Web Application Security Scanner Framework
Under Other
By Arachni

javascript crawler web-application hacking xss hack ruby modular security-audit detection scanner analysis penetration-testing dom audit sql-injection scanners arachni vulnerability-detection


This project is no longer maintained, for details please read:

Arachni - Web Application Security Scanner Framework






Code Documentation


Tasos Laskos (@Zap0tek)


2010-2017 Sarosys LLC

Arachni Public Source License v1.0 - (see LICENSE file)


Arachni is a feature-full, modular, high-performance Ruby framework aimed towards
helping penetration testers and administrators evaluate the security of web applications.

It is smart, it trains itself by monitoring and learning from the web application's
behavior during the scan process and is able to perform meta-analysis using a number of
factors in order to correctly assess the trustworthiness of results and intelligently
identify (or avoid) false-positives.

Unlike other scanners, it takes into account the dynamic nature of web applications,
can detect changes caused while travelling through the paths of a web application’s
cyclomatic complexity and is able to adjust itself accordingly. This way, attack/input
vectors that would otherwise be undetectable by non-humans can be handled seamlessly.

Moreover, due to its integrated browser environment, it can also audit and inspect
client-side code, as well as support highly complicated web applications which make
heavy use of technologies such as JavaScript, HTML5, DOM manipulation and AJAX.

Finally, it is versatile enough to cover a great deal of use cases, ranging from
a simple command line scanner utility, to a global high performance grid of
scanners, to a Ruby library allowing for scripted audits, to a multi-user
multi-scan web collaboration platform.

Note: Despite the fact that Arachni is mostly targeted towards web application
security, it can easily be used for general purpose scraping, data-mining, etc.
with the addition of custom components.

Arachni offers:
A stable, efficient, high-performance framework

Check, report and plugin developers are allowed to easily and quickly create and
deploy their components with the minimum amount of restrictions imposed upon them,
while provided with the necessary infrastructure to accomplish their goals.

Furthermore, they are encouraged to take full advantage of the Ruby language under
a unified framework that will increase their productivity without stifling them
or complicating their tasks.

Moreover, that same framework can be utilized as any other Ruby library and lead
to the development of brand new scanners or help you create highly customized
scan/audit scenarios and/or scripted scans.


Although some parts of the Framework are fairly complex you will never have to deal them directly.
From a user’s or a component developer’s point of view everything appears simple
and straight-forward all the while providing power, performance and flexibility.

From the simple command-line utility scanner to the intuitive and user-friendly
Web interface and collaboration platform, Arachni follows the principle of least
surprise and provides you with plenty of feedback and guidance.

In simple terms

Arachni is designed to automatically detect security issues in web applications.
All it expects is the URL of the target website and after a while it will present
you with its findings.


Integrated browser environment

Arachni includes an integrated, real browser environment in order to provide
sufficient coverage to modern web applications which make use of technologies
such as HTML5, JavaScript, DOM manipulation, AJAX, etc.

In addition to the monitoring of the vanilla DOM and JavaScript environments,
Arachni's browsers also hook into popular frameworks to make the logged data
easier to digest:

In essence, this turns Arachni into a DOM and JavaScript debugger, allowing it to
monitor DOM events and JavaScript data and execution flows. As a result, not only
can the system trigger and identify DOM-based issues, but it will accompany them
with a great deal of information regarding the state of the page at the time.

Relevant information include:

In essence, you have access to roughly the same information that your favorite
debugger (for example, FireBug) would provide, as if you had set a breakpoint to
take place at the right time for identifying an issue.


The browser-cluster is what coordinates the browser analysis of resources and
allows the system to perform operations which would normally be quite time
consuming in a high-performance fashion.

Configuration options include:


The system can provide great coverage to modern web applications due to its
integrated browser environment. This allows it to interact with complex applications
that make heavy use of client-side code (like JavaScript) just like a human would.

In addition to that, it also knows about which browser state changes the application
has been programmed to handle and is able to trigger them programatically in
order to provide coverage for a full set of possible scenarios.

By inspecting all possible pages and their states (when using client-side code)
Arachni is able to extract and audit the following elements and their inputs:

Open distributed architecture

Arachni is designed to fit into your workflow and easily integrate with your
existing infrastructure.

Depending on the level of control you require over the process, you can either
choose the REST service or the custom RPC protocol.

Both approaches allow you to:



Scope configuration



Arachni is a highly modular system, employing several components of distinct
types to perform its duties.

In addition to enabling or disabling the bundled components so as to adjust the
system's behavior and features as needed, functionality can be extended via the
addition of user-created components to suit almost every need.

Platform fingerprinters

In order to make efficient use of the available bandwidth, Arachni performs
rudimentary platform fingerprinting and tailors the audit process to the server-side
deployed technologies by only using applicable payloads.

Currently, the following platforms can be identified:

The user also has the option of specifying extra platforms (like a DB server)
in order to help the system be as efficient as possible. Alternatively, fingerprinting
can be disabled altogether.

Finally, Arachni will always err on the side of caution and send all available
payloads when it fails to identify specific platforms.


Checks are system components which perform security checks and log issues.


Active checks engage the web application via its inputs.


Passive checks look for the existence of files, folders and signatures.



Plugins add extra functionality to the system in a modular fashion, this way the
core remains lean and makes it easy for anyone to add arbitrary functionality.


Default plugins will run for every scan and are placed under /plugins/defaults/.


Plugins under /plugins/defaults/meta/ perform analysis on the scan results
to determine trustworthiness or just add context information or general insights.

Trainer subsystem

The Trainer is what enables Arachni to learn from the scan it performs and
incorporate that knowledge, on the fly, for the duration of the audit.

Checks have the ability to individually force the Framework to learn from the
HTTP responses they are going to induce.

However, this is usually not required since Arachni is aware of which requests
are more likely to uncover new elements or attack vectors and will adapt itself

Still, this can be an invaluable asset to Fuzzer checks.

Running the specs

You can run rake spec to run all specs or you can run them selectively using the following:

rake spec:core            # for the core libraries
rake spec:checks # for the checks
rake spec:plugins # for the plugins
rake spec:reports # for the reports
rake spec:path_extractors # for the path extractors

Please be warned, the core specs will require a beast of a machine due to the
necessity to test the Grid/multi-Instance features of the system.

Note: The check specs will take many hours to complete due to the timing-attack tests.

Bug reports/Feature requests

Submit bugs using GitHub Issues and
get support via the Support Portal.


(Before starting any work, please read the instructions
for working with the source code.)

We're happy to accept help from fellow code-monkeys and these are the steps you
need to follow in order to contribute code:


Arachni Public Source License v1.0 -- please see the LICENSE file for more information.