Faraday Beta V3.0 Released


Francisco Amato

Introduction

We are pleased to announce the newest version of Faraday, v3.0. In this new version we have made major architecture changes to adapt our software to the new challenges of cyber security. We focused on processing large data volumes and on making it easier for the user to interact with Faraday in its environment.

To install it you can check out the new version on GitHub or, if you are a customer, access the portal to download the beta OVA.

Faraday just got much faster

Architecture changes and a new database (PostgreSQL) give us a new and revamped structure that allows us to support new objects and a bigger data volume. This dramatically improves most of the backend services that directly impact your day-to-day use.

Big changes require time

The total amount of work, in terms of commits, for the migration consisted of 29% of the total work done for the project to this day. We changed and reviewed around 75440 lines of code, including the addition of a lot of unit tests.

[Image: Commits per week on the faraday code repository from July 2017 to June 2018]

What’s new on the Backend

  • New Server: Implemented with Flask.
  • New Database engine: PostgreSQL.
  • New REST API: With complete support for CRUD for every object from Faraday. It makes it simpler to query the DB and it opens up new ways for personalized integrations. Run python manage.py show_urls to see all our new API endpoints.

    Example usage for getting hosts from the new API:

    curl 'http://localhost:5985/_api/v2/ws/europe' -H 'Cookie: AuthSession=[COOKIE]; session=[COOKIE];'
  • Better scalability and performance improvements. There’s a drastic reduction in time needed for searches in our API and with the new architecture it’s significantly easier to scale-up horizontally.

What’s new on the front

For this version we listened to feedback from our users to make Faraday friendlier with a major focus on making specific data more readily available and a faster interface.
 

The new dashboard

The new dashboard has been organized with a new layout to show relevant information first, helping users to find vulnerable spots in their workspace.

Updated Status Report

We changed and simplified the status report design:


Redesign of the hosts list

Now you can add and remove columns, plus see and filter by hostnames and services:
[Image: the redesigned hosts list]

Small improvements that make your day

  • Import scan outputs directly from the Web UI.

    Now you can import results from your scans directly in our Web UI.

  • Import scan outputs via API.

    Here's an example of the new API:

    curl 'http://127.0.0.1:5985/_api/v2/ws/test/upload_report' -H 'Content-Type: multipart/form-data' -H 'Cookie: AuthSession=[COOKIE]; session=[COOKIE];' --data-binary $'[FILE BINARY DATA]' --compressed
  • Dramatic performance upgrades.
  • Simplification of the model we used. Say "adios" to the interface object.
  • Access to the server using “/” instead of /_ui/ .
  • Ability to edit the names of workspaces.

New Plugins

  • HP WebInspect
  • IP360

More plugins:

  • Sslyze
  • Wfuzz
  • Xsssniper
  • Brutexss
  • Recon-NG
  • Sublist3r
  • Dirsearch

Full List of Changes

  • Allow faraday-server to have multiple instances
  • Add hostname to host
  • Interface removed from model and from persistence server lib (fplugin)
  • Performance improvements on the backend
  • Add quick change workspace name (from all views)
  • Allow user to change workspace
  • New faraday styles in all Webui views
  • Add search by id for vulnerabilities
  • Add new plugin Sslyze
  • Add new plugin Wfuzz
  • Add xsssniper plugin
  • Fix W3af, Zap plugins
  • Add Brutexss plugin
  • Allow to upload report file from external tools from the web
  • Fix sshcheck import file from GTK
  • Add reconng plugin
  • Add sublist3r plugin
  • Add HP Webinspect plugin
  • Add dirsearch plugin
  • Add ip360 plugin
  • CouchDB was replaced by PostgreSQL :)
  • Host object changed, now the name property is called ip
  • Interface object was removed
  • Note object was removed and replaced with Comment
  • Communication object was removed and replaced with Comment
  • Show credentials count in summarized report on the dashboard
  • Remove vuln template CWE fields, join it with references
  • Allow to search hosts by hostname, os and service name
  • Allow the user to specify the desired fields of the host list table
  • Add optional hostnames, services, MAC and description fields to the host list
  • Workspace names can be changed from the Web UI
  • Changed the scope field of a workspace from a free text input to a list of targets
  • Exploitation and severity fields only allow certain values.
  • CWE CVEs were fixed to be valid. A script to convert custom CSVs was added.
  • Web UI path changed from /ui/ to / (ui has now a redirection to / for keeping backwards compatibility)
  • dirb plugin should create a vulnerability of type information instead of a note.
  • Add confirmed column to exported CSV from Webui
  • Fixes in Arachni plugin
  • Add new parameters --keep-old and --keep-new for faraday CLI
  • Add new screenshot fplugin which takes a screenshot of the ip:ports of a given protocol
  • Add fix for Netsparker regular and cloud fix on severity
  • Admin users can list and access all workspaces, even if they don't have permissions
  • Removed Chat feature (data is kept inside notes)
  • Plugin reports now can be imported in the server, from the Web UI
  • Add CVSS score to reference field in Nessus plugin.
  • Fix unicode characters bug in Netsparker plugin.
  • Fix Qualys plugin.
  • Fix bugs with MACOS and GTK.
  • Response field added to model in grouped report template.
  • Add tooltip in WebUi with information about errors in executive report.
  • Fix Jira bugs in WebUi
 

We hope you enjoy it, and let us know if you have any questions or comments.
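As an added example (not code from the announcement or from the Faraday project), this Python client builds the same two requests the curl examples above show, the host listing for a workspace and the multipart report upload, reading the session cookies from environment variables instead of the command line. The base URL, the environment variable names and the form field name "file" are assumptions.

```python
import os
import uuid
import urllib.request

# Assumed base URL; the announcement shows the server listening on port 5985.
BASE_URL = os.environ.get("FARADAY_URL", "http://127.0.0.1:5985")

def api_url(workspace, resource=""):
    """Build a v2 API URL for a workspace: /_api/v2/ws/europe lists hosts,
    /_api/v2/ws/test/upload_report takes a scan report (both paths are from the post)."""
    path = "/_api/v2/ws/" + workspace
    if resource:
        path += "/" + resource.strip("/")
    return BASE_URL.rstrip("/") + path

def cookie_header(auth_session, session):
    """Same Cookie header as the curl examples; values come from the environment
    rather than the command line so they do not end up in shell history."""
    return "AuthSession=%s; session=%s;" % (auth_session, session)

def multipart_body(field, filename, data, boundary=None):
    """Encode one file as multipart/form-data (the content type upload_report expects).
    Returns (content_type, body). The form field name is an assumption."""
    boundary = boundary or uuid.uuid4().hex
    head = ('--%s\r\nContent-Disposition: form-data; name="%s"; filename="%s"\r\n'
            'Content-Type: application/octet-stream\r\n\r\n' % (boundary, field, filename))
    tail = "\r\n--%s--\r\n" % boundary
    return "multipart/form-data; boundary=" + boundary, head.encode() + data + tail.encode()

def build_hosts_request(workspace, auth_session, session):
    """GET request equivalent to the first curl example."""
    req = urllib.request.Request(api_url(workspace))
    req.add_header("Cookie", cookie_header(auth_session, session))
    return req

def build_upload_request(workspace, filename, data, auth_session, session):
    """POST request equivalent to the upload_report curl example."""
    ctype, body = multipart_body("file", filename, data)  # 'file' is an assumed field name
    req = urllib.request.Request(api_url(workspace, "upload_report"), data=body, method="POST")
    req.add_header("Content-Type", ctype)
    req.add_header("Cookie", cookie_header(auth_session, session))
    return req

if __name__ == "__main__":
    auth = os.environ.get("FARADAY_AUTHSESSION", "[COOKIE]")
    sess = os.environ.get("FARADAY_SESSION", "[COOKIE]")
    sample = b"<constructed-report/>"  # constructed stand-in for a real scanner output file
    with urllib.request.urlopen(build_upload_request("test", "scan.xml", sample, auth, sess)) as resp:
        print(resp.status, resp.read()[:200])
```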


How do all these great user 'right-of-ways' help to reduce your attack surface?

What controls do you have in place to protect your user integrity within the web application?

Quote: "Admin users can list and access all workspaces, even if they don't have permissions"

mmmm.....yum!

Edited by r3plic4tor