analyzing response #4...
[*] Profiler: Analyzing response #5...
[*] XSS: Analyzing response #6...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] XSS: Analyzing response #7...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] XSS: Analyzing response #8...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
```
*Verbose mode enabled*
See the extra information in this example.
"[v]" messages are verbose messages.
In this case the verbose messages give information about the inputs that discovered the XSS vulnerability.
```
$ arachni -v --audit-forms --modules=xss http://testfire.net/ --link-count=1
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[*] Initialising...
[*] Waiting for plugins to settle...
[*] [HTTP: 200] http://testfire.net/
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] Auditing: [HTTP: 200] http://testfire.net/
[*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] Profiler: Analyzing response #3...
[~] Trainer: Found 1 new links.
[*] Profiler: Analyzing response #4...
[*] Profiler: Analyzing response #5...
[*] XSS: Analyzing response #6...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[v] XSS: Injected string: <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
[v] XSS: Verified string: <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
[*] XSS: Analyzing response #7...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[v] XSS: Injected string: '-;<some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
[v] XSS: Verified string: '-;<some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
[*] XSS: Analyzing response #8...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[v] XSS: Injected string: --> <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/> <!--
[v] XSS: Verified string: --> <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/> <!--
```
<h3 id='debug'><a href='#debug'>Debug mode (--debug)</a></h3>
*Expects*: <n/a>
*Default*: disabled
*Multiple invocations?*: no
When this flag is enabled the system will output a lot of messages detailing what's happening internally.
If you don't want to be flooded by annoying and obscure messages you can redirect the debugging output (which goes to stderr) to a separate file when running Arachni, like so:
```
$ arachni -pv --mods=xss http://localhost/~zapotek/tests/forms/xss.php --debug 2> debug.log
```
The debug.log file will contain something like:
```
$ cat debug.log
[!] XSS: Current audit ID: XSS:http://localhost/~zapotek/tests/forms/xss.php:form:["xss"]=<arachni_xss_5e2e830ed4f831cb30df6df05151022b94cd27991b459ae8c3b349e2bbd2dad1
[!] XSS: Current audit ID: XSS:http://localhost/~zapotek/tests/forms/xss.php:form:["xss"]=__original_values__
[!] XSS: Current audit ID: XSS:http://localhost/~zapotek/tests/forms/xss.php:form:["xss"]=__sample_values__
[!] XSS:
[!] XSS: Trainer set to: OFF
[!] XSS: ------------
[!] XSS: Injection string format combinations set to:
[!] XSS: |
[!] XSS: |----> Null character termination (Format::NULL [4]) and append to default value (Format::APPEND [2]). [Combo mask: 6]
[!] XSS:
[!] XSS: Prepared combinations:
[!] XSS: |
[!] XSS: |
[!] XSS: |--> Auditing: __original_values__
[!] XSS: |--> Combo:
[!] XSS: |------> ["xss", ""]
[!] XSS: |
[!] XSS: |--> Auditing: __sample_values__
[!] XSS: |--> Combo:
[!] XSS: |------> ["xss", "1"]
[!] XSS: |
[!] XSS: |--> Auditing: xss
[!] XSS: |--> Combo:
[!] XSS: |------> ["xss", "1<arachni_xss_5e2e830ed4f831cb30df6df05151022b94cd27991b459ae8c3b349e2bbd2dad1\x00"]
[!] XSS:
[!] XSS: ------------
[!] XSS:
[!] XSS: Current audit ID: XSS:http://localhost/~zapotek/tests/forms/xss.php:form:["xss"]=__original_values__
[!] XSS: Submitting form with original values; overriding trainer option.
[!] XSS: Trainer set to: ON
[!] ------------
[!] Queued request.
[!] ID#: 0
[!] URL: http://localhost/~zapotek/tests/forms/xss.php
[!] Method: post
[!] Params: {"xss"=>""}
[!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
[!] Train?: true
[!] ------------
[!] XSS: Current audit ID: XSS:http://localhost/~zapotek/tests/forms/xss.php:form:["xss"]=__sample_values__
[!] XSS: Submitting form with sample values; overriding trainer option.
[!] XSS: Trainer set to: ON
[!] ------------
[!] Queued request.
[!] ID#: 1
[!] URL: http://localhost/~zapotek/tests/forms/xss.php
[!] Method: post
[!] Params: {"xss"=>"1"}
[!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
[!] Train?: true
[!] ------------
[!] ------------
[!] Queued request.
[!] ID#: 2
[!] URL: http://localhost/~zapotek/tests/forms/xss.php
[!] Method: post
[!] Params: {"xss"=>"1<arachni_xss_5e2e830ed4f831cb30df6df05151022b94cd27991b459ae8c3b349e2bbd2dad1\x00"}
[!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
[!] Train?: false
[!] ------------
[!] ------------
[!] Got response.
[!] Request ID#: 2
[!] URL: http://localhost/~zapotek/tests/forms/xss.php
[!] Method: post
[!] Params: {"xss"=>"1<arachni_xss_5e2e830ed4f831cb30df6df05151022b94cd27991b459ae8c3b349e2bbd2dad1\x00"}
[!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
[!] Train?: false
[!] ------------
[!] XSS: Request ID: 2
[!] ------------
[!] Got response.
[!] Request ID#: 0
[!] URL: http://localhost/~zapotek/tests/forms/xss.php
[!] Method: post
[!] Params: {"xss"=>""}
[!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
[!] Train?: true
[!] ------------
[!] Trainer: Started for response with request ID: #0
[!] Trainer: Page hasn't changed, skipping...
[!] ------------
[!] Got response.
[!] Request ID#: 1
[!] URL: http://localhost/~zapotek/tests/forms/xss.php
[!] Method: post
[!] Params: {"xss"=>"1"}
[!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
[!] Train?: true
[!] ------------
[!] Trainer: Started for response with request ID: #1
[!] Trainer: Training complete.
```
<h3 id='only-positives'><a href='#only-positives'>Only positives (--only-positives)</a></h3>
*Expects*: <n/a>
*Default*: disabled
*Multiple invocations?*: no
This will suppress all messages except for positive matches -- vulnerabilities.
<h3 id='http-req-limit'><a href='#http-req-limit'>HTTP request limit (--http-req-limit)</a></h3>
*Expects*: integer
*Default*: 60
*Multiple invocations?*: no
Limits how many concurrent HTTP requests are sent.
*Note*: If your scan seems unresponsive try lowering the limit.
*Warning*: Given enough bandwidth and a high limit it could cause a DoS.
Be careful when setting this option too high, don't kill your server.
<h3 id='http-timeout'><a href='#http-timeout'>HTTP timeout (--http-timeout)</a></h3>
*Expects*: integer (milliseconds)
*Default*: 50000
*Multiple invocations?*: no
Limit how long the HTTP client should wait for a response from the server.
<h3 id='https-only'><a href='#https-only'>HTTPS only (--https-only)</a></h3>
*Expects*: <n/a>
*Default*: disabled
*Multiple invocations?*: no
Forces the system to only follow HTTPS URLs.
_(Target URL must be an HTTPS one as well.)_
<h3 id='cookie-jar'><a href='#cookie-jar'>Cookie jar (--cookie-jar)</a></h3>
*Expects*: cookiejar file
*Default*: disabled
*Multiple invocations?*: no
Arachni allows you to pass your own cookies in the form of a Netscape cookie-jar file.
If you want to audit restricted parts of a website that are accessible only to logged in users you should pass the session cookies to Arachni.
There are a number of ways to do that; I've found that Firebug's export cookie feature works best.
You should also take a look at the _--exclude-cookie_ option discussed later.
*Note*: If you don't feel comfortable setting your own cookie-jar you can use the Proxy or AutoLogin plugin to login to the web application.
<h3 id='cookie-string'><a href='#cookie-string'>Cookie string (--cookie-string)</a></h3>
*Expects*: string
*Default*: disabled
*Multiple invocations?*: no
Cookies, as a string, to be sent to the web application.
<h4 id='cookie-string_example'><a href='#cookie-string_example'>Example</a></h4>
```
--cookie-string='userid=19;sessionid=deadbeefbabe'
```
<h3 id='user-agent'><a href='#user-agent'>User agent (--user-agent)</a></h3>
*Expects*: string
*Default*: "Arachni/<version>"
*Multiple invocations?*: no
You can pass your own user agent string which will be sent to the webserver under audit.
Default is `Arachni/<version>`.
<h3 id='custom-header'><a href='#custom-header'>Custom header (--custom-header)</a></h3>
*Expects*: string
*Default*: disabled
*Multiple invocations?*: yes
Allows you to specify custom headers in the form of key-value pairs.
<h4 id='custom-header_example'><a href='#custom-header_example'>Example</a></h4>
```
--custom-header='field_name=field value'
```
<h3 id='authed-by'><a href='#authed-by'>Authorized by (--authed-by)</a></h3>
*Expects*: string
*Default*: disabled
*Multiple invocations?*: no
The string passed to this option will be included in the user-agent string and will be the value of the "From" HTTP header field.
The _--authed-by_ value should identify the person who authorized the scan, i.e. their name and e-mail address.
<h4 id='authed-by_example'><a href='#authed-by_example'>Example</a></h4>
```
--authed-by='John Doe <jdoe@test.com>'
```
<h3 id='login-check-url'><a href='#login-check-url'>Login check URL (--login-check-url)</a></h3>
*Expects*: string
*Default*: disabled
*Multiple invocations?*: no
*Requires*: [login-check-pattern](#login-check-pattern)
The URL passed to this option will be used to verify that the scanner is still
logged in to the web application.
If the HTTP response body of this URL matches the [login-check-pattern](#login-check-pattern),
the scanner is considered to be logged in.
<h3 id='login-check-pattern'><a href='#login-check-pattern'>Login check pattern (--login-check-pattern)</a></h3>
*Expects*: string
*Default*: disabled
*Multiple invocations?*: no
*Requires*: [login-check-url](#login-check-url)
A pattern used against the body of the [login-check-url](#login-check-url) to
verify that the scanner is still logged in to the web application.
A positive match should indicate that the scanner is logged in.
<h2 id='profiles'><a href='#profiles'>Profiles</a></h2>
<h3 id='save-profile'><a href='#save-profile'>Save profile (--save-profile)</a></h3>
*Expects*: filename
*Default*: disabled
*Multiple invocations?*: no
This option allows you to save your current running configuration, all the options passed to Arachni, to an Arachni Framework Profile (.afp) file.
<h4 id='save-profile_example'><a href='#save-profile_example'>Example</a></h4>
```
$ arachni -pv --modules=xss http://site.com/ --save-profile=myprofile
```
<h3 id='load-profile'><a href='#load-profile'>Load profile (--load-profile)</a></h3>
*Expects*: Arachni Framework Profile (.afp) file
*Default*: disabled
*Multiple invocations?*: yes
This option allows you to load and run a saved profile.
The load profile option does not restrict your ability to specify more options or even resave the profile.
<h4 id='load-profile_example'><a href='#load-profile_example'>Example</a></h4>
```
$ arachni --load-profile=myprofile.afp
```
<h3 id='show-profile'><a href='#show-profile'>Show profile (--show-profile)</a></h3>
*Expects*: <n/a>
*Default*: disabled
*Multiple invocations?*: no
This option will output the running configuration as a string of command line arguments.
<h4 id='show-profile_example'><a href='#show-profile_example'>Example</a></h4>
```
$ arachni --show-profile --load-profile=myprofile.afp
```
<h2 id='crawler'><a href='#crawler'>Crawler</a></h2>
<h3 id='exclude'><a href='#exclude'>Exclude (--exclude/-e)</a></h3>
*Expects*: regexp
*Default*: disabled
*Multiple invocations?*: yes
The _--exclude_ option expects a regular expression or plain string and excludes URLs matching that expression from the crawling process.
<h4 id='exclude_example'><a href='#exclude_example'>Example</a></h4>
In this simple example we tell Arachni to exclude all URLs that match the string "testfire".
Since that also matches the target URL itself, nothing is crawled or audited and no further action is taken.
```
$ arachni http://testfire.net --modules=xss --exclude=testfire
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.
[*] Initialising...
[*] Waiting for plugins to settle...
[*] Resolver: Resolving hostnames...
[*] Resolver: Done!
[*] Dumping audit results in '2012-09-09 02.38.18 +0300.afr'.
[*] Done!
[+] Web Application Security Report - Arachni Framework
[~] Report generated on: 2012-09-09 02:38:18 +0300
[~] Report false positives at: http://github.com/Arachni/arachni/issues
[+] System settings:
[~] ---------------
[~] Version: 0.4.1dev
[~] Revision: 0.2.7
[~] Audit started on: Sun Sep 9 02:38:15 2012
[~] Audit finished on: Sun Sep 9 02:38:16 2012
[~] Runtime: 00:00:01
[~] URL: http://testfire.net/
[~] User agent: Arachni/v0.4.2
[*] Audited elements:
[~] * Links
[~] * Forms
[~] * Cookies
[*] Modules: xss
[*] Filters:
[~] Exclude:
[~] (?-mix:testfire)
[~] =
[+] 0 issues were detected.
[+] Plugin data:
[~] ---------------
[~] 0.0% [=> ] 100%
[~] Est. remaining time: --:--:--
[~] Crawling, discovered 0 pages and counting.
[~] Sent 0 requests.
[~] Received and analyzed 0 responses.
[~] In 00:00:01
[~] Average: 0 requests/second.
[~] Burst response time total 0
[~] Burst response count total 0
[~] Burst average response time 0
[~] Burst average 0 requests/second
[~] Timed-out requests 0
[~] Original max concurrency 20
[~] Throttled max concurrency 20
```
<h3 id='exclude-page'><a href='#exclude-page'>Exclude page by content (--exclude-page)</a></h3>
*Expects*: regexp
*Default*: disabled
*Multiple invocations?*: yes
The _--exclude-page_ option expects a regular expression or plain string
and excludes pages whose content matches that expression from the crawl process.
<h3 id='include'><a href='#include'>Include (--include/-i)</a></h3>
*Expects*: regexp
*Default*: '.*'
*Multiple invocations?*: yes
This is the exact opposite of the _--exclude_ option.
When a regular expression is passed to the _--include_ option, *only* URLs matching that regular expression will be crawled.
<h3 id='redundant'><a href='#redundant'>Redundant (--redundant)</a></h3>
*Expects*: regexp:integer
*Default*: disabled
*Multiple invocations?*: yes
The redundant option expects a regular expression and a counter, like so:
```
--redundant='calendar.php':3
```
This will cause URLs that contain "calendar.php" to be crawled only 3 times.
This option is useful when auditing a website that has a lot of redundant pages like a photo gallery or a dynamically generated calendar.
<h3 id='auto-redundant'><a href='#auto-redundant'>Auto-redundant (--auto-redundant)</a></h3>
*Expects*: integer
*Default*: disabled (with a value of 10 if none has been specified)
*Multiple invocations?*: no
The auto-redundant option sets the limit of how many URLs with identical parameters
should be followed.
This can prevent infinite loops caused by pages like photo galleries or catalogues.
<h4 id='auto-redundant_example'><a href='#auto-redundant_example'>Example</a></h4>
With `--auto-redundant=2` and given the following list of URLs:
```
http://test.com/?stuff=1
http://test.com/?stuff=2
http://test.com/?stuff=other-stuff
http://test.com/?stuff=blah
http://test.com/?stuff=blah&stuff2=1
http://test.com/?stuff=blah&stuff2=2
http://test.com/?stuff=blah2&stuff2=bloo
http://test.com/path.php?stuff=blah&stuff2=1
```
Only the following will be followed:
```
http://test.com/?stuff=1
http://test.com/?stuff=2
http://test.com/?stuff=blah&stuff2=1
http://test.com/?stuff=blah&stuff2=2
http://test.com/path.php?stuff=blah&stuff2=1
```
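To make the two redundancy rules concrete, here is an added Ruby example (not Arachni's own code) that applies `--redundant` pattern counters and the `--auto-redundant` limit to a URL list; the guide's URL list above is used as-is, and the `calendar.php` URLs are constructed to illustrate the `--redundant='calendar.php':3` case from the previous section.

```ruby
require 'uri'

# Added example, not Arachni's own code: a crawl filter implementing the two
# redundancy rules described in the guide.
#   --redundant='calendar.php':3  -> follow URLs matching the pattern at most 3 times
#   --auto-redundant=2            -> follow at most 2 URLs that share a path and
#                                    the same set of parameter names

# URL list taken from the guide's --auto-redundant example.
GUIDE_URLS = %w[
  http://test.com/?stuff=1
  http://test.com/?stuff=2
  http://test.com/?stuff=other-stuff
  http://test.com/?stuff=blah
  http://test.com/?stuff=blah&stuff2=1
  http://test.com/?stuff=blah&stuff2=2
  http://test.com/?stuff=blah2&stuff2=bloo
  http://test.com/path.php?stuff=blah&stuff2=1
].freeze

# Constructed URLs for the --redundant case (a dynamically generated calendar).
CALENDAR_URLS = %w[
  http://test.com/calendar.php?month=1
  http://test.com/calendar.php?month=2
  http://test.com/calendar.php?month=3
  http://test.com/calendar.php?month=4
  http://test.com/about.php
].freeze

# Parses the "<pattern>:<count>" form of --redundant into [Regexp, Integer].
# The pattern is split off at the last colon so patterns containing ":" work.
def parse_redundant(spec)
  pattern, _, count = spec.rpartition(':')
  if pattern.empty? || count !~ /\A\d+\z/
    raise ArgumentError, "expected <regexp>:<integer>, got #{spec.inspect}"
  end
  [Regexp.new(pattern), Integer(count)]
end

# Identity of a URL for --auto-redundant: host, path and the sorted parameter
# names. Parameter values are ignored, which is what makes two URLs "identical".
def auto_redundant_key(url)
  uri   = URI.parse(url)
  names = uri.query ? URI.decode_www_form(uri.query).map(&:first).uniq.sort : []
  [uri.host, uri.path, names]
end

# Returns the URLs the crawler would follow, in order.
#   redundant:      { Regexp => Integer } counters from --redundant
#   auto_redundant: Integer limit from --auto-redundant, or nil when disabled
def filter_redundant(urls, redundant: {}, auto_redundant: nil)
  seen_pattern = Hash.new(0)
  seen_key     = Hash.new(0)

  urls.select do |url|
    rule = redundant.find { |re, _| re.match?(url) }   # first matching --redundant rule
    key  = auto_redundant ? auto_redundant_key(url) : nil

    over_pattern = rule && seen_pattern[rule[0]] >= rule[1]
    over_auto    = key && seen_key[key] >= auto_redundant
    next false if over_pattern || over_auto

    seen_pattern[rule[0]] += 1 if rule
    seen_key[key] += 1 if key
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  puts '--auto-redundant=2:'
  filter_redundant(GUIDE_URLS, auto_redundant: 2).each { |u| puts "  #{u}" }

  re, limit = parse_redundant('calendar.php:3')
  puts "--redundant='calendar.php':3:"
  filter_redundant(CALENDAR_URLS, redundant: { re => limit }).each { |u| puts "  #{u}" }
end
```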
<h3 id='follow-subdomains'><a href='#follow-subdomains'>Follow subdomains (-f/--follow-subdomains)</a></h3>
*Expects*: <n/a>
*Default*: disabled
*Multiple invocations?*: no
This flag will cause Arachni to follow links to subdomains.
<h3 id='depth'><a href='#depth'>Depth limit (--depth)</a></h3>
*Expects*: integer
*Default*: infinite
*Multiple invocations?*: no
It specifies how deep into the site structure the crawler should go.
<h3 id='link-count'><a href='#link-count'>Link count limit (--link-count)</a></h3>
*Expects*: integer
*Default*: infinite
*Multiple invocations?*: no
It specifies how many links the crawler should follow.
<h3 id='redirect-limit'><a href='#redirect-limit'>Redirect limit (--redirect-limit)</a></h3>
*Expects*: integer
*Default*: infinite
*Multiple invocations?*: no
It specifies how many redirects the crawler should follow.
<h3 id='extend-paths'><a href='#extend-paths'>Extend paths (--extend-paths)</a></h3>
*Expects*: file
*Default*: disabled
*Multiple invocations?*: yes
Allows you to extend the scope of the audit by supplementing the paths discovered by the crawler with the paths in the file.
The file must contain one path per line.
<h3 id='restrict-paths'><a href='#restrict-paths'>Restrict paths (--restrict-paths)</a></h3>
*Expects*: file
*Default*: disabled
*Multiple invocations?*: yes
Uses the paths contained in file instead of performing a crawl.
<h2 id='auditor'><a href='#auditor'>Auditor</a></h2>
<h3 id='audit-links'><a href='#audit-links'>Audit links (--audit-links/-g)</a></h3>
*Expects*: <n/a>
*Default*: disabled
*Multiple invocations?*: no
Tells Arachni to audit the link elements of the page and their variables.
<h3 id='audit-forms'><a href='#audit-forms'>Audit forms (--audit-forms/-p)</a></h3>
*Expects*: <n/a>
*Default*: disabled
*Multiple invocations?*: no
Tells Arachni to audit the form elements of the page and their inputs.
<h3 id='audit-cookies'><a href='#audit-cookies'>Audit cookies (--audit-cookies/-c)</a></h3>
*Expects*: <n/a>
*Default*: disabled
*Multiple invocations?*: no
Tells Arachni to audit the cookies of the page.
<h3 id='exclude-cookie'><a href='#exclude-cookie'>Exclude cookie (--exclude-cookie)</a></h3>
*Expects*: cookie name
*Default*: disabled
*Multiple invocations?*: yes
Tells Arachni to exclude -- not audit -- a cookie by name.
Usually used to avoid auditing a session ID cookie from the cookie-jar.
*Note*: Even if you audit a session cookie Arachni will restore it to its original value right after auditing it.
However, some extra cautious websites may invalidate/block the session upon receiving an invalid token.
This is very unlikely but it's better to err on the side of caution.
<h3 id='exclude-vector'><a href='#exclude-vector'>Exclude vector (--exclude-vector)</a></h3>
*Expects*: input name
*Default*: disabled
*Multiple invocations?*: yes
Tells Arachni to exclude -- not audit -- an input vector by name.
<h3 id='audit-headers'><a href='#audit-headers'>Audit headers (--audit-headers)</a></h3>
*Expects*: <n/a>
*Default*: disabled
*Multiple invocations?*: no
Tells Arachni to audit the HTTP headers of the page.
*Note*: Header audits use brute force. Almost all valid HTTP request headers will be audited even if there's no indication that the web app uses them.
*Warning*: Enabling this option will result in increased requests, maybe by an order of magnitude.
<h2 id='coverage'><a href='#coverage'>Coverage</a></h2>
<h3 id='audit-cookies-extensively'><a href='#audit-cookies-extensively'>Audit cookies extensively (--audit-cookies-extensively)</a></h3>
*Expects*: <n/a>
*Default*: disabled
*Multiple invocations?*: no
If enabled Arachni will submit all links and forms of the page along with the cookie permutations.
*Warning*: Will severely increase the scan-time.
<h3 id='fuzz-methods'><a href='#fuzz-methods'>Fuzz methods (--fuzz-methods)</a></h3>
*Expects*: <n/a>
*Default*: disabled
*Multiple invocations?*: no
If enabled Arachni will submit all links and forms using both the _GET_ and _POST_
HTTP request methods.
*Warning*: Will severely increase the scan-time.
<h3 id='exclude-binaries'><a href='#exclude-binaries'>Exclude binaries (--exclude-binaries)</a></h3>
*Expects*: <n/a>
*Default*: disabled
*Multiple invocations?*: no
Disables inclusion of binary HTTP response bodies in the audit.
*Note*: Binary content can confuse recon modules that perform pattern matching.
<h2 id='modules'><a href='#modules'>Modules</a></h2>
<h3 id='lsmod'><a href='#lsmod'>List modules (--lsmod)</a></h3>
*Expects*: regular expression
*Default*: disabled OR .*
*Multiple invocations?*: yes
Tells Arachni to list all available modules based on the regular expressions provided and exit.
<h4 id='lsmod_example'><a href='#lsmod_example'>Example</a></h4>
```
$ arachni --lsmod
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[~] No modules were specified.
[~] -> Will run all mods.
[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.
[~] Available modules:
[*] code_injection:
--------------------
Name: Code injection
Description: It tries to inject code snippets into the
web application and assess whether or not the injection
was successful.
Elements: form, link, cookie, header
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.6
References:
[~] PHP http://php.net/manual/en/function.eval.php
[~] Perl http://perldoc.perl.org/functions/eval.html
[~] Python http://docs.python.org/py3k/library/functions.html#eval
[~] ASP http://www.aspdev.org/asp/asp-eval-execute/
[~] Ruby http://en.wikipedia.org/wiki/Eval#Ruby
Targets:
[~] PHP
[~] Perl
[~] Python
[~] ASP
[~] Ruby
Metasploitable: unix/webapp/arachni_php_eval
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/code_injection.rb
[*] path_traversal:
--------------------
Name: PathTraversal
Description: It injects paths of common files (/etc/passwd and boot.ini)
and evaluates the existence of a path traversal vulnerability
based on the presence of relevant content in the HTML responses.
Elements: form, link, cookie, header
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.2.6
References:
[~] OWASP http://www.owasp.org/index.php/Path_Traversal
[~] WASC http://projects.webappsec.org/Path-Traversal
Targets:
[~] Unix
[~] Windows
[~] Tomcat
Metasploitable: unix/webapp/arachni_path_traversal
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/path_traversal.rb
[*] sqli_blind_rdiff:
--------------------
Name: Blind (rDiff) SQL Injection
Description: It uses rDiff analysis to decide how different inputs affect
the behavior of the web pages.
Using that as a basis it extrapolates about what inputs are vulnerable to blind SQL injection.
(Note: This module may get confused by certain types of XSS vulnerabilities.
If this module returns a positive result you should investigate nonetheless.)
Elements: link, form, cookie
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.3.2
References:
[~] OWASP http://www.owasp.org/index.php/Blind_SQL_Injection
[~] MITRE - CAPEC http://capec.mitre.org/data/definitions/7.html
Targets:
[~] Generic
Metasploitable: unix/webapp/arachni_sqlmap
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/sqli_blind_rdiff.rb
Hit <space> <enter> to continue, any other key to exit.
```
You can filter the module listing like so:
```
$ arachni --lsmod=xss --lsmod=path
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[~] No modules were specified.
[~] -> Will run all mods.
[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.
[~] Available modules:
[*] xss_path:
--------------------
Name: XSSPath
Description: Cross-Site Scripting module for path injection
Elements: path
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.8
References:
[~] ha.ckers http://ha.ckers.org/xss.html
[~] Secunia http://secunia.com/advisories/9716/
Targets:
[~] Generic
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/xss_path.rb
```
<h3 id='modules'><a href='#modules'>Modules (--modules/-m)</a></h3>
*Expects*: modname,modname,... OR '*'
*Default*: '*' -- all modules
*Multiple invocations?*: no
Tells Arachni which modules to load.
Modules are referenced by their filename without the '.rb' extension; use '--lsmod' to see all.
You can specify the modules to load as comma separated values (without spaces) or '*' to load all modules.
You can prevent modules from loading by prefixing their name with a dash (-).
<h4 id='mods_example'><a href='#mods_example'>Example</a></h4>
As CSV:
```
$ arachni --modules=xss,sqli,path_traversal http://localhost/
```
All modules:
```
$ arachni http://localhost/
```
Excluding modules:
```
$ arachni --modules=*,-backup_files,-xss http://www.test.com
```
The above will load all modules except for the 'backup_files' and 'xss' modules.
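The selection rules above, as an added example in Ruby (the language Arachni itself is written in). This is not Arachni's own parser; the module list is a constructed subset of the '--lsmod' output, and treating a value made only of exclusions as '*' plus those exclusions is an assumption of the example.

```ruby
# Added example, not Arachni's own code: expands a --modules value into the list
# of modules to load using the rules documented above (comma-separated names,
# '*' for all, a leading '-' to exclude). AVAILABLE_MODULES is a constructed
# subset of what --lsmod prints; in practice it would come from that listing.
AVAILABLE_MODULES = %w[
  xss xss_path sqli sqli_blind_rdiff path_traversal code_injection backup_files
].freeze

# Returns the sorted module names to load. Unknown names raise, so a typo fails
# fast instead of silently running fewer checks than intended. A spec made only
# of exclusions is treated as '*' plus those exclusions (an assumption of this
# example; verify against the CLI before relying on it).
def select_modules(spec, available = AVAILABLE_MODULES)
  spec = '*' if spec.nil? || spec.strip.empty? # default: all modules
  wanted, unwanted = [], []
  spec.split(',').map(&:strip).reject(&:empty?).each do |token|
    if token.start_with?('-')
      unwanted << token[1..-1]
    else
      wanted << token
    end
  end
  wanted = ['*'] if wanted.empty?
  selected = wanted.include?('*') ? available.dup : wanted
  unknown = (selected + unwanted) - available
  raise ArgumentError, "unknown module(s): #{unknown.join(', ')}" unless unknown.empty?
  (selected - unwanted).uniq.sort
end
```

Failing on unknown names is the behaviour worth copying in any wrapper script: a misspelled module name that is silently ignored leaves a hole in the scan that nobody notices until the report is read.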
<h2 id='reports'><a href='#reports'>Reports</a></h2>
<h3 id='lsrep'><a href='#lsrep'>List reports (--lsrep)</a></h3>
*Expects*: <n/a>
*Default*: disabled
*Multiple invocations?*: no
Lists all available reports.
<h4 id='lsrep_example'><a href='#lsrep_example'>Example</a></h4>
```
$ arachni --lsrep
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[~] No modules were specified.
[~] -> Will run all mods.
[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.
[~] Available reports:
[*] yaml:
--------------------
Name: YAML Report
Description: Exports the audit results as a YAML file.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.yaml
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/yaml.rb
[*] txt:
--------------------
Name: Text report
Description: Exports a report as a plain text file.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.txt
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.2.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/txt.rb
[*] xml:
--------------------
Name: XML report
Description: Exports a report as an XML file.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.xml
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.2.2
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/xml.rb
[*] metareport:
--------------------
Name: Metareport
Description: Creates a file to be used with the Arachni MSF plug-in.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.msf
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/metareport.rb
[*] afr:
--------------------
Name: Arachni Framework Report
Description: Saves the file in the default Arachni Framework Report (.afr) format.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.afr
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/afr.rb
[*] html:
--------------------
Name: HTML Report
Description: Exports a report as an HTML document.
Options:
[~] tpl - Template to use.
[~] Type: path
[~] Default: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/html/default.erb
[~] Required?: false
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.html
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.3.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/html.rb
[*] ap:
--------------------
Name: AP
Description: Awesome prints an AuditStore hash.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/ap.rb
[*] marshal:
--------------------
Name: Marshal Report
Description: Exports the audit results as a Marshal file.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.marshal
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/marshal.rb
[*] json:
--------------------
Name: JSON Report
Description: Exports the audit results as a JSON file.
Options:
[~] outfile - Where to save the report.
[~] Type: string
[~] Default: 2012-09-09 02.41.03 +0300.json
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/json.rb
[*] stdout:
--------------------
Name: Stdout
Description: Prints the results to standard output.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.2.2
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/stdout.rb
```
<h3 id='repload'><a href='#repload'>Load a report (--repload)</a></h3>
*Expects*: Arachni Framework Report (.afr) file
*Default*: disabled
*Multiple invocations?*: no
Tells Arachni to load an Arachni Framework Report (.afr) file.
You can use this option to load a report file and convert it to another format.
<h4 id='repload_example'><a href='#repload_example'>Example</a></h4>
Load an AFR report file and send it to the "stdout" report.
```
$ arachni --repload=2012-09-09\ 02.42.20\ +0300.afr
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[+] Web Application Security Report - Arachni Framework
[~] Report generated on: 2012-09-09 02:42:54 +0300
[~] Report false positives at: http://github.com/Arachni/arachni/issues
[+] System settings:
[~] ---------------
[~] Version: 0.4.1dev
[~] Revision: 0.2.7
[~] Audit started on: Sun Sep 9 02:42:15 2012
[~] Audit finished on: Sun Sep 9 02:42:18 2012
[~] Runtime: 00:00:03
[~] URL: http://testfire.net/
[~] User agent: Arachni/v0.4.2
[*] Audited elements:
[~] * Forms
[*] Modules: xss
[*] Cookies:
[~] ASP.NET_SessionId = zdjkcj2t3qdmmw555alngpbm
[~] amSessionId = 203429333847
[~] =
[+] 1 issues were detected.
[+] [1] Cross-Site Scripting (XSS)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] ID Hash: 106295fcfffa8fea3664f8fb27defe5b81f3dfba2b54c5c7f2bcb63b36246359
[~] Severity: High
[~] URL: http://testfire.net/search.aspx
[~] Element: form
[~] Method: GET
[~] Tags: xss, regexp, injection, script
[~] Variable: txtSearch
[~] Description:
[~] Client-side code (like JavaScript) can
be injected into the web application which is then returned to the user's browser.
This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.
[~] CWE: http://cwe.mitre.org/data/definitions/79.html
[~] Requires manual verification?: false
[~] References:
[~] ha.ckers - http://ha.ckers.org/xss.html
[~] Secunia - http://secunia.com/advisories/9716/
[*] Variations
[~] ----------
[~] Variation 1:
[~] URL: http://testfire.net/search.aspx
[~] Injected value: <some_dangerous_input_851ed9aefabd36fc0ad7d0611c23e1ae561b7caaa28b42ef305a109c9f1cb639/>
[~] Regular expression:
[~] Matched string: <some_dangerous_input_851ed9aefabd36fc0ad7d0611c23e1ae561b7caaa28b42ef305a109c9f1cb639/>
[+] Plugin data:
[~] ---------------
[*] Resolver
[~] ~~~~~~~~~~~~~~
[~] Description: Resolves vulnerable hostnames to IP addresses.
[~] testfire.net: 65.61.137.117
[*] Health map
[~] ~~~~~~~~~~~~~~
[~] Description: Generates a simple list of safe/unsafe URLs.
[~] Legend:
[+] No issues
[-] Has issues
[+] http://testfire.net/
[-] http://testfire.net/search.aspx
[~] Total: 2
[+] Without issues: 1
[-] With issues: 1 ( 50% )
[*] Profiler
[~] ~~~~~~~~~~~~~~
[~] Description: Examines the behavior of the web application gathering general statistics
and performs taint analysis to determine which inputs affect the output.
It does not perform any vulnerability assessment nor does it send attack payloads.
[~] Inputs affecting output:
[+] Form using the 'txtSearch' input at 'http://testfire.net/' pointing to 'http://testfire.net/search.aspx' using 'GET'.
[~] It was submitted using the following parameters:
[~] * txtSearch = arachni_text023849c38925e2af028a2eb4e1dc41afd7dc7a238195c1c2ae00438d1dae00e1
[~]
[~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_text023849c38925e2af028a2eb4e1dc41afd7dc7a238195c1c2ae00438d1dae00e1':
[~] * Body
```
Load an AFR file and create an HTML report from it.
```
$ arachni --repload=2012-09-09\ 02.42.20\ +0300.afr --report=html
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[*] Creating HTML report...
[*] Saved in '2012-09-09 02.43.42 +0300.html'.
```
<h3 id='report'><a href='#report'>Report (--report)</a></h3>
*Expects*: repname
*Default*: stdout
*Multiple invocations?*: yes
Tells Arachni which report component to use.
Reports are referenced by their filename without the '.rb' extension; use '--lsrep' to see all.
Report options are passed after the report name as 'repname:option=value,option=value'.
<h4 id='report_example'><a href='#report_example'>Example</a></h4>
Running the HTML report with an outfile option:
```
$ arachni http://testfire.net --link-count=1 --modules=xss --report=html:outfile=my_html_report.html
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.
[*] Initialising...
[*] Waiting for plugins to settle...
[*] [HTTP: 200] http://testfire.net/
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] Auditing: [HTTP: 200] http://testfire.net/
[*] Profiler: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] Profiler: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] Profiler: Analyzing response #3...
[*] Profiler: Analyzing response #4...
[~] Trainer: Found 1 new links.
[*] Profiler: Analyzing response #5...
[*] Profiler: Analyzing response #6...
[*] XSS: Analyzing response #9...
[*] XSS: Analyzing response #10...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] XSS: Analyzing response #13...
[*] XSS: Analyzing response #14...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] XSS: Analyzing response #17...
[*] XSS: Analyzing response #18...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] Profiler: Analyzing response #8...
[*] Profiler: Analyzing response #7...
[*] XSS: Analyzing response #12...
[*] XSS: Analyzing response #11...
[*] XSS: Analyzing response #15...
[*] XSS: Analyzing response #16...
[*] XSS: Analyzing response #19...
[*] XSS: Analyzing response #20...
[*] Resolver: Resolving hostnames...
[*] Resolver: Done!
[*] Dumping audit results in '2012-09-09 02.45.19 +0300.afr'.
[*] Done!
[*] Creating HTML report...
[*] Saved in 'my_html_report.html'.
[~] 100.0% [>] 100%
[~] Est. remaining time: --:--:--
[~] Crawler has discovered 2 pages.
[~] Audit limited to a max of 1 pages -- excluding 1 pages of Trainer feedback.
[~] Sent 25 requests.
[~] Received and analyzed 25 responses.
[~] In 00:00:04
[~] Average: 6 requests/second.
[~] Currently auditing http://testfire.net/search.aspx?txtSearch=
[~] Burst response time total 0
[~] Burst response count total 0
[~] Burst average response time 0
[~] Burst average 0 requests/second
[~] Timed-out requests 0
[~] Original max concurrency 20
[~] Throttled max concurrency 20
```
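The 'repname:option=value' form used above (and by '--plugin' later in this guide) is simple to parse, and a wrapper script that builds such arguments should validate them before launching a scan. The following Ruby example is added here and is not Arachni's own code; it assumes the component name ends at the first ':', options are separated by ',' and each option splits at its first '=', so values may contain ':' and '=' (as the autologin url and params do) but, under these assumptions, not ','. The required-option table is a constructed subset of what '--lsrep' and '--lsplug' print as 'Required?: true'. Remember that the shell removes the quotes around values such as 'Sign Off|MY ACCOUNT' before Arachni sees them.

```ruby
# Added example, not Arachni's own code: parses the component argument form
# NAME or NAME:opt=val,opt=val used by --report and --plugin in this guide.
# Assumptions: the name ends at the first ':', options are separated by ','
# and each option splits at its first '='.
def parse_component(arg)
  name, rest = arg.to_s.split(':', 2)
  raise ArgumentError, 'empty component name' if name.nil? || name.empty?
  opts = {}
  (rest || '').split(',').each do |pair|
    next if pair.strip.empty?
    key, value = pair.split('=', 2)
    raise ArgumentError, "option '#{key}' has no value" if value.nil?
    opts[key.strip] = value
  end
  [name, opts]
end

# Required options per component, in the shape --lsrep/--lsplug print them
# (constructed subset for this example).
REQUIRED_OPTIONS = {
  'html'      => [],
  'stdout'    => [],
  'autologin' => %w[url params check]
}.freeze

# Rejects unknown components and missing required options before a scan starts.
def validate_component(name, opts, required = REQUIRED_OPTIONS)
  declared = required.fetch(name) { raise ArgumentError, "unknown component '#{name}'" }
  missing = declared - opts.keys
  raise ArgumentError, "#{name}: missing required option(s) #{missing.join(', ')}" unless missing.empty?
  true
end
```

Validating up front matters most for plugins such as autologin: a missing 'check' option would otherwise only surface after the scan has already started crawling unauthenticated.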
<h2 id='plugins'><a href='#plugins'>Plugins</a></h2>
<h3 id='lsplug'><a href='#lsplug'>List plugins (--lsplug)</a></h3>
*Expects*: <n/a>
*Default*: disabled
*Multiple invocations?*: no
Lists all available plugins.
<h4 id='lsplug_example'><a href='#lsplug_example'>Example</a></h4>
```
$ arachni --lsplug
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[~] No modules were specified.
[~] -> Will run all mods.
[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.
[~] Available plugins:
[*] resolver:
--------------------
Name: Resolver
Description: Resolves vulnerable hostnames to IP addresses.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/workspace/arachni/plugins/defaults/resolver.rb
[*] healthmap:
--------------------
Name: Health map
Description: Generates a simple list of safe/unsafe URLs.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.3
Path: /home/zapotek/workspace/arachni/plugins/defaults/healthmap.rb
[*] profiler:
--------------------
Name: Profiler
Description: Examines the behavior of the web application gathering general statistics
and performs taint analysis to determine which inputs affect the output.
It does not perform any vulnerability assessment nor does it send attack payloads.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.5
Path: /home/zapotek/workspace/arachni/plugins/defaults/profiler.rb
[*] uniformity:
--------------------
Name: Uniformity (Lack of central sanitization)
Description: Analyzes the scan results and logs issues which persist across different pages.
This is usually a sign for a lack of a central/single point of input sanitization,
a bad coding practise.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/uniformity.rb
[*] manual_verification:
--------------------
Name: Issues requiring manual verification
Description: The HTTP responses of the issues logged by this plugin exhibit a suspicious pattern
even before any audit action has taken place -- this challenges the relevance of the audit procedure.
Thus, these issues require manual verification.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/manual_verification.rb
[*] timing_attacks:
--------------------
Name: Timing attack anomalies
Description: Analyzes the scan results and logs issues that used timing attacks
while the affected web pages demonstrated an unusually high response time.
A situation which renders the logged issues inconclusive or (possibly) false positives.
Pages with high response times usually include heavy-duty processing
which makes them prime targets for Denial-of-Service attacks.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.4
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/timing_attacks.rb
[*] discovery:
--------------------
Name: Discovery module response anomalies
Description: Analyzes the scan results and identifies issues logged by discovery modules
(i.e. modules that look for certain files and folders on the server),
while the server responses were exhibiting an anomalous factor of similarity.
There's a good chance that these issues are false positives.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/discovery.rb
[*] autothrottle:
--------------------
Name: AutoThrottle
Description: Monitors HTTP response times and automatically
throttles the request concurrency in order to maintain stability
and avoid from killing the server.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.3
Path: /home/zapotek/workspace/arachni/plugins/defaults/autothrottle.rb
[*] content_types:
--------------------
Name: Content-types
Description: Logs content-types of server responses.
It can help you categorize and identify publicly available file-types
which in turn can help you identify accidentally leaked files.
Options:
[~] exclude - Exclude content-types that match this regular expression.
[~] Type: string
[~] Default: text
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.4
Path: /home/zapotek/workspace/arachni/plugins/defaults/content_types.rb
[*] libnotify:
--------------------
Name: libnotify
Description: Uses the libnotify library to send notifications for each discovered issue
and a summary at the end of the scan.
Options:
[~] for_every_issue - Show every issue.
[~] Type: bool
[~] Default: true
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/workspace/arachni/plugins/libnotify.rb
[*] cookie_collector:
--------------------
Name: Cookie collector
Description: Monitors and collects cookies while establishing a timeline of changes.
WARNING: Highly discouraged when the audit includes cookies.
It will log thousands of results leading to a huge report,
highly increased memory and CPU usage.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.5
Path: /home/zapotek/workspace/arachni/plugins/cookie_collector.rb
[*] proxy:
--------------------
Name: Proxy
Description:
* Gathers data based on user actions and exchanged HTTP
traffic and pushes that data to the framework's page-queue to be audited.
* Updates the framework cookies with the cookies of the HTTP requests and
responses, thus it can also be used to login to a web application.
* Supports SSL interception.
To skip crawling and only audit elements discovered by using the proxy
set '--link-count=0'.
Options:
[~] port - Port to bind to.
[~] Type: port
[~] Default: 8282
[~] Required?: false
[~] bind_address - IP address to bind to.
[~] Type: address
[~] Default: 0.0.0.0
[~] Required?: false
[~] timeout - How long to wait for a request to complete, in milliseconds.
[~] Type: integer
[~] Default: 20000
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.2
Path: /home/zapotek/workspace/arachni/plugins/proxy.rb
[*] beep_notify:
--------------------
Name: Beep notify
Description: It beeps when the scan finishes.
Options:
[~] repeat - How many times to beep.
[~] Type: integer
[~] Default: 4
[~] Required?: false
[~] interval - How long to wait between beeps.
[~] Type: float
[~] Default: 0.4
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1
Path: /home/zapotek/workspace/arachni/plugins/beep_notify.rb
[*] rescan:
--------------------
Name: ReScan
Description: It uses the AFR report of a previous scan to
extract the sitemap in order to avoid a redundant crawl.
Options:
[~] afr - Path to the AFR report.
[~] Type: path
[~] Default:
[~] Required?: true
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/rescan.rb
[*] http_dicattack:
--------------------
Name: HTTP dictionary attacker
Description: Uses wordlists to crack password protected directories.
If the cracking process is successful the found credentials will be set
framework-wide and used for the duration of the audit.
If that's not what you want set the crawler's link-count limit to "0".
Options:
[~] username_list - File with a list of usernames (newline separated).
[~] Type: path
[~] Default:
[~] Required?: true
[~] password_list - File with a list of passwords (newline separated).
[~] Type: path
[~] Default:
[~] Required?: true
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/http_dicattack.rb
[*] vector_feed:
--------------------
Name: Vector feed
Description: Reads in vector data from which it creates elements to be audited.
Can be used to perform extremely specialized/narrow audits on a per vector/element basis.
Notes:
* To only audit the vectors in the feed you must set the 'link-count' limit to 0 to prevent crawling.
* Can handle multiple YAML documents.
Example YAML file:
-
# you can pass pages to be audited by grep modules (and JS in the future)
type: page
url: http://localhost/
# response code
code: 200
# response headers
headers:
Content-Type: "text/html; charset=utf-8"
body: "HTML code goes here"
-
# default type is link which has method get
#type: link
action: http://localhost/link
inputs:
my_param: "my val"
-
# if a method is post it'll default to a form type
type: form
method: post
action: http://localhost/form
inputs:
post_this: "HUA!"
csrf: "my_csrf_token"
# do not fuzz/mutate/audit the following inputs (by name obviously)
skip:
- csrf
# GET only
-
type: cookie
action: http://localhost/cookie
inputs:
session_id: "43434234343sddsdsds"
# GET only
-
type: header
action: http://localhost/header
# only 1 input allowed, each header field=>value must be defined separately
inputs:
User-Agent: "Blah/2"
Options:
[~] vectors - Vector array (for configuration over RPC).
[~] Type: abstract
[~] Default:
[~] Required?: false
[~] yaml_string - A string of YAML serialized vectors (for configuration over RPC).
[~] Type: string
[~] Default:
[~] Required?: false
[~] yaml_file - A file containing the YAML serialized vectors.
[~] Type: path
[~] Default:
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/vector_feed.rb
[*] script:
--------------------
Name: Script
Description: Loads and runs an external Ruby script under the scope of a plugin,
used for debugging and general hackery.
Will not work over RPC.
Options:
[~] path - Path to the script.
[~] Type: path
[~] Default:
[~] Required?: true
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/workspace/arachni/plugins/script.rb
[*] email_notify:
--------------------
Name: E-mail notify
Description: Sends a notification (and optionally a report) over SMTP at the end of the scan.
Options:
[~] to - E-mail address of the receiver.
[~] Type: string
[~] Default:
[~] Required?: true
[~] cc - E-mail address to which to send a carbon copy of the notification.
[~] Type: string
[~] Default:
[~] Required?: false
[~] bcc - E-mail address for a blind carbon copy.
[~] Type: string
[~] Default:
[~] Required?: false
[~] from - E-mail address of the sender.
[~] Type: string
[~] Default:
[~] Required?: true
[~] server_address - Address of the SMTP server to use.
[~] Type: address
[~] Default:
[~] Required?: true
[~] server_port - SMTP port.
[~] Type: port
[~] Default:
[~] Required?: true
[~] tls - Use TLS/SSL?.
[~] Type: bool
[~] Default:
[~] Required?: false
[~] username - SMTP username.
[~] Type: string
[~] Default:
[~] Required?: true
[~] password - SMTP password.
[~] Type: string
[~] Default:
[~] Required?: true
[~] authentication - Authentication.
[~] Type: string
[~] Default: plain
[~] Required?: false
[~] report - Report type to send as an attachment. (accepted: txt, xml, html, json, yaml, marshalnone)
[~] Type: enum
[~] Default: txt
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/email_notify.rb
[*] autologin:
--------------------
Name: AutoLogin
Description: It looks for the login form in the user provided URL,
merges its input fields with the user supplied parameters and sets the cookies
of the response and request as framework-wide cookies to be used by the spider later on.
Options:
[~] url - The URL that contains the login form.
[~] Type: url
[~] Default:
[~] Required?: true
[~] params - Form parameters to submit. ( username=user&password=pass )
[~] Type: string
[~] Default:
[~] Required?: true
[~] check - A pattern which will be used to verify a successful login.
For example, if a logout link only appears when a user is logged in then it can be a perfect choice.
[~] Type: string
[~] Default:
[~] Required?: true
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.5
Path: /home/zapotek/workspace/arachni/plugins/autologin.rb
[*] waf_detector:
--------------------
Name: WAF Detector
Description: Performs basic profiling on the web application
in order to assess the existence of a Web Application Firewall.
This is a 4 stage process:
1. Grab the original page as is
2. Send a lot of innocent (vanilla) strings in non-existent inputs so as to profile normal behavior
3. Send a lot of suspicious (spicy) strings in non-existent inputs and check if behavior changes
4. Make heads or tails of the gathered responses
Steps 1 to 3 will be repeated _precision_ times (default: 5) and the responses will be averaged using rDiff analysis.
Options:
[~] precision - Stage precision (how many times to perform each detection stage).
[~] Type: integer
[~] Default: 5
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/waf_detector.rb
[*] form_dicattack:
--------------------
Name: Form dictionary attacker
Description: Uses wordlists to crack login forms.
If the cracking process is successful the found credentials will be set
framework-wide and used for the duration of the audit.
If that's not what you want set the crawler's link-count limit to "0".
Options:
[~] username_list - File with a list of usernames (newline separated).
[~] Type: path
[~] Default:
[~] Required?: true
[~] password_list - File with a list of passwords (newline separated).
[~] Type: path
[~] Default:
[~] Required?: true
[~] username_field - The name of the username form field.
[~] Type: string
[~] Default:
[~] Required?: true
[~] password_field - The name of the password form field.
[~] Type: string
[~] Default:
[~] Required?: true
[~] login_verifier - A regular expression which will be used to verify a successful login.
For example, if a logout link only appears when a user is logged in then it can be a perfect choice.
[~] Type: string
[~] Default:
[~] Required?: true
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.4
Path: /home/zapotek/workspace/arachni/plugins/form_dicattack.rb
```
<h3 id='plugin'><a href='#plugin'>Plugin (--plugin)</a></h3>
*Expects*: plugin name
*Default*: disabled
*Multiple invocations?*: yes
Tells Arachni which plugin components to run.
Plugins are referenced by their filename without the '.rb' extension; use '--lsplug' to see all.
Plugin options are passed after the plugin name as 'pluginname:option=value,option=value'.
<h4 id='plugin_example'><a href='#plugin_example'>Example</a></h4>
Excluding the logout URL and running the AutoLogin plugin to log in to a web application automatically. The '-e logout' exclusion matters: without it the crawler would follow the logout link and invalidate the session AutoLogin just established. Note also that credentials passed via 'params' are visible in the process list and your shell history:
```
$ arachni http://testfire.net --link-count=1 --modules=xss \
--plugin=autologin:url=http://testfire.net/bank/login.aspx,params='uid=jsmith&passw=Demo1234',check='Sign Off|MY ACCOUNT' \
-e logout
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.
[*] Initialising...
[~] AutoLogin: System paused.
[*] Waiting for plugins to settle...
[*] AutoLogin: Found log-in form with name: login
[+] AutoLogin: Form submitted successfully.
[~] AutoLogin: Cookies set to:
[~] AutoLogin: * ASP.NET_SessionId = 14kge555fdb4bjflm3rx3t55
[~] AutoLogin: * amSessionId = 204023334531
[~] AutoLogin: * amUserInfo = UserName=anNtaXRo&Password=RGVtbzEyMzQ=
[~] AutoLogin: * amUserId = 100116014
[~] AutoLogin: * amCreditOffer = CardType=Gold&Limit=10000&Interest=7.9
[*] [HTTP: 200] http://testfire.net/
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] Auditing: [HTTP: 200] http://testfire.net/
[*] Profiler: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] Profiler: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] Profiler: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
[*] Profiler: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
[*] Profiler: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] Profiler: Analyzing response #6...
[*] Profiler: Analyzing response #7...
[*] XSS: Analyzing response #26...
[*] XSS: Analyzing response #27...
[~] Trainer: Found 1 new links.
[*] Profiler: Analyzing response #9...
[*] Profiler: Analyzing response #8...
[*] XSS: Analyzing response #28...
[*] XSS: Analyzing response #15...
[*] XSS: Analyzing response #16...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] XSS: Analyzing response #22...
[*] XSS: Analyzing response #30...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] Profiler: Analyzing response #10...
[*] XSS: Analyzing response #31...
[*] XSS: Analyzing response #32...
[*] Profiler: Analyzing response #11...
[*] Profiler: Analyzing response #12...
[*] Profiler: Analyzing response #14...
[*] Profiler: Analyzing response #13...
[*] XSS: Analyzing response #33...
[*] XSS: Analyzing response #17...
[*] XSS: Analyzing response #18...
[*] XSS: Analyzing response #19...
[*] XSS: Analyzing response #34...
[*] XSS: Analyzing response #20...
[*] XSS: Analyzing response #21...
[*] XSS: Analyzing response #23...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] XSS: Analyzing response #35...
[*] XSS: Analyzing response #24...
[*] XSS: Analyzing response #25...
[*] XSS: Analyzing response #29...
[*] Resolver: Resolving hostnames...
[*] Resolver: Done!
[*] Dumping audit results in '2012-09-09 02.48.17 +0300.afr'.
[*] Done!
[+] Web Application Security Report - Arachni Framework
[~] Report generated on: 2012-09-09 02:48:17 +0300
[~] Report false positives at: http://github.com/Arachni/arachni/issues
[+] System settings:
[~] ---------------
[~] Version: 0.4.1dev
[~] Revision: 0.2.7
[~] Audit started on: Sun Sep 9 02:48:08 2012
[~] Audit finished on: Sun Sep 9 02:48:15 2012
[~] Runtime: 00:00:06
[~] URL: http://testfire.net/
[~] User agent: Arachni/v0.4.2
[*] Audited elements:
[~] * Links
[~] * Forms
[~] * Cookies
[*] Modules: xss
[*] Filters:
[~] Exclude:
[~] (?-mix:logout)
[~] =
[+] 2 issues were detected.
[+] [1] Cross-Site Scripting (XSS)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] ID Hash: 106295fcfffa8fea3664f8fb27defe5b81f3dfba2b54c5c7f2bcb63b36246359
[~] Severity: High
[~] URL: http://testfire.net/search.aspx
[~] Element: form
[~] Method: GET
[~] Tags: xss, regexp, injection, script
[~] Variable: txtSearch
[~] Description:
[~] Client-side code (like JavaScript) can
be injected into the web application which is then returned to the user's browser.
This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.
[~] CWE: http://cwe.mitre.org/data/definitions/79.html
[~] Requires manual verification?: false
[~] References:
[~] ha.ckers - http://ha.ckers.org/xss.html
[~] Secunia - http://secunia.com/advisories/9716/
[*] Variations
[~] ----------
[~] Variation 1:
[~] URL: http://testfire.net/search.aspx
[~] Injected value: <some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
[~] Regular expression:
[~] Matched string: <some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
[+] [2] Cross-Site Scripting (XSS)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] ID Hash: 2530b44f891ab1ebbdad206ceff0c82bee2bf038a978ebcb75f4fa34e9dca727
[~] Severity: High
[~] URL: http://testfire.net/search.aspx?txtSearch=arachni_text
[~] Element: link
[~] Method: GET
[~] Tags: xss, regexp, injection, script
[~] Variable: txtSearch
[~] Description:
[~] Client-side code (like JavaScript) can
be injected into the web application which is then returned to the user's browser.
This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.
[~] CWE: http://cwe.mitre.org/data/definitions/79.html
[~] Requires manual verification?: false
[~] References:
[~] ha.ckers - http://ha.ckers.org/xss.html
[~] Secunia - http://secunia.com/advisories/9716/
[*] Variations
[~] ----------
[~] Variation 1:
[~] URL: http://testfire.net/search.aspx?txtSearch=arachni_text
[~] Injected value: '-;<some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
[~] Regular expression:
[~] Matched string: '-;<some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
[+] Plugin data:
[~] ---------------
[*] Resolver
[~] ~~~~~~~~~~~~~~
[~] Description: Resolves vulnerable hostnames to IP addresses.
[~] testfire.net: 65.61.137.117
[*] Health map
[~] ~~~~~~~~~~~~~~
[~] Description: Generates a simple list of safe/unsafe URLs.
[~] Legend:
[+] No issues
[-] Has issues
[+] http://testfire.net/
[-] http://testfire.net/search.aspx
[-] http://testfire.net/search.aspx?txtSearch=arachni_text
[~] Total: 3
[+] Without issues: 1
[-] With issues: 2 ( 67% )
[*] Profiler
[~] ~~~~~~~~~~~~~~
[~] Description: Examines the behavior of the web application gathering general statistics
and performs taint analysis to determine which inputs affect the output.
It does not perform any vulnerability assessment nor does it send attack payloads.
[~] Inputs affecting output:
[+] Form using the 'txtSearch' input at 'http://testfire.net/' pointing to 'http://testfire.net/search.aspx' using 'GET'.
[~] It was submitted using the following parameters:
[~] * txtSearch = arachni_texte4e549408422875958476160732390defefcac7c2bd8353d918fe452d20de2a6
[~]
[~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_texte4e549408422875958476160732390defefcac7c2bd8353d918fe452d20de2a6':
[~] * Body
[+] Link using the 'txtSearch' input at 'http://testfire.net/search.aspx?txtSearch=arachni_text' pointing to 'http://testfire.net/search.aspx?txtSearch=arachni_text' using 'GET'.
[~] It was submitted using the following parameters:
[~] * txtSearch = arachni_text5f2703a5211db19a9020f7443f6a440fbc95cda90b7c2d53912f5ce47d050056
[~]
[~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_text5f2703a5211db19a9020f7443f6a440fbc95cda90b7c2d53912f5ce47d050056':
[~] * Body
[*] AutoLogin
[~] ~~~~~~~~~~~~~~
[~] Description: It looks for the login form in the user provided URL,
merges its input fields with the user supplied parameters and sets the cookies
of the response and request as framework-wide cookies to be used by the spider later on.
[+] Form submitted successfully.
[~] Cookies set to:
[~] * ASP.NET_SessionId = 14kge555fdb4bjflm3rx3t55
[~] * amSessionId = 204023334531
[~] * amUserInfo = UserName=anNtaXRo&Password=RGVtbzEyMzQ=
[~] * amUserId = 100116014
[~] * amCreditOffer = CardType=Gold&Limit=10000&Interest=7.9
[~] 100.0% [>] 100%
[~] Est. remaining time: --:--:--
[~] Crawler has discovered 2 pages.
[~] Audit limited to a max of 1 pages -- excluding 1 pages of Trainer feedback.
[~] Sent 40 requests.
[~] Received and analyzed 40 responses.
[~] In 00:00:06
[~] Average: 6 requests/second.
[~] Currently auditing http://testfire.net/search.aspx?txtSearch=arachni_text
[~] Burst response time total 0
[~] Burst response count total 0
[~] Burst average response time 0
[~] Burst average 0 requests/second
[~] Timed-out requests 0
[~] Original max concurrency 20
[~] Throttled max concurrency 20
```
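The `--plugin` value follows the format `<plugin>:<optname>=<val>,<optname2>=<val2>,...`; the single quotes in the example above are consumed by the shell, so the scanner actually receives `check=Sign Off|MY ACCOUNT`. The following is an added illustration of how such a string is taken apart and checked against a plugin's required options (as listed by `--lsplug`); it is not Arachni's own code, and the file names `users.txt`/`passwords.txt` are placeholders.

```ruby
# Added example, not Arachni's own code: a parser for the --plugin option
# string documented above, '<plugin>:<optname>=<val>,<optname2>=<val2>,...'.
# It models what the scanner receives after the shell has removed quotes,
# e.g. the example above arrives as:
#   autologin:url=http://testfire.net/bank/login.aspx,params=uid=jsmith&passw=Demo1234,check=Sign Off|MY ACCOUNT
# The plugin name ends at the FIRST ':' and each option name at the FIRST '=',
# so a URL (which contains ':') and a params string (which contains '=') stay
# intact. A comma inside a value cannot be expressed in this format.
def parse_plugin_option( arg )
  name, opt_str = arg.to_s.split( ':', 2 )
  raise ArgumentError, 'plugin name missing' if name.nil? || name.empty?

  options = {}
  ( opt_str || '' ).split( ',' ).each do |pair|
    next if pair.empty?
    key, val = pair.split( '=', 2 )
    # An option given without '=' is treated as a boolean switch here.
    options[key.to_sym] = val.nil? ? true : val
  end

  { name: name, options: options }
end

# --plugin can be given multiple times; collect them keyed by plugin name.
def parse_plugin_options( args )
  args.each_with_object( {} ) do |arg, plugins|
    parsed = parse_plugin_option( arg )
    plugins[parsed[:name]] = parsed[:options]
  end
end

# Reports which of a plugin's required options (shown by --lsplug as
# 'Required?: true') are absent or blank, so the mistake is caught before
# a scan is started.
def missing_required( options, required )
  required.reject { |opt| options.key?( opt.to_sym ) && options[opt.to_sym].to_s != '' }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample invocations; the file names are placeholders.
  plugins = parse_plugin_options( [
    'autologin:url=http://testfire.net/bank/login.aspx,params=uid=jsmith&passw=Demo1234,check=Sign Off|MY ACCOUNT',
    'form_dicattack:username_list=users.txt,password_list=passwords.txt'
  ] )
  plugins.each { |name, opts| puts "#{name}: #{opts.inspect}" }

  # Required options of form_dicattack, taken from the --lsplug listing above.
  required = %w[username_list password_list username_field password_field login_verifier]
  missing  = missing_required( plugins['form_dicattack'], required )
  puts "form_dicattack is missing: #{missing.join( ', ' )}"
end
```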
<h2 id='proxy'><a href='#proxy'>Proxy</a></h2>
<h3 id='proxy_server'><a href='#proxy_server'>Proxy server (--proxy)</a></h3>
*Expects*: server:port
*Default*: disabled
*Multiple invocations?*: no
Tells Arachni to send all requests via a proxy server.
<h3 id='proxy-auth'><a href='#proxy-auth'>Proxy authentication (--proxy-auth)</a></h3>
*Expects*: username:password
*Default*: disabled
*Multiple invocations?*: no
Tells Arachni to authenticate itself with the proxy server using the supplied username and password.
<h3 id='proxy-type'><a href='#proxy-type'>Proxy type (--proxy-type)</a></h3>
*Expects*: http, http_1_0, socks4, socks5, socks4a
*Default*: disabled, or http once a proxy server has been specified
*Multiple invocations?*: no
Tells Arachni which protocol to use to connect to and communicate with the proxy server.
<h2 id='cli_help_output'><a href='#cli_help_output'>CLI Help Output</a></h2>
```
$ arachni -h
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
Usage: arachni [options] url
Supported options:
General ----------------------
-h
--help Output this.
-v Be verbose.
--debug Show what is happening internally.
(You should give it a shot sometime ;) )
--only-positives Echo positive results *only*.
--http-req-limit=<integer> Concurrent HTTP requests limit.
(Default: 20)
(Be careful not to kill your server.)
(*NOTE*: If your scan seems unresponsive try lowering the limit.)
--http-timeout=<integer> HTTP request timeout in milliseconds.
--cookie-jar=<filepath> Netscape HTTP cookie file, use curl to create it.
--cookie-string='<name>=<value>; <name2>=<value2>'
Cookies, as a string, to be sent to the web application.
--user-agent=<string> Specify user agent.
--custom-header='<name>=<value>'
Specify custom headers to be included in the HTTP requests.
(Can be used multiple times.)
--authed-by=<string> Who authorized the scan, include name and e-mail address.
(It'll make it easier on the sys-admins during log reviews.)
(Will be appended to the user-agent string.)
--login-check-url=<url> A URL used to verify that the scanner is still logged in to the web application.
(Requires 'login-check-pattern'.)
--login-check-pattern=<regexp>
A pattern used against the body of the 'login-check-url' to verify that the scanner is still logged in to the web application.
(Requires 'login-check-url'.)
Profiles -----------------------
--save-profile=<filepath> Save the current run profile/options to <filepath>.
--load-profile=<filepath> Load a run profile from <filepath>.
(Can be used multiple times.)
(You can complement it with more options, except for:
* --modules
* --redundant)
--show-profile Will output the running profile as CLI arguments.
Crawler -----------------------
-e <regexp>
--exclude=<regexp> Exclude urls matching <regexp>.
(Can be used multiple times.)
-i <regexp>
--include=<regexp> Include *only* urls matching <regex>.
(Can be used multiple times.)
--redundant=<regexp>:<limit>
Limit crawl on redundant pages like galleries or catalogs.
(URLs matching <regexp> will be crawled <limit> amount of times.)
(Can be used multiple times.)
--auto-redundant=<limit> Only follow <limit> amount of URLs with identical query parameter names.
(Default: inf)
(Will default to 10 if no value has been specified.)
-f
--follow-subdomains Follow links to subdomains.
(Default: off)
--depth=<integer> Directory depth limit.
(Default: inf)
(How deep Arachni should go into the site structure.)
--link-count=<integer> How many links to follow.
(Default: inf)
--redirect-limit=<integer> How many redirects to follow.
(Default: 20)
--extend-paths=<filepath> Add the paths in <file> to the ones discovered by the crawler.
(Can be used multiple times.)
--restrict-paths=<filepath> Use the paths in <file> instead of crawling.
(Can be used multiple times.)
Auditor ------------------------
-g
--audit-links Audit links.
-p
--audit-forms Audit forms.
-c
--audit-cookies Audit cookies.
--exclude-cookie=<name> Cookie to exclude from the audit by name.
(Can be used multiple times.)
--exclude-vector=<name> Input vector (parameter) not to audit by name.
(Can be used multiple times.)
--audit-headers Audit HTTP headers.
(*NOTE*: Header audits use brute force.
Almost all valid HTTP request headers will be audited
even if there's no indication that the web app uses them.)
(*WARNING*: Enabling this option will result in increased requests,
maybe by an order of magnitude.)
Coverage -----------------------
--audit-cookies-extensively Submit all links and forms of the page along with the cookie permutations.
(*WARNING*: This will severely increase the scan-time.)
--fuzz-methods Audit links, forms and cookies using both GET and POST requests.
(*WARNING*: This will severely increase the scan-time.)
--exclude-binaries Exclude non text-based pages from the audit.
(Binary content can confuse recon modules that perform pattern matching.)
Modules ------------------------
--lsmod=<regexp> List available modules based on the provided regular expression.
(If no regexp is provided all modules will be listed.)
(Can be used multiple times.)
-m <modname,modname..>
--modules=<modname,modname..>
Comma separated list of modules to load.
(Modules are referenced by their filename without the '.rb' extension, use '--lsmod' to list all.
Use '*' as a module name to deploy all modules or as a wildcard, like so:
xss* to load all xss modules
sqli* to load all sql injection modules
etc.
You can exclude modules by prefixing their name with a minus sign:
--modules=*,-backup_files,-xss
The above will load all modules except for the 'backup_files' and 'xss' modules.
Or mix and match:
-xss* to unload all xss modules.)
Reports ------------------------
--lsrep=<regexp> List available reports based on the provided regular expression.
(If no regexp is provided all reports will be listed.)
(Can be used multiple times.)
--repload=<filepath> Load audit results from an '.afr' report file.
(Allows you to create new reports from finished scans.)
--report='<report>:<optname>=<val>,<optname2>=<val2>,...'
<report>: the name of the report as displayed by '--lsrep'
(Reports are referenced by their filename without the '.rb' extension, use '--lsrep' to list all.)
(Default: stdout)
(Can be used multiple times.)
Plugins ------------------------
--lsplug=<regexp> List available plugins based on the provided regular expression.
(If no regexp is provided all plugins will be listed.)
(Can be used multiple times.)
--plugin='<plugin>:<optname>=<val>,<optname2>=<val2>,...'
<plugin>: the name of the plugin as displayed by '--lsplug'
(Plugins are referenced by their filename without the '.rb' extension, use '--lsplug' to list all.)
(Can be used multiple times.)
Proxy --------------------------
--proxy=<server:port> Proxy address to use.
--proxy-auth=<user:passwd> Proxy authentication credentials.
--proxy-type=<type> Proxy type; can be http, http_1_0, socks4, socks5, socks4a
(Default: http)
```