Arachni是一个多功能、模块化、高性能的Ruby框架,旨在帮助安全测试人员和管理员评估web应用程序的安全性。同时Arachni开源免费,可安装在windows、linux以及mac系统上,并且可导出评估报告。

一、Arachni下载与启动,以LInux环境为例

下载地址:http://www.arachni-scanner.com/download/

解压文件arachni-1.5.1-0.5.12-darwin-x86_64.tar.gz,然后进入arachni-1.5.1-0.5.12目录下的bin文件夹,运行./arachni_web,随后浏览器访问http://localhost:9292

二、Arachni配置扫描

Arachni目录里有关于该工具的简单使用说明,也可以找到安装后的初始用户名和密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
tdcqma:arachni - 1.5 . 1 - 0.5 . 12   $ ls
LICENSE     TROUBLESHOOTING  bin
README      VERSION     system
tdcqma:arachni - 1.5 . 1 - 0.5 . 12   $ cat README
    Arachni  -   Web Application Security Scanner Framework
 
Homepage            -   http: / / arachni - scanner.com
Blog                -   http: / / arachni - scanner.com / blog
Documentation       -   https: / / github.com / Arachni / arachni / wiki
Support             -   http: / / support.arachni - scanner.com
GitHub page         -   http: / / github.com / Arachni / arachni
Code Documentation  -   http: / / rubydoc.info / github / Arachni / arachni
Author              -   Tasos  "Zapotek"   Laskos (http: / / twitter.com / Zap0tek)
Twitter             -   http: / / twitter.com / ArachniScanner
Copyright           -   2010 - 2017   Sarosys LLC
License             -   Arachni Public Source License v1. 0   - -   see LICENSE  file )
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
To use Arachni run the executables under  "bin/" .
 
To launch the Web interface:
     bin / arachni_web
 
Default account details:
 
     Administrator:
         E - mail address: admin@admin.admin
         Password:       administrator
 
     User:
         E - mail address: user@user.user
         Password:       regular_user
 
For a quick scan: via the command - line interface:
     bin / arachni http: / / test.com
 
To see the available CLI options:
     bin / arachni  - h
 
For detailed documentation see:
     http: / / arachni - scanner.com / wiki / User - guide
 
Upgrading / migrating
- - - - - - - - - - - - - -
 
To migrate your existing data into this new package please see:
 
     https: / / github.com / Arachni / arachni - ui - web / wiki / upgrading
 
Troubleshooting
- - - - - - - - - - - - - -
See the included TROUBLESHOOTING  file .
 
Disclaimer
- - - - - - - - - - - - - -
Arachni  is   free software  and   you are allowed to use it as you see fit.
However, I can't be held responsible  for   your actions  or   for   any   damage
caused by the use of this software.
 
Copying
- - - - - - - - - - - - - -
For the Arachni license please see the LICENSE  file .
 
The bundled PhantomJS (http: / / phantomjs.org / ) executable  is   distributed
under the BSD license:
     https: / / github.com / ariya / phantomjs / blob / master / LICENSE.BSD
tdcqma:arachni - 1.5 . 1 - 0.5 . 12   $


 浏览器访问http://localhost:9292,进入登录页面

image.png

登录后点击右上角的Administrator-》Edit account进行修改默认密码

image.png


新建扫描,Scans-》+New并配置扫描选项,安全策略包括XSS、SQL注入等,默认情况下选Default即可。

image.png

扫描结果分析,检出弱点总数及漏洞分类一览

image.png

点击awaiting review进入漏洞详细说明界面

image.png


报告导出,以HTML格式为例

image.png

 查看报告,包括总结图表及漏洞详细说明

image.png