Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications. It is free, with its source code public and available for review. It is multi-platform, supporting all major operating systems (MS Windows, Mac OS X and Linux) and distributed via portable packages which allow for instant deployment.
It is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform. In addition, its simple REST API makes integration a cinch.
Plugins add extra functionality to the system in a modular fashion; this way the core remains lean, and anyone can easily add arbitrary functionality.
proxy — Analyzes requests and responses between the web app and the browser, assisting in AJAX audits, logging in and/or restricting the scope of the audit.
cookie_collector — Keeps track of cookies while establishing a timeline of changes.
waf_detector — Establishes a baseline of normal behavior and uses rDiff analysis to determine whether malicious inputs cause any behavioral changes.
beep_notify — Beeps when the scan finishes.
email_notify — Sends a notification (and optionally a report) over SMTP at the end of the scan.
vector_feed — Reads in vector data from which it creates elements to be audited. Can be used to perform extremely specialized/narrow audits on a per-vector/element basis. Useful for unit-testing or a gazillion other things.
script — Loads and runs an external Ruby script under the scope of a plugin; used for debugging and general hackery.
uncommon_headers — Logs uncommon headers.
content_types — Logs the content types of server responses, aiding in the identification of interesting (possibly leaked) files.