Update information
Latest Release Version 3.0 - 02/10/2022
- FEATURE Directory scanner replaced with an interactive website map. Map includes all files linked on a website.
- FEATURE Major framework detection has been added, this is a passive feature that causes no additional requests.
- FEATURE Multithreading added to the directory fuzzer, configurable within the application settings.
- FEATURE Request time added to the URL crawler, displayed next to the status code.
- FEATURE Basic and advanced scan preferences tabs have in introduced to allow arctil to be more inclusive.
- FEATURE Scope items have been added to advanced scan preferences.
- FEATURE File upload form detections has been added.
- FEATURE Page response inspector added the the website map, this allows users to view the code of individual files.
- FEATURE Detection for basic authentication over HTTP added to the URL crawler, this is a passive feature.
- CHANGE With the release of arctil version 3 you'll get to experience a brand new user interface.
- CHANGE Like always arctil 3 includes a brand new report design.
- CHANGE Specific information is now provided for missing security headers, additionally arctil will now check for more headers.
- CHANGE Improvements made to local file inclusion testing, arctil will now test for both Windows and Linux based vulnerabilities.
- CHANGE New identifiers added to full path disclosure detection.
- CHANGE Open directory listing is now checked on each found directory.
- CHANGE Updates made to default error page detection, now includes options for DJango, Ruby on Rails and more.
- CHANGE New about dialog added to the "help" menu.
- CHANGE URL crawler now filters out anchor links as these are essentially duplicate URL's.
- CHANGE Improvments made for WAF detections (inc. mod_security)
- CHANGE Various code improvments to improve efficiancy, maintainability and decrease filesize.
- CHANGE Points of interest now link to relevant arctil articles, CVE links removed from software versions.
- CHANGE HTTP request system has been re-written to be much more efficient and maintainable.
- CHANGE Changes made to the request limiting and queued scanning to randomize the delay between requests.
- CHANGE Updates made to URL redirect detection, feature now has a larger detection success rate.
- CHANGE Directory fuzzer now runs after the URL crawler and vulnerability scanner have complete, found directories are added to the website map.
- CHANGE Changes have been made to the way arctil handles directory traversal, ../ will now step up a directory.
- BUG FIX Tweaks have been made to the way arctil opens config files as to prevent errors during report creation.
- BUG FIX Fix added for same host URL's being marked as not local resulting in fewer URL's found.
- BUG FIX Issue relating to POST requests returning 400 status code has been resolved.
- BUG FIX Change made to cookie inspector to prevent segmentation faults.
- BUG FIX Issue resolved with the injection engine not detecting input fields.
- BUG FIX Fix added to the URL crawler to help prevent target URL's and files being incorrectly appended.
Previous Release Version 2.1.1 - 08/07/2022
- FEATURE Multi-language Support - Select or make your own language profile to use within the arctil application.
- FEATURE Scan With Cookie - Scan deeper into your target website by setting authentication cookies.
- FEATURE Cookie Inspector - Examine cookie contents using the built in cookie list and inspector.
- FEATURE LDAP Injection has been added to the injection engine allowing to test for common LDAP injection errors.
- FEATURE Settings Window - Introduction of a settings window to handle language and theme selction. More controls will come in future.
- FEATURE Information Leakage - arctil will now check web page HTML comments for common words such as username and password etc.
- FEATURE Queued Scanning - Crawl a site using the queued scanning profile, this helps prevent WAF detection as it reduces arctil to one scan at a time.
- FEATURE Scanning Profiles - 3 default scanning profiles added to arctil, see Scanning Profiles for more information.
- CHANGE Improvements to the way arctil tests for unvalidate redirect vulnerabilities.
- CHANGE Improved WAF detection built into the requests, now utilises waf.json file. "waf.json" filename cannot be altered anymore.
- CHANGE Increased the number of automatically detected JS libraries.
- CHANGE arctil has implemented the software package browser to open urls from the crawler list.
- CHANGE Improvements made to the ways arctil detacts SQL injections buy testing multiple ways to break the query.
- CHANGE A UNIX timestamp has been added to all application errors which are logged in error.log allowing for easier debugging.
- CHANGE Changes made to software detector allowing users to add custom software, currently does not support version detection.
- CHANGE Error 404 and 500 links are reported during the initial web crawl rather than during the scan.
- CHANGE Timestamp has been added to export files preventing file overwriting.
- CHANGE Max file size for scanned links lowered to 3MB to speed up scans and increase the chance of scanning relevant files.
- CHANGE Changes made to how arctil loads config.json should result in improved performance and requre less memory.
- BUG FIX Page request can now handle redirects set by Set-Cookie, if redirected arctil will try again once.
- BUG FIX JSON Escape string implemented to avoid parse errors resulting from XSS vulnerable URL's.
- BUG FIX Result export issue relating to directoies not being exported has now been resolved.
- BUG FIX Directory scanner has bee updated to help avoid duplicate directories being added to the directory scanner list.
- BUG FIX Changes have been made to the URL crawler to prevent files with URL parameters being excluded.
- BUG FIX Javascript Library Detection bug fixed relating to json file not being added to config.json during setup.
Previous Release Version 2.0.2 - 19/04/2022
- FEATURE Website Structure directory tree - Directories list changes to a treeview to simulate a file browser.
- FEATURE Scan Robots.txt for Directories - Check through the robots.txt file to check for directories, these directories are then added to the directory scanner.
- FEATURE JS Library Detection - Arctil will now check .js (javascript) files for common javascript libraries such as jQuery and Angular..
- FEATURE Blind SQL Injection - Arctil now checks for SQL injection using "Blind" testing methods. This does not rely on common SQL injection errors.
- FEATURE Missing Security Headers - Checks to see if industry security headers are in use. Checks look for: Strict-Transport-Security, Content-Security-Policy and X-Frame-Options.
- FEATURE Added CVE when version detected - When version numbers are detected on software arctil will add a CVE link.
- CHANGE WAF detection - Detector is now built into the page requests.
- CHANGE Scan Preview Dialog - When a new scan is started the user is presented with a dialog box confirming the scan preferences they have selected.
- CHANGE Preferences Window -> Dialog Window - Preferences window is changed to a dialog box box.
- CHANGE UI Tweaks - Found urls now have a background colour on alternative links.
- CHANGE Imporved SQLi Testing - Increased number of detection markers. Each url parameter is tested individually.
- CHANGE Improved Expose Phone Number Detection - Changes made to how the exposed numbers are detected, increase detection probability.
- CHANGE Improved vulnerability feedback - Display vulnerable parameter and payload (SQL Injection, Reflected XSS) XSS returns the vulnerable parameter and payload.
- CHANGE Basic WAF bypass added to LFI scanner - LFI scanner will only traverse 7 directories and has WAF detections and bypass built into the core.
- BUG FIX URL crawler bug fix relating to www. domain prefix. Simple fix to allow to detect different urls with www. prefix.
- BUG FIX URL duplicate same page different parameter Bug fix implemented for urls when the file is the same but the parameter value is different. e.g. index.php?id=1 and index.php?id=2
- BUG FIX LFI url request issue with incorrect url being passed has been fixed.
Release Version 2.0.1 - 26/03/2022
- No information is available.
Release Version 1.0.1 - 21/02/2022
- No information is available.