websecurity@lists.webappsec.org

The Web Security Mailing List


Arachni v1.0 (WebUI v0.5) has been released (Open Source Web Application Security Scanner Framework)

Tasos Laskos
Fri, Aug 29, 2014 11:45 PM

Hey folks,

There's a new version of Arachni, an Open Source, modular and high-performance
Web Application Security Scanner Framework written in Ruby.

This release makes Arachni the first F/OSS system to have support for a browser
environment, allowing it to handle modern web applications which make use of
technologies such as HTML5/DOM/JavaScript/AJAX.

The new scan engine has been benchmarked (WIVET v3 and WAVSEP v1.5) higher than
even the most established commercial products in crawl coverage, vulnerability
identification and accuracy -- scores can be found in the release announcement.

Brief list of changes:

  • Updated workflow:
    • No more crawl-first, scan workload is discovered and handled on-the-fly.
    • Support for suspending scans to disk.
  • Addition of an integrated browser environment, supporting:
    • HTML5/DOM/JavaScript/AJAX
    • Detection of DOM-based issues.
  • New input vectors:
    • DOM forms
    • DOM links (with parameters in URL fragments)
    • DOM cookies
    • Link templates (for extracting arbitrary inputs from generic paths).
    • DOM link templates (for extracting arbitrary inputs from generic URL fragments).
  • Support for URL-rewrite rules.
  • New checks:
    • NoSQL injection (error based and blind).
    • DOM XSS variants.
  • New reports providing enormous amounts of context for easy issue verification
    and resolution -- especially for DOM-based ones.
  • Cleaned up RPC API.
  • License update:
    • Proprietary, commercial license for SaaS providers and commercial distributors.
    • Apache License v2.0 for all other use cases.

For more details about the new release please visit:
http://www.arachni-scanner.com/blog/arachni-v1-0-webui-v0-5/

Download page: http://www.arachni-scanner.com/download/

Homepage           - http://www.arachni-scanner.com
Blog               - http://www.arachni-scanner.com/blog
Documentation      - https://github.com/Arachni/arachni/wiki
Support            - http://support.arachni-scanner.com
GitHub page        - http://github.com/Arachni/arachni
Code Documentation - http://rubydoc.info/github/Arachni/arachni
Author             - Tasos "Zapotek" Laskos (http://twitter.com/Zap0tek)
Twitter            - http://twitter.com/ArachniScanner
Copyright          - 2010-2014 Tasos Laskos
License            - Dual-licensed (Apache License v2/Proprietary)
                     (http://www.arachni-scanner.com/license/)

Cheers,
Tasos Laskos.
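The announcement lists two new input vector types worth a closer look: DOM links, whose parameters live in the URL fragment and never reach the server but are read by client-side JavaScript, and link templates, which pull inputs out of "clean" paths such as /user/123/post/456. The Ruby routine below is an added illustration of that discovery step written for this page; it is not Arachni's own code. The template format (a Regexp with named captures), the helper names and the example URLs are assumptions constructed for the example.

```ruby
require 'uri'

# Parse "a=1&b=2" style pairs (from a query string or a fragment) into a Hash.
# Pairs without '=' are ignored so that plain anchors such as "#top" are not
# mistaken for inputs. Helper name is an assumption for this example.
def parse_pairs(str)
  return {} if str.nil? || str.empty?

  str.split('&').each_with_object({}) do |pair, pairs|
    next unless pair.include?('=')

    name, value = pair.split('=', 2)
    pairs[URI.decode_www_form_component(name)] = URI.decode_www_form_component(value)
  end
end

# Discover input vectors for a single URL.
# Returns an Array of { type:, name:, value: } Hashes, where type is one of
# :link (query parameter), :dom_link (parameter carried in the fragment) or
# :link_template (path segment captured by a template).
# link_templates is an Array of Regexps with named captures (assumed format).
def discover_inputs(url, link_templates = [])
  uri     = URI.parse(url)
  vectors = []

  # Classic link inputs: the query string seen by the server.
  parse_pairs(uri.query).each do |name, value|
    vectors << { type: :link, name: name, value: value }
  end

  # DOM link inputs: anything after '#'. A fragment like "/search?q=x" is
  # routed client-side, so take the part after the last '?' as the pairs.
  fragment       = uri.fragment.to_s
  fragment_pairs = fragment.include?('?') ? fragment.split('?', 2).last : fragment
  parse_pairs(fragment_pairs).each do |name, value|
    vectors << { type: :dom_link, name: name, value: value }
  end

  # Link template inputs: named captures over the path expose values that
  # are embedded in the path itself rather than in a query string.
  link_templates.each do |template|
    match = template.match(uri.path)
    next unless match

    match.names.each do |name|
      vectors << { type: :link_template, name: name, value: match[name] }
    end
  end

  vectors
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: one template, one URL carrying all three vector kinds.
  templates = [%r{\A/user/(?<user_id>\d+)/post/(?<post_id>\d+)\z}]
  discover_inputs('http://example.test/user/42/post/7?lang=en#/search?q=test', templates)
    .each { |v| puts format('%-14s %-8s = %s', v[:type], v[:name], v[:value]) }
end
```

Each discovered vector is what a scanner would later audit; the useful point for defenders is that the fragment and path vectors are invisible to server-side request logs and WAF rules that only inspect the query string, so coverage of those inputs has to come from client-side testing or from instrumenting the application's own routing.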
