Skip to content


  • Add agents feature for distributed plugin execution
  • Add an API endpoint to to perform a bulk create of many objects (hosts,
    services, vulns, commands and credentials). This is used to avoid doing a lot
    of API requests to upload data. Now one request should be enough
  • Major style and color changes to the Web UI
  • Add API token authentication method
  • Use server side stored sessions to properly invalidate cookies of logged out users
  • Add "New" button to create credentials without host or service assigned yet
  • Allow filtering hosts by its service's ports in the Web UI
  • Performance improvements in vulnerabilities and vulnerability templates API (they
    were doing a lot of SQL queries because of a programming bug)
  • Require being in the faraday-manage group when running faraday from a .deb or .rpm package
  • Change the first page shown after the user logs in. Now it displays a workspace
    selection dialog
  • Add API endpoint to import Vuln Templates from a CSV file
  • Create the exported CSV of the status report in the backend instead of in the
    problem, which was much slower
  • Add API endpoint to import hosts from a CSV file
  • Add faraday-manage rename-user command to change a user's username
  • Allow resizing columns in Vulnerability Templates view
  • Avoid copying technical details when a vuln template is generated from the status report
  • Use exact matches when searching vulns by target
  • Add API endpoint to get which tools impacted in a host
  • Add pagination to activity feed
  • Add ordering for date and creator to vuln templates view
  • Modify tabs in vuln template, add Details tab
  • Add copy IP to clipboard button in hosts view
  • Add creator and create date columns to vuln template view
  • When a plugin creates a host with its IP set to a domain name,
    resolve the IP address of that domain
  • Add support for logging in RFC5254 format
  • Add active filter in workspaces view. Only show active workspaces
    in other parts of the Web UI
  • Enforce end date to be greater than start date in workspaces API
  • Fix bug in faraday-manage create-tables that incorrectly marked schema
    migrations as applied
  • Fix bug in many plugins that loaded hostnames incorrectly (one hostname per chararcter)
  • Improve references parsing in OpenVAS plugin
  • Fix a bug in Nessus plugin when parsing reports without host_start
  • Fix bug hostname search is now working in status-report
  • Fix showing of services with large names in the Web UI
  • Fix broken select all hosts checkbox
  • Fix bug viewing an attachment/evidence when its filename contained whitespaces
  • Fix "Are you sure you want to quit Faraday?" dialog showing twice in GTK
Assets 2

@llazzaro llazzaro released this Jun 6, 2019 · 844 commits to master since this release

  • Refactor the project to use absolute imports to make the installation easier
    (with a file). This also was a first step to make our codebase
    compatible with python 3.
  • Change the commands used to run faraday. ./,
    ./, ./ and bin/flugin are replaced for faraday-server, faraday-manage,
    faraday-client and fplugin respectively
  • Changed suggested installation method. Now we provide binary executables with all python dependencies
    embedded into them
  • Add admin panel to the Web UI to manage custom fields
  • Fix slow host list when creating vulns in a workspace with many hosts
  • Usability improvements in status report: change the way vulns are selected and confirmed
  • Improve workspace workspace creation from the Web UI
  • Fix attachment api when file was not found in .faraday/storage
  • Fix visualization of the fields Policy Violations and References.
  • Add a setting in server.ini to display the Vulnerability Cost widget of the Dashboard
  • Fix status report resize when the browser console closes.
  • Fix severity dropdown when creating vulnerability templates
  • Update OS icons in the Web UI.
  • Fix bug when using custom fields, we must use the field_name instead of the display_name
  • Prevent creation of custom fields with the same name
  • Add custom fields to vuln templates.
  • Fix user's menu visibily when vuln detail is open
  • Remove "show all" option in the status report pagination
  • The activity feed widget of the dashboard now displays the hostname of the
    machine that runned each command
  • Add loading spinner in hosts report.
  • Fix "invalid dsn" bug in sql-shell
  • Fix hostnames bug in Nikto and Core Impact plugins
  • Change Openvas plugin: Low and Debug threats are not taken as vulnerabilities.
  • Add fplugin command to close vulns created after a certain time
  • Add list-plugins command to faraday-manage to see all available plugins
  • Fix a logging error in PluginBase class
  • Fix an error when using NexposePlugin from command line.
  • Add CSV parser to Dnsmap Plugin
  • Fix bug when creating web vulnerabilities in dirb plugin
  • Change Nexpose Severity Mappings.
Assets 7

@llazzaro llazzaro released this Apr 4, 2019 · 1274 commits to master since this release

  • New feature vulnerability preview to view vulnerability data.
  • Update Fierce Plugin. Import can be done from GTK console.
  • Update Goohost plugin and now Faraday imports Goohost .txt report.
  • Update plugin for support WPScan v-3.4.5
  • Update Qualysguard plugin to its version
  • Update custom fields with Searcher
  • Update Recon-ng Plugin so that it accepts XML reports
  • Add postresql version to status-change command
  • Couchdb configuration section will not be added anymore
  • Add unit test for config/default.xml
Assets 2

@llazzaro llazzaro released this Feb 21, 2019 · 1421 commits to master since this release

3.6 [Feb 21th, 2019]:

  • Fix CSRF (Cross-Site Request Forgery) vulnerability in vulnerability attachments API.
    This allowed an attacker to upload evidence to vulns. He/she required to know the
    desired workspace name and vulnerability id so it complicated the things a bit. We
    classified this vuln as a low impact one.
  • Readonly and disabled workspaces
  • Add fields 'impact', 'easeofresolution' and 'policyviolations' to vulnerability_template
  • Add pagination in 'Command history', 'Last Vulnerabilities', 'Activity logs' into dashboard
  • Add status_code field to web vulnerability
  • Preserve selection after bulk edition of vulnerabilities in the Web UI
  • Faraday's database will be created using UTF-8 encoding
  • Fix bug of "select a different workspace" from an empty list loop.
  • Fix bug when creating duplicate custom fields
  • Fix bug when loading in server.ini with extra configs
  • Fix ./ command. It wasn't working since the last schema migration
  • ./ createsuperuser command renamed to ./ create-superuser
  • Fix bug when non-numeric vulnerability IDs were passed to the attachments API
  • Fix logic in search exploits
  • Add ability to 'Searcher' to execute rules in loop with dynamic variables
  • Send searcher alert with custom mail
  • Add gitlab-ci.yml file to execute test and pylint on gitlab runner
  • Fix 500 error when updating services and vulns with specific read-only parameters set
  • Fix SQLMap plugin to support newer versions of the tool
  • Improve service's parser for Lynis plugin
  • Fix bug when parsing URLs in Acunetix reports
  • Fix and update NetSparker Plugin
  • Fix bug in nessus plugin. It was trying to create a host without IP. Enabled logs on the server for plugin processing (use --debug)
  • Fix bug when parsing hostnames in Nessus reports
  • Fix SSLyze report automatic detection, so reports can be imported from the web ui
  • Update Dnsmap Plugin
Assets 3

@llazzaro llazzaro released this Jan 18, 2019 · 1724 commits to master since this release

  • Redesgin of new/edit vulnerability forms
  • Add new custom fields feature to vulnerabilities
  • Add ./ migrate to perform alembic migrations
  • Faraday will use webargs==4.4.1 because webargs==5.0.0 fails with Python2
  • New system for online plugins using Threads, a few fixes for metasploit plugin online also.
  • Fix Command "python process-reports" now stops once all reports have been processed
  • Fix bug in query when it checks if a vulnerability or a workspace exists
  • Fix Once a workspace is created through the web UI, a folder with its name is created inside ~/.faraday/report/
  • The now has a new support funtionality that creates a .zip file with all the information faraday's support team will need to throubleshoot your issue
  • Status-check checks PostgreSQL encoding
  • Fix a bug when fail importation of reports, command duration say "In Progress" forever.
  • Fix confirmed bug in vulns API
  • Update websockets code to use latest lib version
  • bootstrap updated to v3.4.0
  • support now throws a message once it finishes the process.
  • Update Lynis to its version 2.7.1
  • Updated arp-scan plugin, added support in the Host class for mac address which was deprecated before v3.0
  • OpenVAS Plugin now supports OpenVAS v-9.0.3
Assets 3

@llazzaro llazzaro released this Dec 11, 2018 · 1950 commits to master since this release

  • In GTK, check active_workspace its not null
  • Add fbruteforce services fplugin
  • Attachments can be added to a vulnerability through the API.
  • Catch gaierror error on lynis plugin
  • Add OR and NOT with parenthesis support on status report search
  • Info API now is public
  • Web UI now detects Appscan plugin
  • Improve performance on the workspace using cusotm query
  • Workspaces can be set as active/disable in welcome page.
  • Change Nmap plugin, response field in VulnWeb now goes to Data field.
  • Update code to support latest SQLAlchemy version
  • Fix create_vuln fplugin bug that incorrectly reported duplicated vulns
Assets 2

@llazzaro llazzaro released this Nov 21, 2018 · 2051 commits to master since this release

  • Add workspace disable feature
  • Add mac vendor to host and services
  • Fix typos and add sorting in workspace name (workspace list view)
  • Improve warning when you try to select hosts instead of services as targets of a Vulnerability Web
  • Deleted old Nexpose plugin. Now Faraday uses Nexpose-Full.
  • Update sqlmap plugin
  • Add updated zap plugin
  • Add hostnames to nessus plugin
  • Python interpreter in SSLCheck plugin is not hardcoded anymore.
  • Fix importer key error when some data from couchdb didn't contain the "type" key
  • Fix AttributeError when importing vulns without exploitation from CouchDB
  • Fix KeyError in This issue occurred during the import of Vulnerability Templates
  • Fix error when file config.xml doesn't exist as the moment of executing initdb
  • Improve invalid credentials warning by indicating the user to run Faraday GTK with --login option
  • Fix typos in VulnDB and add two new vulnerabilities (Default Credentials, Privilege Escalation)
  • Improved tests performance with new versions of the Faker library
  • abort() calls were checked and changed to flask.abort()
Assets 3

@llazzaro llazzaro released this Oct 23, 2018 · 2165 commits to master since this release

  • Added logical operator AND to status report search
  • Restkit dependency removed.
  • Improvement on change-password
  • Add feature to show only unconfirmed vulns.
  • Add ssl information to status-check
  • Update wpscan plugin to support latest version.
  • Allow workspace names starting with numbers.
Assets 2

@Ezequieltbh Ezequieltbh released this Sep 24, 2018 · 2205 commits to master since this release

  • Fix bug: status_check
  • Fix bug: initdb
Assets 2

@Ezequieltbh Ezequieltbh released this Sep 20, 2018 · 2209 commits to master since this release

  • Fix get exploits API
  • New searcher feature
  • Added host_os column to status report
  • Fix and error while trying to execute server with --start
  • Added option --choose-password to initdb
  • Continous scan updated for Nessus 7
  • Refactor on server.config to remove globals
  • Added a directory for custom templates for executive reports (pro and corp)
  • Activity feed shows more results and allows to filter empty results
  • Allow ot create workspace that start with numbers
  • Added more variables to executive reports (pro and corp)
  • Fixed some value checking on tasks api (date field)
  • OpenVas plugin updated
  • Appscan plugin update
  • Added no confirmed vulns to report api
  • Fixed a bug on workspace API when the workspace already exists on database
  • Fix owner filter on status report
  • Fixes on import_csv fplugin when the api returned 409
  • Fixes on status_check
  • Fixed a bug on webui when workspace permission was changed (pro and corp)
  • Update nexpose plugin
  • Ugrid library updated to latest version
  • Bug fix on plugin automatic detection
  • Fixed a bug on executive reports when multiple reports were scheduled
  • Avoid closing the executive report and new vuln modal when the form has data
  • Status report open new tab for evidence
  • Added change_password to
  • Update wapiti plugin
  • Fixed vuln count on executive report (pro and corp)
  • Fixed css align in some tables
  • Fixed No ports available error on the client
Assets 2
You can’t perform that action at this time.