Archery, perform scans and manage vulnerabilities with this tool


An information security expert explains that Archery is an open source vulnerability management and assessment tool that helps developers and assessors perform scans and manage vulnerabilities. Archery drives open source tools to perform a complete scan of the web application and the network. It also performs dynamic, authenticated scanning of the web application and crawls the application using Selenium. The tool can also be integrated into a DevOps CI/CD environment.


This is a small list of what the tool can do:

  • Perform web and network vulnerability scans using open source tools.
  • Correlates and collates the raw data of all scans and shows it in a consolidated view.
  • Perform an authenticated web scan.
  • Crawl the web application using Selenium.
  • Vulnerability management.
  • Enable the REST API so developers can perform vulnerability analysis and management.
  • JIRA ticketing system integration.
  • Discovery and scanning of subdomains.
  • Periodic scans.
  • Concurrent scans.
  • Useful for DevOps teams for vulnerability management.

The professional gave us a list of requirements:

  • Python 2.7
  • OpenVas 8
  • OWASP ZAP 2.7.0
  • Selenium Python Firefox Web driver

You must also enable Burp's REST API. Once the REST API is enabled, Archery can manage and trigger Burp scans.


Setup and settings

Running ZAP in daemon mode

For Windows: zap.bat -daemon -host 0.0.0.0 -port 8080 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true

For other systems: zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true

The information security professional gives us directions for configuring ZAP in Archery.

  • Go to the configuration page.
  • Edit the ZAP settings, or browse to the URL https://host:port/setting_edit/
  • Fill in the required information.
    • ZAP API key: leave it blank if you run ZAP as a daemon with api.disablekey=true
    • ZAP API host: the IP of your ZAP API host or system, e.g. 127.0.0.1 or 192.168.0.2
    • ZAP API port: the port ZAP is running on
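The daemon command and the three settings above together decide who can drive your ZAP instance. As an added example (not code from Archery or the ZAP project), the script below assembles that command line, flags the combination of api.disablekey=true, api.addrs.addr.name=.* and -host 0.0.0.0 (an unauthenticated API reachable from any address on the network, not only from the Archery host), builds URLs in the layout ZAP's JSON API uses, and parses the reply of the core/view/version endpoint. The JSON reply in the example is constructed to match what a ZAP 2.7.0 daemon returns; only fetch_version() needs a running ZAP, everything else runs offline.

```python
# Added example, not Archery's or ZAP's own code.
# Builds the ZAP daemon command line from the page, audits it for settings
# that widen who can reach the API, and parses ZAP's JSON API replies.
import json
from typing import Dict, List, Optional
from urllib.parse import urlencode
import urllib.request


def zap_daemon_command(host: str, port: int, api_key: Optional[str] = None,
                       windows: bool = False, addr_regex: str = ".*") -> List[str]:
    """Build the argv for running ZAP headless, as in the command above.
    With an api_key the daemon is started with -config api.key=<key>
    instead of disabling the key."""
    launcher = "zap.bat" if windows else "zap.sh"
    argv = [launcher, "-daemon", "-host", host, "-port", str(port)]
    if api_key:
        argv += ["-config", "api.key=" + api_key]
    else:
        argv += ["-config", "api.disablekey=true"]
    argv += ["-config", "api.addrs.addr.name=" + addr_regex,
             "-config", "api.addrs.addr.regex=true"]
    return argv


def _config_values(argv: List[str]) -> Dict[str, str]:
    """Collect the key=value pairs passed through -config flags."""
    values: Dict[str, str] = {}
    for i, tok in enumerate(argv):
        if tok == "-config" and i + 1 < len(argv) and "=" in argv[i + 1]:
            key, _, val = argv[i + 1].partition("=")
            values[key] = val
    return values


def audit_daemon_command(argv: List[str]) -> List[str]:
    """Return findings for settings that let more than the Archery host use the API."""
    findings: List[str] = []
    cfg = _config_values(argv)
    host = argv[argv.index("-host") + 1] if "-host" in argv else "127.0.0.1"
    key_disabled = cfg.get("api.disablekey", "false").lower() == "true"
    any_client = (cfg.get("api.addrs.addr.name") == ".*"
                  and cfg.get("api.addrs.addr.regex") == "true")
    bound_everywhere = host in ("0.0.0.0", "::")
    if key_disabled and bound_everywhere:
        findings.append("API key disabled while bound to all interfaces: "
                        "any host that can reach the port can start scans")
    if any_client and bound_everywhere:
        findings.append("api.addrs accepts any client address: "
                        "restrict it to the Archery host when not on loopback")
    return findings


def zap_api_url(base_url: str, component: str, kind: str, name: str,
                params: Optional[Dict[str, str]] = None,
                api_key: Optional[str] = None) -> str:
    """ZAP's JSON API layout: <base>/JSON/<component>/<view|action>/<name>/?params
    The key, when one is configured, travels in the 'apikey' query parameter."""
    query = dict(params or {})
    if api_key:
        query["apikey"] = api_key
    url = f"{base_url.rstrip('/')}/JSON/{component}/{kind}/{name}/"
    return url + ("?" + urlencode(query) if query else "")


def parse_version(body: str) -> str:
    """Parse the core/view/version reply, e.g. {"version":"2.7.0"}."""
    data = json.loads(body)
    if "version" not in data:
        raise ValueError("unexpected ZAP reply: " + body[:80])
    return data["version"]


def fetch_version(base_url: str, api_key: Optional[str] = None,
                  timeout: float = 5.0) -> str:
    """Live reachability check of the daemon entered in Archery's ZAP settings."""
    url = zap_api_url(base_url, "core", "view", "version", api_key=api_key)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_version(resp.read().decode("utf-8"))


if __name__ == "__main__":
    cmd = zap_daemon_command("0.0.0.0", 8080)
    print(" ".join(cmd))
    for finding in audit_daemon_command(cmd):
        print("WARNING:", finding)
    # Constructed reply shaped like a ZAP 2.7.0 daemon's answer.
    print(parse_version('{"version":"2.7.0"}'))
```

To keep the setup from the page while limiting exposure, run the daemon with an API key (zap_daemon_command(host, port, api_key="...")) and set addr_regex to the Archery host's address; audit_daemon_command() then returns no findings, and the key is what you enter in the "ZAP API key" field.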

Now, for the OpenVAS configuration.

  • Go to the configuration page.
  • Edit the OpenVAS settings, or browse to the URL https://host:port/networkscanners/openvas_setting
  • Fill in the required information and save.

Roadmap

Scanner parsers and plugins

  • Nessus
  • Netsparker

Plugin support for popular tools:

  • SSL Analysis
  • Nikto

Reporting:

  • PDF

Automated vulnerability scanning through the API.

Vulnerability POC pictures.

Cloud Security scanning.

It is important to note that the project is currently in the development phase and there is still a lot of work in progress.