Arachni

Arachni是一個多功能、模塊化、高性能的Ruby框架，旨在幫助安全測試人員和管理員評估web應用程序的安全性。同時Arachni開源免費，可安裝在windows、linux以及mac系統上，並且可導出評估報告。

一、Arachni下載與啓動，以LInux環境爲例

下載地址：http://www.arachni-scanner.com/download/

解壓文件arachni-1.5.1-0.5.12-darwin-x86_64.tar.gz，然後進入arachni-1.5.1-0.5.12目錄下的bin文件夾，運行./arachni_web，隨後瀏覽器訪問http://localhost:9292

二、Arachni配置掃描

Arachni目錄裏有關於該工具的簡單使用說明，也可以找到安裝後的初始用戶名和密碼

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61

tdcqma:arachni-1.5.1-0.5.12 $ ls LICENSE     TROUBLESHOOTING bin README      VERSION     system tdcqma:arachni-1.5.1-0.5.12 $ cat README    Arachni - Web Application Security Scanner Framework   Homepage           - http://arachni-scanner.com Blog               - http://arachni-scanner.com/blog Documentation      - https://github.com/Arachni/arachni/wiki Support            - http://support.arachni-scanner.com GitHub page        - http://github.com/Arachni/arachni Code Documentation - http://rubydoc.info/github/Arachni/arachni Author             - Tasos "Zapotek" Laskos (http://twitter.com/Zap0tek) Twitter            - http://twitter.com/ArachniScanner Copyright          - 2010-2017 Sarosys LLC License            - Arachni Public Source License v1.0 -- see LICENSE file) --------------------------------------------------------------------------------   To use Arachni run the executables under "bin/".   To launch the Web interface:     bin/arachni_web   Default account details:       Administrator:         E-mail address: [email protected]         Password:       administrator       User:         E-mail address: [email protected]         Password:       regular_user   For a quick scan: via the command-line interface:     bin/arachni http://test.com   To see the available CLI options:     bin/arachni -h   For detailed documentation see:     http://arachni-scanner.com/wiki/User-guide   Upgrading/migrating --------------   To migrate your existing data into this new package please see:       https://github.com/Arachni/arachni-ui-web/wiki/upgrading   Troubleshooting -------------- See the included TROUBLESHOOTING file.   Disclaimer -------------- Arachni is free software and you are allowed to use it as you see fit. However, I can't be held responsible for your actions or for any damage caused by the use of this software.   Copying -------------- For the Arachni license please see the LICENSE file.   The bundled PhantomJS (http://phantomjs.org/) executable is distributed under the BSD license:     https://github.com/ariya/phantomjs/blob/master/LICENSE.BSD tdcqma:arachni-1.5.1-0.5.12 $

 瀏覽器訪問http://localhost:9292，進入登錄頁面

登錄後點擊右上角的Administrator-》Edit account進行修改默認密碼

新建掃描，Scans-》+New並配置掃描選項，安全策略包括XSS、SQL注入等，默認情況下選Default即可。

掃描結果分析，檢出弱點總數及漏洞分類一覽

點擊awaiting review進入漏洞詳細說明界面

報告導出，以HTML格式爲例

 查看報告，包括總結圖表及漏洞詳細說明