# ChangeLog

## Version 0.3 _(July 26, 2011)_

- HTTP client
    - Fixed race condition in timeout options.
- Spider (**New**)
    - Replaced Anemone with a lightweight custom-written spider.
- WebUI
    - Major refactoring.
    - Improved handling of connection errors during scan progress updates.
    - Added support for add-ons. (**New**)
    - Add-ons (**New**)
        - Scan scheduler
        - Auto-deploy -- Automatically converts any SSH-enabled Linux box into an Arachni Dispatcher.
    - Fixed bug when IP addresses are used, instead of hostnames, for the Dispatchers.
- Parser
    - Form action attributes are now sanitized using iterative URI decoding.
    - Link variables are extracted before URL sanitization takes place in order to keep values with URL-encoded characters intact.
    - The link variables of any current page's URL are now pushed to 'page.links'.
- Auditor
    - Abstracted the rDiff audit methods from the "Blind (rDiff) SQL Injection" module and moved them into the Auditor.
    - Timing attack technique has been greatly improved and all timing attacks are now scheduled to run at the end of the scan.
- Modules
    - API
        - Added the "redundant()" method -- Allows a module to prevent itself from auditing elements that have been previously logged by other modules.
        - Modules are now passed an instance of the framework.
    - Audit
        - Blind (rDiff) SQL Injection
            - Updated to support all element types (Links, Forms, Cookies, Headers).
            - Optimized using the new "redundant()" method -- It will no longer audit elements that have been previously logged by the 'sqli' or 'sqli_blind_rdiff' modules.
        - OS command injection (timing)
            - Optimized using the new "redundant()" method -- It will no longer audit elements that have been previously logged by the 'os_cmd_injection' module.
        - Code injection (timing)
            - Optimized using the new "redundant()" method -- It will no longer audit elements that have been previously logged by the 'code_injection' module.

## Version 0.2.4 _(July 1, 2011)_

- HTTP
    - Implemented a 10s time-out [Issue #40]
- Command Line Interface
    - The interrupt handler (Ctrl+C) now presents the option to generate reports mid-scan. [Issue #41]
    - Added a counter of timed-out requests in the stats.
- WebUI
    - The "Replay" form's action attribute now contains the full URL, including params. [Issue #38]
    - Fixed path clash that caused the "shutdown" button in the Dispatchers screen not to work. [Issue #39]
    - Fixed mix-up of output messages from different instances. [Issue #36]
    - Added a counter of timed-out requests in "Instance" screens.
- External
    - Metasploit
        - Updated SQL injection exploit module to work with SQLmap 0.9. [Issue #37]
- Reports
    - HTML
        - Fixed yet another error condition occurring with broken encodings. [Issue #31]
- Auditor
    - Timing attacks now have a "control" to verify that the server is indeed alive, i.e. requests won't time out by default.

## Version 0.2.3 _(May 22, 2011)_

- WebUI
    - Added connection cache for XMLRPC server instances to remove HTTPS handshake overhead and take advantage of keep-alive support.
    - Added initial support for management of multiple Dispatchers.
- XMLRPC Client->Dispatch Server
    - Updated to always use SSL [Issue #28]
    - Added per-instance authentication tokens [Issue #28]
- Modules
    - Audit
        - Path traversal: added double-encoded traversals [Issue #29]
- Reports
    - HTML
        - Fixed "invalid byte sequence in UTF-8" using iconv [Issue #27]
        - Added false positive reporting. Data are encrypted using 256-bit AES (with AES primitives encrypted using RSA) and sent over HTTPS. [Issue #30]
    - Metareport
        - Fixed bug caused by a file handle that was not explicitly closed.

## Version 0.2.2.2 _(March 22, 2011)_

- Added "arachni_web_autostart" under bin -- Automatically starts all systems required by the WebUI and makes shutting down everything easier too (Original by: Brandon Potter)
- Overrode Nokogiri to revert to UTF-8 when it comes across an unknown charset instead of throwing exceptions
- Dependency versions are now defined explicitly [Issue #23]
- Updated to Sinatra v1.2.1
- HTTP
    - Disabled peer verification on SSL [Issue #19]
    - Replaced callbacks with the new _Observable_ mixin (also updated components to use the new conventions)
- WebUI
    - Plug-in options are preserved [Issue #19]
    - Check-all now skips disabled checkboxes
    - Report info is stored in a database [Issue #19]
    - Reports are now displayed in descending order based on scan completion datetime [Issue #19]
    - Any existing reports will be migrated into the new database [Issue #19]
- XMLRPC service
    - Fixed segfault on forced shutdown when spider-first was enabled
- Plug-ins
    - AutoLogin now registers its results
- Reports -- Added formatters for the AutoLogin [Issue #19] and Profiler plug-ins
    - HTML
        - Fixed exception on empty issue list
        - Fixed encoding exceptions (cheers to Chris Weber)
- Path extractors
    - Generic -- fixed error on invalid encoding sequences
- Modules
    - Recon
        - Directory listing -- Now skips non-200 pages because it used to log false positives on redirections
- Plug-ins
    - Added Profiler -- Performs taint analysis (with benign inputs) and response time analysis

## Version 0.2.2.1 _(February 13, 2011)_

- Web UI v0.1-pre (Utilizing the Client - Dispatch-server XMLRPC architecture) (**New**)
    - Basically a front-end to the XMLRPC client
    - Support for parallel scans
    - Report management
    - Can be used to monitor and control any running Dispatcher
- Changed classification from "Vulnerabilities" to "Issues" (**New**)
- Improved detection of custom 404 pages.
- Reports updated to show plug-in results.
- Updated framework-wide cookie handling.
- Added parameter flipping functionality (cheers to Nilesh Bhosale)
- Major performance optimizations (4x faster in most tests)
    - All modules now use asynchronous requests and are optimized for highest traffic efficiency
    - All index Arrays have been replaced by Sets to minimize look-up times
    - Mark-up parsing has been reduced dramatically
    - File I/O blocking in modules has been eliminated
- Crawler
    - Improved performance
    - Added '--spider-first' option (**New**)
- Substituted the XMLRPC server with an XMLRPC dispatch server (**New**)
    - Multiple clients
    - Parallel scans
    - Extensive logging
    - SSL cert based client authentication
- Added modules (**New**)
    - Audit
        - XSS in event attributes of HTML elements
        - XSS in HTML tags
        - XSS in HTML 'script' tags
        - Blind SQL injection using timing attacks
        - Blind code injection using timing attacks (PHP, Ruby, Python, JSP, ASP.NET)
        - Blind OS command injection using timing attacks (*nix, Windows)
    - Recon
        - Common backdoors -- Looks for common shell names
        - .htaccess LIMIT misconfiguration
        - Interesting responses -- Listens to all traffic and logs interesting server messages
        - HTML object grepper
        - E-mail address disclosure
        - US Social Security Number disclosure
        - Forceful directory listing
- Added plugins (**New**)
    - Dictionary attacker for HTTP Auth
    - Dictionary attacker for form based authentication
    - Cookie collector -- Listens to all traffic and logs changes in cookies
    - Healthmap -- Generates sitemap showing the health of each crawled/audited URL
    - Content-types -- Logs content-types of server responses aiding in the identification of interesting (possibly leaked) files
    - WAF (Web Application Firewall) Detector
    - MetaModules -- Loads and runs high-level meta-analysis modules pre/mid/post-scan
        - AutoThrottle -- Dynamically adjusts HTTP throughput during the scan for maximum bandwidth utilization
        - TimeoutNotice -- Provides a notice for issues uncovered by timing attacks when the affected audited pages returned unusually high response times to begin with. It also points out the danger of DoS attacks against pages that perform heavy-duty processing.
        - Uniformity -- Reports inputs that are uniformly vulnerable across a number of pages, hinting at the lack of a central point of input sanitization.
- New behavior on Ctrl+C
    - The system continues to run in the background instead of pausing
    - The user is presented with an auto-refreshing report and progress stats
- Updated module API
    - Timing/delay attacks have been abstracted and simplified via helper methods
    - The modules are given access to vector skipping decisions
    - Simplified issue logging
    - Added the option of substring matching instead of regexp matching in order to improve performance.
- Substituted regular expression matching with substring matching wherever possible.
- Reports:
    - Added plug-in formatter components allowing plug-ins to have a say in how their results are presented (**New**)
    - New HTML report (Cheers to [Christos Chiotis](mailto:chris@survivetheinternet.com) for designing the new HTML report template.) (**New**)
    - Updated reports to include Plug-in results:
        - XML report
        - Stdout report
        - Text report

## Version 0.2.1 _(November 25, 2010)_

- Major performance improvements
- Major system refactoring and code clean-up
- Major module API refactoring providing even more flexibility regarding element auditing and manipulation
- Integration with the Metasploit Framework via: (**New**)
    - ArachniMetareport, an Arachni report specifically designed to provide WebApp context to the [Metasploit](http://www.metasploit.com/) framework.
    - Arachni plug-in for the [Metasploit](http://www.metasploit.com/) framework, used to load the ArachniMetareport in order to provide advanced automated and manual exploitation of WebApp vulnerabilities.
    - Advanced generic WebApp exploit modules for the [Metasploit](http://www.metasploit.com/) framework, utilized either manually or automatically by the Arachni MSF plug-in.
- Improved Blind SQL Injection module, significantly fewer requests per audit.
- XMLRPC server (**New**)
- XMLRPC CLI client (**New**)
- NTLM authentication support (**New**)
- Support for path extractor modules for the Spider (**New**)
- Path extractors: (**New**)
    - Generic -- extracts URLs from arbitrary text
    - Anchors
    - Form actions
    - Frame sources
    - Links
    - META refresh
    - Script 'src' and script code
    - Sitemap
- Plug-in support -- allowing the framework to be extended with virtually any functionality (**New**).
- Added plug-ins: (**New**)
    - Passive proxy
    - Automated login
- Added modules: (**New**)
    - Audit
        - XPath injection
        - LDAP injection
    - Recon
        - CVS/SVN user disclosure
        - Private IP address disclosure
        - Robot file reader (in the Common Files module)
        - XST
        - WebDAV detection
        - Allowed HTTP methods
        - Credit card number disclosure
        - HTTP PUT support
- Extended proxy support (SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0). (**New**)

## Version 0.2 _(October 14, 2010)_

- Improved output.
    - Increased context awareness.
    - Extensive debugging output capabilities.
    - Added simple stats at the end of scans.
- Rewritten HTTP interface.
    - High-performance asynchronous HTTP requests.
    - Adjustable HTTP request concurrency limit.
    - Adjustable HTTP response harvests.
    - Custom 404 page detection.
- Optimized Trainer subsystem.
    - Invoked when it is most likely to detect new vectors.
    - Can be invoked by individual modules on demand, forcing Arachni to learn from the HTTP responses they will cause -- a great asset to Fuzzers.
- Refactored and improved Auditor.
    - No redundant requests, except when required by modules.
    - Better parameter handling.
    - Speed optimizations.
    - Added differential analysis to determine whether a vulnerability needs manual verification.
- Refactored and improved module API.
    - Major API clean-up.
    - With facilities providing more control and power over the audit process.
    - Significantly increased ease of development.
    - Modules have total flexibility and control over input combinations, injection values and their formatting -- if they need to.
    - Modules can opt for sync or async HTTP requests (Default: async)
- Improved interrupt handling
    - Scans can be paused/resumed at any time.
    - In the event of a system exit or user cancellation, reports will still be created using whatever data were gathered during runtime.
    - When the scan is paused the user will be presented with the results gathered thus far.
- Improved configuration profile handling
    - Added pre-configured profiles
    - Multiple profiles can be loaded at once
    - Ability to show running profiles as CLI arguments
- Overall module improvements and optimizations.
- New modules for:
    - Blind SQL Injection, using reverse-diff analysis.
    - Trainer, which probes all inputs of a given page in order to uncover new input vectors and forces Arachni to learn from the responses.
    - Unvalidated redirects.
    - Forms that transmit passwords in clear text.
    - CSRF, implementing 4-pass rDiff analysis to drastically reduce noise.
- Overall report improvements and optimizations.
- New reports
    - Plain text report
    - XML report