Arachni是一个多功能、模块化、高性能的Ruby框架，旨在帮助渗透测试人员和管理员评估web应用程序的安全性。同时Arachni开源免费，可安装在windows、linux以及mac系统上，并且可导出评估报告。

一、Arachni下载与启动，以LInux环境为例

下载地址：http://www.arachni-scanner.com/download/

解压文件arachni-1.5.1-0.5.12-darwin-x86_64.tar.gz，然后进入arachni-1.5.1-0.5.12目录下的bin文件夹，运行./arachni_web，随后浏览器访问http://localhost:9292

二、Arachni配置扫描

Arachni目录里有关于该工具的简单使用说明，也可以找到安装后的初始用户名和密码

tdcqma:arachni-1.5.1-0.5.12 $ ls

LICENSETROUBLESHOOTINGbin

READMEVERSIONsystem

tdcqma:arachni-1.5.1-0.5.12 $ cat README

Arachni - Web Application Security Scanner Framework

Homepage - http://arachni-scanner.com

Blog - http://arachni-scanner.com/blog

Documentation - https://github.com/Arachni/arachni/wiki

Support - http://support.arachni-scanner.com

GitHub page - http://github.com/Arachni/arachni

Code Documentation - http://rubydoc.info/github/Arachni/arachni

Author - Tasos "Zapotek" Laskos (http://twitter.com/Zap0tek)

Twitter - http://twitter.com/ArachniScanner

Copyright - 2010-2017 Sarosys LLC

License - Arachni Public Source License v1.0 -- see LICENSE file)

--------------------------------------------------------------------------------

To use Arachni run the executables under "bin/".

To launch the Web interface:

bin/arachni_web

Default account details:

Administrator:

E-mail address: admin@admin.admin

Password: administrator

User:

E-mail address: user@user.user

Password: regular_user

For a quick scan: via the command-line interface:

bin/arachni http://test.com

To see the available CLI options:

bin/arachni -h

For detailed documentation see:

http://arachni-scanner.com/wiki/User-guide

Upgrading/migrating

--------------

To migrate your existing data into this new package please see:

https://github.com/Arachni/arachni-ui-web/wiki/upgrading

Troubleshooting

--------------

See the included TROUBLESHOOTING file.

Disclaimer

--------------

Arachni is free software and you are allowed to use it as you see fit.

However, I can‘t be held responsible for your actions or for any damage

caused by the use of this software.

Copying

--------------

For the Arachni license please see the LICENSE file.

The bundled PhantomJS (http://phantomjs.org/) executable is distributed

under the BSD license:

https://github.com/ariya/phantomjs/blob/master/LICENSE.BSD

tdcqma:arachni-1.5.1-0.5.12 $

浏览器访问http://localhost:9292，进入登录页面

登录后点击右上角的Administrator-》Edit account进行修改默认密码

新建扫描，Scans-》+New并配置扫描选项，安全策略包括XSS、SQL注入等，默认情况下选Default即可。

扫描结果分析，检出弱点总数及漏洞分类一览

点击awaiting review进入漏洞详细说明界面

报告导出，以HTML格式为例

查看报告，包括总结图表及漏洞详细说明

Arachni是基于Ruby的开源，功能全面，高性能的漏洞扫描框架。它可以通过分析在扫描过程中获得的信息，来评估漏洞识别的准确性和避免误判。Arachni功能强大，本文只针对基本的使用方法做一些介绍，希望能够在大家建立自动化漏洞测试平台时提供一些参考，具体内容请大家自己去实践和发现。

五、参考资料

http://www.arachni-scanner.com/

http://www.arachni-scanner.com/blog/