Version 0.4.6

There are a lot of options, customizations and tweaks you can use but fear not and don't let yourself be overwhelmed.

This guide will walk you through each and every one of them and teach you how to use them in order to make your scans as efficient as possible.

If you intend to scan big and complex sites it's best that you read through this guide and evaluate all available options.

Quickstart

Help

In order to see everything Arachni has to offer execute:

$ arachni -h

Examples

You can simply run Arachni like so:

$ arachni http://test.com

which will load all modules, the plugins under /plugins/defaults and audit all forms, links and cookies.

In the following example all modules will be run against http://test.com, auditing links/forms/cookies and following subdomains, with verbose output enabled.

The results of the audit will be saved in the file test.com.afr.

$ arachni -fv http://test.com --report=afr:outfile=test.com.afr

The Arachni Framework Report (.afr) file can later be loaded by Arachni to create a report, like so:

$ arachni --repload=test.com.afr --report=html:outfile=my_report.html

or any other report type as shown by:

$ arachni --lsrep

You can make module loading easier by using wildcards (*) and exclusions (-).

To load all xss modules using a wildcard:

$ arachni http://example.net --modules=xss*

To load all audit modules using a wildcard:

$ arachni http://example.net --modules=audit/*

To exclude only the csrf module:

$ arachni http://example.net --modules=*,-csrf

Or you can mix and match; to run everything but the xss modules:

$ arachni http://example.net --modules=*,-xss*

Performing a full scan quickly

The full profile adds header auditing to the defaults.

NOTICE: Auditing headers can increase scan time by an order of magnitude (depending on the website) and may be considered over-the-top in most scenarios.

You can use it like so:

$ arachni --load-profile=profiles/full.afp http://example.net

If you installed the Gem then you'll have to look for the "profiles" directory in your gems path.

More resources

For more resources you can consult the articles in the knowledge base.

Command reference

Command Line Interface help output

General

Version (--version)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Outputs the Arachni banner and version information.

Verbosity (-v)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

When verbosity is enabled Arachni will give you detailed information about what's going on during the whole process.

Example

Let's give this a try:

arachni --audit-forms --modules=xss http://testfire.net/ --link-count=1

This will load the XSS module and audit all the forms in "http://testfire.net/".

Verbose mode disabled

Observe that there's no -v flag in the following run.

Don't worry about the rest of the parameters right now.

Quick note:

Arachni's output messages are classified into several categories, each of them prefixed with a different colored symbol:

  • [*] are status messages.
  • [~] are informational messages.
  • [+] are "ok" messages - positive matches.
  • [v] are verbose messages.
  • [!] are debug messages.
  • [-] are error messages.

I won't bother with coloring during the examples.

Arachni - Web Application Security Scanner Framework v0.4.2
   Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


 [*] Initialising...
 [*] Waiting for plugins to settle...
 [*] [HTTP: 200] http://testfire.net/
 [*] Harvesting HTTP responses...
 [~] Depending on server responsiveness and network conditions this may take a while.

 [*] Auditing: [HTTP: 200] http://testfire.net/
 [*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
 [*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
 [*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
 [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
 [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
 [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
 [*] Harvesting HTTP responses...
 [~] Depending on server responsiveness and network conditions this may take a while.
 [*] Profiler: Analyzing response #3...
 [~] Trainer: Found 1 new links.
 [*] Profiler: Analyzing response #4...
 [*] Profiler: Analyzing response #5...
 [*] XSS: Analyzing response #6...
 [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
 [*] XSS: Analyzing response #7...
 [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
 [*] XSS: Analyzing response #8...
 [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )

Verbose mode enabled

See the extra information in this example.

[v] messages are verbose messages.

In this case the verbose messages give information about the inputs that discovered the XSS vulnerability.

$ arachni -v --audit-forms --modules=xss http://testfire.net/ --link-count=1
Arachni - Web Application Security Scanner Framework v0.4.2
   Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


 [*] Initialising...
 [*] Waiting for plugins to settle...
 [*] [HTTP: 200] http://testfire.net/
 [*] Harvesting HTTP responses...
 [~] Depending on server responsiveness and network conditions this may take a while.

 [*] Auditing: [HTTP: 200] http://testfire.net/
 [*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
 [*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
 [*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
 [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
 [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
 [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
 [*] Harvesting HTTP responses...
 [~] Depending on server responsiveness and network conditions this may take a while.
 [*] Profiler: Analyzing response #3...
 [~] Trainer: Found 1 new links.
 [*] Profiler: Analyzing response #4...
 [*] Profiler: Analyzing response #5...
 [*] XSS: Analyzing response #6...
 [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
 [v] XSS: Injected string:  <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
 [v] XSS: Verified string:  <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
 [*] XSS: Analyzing response #7...
 [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
 [v] XSS: Injected string:  '-;<some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
 [v] XSS: Verified string:  '-;<some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
 [*] XSS: Analyzing response #8...
 [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
 [v] XSS: Injected string:  --> <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/> <!--
 [v] XSS: Verified string:  --> <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/> <!--
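
The three [+] lines above all concern the same form input. The following Ruby sketch is an added example, not part of Arachni or of the original guide: it classifies console lines by the prefixes listed in the quick note and attaches each pair of [v] lines to the match it follows. The sample is the verbose run above with the long random seed shortened to SEED; all names in the code are this example's own.

```ruby
# Added example (not Arachni code): classify console lines by prefix and
# attach the [v] details to the [+] match they follow.

CATEGORIES = {
  '*' => :status, '~' => :info, '+' => :ok,
  'v' => :verbose, '!' => :debug, '-' => :error
}.freeze

LINE_RE    = /\A\s*\[([*~+v!\-])\]\s?(.*)\z/
FINDING_RE = /\A(\w+): In (\w+) var '([^']+)' \( (\S+) \)\z/
DETAIL_RE  = /\A\w+: (Injected|Verified) string:\s+(.*)\z/

# Returns [category, message], or nil for lines without a known prefix
# (banner lines, blank lines).
def classify(line)
  m = LINE_RE.match(line.chomp)
  m ? [CATEGORIES.fetch(m[1]), m[2]] : nil
end

# Returns one hash per positive match, in order of appearance.
def findings(output)
  results = []
  current = nil
  output.each_line do |line|
    category, message = classify(line)
    if category == :ok && (m = FINDING_RE.match(message))
      current = { module: m[1], element: m[2], input: m[3], url: m[4] }
      results << current
    elsif category == :verbose && current && (m = DETAIL_RE.match(message))
      current[m[1].downcase.to_sym] = m[2]
    elsif category != :verbose
      # Any other line ends the detail block of the previous match.
      current = nil
    end
  end
  results
end

# One entry per vulnerable input, listing every string that was verified.
def by_input(found)
  found.group_by { |f| [f[:module], f[:url], f[:input]] }
       .transform_values { |fs| fs.map { |f| f[:verified] }.compact }
end

# Sample taken from the verbose run above; the seed is shortened to SEED.
SAMPLE = <<~'LOG'
   [*] XSS: Analyzing response #6...
   [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
   [v] XSS: Injected string:  <some_dangerous_input_SEED/>
   [v] XSS: Verified string:  <some_dangerous_input_SEED/>
   [*] XSS: Analyzing response #7...
   [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
   [v] XSS: Injected string:  '-;<some_dangerous_input_SEED/>
   [v] XSS: Verified string:  '-;<some_dangerous_input_SEED/>
   [*] XSS: Analyzing response #8...
   [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
   [v] XSS: Injected string:  --> <some_dangerous_input_SEED/> <!--
   [v] XSS: Verified string:  --> <some_dangerous_input_SEED/> <!--
LOG

if __FILE__ == $PROGRAM_NAME
  by_input(findings(SAMPLE)).each do |(mod, url, input), strings|
    puts "#{mod} #{url} input=#{input}: #{strings.size} verified strings"
  end
end
```

Grouping by module, URL and input name turns the three matches into a single input to fix, with the three verified strings showing in which contexts the value is reflected unescaped.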

Debug mode (--debug)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

When this flag is enabled the system will output a lot of messages detailing what's happening internally.

If you don't want to be flooded by annoying and obscure messages you can pipe debugging output to a separate file when running Arachni using:

$ arachni -pv --mods=xss http://localhost/~zapotek/tests/forms/xss.php --debug 2> debug.log

The debug.log file will contain something like:

$ cat debug.log
 [!] XSS: Current audit ID: XSS:http://localhost/~zapotek/tests/forms/xss.php:form:["xss"]=<arachni_xss_5e2e830ed4f831cb30df6df05151022b94cd27991b459ae8c3b349e2bbd2dad1
 [!] XSS: Current audit ID: XSS:http://localhost/~zapotek/tests/forms/xss.php:form:["xss"]=__original_values__
 [!] XSS: Current audit ID: XSS:http://localhost/~zapotek/tests/forms/xss.php:form:["xss"]=__sample_values__
 [!] XSS:
 [!] XSS: Trainer set to: OFF
 [!] XSS: ------------
 [!] XSS: Injection string format combinations set to:
 [!] XSS: |
 [!] XSS: |----> Null character termination (Format::NULL [4]) and append to default value (Format::APPEND [2]). [Combo mask: 6]
 [!] XSS:
 [!] XSS: Prepared combinations:
 [!] XSS: |
 [!] XSS: |
 [!] XSS: |--> Auditing: __original_values__
 [!] XSS: |--> Combo:
 [!] XSS: |------> ["xss", ""]
 [!] XSS: |
 [!] XSS: |--> Auditing: __sample_values__
 [!] XSS: |--> Combo:
 [!] XSS: |------> ["xss", "1"]
 [!] XSS: |
 [!] XSS: |--> Auditing: xss
 [!] XSS: |--> Combo:
 [!] XSS: |------> ["xss", "1<arachni_xss_5e2e830ed4f831cb30df6df05151022b94cd27991b459ae8c3b349e2bbd2dad1\x00"]
 [!] XSS:
 [!] XSS: ------------
 [!] XSS:
 [!] XSS: Current audit ID: XSS:http://localhost/~zapotek/tests/forms/xss.php:form:["xss"]=__original_values__
 [!] XSS: Submitting form with original values; overriding trainer option.
 [!] XSS: Trainer set to: ON
 [!] ------------
 [!] Queued request.
 [!] ID#: 0
 [!] URL: http://localhost/~zapotek/tests/forms/xss.php
 [!] Method: post
 [!] Params: {"xss"=>""}
 [!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
 [!] Train?: true
 [!] ------------
 [!] XSS: Current audit ID: XSS:http://localhost/~zapotek/tests/forms/xss.php:form:["xss"]=__sample_values__
 [!] XSS: Submitting form with sample values; overriding trainer option.
 [!] XSS: Trainer set to: ON
 [!] ------------
 [!] Queued request.
 [!] ID#: 1
 [!] URL: http://localhost/~zapotek/tests/forms/xss.php
 [!] Method: post
 [!] Params: {"xss"=>"1"}
 [!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
 [!] Train?: true
 [!] ------------
 [!] ------------
 [!] Queued request.
 [!] ID#: 2
 [!] URL: http://localhost/~zapotek/tests/forms/xss.php
 [!] Method: post
 [!] Params: {"xss"=>"1<arachni_xss_5e2e830ed4f831cb30df6df05151022b94cd27991b459ae8c3b349e2bbd2dad1\x00"}
 [!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
 [!] Train?: false
 [!] ------------
 [!] ------------
 [!] Got response.
 [!] Request ID#: 2
 [!] URL: http://localhost/~zapotek/tests/forms/xss.php
 [!] Method: post
 [!] Params: {"xss"=>"1<arachni_xss_5e2e830ed4f831cb30df6df05151022b94cd27991b459ae8c3b349e2bbd2dad1\x00"}
 [!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
 [!] Train?: false
 [!] ------------
 [!] XSS: Request ID: 2
 [!] ------------
 [!] Got response.
 [!] Request ID#: 0
 [!] URL: http://localhost/~zapotek/tests/forms/xss.php
 [!] Method: post
 [!] Params: {"xss"=>""}
 [!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
 [!] Train?: true
 [!] ------------
 [!] Trainer: Started for response with request ID: #0
 [!] Trainer: Page hasn't changed, skipping...
 [!] ------------
 [!] Got response.
 [!] Request ID#: 1
 [!] URL: http://localhost/~zapotek/tests/forms/xss.php
 [!] Method: post
 [!] Params: {"xss"=>"1"}
 [!] Headers: {"cookie"=>"", "From"=>"", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/0.2.1"}
 [!] Train?: true
 [!] ------------
 [!] Trainer: Started for response with request ID: #1
 [!] Trainer: Training complete.

Only positives (--only-positives)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

This will suppress all messages except for positive matches -- vulnerabilities.

HTTP request limit (--http-req-limit)

Expects: integer

Default: 20

Multiple invocations?: no

Limit how many concurrent HTTP requests are sent.

Note: If your scan seems unresponsive try lowering the limit.

Warning: Given enough bandwidth and a high limit it could cause a DoS. Be careful not to set this option too high; don't kill your server.

HTTP request queue size (--http-queue-size)

Expects: integer

Default: 500

Multiple invocations?: no

Maximum amount of HTTP requests to keep in the queue.

Note: More means better scheduling and better performance; fewer means less RAM consumption.

HTTP timeout (--http-timeout)

Expects: integer (milliseconds)

Default: 50000

Multiple invocations?: no

Limit how long the HTTP client should wait for a response from the server.

HTTPS only (--https-only)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Forces the system to only follow HTTPS URLs.

(Target URL must be an HTTPS one as well.)

Cookie jar (--cookie-jar)

Expects: cookiejar file

Default: disabled

Multiple invocations?: no

Arachni allows you to pass your own cookies in the form of a Netscape cookie-jar file. If you want to audit restricted parts of a website that are accessible only to logged-in users you should pass the session cookies to Arachni.

There are a number of ways to do that; I've found that Firebug's export cookie feature works best.

You should also take a look at the --exclude-cookie option discussed later.

Note: If you don't feel comfortable setting your own cookie-jar you can use the Proxy or AutoLogin plugin to login to the web application.

Cookie string (--cookie-string)

Expects: string

Default: disabled

Multiple invocations?: no

Cookies, as a string, to be sent to the web application.

Example

--cookie-string='userid=19;sessionid=deadbeefbabe'

User agent (--user-agent)

Expects: string

Default: "Arachni/<version>"

Multiple invocations?: no

You can pass your own user agent string which will be sent to the webserver under audit. Default is Arachni/<version>.

Custom header (--custom-header)

Expects: string

Default: disabled

Multiple invocations?: yes

Allows you to specify custom headers in the form of key-value pairs.

Example

--custom-header='field_name=field value'

Authorized by (--authed-by)

Expects: string

Default: disabled

Multiple invocations?: no

The string passed to this option will be included in the user-agent string and be the value of the From HTTP header field.

The --authed-by value should contain information about the person who authorized the scan: their name and e-mail.

Example

--authed-by='John Doe <jdoe@test.com>'

Login check URL (--login-check-url)

Expects: string

Default: disabled

Multiple invocations?: no

Requires: login-check-pattern

The URL passed to this option will be used to verify that the scanner is still logged in to the web application.

If the HTTP response body of the URL matches the login-check-pattern, this should indicate that the scanner is logged in.

Login check pattern (--login-check-pattern)

Expects: string

Default: disabled

Multiple invocations?: no

Requires: login-check-url

A pattern matched against the response body of the login-check-url to verify that the scanner is still logged in to the web application.

A positive match should indicate that the scanner is logged in.

Profiles

Save profile (--save-profile)

Expects: filename

Default: disabled

Multiple invocations?: no

This option allows you to save your current running configuration, all the options passed to Arachni, to an Arachni Framework Profile (.afp) file.

Example

arachni -pv --modules=xss http://site.com/ --save-profile=myprofile

Load profile (--load-profile)

Expects: Arachni Framework Profile (.afp) file

Default: disabled

Multiple invocations?: yes

This option allows you to load and run a saved profile. The load profile option does not restrict your ability to specify more options or even resave the profile.

Example

arachni --load-profile=myprofile.afp

Show profile (--show-profile)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

This option will output the running configuration as a string of command line arguments.

Example

arachni --show-profile --load-profile=myprofile.afp

Crawler

Exclude (--exclude/-e)

Expects: regexp

Default: disabled

Multiple invocations?: yes

The --exclude option expects a regular expression or plain string and excludes URLs matching that expression from the crawling process.

Example

In this simple example we tell Arachni to exclude all URLs that contain the string testfire. Since the target URL itself matches, nothing was crawled and no further action was taken.

$ arachni http://testfire.net --modules=xss --exclude=testfire
Arachni - Web Application Security Scanner Framework v0.4.2
   Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


 [~] No audit options were specified.
 [~]  -> Will audit links, forms and cookies.

 [*] Initialising...
 [*] Waiting for plugins to settle...
 [*] Resolver: Resolving hostnames...
 [*] Resolver: Done!

 [*] Dumping audit results in '2012-09-09 02.38.18 +0300.afr'.
 [*] Done!





 [+] Web Application Security Report - Arachni Framework

 [~] Report generated on: 2012-09-09 02:38:18 +0300
 [~] Report false positives at: http://github.com/Arachni/arachni/issues

 [+] System settings:
 [~] ---------------
 [~] Version:  0.4.1dev
 [~] Revision: 0.2.7
 [~] Audit started on:  Sun Sep  9 02:38:15 2012
 [~] Audit finished on: Sun Sep  9 02:38:16 2012
 [~] Runtime: 00:00:01

 [~] URL: http://testfire.net/
 [~] User agent: Arachni/v0.4.2

 [*] Audited elements:
 [~] * Links
 [~] * Forms
 [~] * Cookies

 [*] Modules: xss

 [*] Filters:
 [~]   Exclude:
 [~]     (?-mix:testfire)

 [~] =

 [+] 0 issues were detected.


 [+] Plugin data:
 [~] ---------------


 [~] 0.0% [=>                                                             ] 100%
 [~] Est. remaining time: --:--:--

 [~] Crawling, discovered 0 pages and counting.

 [~] Sent 0 requests.
 [~] Received and analyzed 0 responses.
 [~] In 00:00:01
 [~] Average: 0 requests/second.

 [~] Burst response time total    0
 [~] Burst response count total   0
 [~] Burst average response time  0
 [~] Burst average                0 requests/second
 [~] Timed-out requests           0
 [~] Original max concurrency     20
 [~] Throttled max concurrency    20

Exclude page by content (--exclude-page)

Expects: regexp

Default: disabled

Multiple invocations?: yes

The --exclude-page option expects a regular expression or plain string and excludes pages whose content matches that expression from the crawl process.

Include (--include/-i)

Expects: regexp

Default: disabled

Multiple invocations?: yes

This is the exact opposite of the --exclude option. When a regular expression is passed to the --include option, only URLs matching that regular expression will be crawled.

Redundant (--redundant)

Expects: regexp:integer

Default: disabled

Multiple invocations?: yes

The redundant option expects a regular expression and a counter, like so: --redundant='calendar.php':3

This will cause URLs that contain "calendar.php" to be crawled only 3 times.

This option is useful when auditing a website that has a lot of redundant pages like a photo gallery or a dynamically generated calendar.

Auto-redundant (--auto-redundant)

Expects: integer

Default: disabled (with a value of 10 if none has been specified)

Multiple invocations?: no

The auto-redundant option sets the limit of how many URLs with identical parameters should be followed.

This can prevent infinite loops caused by pages like photo galleries or catalogues.

Example

With --auto-redundant=2 and given the following list of URLs:

http://test.com/?stuff=1
http://test.com/?stuff=2
http://test.com/?stuff=other-stuff
http://test.com/?stuff=blah
http://test.com/?stuff=blah&stuff2=1
http://test.com/?stuff=blah&stuff2=2
http://test.com/?stuff=blah2&stuff2=bloo
http://test.com/path.php?stuff=blah&stuff2=1

Only the following will be followed:

http://test.com/?stuff=1
http://test.com/?stuff=2
http://test.com/?stuff=blah&stuff2=1
http://test.com/?stuff=blah&stuff2=2
http://test.com/path.php?stuff=blah&stuff2=1
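
The list above is consistent with counting URLs per path and set of parameter names while ignoring the values. The following Ruby sketch is an added example that models --redundant and --auto-redundant on that reading; it is not Arachni's own code, and the class, method and constant names as well as the order in which the two limits are consulted are assumptions.

```ruby
require 'uri'

# Hypothetical model of --redundant and --auto-redundant; not Arachni's code.
class RedundancyFilter
  # rules:      { Regexp => Integer }, one entry per --redundant=regexp:count
  # auto_limit: Integer or nil, the --auto-redundant value
  def initialize(rules: {}, auto_limit: nil)
    @remaining  = rules.dup
    @auto_limit = auto_limit
    @seen       = Hash.new(0)
  end

  # Decide whether the crawler should follow this URL; updates the counters.
  # Assumption of this sketch: --redundant rules are consulted first.
  def follow?(url)
    return false unless rule_allows?(url)
    return true if @auto_limit.nil?

    key = signature(url)
    return true if key.nil? # no parameters, nothing to count

    (@seen[key] += 1) <= @auto_limit
  end

  # Host, path and sorted parameter names. Values are ignored, so
  # ?stuff=1 and ?stuff=blah share one signature.
  def signature(url)
    uri = URI.parse(url)
    return nil if uri.query.nil? || uri.query.empty?

    names = uri.query.split(/[&;]/).map { |pair| pair.split('=', 2).first.to_s }
    "#{uri.host}#{uri.path}?#{names.uniq.sort.join('&')}"
  rescue URI::InvalidURIError
    url # unparsable URLs are counted as themselves
  end

  private

  # A URL matching a --redundant pattern passes only while that pattern's
  # counter is above zero.
  def rule_allows?(url)
    pattern = @remaining.keys.find { |re| re.match?(url) }
    return true if pattern.nil?
    return false if @remaining[pattern] <= 0

    @remaining[pattern] -= 1
    true
  end
end

# Returns the URLs a crawl would follow, in order, under the given options.
def followed(urls, **options)
  filter = RedundancyFilter.new(**options)
  urls.select { |url| filter.follow?(url) }
end

# The URL list from the --auto-redundant example above.
PAGE_URLS = %w[
  http://test.com/?stuff=1
  http://test.com/?stuff=2
  http://test.com/?stuff=other-stuff
  http://test.com/?stuff=blah
  http://test.com/?stuff=blah&stuff2=1
  http://test.com/?stuff=blah&stuff2=2
  http://test.com/?stuff=blah2&stuff2=bloo
  http://test.com/path.php?stuff=blah&stuff2=1
].freeze

if __FILE__ == $PROGRAM_NAME
  puts followed(PAGE_URLS, auto_limit: 2)
end
```

Run as a script it prints the same five URLs as the list above. Anything dropped by either limit is never audited, so the limits trade coverage for scan time.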

Follow subdomains (-f/--follow-subdomains)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

This flag will cause Arachni to follow links to subdomains.

Depth limit (--depth)

Expects: integer

Default: infinite

Multiple invocations?: no

It specifies how deep into the site structure the crawler should go.

Link count limit (--link-count)

Expects: integer

Default: infinite

Multiple invocations?: no

It specifies how many links the crawler should follow.

Redirect limit (--redirect-limit)

Expects: integer

Default: 20

Multiple invocations?: no

It specifies how many redirects the crawler should follow.

Extend paths (--extend-paths)

Expects: file

Default: disabled

Multiple invocations?: yes

Allows you to extend the scope of the crawl by seeding the crawler with the paths within the given file.

The file must contain one path per line.

Restrict paths (--restrict-paths)

Expects: file

Default: disabled

Multiple invocations?: yes

Uses the paths contained in the file instead of performing a crawl.

Auditor

Audit links (--audit-links/-g)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Tells Arachni to audit the link elements of the page and their variables.

Audit forms (--audit-forms/-p)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Tells Arachni to audit the form elements of the page and their inputs.

Audit cookies (--audit-cookies/-c)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Tells Arachni to audit the cookies of the page.

Exclude cookie (--exclude-cookie)

Expects: cookie name

Default: disabled

Multiple invocations?: yes

Tells Arachni to exclude -- not audit -- a cookie by name. Usually used to avoid auditing a session ID cookie from the cookie-jar.

Note: Even if you audit a session cookie Arachni will restore it to its original value right after auditing it. However, some extra cautious websites may invalidate/block the session upon receiving an invalid token.

This is very unlikely but it's better to err on the side of caution.

Exclude vector (--exclude-vector)

Expects: input name

Default: disabled

Multiple invocations?: yes

Tells Arachni to exclude -- not audit -- an input vector by name.

Audit headers (--audit-headers)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Tells Arachni to audit the HTTP headers of the page.

Note: Header audits use brute force. Almost all valid HTTP request headers will be audited even if there's no indication that the web app uses them.

Warning: Enabling this option will result in increased requests, maybe by an order of magnitude.

Coverage

Audit cookies extensively (--audit-cookies-extensively)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

If enabled Arachni will submit all links and forms of the page along with the cookie permutations.

Warning: Will severely increase the scan-time.

Fuzz methods (--fuzz-methods)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

If enabled Arachni will submit all links and forms using both the GET and POST HTTP request methods.

Warning: Will severely increase the scan-time.

Exclude binaries (--exclude-binaries)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Disables inclusion of binary HTTP response bodies in the audit.

Note: Binary content can confuse recon modules that perform pattern matching.

Modules

List modules (--lsmod)

Expects: regular expression

Default: disabled OR .*

Multiple invocations?: yes

Tells Arachni to list all available modules based on the regular expressions provided and exit.

Example

$ arachni --lsmod
Arachni - Web Application Security Scanner Framework v0.4.2
   Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


 [~] No modules were specified.
 [~]  -> Will run all mods.

 [~] No audit options were specified.
 [~]  -> Will audit links, forms and cookies.



 [~] Available modules:

 [*] code_injection:
--------------------
Name:       Code injection
Description:    It tries to inject code snippets into the
                web application and assess whether or not the injection
                was successful.
Elements:   form, link, cookie, header
Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.6
References:
 [~] PHP        http://php.net/manual/en/function.eval.php
 [~] Perl       http://perldoc.perl.org/functions/eval.html
 [~] Python     http://docs.python.org/py3k/library/functions.html#eval
 [~] ASP        http://www.aspdev.org/asp/asp-eval-execute/
 [~] Ruby       http://en.wikipedia.org/wiki/Eval#Ruby
Targets:
 [~] PHP
 [~] Perl
 [~] Python
 [~] ASP
 [~] Ruby
Metasploitable: unix/webapp/arachni_php_eval
Path:   /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/code_injection.rb

 [*] path_traversal:
--------------------
Name:       PathTraversal
Description:    It injects paths of common files (/etc/passwd and boot.ini)
                and evaluates the existence of a path traversal vulnerability
                based on the presence of relevant content in the HTML responses.
Elements:   form, link, cookie, header
Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.2.6
References:
 [~] OWASP      http://www.owasp.org/index.php/Path_Traversal
 [~] WASC       http://projects.webappsec.org/Path-Traversal
Targets:
 [~] Unix
 [~] Windows
 [~] Tomcat
Metasploitable: unix/webapp/arachni_path_traversal
Path:   /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/path_traversal.rb

 [*] sqli_blind_rdiff:
--------------------
Name:       Blind (rDiff) SQL Injection
Description:    It uses rDiff analysis to decide how different inputs affect
                the behavior of the the web pages.
                Using that as a basis it extrapolates about what inputs are vulnerable to blind SQL injection.
                (Note: This module may get confused by certain types of XSS vulnerabilities.
                    If this module returns a positive result you should investigate nonetheless.)
Elements:   link, form, cookie
Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.3.2
References:
 [~] OWASP      http://www.owasp.org/index.php/Blind_SQL_Injection
 [~] MITRE - CAPEC      http://capec.mitre.org/data/definitions/7.html
Targets:
 [~] Generic
Metasploitable: unix/webapp/arachni_sqlmap
Path:   /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/sqli_blind_rdiff.rb

Hit <space> <enter> to continue, any other key to exit.

You can filter module listing like so:

$ arachni --lsmod=xss --lsmod=path
Arachni - Web Application Security Scanner Framework v0.4.2
   Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


 [~] No modules were specified.
 [~]  -> Will run all mods.

 [~] No audit options were specified.
 [~]  -> Will audit links, forms and cookies.



 [~] Available modules:

 [*] xss_path:
--------------------
Name:       XSSPath
Description:    Cross-Site Scripting module for path injection
Elements:   path
Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.8
References:
 [~] ha.ckers       http://ha.ckers.org/xss.html
 [~] Secunia        http://secunia.com/advisories/9716/
Targets:
 [~] Generic
Path:   /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/xss_path.rb

Modules (--modules/-m)

Expects: modname,modname,... OR '*'

Default: '*' -- all modules

Multiple invocations?: no

Tells Arachni which modules to load.

Modules are referenced by their filename without the .rb extension; use --lsmod to see all.

You can specify the modules to load as comma separated values (without spaces) or * to load all modules. You can prevent modules from loading by prefixing their name with a dash (-).

Example

As CSV:

$ arachni --modules=xss,sqli,path_traversal http://localhost/

All modules:

$ arachni http://localhost/

Excluding modules:

$ arachni --modules=*,-backup_files,-xss http://www.test.com

The above will load all modules except for the backup_files and xss modules.
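
The wildcard and exclusion syntax described here and in the Quickstart can be checked before a scan starts. The following Ruby sketch is an added example, not Arachni's own loader: it resolves a --modules value against a catalogue and raises when a pattern matches nothing, so a typo cannot silently drop a check. The catalogue is constructed from module names on this page; the directory assigned to each module and all function names are assumptions.

```ruby
# Constructed catalogue: module name => path under the modules directory.
# The names appear on this page; the directory of each is an assumption.
CATALOGUE = {
  'backup_files'     => 'recon/backup_files',
  'code_injection'   => 'audit/code_injection',
  'csrf'             => 'audit/csrf',
  'path_traversal'   => 'audit/path_traversal',
  'sqli'             => 'audit/sqli',
  'sqli_blind_rdiff' => 'audit/sqli_blind_rdiff',
  'xss'              => 'audit/xss',
  'xss_path'         => 'audit/xss_path'
}.freeze

# Names whose module name or relative path matches the glob pattern.
def matching(pattern, catalogue)
  catalogue.select do |name, path|
    File.fnmatch(pattern, name) || File.fnmatch(pattern, path)
  end.keys
end

# Hypothetical resolver for a --modules value such as '*,-backup_files,-xss'.
# Exclusions are applied after all inclusions, wherever they appear.
# A pattern that matches nothing raises instead of being ignored.
def resolve_modules(spec, catalogue = CATALOGUE)
  patterns = spec.split(',').map(&:strip).reject(&:empty?)
  excludes, includes = patterns.partition { |p| p.start_with?('-') }

  selected = []
  includes.each do |pattern|
    hits = matching(pattern, catalogue)
    raise ArgumentError, "no module matches '#{pattern}'" if hits.empty?

    selected |= hits
  end

  excludes.each do |pattern|
    hits = matching(pattern.delete_prefix('-'), catalogue)
    raise ArgumentError, "nothing to exclude for '#{pattern}'" if hits.empty?

    selected -= hits
  end

  selected.sort
end

if __FILE__ == $PROGRAM_NAME
  ['xss*', 'audit/*', '*,-csrf', '*,-xss*'].each do |spec|
    puts "#{spec.ljust(10)} -> #{resolve_modules(spec).join(', ')}"
  end
end
```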

Reports

List reports (--lsrep)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Lists all available reports.

Example

$ arachni --lsrep
Arachni - Web Application Security Scanner Framework v0.4.2
   Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


 [~] No modules were specified.
 [~]  -> Will run all mods.

 [~] No audit options were specified.
 [~]  -> Will audit links, forms and cookies.



 [~] Available reports:

 [*] yaml:
--------------------
Name:       YAML Report
Description:    Exports the audit results as a YAML file.
Options:
 [~]    outfile - Where to save the report.
 [~]    Type:        string
 [~]    Default:     2012-09-09 02.41.03 +0300.yaml
 [~]    Required?:   false

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.1
Path:   /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/yaml.rb

 [*] txt:
--------------------
Name:       Text report
Description:    Exports a report as a plain text file.
Options:
 [~]    outfile - Where to save the report.
 [~]    Type:        string
 [~]    Default:     2012-09-09 02.41.03 +0300.txt
 [~]    Required?:   false

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.2.1
Path:   /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/txt.rb

 [*] xml:
--------------------
Name:       XML report
Description:    Exports a report as an XML file.
Options:
 [~]    outfile - Where to save the report.
 [~]    Type:        string
 [~]    Default:     2012-09-09 02.41.03 +0300.xml
 [~]    Required?:   false

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.2.2
Path:   /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/xml.rb

 [*] metareport:
--------------------
Name:       Metareport
Description:    Creates a file to be used with the Arachni MSF plug-in.
Options:
 [~]    outfile - Where to save the report.
 [~]    Type:        string
 [~]    Default:     2012-09-09 02.41.03 +0300.msf
 [~]    Required?:   false

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.1
Path:   /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/metareport.rb

 [*] afr:
--------------------
Name:       Arachni Framework Report
Description:    Saves the file in the default Arachni Framework Report (.afr) format.
Options:
 [~]    outfile - Where to save the report.
 [~]    Type:        string
 [~]    Default:     2012-09-09 02.41.03 +0300.afr
 [~]    Required?:   false

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.1
Path:   /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/afr.rb

 [*] html:
--------------------
Name:       HTML Report
Description:    Exports a report as an HTML document.
Options:
 [~]    tpl - Template to use.
 [~]    Type:        path
 [~]    Default:     /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/html/default.erb
 [~]    Required?:   false

 [~]    outfile - Where to save the report.
 [~]    Type:        string
 [~]    Default:     2012-09-09 02.41.03 +0300.html
 [~]    Required?:   false

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.3.1
Path:   /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/html.rb

 [*] ap:
--------------------
Name:       AP
Description:    Awesome prints an AuditStore hash.
Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.1
Path:   /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/ap.rb

 [*] marshal:
--------------------
Name:       Marshal Report
Description:    Exports the audit results as a Marshal file.
Options:
 [~]    outfile - Where to save the report.
 [~]    Type:        string
 [~]    Default:     2012-09-09 02.41.03 +0300.marshal
 [~]    Required?:   false

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.1
Path:   /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/marshal.rb

 [*] json:
--------------------
Name:       JSON Report
Description:    Exports the audit results as a JSON file.
Options:
 [~]    outfile - Where to save the report.
 [~]    Type:        string
 [~]    Default:     2012-09-09 02.41.03 +0300.json
 [~]    Required?:   false

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.1
Path:   /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/json.rb

 [*] stdout:
--------------------
Name:       Stdout
Description:    Prints the results to standard output.
Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.2.2
Path:   /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/stdout.rb

Load a report (--repload)

Expects: Arachni Framework Report (.afr) file

Default: disabled

Multiple invocations?: no

Tells Arachni to load an Arachni Framework Report (.afr) file. You can use this option to load a report file and convert it to another format.

Example

Load an AFR report file and send it to the stdout report.

$ arachni --repload=2012-09-09\ 02.42.20\ +0300.afr
Arachni - Web Application Security Scanner Framework v0.4.2
   Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki







 [+] Web Application Security Report - Arachni Framework

 [~] Report generated on: 2012-09-09 02:42:54 +0300
 [~] Report false positives at: http://github.com/Arachni/arachni/issues

 [+] System settings:
 [~] ---------------
 [~] Version:  0.4.1dev
 [~] Revision: 0.2.7
 [~] Audit started on:  Sun Sep  9 02:42:15 2012
 [~] Audit finished on: Sun Sep  9 02:42:18 2012
 [~] Runtime: 00:00:03

 [~] URL: http://testfire.net/
 [~] User agent: Arachni/v0.4.2

 [*] Audited elements:
 [~] * Forms

 [*] Modules: xss

 [*] Cookies:
 [~]   ASP.NET_SessionId = zdjkcj2t3qdmmw555alngpbm
 [~]   amSessionId = 203429333847

 [~] =

 [+] 1 issues were detected.

 [+] [1] Cross-Site Scripting (XSS)
 [~] ~~~~~~~~~~~~~~~~~~~~
 [~] ID Hash:  106295fcfffa8fea3664f8fb27defe5b81f3dfba2b54c5c7f2bcb63b36246359
 [~] Severity: High
 [~] URL:      http://testfire.net/search.aspx
 [~] Element:  form
 [~] Method:   GET
 [~] Tags:     xss, regexp, injection, script
 [~] Variable: txtSearch
 [~] Description:
 [~] Client-side code (like JavaScript) can
    be injected into the web application which is then returned to the user's browser.
    This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.

 [~] CWE: http://cwe.mitre.org/data/definitions/79.html

 [~] Requires manual verification?: false

 [~] References:
 [~]   ha.ckers - http://ha.ckers.org/xss.html
 [~]   Secunia - http://secunia.com/advisories/9716/

 [*] Variations
 [~] ----------
 [~] Variation 1:
 [~] URL: http://testfire.net/search.aspx
 [~] Injected value:     <some_dangerous_input_851ed9aefabd36fc0ad7d0611c23e1ae561b7caaa28b42ef305a109c9f1cb639/>
 [~] Regular expression:
 [~] Matched string:     <some_dangerous_input_851ed9aefabd36fc0ad7d0611c23e1ae561b7caaa28b42ef305a109c9f1cb639/>



 [+] Plugin data:
 [~] ---------------


 [*] Resolver
 [~] ~~~~~~~~~~~~~~
 [~] Description: Resolves vulnerable hostnames to IP addresses.

 [~] testfire.net: 65.61.137.117

 [*] Health map
 [~] ~~~~~~~~~~~~~~
 [~] Description: Generates a simple list of safe/unsafe URLs.

 [~] Legend:
 [+] No issues
 [-] Has issues

 [+] http://testfire.net/
 [-] http://testfire.net/search.aspx

 [~] Total: 2
 [+] Without issues: 1
 [-] With issues: 1 ( 50% )

 [*] Profiler
 [~] ~~~~~~~~~~~~~~
 [~] Description: Examines the behavior of the web application gathering general statistics
                and performs taint analysis to determine which inputs affect the output.

                It does not perform any vulnerability assessment nor does it send attack payloads.

 [~] Inputs affecting output:

 [+] Form using the 'txtSearch' input at 'http://testfire.net/' pointing to 'http://testfire.net/search.aspx' using 'GET'.
 [~] It was submitted using the following parameters:
 [~]   * txtSearch  = arachni_text023849c38925e2af028a2eb4e1dc41afd7dc7a238195c1c2ae00438d1dae00e1
 [~]
 [~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_text023849c38925e2af028a2eb4e1dc41afd7dc7a238195c1c2ae00438d1dae00e1':
 [~]   * Body

Load an AFR file and create an HTML report from it.

$ arachni --repload=2012-09-09\ 02.42.20\ +0300.afr --report=html
Arachni - Web Application Security Scanner Framework v0.4.2
   Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki



 [*] Creating HTML report...
 [*] Saved in '2012-09-09 02.43.42 +0300.html'.

Report (--report)

Expects: repname

Default: stdout

Multiple invocations?: yes

Tells Arachni which report component to use. Reports are referenced by their filename without the .rb extension; use --lsrep to see all of them.

Example

Running the HTML report with an outfile option:

$ arachni http://testfire.net --link-count=1 --modules=xss --report=html:outfile=my_html_report.html
Arachni - Web Application Security Scanner Framework v0.4.2
   Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


 [~] No audit options were specified.
 [~]  -> Will audit links, forms and cookies.

 [*] Initialising...
 [*] Waiting for plugins to settle...
 [*] [HTTP: 200] http://testfire.net/
 [*] Harvesting HTTP responses...
 [~] Depending on server responsiveness and network conditions this may take a while.

 [*] Auditing: [HTTP: 200] http://testfire.net/
 [*] Profiler: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
 [*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
 [*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
 [*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
 [*] Profiler: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
 [*] Profiler: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
 [*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
 [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
 [*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
 [*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
 [*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
 [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
 [*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
 [*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
 [*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
 [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
 [*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
 [*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
 [*] Harvesting HTTP responses...
 [~] Depending on server responsiveness and network conditions this may take a while.
 [*] Profiler: Analyzing response #3...
 [*] Profiler: Analyzing response #4...
 [~] Trainer: Found 1 new links.
 [*] Profiler: Analyzing response #5...
 [*] Profiler: Analyzing response #6...
 [*] XSS: Analyzing response #9...
 [*] XSS: Analyzing response #10...
 [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
 [*] XSS: Analyzing response #13...
 [*] XSS: Analyzing response #14...
 [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
 [*] XSS: Analyzing response #17...
 [*] XSS: Analyzing response #18...
 [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
 [*] Profiler: Analyzing response #8...
 [*] Profiler: Analyzing response #7...
 [*] XSS: Analyzing response #12...
 [*] XSS: Analyzing response #11...
 [*] XSS: Analyzing response #15...
 [*] XSS: Analyzing response #16...
 [*] XSS: Analyzing response #19...
 [*] XSS: Analyzing response #20...

 [*] Resolver: Resolving hostnames...
 [*] Resolver: Done!

 [*] Dumping audit results in '2012-09-09 02.45.19 +0300.afr'.
 [*] Done!

 [*] Creating HTML report...
 [*] Saved in 'my_html_report.html'.

 [~] 100.0% [>] 100%
 [~] Est. remaining time: --:--:--

 [~] Crawler has discovered 2 pages.
 [~] Audit limited to a max of 1 pages -- excluding 1 pages of Trainer feedback.

 [~] Sent 25 requests.
 [~] Received and analyzed 25 responses.
 [~] In 00:00:04
 [~] Average: 6 requests/second.

 [~] Currently auditing           http://testfire.net/search.aspx?txtSearch=
 [~] Burst response time total    0
 [~] Burst response count total   0
 [~] Burst average response time  0
 [~] Burst average                0 requests/second
 [~] Timed-out requests           0
 [~] Original max concurrency     20
 [~] Throttled max concurrency    20

Plugins

List plugins (--lsplug)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Lists all available plugins.

Example

$ arachni --lsplug
Arachni - Web Application Security Scanner Framework v0.4.2
   Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


 [~] No modules were specified.
 [~]  -> Will run all mods.

 [~] No audit options were specified.
 [~]  -> Will audit links, forms and cookies.



 [~] Available plugins:

 [*] resolver:
--------------------
Name:       Resolver
Description:    Resolves vulnerable hostnames to IP addresses.
Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.1
Path:   /home/zapotek/workspace/arachni/plugins/defaults/resolver.rb

 [*] healthmap:
--------------------
Name:       Health map
Description:    Generates a simple list of safe/unsafe URLs.
Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.3
Path:   /home/zapotek/workspace/arachni/plugins/defaults/healthmap.rb

 [*] profiler:
--------------------
Name:       Profiler
Description:    Examines the behavior of the web application gathering general statistics
                and performs taint analysis to determine which inputs affect the output.

                It does not perform any vulnerability assessment nor does it send attack payloads.
Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.5
Path:   /home/zapotek/workspace/arachni/plugins/defaults/profiler.rb

 [*] uniformity:
--------------------
Name:       Uniformity (Lack of central sanitization)
Description:    Analyzes the scan results and logs issues which persist across different pages.
                This is usually a sign for a lack of a central/single point of input sanitization,
                a bad coding practise.
Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.2
Path:   /home/zapotek/workspace/arachni/plugins/defaults/meta/uniformity.rb

 [*] manual_verification:
--------------------
Name:       Issues requiring manual verification
Description:    The HTTP responses of the issues logged by this plugin exhibit a suspicious pattern
                even before any audit action has taken place -- this challenges the relevance of the audit procedure.

                Thus, these issues require manual verification.
Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.2
Path:   /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/manual_verification.rb

 [*] timing_attacks:
--------------------
Name:       Timing attack anomalies
Description:    Analyzes the scan results and logs issues that used timing attacks
                while the affected web pages demonstrated an unusually high response time.
                A situation which renders the logged issues inconclusive or (possibly) false positives.

                Pages with high response times usually include heavy-duty processing
                which makes them prime targets for Denial-of-Service attacks.
Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.4
Path:   /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/timing_attacks.rb

 [*] discovery:
--------------------
Name:       Discovery module response anomalies
Description:    Analyzes the scan results and identifies issues logged by discovery modules
                (i.e. modules that look for certain files and folders on the server),
                while the server responses were exhibiting an anomalous factor of similarity.

                There's a good chance that these issues are false positives.
Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.2
Path:   /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/discovery.rb

 [*] autothrottle:
--------------------
Name:       AutoThrottle
Description:    Monitors HTTP response times and automatically
                throttles the request concurrency in order to maintain stability
                and avoid from killing the server.
Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.3
Path:   /home/zapotek/workspace/arachni/plugins/defaults/autothrottle.rb

 [*] content_types:
--------------------
Name:       Content-types
Description:    Logs content-types of server responses.
                It can help you categorize and identify publicly available file-types
                which in turn can help you identify accidentally leaked files.
Options:
 [~]    exclude - Exclude content-types that match this regular expression.
 [~]    Type:        string
 [~]    Default:     text
 [~]    Required?:   false

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.4
Path:   /home/zapotek/workspace/arachni/plugins/defaults/content_types.rb

 [*] libnotify:
--------------------
Name:       libnotify
Description:    Uses the libnotify library to send notifications for each discovered issue
                and a summary at the end of the scan.
Options:
 [~]    for_every_issue - Show every issue.
 [~]    Type:        bool
 [~]    Default:     true
 [~]    Required?:   false

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.1
Path:   /home/zapotek/workspace/arachni/plugins/libnotify.rb

 [*] cookie_collector:
--------------------
Name:       Cookie collector
Description:    Monitors and collects cookies while establishing a timeline of changes.

                WARNING: Highly discouraged when the audit includes cookies.
                    It will log thousands of results leading to a huge report,
                    highly increased memory and CPU usage.
Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.5
Path:   /home/zapotek/workspace/arachni/plugins/cookie_collector.rb

 [*] proxy:
--------------------
Name:       Proxy
Description:
                * Gathers data based on user actions and exchanged HTTP
                    traffic and pushes that data to the framework's page-queue to be audited.
                * Updates the framework cookies with the cookies of the HTTP requests and
                    responses, thus it can also be used to login to a web application.
                * Supports SSL interception.

                To skip crawling and only audit elements discovered by using the proxy
                set '--link-count=0'.
Options:
 [~]    port - Port to bind to.
 [~]    Type:        port
 [~]    Default:     8282
 [~]    Required?:   false

 [~]    bind_address - IP address to bind to.
 [~]    Type:        address
 [~]    Default:     0.0.0.0
 [~]    Required?:   false

 [~]    timeout - How long to wait for a request to complete, in milliseconds.
 [~]    Type:        integer
 [~]    Default:     20000
 [~]    Required?:   false

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.2
Path:   /home/zapotek/workspace/arachni/plugins/proxy.rb

 [*] beep_notify:
--------------------
Name:       Beep notify
Description:    It beeps when the scan finishes.
Options:
 [~]    repeat - How many times to beep.
 [~]    Type:        integer
 [~]    Default:     4
 [~]    Required?:   false

 [~]    interval - How long to wait between beeps.
 [~]    Type:        float
 [~]    Default:     0.4
 [~]    Required?:   false

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1
Path:   /home/zapotek/workspace/arachni/plugins/beep_notify.rb

 [*] rescan:
--------------------
Name:       ReScan
Description:    It uses the AFR report of a previous scan to
                extract the sitemap in order to avoid a redundant crawl.

Options:
 [~]    afr - Path to the AFR report.
 [~]    Type:        path
 [~]    Default:
 [~]    Required?:   true

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.2
Path:   /home/zapotek/workspace/arachni/plugins/rescan.rb

 [*] http_dicattack:
--------------------
Name:       HTTP dictionary attacker
Description:    Uses wordlists to crack password protected directories.
                If the cracking process is successful the found credentials will be set
                framework-wide and used for the duration of the audit.
                If that's not what you want set the crawler's link-count limit to "0".
Options:
 [~]    username_list - File with a list of usernames (newline separated).
 [~]    Type:        path
 [~]    Default:
 [~]    Required?:   true

 [~]    password_list - File with a list of passwords (newline separated).
 [~]    Type:        path
 [~]    Default:
 [~]    Required?:   true

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.2
Path:   /home/zapotek/workspace/arachni/plugins/http_dicattack.rb

 [*] vector_feed:
--------------------
Name:       Vector feed
Description:    Reads in vector data from which it creates elements to be audited.
    Can be used to perform extremely specialized/narrow audits on a per vector/element basis.

    Notes:
        * To only audit the vectors in the feed you must set the 'link-count' limit to 0 to prevent crawling.
        * Can handle multiple YAML documents.

    Example YAML file:
-
  # you can pass pages to be audited by grep modules (and JS in the future)
  type: page
  url: http://localhost/
  # response code
  code: 200
  # response headers
  headers:
    Content-Type: "text/html; charset=utf-8"
  body: "HTML code goes here"

-
  # default type is link which has method get
  #type: link
  action: http://localhost/link
  inputs:
    my_param: "my val"

-
  # if a method is post it'll default to a form type
  type: form
  method: post
  action: http://localhost/form
  inputs:
    post_this: "HUA!"
    csrf: "my_csrf_token"
  # do not fuzz/mutate/audit the following inputs (by name obviously)
  skip:
    - csrf

# GET only
-
  type: cookie
  action: http://localhost/cookie
  inputs:
    session_id: "43434234343sddsdsds"

# GET only
-
  type: header
  action: http://localhost/header
  # only 1 input allowed, each header field=>value must be defined separately
  inputs:
    User-Agent: "Blah/2"


Options:
 [~]    vectors -  Vector array (for configuration over RPC).
 [~]    Type:        abstract
 [~]    Default:
 [~]    Required?:   false

 [~]    yaml_string - A string of YAML serialized vectors (for configuration over RPC).
 [~]    Type:        string
 [~]    Default:
 [~]    Required?:   false

 [~]    yaml_file - A file containing the YAML serialized vectors.
 [~]    Type:        path
 [~]    Default:
 [~]    Required?:   false

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.2
Path:   /home/zapotek/workspace/arachni/plugins/vector_feed.rb

 [*] script:
--------------------
Name:       Script
Description:    Loads and runs an external Ruby script under the scope of a plugin,
                used for debugging and general hackery.

                Will not work over RPC.
Options:
 [~]    path - Path to the script.
 [~]    Type:        path
 [~]    Default:
 [~]    Required?:   true

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.1
Path:   /home/zapotek/workspace/arachni/plugins/script.rb

 [*] email_notify:
--------------------
Name:       E-mail notify
Description:    Sends a notification (and optionally a report) over SMTP at the end of the scan.
Options:
 [~]    to - E-mail address of the receiver.
 [~]    Type:        string
 [~]    Default:
 [~]    Required?:   true

 [~]    cc - E-mail address to which to send a carbon copy of the notification.
 [~]    Type:        string
 [~]    Default:
 [~]    Required?:   false

 [~]    bcc - E-mail address for a blind carbon copy.
 [~]    Type:        string
 [~]    Default:
 [~]    Required?:   false

 [~]    from - E-mail address of the sender.
 [~]    Type:        string
 [~]    Default:
 [~]    Required?:   true

 [~]    server_address - Address of the SMTP server to use.
 [~]    Type:        address
 [~]    Default:
 [~]    Required?:   true

 [~]    server_port - SMTP port.
 [~]    Type:        port
 [~]    Default:
 [~]    Required?:   true

 [~]    tls - Use TLS/SSL?.
 [~]    Type:        bool
 [~]    Default:
 [~]    Required?:   false

 [~]    username - SMTP username.
 [~]    Type:        string
 [~]    Default:
 [~]    Required?:   true

 [~]    password - SMTP password.
 [~]    Type:        string
 [~]    Default:
 [~]    Required?:   true

 [~]    authentication - Authentication.
 [~]    Type:        string
 [~]    Default:     plain
 [~]    Required?:   false

 [~]    report - Report type to send as an attachment. (accepted: txt, xml, html, json, yaml, marshalnone)
 [~]    Type:        enum
 [~]    Default:     txt
 [~]    Required?:   false

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.2
Path:   /home/zapotek/workspace/arachni/plugins/email_notify.rb

 [*] autologin:
--------------------
Name:       AutoLogin
Description:    It looks for the login form in the user provided URL,
                merges its input fields with the user supplied parameters and sets the cookies
                of the response and request as framework-wide cookies to be used by the spider later on.

Options:
 [~]    url - The URL that contains the login form.
 [~]    Type:        url
 [~]    Default:
 [~]    Required?:   true

 [~]    params - Form parameters to submit. ( username=user&password=pass )
 [~]    Type:        string
 [~]    Default:
 [~]    Required?:   true

 [~]    check - A pattern which will be used to verify a successful login.
                    For example, if a logout link only appears when a user is logged in then it can be a perfect choice.
 [~]    Type:        string
 [~]    Default:
 [~]    Required?:   true

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.5
Path:   /home/zapotek/workspace/arachni/plugins/autologin.rb

 [*] waf_detector:
--------------------
Name:       WAF Detector
Description:    Performs basic profiling on the web application
                in order to assess the existence of a Web Application Firewall.

                This is a 4 stage process:
                   1. Grab the original page as is
                   2. Send a lot of innocent (vanilla) strings in non-existent inputs so as to profile normal behavior
                   3. Send a lot of suspicious (spicy) strings in non-existent inputs and check if behavior changes
                   4. Make heads or tails of the gathered responses

                 Steps 1 to 3 will be repeated _precision_ times (default: 5) and the responses will be averaged using rDiff analysis.
Options:
 [~]    precision - Stage precision (how many times to perform each detection stage).
 [~]    Type:        integer
 [~]    Default:     5
 [~]    Required?:   false

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.2
Path:   /home/zapotek/workspace/arachni/plugins/waf_detector.rb

 [*] form_dicattack:
--------------------
Name:       Form dictionary attacker
Description:    Uses wordlists to crack login forms.
                If the cracking process is successful the found credentials will be set
                framework-wide and used for the duration of the audit.
                If that's not what you want set the crawler's link-count limit to "0".
Options:
 [~]    username_list - File with a list of usernames (newline separated).
 [~]    Type:        path
 [~]    Default:
 [~]    Required?:   true

 [~]    password_list - File with a list of passwords (newline separated).
 [~]    Type:        path
 [~]    Default:
 [~]    Required?:   true

 [~]    username_field - The name of the username form field.
 [~]    Type:        string
 [~]    Default:
 [~]    Required?:   true

 [~]    password_field - The name of the password form field.
 [~]    Type:        string
 [~]    Default:
 [~]    Required?:   true

 [~]    login_verifier - A regular expression which will be used to verify a successful login.
                    For example, if a logout link only appears when a user is logged in then it can be a perfect choice.
 [~]    Type:        string
 [~]    Default:
 [~]    Required?:   true

Author:     Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version:    0.1.4
Path:   /home/zapotek/workspace/arachni/plugins/form_dicattack.rb
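
The vector_feed entry in the listing above describes the YAML format of its feed. The Ruby lint below is an added example, not part of Arachni, that checks a feed against the rules stated in that description before the file is handed to the plugin. The function names, the allowed_hosts scope list, the refusal of YAML tags and aliases, and the check that skip entries name existing inputs are assumptions of this sketch; both feeds are constructed.

```ruby
require 'yaml'
require 'uri'

VECTOR_TYPES = %w[page link form cookie header].freeze

# Parse every YAML document in the feed into one flat list of vectors.
# Assumption of this sketch: a feed is plain data, so explicit tags
# (e.g. !ruby/object) and aliases are refused before nodes become objects.
def load_vectors(text)
  stream = Psych.parse_stream(text)
  stream.each do |node|
    raise ArgumentError, 'aliases are not accepted in a feed' if node.is_a?(Psych::Nodes::Alias)
    raise ArgumentError, 'explicit tags are not accepted in a feed' if node.respond_to?(:tag) && node.tag
  end
  stream.children.flat_map do |doc|
    data = doc.to_ruby
    data.is_a?(Array) ? data : [data]
  end
end

# "default type is link"; "if a method is post it'll default to a form type".
def effective_type(vector)
  return vector['type'].to_s if vector['type']
  vector['method'].to_s.casecmp('post').zero? ? 'form' : 'link'
end

# Lower-cased host of an absolute http(s) URL, or nil for anything else.
def http_host(value)
  uri = URI.parse(value.to_s)
  uri.is_a?(URI::HTTP) && uri.host ? uri.host.downcase : nil
rescue URI::InvalidURIError
  nil
end

# Returns a list of problems (empty means the feed passed).
# allowed_hosts is the scan scope, a hypothetical parameter of this sketch.
def validate_feed(text, allowed_hosts:)
  errors = []
  load_vectors(text).each_with_index do |vector, i|
    label = "vector ##{i + 1}"
    next errors << "#{label}: not a mapping" unless vector.is_a?(Hash)
    type = effective_type(vector)
    next errors << "#{label}: unknown type '#{type}'" unless VECTOR_TYPES.include?(type)
    key = type == 'page' ? 'url' : 'action'
    host = http_host(vector[key])
    if host.nil?
      errors << "#{label}: '#{key}' must be an absolute http(s) URL"
    elsif !allowed_hosts.include?(host)
      errors << "#{label}: host '#{host}' is outside the scan scope"
    end
    next if type == 'page'
    inputs = vector['inputs']
    next errors << "#{label}: 'inputs' must be a non-empty mapping" unless inputs.is_a?(Hash) && !inputs.empty?
    errors << "#{label}: header vectors take exactly 1 input, got #{inputs.size}" if type == 'header' && inputs.size != 1
    non_get = vector.key?('method') && !vector['method'].to_s.casecmp('get').zero?
    errors << "#{label}: #{type} vectors are GET only" if non_get && %w[cookie header].include?(type)
    # A misspelt skip entry would leave that input open to mutation.
    unknown = Array(vector['skip']).map(&:to_s) - inputs.keys.map(&:to_s)
    errors << "#{label}: 'skip' names unknown inputs: #{unknown.join(', ')}" unless unknown.empty?
  end
  errors
end

# Constructed feed that follows the format (two YAML documents).
GOOD_FEED = <<~YAML
  - type: page
    url: http://localhost/
  - action: http://localhost/link
    inputs:
      my_param: "my val"
  - method: post
    action: http://localhost/form
    inputs:
      post_this: "HUA!"
      csrf: "my_csrf_token"
    skip: [csrf]
  ---
  - type: header
    action: http://localhost/header
    inputs:
      User-Agent: "Blah/2"
YAML

# Constructed feed with four problems.
BAD_FEED = <<~YAML
  - type: header
    action: http://localhost/header
    inputs:
      User-Agent: "Blah/2"
      Referer: "http://localhost/"
  - type: cookie
    method: post
    action: http://intranet.example/cookie
    inputs:
      session_id: "abc"
    skip: [sesion_id]
YAML

[GOOD_FEED, BAD_FEED].each { |feed| puts validate_feed(feed, allowed_hosts: ['localhost']) }
```

A feed that passes can then be given to the plugin through its yaml_file option, with --link-count=0 if only the vectors in the feed should be audited.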

Plugin (--plugin)

Expects: plugin name

Default: disabled

Multiple invocations?: yes

Tells Arachni which plugin components to run. Plugins are referenced by their filename without the .rb extension; use --lsplug to see all of them.

Example

Excluding the logout URL and running the AutoLogin plugin to automatically log in to a web application:

$ arachni http://testfire.net --link-count=1 --modules=xss \
    --plugin=autologin:url=http://testfire.net/bank/login.aspx,params='uid=jsmith&passw=Demo1234',check='Sign Off|MY ACCOUNT' \
    -e logout

Arachni - Web Application Security Scanner Framework v0.4.2
   Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


 [~] No audit options were specified.
 [~]  -> Will audit links, forms and cookies.

 [*] Initialising...
 [~] AutoLogin: System paused.
 [*] Waiting for plugins to settle...
 [*] AutoLogin: Found log-in form with name: login
 [+] AutoLogin: Form submitted successfully.
 [~] AutoLogin: Cookies set to:
 [~] AutoLogin:     * ASP.NET_SessionId = 14kge555fdb4bjflm3rx3t55
 [~] AutoLogin:     * amSessionId = 204023334531
 [~] AutoLogin:     * amUserInfo = UserName=anNtaXRo&Password=RGVtbzEyMzQ=
 [~] AutoLogin:     * amUserId = 100116014
 [~] AutoLogin:     * amCreditOffer = CardType=Gold&Limit=10000&Interest=7.9
 [*] [HTTP: 200] http://testfire.net/
 [*] Harvesting HTTP responses...
 [~] Depending on server responsiveness and network conditions this may take a while.

 [*] Auditing: [HTTP: 200] http://testfire.net/
 [*] Profiler: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
 [*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
 [*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
 [*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
 [*] Profiler: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
 [*] Profiler: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
 [*] Profiler: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
 [*] Profiler: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
 [*] Profiler: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
 [*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
 [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
 [*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
 [*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
 [*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
 [*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
 [*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
 [*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
 [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
 [*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
 [*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
 [*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
 [*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
 [*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
 [*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
 [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
 [*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
 [*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
 [*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
 [*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
 [*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
 [*] Harvesting HTTP responses...
 [~] Depending on server responsiveness and network conditions this may take a while.
 [*] Profiler: Analyzing response #6...
 [*] Profiler: Analyzing response #7...
 [*] XSS: Analyzing response #26...
 [*] XSS: Analyzing response #27...
 [~] Trainer: Found 1 new links.
 [*] Profiler: Analyzing response #9...
 [*] Profiler: Analyzing response #8...
 [*] XSS: Analyzing response #28...
 [*] XSS: Analyzing response #15...
 [*] XSS: Analyzing response #16...
 [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
 [*] XSS: Analyzing response #22...
 [*] XSS: Analyzing response #30...
 [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
 [*] Profiler: Analyzing response #10...
 [*] XSS: Analyzing response #31...
 [*] XSS: Analyzing response #32...
 [*] Profiler: Analyzing response #11...
 [*] Profiler: Analyzing response #12...
 [*] Profiler: Analyzing response #14...
 [*] Profiler: Analyzing response #13...
 [*] XSS: Analyzing response #33...
 [*] XSS: Analyzing response #17...
 [*] XSS: Analyzing response #18...
 [*] XSS: Analyzing response #19...
 [*] XSS: Analyzing response #34...
 [*] XSS: Analyzing response #20...
 [*] XSS: Analyzing response #21...
 [*] XSS: Analyzing response #23...
 [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
 [*] XSS: Analyzing response #35...
 [*] XSS: Analyzing response #24...
 [*] XSS: Analyzing response #25...
 [*] XSS: Analyzing response #29...

 [*] Resolver: Resolving hostnames...
 [*] Resolver: Done!


 [*] Dumping audit results in '2012-09-09 02.48.17 +0300.afr'.
 [*] Done!





 [+] Web Application Security Report - Arachni Framework

 [~] Report generated on: 2012-09-09 02:48:17 +0300
 [~] Report false positives at: http://github.com/Arachni/arachni/issues

 [+] System settings:
 [~] ---------------
 [~] Version:  0.4.1dev
 [~] Revision: 0.2.7
 [~] Audit started on:  Sun Sep  9 02:48:08 2012
 [~] Audit finished on: Sun Sep  9 02:48:15 2012
 [~] Runtime: 00:00:06

 [~] URL: http://testfire.net/
 [~] User agent: Arachni/v0.4.2

 [*] Audited elements:
 [~] * Links
 [~] * Forms
 [~] * Cookies

 [*] Modules: xss

 [*] Filters:
 [~]   Exclude:
 [~]     (?-mix:logout)

 [~] =

 [+] 2 issues were detected.

 [+] [1] Cross-Site Scripting (XSS)
 [~] ~~~~~~~~~~~~~~~~~~~~
 [~] ID Hash:  106295fcfffa8fea3664f8fb27defe5b81f3dfba2b54c5c7f2bcb63b36246359
 [~] Severity: High
 [~] URL:      http://testfire.net/search.aspx
 [~] Element:  form
 [~] Method:   GET
 [~] Tags:     xss, regexp, injection, script
 [~] Variable: txtSearch
 [~] Description:
 [~] Client-side code (like JavaScript) can
    be injected into the web application which is then returned to the user's browser.
    This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.

 [~] CWE: http://cwe.mitre.org/data/definitions/79.html

 [~] Requires manual verification?: false

 [~] References:
 [~]   ha.ckers - http://ha.ckers.org/xss.html
 [~]   Secunia - http://secunia.com/advisories/9716/

 [*] Variations
 [~] ----------
 [~] Variation 1:
 [~] URL: http://testfire.net/search.aspx
 [~] Injected value:     <some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
 [~] Regular expression:
 [~] Matched string:     <some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>


 [+] [2] Cross-Site Scripting (XSS)
 [~] ~~~~~~~~~~~~~~~~~~~~
 [~] ID Hash:  2530b44f891ab1ebbdad206ceff0c82bee2bf038a978ebcb75f4fa34e9dca727
 [~] Severity: High
 [~] URL:      http://testfire.net/search.aspx?txtSearch=arachni_text
 [~] Element:  link
 [~] Method:   GET
 [~] Tags:     xss, regexp, injection, script
 [~] Variable: txtSearch
 [~] Description:
 [~] Client-side code (like JavaScript) can
    be injected into the web application which is then returned to the user's browser.
    This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.

 [~] CWE: http://cwe.mitre.org/data/definitions/79.html

 [~] Requires manual verification?: false

 [~] References:
 [~]   ha.ckers - http://ha.ckers.org/xss.html
 [~]   Secunia - http://secunia.com/advisories/9716/

 [*] Variations
 [~] ----------
 [~] Variation 1:
 [~] URL: http://testfire.net/search.aspx?txtSearch=arachni_text
 [~] Injected value:     '-;<some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
 [~] Regular expression:
 [~] Matched string:     '-;<some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>



 [+] Plugin data:
 [~] ---------------


 [*] Resolver
 [~] ~~~~~~~~~~~~~~
 [~] Description: Resolves vulnerable hostnames to IP addresses.

 [~] testfire.net: 65.61.137.117

 [*] Health map
 [~] ~~~~~~~~~~~~~~
 [~] Description: Generates a simple list of safe/unsafe URLs.

 [~] Legend:
 [+] No issues
 [-] Has issues

 [+] http://testfire.net/
 [-] http://testfire.net/search.aspx
 [-] http://testfire.net/search.aspx?txtSearch=arachni_text

 [~] Total: 3
 [+] Without issues: 1
 [-] With issues: 2 ( 67% )

 [*] Profiler
 [~] ~~~~~~~~~~~~~~
 [~] Description: Examines the behavior of the web application gathering general statistics
                and performs taint analysis to determine which inputs affect the output.

                It does not perform any vulnerability assessment nor does it send attack payloads.

 [~] Inputs affecting output:

 [+] Form using the 'txtSearch' input at 'http://testfire.net/' pointing to 'http://testfire.net/search.aspx' using 'GET'.
 [~] It was submitted using the following parameters:
 [~]   * txtSearch  = arachni_texte4e549408422875958476160732390defefcac7c2bd8353d918fe452d20de2a6
 [~]
 [~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_texte4e549408422875958476160732390defefcac7c2bd8353d918fe452d20de2a6':
 [~]   * Body
 [+] Link using the 'txtSearch' input at 'http://testfire.net/search.aspx?txtSearch=arachni_text' pointing to 'http://testfire.net/search.aspx?txtSearch=arachni_text' using 'GET'.
 [~] It was submitted using the following parameters:
 [~]   * txtSearch  = arachni_text5f2703a5211db19a9020f7443f6a440fbc95cda90b7c2d53912f5ce47d050056
 [~]
 [~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_text5f2703a5211db19a9020f7443f6a440fbc95cda90b7c2d53912f5ce47d050056':
 [~]   * Body

 [*] AutoLogin
 [~] ~~~~~~~~~~~~~~
 [~] Description: It looks for the login form in the user provided URL,
                merges its input fields with the user supplied parameters and sets the cookies
                of the response and request as framework-wide cookies to be used by the spider later on.


 [+] Form submitted successfully.
 [~] Cookies set to:
 [~]     * ASP.NET_SessionId = 14kge555fdb4bjflm3rx3t55
 [~]     * amSessionId = 204023334531
 [~]     * amUserInfo = UserName=anNtaXRo&Password=RGVtbzEyMzQ=
 [~]     * amUserId = 100116014
 [~]     * amCreditOffer = CardType=Gold&Limit=10000&Interest=7.9

 [~] 100.0% [>] 100%
 [~] Est. remaining time: --:--:--

 [~] Crawler has discovered 2 pages.
 [~] Audit limited to a max of 1 pages -- excluding 1 pages of Trainer feedback.

 [~] Sent 40 requests.
 [~] Received and analyzed 40 responses.
 [~] In 00:00:06
 [~] Average: 6 requests/second.

 [~] Currently auditing           http://testfire.net/search.aspx?txtSearch=arachni_text
 [~] Burst response time total    0
 [~] Burst response count total   0
 [~] Burst average response time  0
 [~] Burst average                0 requests/second
 [~] Timed-out requests           0
 [~] Original max concurrency     20
 [~] Throttled max concurrency    20
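
The stdout report above lists the same reflected `txtSearch` input twice, once reached as a form and once as a link. As an added example (not part of Arachni or of the original guide), this Ruby script parses that report layout, collapses entries that share check, page and variable, and computes an exit status for a CI step; the function names and the grouping rule are assumptions of this example.

```ruby
# Sample input: lines trimmed from the stdout report shown above.
SAMPLE_REPORT = <<~'REPORT'
  [+] 2 issues were detected.
  [+] [1] Cross-Site Scripting (XSS)
  [~] ID Hash:  106295fcfffa8fea3664f8fb27defe5b81f3dfba2b54c5c7f2bcb63b36246359
  [~] Severity: High
  [~] URL:      http://testfire.net/search.aspx
  [~] Element:  form
  [~] Variable: txtSearch

  [*] Variations
  [~] URL: http://testfire.net/search.aspx

  [+] [2] Cross-Site Scripting (XSS)
  [~] ID Hash:  2530b44f891ab1ebbdad206ceff0c82bee2bf038a978ebcb75f4fa34e9dca727
  [~] Severity: High
  [~] URL:      http://testfire.net/search.aspx?txtSearch=arachni_text
  [~] Element:  link
  [~] Variable: txtSearch

  [+] Plugin data:
REPORT

ISSUE_HEADER = /^\s*\[\+\] \[(\d+)\] (.+?)\s*$/
FIELD = /^\s*\[~\] (ID Hash|Severity|URL|Element|Method|Variable):\s+(\S.*?)\s*$/

# Returns one hash per "[+] [n] <name>" entry with the fields listed in FIELD.
def parse_issues(report)
  issues = []
  current = nil
  report.each_line do |line|
    if (m = ISSUE_HEADER.match(line))
      current = { 'Name' => m[2] }
      issues << current
    elsif line.match?(/^\s*\[[*+]\] /)
      # Any other heading ("Variations", "Plugin data:") closes the field
      # list, so a variation's URL line cannot overwrite the issue's URL.
      current = nil
    elsif current && (m = FIELD.match(line))
      current[m[1]] = m[2]
    end
  end
  issues
end

# Entries sharing check name, page (URL without query) and variable are one
# root cause reached through different elements.
def group_by_input(issues)
  issues.group_by { |i| [i['Name'], i['URL'].to_s[/\A[^?#]*/], i['Variable']] }
end

def summarize(report)
  group_by_input(parse_issues(report)).map do |(name, page, var), hits|
    via = hits.map { |h| h['Element'] }.uniq.join(', ')
    "#{hits.first['Severity']}: #{name} in '#{var}' at #{page} (via #{via})"
  end
end

# Exit status for a CI step: 1 when any High-severity issue was reported.
def gate_exit_code(issues)
  issues.any? { |i| i['Severity'] == 'High' } ? 1 : 0
end

puts summarize(SAMPLE_REPORT)
```

To gate a pipeline on a saved stdout report, call `exit gate_exit_code(parse_issues(File.read(path)))`.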

Platforms

List platforms (--lsplat)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Lists all available platforms.

Disable fingerprinting (--no-fingerprinting)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Disables platform fingerprinting and results in all audit payloads being sent to the webapp.

Platforms (--platforms)

Expects: platform,platform,...

Default: auto

Multiple invocations?: no

Explicitly sets the platforms for the remote web application. You can use this to help Arachni be more efficient in its audit.

Proxy

Proxy server (--proxy)

Expects: server:port

Default: disabled

Multiple invocations?: no

Tells Arachni to send all requests via a proxy server.

Proxy authentication (--proxy-auth)

Expects: username:password

Default: disabled

Multiple invocations?: no

Tells Arachni to authenticate itself with the proxy server using the supplied username and password.

Proxy type (--proxy-type)

Expects: http, http_1_0, socks4, socks5, socks4a

Default: disabled OR http

Multiple invocations?: no

Tells Arachni what protocol to use to connect and communicate with the proxy server.

CLI Help Output

$ arachni -h
Arachni - Web Application Security Scanner Framework v0.4.6
   Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


  Usage:  arachni  [options] url

  Supported options:


    General ----------------------

    -h
    --help                      Output this.

    --version                   Show version information and exit.

    -v                          Be verbose.

    --debug                     Show what is happening internally.
                                  (You should give it a shot sometime ;) )

    --only-positives            Echo positive results *only*.

    --http-username=<string>    Username for HTTP authentication.

    --http-password=<string>    Password for HTTP authentication.

    --http-req-limit=<integer>  Concurrent HTTP requests limit.
                                  (Default: 20)
                                  (Be careful not to kill your server.)
                                  (*NOTE*: If your scan seems unresponsive try lowering the limit.)

    --http-queue-size=<integer> Maximum amount of requests to keep in the queue.
                                  Bigger size means better scheduling and better performance,
                                  smaller means less RAM consumption.
                                  (Default: 500)

    --http-timeout=<integer>    HTTP request timeout in milliseconds.

    --cookie-jar=<filepath>     Netscape HTTP cookie file, use curl to create it.

    --cookie-string='<name>=<value>; <name2>=<value2>'

                                Cookies, as a string, to be sent to the web application.

    --user-agent=<string>       Specify user agent.

    --custom-header='<name>=<value>'

                                Specify custom headers to be included in the HTTP requests.
                                (Can be used multiple times.)

    --authed-by=<string>        E-mail address of the person who authorized the scan.
                                  (It'll make it easier on the sys-admins during log reviews.)
                                  (Will be used as a value for the 'From' HTTP header.)

    --login-check-url=<url>     A URL used to verify that the scanner is still logged in to the web application.
                                  (Requires 'login-check-pattern'.)

    --login-check-pattern=<regexp>

                                A pattern used against the body of the 'login-check-url' to verify that the scanner is still logged in to the web application.
                                  (Requires 'login-check-url'.)

    Profiles -----------------------

    --save-profile=<filepath>   Save the current run profile/options to <filepath>.

    --load-profile=<filepath>   Load a run profile from <filepath>.
                                  (Can be used multiple times.)
                                  (You can complement it with more options, except for:
                                      * --modules
                                      * --redundant)

    --show-profile              Will output the running profile as CLI arguments.


    Crawler -----------------------

    -e <regexp>
    --exclude=<regexp>          Exclude urls matching <regexp>.
                                  (Can be used multiple times.)

    --exclude-page=<regexp>     Exclude pages whose content matches <regexp>.
                                  (Can be used multiple times.)

    -i <regexp>
    --include=<regexp>          Include *only* urls matching <regex>.
                                  (Can be used multiple times.)

    --redundant=<regexp>:<limit>

                                Limit crawl on redundant pages like galleries or catalogs.
                                  (URLs matching <regexp> will be crawled <limit> amount of times.)
                                  (Can be used multiple times.)

    --auto-redundant=<limit>    Only follow <limit> amount of URLs with identical query parameter names.
                                  (Default: inf)
                                  (Will default to 10 if no value has been specified.)

    -f
    --follow-subdomains         Follow links to subdomains.
                                  (Default: off)

    --depth=<integer>           Directory depth limit.
                                  (Default: inf)
                                  (How deep Arachni should go into the site structure.)

    --link-count=<integer>      How many links to follow.
                                  (Default: inf)

    --redirect-limit=<integer>  How many redirects to follow.
                                  (Default: 20)

    --extend-paths=<filepath>   Add the paths in <file> to the ones discovered by the crawler.
                                  (Can be used multiple times.)

    --restrict-paths=<filepath> Use the paths in <file> instead of crawling.
                                  (Can be used multiple times.)

    --https-only                Forces the system to only follow HTTPS URLs.


    Auditor ------------------------

    -g
    --audit-links               Audit links.

    -p
    --audit-forms               Audit forms.

    -c
    --audit-cookies             Audit cookies.

    --exclude-cookie=<name>     Cookie to exclude from the audit by name.
                                  (Can be used multiple times.)

    --exclude-vector=<name>     Input vector (parameter) not to audit by name.
                                  (Can be used multiple times.)

    --audit-headers             Audit HTTP headers.
                                  (*NOTE*: Header audits use brute force.
                                   Almost all valid HTTP request headers will be audited
                                   even if there's no indication that the web app uses them.)
                                  (*WARNING*: Enabling this option will result in increased requests,
                                   maybe by an order of magnitude.)

    Coverage -----------------------

    --audit-cookies-extensively Submit all links and forms of the page along with the cookie permutations.
                                  (*WARNING*: This will severely increase the scan-time.)

    --fuzz-methods              Audit links, forms and cookies using both GET and POST requests.
                                  (*WARNING*: This will severely increase the scan-time.)

    --exclude-binaries          Exclude non text-based pages from the audit.
                                  (Binary content can confuse recon modules that perform pattern matching.)

    Modules ------------------------

    --lsmod=<regexp>            List available modules based on the provided regular expression.
                                  (If no regexp is provided all modules will be listed.)
                                  (Can be used multiple times.)


    -m <modname,modname,...>
    --modules=<modname,modname,...>

                                Comma separated list of modules to load.
                                  (Modules are referenced by their filename without the '.rb' extension, use '--lsmod' to list all.
                                   Use '*' as a module name to deploy all modules or as a wildcard, like so:
                                      xss*   to load all xss modules
                                      sqli*  to load all sql injection modules
                                      etc.

                                   You can exclude modules by prefixing their name with a minus sign:
                                      --modules=*,-backup_files,-xss
                                   The above will load all modules except for the 'backup_files' and 'xss' modules.

                                   Or mix and match:
                                      -xss*   to unload all xss modules.)


    Reports ------------------------

    --lsrep=<regexp>            List available reports based on the provided regular expression.
                                  (If no regexp is provided all reports will be listed.)
                                  (Can be used multiple times.)

    --repload=<filepath>        Load audit results from an '.afr' report file.
                                    (Allows you to create new reports from finished scans.)

    --report='<report>:<optname>=<val>,<optname2>=<val2>,...'

                                <report>: the name of the report as displayed by '--lsrep'
                                  (Reports are referenced by their filename without the '.rb' extension, use '--lsrep' to list all.)
                                  (Default: stdout)
                                  (Can be used multiple times.)


    Plugins ------------------------

    --lsplug=<regexp>           List available plugins based on the provided regular expression.
                                  (If no regexp is provided all plugins will be listed.)
                                  (Can be used multiple times.)

    --plugin='<plugin>:<optname>=<val>,<optname2>=<val2>,...'

                                <plugin>: the name of the plugin as displayed by '--lsplug'
                                  (Plugins are referenced by their filename without the '.rb' extension, use '--lsplug' to list all.)
                                  (Can be used multiple times.)

    Platforms ----------------------

    --lsplat                    List available platforms.

    --no-fingerprinting         Disable platform fingerprinting.
                                  (By default, the system will try to identify the deployed server-side platforms automatically
                                   in order to avoid sending irrelevant payloads.)

    --platforms=<platform,platform,...>

                                Comma separated list of platforms (by shortname) to audit.
                                  (The given platforms will be used *in addition* to fingerprinting. In order to restrict the audit to
                                   these platforms enable the '--no-fingerprinting' option.)

    Proxy --------------------------

    --proxy=<server:port>       Proxy address to use.

    --proxy-auth=<user:passwd>  Proxy authentication credentials.

    --proxy-type=<type>         Proxy type; can be http, http_1_0, socks4, socks5, socks4a
                                  (Default: http)