Arachni - Web Application Vulnerability Scanning Framework

Homepage: http://github.com/zapotek/arachni
Documentation: http://github.com/Zapotek/arachni/wiki
Code Documentation: http://zapotek.github.com/arachni/
Author: Anastasios "Zapotek" Laskos
Copyright: 2010
License: GNU General Public License v2

Synopsis

{Arachni} is a feature-full and modular Ruby framework that allows penetration testers and administrators to evaluate the security of web applications.

{Arachni} is smart, it trains itself with every HTTP response it receives during the audit process.
Unlike other scanners, Arachni takes into account the dynamic nature of web applications and can detect changes caused while travelling
through each path of a web application's cyclomatic complexity.
This way attack/input vectors that would otherwise be undetectable by non-humans are seamlessly handled by Arachni.

The project aims to:

1 Provide a stable and efficient framework
Developers should be allowed to easily and quickly create and deploy modules with the minimum amount of restrictions imposed upon them, while provided with the necessary infrastructure to accomplish their goals.
Module writers should be able to take full advantage of the Ruby language under a unified framework that will increase their productivity without stifling them or complicating their tasks.
Basically, give them the right tools for the job and get the hell out of their way.

2 Be simple
Well, not simple in general...some parts of the framework are fairly complex.
However, the module and report APIs are very similar and very simple.
There are only a couple of rules you should follow:

• Implement an abstract class
• Do your thing

That's pretty much all...

3 Be developer and user friendly
Users should be able to make the most out of Arachni without being confused or overwhelmed.
Developers unfamiliar with the framework should be able to write working modules and reports immediately after a small glance at an existing one.

Feature List

General

• Cookie-jar support
• SSL support.
• User Agent spoofing.
• Proxy support for SOCKS and HTTP(S).
  • SOCKS support is kindly provided by socksify.
• Proxy authentication.
• Site authentication.
• Local DNS cache limits name resolution queries.
• Custom output lib.
  • The system uses its own print wrappers to output messages.
    Will make it easier to implement other UIs in the future.
• Highlighted command line output, Metasploit style.
• Run mods last option.
  • Allows to run the modules after site analysis has concluded.
• UI abstraction.
  • Only {Arachni::UI::CLI} for the time being but WebUI & GUI are relatively easy to implement now.
• Traps Ctrl-C interrupt.
  • Interrupts pause the system, the user then has the option to either resume or exit.

Website Crawler ({Arachni::Spider})

The crawler is provided by Anemone with some slight modifications to accommodate extra features.

• Filters for redundant pages like galleries, catalogs, etc based on regular expressions and counters.
• URL exclusion filter based on regular expressions.
• URL inclusion filter based on regular expressions.
• Stays in domain by default and it'll probably stay that way.
• Can optionally follow subdomains.
• Multi-threaded with adjustable thread count.
• Adjustable depth limit.
• Adjustable link count limit.
• Adjustable redirect limit.

HTML Analyzer ({Arachni::Analyzer})

Can extract and analyze:

• Forms
• Links
• Cookies

The analyzer can graciously handle badly written HTML code due to the combination of regular expression analysis and Nokogiri HTML parser.

The analyzer serves as the first layer of HTML analysis.
More complex analysis, for JS, AJAX, Java Applets etc, can be achieved by adding data-mining/audit pairs of modules like:
- {Arachni::Modules::Recon::ExtractObjects}
- {Arachni::Modules::Audit::AuditObjects}

This way the system can be extended to be able to handle virtually anything.

Module Management ({Arachni::Module})

• Modular design
  • Very simple and easy to use module API providing access at multiple levels.
• Helper audit methods
  • For forms, links and cookies.
  • Writing RFI, SQL injection, XSS etc mods is a matter of minutes if not seconds.
• Helper {Arachni::Module::HTTP} interface
  • A pretty and easy to use Net::HTTP wrapper.
• Multi-threaded module execution with adjustable thread count.

You can find an tutorial module here: {Arachni::Modules::Audit::SimpleRFI}

Report Management ({Arachni::Report})

• Modular design
  • Very easy to add new reports.
  • Reports are similar to modules...but a lot simpler.

You can find an up-to-date sample report here: {Arachni::Reports::AP}
And a more complex HTML report here: {Arachni::Reports::HTML}

Good day to all,

I am in dire need of good question writer who can produce some of the new scenario based questions that have been showing up on the CISSP exam. It is the new type that present a large scenario (a paragraph or a few) and then ask you a few questions related to that scenario.

I would also need help from people who are CEH to develop questions for that certification as well. Those are the same style as we have in the quiz engine right now.

If you are interested I would like you to contact me at:
Clement [dot]Dupuis[at]Gmail[dot]com

As you know me, I prefer quality over quantity. Even if you can commit only to writing a few question it is fine. I prefer a few that really tests skills and knowledge than a whole bunch of bad ones.

Please send me an email and tell me if you are willing to write question for the CEH or the CISSP Scenario based questions and how much you would like to be paid per question.

Thanks in advance

Clement

2nd. OWASP Ibero-American Web-Applications Security conference 2010 (IBWAS’10)
ISCTE – Lisbon University Institute
25th – 26th November 2010
Lisboa, Portugal
http://www.ibwas.com

Call for Papers

Introduction
There is a change in the information systems development paradigm. The emergence of Web 2.0 technologies led to the extensive deployment and use of web-based applications and web services as a way to developed new and flexible information systems. Such systems are easy to develop, deploy and maintain and demonstrate impressive features for users, resulting in their current wide use.
As a result of this paradigm shift, the security requirements have also changed. These web-based information systems have different security requirements, when compared to traditional systems. Important security issues have been found and privacy concerns have also been raised recently. In addition, the emerging Cloud Computing paradigm promises even greater flexibility; however corresponding security and privacy issues still need to be examined. The security environment should involve not only the surrounding environment but also the application core.
This conference aims to bring together application security experts, researchers, educators and practitioners from the industry, academia and international communities such as OWASP, in order to discuss open problems and new solutions in application security. In the context of this track academic researchers will be able to combine interesting results with the experience of practitioners and software engineers.

Conference Topics
Suggested topics for papers submission include (but are not limited to):
• Secure application development
• Security of service oriented architectures
• Security of development frameworks
• Threat modelling of web applications
• Cloud computing security
• Web applications vulnerabilities and analysis (code review, pen-test, static analysis etc.)
• Metrics for application security
• Countermeasures for web application vulnerabilities
• Secure coding techniques
• Platform or language security features that help secure web applications
• Secure database usage in web applications
• Access control in web applications
• Web services security
• Browser security
• Privacy in web applications
• Standards, certifications and security evaluation criteria for web applications
• Application security awareness and education
• Security for the mobile web
• Attacks and Vulnerability Exploitation

Paper Submission Instructions
Authors should submit an original paper in English, carefully checked for correct grammar and spelling, using the on-line submission procedure (http://www.easychair.org/conferences/?conf=ibwas10). Please check the paper formats so you may be aware of the accepted paper page limits (12 pages, in accordance to a supplied template: ftp://ftp.springer.de/pub/tex/latex/llncs/word/LNCS-Office2007.zip).
The guidelines for paper formatting provided at the conference web site must be strictly used for all submitted papers. The submission format is the same as the camera-ready format. Please check and carefully follow the instructions and templates provided.
Each paper should clearly indicate the nature of its technical/scientific contribution, and the problems, domains or environments to which it is applicable.
Papers that are out of the conference scope or contain any form of plagiarism will be rejected without reviews.
Remarks about the on-line submission procedure:
1. A "double-blind" paper evaluation method will be used. To facilitate that, the authors are kindly requested to produce and provide the paper, WITHOUT any reference to any of the authors. This means that is necessary to remove the author’s personal details, the acknowledgements section and any reference that may disclose the authors identity
2. Papers in ODF, PDF, DOC, DOCX or RTF format are accepted
3. The web submission procedure automatically sends an acknowledgement, by e-mail, to the contact author.

Paper submission types

Regular Paper Submission
A regular paper presents a work where the research is completed or almost finished. It does not necessary means that the acceptance is as a full paper. It may be accepted as a "full paper" (30 min. oral presentation), a "short paper" (15 min. oral presentation) or a "poster".
Position Paper Submission
A position paper presents an arguable opinion about an issue. The goal of a position paper is to convince the audience that your opinion is valid and worth listening to, without the need to present completed research work and/or validated results. It is, nevertheless, important to support your argument with evidence to ensure the validity of your claims. A position paper may be a short report and discussion of ideas, facts, situations, methods, procedures or results of scientific research (bibliographic, experimental, theoretical, or other) focused on one of the conference topic areas. The acceptance of a position paper is restricted to the categories of "short paper" or "poster", i.e. a position paper is not a candidate to acceptance as "full paper".

Camera-ready
After the reviewing process is completed, the contact author (the author who submits the paper) of each paper will be notified of the result, by e-mail. The authors are required to follow the reviews in order to improve their paper before the camera-ready submission.

Publications
All accepted papers will be published in the conference proceedings, under an ISBN reference. Conference proceedings will be published by Springer in the Communications in Computer and Information Science (CCIS) series.

Web-site:  http://www.ibwas.com

Secretariat:  E-mail: secretariat@ibwas.com

Important Dates
Submission of papers and all other contributions due: 8th October 2010
Notification of acceptance: 22nd October 2010
Camera-ready version of accepted contributions: 29th October 2010
Conference: 25th – 26th November 2010

Conference Chairs
Vicente Aguilera Días, Internet Security Auditors, OWASP Spain, Spain
Carlos Serrão, ISCTE-IUL Instituto Universitário de Lisboa, OWASP Portugal, Portugal

Organization Committee
Fabio Cerullo, OWASP Global Education Committee, Ireland
Dinis Cruz, OWASP Board Member, UK
Paulo Coimbra, OWASP Project Manager, UK
Miguel Correia, Universidade de Lisboa, Portugal
Paulo Sousa, Universidade de Lisboa, Portugal
Lucas C. Ferreira, Câmara dos Deputados, Brasil
Arturo Busleiman, OWASP Argentina, Argentina
Martin Tartarelli, OWASP Argentina, Argentina
Paulo Querido, Portugal

Conference Program Committee
André Zúquete, Universidade De Aveiro, Portugal
Candelaria Hernández-Goya, Universidad De La Laguna, Spain
Carlos Costa, Universidade De Aveiro, Portugal
Carlos Ribeiro, Instituto Superior Técnico, Portugal
Eduardo Neves, OWASP Education Committee, OWASP Brazil, Brazil
Francesc Rovirosa i Raduà, Universitat Oberta de Catalunya (UOC), Spain
Gonzalo Álvarez Marañón, Consejo Superior de Investigaciones Científicas (CSIC), Spain
Isaac Agudo, University of Malaga, Spain
Jaime Delgado, Universitat Politecnica De Catalunya, Spain
Javier Hernando, Universitat Politecnica De Catalunya, Spain
Javier Rodríguez Saeta, Herta Security, Spain
Joaquim Castro Ferreira, Universidade de Lisboa, Portugal
Joaquim Marques, Instituto Politécnico de Castelo Branco, Portugal
Jorge Dávila Muro, Universidad Politécnica de Madrid (UPM), Spain
Jorge E. López de Vergara, Universidad Autónoma de Madrid, Spain
José Carlos Metrôlho, Instituto Politécnico de Castelo Branco, Portugal
José Luis Oliveira, Universidade De Aveiro, Portugal
Kuai Hinojosa, OWASP Global Education Committee, New York University, United States
Leonardo Chiariglione, Cedeo, Italy
Leonardo Lemes, Unisinos, Brasil
Manuel Sequeira, ISCTE-IUL Instituto Universitário de Lisboa, Portugal
Marco Vieira, Universidade de Coimbra, Portugal
Mariemma I. Yagüe, University of Málaga, Spain
Miguel Correia, Universidade de Lisboa, Portugal
Miguel Dias, Microsoft, Portugal
Nuno Neves, Universidade de Lisboa, Portugal
Osvaldo Santos, Instituto Politécnico de Castelo Branco, Portugal
Panos Kudumakis, Queen Mary University of London, United Kingdom
Paulo Sousa, Universidade de Lisboa, Portugal
Rodrigo Roman, University of Malaga, Spain
Rui Cruz, Instituto Superior Técnico, Portugal
Rui Marinheiro, ISCTE-IUL Instituto Universitário de Lisboa, Portugal
Sérgio Lopes, Universidade do Minho, Portugal
Tiejun Huang, Pekin University, China
Víctor Villagrá, Universidad Politécnica de Madrid (UPM), Spain
Vitor Filipe, Universidade de Trás-os-Montes e Alto Douro, Portugal
Vitor Santos, Microsoft, Portugal
Vitor Torres, Universitat Pompeu Fabra, Spain
Wagner Elias, OWASP Brazil Chapter Leader, Brazil

As seen Published on threatpost (http://threatpost.com):

New Cyber Security Certifications from NBISE Will Set High Bar for IT Security Pros

[1]A new non-profit group is developing certifications for information technology security professionals that will set a high bar for IT security practitioners in areas like penetration testing, code auditing and control systems operation.

The National Board of Information Security Examiners (NBISE) [2] is a new, not-for-profit corporation headed by former NERC (North American Electric Reliability Corporation) CSO Mike Assante and overseen by a board of luminaries in the world of information security and critical infrastructure.  The group will be designing certification exams to test the knowledge, practical skill and professionalism of IT security practitioners, with an eye to weeding out the information technology world’s equivalent of quacks and hucksters.

The new tests are designed to supplant a hodge podge of private and industry certifications for IT security practitioners, including the CISSP and certificate programs run by the SANS Institute and other industry and private groups. NBISE claims that too many of those tests test knowledge, rather than hands-on skills required of practitioners.

“This is about a higher level of testing,” said NBISE Director and SANS Institute Director of Research Alan Paller. “Its about having confidence that the person you hired doesn’t just know the answer, but can do the job.”

NBISE Chief Operating Officer Kelly Ziegler likens the exams to those required by the National Board of Medical Examiners for aspiring physicians.

Paller said that the group is working with top practitioners in a variety of disciplines to design exams that test practical knowledge, not just book knowledge. Scenario testing – akin to the now famous “Capture the Flag” tournaments at DEFCON and other hacking conferences -- will be an important component of the NBISE exams, he said.

“If you look at (penetration) testing, you can have multiple choice questions about the correct approach when pen testing, but that’s very different than having an actual set of systems and having to find a flag, rather than just answer questions about how to find it,” Paller said.

NBISE plans to release its first exam in the next 30 days. That test will be an adaptation of the UK’s Council of Registered Ethical Security Testers (CREST) [3] exam for penetration testing. The group is working with the UK government’s CESG – the British equivalent of the U.S.’s National Security Agency – to adapt that exam for use in North America, according to Ziegler.

In other areas, such as the operation of control systems and secure coding, computer forensics and incident response and handling, NBISE is forming national boards of experts to get to work developing exams. The group is also being advised by the National Board of Medical Examiners on ways to devise certification exams that test practical knowledge.

Paller said the new emphasis on certification is a response to an aching skills gap in the IT security space [4]. That gap has been underscored by a series of studies and reports that have pointed to the need to develop IT security expertise within the public and private sectors. Most recently, in June, the Center for Strategic and International Studies issued a report warning of a “human capital crisis” in cyber security.

Paller said that the profusion of different certifications has allowed legions of poorly trained IT professionals to falsely claim expertise in cyber security. Often, their lack of training only becomes evident once they’ve been hired.  

NBISE will also provide more focused instruction than initiatives like the U.S. Departments of Defense’s Directive 8570 (DOD 8570), which provides training and certification guidance for government employees who work in Information Assurance, but give employees a menu of different certifications to choose from in fulfilling the directive, say NBISE organizers.

The NBISE exams, once instituted, will serve as a threshold exam for work in areas like government and financial services, separating those with technical knowledge of a subject from those with both knowledge and hands on experience to perform a job. Paller said that the exams, once adopted, could take business away from certification organizations like The SANS Institute, but that those organizations might merely shift to fulfill a role similar to that of medical schools today: teaching students a body of material and hands on skills necessary to pass the NBISE certification exam.

Links:
[1] http://threatpost.com/en_us/blogs/new-certification-group-aims-set-high-bar-it-security-pros-080510
[2] http://www.nbise.org/
[3] http://www.crest-approved.org/
[4] http://threatpost.com/en_us/blogs/new-cybersecurity-czar-faces-tough-road-060209
[5] http://www.twitter.com/home?status=New Certifications Will Set High Bar for IT Security Pros http://threatpost.com/en_us/c4B

(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics.

DOWNLOAD ISSUE 27 HERE(September 2010)

Issue 27 has just been released. Download it from:
http://www.insecuremag.com

The covered topics include:

- Review: BlockMaster SafeStick secure USB flash drive
- The devil is in the details: Securing the enterprise against the cloud
- Cybercrime may be on the rise, but authentication evolves to defeat it
- Learning from bruteforcers
- PCI DSS v1.3: Vital to the emerging demand for virtualization and cloud security
- Security testing - the key to software quality
- A brief history of security and the mobile enterprise
- Payment card security: Risk and control assessments
- Security as a process: Does your security team fuzz?
- Book review: Designing Network Security, 2nd Edition
- Intelligent security: Countering sophisticated fraud
____________________________________________________

(IN)SECURE Magazine is supporting the following industry events:

SOURCE Barcelona 2010
Barcelona, Spain, 21-22 September 2010.
Use discount code SOURCEHN10 to get 15% off your ticket price.
http://www.sourceconference.com

Brucon 2010
Brussels, Belgium. 24-25 September 2010.
http://www.brucon.org

InfoSecurity Russia 2010
Moscow, Russia. 17-19 November 2010.
http://www.infosecurityrussia.ru

RSA Conference Europe 2010
London, United Kingdom. 12-14 October 2010.
http://bit.ly/rsa2010eu

__________________________________________________

Visit the (IN)SECURE Magazine web site at:
http://www.insecuremag.com

Subscribe to our RSS feed at:
http://feeds2.feedburner.com/insecuremagazine

Daily security news RSS feed:
http://feeds2.feedburner.com/HelpNetSecurity

Help Net Security on Twitter:
http://twitter.com/helpnetsecurity

Contact:

- For information on contributing to (IN)SECURE Magazine, please contact Chief Editor Mirko Zorz at editor( at )insecuremag.com
- For marketing inquiries do contact Marketing Director Berislav Kucan at marketing( at )insecuremag.com

NOTE FROM CLEMENT:

GOA is a magical place with amazing beaches in the North.  You have miles and miles of beaches to yourself.  Not to mention that GOA is a hub for tourism and it is very inexpensive.   A great place at great price,  do entend your stay a bit to visit the area.  February is one of the best month of the year to visit as well.

nullcon Dwitiya (2.0)
The Jugaad(hacking) Conference

nullcon is an initiative by null - The open security community.

Website:  http://nullcon.net

Calling all Jugaadus(hackers)
It's the time of the year when we welcome research done by the community as paper submissions for nullcon.  So, sip your coffee, dust your debuggers, fire your tools, challenge your grey cells and shoot us an email.

Tracks:
---------------
- Bakkar:         1 Hr Talks
- Tez:              5-30 min Talks
- Karyashala:    2-4 Hrs Workshop
- Desi Jugaad    (Local Hack): 1 Hr

Submition Topics:
------------------------------
1. One of the topics of interest to us is "Desi Jugaad"(Local Hack) and has a separate track of it's own. Submissions can be any kind of local hacks that you have worked on (hints: electronic/mechanical meters, automobile hacking,  Hardware, mobile phones, lock-picking, bypassing procedures and processes, etc, Be creative  :-D)

2. The topics pertaining to security and Hacking in the following domains(but not limited to)
- Hardware (ex: RFID, Magnetic Strips, Card Readers, Mobile Devices, Electronic Devices)
- Tools (open source)
- Programming/Software Development
- Networks
- Information Warfare
- Botnets, Malware
- Web
- New attack vectors
- Mobile, VOIP and Telecom
- VM
- Cloud
- Critical Infrastructure
- Satellite
- Wireless
- Forensics
- Cyber Laws

Submission Format:
------------------------------
Email the cfp to: cfp(_at_)nullcon.net
Subject should be: CFP Dwitiya
Email Body:
- Name
- Handle
- Track & Time required
- Paper Title
- Country of residence
- Organization
- Contact no.
- Have you presented/submitted this talk at any other conference(s)?
- Why do you think your paper is different/innovative?
- Brief Profile ( <= 500 Words)
- Paper Abstract ( <= 3000 Words)

NOTE: The Abstract should clearly mention the techniques and hacks in
detail and merely mentioning that it works will not help in
understanding the research to it's full extent.


Important Dates:
------------------------------
CFP End Date:         30th November 2010
Speakers List Online: 10th December 2010
Conference Dates:     25th - 26th February 2011


Venue:
----------------
Goa, India
(Exact Venue TBD)


Speaker Benefits:
------------------------------

FREE Cisco CCNP TSHOOT Webcast August 31st, 2010 with expert trainer and best-selling Cisco Press author Kevin Wallace, see more info about Kevin and register now at:

hhttp://promo.pearsonitcertification.com/pages/start/plp-webcast-home/index.html?Campaign_Id=262&Activity_Id=212

Kevin Wallace, expert trainer and best-selling author of the CCNP TSHOOT 642-832 Official Certification Guide and Network Troubleshooting Video Mentor, takes you on a tour of a troubleshooting scenario that is typical of what you might see on the CCNP TSHOOT exam. Kevin walks you through an HSRP trouble ticket. You will review the theory of HSRP followed by a live troubleshooting demonstration and concluding with a Q&A session.

Join us for this Free Pearson IT Certification / Cisco Press Webcast to gain unique insight into what you can expect on the CCNP TSHOOT exam!  Register Now. Hope you can attend!

~Jamie

Jamie Adams, Senior Publicist

Representing technical brands of Pearson in networking technologies (IP Com, network security, storage), and all certifications including Cisco®, Microsoft and CompTIA.

Office: 317-428-3012

Twitter: @ciscopress, @pearsonitcert, and @jamieadams76

Facebook: facebook.com/ciscopress and other Pearson brands at informit.com/socialconnect.

LinkedIn: www.linkedin.com/in/msjamieadams.

A New Advanced Security Certification is on the way!

To Security Professionals – Important Request:

In case you did not know, I am a Founding Member of the CompTIA Security+ Cornerstone Committee.  I am writing this blog to ask if you would complete an important survey because of your expertise in information security. CompTIA is developing a new advanced security certification exam to follow CompTIA Security+ (or equivalent experience) and we are seeking your input on the exam objectives. We hope you’ll appreciate how important your input is to the development of this certification, and ultimately to those who follow you in their security careers.  Personally, I am excited by the cutting-edge objective set of the intended certification:  It is up-to-date and pragmatic.  It includes (speak of the devil) objectives related to:

• Security and Social Media
• Virtualized Desktops (VDI)
• Insider Threat
• 802.1x
• Fuzzing
• And a plethora of deep, technical, scary stuff!

To begin this approximately ten-minute survey, please go here:  https://s-xut5m-345723.sgizmo.com
In appreciation for your time and participation, CompTIA is giving away a CompTIA T-shirt to every 10th person who completes the survey.

CompTIA values your privacy. Results are completely anonymous and the data will only be viewed in the aggregate. Please complete by September 8, 2010.
Thank you very much for your participation.

Please contact research_at_comptia.org if you experience any technical difficulties with the survey.

Go ahead:  support the community and get a free T-Shirt!

Barry Kaufman, CISSP, CEH, MCSE, ITILv3