Web安全扫描工具-Arachni

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Web安全扫描工具-Arachni相关的知识,希望对你有一定的参考价值。

Arachni是一个多功能、模块化、高性能的Ruby框架,旨在帮助渗透测试人员和管理员评估web应用程序的安全性。同时Arachni开源免费,可安装在windows、linux以及mac系统上,并且可导出评估报告。

一、Arachni下载与启动,以LInux环境为例

下载地址:http://www.arachni-scanner.com/download/

解压文件arachni-1.5.1-0.5.12-darwin-x86_64.tar.gz,然后进入arachni-1.5.1-0.5.12目录下的bin文件夹,运行./arachni_web,随后浏览器访问http://localhost:9292

二、Arachni配置扫描

Arachni目录里有关于该工具的简单使用说明,也可以找到安装后的初始用户名和密码

tdcqma:arachni-1.5.1-0.5.12 $ ls
LICENSE		TROUBLESHOOTING	bin
README		VERSION		system
tdcqma:arachni-1.5.1-0.5.12 $ cat README 
   Arachni - Web Application Security Scanner Framework

Homepage           - http://arachni-scanner.com
Blog               - http://arachni-scanner.com/blog
Documentation      - https://github.com/Arachni/arachni/wiki
Support            - http://support.arachni-scanner.com
GitHub page        - http://github.com/Arachni/arachni
Code Documentation - http://rubydoc.info/github/Arachni/arachni
Author             - Tasos "Zapotek" Laskos (http://twitter.com/Zap0tek)
Twitter            - http://twitter.com/ArachniScanner
Copyright          - 2010-2017 Sarosys LLC
License            - Arachni Public Source License v1.0 -- see LICENSE file)
--------------------------------------------------------------------------------

To use Arachni run the executables under "bin/".

To launch the Web interface:
    bin/arachni_web

Default account details:

    Administrator:
        E-mail address: [email protected]
        Password:       administrator

    User:
        E-mail address: [email protected]
        Password:       regular_user

For a quick scan: via the command-line interface:
    bin/arachni http://test.com

To see the available CLI options:
    bin/arachni -h

For detailed documentation see:
    http://arachni-scanner.com/wiki/User-guide

Upgrading/migrating
--------------

To migrate your existing data into this new package please see:

    https://github.com/Arachni/arachni-ui-web/wiki/upgrading

Troubleshooting
--------------
See the included TROUBLESHOOTING file.

Disclaimer
--------------
Arachni is free software and you are allowed to use it as you see fit.
However, I can‘t be held responsible for your actions or for any damage
caused by the use of this software.

Copying
--------------
For the Arachni license please see the LICENSE file.

The bundled PhantomJS (http://phantomjs.org/) executable is distributed
under the BSD license:
    https://github.com/ariya/phantomjs/blob/master/LICENSE.BSD
tdcqma:arachni-1.5.1-0.5.12 $ 

 浏览器访问http://localhost:9292,进入登录页面

技术分享

登录后点击右上角的Administrator-》Edit account进行修改默认密码

技术分享 

技术分享

新建扫描,Scans-》+New并配置扫描选项,安全策略包括XSS、SQL注入等,默认情况下选Default即可。

技术分享

扫描结果分析,检出弱点总数及漏洞分类一览

技术分享

点击awaiting review进入漏洞详细说明界面

技术分享

技术分享

报告导出,以html格式为例

技术分享

 查看报告,包括总结图表及漏洞详细说明

技术分享

技术分享

以上是关于Web安全扫描工具-Arachni的主要内容,如果未能解决你的问题,请参考以下文章

linux web漏洞扫描arachni

linux安装Arachni进行web网站扫描

linux安装Arachni进行web网站扫描

Arachni 之Docker 部署使用笔记

安全牛学习笔记Arachni

ini Web服务器安全性片段