Arachni Detection Coverage versus OWASP Top-10

Lyle swanson

30 Oct, 2015 08:22 PM

I am looking for clarification on Arachni's detection coverage relative to the OWASP Top-10. From what I have read, Arachni detection covers items A1, A3, A5, A8, and A10 (see list below).

So the question: Does Arachni have any detection ability for the remaining 5 threats in the OWASP top-10 (A2, A4, A6, A7, and A9)? Or must a person write his own custom penetration tests for these remaining threats?

OWASP Top-10:

A1 - Injection: YES

A2 - Broken Authentication and Session Management: ??

A3 - Cross-Site Scripting (XSS): YES

A4 - Insecure Direct Object References: ??

A5 - Security Misconfiguration: YES

A6 - Sensitive Data Exposure: ??

A7 - Missing Function Level Access Control: ??

A8 - Cross-Site Request Forgery (CSRF): YES

A9 - Using Components with Known Vulnerabilities: ??

A10 - Unvalidated Redirects and Forwards: YES

  1. Posted by Tasos Laskos (Support Staff) on 30 Oct, 2015 08:28 PM

    • A2: There's a session_fixation check; other than that, I don't think you can check for these issues automatically.
    • A4: Impossible to tell. I know people claim to do it, but it's a brochure thing. A scanner doesn't know which resources should or should not be considered insecure in that sense.
    • A6: US SSNs, credit cards, leaked usernames etc. will be identified.
    • A7: Same as A4.
    • A9: Arachni is focused on black-box testing rather than fingerprinting, so it's not supported.
  2. Tasos Laskos closed this discussion on 03 Nov, 2015 06:38 PM.
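A passive check in the spirit of the A6 coverage described in the reply above (SSNs and card numbers showing up in response bodies), added here as an illustration and not Arachni's own code; the patterns, the Luhn filter and the sample response are all constructed assumptions:

```ruby
# Added example, not Arachni's own code: a passive A6 (Sensitive Data
# Exposure) check. It scans a response body for US SSN and payment-card
# patterns and validates card candidates with the Luhn checksum so that
# arbitrary digit runs (order ids, phone numbers) are not reported.

# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE  = /\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/
# Card candidate: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = /\b(?:\d[ -]?){12,18}\d\b/

# Luhn mod-10 checksum over a string of digits.
def luhn_valid?(digits)
  sum = 0
  digits.reverse.each_char.with_index do |ch, i|
    d = ch.to_i
    if i.odd?
      d *= 2
      d -= 9 if d > 9
    end
    sum += d
  end
  (sum % 10).zero?
end

# Returns an array of findings, each { type: :ssn | :credit_card, value: }.
def find_sensitive_data(body)
  findings = []
  body.scan(SSN_RE) { |m| findings << { type: :ssn, value: m } }
  body.scan(CARD_RE) do |m|
    digits = m.delete(" -")
    next unless (13..19).cover?(digits.length) && luhn_valid?(digits)
    findings << { type: :credit_card, value: m }
  end
  findings
end

# Constructed sample response body (not captured from any real site).
SAMPLE_BODY = <<~HTML
  <p>Customer SSN: 123-45-6789</p>
  <p>Card on file: 4111 1111 1111 1111</p>
  <p>Order id: 4111 1111 1111 1112</p>
  <p>Phone: 000-12-3456</p>
HTML

if __FILE__ == $0
  find_sensitive_data(SAMPLE_BODY).each { |f| puts "#{f[:type]}: #{f[:value]}" }
end
```

The order id and the phone number are rejected by the Luhn check and the SSN lookaheads respectively, which is the kind of filtering a passive check needs to keep its false-positive rate tolerable.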
