Arachni is a versatile, modular, high-performance Ruby framework designed to help security testers and administrators assess the security of web applications. It is open source and free of charge, runs on Windows, Linux and macOS, and can export assessment reports.
1. Downloading and starting Arachni (Unix-like environment; the archive used below is the macOS build, the Linux package from the same download page is laid out identically)
Download page: http://www.arachni-scanner.com/download/
Extract arachni-1.5.1-0.5.12-darwin-x86_64.tar.gz (despite the "Linux" heading, this is the macOS build; the steps are the same for the Linux package), change into the bin folder under the arachni-1.5.1-0.5.12 directory and run ./arachni_web, then open http://localhost:9292 in a browser.
2. Configuring a scan in Arachni
The Arachni directory contains brief usage notes for the tool, including the default accounts and passwords the package ships with:
```text
tdcqma:arachni-1.5.1-0.5.12 $ ls
LICENSE          TROUBLESHOOTING  bin
README           VERSION          system
tdcqma:arachni-1.5.1-0.5.12 $ cat README
Arachni - Web Application Security Scanner Framework

Homepage           - http://arachni-scanner.com
Blog               - http://arachni-scanner.com/blog
Documentation      - https://github.com/Arachni/arachni/wiki
Support            - http://support.arachni-scanner.com
GitHub page        - http://github.com/Arachni/arachni
Code Documentation - http://rubydoc.info/github/Arachni/arachni
Author             - Tasos "Zapotek" Laskos (http://twitter.com/Zap0tek)
Twitter            - http://twitter.com/ArachniScanner
Copyright          - 2010-2017 Sarosys LLC
License            - Arachni Public Source License v1.0 -- see LICENSE file

------------------------------------------------------------------------------

To use Arachni run the executables under "bin/".

To launch the Web interface:
    bin/arachni_web

Default account details:
    Administrator:
        Password: administrator
    User:
        Password: regular_user

For a quick scan:
    via the command-line interface:
        bin/arachni http://test.com

To see the available CLI options:
    bin/arachni -h

For detailed documentation see: http://arachni-scanner.com/wiki/User-guide

Upgrading/migrating
--------------------

To migrate your existing data into this new package please see:
    https://github.com/Arachni/arachni-ui-web/wiki/upgrading

Troubleshooting
--------------------

See the included TROUBLESHOOTING file.

Disclaimer
--------------------

Arachni is free software and you are allowed to use it as you see fit.
However, I can't be held responsible for your actions or for any damage
caused by the use of this software.

Copying
--------------------

For the Arachni license please see the LICENSE file.

The bundled PhantomJS (http://phantomjs.org/) executable is distributed
under the BSD license:
    https://github.com/ariya/phantomjs/blob/master/LICENSE.BSD
tdcqma:arachni-1.5.1-0.5.12 $
```
Open http://localhost:9292 in a browser to reach the login page.
After logging in, click Administrator -> Edit account in the top-right corner to change the default password. The README above publishes the passwords of both built-in accounts (administrator and regular_user), so change the regular User's password as well before the web interface is reachable by anyone other than yourself.
Create a scan via Scans -> + New and set the scan options. The checks cover XSS, SQL injection and other issue classes; the Default profile is sufficient in most cases.
Analysing the results: the scan page lists the total number of issues detected and a breakdown by issue type.
Click "awaiting review" to open the detailed description of each issue.
Exporting the report, using the HTML format as an example.
The report contains summary charts and the detailed description of every issue.
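The web UI's summary view (total issues, breakdown by type, issues still awaiting review) is easy to reproduce from an exported report when you need to triage many scans or feed results into a ticketing system. The script below is an added example written for this page, not Arachni's own code: it reads an Arachni report in JSON form and groups the issues by severity, by check, and by the injection point they share, so that one fix location (for example a single unsanitised query parameter) is visible even when it produced several distinct findings. The sample report embedded in the script is constructed and abridged to the fields the script reads; it assumes the issue objects carry `severity`, `trusted`, `check.shortname` and `vector` (`method`, `action`, `affected_input_name`) keys, and that `trusted: false` marks findings Arachni could not verify on its own. Real reports contain many more fields.

```ruby
require 'json'

# Constructed, abridged sample of an Arachni JSON report (assumption: the real
# report carries these keys plus many more, e.g. sitemap, options, plugins).
SAMPLE_REPORT = <<~JSON
{
  "version": "1.5.1",
  "start_datetime": "2017-06-01 10:00:00 +0000",
  "finish_datetime": "2017-06-01 10:42:00 +0000",
  "issues": [
    {"name": "Cross-Site Scripting (XSS)", "severity": "high", "trusted": true,
     "check": {"shortname": "xss"},
     "vector": {"class": "Arachni::Element::Form", "method": "post",
                "action": "http://testsite.example/search", "affected_input_name": "q"}},
    {"name": "Cross-Site Scripting (XSS)", "severity": "high", "trusted": true,
     "check": {"shortname": "xss"},
     "vector": {"class": "Arachni::Element::Link", "method": "get",
                "action": "http://testsite.example/item", "affected_input_name": "id"}},
    {"name": "SQL Injection", "severity": "high", "trusted": true,
     "check": {"shortname": "sql_injection"},
     "vector": {"class": "Arachni::Element::Link", "method": "get",
                "action": "http://testsite.example/item", "affected_input_name": "id"}},
    {"name": "Blind SQL Injection (timing attack)", "severity": "high", "trusted": false,
     "check": {"shortname": "sql_injection_timing"},
     "vector": {"class": "Arachni::Element::Form", "method": "post",
                "action": "http://testsite.example/login", "affected_input_name": "user"}},
    {"name": "Missing 'X-Frame-Options' header", "severity": "low", "trusted": true,
     "check": {"shortname": "x_frame_options"},
     "vector": {"class": "Arachni::Element::Server", "method": "get",
                "action": "http://testsite.example/"}}
  ]
}
JSON

# Arachni's severity levels, most severe first.
SEVERITY_ORDER = %w[high medium low informational].freeze

def load_issues(json_text)
  JSON.parse(json_text).fetch('issues', [])
end

# Issue count per severity, ordered like the UI (high first).
def severity_counts(issues)
  counts = issues.group_by { |i| i['severity'] }.transform_values(&:size)
  counts.sort_by { |sev, _| SEVERITY_ORDER.index(sev) || SEVERITY_ORDER.size }.to_h
end

# Issue count per check (the scanner module that raised the finding).
def check_counts(issues)
  issues.group_by { |i| i.dig('check', 'shortname') }.transform_values(&:size)
end

# Findings the scanner could not confirm (assumption: trusted == false, as with
# timing-based checks); these are the ones worth a manual re-test first.
def untrusted(issues)
  issues.reject { |i| i['trusted'] }
end

# "METHOD action [input]" key identifying where the payload was injected.
def injection_point(issue)
  v = issue.fetch('vector')
  target = "#{v['method'].to_s.upcase} #{v['action']}"
  input = v['affected_input_name']
  input ? "#{target} [#{input}]" : target
end

# Distinct issue names per injection point: one input hit by several checks
# usually means one missing validation/encoding fix.
def injection_points(issues)
  issues.group_by { |i| injection_point(i) }
        .transform_values { |list| list.map { |i| i['name'] }.uniq.sort }
end

def summarize(json_text)
  issues = load_issues(json_text)
  {
    total: issues.size,
    by_severity: severity_counts(issues),
    by_check: check_counts(issues),
    untrusted: untrusted(issues).size,
    injection_points: injection_points(issues)
  }
end

if $PROGRAM_NAME == __FILE__
  # Pass the path of a real JSON report as the first argument; without one the
  # constructed sample above is summarised.
  s = summarize(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_REPORT)
  puts "#{s[:total]} issues (#{s[:untrusted]} untrusted, need manual review)"
  s[:by_severity].each { |sev, n| puts "  #{sev.ljust(13)} #{n}" }
  puts 'By check:'
  s[:by_check].sort_by { |_, n| -n }.each { |c, n| puts "  #{c.ljust(22)} #{n}" }
  puts 'Injection points:'
  s[:injection_points].each { |p, names| puts "  #{p}: #{names.join(', ')}" }
end
```

On the sample, the two "high" findings against `GET http://testsite.example/item [id]` collapse into a single injection point, which is what you would hand to the developers as one ticket, while the timing-based blind SQL injection is singled out as untrusted so it is re-tested before being reported.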