Programmatically scanning using Arachni (Part 1)

This concept has come to my mind a few times although I kept forgetting to write it up.
This article will focus on demonstrating how to perform a scan using Arachni from your own Ruby scripts/programs.

Prologue

Arachni has been designed to be modular by way of components — from very specific (reports and modules) to highly generalised (plug-ins).
The first have a single purpose, the latter are there to allow you to do pretty much anything you want while manipulating data and/or the system from the inside.

So you’ve already got a place to put your code if you want to perform a common, restricted and focused operation without fear of shooting yourself in the foot or bringing down the system. And you also have a place to put your code if you want to perform complex and abstract operations while being able to take advantage of a ready-set environment that can provide you with a wealth of features and information.

All of the above though put you inside the framework — inside the proverbial box if you will.
What if you want to jump out of the box like a stripper hiding inside a huge cake though?

Lucky for you I’m an obsessive bastard with sleep issues so once the idea to demo this came into my head I knew I would be unable to sleep until I got it out.

Why would you want to do this?

I haven’t got a damn clue…that’s your business; I can show you how though.
But some things do come to mind, like adding security testing for your web application straight into your test suite.

So in the near future you may be able to perform a lightning fast security check for your Rails webapp simply by running:

Or you may prefer to have complete control over what and how it’s audited down to the individual element.

Getting started

Arachni consists of a collection of classes which are driven by the Framework which is, in turn, driven by one of the User Interfaces.

Each class focuses on a specific and individual task like providing an HTTP client, managing components, storing options, crawling a website etc.
Some of these classes are there simply to order a few of the others around and the Framework is the Grand Poobah.
It takes your options and configures the other classes accordingly, cracks the whip when you tell it to run the audit, cleans up after itself and provides access to all knowledge gathered during the scan at any given point.

So it has a lot of goodies and booty you can take home.

Like I said, Arachni is simply a collection of classes… classes to which you can have direct access, so if you want you can be the one to boss them around.
Enough talking, let’s see some code — I’ll be working with the code in the experimental branch so I’m assuming that you’ve got that installed as well.

Arachni::UI::Output

First of all, Arachni needs an Arachni::UI::Output module which is used to provide a system-wide output interface — every user interface must implement this module.

I decided on this design when I first started learning Ruby and working on Arachni so I didn’t know any better back then.
I still haven’t figured out if this was a brilliant idea or the stupidest thing I’ve done though.

By making this module available, every class in the system automatically knows who to ask if it wants to output something.
On the other hand, this is pretty much hardcoded everywhere.
On the other other hand (don’t keep count) you’d have to hardcode something anyways, so why not this?

In any case, since it’s necessary let’s at least put it in the namespace; for this we’ll use the one provided by the CLI interface.

If you’re curious, this is what the Output module does:

Output:

If your terminal supports colors you’ll see these messages color coded.

Arachni::Options

The Options class is a Singleton, which means that only one instance of it shall exist.
As you might have guessed, it holds system options and comes preconfigured with some default settings and paths.

For convenience’s sake, this is the options object that pretty much all classes expect and share.

Arachni::Framework

Enough with the boring stuff, let’s dive right in!

Congrats, you now have a framework to work with! Let’s see what we can do with it…

Auditing a single page

using #{issue.method}."
# => Cross-Site Scripting (XSS) at http://testfire.net/search.aspx in form input txtSearch using GET.

Et voila!
I bet you didn't think it'd be that easy right? ;)
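Taking the test-suite idea from above one step further, here is an added example (not code from the original post or from Arachni itself) of a small gate that turns the issues a scan reports into a pass/fail decision, printing each finding in the same shape as the output line shown above. It assumes each issue responds to name, url, elem, var, method and severity; only #method is visible in the post, the rest are assumptions, and the sample issues are constructed.

```ruby
# Added example, not part of Arachni. Issue mirrors the fields the post's
# output line needs; the attribute names other than #method are assumptions.
Issue = Struct.new(:name, :url, :elem, :var, :method, :severity, keyword_init: true)

SEVERITIES = %w[informational low medium high].freeze

class ScanGate
  # min_severity: lowest severity that fails the build.
  # known: keys (see #key) of findings already tracked elsewhere, so they
  # do not break the build again while still being reported.
  def initialize(min_severity: 'medium', known: [])
    @min = SEVERITIES.index(min_severity.to_s)
    raise ArgumentError, "unknown severity #{min_severity}" unless @min
    @known = known
  end

  # Same shape as the line the post prints for an XSS finding.
  def describe(issue)
    "#{issue.name} at #{issue.url} in #{issue.elem} input #{issue.var} using #{issue.method}."
  end

  # Stable identity, so one finding can be accepted without silencing every
  # other issue of the same type.
  def key(issue)
    [issue.name, issue.url, issue.elem, issue.var, issue.method].join('|')
  end

  # Issues that should break the build: severe enough and not already known.
  # An unrecognised severity is treated as the highest one (fail closed).
  def blocking(issues)
    issues.uniq { |i| key(i) }
          .reject { |i| @known.include?(key(i)) }
          .select { |i| (SEVERITIES.index(i.severity.to_s) || SEVERITIES.size - 1) >= @min }
  end

  def pass?(issues)
    blocking(issues).each { |i| warn describe(i) }.empty?
  end
end

# Constructed sample issues, shaped like what a scan of the page's example
# target might report (the duplicate is deliberate: scanners often repeat findings).
SAMPLE_ISSUES = [
  Issue.new(name: 'Cross-Site Scripting (XSS)', url: 'http://testfire.net/search.aspx',
            elem: 'form', var: 'txtSearch', method: 'GET', severity: 'high'),
  Issue.new(name: 'Cross-Site Scripting (XSS)', url: 'http://testfire.net/search.aspx',
            elem: 'form', var: 'txtSearch', method: 'GET', severity: 'high'),
  Issue.new(name: 'Missing X-Frame-Options header', url: 'http://testfire.net/',
            elem: 'server', var: nil, method: 'GET', severity: 'low')
].freeze
```

In a test suite you would feed the gate the framework's collected issues and fail the test when `pass?` returns false.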

More cool stuff on the next part...


Posted in: Arachni, Programming, Projects, Ruby, Security, Web Application
