Date: Fri, 27 Jul 2018 16:06:50 -0300
From: Francisco Amato <>
Subject: [FD] Faraday V3.0 Released

Faraday helps you to host your own vulnerability management platform
now and streamline your team in one place.

We are pleased to announce the newest version of Faraday v3.0. In this
new version we have made major architecture changes to adapt our
software to the new challenges of cyber security. We focused on
processing large data volumes and on making it easier for the user to
interact with Faraday in its environment.

To install it you can check out the new version on GitHub:

Faraday just got much faster:
Architecture changes and a new database (PostgreSQL) give us a new
and revamped structure that allows us to support new objects and a
bigger data volume. This dramatically improves most of the backend
services that directly impact your day-to-day use.

Big changes require time:
The total amount of work, in terms of commits, for the migration
consisted of 29% of the total work done for the project to this
We changed and reviewed around 75440 lines of code, including the
addition of a lot of unit tests.

What’s new on the Backend:
- New Server: Implemented with Flask.
- New Database engine: PostgreSQL.
- New REST API: With complete support for CRUD for every object from
Faraday. It makes it simpler to do queries for the DB and it opens up
new ways for personalized integrations. Run python show_urls
to see all our new API endpoints.

Example usage for getting hosts from the new api:
curl 'http://localhost:5985/_api/v2/ws/europe' \
  -H 'Cookie: AuthSession=[COOKIE]; session=[COOKIE];'

- Better scalability and performance improvements. There’s a drastic
reduction in time needed for searches in our API and with the new
architecture it’s significantly easier to scale-up horizontally.

What’s new on the front:
For this version we listened to feedback from our users to make
Faraday friendlier with a major focus on making specific data more
readily available and a faster interface.

The new dashboard:
The new dashboard has been organized with a new layout to show
relevant information first, helping users to find vulnerable spots in
their workspace.

Updated Status Report:
We changed and simplified the status report design.

Redesign of the hosts list:
Now you can add and remove columns, plus see and filter by hostnames
and services:

Small improvements that make your day:

-Now you can import results from your scans directly on our Web UI:

Here’s an example of the new API:
curl '' -H 'Content-Type: multipart/form-data' \
  -H 'Cookie: AuthSession=[COOKIE]; session=[COOKIE];' \
  --data-binary $'[FILE BINARY DATA]' --compressed

Dramatic performance upgrades.
-Simplification of the model we used. Say "adios" to the interface object.
-Access to the server using “/” instead of /_ui/ .
-Ability to edit the names of workspaces.

New Plugins:
-HP WebInspect

Full List of Changes:
-Allow faraday-server to have multiple instances
-Add hostname to host
-Interface removed from model and from persistence server lib (fplugin)
-Performance improvements on the backend
-Add quick change workspace name (from all views)
-Allow user to change workspace
-New faraday styles in all Webui views
-Add search by id for vulnerabilities
-Add new plugin Sslyze
-Add new plugin Wfuzz
-Add xsssniper plugin
-Fix W3af, Zap plugins
-Add Brutexss plugin
-Allow to upload report file from external tools from the web
-Fix sshcheck import file from GTK
-Add reconng plugin
-Add sublist3r plugin
-Add HP Webinspect plugin
-Add dirsearch plugin
-Add ip360 plugin
-CouchDB was replaced by PostgreSQL :)
-Host object changed, now the name property is called ip
-Interface object was removed
-Note object was removed and replaced with Comment
-Communication object was removed and replaced with Comment
-Show credentials count in summarized report on the dashboard
-Remove vuln template CWE fields, join it with references
-Allow to search hosts by hostname, os and service name
-Allow the user to specify the desired fields of the host list table
-Add optional hostnames, services, MAC and description fields to the host list
-Workspace names can be changed from the Web UI
-Changed the scope field of a workspace from a free text input to a
list of targets
-Exploitation and severity fields only allow certain values.
-CWE CVEs were fixed to be valid. A script to convert custom CSVs was added.
-Web UI path changed from /ui/ to / (ui has now a redirection to / for
keeping backwards compatibility)
-dirb plugin should create a vulnerability type information instead of a note.
-Add confirmed column to exported CSV from Webui
-Fixes in Arachni plugin
-Add new parameters --keep-old and --keep-new for faraday CLI
-Add new screenshot fplugin which takes a screenshot of the ip:ports
of a given protocol
-Add fix for Netsparker regular and cloud fix on severity
-Admin users can list and access all workspaces, even if they don't
have permissions
-Removed Chat feature (data is kept inside notes)
-Plugin reports now can be imported in the server, from the Web UI
-Add CVSS score to reference field in Nessus plugin.
-Fix unicode characters bug in Netsparker plugin.
-Fix Qualys plugin.
-Fix bugs with MACOS and GTK.
-Add response field added to model in grouped report template.
-Add tooltip in WebUi with information about errors in executive report.
-Ldap now login is with, not user only anymore.
-Fix Jira bugs in WebUi

We hope you enjoy it, and let us know if you have any questions or comments.

Sent through the Full Disclosure mailing list