FvdL
commented
13 years ago Ok, I did not know I could use HTML here, so here are the suggestions again without HTML:
- only one input is used at a time, while in some cases (e.g. password and repeat password) it is required that both fields contain the same value, because only one input is used Arachni will miss an SQL injection if the password is inserted into the database unvalidated
- some sites place the content of headers like Referrer and User-agent on a page, this behavior is vulnerable to XSS that is not detected by Arachni
- when the content of an input is used in a link (e.g. a href="index.php?page=XSS-test_here...) or as value in a text field (e.g. input type="text" value="XSS-test_here"...) this is detected as an XSS vulnerability while it is in fact harmless, it should be checked where the content of the input is and if it is parsed by the browser
- related to the above suggestion, if the input is preceded by "> any HTML-tag the input may be present in will be closed, "ensuring" the text does not appear in a tag and is thus parsed by the browser (it should still be checked if the text is in a tag, because if the web application escapes or removes quotes, or replaces them by HTML entities this does not work).
- Arachni tests for SQL injection by entering '--;' in an input, however this does not result in an SQL injection for all SQL servers (e.g. the SQL server used by WebGoat, I'm not sure which server this is exactly but it is some java SQL server that can be used with the tomcat webserver)
Zapotek
Hi,
I wrote my master's thesis on penetration testing tools/vulnerability scanners and I noticed some problems with Arachni (version 0.2.1 64bit) that cause false positives and false negatives. Unfortunately, I don't have the time nor the Ruby skills required to fix these myself, or I would have sent a patch.