Arachni / arachni

Web Application Security Scanner Framework
http://www.arachni-scanner.com

--plugin=proxy not detecting FORM #135

Closed ChrisJohnRiley closed 12 years ago

ChrisJohnRiley commented 12 years ago

I'm trying to use the proxy plugin to restrict Arachni to specific resources using the following command:

    arachni http://192.168.29.131 --mods=,-common --link-count=0 --depth=0 --redirect-limit=0 --report=html:outfile=my_html_report_repeat_low_proxy.html --plugin=proxy:port=8282,bind_address=127.0.0.1

However, in testing with DVWA, the proxy doesn't seem to pick up the presence of a FORM on the page.

Example Output:

    Arachni - Web Application Security Scanner Framework v0.4.1 [0.2.5]
    Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> <zapotek@segfault.gr>
    (With the support of the community and the Arachni Team.)

       Website:       http://arachni.segfault.gr - http://github.com/Zapotek/arachni
       Documentation: http://github.com/Zapotek/arachni/wiki

    [~] No audit options were specified.
    [~] -> Will audit links, forms and cookies.
    /usr/lib/ruby/site_ruby/1.9.1/rubygems/customrequire.rb:36:in `require': iconv will be deprecated in the future, use String#encode instead.
    [*] Initing...
    [*] Waiting for plugins to settle...
    [~] Proxy: System paused.
    [*] Proxy: Listening on: http://127.0.0.1:8282
    [*] Proxy: Shutdown URL: http://arachni.proxy.shutdown/
    [~] Proxy: The scan will resume once you visit the shutdown URL.
    [*] Proxy: Requesting: http://192.168.29.131/login.php
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [_] Proxy: Requesting: http://192.168.29.131/dvwa/images/login_logo.png
    [*] Proxy: Requesting: http://192.168.29.131/dvwa/css/login.css
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [*] Proxy: Requesting: http://192.168.29.131/login.php
    [~] Proxy: * 1 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [*] Proxy: Requesting: http://192.168.29.131/index.php
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [*] Proxy: Requesting: http://192.168.29.131/vulnerabilities/sqli/
    [*] Proxy: Requesting: http://192.168.29.131/vulnerabilities/sqli/
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [*] Proxy: Requesting: http://192.168.29.131/vulnerabilities/sqli/?id=1&Submit=Submit
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies

The http://192.168.29.131/vulnerabilities/sqli/ resource has a form present, but when loading the page through the proxy it doesn't pick it up. Even when you submit a value to the form through the proxy it still doesn't detect it (`[~] Proxy: * 0 forms`). The login.php form is, however, detected (`[~] Proxy: * 1 forms`). Could this be because the form is only a single entry field?

source-code snippet:

    <form action="#" method="GET">
        <input type="text" name="id">
        <input type="submit" name="Submit" value="Submit">
    </form>

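As an added illustration (not part of the original report and not Arachni's own code), a minimal Python form extractor run over the DVWA snippet quoted above: it shows that a single text field plus a submit button is a complete GET form, and that an `action="#"` has to be resolved against the page URL rather than treated as an empty target. The page URL and HTML are the ones from the report; the parser is a stand-in for whatever the proxy plugin does internally.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed input: the DVWA form fragment quoted in the report, served at
# the URL for which the proxy logged "* 0 forms".
PAGE_URL = "http://192.168.29.131/vulnerabilities/sqli/"
PAGE_HTML = """<form action="#" method="GET">
    <input type="text" name="id">
    <input type="submit" name="Submit" value="Submit">
</form>"""


class FormExtractor(HTMLParser):
    """Collects each <form> with its resolved action, method and named inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._current = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # action="#" (or no action) means "submit back to this page", so it
            # must be resolved against the page URL, not treated as empty.
            action = a.get("action") or ""
            self._current = {
                "action": urljoin(self.page_url, "" if action == "#" else action),
                "method": (a.get("method") or "GET").upper(),
                "inputs": {},
            }
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):  # unnamed controls are never submitted
                self._current["inputs"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract_forms(page_url, html):
    """Return the forms in `html`; len() of the result is the '* N forms' count."""
    parser = FormExtractor(page_url)
    parser.feed(html)
    parser.close()
    return parser.forms
```

A page with this fragment should therefore count as one GET form with inputs `id` and `Submit`, targeting the page's own URL.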
Zapotek commented 12 years ago

It also misses the cookies... Looking into it.

ChrisJohnRiley commented 12 years ago

Out of interest, is this the correct way to limit Arachni to only scan what you specifically visited in the browser (--link-count=0 --depth=0 --redirect-limit=0) or is there some more intelligent method? #OneOfTHOSEDays

Zapotek commented 12 years ago

--link-count=0 would suffice.

Zapotek commented 12 years ago

One of those things for one of those days...Embarrassing...

ChrisJohnRiley commented 12 years ago

Did another 'git pull' this end and am getting pretty much the same output.

    arachni http://192.168.29.131 --mods=,-common --link-count=0 --report=html:outfile=my_html_report_repeat_low_proxy.html --plugin=proxy:port=8282,bind_address=127.0.0.1

    [~] No audit options were specified.
    [~] -> Will audit links, forms and cookies.
    /usr/lib/ruby/site_ruby/1.9.1/rubygems/customrequire.rb:36:in `require': iconv will be deprecated in the future, use String#encode instead.
    [*] Initing...
    [*] Waiting for plugins to settle...
    [~] Proxy: System paused.
    [*] Proxy: Listening on: http://127.0.0.1:8282
    [*] Proxy: Shutdown URL: http://arachni.proxy.shutdown/
    [~] Proxy: The scan will resume once you visit the shutdown URL.
    [*] Proxy: Requesting: http://192.168.29.131/login.php
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [*] Proxy: Requesting: http://192.168.29.131/login.php
    [~] Proxy: * 1 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [*] Proxy: Requesting: http://192.168.29.131/index.php
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [*] Proxy: Requesting: http://192.168.29.131/vulnerabilities/sqli/
    [*] Proxy: Requesting: http://192.168.29.131/vulnerabilities/sqli/
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [_] Proxy: Requesting: http://192.168.29.131/vulnerabilities/sqli/?id=1&Submit=Submit
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies

It picks up the Login.php only after you fill it out and submit it. Doesn't seem to show the cookie it's set. Again, no change on the SQLi page (form not detected even after submitting it).

Zapotek commented 12 years ago

Not sure on which branch you're on but switch to both master and experimental and pull from both.

ChrisJohnRiley commented 12 years ago

Did a pull on both, made sure Cookies were cleared, still seeing the same this end. Sorry.

    ~/arachni git checkout master && git pull
    Switched to branch 'master'
    Already up-to-date.

    ~/arachni git checkout experimental && git pull
    Switched to branch 'experimental'
    Already up-to-date.

    ~/arachni arachni http://192.168.29.131 --mods=,-common --link-count=0 --report=html:outfile=my_html_report_repeat_low_proxy.html --plugin=proxy:port=8282,bind_address=127.0.0.1
    Arachni - Web Application Security Scanner Framework v0.4.1 [0.2.5]
    Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com> <zapotek@segfault.gr>
    (With the support of the community and the Arachni Team.)

       Website:       http://arachni.segfault.gr - http://github.com/Zapotek/arachni
       Documentation: http://github.com/Zapotek/arachni/wiki

    [~] No audit options were specified.
    [~] -> Will audit links, forms and cookies.
    /usr/lib/ruby/site_ruby/1.9.1/rubygems/customrequire.rb:36:in `require': iconv will be deprecated in the future, use String#encode instead.
    [*] Initing...
    [*] Waiting for plugins to settle...
    [~] Proxy: System paused.
    [*] Proxy: Listening on: http://127.0.0.1:8282
    [*] Proxy: Shutdown URL: http://arachni.proxy.shutdown/
    [~] Proxy: The scan will resume once you visit the shutdown URL.
    [*] Proxy: Requesting: http://192.168.29.131/login.php
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [*] Proxy: Requesting: http://192.168.29.131/login.php
    [~] Proxy: * 1 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [*] Proxy: Requesting: http://192.168.29.131/index.php
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [*] Proxy: Requesting: http://192.168.29.131/vulnerabilities/sqli/
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [*] Proxy: Requesting: http://192.168.29.131/vulnerabilities/sqli/
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies
    [_] Proxy: Requesting: http://192.168.29.131/vulnerabilities/sqli/?id=1&Submit=Submit
    [~] Proxy: * 0 forms
    [~] Proxy: * 0 links
    [~] Proxy: * 0 cookies

Zapotek commented 12 years ago

Just to make completely sure. Did you rake install after pulling in order to install the updated code?

You either need to rake install the code or run the arachni scripts from your local repo ./bin/arachni.

ChrisJohnRiley commented 12 years ago

Hangs his head in shame

Ok, so now it's picking up the Cookies when set, and the forms. However for some reason even with --link-count=0 and only login.php, index.php and /vulnerabilities/sqli/ visited through the proxy, it still checks /vulnerabilities/fi/ ??? Very odd

Zapotek commented 12 years ago

Something in the pages you visited must be pointing to 'fi/' in one way or another. Anyways, glad you got it working.

ChrisJohnRiley commented 12 years ago

Not that I can see... Used Burp to proxy every request (set up to forward all requests sent to http://127.0.0.1:8181 to the test web app on http://192.168.29.131:80).

Requests from the browser, through the Arachni proxy plugin, through Burp are only to /login.php, index.php, and vulnerabilities/sql (and favicon, css, etc.). Both index.php and sql have links that point to vulnerabilities/fi, but with --link-count=0 shouldn't that exclude them (plus, no other pages href'd from index.php are scanned)?

Can provide Burp output, or anything else you might need.. or we chalk it up to oddness and move on with our lives!