Francisco Amato Posted July 2, 2018

Introduction

We are pleased to announce the newest version of Faraday, v3.0. In this new version we have made major architecture changes to adapt our software to the new challenges of cyber security. We focused on processing large data volumes and on making it easier for the user to interact with Faraday in its environment. To install it you can check out the new version on GitHub or, if you are a customer, access the portal to download the beta OVA.

Faraday just got much faster

Architecture changes and a new database (PostgreSQL) give us a new and revamped structure that allows us to support new objects and a bigger data volume. This dramatically improves most of the backend services that directly impact your day-to-day use.

Big changes require time

The total amount of work, in terms of commits, for the migration consisted of 29% of the total work done for the project to this day. We changed and reviewed around 75,440 lines of code, including the addition of a lot of unit tests.

[Figure: Commits per week on the faraday code repository from July 2017 to June 2018]

What's new on the Backend

- New Server: implemented with Flask.
- New Database engine: PostgreSQL.
- New REST API: with complete CRUD support for every object in Faraday. It makes it simpler to query the DB and it opens up new ways for personalized integrations. Run python manage.py show_urls to see all our new API endpoints. Example usage for getting hosts from the new API:

  curl 'http://localhost:5985/_api/v2/ws/europe' -H 'Cookie: AuthSession=[COOKIE]; session=[COOKIE];'

- Better scalability and performance improvements. There's a drastic reduction in the time needed for searches in our API, and with the new architecture it's significantly easier to scale up horizontally.
What's new on the front

For this version we listened to feedback from our users to make Faraday friendlier, with a major focus on making specific data more readily available and a faster interface.

The new dashboard

The new dashboard has been organized with a new layout to show relevant information first, helping users to find vulnerable spots in their workspace.

Updated Status Report

We changed and simplified the status report design.

Redesign of the hosts list

Now you can add and remove columns, plus see and filter by hostnames and services.

Small improvements that make your day

- Import scan outputs directly from the Web UI. Now you can import results from your scans directly in our Web UI.
- Import scan outputs via API. Here's an example of the new API:

  curl 'http://127.0.0.1:5985/_api/v2/ws/test/upload_report' -H 'Content-Type: multipart/form-data' -H 'Cookie: AuthSession=[COOKIE]; session=[COOKIE];' --data-binary $'[FILE BINARY DATA]' --compressed

- Dramatic performance upgrades.
- Simplification of the model we used. Say "adios" to the interface object.
- Access to the server using "/" instead of /_ui/.
- Ability to edit the names of workspaces.
New Plugins

- HP WebInspect
- IP360

More plugins:

- Sslyze
- Wfuzz
- Xsssniper
- Brutexss
- Recon-NG
- Sublist3r
- Dirsearch

Full List of Changes

- Allow faraday-server to have multiple instances
- Add hostname to host
- Interface removed from model and from persistence server lib (fplugin)
- Performance improvements on the backend
- Add quick change workspace name (from all views)
- Allow user to change workspace
- New faraday styles in all Webui views
- Add search by id for vulnerabilities
- Add new plugin Sslyze
- Add new plugin Wfuzz
- Add xsssniper plugin
- Fix W3af, Zap plugins
- Add Brutexss plugin
- Allow to upload report file from external tools from the web
- Fix sshcheck import file from GTK
- Add reconng plugin
- Add sublist3r plugin
- Add HP Webinspect plugin
- Add dirsearch plugin
- Add ip360 plugin
- CouchDB was replaced by PostgreSQL :)
- Host object changed, now the name property is called ip
- Interface object was removed
- Note object was removed and replaced with Comment
- Communication object was removed and replaced with Comment
- Show credentials count in summarized report on the dashboard
- Remove vuln template CWE fields, join it with references
- Allow to search hosts by hostname, os and service name
- Allow the user to specify the desired fields of the host list table
- Add optional hostnames, services, MAC and description fields to the host list
- Workspace names can be changed from the Web UI
- Changed the scope field of a workspace from a free text input to a list of targets
- Exploitation and severity fields only allow certain values.
- CWE CVEs were fixed to be valid.
- A script to convert custom CSVs was added.
- Web UI path changed from /ui/ to / (ui now has a redirection to / for keeping backwards compatibility)
- dirb plugin should create a vulnerability of type information instead of a note.
- Add confirmed column to exported CSV from Webui
- Fixes in Arachni plugin
- Add new parameters --keep-old and --keep-new for faraday CLI
- Add new screenshot fplugin which takes a screenshot of the ip:ports of a given protocol
- Add fix for Netsparker regular and cloud, fix on severity
- Admin users can list and access all workspaces, even if they don't have permissions
- Removed Chat feature (data is kept inside notes)
- Plugin reports now can be imported in the server, from the Web UI
- Add CVSS score to reference field in Nessus plugin.
- Fix unicode characters bug in Netsparker plugin.
- Fix Qualys plugin.
- Fix bugs with MACOS and GTK.
- Add response field to model in grouped report template.
- Add tooltip in WebUi with information about errors in executive report.
- LDAP login is now with user@domain.com, not user only anymore.
- Fix Jira bugs in WebUi

We hope you enjoy it, and let us know if you have any questions or comments.

https://www.faradaysec.com
https://forum.faradaysec.com/
https://www.faradaysec.com/ideas
https://github.com/infobyte/faraday
https://twitter.com/faradaysec
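The two API calls quoted in the announcement (the GET on /_api/v2/ws/<workspace> and the multipart POST to /_api/v2/ws/<workspace>/upload_report) are Chrome "copy as cURL" output with the body elided, so the part a practitioner actually has to get right, the cookie header and the multipart/form-data encoding, is not shown. The following is an added example, not code from the post or from the Faraday project: a standard-library-only Python client for those two endpoints, run against a constructed stub server so it works offline. The multipart field name "file", the JSON reply shapes, the sample report bytes and the stub server itself are assumptions for illustration; the cookie values are the same placeholders the post uses and would come from a real login in practice.

```python
"""Added example, not Faraday's own client code. Talks to the two endpoints
named in the announcement against a constructed stub server.
ASSUMPTIONS: the form field name "file", the JSON reply shapes and the stub
server are illustrative and not taken from the project."""
import json
import secrets
import threading
import urllib.error
import urllib.request
from email.parser import BytesParser
from email.policy import default as email_policy
from http.server import BaseHTTPRequestHandler, HTTPServer

# Same placeholders the post uses; a real client gets these from the login flow.
SESSION_COOKIES = {"AuthSession": "[COOKIE]", "session": "[COOKIE]"}
# Constructed stand-in for a scanner output file (not a real Nessus export).
SAMPLE_REPORT = b"<NessusClientData_v2><Report name='constructed'/></NessusClientData_v2>"


def auth_headers(cookies):
    """Build the 'Cookie:' header curl was given; no header at all if no session."""
    return {"Cookie": "; ".join(f"{k}={v}" for k, v in cookies.items())} if cookies else {}


def build_multipart(field, filename, data, boundary=None):
    """Hand-build the multipart/form-data body that 'copy as cURL' elides.
    A random boundary is used unless one is supplied (only for tests)."""
    boundary = boundary or secrets.token_hex(16)
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


def parse_multipart(content_type, body):
    """Server-side counterpart: {field: (filename, bytes)} from a multipart body."""
    msg = BytesParser(policy=email_policy).parsebytes(
        f"Content-Type: {content_type}\r\n\r\n".encode() + body)
    return {part.get_param("name", header="content-disposition"):
            (part.get_filename(), part.get_payload(decode=True))
            for part in msg.iter_parts()}


def get_workspace(base_url, workspace, cookies):
    """GET /_api/v2/ws/<workspace>; returns (status, decoded JSON)."""
    req = urllib.request.Request(f"{base_url}/_api/v2/ws/{workspace}",
                                 headers=auth_headers(cookies))
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read())


def upload_report(base_url, workspace, cookies, filename, data):
    """POST a scan report to /_api/v2/ws/<workspace>/upload_report as multipart."""
    ctype, body = build_multipart("file", filename, data)  # "file": assumed field name
    req = urllib.request.Request(
        f"{base_url}/_api/v2/ws/{workspace}/upload_report", data=body, method="POST",
        headers={"Content-Type": ctype, **auth_headers(cookies)})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read())


class _StubFaraday(BaseHTTPRequestHandler):
    """Constructed stand-in for the server: 401 without a session cookie,
    400 for an upload without the expected field, and it records what it accepted."""
    received = {}

    def _reply(self, status, obj):
        payload = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        if "Cookie" not in self.headers:
            return self._reply(401, {"error": "no session"})
        self._reply(200, {"name": self.path.rsplit("/", 1)[-1]})

    def do_POST(self):
        if "Cookie" not in self.headers:
            return self._reply(401, {"error": "no session"})
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        parts = parse_multipart(self.headers.get("Content-Type", ""), body)
        if "file" not in parts:
            return self._reply(400, {"error": "missing file field"})
        _StubFaraday.received.update(parts)
        self._reply(200, {"filename": parts["file"][0], "size": len(parts["file"][1])})

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Start the stub, fetch a workspace, upload the sample report, and show that a
    cookie-less request is rejected. Returns (ws_result, upload_result, stored_file, rejected)."""
    srv = HTTPServer(("127.0.0.1", 0), _StubFaraday)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        ws = get_workspace(base, "europe", SESSION_COOKIES)
        up = upload_report(base, "test", SESSION_COOKIES, "scan.nessus", SAMPLE_REPORT)
        try:
            get_workspace(base, "europe", {})
            rejected = False
        except urllib.error.HTTPError as err:
            rejected = err.code == 401
        return ws, up, _StubFaraday.received["file"], rejected
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Against a real Faraday server you would drop the stub, point base_url at port 5985 and replace the placeholder cookies with the values from your browser session; everything else in the client stays the same. The boundary is generated with secrets so that a report containing attacker-chosen content cannot collide with it, which is the one detail a hand-rolled multipart encoder commonly gets wrong.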
Bigbiz Posted July 3, 2018

Awesome, love Faraday. Learning curve right now. Any good user manuals out there?
r3plic4tor Posted July 8, 2018 (edited)

How do all these great user 'right-of-ways' help to reduce your attack surface? What controls do you have in place to protect your user integrity within the web application?

Quote: "Admin users can list and access all workspaces, even if they don't have permissions"

mmmm.....yum!

Edited July 8, 2018 by r3plic4tor
Francisco Amato (Author) Posted July 27, 2018

Hi everyone! Just to notify that Faraday v3.0 was released today! I hope you all like it!