"Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications."
The Hacker News


This is the official change log:
  • Major performance improvements
  • Major system refactoring and code clean-up
  • Major module API refactoring providing even more flexibility regarding element auditing and manipulation
  • Integration with the Metasploit Framework via: (New)
    • ArachniMetareport, an Arachni report specifically designed to provide WebApp context to the Metasploit framework.
    • Arachni plug-in for the Metasploit framework, used to load the ArachniMetareport in order to provide advanced automated and manual exploitation of WebApp vulnerabilities.
    • Advanced generic WebApp exploit modules for the Metasploit framework, utilized either manually or automatically by the Arachni MSF plug-in.
  • Improved Blind SQL Injection module, significantly less requests per audit.
  • XMLRPC server (New)
  • XMLRPC CLI client (New)
  • NTLM authentication support (New)
  • Support for path extractor modules for the Spider (New)
  • Path extractors: (New)
    • Generic — extracts URLs from arbitrary text
    • Anchors
    • Form actions
    • Frame sources
    • Links
    • META refresh
    • Script 'src' and script code
    • Sitemap
  • Plug-in support — allowing the framework to be extended with virtually any functionality (New).
  • Added plug-ins: (New)
    • Passive proxy
    • Automated login
  • Added modules: (New)
    • Audit
      • XPath injection
      • LDAP injection
    • Recon
      • CVS/SVN user disclosure
      • Private IP address disclosure
      • Robot file reader (in the Common Files module)
      • XST
      • WebDAV detection
      • Allowed HTTP methods
      • Credit card number disclosure
      • HTTP PUT support
  • Extended proxy support (SOCKS4, SOCKS4A, SOCKS5, HTTP/1.1 and HTTP/1.0). (New)
This release adds many improvements, optimizations, new features and components. We have new modules, plug-in support, modular path extractors for the Spider, XMLRPC Client/Server interfaces and probably more stuff I'm currently incapable of recalling. The new plug-in functionality has been used to implement a passive proxy and an automated login plug-in allowing for scripted, form based, authentication. Using the passive proxy you can selectively choose the pages you want to audit by browsing them, login to the web-application and enable Arachni to audit AJAX based web pages by allowing it to see what your browser sees. The AutoLogin plug-in enables the framework to log-in to a given web application before the scanning process starts and alleviates the need to go through the hassle of creating and setting your own cookie-jar. The new XMLRPC services allow for remote and distributed –agent-like– deployment of Arachni.

Download Arachni v0.2.1 (arachni-v0.2.1.tar.gz) here.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.