Arachni / arachni

Web Application Security Scanner Framework
http://www.arachni-scanner.com

Use OWASP Juice Shop as a benchmark application #801

Closed bkimminich closed 7 years ago

bkimminich commented 7 years ago

🕸 I just had Arachni scan the Heroku demo instance of OWASP Juice Shop in "fire & forget"-mode (i.e. default run with no prior config whatsoever) and this is the report:

[image: scan report screenshot]

📄 Arachni seems to have performed all kinds of XSS, SQL Injection and a myriad of other tests - but the report doesn't contain any of the real vulnerabilities. Even the XSS in the Search box and the SQLI in the Login screen were missed.

🕷 I have never used Arachni before, so there might be some mistakes on my end. This is why I'd like to encourage you to try running it on OWASP Juice Shop yourself and see what you missed. You can find a file with expected keywords in a scanner report for all intended vulnerabilities here: https://github.com/bkimminich/juice-shop/blob/develop/__vulns.json.

🆘 Feel free to contact me with any questions about individual vulnerabilities or when there are problems setting up the application!

juice-shop.herokuapp.com 2016-11-21 11_54_07 +0100.afr.zip

Zapotek commented 7 years ago

I'll have a look at it when I get a chance, in the meantime can you please give the nightlies a try and see if that makes any difference?

bkimminich commented 7 years ago

Sure thing, will do! To avoid another 14-hour scan on Heroku: How can I run it against a local server (http://localhost:3000)? It fails for that as well as for http://127.0.0.1:3000 and http://127.0.0.2:3000 with the same error:

Loopback interfaces (like 127.0.0.1) are nor supported, please use a different IP address or hostname. (Arachni::Options::Error::ReservedHostname)

Zapotek commented 7 years ago

You can give the machine's hostname or the IP address of some other interface, like eth0 etc.

bkimminich commented 7 years ago

Here's the scan result of v2.0-dev:

[image: scan report screenshot]

Again did a fire-and-forget scan with the vanilla unpacked Arachni distribution. Didn't find any vulnerabilities either.

msi_gt70_bki 2016-11-21 22_53_43 +0100.zip

Zapotek commented 7 years ago

Sorry for the late reply, I'll have a look at this soon.

Cheers

Zapotek commented 7 years ago

The DOM XSS for the search field worked for me. As for the SQL injection, I was missing an error string which I've now added and currently testing.

Zapotek commented 7 years ago

I just spotted another issue: the JSON data from the login form wasn't being extracted because the form needs the submit button to be clicked, rather than having the submit event triggered (which is what the system was doing). I'll update it to click the button if there is one and fall back to triggering the submit event if not.
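
The distinction above matters to anyone writing or tuning a crawler: a single-page app often builds its JSON request body inside a click handler on the submit button, so firing the form's `submit` event never produces that request. The following is an added example written for this thread, not Arachni's or Juice Shop's code. It models the two driving strategies with Node's built-in `EventTarget`/`Event` (Node 15+) in place of a real DOM; the `Element` class, the `/rest/user/login` and `/login` URLs, and the field values are constructed stand-ins.

```javascript
// Added example (not Arachni's code): why triggering a form's "submit" event
// can miss request data that a page only assembles in the submit button's
// click handler, and how "click the button, fall back to submit" fixes it.
// Uses Node's global EventTarget/Event as a stand-in for DOM elements.

// Minimal constructed stand-in for a DOM element.
class Element extends EventTarget {
  constructor(tag) { super(); this.tag = tag; this.children = []; }
  append(child) { this.children.push(child); return child; }
  querySelector(tag) { return this.children.find(c => c.tag === tag) || null; }
}

// SPA-style login form (constructed): the JSON body is built inside the
// button's click handler, which also cancels the browser's default submission.
// `sink` stands in for the proxy that records what the browser sends.
function buildJsonLoginForm(sink) {
  const form = new Element('form');
  const button = form.append(new Element('button'));
  button.addEventListener('click', (e) => {
    e.preventDefault();
    sink.push({ url: '/rest/user/login',
                body: JSON.stringify({ email: 'a@b.c', password: 'x' }) });
  });
  return form;
}

// Classic form (constructed): a submit listener on the form itself sends
// url-encoded fields, so either strategy reaches it.
function buildClassicForm(sink) {
  const form = new Element('form');
  form.append(new Element('button'));
  form.addEventListener('submit', () => {
    sink.push({ url: '/login', body: 'email=a%40b.c&password=x' });
  });
  return form;
}

// Mimic a browser: clicking a submit button runs click handlers, then the
// default action (submitting the form) unless a handler prevented it.
function clickButton(form, button) {
  const click = new Event('click', { cancelable: true });
  button.dispatchEvent(click);
  if (!click.defaultPrevented) form.dispatchEvent(new Event('submit'));
}

// Old strategy described in the thread: only trigger the submit event.
function submitByEvent(form) {
  form.dispatchEvent(new Event('submit'));
}

// New strategy: click the submit button if present, else trigger submit.
function submitByClickOrEvent(form) {
  const button = form.querySelector('button');
  if (button) clickButton(form, button);
  else form.dispatchEvent(new Event('submit'));
}

// Drive one form with one strategy; return the request bodies captured.
function capture(buildForm, strategy) {
  const sink = [];
  strategy(buildForm(sink));
  return sink.map(r => r.body);
}

console.log('JSON form, submit event only  :', capture(buildJsonLoginForm, submitByEvent));
console.log('JSON form, click-or-submit    :', capture(buildJsonLoginForm, submitByClickOrEvent));
console.log('classic form, submit event    :', capture(buildClassicForm, submitByEvent));
console.log('classic form, click-or-submit :', capture(buildClassicForm, submitByClickOrEvent));
```

With the event-only strategy the JSON form yields no request at all, which is exactly the symptom of the login SQL injection being missed; the click-first strategy captures the JSON body while still reaching classic forms through the default submit action.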

Zapotek commented 7 years ago

SQL injection and XSS issues are now detected. The unvalidated redirect payloads miss your case but I'm updating them now.

Zapotek commented 7 years ago

Unvalidated redirect is now also being detected, I'm pushing nightlies so you can test it.

FYI, the improvements in coverage resulted in substantially increased workload, against the docker image of the test site the scan took almost 7 hours. I'll need to look into that because the average browser job took 14s, which shouldn't have happened in an intranet hosted site; from what I can tell so far some browser HTTP requests seemed to take an unusually long time to complete for some reason.

bkimminich commented 7 years ago

I suppose it's so slow because it is a single threaded application with one server instance only. Scanners overwhelmed it completely in the past several times, so I'm actually very happy it at least "survived" the scan! 😁

Zapotek commented 7 years ago

Not sure yet but I'll look into it just the same to be safe. Linux and OSX nightlies are up if you want to give it a try, Windows ones are uploading now.

wickett commented 6 years ago

Running arachni against juice shop and I don't see it picking up XSS in the search field. Is this working? I am using

Arachni - Web Application Security Scanner Framework v1.5.1