Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Command line user interface

Tasos Laskos edited this page · 8 revisions

Version 1.2

There are a lot of options, customizations and tweaks you can use but fear not and don't let yourself be overwhelmed. This guide will walk you through each and every one of them and teach you how to use them in order to make your scans as efficient as possible.

If you intend to scan big and complex sites it's best that you read through this guide and evaluate all available options.

Quickstart

Help

In order to see everything Arachni has to offer execute:

arachni -h

Control screen

To see a control screen via which you can inspect an issue summary and perform actions like pausing/resuming, aborting, suspending etc., press Enter while the scan is running.

Examples

You can simply run Arachni like so:

arachni http://test.com

which will load all checks, the plugins under /plugins/defaults and audit all forms, links and cookies.

In the following example, all checks will be run against http://test.com, auditing links/forms/cookies and following subdomains while also printing verbose mesages.

The results of the scan will be saved in the the file test.com.afr.

arachni --output-verbose --scope-include-subdomains http://test.com --report-save-path=test.com.afr

The Arachni Framework Report (.afr) file can later be used to create reports in several formats, like so:

arachni_reporter test.com.afr --reporter=html:outfile=my_report.html.zip

To see all available reporter components run:

arachni_reporter --reporters-list

You can make check loading easier by using wildcards (*) and exclusions (-).

To load all xss checks using a wildcard:

arachni http://example.net --checks=xss*

To load all active checks using a wildcard:

arachni http://example.net --checks=active/*

To exclude only the csrf check:

arachni http://example.net --checks=*,-csrf

Or you can mix and match; to run everything but the xss checks:

arachni http://example.net --checks=*,-xss*

More resources

For more resources you can consult the articles in the knowledge base.

Command reference

Command Line Interface help output

Generic

Version (--version)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Outputs the Arachni banner and version information.

Authorized by (--authorized-by)

Expects: string

Default: disabled

Multiple invocations?: no

The string passed to this option will be used as the value for the From HTTP reuest header field. The option value should be the e-mail address of the person who authorized the scan.

Output

Verbose (--output-verbose)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

When verbose messages are enabled, Arachni will give you detailed information about what's going on during the whole process.

Example

Let's give this a try:

arachni --audit-forms --checks=xss http://testfire.net/ --scope-page-limit=1

This will load the XSS checks and audit all the forms in http://testfire.net/.

Verbose mode disabled

Observe that there's no --output-verbose flag in the previous run.

Don't worry about the rest of the parameters right now.

Quick note:

Arachni's output messages are classified into several categories, each of them prefixed with a different colored symbol:

  • [*] are status messages.
  • [~] are informational messages.
  • [+] are sucess messages.
  • [v] are verbose messages.
  • [!] are debug messages.
  • [-] are error messages.

I won't bother with coloring during the examples.

Arachni - Web Application Security Scanner Framework v1.0
   Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


 [*] Initializing...
 [*] Waiting for plugins to settle...
 [*] BrowserCluster: Initializing 6 browsers...
 [*] BrowserCluster: Initialization completed with 6 browsers in the pool.

 [*] [HTTP: 200] http://testfire.net/
 [~] Identified as: windows, iis, asp, aspx
 [~] Analysis resulted in 0 usable paths.
 [~] DOM depth: 0 (Limit: 10)
 [*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
 [*] XSS: Submitting form with original values for txtSearch at 'http://testfire.net/search.aspx'.
 [*] XSS: Submitting form with sample values for txtSearch at 'http://testfire.net/search.aspx'.
 [*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
 [*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
 [*] Harvesting HTTP responses...
 [~] Depending on server responsiveness and network conditions this may take a while.
 [*] XSS: Analyzing response #2...
 [~] XSS: Response is tainted, looking for proof of vulnerability.
 [+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
 [*] XSS: Analyzing response #3...
 [*] XSS: Analyzing response #4...
 [*] XSS: Analyzing response #5...
 [~] XSS: Response is tainted, looking for proof of vulnerability.
 [+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
 [*] XSS: Analyzing response #6...
 [~] XSS: Response is tainted, looking for proof of vulnerability.
 [+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx

Verbose mode enabled

Observe the extra information in this run.

[v] messages are verbose messages.

$ arachni --audit-forms --checks=xss http://testfire.net/ --scope-page-limit=1 --output-verbose
Arachni - Web Application Security Scanner Framework v1.0
   Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


 [*] Initializing...
 [*] Waiting for plugins to settle...
 [*] BrowserCluster: Initializing 6 browsers...
 [*] BrowserCluster: Initialization completed with 6 browsers in the pool.

 [*] [HTTP: 200] http://testfire.net/
 [~] Identified as: windows, iis, asp, aspx
 [~] Analysis resulted in 0 usable paths.
 [~] DOM depth: 0 (Limit: 10)
 [*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
 [v] XSS: --> With: "<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>" -> "arachni_text<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>"
 [*] XSS: Submitting form with original values for txtSearch at 'http://testfire.net/search.aspx'.
 [v] XSS: --> With: nil -> ""
 [*] XSS: Submitting form with sample values for txtSearch at 'http://testfire.net/search.aspx'.
 [v] XSS: --> With: nil -> ""
 [*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
 [v] XSS: --> With: "()\"&%1'-;<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>'" -> "arachni_text()\"&%1'-;<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>'"
 [*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
 [v] XSS: --> With: "--><some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/><!--" -> "arachni_text--><some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/><!--"
 [*] Harvesting HTTP responses...
 [~] Depending on server responsiveness and network conditions this may take a while.
 [*] XSS: Analyzing response #2...
 [~] XSS: Response is tainted, looking for proof of vulnerability.
 [+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
 [v] XSS: Injected:  "arachni_text<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>"
 [v] XSS: Proof:     <some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>
 [v] XSS: Request:
GET /search.aspx?txtSearch=arachni_text%3Csome_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714%2F%3E HTTP/1.1
Host: testfire.net
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: ASP.NET_SessionId=e4h4wy45jmb5vkrg0wl1rj45;amSessionId=15420499882


 [*] XSS: Analyzing response #3...
 [*] XSS: Analyzing response #4...
 [*] XSS: Analyzing response #6...
 [~] XSS: Response is tainted, looking for proof of vulnerability.
 [+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
 [v] XSS: Injected:  "arachni_text--><some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/><!--"
 [v] XSS: Proof:     <some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>
 [v] XSS: Request:
GET /search.aspx?txtSearch=arachni_text--%3E%3Csome_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714%2F%3E%3C%21-- HTTP/1.1
Host: testfire.net
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: ASP.NET_SessionId=e4h4wy45jmb5vkrg0wl1rj45;amSessionId=15420499882


 [*] XSS: Analyzing response #5...
 [~] XSS: Response is tainted, looking for proof of vulnerability.
 [+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
 [v] XSS: Injected:  "arachni_text()\"&%1'-;<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>'"
 [v] XSS: Proof:     <some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>
 [v] XSS: Request:
GET /search.aspx?txtSearch=arachni_text%28%29%22%26%251%27-%3B%3Csome_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714%2F%3E%27 HTTP/1.1
Host: testfire.net
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: ASP.NET_SessionId=e4h4wy45jmb5vkrg0wl1rj45;amSessionId=15420499882

Debug (--output-debug)

Expects: integer

Default: 1

Multiple invocations?: no

When this flag is enabled the system will output a lot of messages detailing what's happening internally. The level/detail of the messages can be specified in the form of an integer between 1 and 3.

If you don't want to be flooded by annoying and obscure messages, you can pipe debugging output to a separate file when running Arachni using:

arachni http://example.com --output-debug 2> debug.log

Only positives (--output-only-positives)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

This will suppress all messages except for for the ones denoting sucess -- usually regarding the discovery of some issue.

Scope

pattern refers to valid Ruby regular expressions without being enclosed by /.

Examples:

  • exclude-me: Excludes any string that includes the exclude-me substring.
  • exclude.*me: Excludes any string that includes exclude, followed by any content, and then me.
  • \/gallery\/winter\/: Excludes any string that includes the /gallery/winter/ substring -- slashes need to be escaped.

Include (--scope-include-pattern)

Expects: pattern

Default: disabled

Multiple invocations?: yes

Restricts the scope of the scan to resources whose URL matches the pattern.

Include subdomains (--scope-include-subdomains)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Allow the system to include subdomains in the scan.

Exclude (--scope-exclude-pattern)

Expects: pattern

Default: disabled

Multiple invocations?: yes

Excludes resources whose URL matches the pattern.

Exclude page by content (--scope-exclude-content-pattern)

Expects: pattern

Default: disabled

Multiple invocations?: yes

Excludes pages whose content matches the pattern.

Exclude binaries (--scope-exclude-binaries)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Excludes pages with binary content.

Note: Binary content can confuse passive check that perform pattern matching.

Redundant (--scope-redundant-path-pattern)

Expects: pattern:integer

Default: disabled

Multiple invocations?: yes

This option expects a pattern and a counter, like so: --scope-redundant-path-pattern='calendar.php:3'

This will cause URLs that contain calendar.php to be crawled only 3 times.

This option is useful when scanning websites that have a lot of redundant pages like a photo gallery or a dynamically generated calendar.

Auto-redundant (--scope-auto-redundant)

Expects: integer

Default: disabled (with a value of 10 if none has been specified)

Multiple invocations?: no

This option limits how many resources with URLs with identical parameters should be includes in the scan.

This can prevent infinite loops caused by pages like photo galleries or catalogues.

Example

With --scope-auto-redundant=2 and given the following list of URLs:

http://test.com/?stuff=1
http://test.com/?stuff=2
http://test.com/?stuff=other-stuff
http://test.com/?stuff=blah
http://test.com/?stuff=blah&stuff2=1
http://test.com/?stuff=blah&stuff2=2
http://test.com/?stuff=blah2&stuff2=bloo
http://test.com/path.php?stuff=blah&stuff2=1

Only the following will be included:

http://test.com/?stuff=1
http://test.com/?stuff=2
http://test.com/?stuff=blah&stuff2=1
http://test.com/?stuff=blah&stuff2=2
http://test.com/path.php?stuff=blah&stuff2=1

Directory depth limit (--scope-directory-depth-limit)

Expects: integer

Default: infinite

Multiple invocations?: no

This option limits how deep into the site structure the scan should go.

Page limit (--scope-page-limit)

Expects: integer

Default: infinite

Multiple invocations?: no

This option limits how many pages should be included in the scan.

Extend paths (--scope-extend-paths)

Expects: filepath

Default: disabled

Multiple invocations?: yes

Allows you to extend the scope of the scan by seeding the system with the paths contained within the given file.

Note: The file must contains one path per line.

Restrict paths (--scope-restrict-paths)

Expects: filepath

Default: disabled

Multiple invocations?: yes

Uses the paths contained within the given file instead of performing a crawl.

Note: The file must contains one path per line.

URL rewrite (--scope-url-rewrite)

Expects: pattern:substitution

Default: disabled

Multiple invocations?: yes

This option expects a pattern and a substitution, like so: --scope-url-rewrite='/articles\/[\w-]+\/(\d+)/:articles.php?id=\1'

The above will rewrite the URL http://test.com/articles/some-stuff/23 as http://test.com/articles.php?id=23.

DOM depth limit (--scope-dom-depth-limit)

Expects: integer

Default: 5

Multiple invocations?: no

This option limits how deep into each page's DOM structure the scan should go.

Note: DOM levels are counted as stacked interactions with the page's interface.

HTTPS only (--scope-https-only)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Forces the system to only follow HTTPS URLs.

Note: The target URL must be an HTTPS one as well.

Audit

Audit links (--audit-links)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Enable auditing of links.

Audit forms (--audit-forms)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Enable auditing of forms.

Audit cookies (--audit-cookies)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Enable auditing of cookies.

Audit cookies extensively (--audit-cookies-extensively)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

If enabled the system will submit all links and forms of the page along with the cookie permutations.

Warning: Will severely increase the scan-time.

Audit headers (--audit-headers)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Audit HTTP request headers.

Note: Header audits use brute force. Almost all valid HTTP request headers will be audited even if there's no indication that the web app uses them.

Warning: Enabling this option will result in increased requests, maybe by an order of magnitude.

Link template (--audit-link-template)

Expects: pattern

Default: disabled

Multiple invocations?: yes

This option allows you to extract and audit inputs from generic paths based on a specified template in the form of a Ruby regular expression using names groups.

Example

To extract the input1 and input2 inputs from: http://test.com/input1/value1/input2/value2

Use: /input1\/(?<input1>\w+)\/input2\/(?<input2>\w+)/

Parameter names (--audit-parameter-names)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

If enabled, the system will inject payloads into parameter names instead of just values.

With extra parameter (--audit-with-extra-parameter)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

If enabled, the system will add an extra parameter to all vectors and audit it as well.

With both methods (--audit-with-both-methods)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

If enabled, the system will submit all elements using both GET and POST HTTP request methods.

Warning: Will severely increase the scan-time.

Exclude vector (--audit-exclude-vector)

Expects: pattern

Default: disabled

Multiple invocations?: yes

Don't audit input vectors whose name matches the pattern.

Include vector (--audit-include-vector)

Expects: pattern

Default: disabled

Multiple invocations?: yes

Only audit input vectors whose name matches the pattern.

HTTP

User agent (--http-user-agent)

Expects: string

Default: "Arachni/<version>"

Multiple invocations?: no

Specify a value for the User-Agent request header field.

Request concurrency (--http-request-concurrency)

Expects: integer

Default: 20

Multiple invocations?: no

Sets the maximum amount of requests to be active at any given time; this usually directly translates to the amount of open connections.

Note: If your scan seems unresponsive try lowering the limit to easy the server's burden.

Warning: Given enough bandwidth and a high enough concurrency setting the scan could cause a DoS. Be careful when setting this option too high, don't kill your server.

Request timeout (--http-request-timeout)

Expects: integer (milliseconds)

Default: 10000

Multiple invocations?: no

Limit how long the client should wait for a response from the server.

Request redirect limit (--http-request-redirect-limit)

Expects: integer

Default: 5

Multiple invocations?: no

Limits the amount of redirects the client should follow for each request.

Request queue size (--http-request-queue-size)

Expects: integer

Default: 100

Multiple invocations?: no

Maximum amount of requests to keep in the client queue.

Note: More means better scheduling and better performance, less means less RAM consumption.

Request header (--http-request-header)

Expects: string

Default: disabled

Multiple invocations?: yes

Allows you to specify custom request headers in the form of key-value pairs.

Example

--http-request-header='field_name=field value'

Response max size (--http-response-max-size)

Expects: integer

Default: 500000

Multiple invocations?: no

Limits the size of response bodies the client accepts. Essentially, the client will not download bodies of responses which have a Content-Length larger than the specified value.

Cookie jar (--http-cookie-jar)

Expects: filepath

Default: disabled

Multiple invocations?: no

Arachni allows you to pass your own cookies in the form of a Netscape cookie-jar file. If you want to audit restricted parts of a website that are accessible only to logged in users you should pass the session cookies to Arachni.

There's a number of ways to do that, I've found that Firebug's export cookie feature works best.

Note: If you don't feel comfortable setting your own cookie-jar, you can use the proxy or autologin plugins to login to the web application.

Cookie string (--http-cookie-string)

Expects: string

Default: disabled

Multiple invocations?: no

Cookies, as a string, to be sent to the web application.

Example

--http-cookie-string='userid=19;sessionid=deadbeefbabe'

Authentication

The HTTP authentication type is detected automatically, all that is necessary is specifying the username and password.

The only situation where that's not the case is when using Kerberos. In that case a ticket needs to be acquired via kinit and no username nor password need to be specified in the scan configuration.

If you are using the official packages, this can be accomplished like so:

./bin/arachni_shell -c 'kinit user@host.com'

After acquiring the Kerberos ticket you can perform the scan wthout any extra authentication configuration.

Username (--http-authentication-username)

Expects: string

Default: disabled

Multiple invocations?: no

Username to use for HTTP authentication.

Password (--http-authentication-password)

Expects: string

Default: disabled

Multiple invocations?: no

Password to use for HTTP authentication.

Proxy (--http-proxy)

Expects: server:port

Default: disabled

Multiple invocations?: no

Sets a proxy server for the client.

Proxy authentication (--http-proxy-auth)

Expects: username:password

Default: disabled

Multiple invocations?: no

Sets authentication credentials for the specified proxy server.

Proxy type (--http-proxy-type)

Expects: http, http_1_0, socks4, socks5, socks4a

Default: auto

Multiple invocations?: no

Sets the protocol for the specified proxy server.

SSL verify peer (--http-ssl-verify-peer)

Expects: n/a

Default: disabled

Multiple invocations?: no

Verify SSL peer.

SSL verify host (--http-ssl-verify-host)

Expects: n/a

Default: disabled

Multiple invocations?: no

Verify SSL host.

SSL certificate (--http-ssl-certificate)

Expects: filepath

Default: disabled

Multiple invocations?: no

SSL certificate to use.

SSL certificate type (--http-ssl-certificate-type)

Expects: pem,der

Default: pem

Multiple invocations?: no

SSL certificate type.

SSL key (--http-ssl-key)

Expects: filepath

Default: disabled

Multiple invocations?: no

SSL private key to use.

SSL key type (--http-ssl-key-type)

Expects: pem,der

Default: pem

Multiple invocations?: no

SSL private key type.

SSL key password (--http-ssl-key-password)

Expects: string

Default: disabled

Multiple invocations?: no

Password for the SSL private key.

SSL CA (--http-ssl-ca)

Expects: filepath

Default: disabled

Multiple invocations?: no

File holding one or more certificates with which to verify the peer.

SSL CA directory (--http-ssl-ca-directory)

Expects: path

Default: disabled

Multiple invocations?: no

Directory holding multiple certificate files with which to verify the peer.

SSL version (--http-ssl-version)

Expects: TLSv1,TLSv1_0,TLSv1_1,TLSv1_2,SSLv2,SSLv3

Default: auto

Multiple invocations?: no

SSL version to use.

Input

Value (--input-value)

Expects: pattern:value

Default: disabled

Multiple invocations?: yes

Sets a value for inputs whose name matches the pattern.

Values file (--input-values-file)

Expects: filepath

Default: disabled

Multiple invocations?: no

YAML file containing a Hash object with regular expressions, to match against input names, as keys and input values as values.

Without defaults (--input-without-defaults)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

If enabled, system default values won't be used.

Force (--input-force)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Forces the system to fill-in even non-empty inputs.

Checks

List (--checks-list)

Expects: pattern

Default: disabled

Multiple invocations?: yes

Lists all available checks.

If an option has been provided, it will be treated as a pattern and be used to filter the displayed checks.

Load (--checks)

Expects: string,string

Default: * (all)

Multiple invocations?: no

Loads the given checks, by name.

You can specify the checks to load as comma separated values (without spaces) or * to load all. You can prevent checks from being loaded by prefixing their name with a dash (-).

Note: Checks are referenced by their filename without the .rb extension, use --checks-list to see all.

Example

As CSV:

arachni --checks=xss,sqli,path_traversal http://example.com/

All:

arachni http://example.com/

Excluding checks:

arachni --checks=*,-backup_files,-xss http://example.com/

The above will load all checks except for the backup_files and xss ones.

Plugins

List (--plugins-list)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Lists all available plugins.

Load (--plugin)

Expects: string

Default: disabled

Multiple invocations?: yes

Loads a plugin by name and configures it with the given options.

Note: Plugins are referenced by their filename without the .rb extension, use --plugins-list to see all.

Example

Excluding the logout URL and running the `autologin1 plugin to automatically login to a web application:

arachni http://testfire.net --scope-page-limit=1 --checks=xss \
    --plugin=autologin:url=http://testfire.net/bank/login.aspx,parameters='uid=jsmith&passw=Demo1234',check='Sign Off|MY ACCOUNT' \
    --scope-exclude-pattern logout

Platforms

List (--platforms-list)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Lists all available platforms.

Disable fingerprinting (--platforms-no-fingerprinting)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

Disables platform fingerprinting and results in all audit payloads being sent to the webapp.

Configure (--platforms)

Expects: string,string,...

Default: auto

Multiple invocations?: no

Explicitly sets the platforms for the remote web application. You can use this to help the system be more efficient in its scan.

Session

Check URL (--session-check-url)

Expects: string

Default: disabled

Multiple invocations?: no

Requires: session-check-pattern

The URL passed to this option will be used to verify that the system is still logged in to the web application.

If the HTTP response body of URL matches the session-check-pattern this should indicate that the system is logged in.

Check pattern (--session-check-pattern)

Expects: string

Default: disabled

Multiple invocations?: no

Requires: session-check-url

A pattern used against the body of the session-check-url to verify that the system is still logged in to the web application.

A positive match should indicate that the system is logged in.

Profiles

Save (--profile-save-filepath)

Expects: filepath

Default: disabled

Multiple invocations?: no

This option allows you to save your current running configuration, all the options passed to Arachni, to an Arachni Framework Profile (.afp) file.

Load (--profile-load-filepath)

Expects: filepath

Default: disabled

Multiple invocations?: no

This option allows you to load and run a saved profile.

Note: This option does not impede your ability to specify more options or resave the profile.

Browser cluster

Wait for element (--browser-cluster-wait-for-element)

Expects: PATTERN:CSS

Default: disabled

Multiple invocations?: yes

Wait for element matching the CSS selector to appear when visiting a page whose URL matches the PATTERN.

Note: There is no special timeout setting for this operation, the global browser cluster job timeout option will be enforced.

Example

To wait for an element with an ID attribute of myElement to appear when visiting a page whose URL includes the string withElement (like: http://test.com/blah#withElement):

--browser-cluster-wait-for-element='withElement:#myElement'

Sometimes it is necesary to wait for an element for a page whose URL does not include a string. This is common for client-side MVC frameworks when the seed URL includes no route in the fragment section.

In this case, in order to wait for an element with an ID attribute of myElement when the URL has no hash (#) part:

--browser-cluster-wait-for-element='^((?!#).)*$:#myElement'

Pool size (--browser-cluster-pool-size)

Expects: integer

Default: 6

Multiple invocations?: no

Amount of browser workers (process) to maintain in the pool.

Job timeout (--browser-cluster-job-timeout)

Expects: integer

Default: 25

Multiple invocations?: no

Maximum allowed time for each job, measured in seconds.

Worker time to live (--browser-cluster-worker-time-to-live)

Expects: integer

Default: 100

Multiple invocations?: no

Amount of jobs each worker should process before having its process respawned.

Note: Mainly used to prevent individual browser process from accumulating too much RAM.

Ignore images (--browser-cluster-ignore-images)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

If enabled, the browsers will not load any images.

Screen width (--browser-cluster-screen-width)

Expects: integer

Default: 1600

Multiple invocations?: no

Sets the browsers' screen width.

Note: Can be used to test responsive and mobile applications.

Screen height (--browser-cluster-screen-height)

Expects: integer

Default: 1200

Multiple invocations?: no

Sets the browsers' screen height.

Note: Can be used to test responsive and mobile applications.

Report

Save path (--report-save-path)

Expects: string

Default: .

Multiple invocations?: no

Directory or file path where to store the scan report.

Note: You can use the generated file to create reports in several formats with the arachni_reporter executable.

Snapshot

Save path (--snapshot-save-path)

Expects: string

Default: .

Multiple invocations?: no

Directory or file path where to store the snapshot of a suspended scan.

Note: You can use the generated file to resume the scan with the arachni_restore executable.

Timeout

Timeout (--timeout)

Expects: hours:minutes:seconds

Default: infinite

Multiple invocations?: no

Maximum amount of time to allow the scan to run.

Suspend (--timeout-suspend)

Expects: <n/a>

Default: disabled

Multiple invocations?: no

If enabled, the scan will be suspended when the --timeout is reached, instead of being aborted.

CLI Help Output

$ arachni -h
Arachni - Web Application Security Scanner Framework v1.2
   Author: Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


Usage: ./bin/arachni [options] URL

Generic
  -h, --help                  Output this message.

      --version               Show version information.

      --authorized-by EMAIL_ADDRESS
                              E-mail address of the person who authorized the scan.
                                (It'll make it easier on the sys-admins during log reviews.)
                                (Will be used as a value for the 'From' HTTP request header.)


Output
      --output-verbose        Show verbose output.

      --output-debug [LEVEL 1-3]
                              Show debugging information.

      --output-only-positives Only output positive results.


Scope
      --scope-include-pattern PATTERN
                              Only include resources whose path/action matches PATTERN.
                                (Can be used multiple times.)

      --scope-include-subdomains
                              Follow links to subdomains.
                                (Default: false)

      --scope-exclude-pattern PATTERN
                              Exclude resources whose path/action matches PATTERN.
                                (Can be used multiple times.)

      --scope-exclude-content-pattern PATTERN
                              Exclude pages whose content matches PATTERN.
                                (Can be used multiple times.)

      --scope-exclude-binaries
                              Exclude non text-based pages.
                                (Binary content can confuse passive checks that perform pattern matching.)

      --scope-redundant-path-pattern PATTERN:LIMIT
                              Limit crawl on redundant pages like galleries or catalogs.
                                (URLs matching PATTERN will be crawled LIMIT amount of times.)
                                (Can be used multiple times.)

      --scope-auto-redundant [LIMIT]
                              Only follow URLs with identical query parameter names LIMIT amount of times.
                                (Default: 10)

      --scope-directory-depth-limit LIMIT
                              Directory depth limit.
                                (Default: inf)
                                (How deep Arachni should go into the site structure.)

      --scope-page-limit LIMIT
                              How many pages to crawl and audit.
                                (Default: inf)

      --scope-extend-paths FILE
                              Add the paths in FILE to the ones discovered by the crawler.
                                (Can be used multiple times.)

      --scope-restrict-paths FILE
                              Use the paths in FILE instead of crawling.
                                (Can be used multiple times.)

      --scope-url-rewrite PATTERN:SUBSTITUTION
                              Rewrite URLs based on the given PATTERN and SUBSTITUTION.
                                To convert:  http://test.com/articles/some-stuff/23 to http://test.com/articles.php?id=23
                                Use:         /articles\/[\w-]+\/(\d+)/:articles.php?id=\1

      --scope-dom-depth-limit LIMIT
                              How deep to go into the DOM tree of each page, for pages with JavaScript code.
                                (Default: 5)
                                (Setting it to '0' will disable browser analysis.)

      --scope-https-only      Forces the system to only follow HTTPS URLs.
                                (Default: false)


Audit
      --audit-links           Audit links.

      --audit-forms           Audit forms.

      --audit-cookies         Audit cookies.

      --audit-cookies-extensively
                              Submit all links and forms of the page along with the cookie permutations.
                                (*WARNING*: This will severely increase the scan-time.)

      --audit-headers         Audit headers.

      --audit-link-template TEMPLATE
                              Regular expression with named captures to use to extract input information from generic paths.
                                To extract the 'input1' and 'input2' inputs from:
                                  http://test.com/input1/value1/input2/value2
                                Use:
                                  /input1\/(?<input1>\w+)\/input2\/(?<input2>\w+)/
                                (Can be used multiple times.)

      --audit-jsons           Audit JSON request inputs.

      --audit-xmls            Audit XML request inputs.

      --audit-parameter-names Inject payloads into parameter names.

      --audit-with-extra-parameter
                              Inject payloads into extra element parameters.

      --audit-with-both-methods
                              Audit elements with both GET and POST requests.
                                (*WARNING*: This will severely increase the scan-time.)

      --audit-exclude-vector PATTERN
                              Exclude input vectorS whose name matches PATTERN.
                                (Can be used multiple times.)

      --audit-include-vector PATTERN
                              Include only input vectors whose name matches PATTERN.
                                (Can be used multiple times.)


Input
      --input-value PATTERN:VALUE
                              PATTERN to match against input names and VALUE to use for them.
                                (Can be used multiple times.)

      --input-values-file FILE
                              YAML file containing a Hash object with regular expressions, to match against input names, as keys and input values as values.

      --input-without-defaults
                              Do not use the system default input values.

      --input-force           Fill-in even non-empty inputs.


HTTP
      --http-user-agent USER_AGENT
                              Value for the 'User-Agent' HTTP request header.
                                (Default: Arachni/v2.0dev)

      --http-request-concurrency MAX_CONCURRENCY
                              Maximum HTTP request concurrency.
                                (Default: 20)
                                (Be careful not to kill your server.)
                                (*NOTE*: If your scan seems unresponsive try lowering the limit.)

      --http-request-timeout TIMEOUT
                              HTTP request timeout in milliseconds.
                                (Default: 10000)

      --http-request-redirect-limit LIMIT
                              Maximum amount of redirects to follow for each HTTP request.
                                (Default: 5)

      --http-request-queue-size QUEUE_SIZE
                              Maximum amount of requests to keep in the queue.
                                Bigger size means better scheduling and better performance,
                                smaller means less RAM consumption.
                                (Default: 100)

      --http-request-header NAME=VALUE
                              Specify custom headers to be included in the HTTP requests.
                                (Can be used multiple times.)

      --http-response-max-size LIMIT
                              Do not download response bodies larger than the specified LIMIT, in bytes.
                                (Default: 500000)

      --http-cookie-jar COOKIE_JAR_FILE
                              Netscape-styled HTTP cookiejar file.

      --http-cookie-string COOKIE
                              Cookie representation as an 'Cookie' HTTP request header.

      --http-authentication-username USERNAME
                              Username for HTTP authentication.

      --http-authentication-password PASSWORD
                              Password for HTTP authentication.

      --http-proxy ADDRESS:PORT
                              Proxy to use.

      --http-proxy-authentication USERNAME:PASSWORD
                              Proxy authentication credentials.

      --http-proxy-type http,http_1_0,socks4,socks5,socks4a
                              Proxy type.
                                (Default: auto)

      --http-ssl-verify-peer  Verify SSL peer.
                                (Default: false)

      --http-ssl-verify-host  Verify SSL host.
                                (Default: false)

      --http-ssl-certificate PATH
                              SSL certificate to use.

      --http-ssl-certificate-type pem,der
                              SSL certificate type.

      --http-ssl-key PATH     SSL private key to use.

      --http-ssl-key-type pem,der
                              SSL key type.

      --http-ssl-key-password PASSWORD
                              Password for the SSL private key.

      --http-ssl-ca PATH      File holding one or more certificates with which to verify the peer.

      --http-ssl-ca-directory PATH
                              Directory holding multiple certificate files with which to verify the peer.

      --http-ssl-version TLSv1,TLSv1_0,TLSv1_1,TLSv1_2,SSLv2,SSLv3
                              SSL version to use.


Checks
      --checks-list [PATTERN] List available checks based on the provided pattern.
                                (If no pattern is provided all checks will be listed.)

      --checks CHECK,CHECK2,...
                              Comma separated list of checks to load.
                                    Checks are referenced by their filename without the '.rb' extension, use '--checks-list' to list all.
                                    Use '*' as a check name to load all checks or as a wildcard, like so:
                                        xss*   to load all XSS checks
                                        sql_injection*  to load all SQL injection checks
                                        etc.

                                    You can exclude checks by prefixing their name with a minus sign:
                                        --checks=*,-backup_files,-xss
                                    The above will load all checks except for the 'backup_files' and 'xss' checks.

                                    Or mix and match:
                                        -xss*   to unload all XSS checks.


Plugins
      --plugins-list [PATTERN]
                              List available plugins based on the provided pattern.
                                (If no pattern is provided all plugins will be listed.)

      --plugin 'PLUGIN:OPTION=VALUE,OPTION2=VALUE2'
                              PLUGIN is the name of the plugin as displayed by '--plugins-list'.
                                (Plugins are referenced by their filename without the '.rb' extension, use '--plugins-list' to list all.)
                                (Can be used multiple times.)


Platforms
      --platforms-list        List available platforms.

      --platforms-no-fingerprinting
                              Disable platform fingerprinting.
                                (By default, the system will try to identify the deployed server-side platforms automatically
                                in order to avoid sending irrelevant payloads.)

      --platforms PLATFORM,PLATFORM2,...
                              Comma separated list of platforms (by shortname) to audit.
                                (The given platforms will be used *in addition* to fingerprinting. In order to restrict the audit to
                                these platforms enable the '--platforms-no-fingerprinting' option.)


Session
      --session-check-url URL URL to use to verify that the scanner is still logged in to the web application.
                                (Requires 'session-check-pattern'.)

      --session-check-pattern PATTERN
                              Pattern used against the body of the 'session-check-url' to verify that the scanner is still logged in to the web application.
                                (Requires 'session-check-url'.)


Profiles
      --profile-save-filepath FILEPATH
                              Save the current configuration profile/options to FILEPATH.

      --profile-load-filepath FILEPATH
                              Load a configuration profile from FILEPATH.


Browser cluster
      --browser-cluster-wait-for-element PATTERN:CSS
                              Wait for element matching CSS to appear when visiting a page whose URL matches the PATTERN.

      --browser-cluster-pool-size SIZE
                              Amount of browser workers to keep in the pool and put to work.
                                (Default: 6)

      --browser-cluster-job-timeout SECONDS
                              Maximum allowed time for each job.
                                (Default: 25)

      --browser-cluster-worker-time-to-live LIMIT
                              Re-spawn the browser of each worker every LIMIT jobs.
                                (Default: 100)

      --browser-cluster-ignore-images
                              Do not load images.

      --browser-cluster-screen-width
                              Browser screen width.
                                (Default: 1600)

      --browser-cluster-screen-height
                              Browser screen height.
                                (Default: 1200)


Report
      --report-save-path PATH Directory or file path where to store the scan report.
                                You can use the generated file to create reports in several formats with the 'arachni_reporter' executable.


Snapshot
      --snapshot-save-path PATH
                              Directory or file path where to store the snapshot of a suspended scan.
                                You can use the generated file to resume the scan with the 'arachni_restore' executable.


Timeout
      --timeout HOURS:MINUTES:SECONDS
                              Stop the scan after the given duration is exceeded.

      --timeout-suspend       Suspend after the timeout.
                                You can use the generated file to resume the scan with the 'arachni_restore' executable.
Something went wrong with that request. Please try again.