Faraday v3.0 - Collaborative Penetration Test and Vulnerability Management Platform


This new version introduces major architectural changes to adapt the software to the new challenges of cybersecurity. It focuses on processing large volumes of data and on making it easier for users to integrate Faraday into their environment.

Faraday just got much faster

Architecture changes and a new database (PostgreSQL) give us a new and revamped structure that supports new object types and a much larger data volume. This dramatically improves most of the backend services that directly affect your day-to-day use.

Big changes require time

The total amount of work, in terms of commits, for the migration consisted of 29% of the total work done for the project to this day. We changed and reviewed around 75440 lines of code, including the addition of many unit tests.

Commits per week on faraday code repository from July 2017 to June 2018

What’s new on the Backend
  • New Server: Implemented with Flask.
  • New Database engine: PostgreSQL.
  • New REST API: With complete support for CRUD for every object from Faraday. It makes it simpler to do queries for the DB and it opens up new ways for personalized integrations. Run python manage.py show_urls to see all our new API endpoints.
Example usage for getting hosts from the new API:
curl 'http://localhost:5985/_api/v2/ws/europe/hosts' -H 'Cookie: AuthSession=[COOKIE]; session=[COOKIE];'
  • Better scalability and performance improvements. There’s a drastic reduction in the time needed for searches in our API, and with the new architecture it’s significantly easier to scale up horizontally.

What’s new on the front

For this version we listened to feedback from our users to make Faraday friendlier with a major focus on making specific data more readily available and a faster interface.

The new dashboard

The new dashboard has been organized with a new layout to show relevant information first, helping users to find vulnerable spots in their workspace.


Updated Status Report

Changed and simplified the status report design:


Redesign of the hosts list

Now you can add and remove columns, plus see and filter by hostnames and services:


Small improvements that make your day

  • Imports Scan Outputs directly from the Web UI.
    • Now you can import results from your scans directly in our Web UI:



Video: report upload from the Web GUI.


  • Import Scan Outputs via API.
Here’s an example of the new API:

curl 'http://127.0.0.1:5985/_api/v2/ws/test/upload_report' -H 'Content-Type: multipart/form-data' -H 'Cookie: AuthSession=[COOKIE]; session=[COOKIE];' --data-binary $'[FILE BINARY DATA]' --compressed
  • Dramatic performance upgrades.
  • Simplification of the model we used. Say "adios" to the interface object.
  • Access to the server using “/” instead of /_ui/.
  • Ability to edit the names of workspaces.
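The two API calls shown above (listing the hosts of a workspace and uploading a scanner report) are wrapped below in a small standard-library Python client. This is an added example, not Faraday's own client code. It reads the AuthSession and session cookies from environment variables (hypothetical names FARADAY_AUTHSESSION and FARADAY_SESSION) instead of embedding them in the script, percent-encodes the workspace name before placing it in the URL, and sends the report as a proper multipart/form-data body. The form field name "file", the JSON shape of the hosts reply and the sample reply itself are assumptions constructed for the example; the injectable `opener` lets the code run offline against that canned reply.

```python
"""Tiny client for the two Faraday v3 REST calls shown in this post (hosts listing
and report upload). Added example, not Faraday's own client code."""
import json
import os
import urllib.request
import uuid
from urllib.parse import quote

DEFAULT_BASE = "http://localhost:5985"  # host:port used in the post's curl examples

# Constructed sample reply: the field names (ip, hostnames, os) follow the host
# properties mentioned in the changelog, but the exact JSON shape the server
# returns is an assumption, not taken from Faraday's API documentation.
SAMPLE_HOSTS_REPLY = json.dumps([
    {"ip": "10.0.0.5", "hostnames": ["db1", "db1.example.test"], "os": "Linux"},
    {"ip": "10.0.0.9", "hostnames": [], "os": "Windows"},
]).encode("utf-8")


def auth_cookie_header(auth_session, session):
    """Cookie header in the exact form the post's curl commands send it."""
    return f"AuthSession={auth_session}; session={session};"


def cookies_from_env():
    """Read the two session cookies from the environment so they never end up
    hard-coded in a script. The variable names are hypothetical."""
    try:
        return auth_cookie_header(os.environ["FARADAY_AUTHSESSION"],
                                  os.environ["FARADAY_SESSION"])
    except KeyError as exc:
        raise RuntimeError(f"missing environment variable {exc}") from None


def workspace_url(base, workspace, resource):
    """Build /_api/v2/ws/<workspace>/<resource>; the workspace name is
    percent-encoded so a name containing '/' or spaces cannot alter the path."""
    return f"{base}/_api/v2/ws/{quote(workspace, safe='')}/{resource}"


def hosts_request(workspace, cookie_header, base=DEFAULT_BASE):
    """GET .../hosts, the call shown in the post."""
    return urllib.request.Request(workspace_url(base, workspace, "hosts"),
                                  headers={"Cookie": cookie_header}, method="GET")


def encode_multipart(field_name, filename, data):
    """Encode one file as multipart/form-data with a random boundary.
    The form field name is an assumption: check what the server expects."""
    boundary = uuid.uuid4().hex
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field_name}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode("utf-8")
    tail = f"\r\n--{boundary}--\r\n".encode("utf-8")
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def upload_report_request(workspace, filename, data, cookie_header, base=DEFAULT_BASE):
    """POST .../upload_report with the scanner output as a form file."""
    content_type, body = encode_multipart("file", filename, data)
    return urllib.request.Request(workspace_url(base, workspace, "upload_report"),
                                  data=body, method="POST",
                                  headers={"Cookie": cookie_header,
                                           "Content-Type": content_type})


def canned_opener(payload):
    """Return an opener that answers every request with `payload` (offline use)."""
    class _Reply:
        def read(self):
            return payload

        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False
    return lambda request: _Reply()


def send(request, opener=urllib.request.urlopen):
    """Send the request and decode the JSON reply; `opener` is injectable so the
    code can be exercised without a running server."""
    with opener(request) as reply:
        return json.loads(reply.read().decode("utf-8"))


def index_by_hostname(hosts):
    """Map each hostname to its host IP (assumed reply shape, see above)."""
    return {name: host["ip"] for host in hosts for name in host.get("hostnames", [])}


if __name__ == "__main__":
    cookie = auth_cookie_header("<AuthSession>", "<session>")  # placeholder values
    hosts = send(hosts_request("europe", cookie), opener=canned_opener(SAMPLE_HOSTS_REPLY))
    print(index_by_hostname(hosts))  # {'db1': '10.0.0.5', 'db1.example.test': '10.0.0.5'}
```

Against a real server, replace the canned opener with the default `urllib.request.urlopen` and take the cookies from `cookies_from_env()`. The same cookies that authenticate the Web UI authenticate API calls, so treat them as credentials: keep them out of shell history and scripts, and use TLS whenever the server is not on localhost.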

New Plugins
  • HP WebInspect
  • IP360
  • Sslyze
  • Wfuzz
  • Xsssniper
  • Brutexss
  • Recon-NG
  • Sublist3r
  • Dirsearch

Full List of Changes
  • Allow faraday-server to have multiple instances
  • Add hostname to host
  • Interface removed from model and from persistence server lib (fplugin)
  • Performance improvements on the backend
  • Add quick change workspace name (from all views)
  • Allow user to change workspace
  • New faraday styles in all Webui views
  • Add search by id for vulnerabilities
  • Add new plugin Sslyze
  • Add new plugin Wfuzz
  • Add xsssniper plugin
  • Fix W3af, Zap plugins
  • Add Brutexss plugin
  • Allow to upload report file from external tools from the web
  • Fix sshcheck import file from GTK
  • Add reconng plugin
  • Add sublist3r plugin
  • Add HP Webinspect plugin
  • Add dirsearch plugin
  • Add ip360 plugin
  • CouchDB was replaced by PostgreSQL :)
  • Host object changed, now the name property is called ip
  • Interface object was removed
  • Note object was removed and replaced with Comment
  • Communication object was removed and replaced with Comment
  • Show credentials count in summarized report on the dashboard
  • Remove vuln template CWE fields, join it with references
  • Allow to search hosts by hostname, os and service name
  • Allow the user to specify the desired fields of the host list table
  • Add optional hostnames, services, MAC and description fields to the host list
  • Workspace names can be changed from the Web UI
  • Changed the scope field of a workspace from a free text input to a list of targets
  • Exploitation and severity fields only allow certain values.
  • CWE CVEs were fixed to be valid. A script to convert custom CSVs was added.
  • Web UI path changed from /ui/ to / (ui has now a redirection to / for keeping backwards compatibility)
  • The dirb plugin now creates a vulnerability of type "information" instead of a note.
  • Add confirmed column to exported CSV from Webui
  • Fixes in Arachni plugin
  • Add new parameters --keep-old and --keep-new for faraday CLI
  • Add new screenshot fplugin which takes a screenshot of the ip:ports of a given protocol
  • Fix severity handling in the Netsparker (regular and cloud) plugins
  • Admin users can list and access all workspaces, even if they don't have permissions
  • Removed Chat feature (data is kept inside notes)
  • Plugin reports now can be imported in the server, from the Web UI
  • Add CVSS score to reference field in Nessus plugin.
  • Fix unicode characters bug in Netsparker plugin.
  • Fix Qualys plugin.
  • Fix bugs with MACOS and GTK.
  • Add response field to the model in the grouped report template.
  • Add tooltip in WebUi with information about errors in executive report.
  • LDAP login now uses [email protected] instead of the username alone.
  • Fix Jira bugs in WebUi

https://www.faradaysec.com
https://forum.faradaysec.com/
https://www.faradaysec.com/ideas
https://github.com/infobyte/faraday
https://twitter.com/faradaysec

Reviewed by Zion3R on 10:12 AM