[WEB HACKING] arachni - Web application security scanner framework

 많은 WVS(Web Vulnerability Scanner) 중 오픈소스 프레임워크인 arachni에 대한 이야기를 할까합니다. 간단하게 테스트 하였고, 무난하게 사용할 수 있을 것 같아 정리합니다.

Install arachni scanner

Download link
http://www.arachni-scanner.com/download/

64bit Command

#> wget https://github.com/Arachni/arachni/releases/download/v1.4/arachni-1.4-0.5.10-linux-x86_64.tar.gz

#> tar -xvf arachni-1.4-0.5.10-linux-x86_64.tar.gz

#> cd arachni-1.4-0.5.10

#> cd system/arachni-ui-web/bin

#> bundle install 

#> ./arachni

Run Scan

#> ./arachni http://127.0.0.1
Arachni - Web Application Security Scanner Framework v1.4
   Author: Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


 [~] No checks were specified, loading all.
 [~] No element audit options were specified, will audit links, forms, cookies, UI inputs, UI forms, JSONs and XMLs.

 [*] Initializing...
 [*] Preparing plugins...
 [*] ... done.
 [~] Scheduled 302 redirection: http://127.0.0.1/ => /test

 [*] [HTTP: 302] http://127.0.0.1/
 [~] Analysis resulted in 0 usable paths.
...snip...

 [~] Total: 11
 [+] Without issues: 0
 [-] With issues: 11 ( 100% )

 [~] Report saved at: /test/arachni/system/arachni-ui-web/bin/127.0.0.1 2016-03-08 09_52_55 +0900.afr [0.04MB]

 [~] Audited 3 pages.

 [~] Duration: 00:00:14
 [~] Processed 171/262 HTTP requests.
 [~] -- 16.712 requests/second.
 [~] Processed 0/0 browser jobs.
 [~] -- 0.0 second/job.

 [~] Currently auditing          http://127.0.0.1/test/
 [~] Burst response time sum     37.542 seconds
 [~] Burst response count        37
 [~] Burst average response time 1.015 seconds
 [~] Burst average               10.069 requests/second
 [~] Timed-out requests          0
 [~] Original max concurrency    20
 [~] Throttled max concurrency   20

저장된 Report file(.afr)을 아래 명령처럼 reporter 를 이용하여 결과를 확인할 수 있습니다.

#> ./arachni_reporter  127.0.0.1\ 2016-03-08\ 09_52_55\ +0900.afr

WebUI로도 지원하니 구글링 좀 해보신 후 사용하시면 잘 활용할 수 있는 스캐너로 보입니다. :)

Reference

http://www.arachni-scanner.com