Faraday introduces a new concept – IPE (Integrated Penetration-Test Environment) a multiuser Penetration test IDE. Designed for distribution, indexation, and analysis of the data generated during a security audit.
The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.
Designed for simplicity, users should notice no difference between their own terminal application and the one included in Faraday. Developed with a specialized set of functionalities that help users improve their own work. Do you remember yourself programming without an IDE? Well, Faraday does the same as an IDE does for you when programming, but from the perspective of a penetration test.
- Fix CSRF (Cross-Site Request Forgery) vulnerability in vulnerability attachments API.
This allowed an attacker to upload evidence to vulns. He/she required to know the
desired workspace name and vulnerability id so it complicated the things a bit. We
classified this vuln as a low impact one.
- Readonly and disabled workspaces
- Add fields ‘impact’, ‘easeofresolution’ and ‘policyviolations’ to vulnerability_template
- Add pagination in ‘Command history’, ‘Last Vulnerabilities’, ‘Activity logs’ into dashboard
- Add status_code field to web vulnerability
- Preserve selection after bulk edition of vulnerabilities in the Web UI
- Faraday’s database will be created using UTF-8 encoding
- Fix bug of “select a different workspace” from an empty list loop.
- Fix bug when creating duplicate custom fields
- Fix bug when loading in server.ini with extra configs
./manage.py command. It wasn’t working since the last schema migration
./manage.py createsuperusercommand renamed to
- Fix bug when non-numeric vulnerability IDs were passed to the attachments API
- Fix logic in search exploits
- Add ability to ‘Searcher’ to execute rules in loop with dynamic variables
- Send searcher alert with custom mail
- Add gitlab-ci.yml file to execute test and pylint on gitlab runner
- Fix 500 error when updating services and vulns with specific read-only parameters set
- Fix SQLMap plugin to support newer versions of the tool
- Improve service’s parser for Lynis plugin
- Fix bug when parsing URLs in Acunetix reports
- Fix and update NetSparker Plugin
- Fix bug in nessus plugin. It was trying to create a host without IP. Enabled logs on the server for plugin processing (use –debug)
- Fix bug when parsing hostnames in Nessus reports
- Fix SSLyze report automatic detection, so reports can be imported from the web ui
- Update Dnsmap Plugin
Don’t change the way you work today! Faraday plays well with others, right now it has more than 50 supported tools, among them you will find:
There is 3 kind of plugins:
- Plugins that intercept commands, fired directly when a command is detected in the console. These are transparent to you and no additional action on your part is needed.
- Plugins that import file reports. You have to copy the report to $HOME/.faraday/report/[workspacename] (replacing [workspacename] with the actual name of your Workspace) and Faraday will automatically detect, process and add it to the HostTree.
- Plugin connectors or online (BeEF, Metasploit, Burp), these connect to external APIs or databases or talk directly to Faraday’s RPC API.