Tasos Laskos · 31a75715
--- a/guides/user/Command-line-user-interface.md
+++ b/guides/user/Command-line-user-interface.md
@@ -64,12 +64,15 @@ in the [knowledge base](http://support.arachni-scanner.com/kb/).

 [Command Line Interface help output](#cli_help_output)

-* [General](#general)
+* [Generic](#generic)
    * [Version (--version)](#version)
-    * [Verbosity (-v)](#verbosity)
-        * [Example](#verbosity_example)
-    * [Debug mode (--debug)](#debug)
+    * [Authorized by (--authorized-by)](#authorized-by)
+* [Output](#output)
+    * [Verbose (--verbose)](#verbose)
+        * [Example](#verbose_example)
+    * [Debug (--debug)](#debug)
    * [Only positives (--only-positives)](#only-positives)
+* [HTTP](#http)
    * [HTTP request limit (--http-req-limit)](#http-req-limit)
    * [HTTP request queue size (--http-queue-size)](#http-queue-size)
    * [HTTP request timeout (--http-timeout)](#http-timeout)
@@ -79,8 +82,6 @@ in the [knowledge base](http://support.arachni-scanner.com/kb/).
    * [User agent (--user-agent)](#user-agent)
    * [Custom header (--custom-header)](#custom-header)
        * [Example](#custom-header_example)
-    * [Authorized by (--authed-by)](#authed-by)
-        * [Example](#authed-by_example)
    * [Login check URL (--login-check-url)](#login-check-url)
    * [Login check pattern (--login-check-pattern)](#login-check-pattern)
 * [Profiles](#profiles)
@@ -90,7 +91,7 @@ in the [knowledge base](http://support.arachni-scanner.com/kb/).
        * [Example](#load-profile_example)
    * [Show profile (--show-profile)](#show-profile)
        * [Example](#show-profile_example)
-* [Crawler](#crawler)
+* [Scope](#scope)
    * [Exclude (--exclude/-e)](#exclude)
        * [Example](#exclude_example)
    * [Exclude page by content (--exclude-page)](#exclude-page)
@@ -143,7 +144,7 @@ in the [knowledge base](http://support.arachni-scanner.com/kb/).
    * [Proxy authentication (--proxy-auth)](#proxy-auth)
    * [Proxy type (--proxy-type)](#proxy-type)

-<h2 id='general'><a href='#general'>General</a></h2>
+<h2 id='generic'><a href='#generic'>Generic</a></h2>

 <h3 id='version'><a href='#version'>Version (--version)</a></h3>

@@ -153,32 +154,43 @@ in the [knowledge base](http://support.arachni-scanner.com/kb/).

 **Multiple invocations?**: `no`

-
 Outputs the Arachni banner and version information.

-<h3 id='verbosity'><a href='#verbosity'>Verbosity (-v)</a></h3>
+<h3 id='authorized-by'><a href='#authorized-by'>Authorized by (--authorized-by)</a></h3>

-**Expects**: `<n/a>`
+**Expects**: `string`

 **Default**: `disabled`

 **Multiple invocations?**: `no`

+The string passed to this option will be used as the value for the `From` HTTP reuest header field.
+The option value should be the e-mail address of the person who authorized the scan.
+
+<h2 id='output'><a href='#output'>Output</a></h2>
+
+<h3 id='verbose'><a href='#verbose'>Verbose (--verbose)</a></h3>
+
+**Expects**: `<n/a>`
+
+**Default**: `disabled`
+
+**Multiple invocations?**: `no`

-When verbosity is enabled Arachni will give you detailed information about what's going on during the whole process.
+When verbose messages are enabled, Arachni will give you detailed information about what's going on during the whole process.

-<h4 id='verbosity_example'><a href='#verbosity_example'>Example</a></h4>
+<h4 id='verbose_example'><a href='#verbose_example'>Example</a></h4>

 Let's give this a try:

-    arachni --audit-forms --modules=xss http://testfire.net/ --link-count=1
+    arachni --audit-forms --checks=xss http://testfire.net/ --scope-page-limit=1


-This will load the XSS module and audit all the forms in "http://testfire.net/".
+This will load the XSS checks and audit all the forms in `http://testfire.net/`.

 **Verbose mode disabled**

-Observe that there's no `-v` flag in the following run.
+Observe that there's no `--verbose` flag in the previous run.

 _Don't worry about the rest of the parameters right now._

@@ -188,16 +200,15 @@ Arachni's output messages are classified into several categories, each of them p

 * `[*]` are status messages.
 * `[~]` are informational messages.
-* `[+]` are "ok" messages - positive matches.
+* `[+]` are sucess messages.
 * `[v]` are verbose messages.
 * `[!]` are debug messages.
 * `[-]` are error messages.

 _I won't bother with coloring during the examples._

-
 ```
-Arachni - Web Application Security Scanner Framework v0.4.2
+Arachni - Web Application Security Scanner Framework v1.0
   Author: Tasos "Zapotek" Laskos <[email protected]>

           (With the support of the community and the Arachni Team.)
@@ -206,44 +217,43 @@ Arachni - Web Application Security Scanner Framework v0.4.2
   Documentation: http://arachni-scanner.com/wiki


- [*] Initialising...
+ [*] Initializing...
 [*] Waiting for plugins to settle...
- [*] [HTTP: 200] http://testfire.net/
- [*] Harvesting HTTP responses...
- [~] Depending on server responsiveness and network conditions this may take a while.
+ [*] BrowserCluster: Initializing 6 browsers...
+ [*] BrowserCluster: Initialization completed with 6 browsers in the pool.

- [*] Auditing: [HTTP: 200] http://testfire.net/
- [*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
- [*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
- [*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
- [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
- [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
- [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
+ [*] [HTTP: 200] http://testfire.net/
+ [~] Identified as: windows, iis, asp, aspx
+ [~] Analysis resulted in 0 usable paths.
+ [~] DOM depth: 0 (Limit: 10)
+ [*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
+ [*] XSS: Submitting form with original values for txtSearch at 'http://testfire.net/search.aspx'.
+ [*] XSS: Submitting form with sample values for txtSearch at 'http://testfire.net/search.aspx'.
+ [*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
+ [*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
 [*] Harvesting HTTP responses...
 [~] Depending on server responsiveness and network conditions this may take a while.
- [*] Profiler: Analyzing response #3...
- [~] Trainer: Found 1 new links.
- [*] Profiler: Analyzing response #4...
- [*] Profiler: Analyzing response #5...
+ [*] XSS: Analyzing response #2...
+ [~] XSS: Response is tainted, looking for proof of vulnerability.
+ [+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
+ [*] XSS: Analyzing response #3...
+ [*] XSS: Analyzing response #4...
+ [*] XSS: Analyzing response #5...
+ [~] XSS: Response is tainted, looking for proof of vulnerability.
+ [+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
 [*] XSS: Analyzing response #6...
- [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
- [*] XSS: Analyzing response #7...
- [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
- [*] XSS: Analyzing response #8...
- [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
+ [~] XSS: Response is tainted, looking for proof of vulnerability.
+ [+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
 ```
 **Verbose mode enabled**

-See the extra information in this example.
+Observe the extra information in this run.

 `[v]` messages are verbose messages.

-In this case the verbose messages give information about the inputs that discovered the XSS vulnerability.
-
-
 ```
-$ arachni -v --audit-forms --modules=xss http://testfire.net/ --link-count=1
-Arachni - Web Application Security Scanner Framework v0.4.2
+$ arachni --audit-forms --checks=xss http://testfire.net/ --scope-page-limit=1 --verbose
+Arachni - Web Application Security Scanner Framework v1.0
   Author: Tasos "Zapotek" Laskos <[email protected]>

           (With the support of the community and the Arachni Team.)
@@ -252,37 +262,69 @@ Arachni - Web Application Security Scanner Framework v0.4.2
   Documentation: http://arachni-scanner.com/wiki


- [*] Initialising...
+ [*] Initializing...
 [*] Waiting for plugins to settle...
- [*] [HTTP: 200] http://testfire.net/
- [*] Harvesting HTTP responses...
- [~] Depending on server responsiveness and network conditions this may take a while.
+ [*] BrowserCluster: Initializing 6 browsers...
+ [*] BrowserCluster: Initialization completed with 6 browsers in the pool.

- [*] Auditing: [HTTP: 200] http://testfire.net/
- [*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
- [*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
- [*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
- [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
- [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
- [*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
+ [*] [HTTP: 200] http://testfire.net/
+ [~] Identified as: windows, iis, asp, aspx
+ [~] Analysis resulted in 0 usable paths.
+ [~] DOM depth: 0 (Limit: 10)
+ [*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
+ [v] XSS: --> With: "<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>" -> "arachni_text<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>"
+ [*] XSS: Submitting form with original values for txtSearch at 'http://testfire.net/search.aspx'.
+ [v] XSS: --> With: nil -> ""
+ [*] XSS: Submitting form with sample values for txtSearch at 'http://testfire.net/search.aspx'.
+ [v] XSS: --> With: nil -> ""
+ [*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
+ [v] XSS: --> With: "()\"&%1'-;<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>'" -> "arachni_text()\"&%1'-;<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>'"
+ [*] XSS: Auditing form input 'txtSearch' pointing to: 'http://testfire.net/search.aspx'
+ [v] XSS: --> With: "--><some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/><!--" -> "arachni_text--><some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/><!--"
 [*] Harvesting HTTP responses...
 [~] Depending on server responsiveness and network conditions this may take a while.
- [*] Profiler: Analyzing response #3...
- [~] Trainer: Found 1 new links.
- [*] Profiler: Analyzing response #4...
- [*] Profiler: Analyzing response #5...
+ [*] XSS: Analyzing response #2...
+ [~] XSS: Response is tainted, looking for proof of vulnerability.
+ [+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
+ [v] XSS: Injected:  "arachni_text<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>"
+ [v] XSS: Proof:     <some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>
+ [v] XSS: Request:
+GET /search.aspx?txtSearch=arachni_text%3Csome_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714%2F%3E HTTP/1.1
+Host: testfire.net
+Accept-Encoding: gzip, deflate
+User-Agent: Arachni/v1.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Cookie: ASP.NET_SessionId=e4h4wy45jmb5vkrg0wl1rj45;amSessionId=15420499882
+
+
+ [*] XSS: Analyzing response #3...
+ [*] XSS: Analyzing response #4...
 [*] XSS: Analyzing response #6...
- [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
- [v] XSS: Injected string:  <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
- [v] XSS: Verified string:  <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
- [*] XSS: Analyzing response #7...
- [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
- [v] XSS: Injected string:  '-;<some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
- [v] XSS: Verified string:  '-;<some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
- [*] XSS: Analyzing response #8...
- [+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
- [v] XSS: Injected string:  --> <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/> <!--
- [v] XSS: Verified string:  --> <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/> <!--
+ [~] XSS: Response is tainted, looking for proof of vulnerability.
+ [+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
+ [v] XSS: Injected:  "arachni_text--><some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/><!--"
+ [v] XSS: Proof:     <some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>
+ [v] XSS: Request:
+GET /search.aspx?txtSearch=arachni_text--%3E%3Csome_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714%2F%3E%3C%21-- HTTP/1.1
+Host: testfire.net
+Accept-Encoding: gzip, deflate
+User-Agent: Arachni/v1.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Cookie: ASP.NET_SessionId=e4h4wy45jmb5vkrg0wl1rj45;amSessionId=15420499882
+
+
+ [*] XSS: Analyzing response #5...
+ [~] XSS: Response is tainted, looking for proof of vulnerability.
+ [+] XSS: In form input 'txtSearch' with action http://testfire.net/search.aspx
+ [v] XSS: Injected:  "arachni_text()\"&%1'-;<some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>'"
+ [v] XSS: Proof:     <some_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714/>
+ [v] XSS: Request:
+GET /search.aspx?txtSearch=arachni_text%28%29%22%26%251%27-%3B%3Csome_dangerous_input_b2816f222dd9fce0ce8f0cda12aaf714%2F%3E%27 HTTP/1.1
+Host: testfire.net
+Accept-Encoding: gzip, deflate
+User-Agent: Arachni/v1.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Cookie: ASP.NET_SessionId=e4h4wy45jmb5vkrg0wl1rj45;amSessionId=15420499882
 ```


@@ -414,6 +456,8 @@ $ cat debug.log

 This will suppress all messages except for positive matches -- vulnerabilities.

+<h2 id='http'><a href='#http'>HTTP</a></h2>
+
 <h3 id='http-req-limit'><a href='#http-req-limit'>HTTP request limit (--http-req-limit)</a></h3>

 **Expects**: `integer`
@@ -528,25 +572,6 @@ Allows you to specify custom headers in the form of key-value pairs.
    --custom-header='field_name=field value'


-<h3 id='authed-by'><a href='#authed-by'>Authorized by (--authed-by)</a></h3>
-
-**Expects**: `string`
-
-**Default**: `disabled`
-
-**Multiple invocations?**: `no`
-
-
-The string passed to this option will be included in the user-agent string and be the value of the _From_ HTTP header field.
-
-The `--authed-by` value should contain information about the person who authorized the scan, his name and e-mail.
-
-<h4 id='authed-by_example'><a href='#authed-by_example'>Example</a></h4>
-
-
-    --authed-by='John Doe <[email protected]>'
-
-
 <h3 id='login-check-url'><a href='#login-check-url'>Login check URL (--login-check-url)</a></h3>

 **Expects**: `string`