[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-7792":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":18,"compositeScore":20,"rankGlobal":10,"rankLanguage":10,"license":21,"archived":22,"fork":23,"defaultBranch":24,"hasWiki":22,"hasPages":23,"topics":25,"createdAt":10,"pushedAt":10,"updatedAt":44,"readmeContent":45,"aiSummary":46,"trendingCount":16,"starSnapshotCount":16,"syncStatus":47,"lastSyncTime":48,"discoverSource":49},7792,"arachni","Arachni\u002Farachni","Arachni","Web Application Security Scanner Framework","http:\u002F\u002Fwww.arachni-scanner.com",null,"Ruby",4029,783,197,124,0,1,3,13,30.68,"Other",true,false,"master",[26,5,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43],"analysis","audit","crawler","detection","dom","hack","hacking","javascript","modular","penetration-testing","ruby","scanner","scanners","security-audit","sql-injection","vulnerability-detection","web-application","xss","2026-06-12 02:01:44","# Notice\n\nArachni has become obsolete, try out its next-gen successor \n[Ecsypno](https:\u002F\u002Fwww.ecsypno.com\u002F) [Spectre Scan](https:\u002F\u002Fecsypno.com\u002Fpages\u002Fcodename-scnr)!\n\n# Arachni - Web Application Security Scanner Framework\n\n\u003Ctable>\n    \u003Ctr>\n        \u003Cth>Version\u003C\u002Fth>\n        \u003Ctd>1.6.1.3\u003C\u002Ftd>\n    \u003C\u002Ftr>\n    \u003Ctr>\n        \u003Cth>Homepage\u003C\u002Fth>\n        \u003Ctd>\u003Ca href=\"http:\u002F\u002Fwww.arachni-scanner.com\">http:\u002F\u002Farachni-scanner.com\u003C\u002Fa>\u003C\u002Ftd>\n    \u003C\u002Ftr>\n    \u003Ctr>\n        \u003Cth>Blog\u003C\u002Fth>\n        \u003Ctd>\u003Ca 
href=\"http:\u002F\u002Fwww.arachni-scanner.com\u002Fblog\">http:\u002F\u002Farachni-scanner.com\u002Fblog\u003C\u002Fa>\u003C\u002Ftd>\n    \u003C\u002Ftr>\n    \u003Ctr>\n        \u003Cth>Github\u003C\u002Fth>\n        \u003Ctd>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FArachni\u002Farachni\">http:\u002F\u002Fgithub.com\u002FArachni\u002Farachni\u003C\u002Fa>\u003C\u002Ftd>\n    \u003C\u002Ftr>\n    \u003Ctr>\n        \u003Cth>Documentation\u003C\u002Fth>\n        \u003Ctd>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002FArachni\u002Farachni\u002Fwiki\">https:\u002F\u002Fgithub.com\u002FArachni\u002Farachni\u002Fwiki\u003C\u002Fa>\u003C\u002Ftd>\n    \u003C\u002Ftr>\n    \u003Ctr>\n        \u003Cth>Code Documentation\u003C\u002Fth>\n        \u003Ctd>\u003Ca href=\"http:\u002F\u002Frubydoc.info\u002Fgithub\u002FArachni\u002Farachni\">http:\u002F\u002Frubydoc.info\u002Fgithub\u002FArachni\u002Farachni\u003C\u002Fa>\u003C\u002Ftd>\n    \u003C\u002Ftr>\n    \u003Ctr>\n        \u003Cth>Support\u003C\u002Fth>\n        \u003Ctd>\u003Ca href=\"http:\u002F\u002Fsupport.arachni-scanner.com\">http:\u002F\u002Fsupport.arachni-scanner.com\u003C\u002Fa>\u003C\u002Ftd>\n    \u003C\u002Ftr>\n    \u003Ctr>\n       \u003Cth>Author\u003C\u002Fth>\n       \u003Ctd>\u003Ca href=\"mailto:tasos.laskos@arachni-scanner.com\">Tasos Laskos\u003C\u002Fa> (\u003Ca href=\"http:\u002F\u002Ftwitter.com\u002FZap0tek\">@Zap0tek\u003C\u002Fa>)\u003C\u002Ftd>\n    \u003C\u002Ftr>\n    \u003Ctr>\n        \u003Cth>Twitter\u003C\u002Fth>\n        \u003Ctd>\u003Ca href=\"http:\u002F\u002Ftwitter.com\u002FArachniScanner\">@ArachniScanner\u003C\u002Fa>\u003C\u002Ftd>\n    \u003C\u002Ftr>\n    \u003Ctr>\n        \u003Cth>Copyright\u003C\u002Fth>\n        \u003Ctd>2010-2022 \u003Ca href=\"http:\u002F\u002Fwww.ecsypno.com\">Ecsypno\u003C\u002Fa>\u003C\u002Ftd>\n    \u003C\u002Ftr>\n    \u003Ctr>\n        \u003Cth>License\u003C\u002Fth>\n        \u003Ctd>Arachni Public Source License v1.0 - (see LICENSE 
file)\u003C\u002Ftd>\n    \u003C\u002Ftr>\n\u003C\u002Ftable>\n\n![Arachni logo](http:\u002F\u002Fwww.arachni-scanner.com\u002Flarge-logo.png)\n\n## Synopsis\n\nArachni is a feature-full, modular, high-performance Ruby framework aimed towards\nhelping penetration testers and administrators evaluate the security of web applications.\n\nIt is smart, it trains itself by monitoring and learning from the web application's\nbehavior during the scan process and is able to perform meta-analysis using a number of\nfactors in order to correctly assess the trustworthiness of results and intelligently\nidentify (or avoid) false-positives.\n\nUnlike other scanners, it takes into account the dynamic nature of web applications,\ncan detect changes caused while travelling through the paths of a web application’s\ncyclomatic complexity and is able to adjust itself accordingly. This way, attack\u002Finput\nvectors that would otherwise be undetectable by non-humans can be handled seamlessly.\n\nMoreover, due to its integrated browser environment, it can also audit and inspect\nclient-side code, as well as support highly complicated web applications which make\nheavy use of technologies such as JavaScript, HTML5, DOM manipulation and AJAX.\n\nFinally, it is versatile enough to cover a great deal of use cases, ranging from\na simple command line scanner utility, to a global high performance grid of\nscanners, to a Ruby library allowing for scripted audits, to a multi-user\nmulti-scan web collaboration platform.\n\n**Note**: Despite the fact that Arachni is mostly targeted towards web application\nsecurity, it can easily be used for general purpose scraping, data-mining, etc.\nwith the addition of custom components.\n\n### Arachni offers:\n\n#### A stable, efficient, high-performance framework\n\n`Check`, `report` and `plugin` developers are allowed to easily and quickly create and\ndeploy their components with the minimum amount of restrictions imposed upon them,\nwhile provided with 
the necessary infrastructure to accomplish their goals.\n\nFurthermore, they are encouraged to take full advantage of the Ruby language under\na unified framework that will increase their productivity without stifling them\nor complicating their tasks.\n\nMoreover, that same framework can be utilized as any other Ruby library and lead\nto the development of brand new scanners or help you create highly customized\nscan\u002Faudit scenarios and\u002For scripted scans.\n\n#### Simplicity\n\nAlthough some parts of the Framework are fairly complex, you will never have to deal with them directly.\nFrom a user’s or a component developer’s point of view everything appears simple\nand straightforward, all the while providing power, performance and flexibility.\n\nFrom the simple command-line utility scanner to the intuitive and user-friendly\nWeb interface and collaboration platform, Arachni follows the principle of least\nsurprise and provides you with plenty of feedback and guidance.\n\n#### In simple terms\n\nArachni is designed to automatically detect security issues in web applications.\nAll it expects is the URL of the target website and after a while it will present\nyou with its findings.\n\n## Features\n\n### General\n\n- Cookie-jar\u002Fcookie-string support.\n- Custom header support.\n- SSL support with fine-grained options.\n- User Agent spoofing.\n- Proxy support for SOCKS4, SOCKS4A, SOCKS5, HTTP\u002F1.1 and HTTP\u002F1.0.\n- Proxy authentication.\n- Site authentication (SSL-based, form-based, Cookie-Jar, Basic-Digest, NTLMv1, Kerberos and others).\n- Automatic log-out detection and re-login during the scan (when the initial\n  login was performed via the `autologin`, `login_script` or `proxy` plugins).\n- Custom 404 page detection.\n- UI abstraction:\n    - [Command-line Interface](https:\u002F\u002Fgithub.com\u002FArachni\u002Farachni\u002Fwiki\u002FExecutables).\n    - [Web User Interface](https:\u002F\u002Fgithub.com\u002FArachni\u002Farachni-ui-web).\n- 
Pause\u002Fresume functionality.\n- Hibernation support -- Suspend to and restore from disk.\n- High performance asynchronous HTTP requests.\n    - With adjustable concurrency.\n    - With the ability to auto-detect server health and adjust its concurrency\n      automatically.\n- Support for custom default input values, using pairs of patterns (to be matched\n  against input names) and values to be used to fill in matching inputs.\n\n### Integrated browser environment\n\nArachni includes an integrated, real browser environment in order to provide\nsufficient coverage to modern web applications which make use of technologies\nsuch as HTML5, JavaScript, DOM manipulation, AJAX, etc.\n\nIn addition to the monitoring of the vanilla DOM and JavaScript environments,\nArachni's browsers also hook into popular frameworks to make the logged data\neasier to digest:\n\n- [jQuery](http:\u002F\u002Fjquery.com\u002F)\n- [AngularJS](https:\u002F\u002Fangularjs.org\u002F)\n- More to come...\n\nIn essence, this turns Arachni into a DOM and JavaScript debugger, allowing it to\nmonitor DOM events and JavaScript data and execution flows. As a result, not only\ncan the system trigger and identify DOM-based issues, but it will accompany them\nwith a great deal of information regarding the state of the page at the time.\n\nRelevant information includes:\n\n- Page DOM, as HTML code.\n    - With a list of DOM transitions required to restore the state of the\n      page to the one at the time it was logged.\n- Original DOM (i.e. 
prior to the action that caused the page to be logged),\n  as HTML code.\n    - With a list of DOM transitions.\n- Data-flow sinks -- Each sink is a JS method which received a tainted argument.\n    - Parent object of the method (ex.: `DOMWindow`).\n    - Method signature (ex.: `decodeURIComponent()`).\n    - Arguments list.\n        - With the identified taint located recursively in the included objects.\n    - Method source code.\n    - JS stacktrace.\n- Execution flow sinks -- Each sink is a successfully executed JS payload,\n  as injected by the security checks.\n    - Includes a JS stacktrace.\n- JavaScript stack-traces include:\n    - Method names.\n    - Method locations.\n    - Method source codes.\n    - Argument lists.\n\nIn essence, you have access to roughly the same information that your favorite\ndebugger (for example, FireBug) would provide, as if you had set a breakpoint to\ntake place at the right time for identifying an issue.\n\n#### Browser-cluster\n\nThe browser-cluster is what coordinates the browser analysis of resources and\nallows the system to perform operations which would normally be quite time\nconsuming in a high-performance fashion.\n\nConfiguration options include:\n\n- Adjustable pool-size, i.e. the amount of browser workers to utilize.\n- Timeout for each job.\n- Worker TTL counted in jobs -- Workers which exceed the TTL have their browser\n  process respawned.\n- Ability to disable loading images.\n- Adjustable screen width and height.\n    - Can be used to analyze responsive and mobile applications.\n- Ability to wait until certain elements appear in the page.\n- Configurable local storage data.\n\n### Coverage\n\nThe system can provide great coverage to modern web applications due to its\nintegrated browser environment. 
This allows it to interact with complex applications\nthat make heavy use of client-side code (like JavaScript) just like a human would.\n\nIn addition to that, it also knows which browser state changes the application\nhas been programmed to handle and is able to trigger them programmatically in\norder to provide coverage for a full set of possible scenarios.\n\nBy inspecting all possible pages and their states (when using client-side code)\nArachni is able to extract and audit the following elements and their inputs:\n\n- Forms\n    - Along with ones that require interaction via a real browser due to DOM events.\n- User-interface Forms\n    - Input and button groups which don't belong to an HTML `\u003Cform>` element but\n      are instead associated via JS code.\n- User-interface Inputs\n    - Orphan `\u003Cinput>` elements with associated DOM events.\n- Links\n    - Along with ones that have client-side parameters in their fragment, i.e.:\n      `http:\u002F\u002Fexample.com\u002F#\u002F?param=val&param2=val2`\n    - With support for rewrite rules.\n- LinkTemplates -- Allowing for extraction of arbitrary inputs from generic paths,\n  based on user-supplied templates -- useful when rewrite rules are not available.\n    - Along with ones that have client-side parameters in their URL fragments, i.e.:\n      `http:\u002F\u002Fexample.com\u002F#\u002Fparam\u002Fval\u002Fparam2\u002Fval2`\n- Cookies\n    - Also supports nested cookies, containing key-value pairs inside individual cookies.\n- Headers\n- Generic client-side elements which have associated DOM events.\n- AJAX-request parameters.\n- JSON request data.\n- XML request data.\n\n### Open [distributed architecture](https:\u002F\u002Fgithub.com\u002FArachni\u002Farachni\u002Fwiki\u002FDistributed-components)\n\nArachni is designed to fit into your workflow and easily integrate with your\nexisting infrastructure.\n\nDepending on the level of control you require over the process, you can either\nchoose the 
REST service or the custom RPC protocol.\n\nBoth approaches allow you to:\n\n- Remotely monitor and manage scans.\n- Perform multiple scans at the same time -- Each scan is compartmentalized to\n  its own OS process to take advantage of:\n    - Multi-core\u002FSMP architectures.\n    - OS-level scheduling\u002Frestrictions.\n    - Sandboxed failure propagation.\n- Communicate over a secure channel.\n\n#### [REST API](https:\u002F\u002Fgithub.com\u002FArachni\u002Farachni\u002Fwiki\u002FREST-API)\n\n- Very simple and straightforward API.\n- Easy interoperability with non-Ruby systems.\n    - Operates over HTTP.\n    - Uses JSON to format messages.\n- Stateful scan monitoring.\n    - Unique sessions automatically only receive updates when polling for progress,\n      rather than full data.\n\n#### [RPC API](https:\u002F\u002Fgithub.com\u002FArachni\u002Farachni\u002Fwiki\u002FRPC-API)\n\n- High-performance\u002Flow-bandwidth [communication protocol](https:\u002F\u002Fgithub.com\u002FArachni\u002Farachni-rpc).\n    - `MessagePack` serialization for performance, efficiency and ease of\n      integration with 3rd party systems.\n- Grid:\n    - Self-healing.\n    - Scale up\u002Fdown by hot-plugging\u002Fhot-unplugging nodes.\n        - Can scale up infinitely by adding nodes to increase scan capacity.\n    - _(Always-on)_ Load-balancing -- All Instances are automatically provided\n      by the least burdened Grid member.\n        - With optional per-scan opt-out\u002Foverride.\n    - _(Optional)_ High-Performance mode -- Combines the resources of\n      multiple nodes to perform multi-Instance scans.\n        - Enabled on a per-scan basis.\n\n### Scope configuration\n\n- Filters for redundant pages like galleries, catalogs, etc. 
based on regular\n  expressions and counters.\n    - Can optionally detect and ignore redundant pages automatically.\n- URL exclusion filters using regular expressions.\n- Page exclusion filters based on content, using regular expressions.\n- URL inclusion filters using regular expressions.\n- Can be forced to only follow HTTPS paths and not downgrade to HTTP.\n- Can optionally follow subdomains.\n- Adjustable page count limit.\n- Adjustable redirect limit.\n- Adjustable directory depth limit.\n- Adjustable DOM depth limit.\n- Adjustment using URL-rewrite rules.\n- Can read paths from multiple user supplied files (to both restrict and extend\n  the scope).\n\n### Audit\n\n- Can audit:\n    - Forms\n        - Can automatically refresh nonce tokens.\n        - Can submit them via the integrated browser environment.\n    - User-interface Forms\n        - Input and button groups which don't belong to an HTML `\u003Cform>` element\n          but are instead associated via JS code.\n    - User-interface Inputs\n        - Orphan `\u003Cinput>` elements with associated DOM events.\n    - Links\n        - Can load them via the integrated browser environment.\n    - LinkTemplates\n        - Can load them via the integrated browser environment.\n    - Cookies\n        - Can load them via the integrated browser environment.\n    - Headers\n    - Generic client-side DOM elements.\n    - JSON request data.\n    - XML request data.\n- Can ignore binary\u002Fnon-text pages.\n- Can audit elements using both `GET` and `POST` HTTP methods.\n- Can inject both raw and HTTP encoded payloads.\n- Can submit all links and forms of the page along with the cookie\n  permutations to provide extensive cookie-audit coverage.\n- Can exclude specific input vectors by name.\n- Can include specific input vectors by name.\n\n### Components\n\nArachni is a highly modular system, employing several components of distinct\ntypes to perform its duties.\n\nIn addition to enabling or disabling the bundled 
components so as to adjust the\nsystem's behavior and features as needed, functionality can be extended via the\naddition of user-created components to suit almost every need.\n\n#### Platform fingerprinters\n\nIn order to make efficient use of the available bandwidth, Arachni performs\nrudimentary platform fingerprinting and tailors the audit process to the server-side\ndeployed technologies by only using applicable payloads.\n\nCurrently, the following platforms can be identified:\n\n- Operating systems\n    - BSD\n    - Linux\n    - Unix\n    - Windows\n    - Solaris\n- Web servers\n    - Apache\n    - IIS\n    - Nginx\n    - Tomcat\n    - Jetty\n    - Gunicorn\n- Programming languages\n    - PHP\n    - ASP\n    - ASPX\n    - Java\n    - Python\n    - Ruby\n- Frameworks\n    - Rack\n    - CakePHP\n    - Rails\n    - Django\n    - ASP.NET MVC\n    - JSF\n    - CherryPy\n    - Nette\n    - Symfony\n\nThe user also has the option of specifying extra platforms (like a DB server)\nin order to help the system be as efficient as possible. 
Alternatively, fingerprinting\ncan be disabled altogether.\n\nFinally, Arachni will always err on the side of caution and send all available\npayloads when it fails to identify specific platforms.\n\n#### Checks\n\n_Checks_ are system components which perform security checks and log issues.\n\n##### Active\n\nActive checks engage the web application via its inputs.\n\n- SQL injection (`sql_injection`) -- Error-based detection.\n    - Oracle\n    - InterBase\n    - PostgreSQL\n    - MySQL\n    - MSSQL\n    - EMC\n    - SQLite\n    - DB2\n    - Informix\n    - Firebird\n    - SAP MaxDB\n    - Sybase\n    - Frontbase\n    - Ingres\n    - HSQLDB\n    - MS Access\n- Blind SQL injection using differential analysis (`sql_injection_differential`).\n- Blind SQL injection using timing attacks (`sql_injection_timing`).\n    - MySQL\n    - PostgreSQL\n    - MSSQL\n- NoSQL injection (`no_sql_injection`) -- Error-based vulnerability detection.\n    - MongoDB\n- Blind NoSQL injection using differential analysis (`no_sql_injection_differential`).\n- CSRF detection (`csrf`).\n- Code injection (`code_injection`).\n    - PHP\n    - Ruby\n    - Python\n    - Java\n    - ASP\n- Blind code injection using timing attacks (`code_injection_timing`).\n    - PHP\n    - Ruby\n    - Python\n    - Java\n    - ASP\n- LDAP injection (`ldap_injection`).\n- Path traversal (`path_traversal`).\n    - *nix\n    - Windows\n    - Java\n- File inclusion (`file_inclusion`).\n    - *nix\n    - Windows\n    - Java\n    - PHP\n    - Perl\n- Response splitting (`response_splitting`).\n- OS command injection (`os_cmd_injection`).\n    - *nix\n    - *BSD\n    - IBM AIX\n    - Windows\n- Blind OS command injection using timing attacks (`os_cmd_injection_timing`).\n    - Linux\n    - *BSD\n    - Solaris\n    - Windows\n- Remote file inclusion (`rfi`).\n- Unvalidated redirects (`unvalidated_redirect`).\n- Unvalidated DOM redirects (`unvalidated_redirect_dom`).\n- XPath injection (`xpath_injection`).\n    - 
Generic\n    - PHP\n    - Java\n    - dotNET\n    - libXML2\n- XSS (`xss`).\n- Path XSS (`xss_path`).\n- XSS in event attributes of HTML elements (`xss_event`).\n- XSS in HTML tags (`xss_tag`).\n- XSS in script context (`xss_script_context`).\n- DOM XSS (`xss_dom`).\n- DOM XSS script context (`xss_dom_script_context`).\n- Source code disclosure (`source_code_disclosure`)\n- XML External Entity (`xxe`).\n    - Linux\n    - *BSD\n    - Solaris\n    - Windows\n\n##### Passive\n\nPassive checks look for the existence of files, folders and signatures.\n\n- Allowed HTTP methods (`allowed_methods`).\n- Back-up files (`backup_files`).\n- Backup directories (`backup_directories`)\n- Common administration interfaces (`common_admin_interfaces`).\n- Common directories (`common_directories`).\n- Common files (`common_files`).\n- HTTP PUT (`http_put`).\n- Insufficient Transport Layer Protection for password forms (`unencrypted_password_form`).\n- WebDAV detection (`webdav`).\n- HTTP TRACE detection (`xst`).\n- Credit Card number disclosure (`credit_card`).\n- CVS\u002FSVN user disclosure (`cvs_svn_users`).\n- Private IP address disclosure (`private_ip`).\n- Common backdoors (`backdoors`).\n- .htaccess LIMIT misconfiguration (`htaccess_limit`).\n- Interesting responses (`interesting_responses`).\n- HTML object grepper (`html_objects`).\n- E-mail address disclosure (`emails`).\n- US Social Security Number disclosure (`ssn`).\n- Forceful directory listing (`directory_listing`).\n- Mixed Resource\u002FScripting (`mixed_resource`).\n- Insecure cookies (`insecure_cookies`).\n- HttpOnly cookies (`http_only_cookies`).\n- Auto-complete for password form fields (`password_autocomplete`).\n- Origin Spoof Access Restriction Bypass (`origin_spoof_access_restriction_bypass`)\n- Form-based upload (`form_upload`)\n- localstart.asp (`localstart_asp`)\n- Cookie set for parent domain (`cookie_set_for_parent_domain`)\n- Missing `Strict-Transport-Security` headers for HTTPS sites (`hsts`).\n- 
Missing `X-Frame-Options` headers (`x_frame_options`).\n- Insecure CORS policy (`insecure_cors_policy`).\n- Insecure cross-domain policy (allow-access-from) (`insecure_cross_domain_policy_access`).\n- Insecure cross-domain policy (allow-http-request-headers-from) (`insecure_cross_domain_policy_headers`).\n- Insecure client-access policy (`insecure_client_access_policy`).\n\n#### Reporters\n\n- Standard output.\n- [HTML](http:\u002F\u002Fwww.arachni-scanner.com\u002Freports\u002Freport.html\u002F)\n  ([zip](http:\u002F\u002Fwww.arachni-scanner.com\u002Freports\u002Freport.html.zip)) (`html`).\n- [XML](http:\u002F\u002Fwww.arachni-scanner.com\u002Freports\u002Freport.xml) (`xml`).\n- [Text](http:\u002F\u002Fwww.arachni-scanner.com\u002Freports\u002Freport.txt) (`text`).\n- [JSON](http:\u002F\u002Fwww.arachni-scanner.com\u002Freports\u002Freport.json) (`json`).\n- [Marshal](http:\u002F\u002Fwww.arachni-scanner.com\u002Freports\u002Freport.marshal) (`marshal`).\n- [YAML](http:\u002F\u002Fwww.arachni-scanner.com\u002Freports\u002Freport.yml) (`yaml`).\n- [AFR](http:\u002F\u002Fwww.arachni-scanner.com\u002Freports\u002Freport.afr) (`afr`).\n    - The default Arachni Framework Report format.\n\n#### Plugins\n\nPlugins add extra functionality to the system in a modular fashion; this way the\ncore remains lean and it is easy for anyone to add arbitrary functionality.\n\n- Passive Proxy (`proxy`) -- Analyzes requests and responses between the web app and\n  the browser, assisting in AJAX audits, logging in and\u002For restricting the scope of the audit.\n- Form-based login (`autologin`).\n- Script-based login (`login_script`).\n- Dictionary attacker for HTTP Auth (`http_dicattack`).\n- Dictionary attacker for form-based authentication (`form_dicattack`).\n- Cookie collector (`cookie_collector`) -- Keeps track of cookies while establishing a timeline of changes.\n- WAF (Web Application Firewall) Detector (`waf_detector`) -- Establishes a baseline of\n  normal behavior and uses 
rDiff analysis to determine if malicious inputs cause any behavioral changes.\n- BeepNotify (`beep_notify`) -- Beeps when the scan finishes.\n- EmailNotify (`email_notify`) -- Sends a notification (and optionally a report) over SMTP at\n  the end of the scan.\n- VectorFeed (`vector_feed`) -- Reads in vector data from which it creates elements to be\n  audited. Can be used to perform extremely specialized\u002Fnarrow audits on a per vector\u002Felement basis.\n  Useful for unit-testing or a gazillion other things.\n- Script (`script`) -- Loads and runs an external Ruby script under the scope of a plugin,\n  used for debugging and general hackery.\n- Uncommon headers (`uncommon_headers`) -- Logs uncommon headers.\n- Content-types (`content_types`) -- Logs content-types of server responses aiding in the\n  identification of interesting (possibly leaked) files.\n- Vector collector (`vector_collector`) -- Collects information about all seen input vectors\n  which are within the scan scope.\n- Headers collector (`headers_collector`) -- Collects response headers based on specified criteria.\n- Exec (`exec`) -- Calls external executables at different scan stages.\n- Metrics (`metrics`) -- Captures metrics about multiple aspects of the scan and the web application.\n- Restrict to DOM state (`restrict_to_dom_state`) -- Restricts the audit to a single page's DOM\n  state, based on a URL fragment.\n- Webhook notify (`webhook_notify`) -- Sends a webhook payload over HTTP at the end of the scan.\n- Rate limiter (`rate_limiter`) -- Rate limits HTTP requests.\n- Page dump (`page_dump`) -- Dumps page data to disk as YAML.\n\n##### Defaults\n\nDefault plugins will run for every scan and are placed under `\u002Fplugins\u002Fdefaults\u002F`.\n\n- AutoThrottle (`autothrottle`) -- Dynamically adjusts HTTP throughput during the scan for\n  maximum bandwidth utilization.\n- Healthmap (`healthmap`) -- Generates sitemap showing the health of each crawled\u002Faudited URL\n\n###### 
Meta\n\nPlugins under `\u002Fplugins\u002Fdefaults\u002Fmeta\u002F` perform analysis on the scan results\nto determine trustworthiness or just add context information or general insights.\n\n- TimingAttacks (`timing_attacks`) -- Provides a notice for issues uncovered by timing attacks\n  when the affected audited pages returned unusually high response times to begin with.\n  It also points out the danger of DoS attacks against pages that perform heavy-duty processing.\n- Discovery (`discovery`) -- Performs anomaly detection on issues logged by discovery\n  checks and warns of the possibility of false positives where applicable.\n- Uniformity (`uniformity`) -- Reports inputs that are uniformly vulnerable across a number\n  of pages hinting to the lack of a central point of input sanitization.\n\n### Trainer subsystem\n\nThe Trainer is what enables Arachni to learn from the scan it performs and\nincorporate that knowledge, on the fly, for the duration of the audit.\n\nChecks have the ability to individually force the Framework to learn from the\nHTTP responses they are going to induce.\n\nHowever, this is usually not required since Arachni is aware of which requests\nare more likely to uncover new elements or attack vectors and will adapt itself\naccordingly.\n\nStill, this can be an invaluable asset to Fuzzer checks.\n\n## [Installation](https:\u002F\u002Fgithub.com\u002FArachni\u002Farachni\u002Fwiki\u002FInstallation)\n\n## [Usage](https:\u002F\u002Fgithub.com\u002FArachni\u002Farachni\u002Fwiki\u002FUser-guide)\n\n## Running the specs\n\nYou can run `rake spec` to run **all** specs or you can run them selectively using the following:\n\n    rake spec:core            # for the core libraries\n    rake spec:checks          # for the checks\n    rake spec:plugins         # for the plugins\n    rake spec:reports         # for the reports\n    rake spec:path_extractors # for the path extractors\n\n**Please be warned**, the core specs will require a beast of a machine 
due to the\nnecessity to test the Grid\u002Fmulti-Instance features of the system.\n\n**Note**: _The check specs will take many hours to complete due to the timing-attack tests._\n\n## Bug reports\u002FFeature requests\n\nSubmit bugs using [GitHub Issues](http:\u002F\u002Fgithub.com\u002FArachni\u002Farachni\u002Fissues) and\nget support via the [Support Portal](http:\u002F\u002Fsupport.arachni-scanner.com).\n\n## Contributing\n\n(Before starting any work, please read the [instructions](https:\u002F\u002Fgithub.com\u002FArachni\u002Farachni\u002Ftree\u002Fexperimental#source)\nfor working with the source code.)\n\nWe're happy to accept help from fellow code-monkeys and these are the steps you\nneed to follow in order to contribute code:\n\n* Fork the project.\n* Start a feature branch based on the [experimental](https:\u002F\u002Fgithub.com\u002FArachni\u002Farachni\u002Ftree\u002Fexperimental)\n  branch (`git checkout -b \u003Cfeature-name> experimental`).\n* Add specs for your code.\n* Run the spec suite to make sure you didn't break anything (`rake spec:core`\n  for the core libs or `rake spec` for everything).\n* Commit and push your changes.\n* Issue a pull request and wait for your code to be reviewed.\n\n## License\n\nArachni Public Source License v1.0 -- please see the _LICENSE_ file for more information.\n","Arachni is a scanning framework for evaluating the security of web applications. Written in Ruby, it is feature-complete and modular in design, and can intelligently learn and adapt to the behavioral patterns of the application being scanned, thereby effectively reducing false positives and improving detection accuracy. Arachni supports in-depth analysis of dynamic content (such as JavaScript and HTML5), making it particularly suitable for security audits of complex, highly interactive modern web applications. In addition, the tool supports a range of usage scenarios, from a command-line utility to distributed deployments. Although the maintainers officially recommend the replacement product Ecsypno [Spectre Scan], Arachni still offers a strong option for professionals who need to perform thorough web security checks.",2,"2026-06-11 03:14:25","top_language"]