Closed bgerardw closed 7 years ago
I ran
./arachni http://zero.webappsecurity.com/ --http-response-max-size=5000000000000
got
2017-04-03 16:36:12 +0100 --------------------------------------------------------------------------------
ENV:
---
CPLUS_INCLUDE_PATH: "/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/usr/include"
XDG_VTNR: '7'
MANPATH: "/home/brian/Projects/arachni-2.0dev-1.0dev/system/gems/gems/kramdown-1.4.1/man:/home/brian/.nvm/versions/node/v5.5.0/share/man:/usr/local/man:/usr/local/share/man:/usr/share/man:/home/brian/.rvm/man"
XDG_SESSION_ID: c2
CLUTTER_IM_MODULE: xim
VIRTUALENVWRAPPER_SCRIPT: "/usr/local/bin/virtualenvwrapper.sh"
VIRTUALENVWRAPPER_PROJECT_FILENAME: ".project"
XDG_GREETER_DATA_DIR: "/var/lib/lightdm-data/brian"
rvm_bin_path: "/home/brian/.rvm/bin"
GPG_AGENT_INFO: "/home/brian/.gnupg/S.gpg-agent:0:1"
NVM_CD_FLAGS: ''
GEM_HOME: "/home/brian/Projects/arachni-2.0dev-1.0dev/system/gems"
SHELL: "/bin/bash"
VTE_VERSION: '4205'
TERM: xterm-256color
IRBRC: "/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/usr/lib/ruby/.irbrc"
LIBRARY_PATH: "/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/usr/lib:/usr/lib:/usr/local/lib"
QT_LINUX_ACCESSIBILITY_ALWAYS_ON: '1'
NVM_PATH: "/home/brian/.nvm/versions/node/v5.5.0/lib/node"
WINDOWID: '72078983'
GNOME_KEYRING_CONTROL: ''
UPSTART_SESSION: unix:abstract=/com/ubuntu/upstart-session/1000/3520
MY_RUBY_HOME: "/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/usr/lib/ruby"
GTK_MODULES: gail:atk-bridge:unity-gtk-module
USER: brian
NVM_DIR: "/home/brian/.nvm"
LD_LIBRARY_PATH: "/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/usr/lib:/usr/lib:/usr/local/lib"
QT_ACCESSIBILITY: '1'
LS_COLORS: 'rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:'
_system_type: Linux
XDG_SESSION_PATH: "/org/freedesktop/DisplayManager/Session0"
XDG_SEAT_PATH: "/org/freedesktop/DisplayManager/Seat0"
rvm_path: "/home/brian/.rvm"
SSH_AUTH_SOCK: "/run/user/1000/keyring/ssh"
DEFAULTS_PATH: "/usr/share/gconf/ubuntu.default.path"
WORKON_HOME: "/home/brian/.virtualenvs"
XDG_CONFIG_DIRS: "/etc/xdg/xdg-ubuntu:/usr/share/upstart/xdg:/etc/xdg"
PROJECT_HOME: "/home/brian/Devel"
rvm_prefix: "/home/brian"
FONTCONFIG_PATH: "/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/home/arachni/.fonts"
PATH: "/home/brian/Projects/arachni-2.0dev-1.0dev/system/gems/bin:/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/../bin:/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/usr/bin:/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/gems/bin:/home/brian/.rvm/gems/ruby-2.3.0/bin:/home/brian/.rvm/gems/ruby-2.3.0@global/bin:/home/brian/.rvm/rubies/ruby-2.3.0/bin:/home/brian/.nvm/versions/node/v5.5.0/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/home/brian/.rvm/bin:PATH=/home/brian/.nvm/versions/node/v5.5.0/bin/"
DESKTOP_SESSION: ubuntu
QT_QPA_PLATFORMTHEME: appmenu-qt5
VIRTUALENVWRAPPER_HOOK_DIR: "/home/brian/.virtualenvs"
QT_IM_MODULE: ibus
C_INCLUDE_PATH: "/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/usr/include"
NVM_NODEJS_ORG_MIRROR: https://nodejs.org/dist
JOB: gnome-session
PWD: "/home/brian/Projects/arachni-2.0dev-1.0dev/bin"
XDG_SESSION_TYPE: x11
XMODIFIERS: "@im=ibus"
ARACHNI_WEBUI_LOGDIR: "/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/logs/webui"
LANG: en_IE.UTF-8
GNOME_KEYRING_PID: ''
MANDATORY_PATH: "/usr/share/gconf/ubuntu.mandatory.path"
GDM_LANG: en_US
ARACHNI_FRAMEWORK_LOGDIR: "/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/logs/framework"
IM_CONFIG_PHASE: '1'
COMPIZ_CONFIG_PROFILE: ubuntu
_system_arch: x86_64
_system_version: '16.04'
GDMSESSION: ubuntu
GTK2_MODULES: overlay-scrollbar
SESSIONTYPE: gnome-session
rvm_version: 1.27.0 (latest)
XDG_SEAT: seat0
HOME: "/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/home/arachni"
SHLVL: '1'
LANGUAGE: en_IE:en
RAILS_ENV: production
GNOME_DESKTOP_SESSION_ID: this-is-deprecated
UPSTART_INSTANCE: ''
LOGNAME: brian
XDG_SESSION_DESKTOP: ubuntu
UPSTART_EVENTS: started starting
QT4_IM_MODULE: xim
XDG_DATA_DIRS: "/usr/share/ubuntu:/usr/share/gnome:/usr/local/share/:/usr/share/:/var/lib/snapd/desktop"
DBUS_SESSION_BUS_ADDRESS: unix:abstract=/tmp/dbus-qTgdNUjIwk
GEM_PATH: "/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/gems"
LESSOPEN: "| /usr/bin/lesspipe %s"
NVM_BIN: "/home/brian/.nvm/versions/node/v5.5.0/bin"
VIRTUALENVWRAPPER_WORKON_CD: '1'
NVM_IOJS_ORG_MIRROR: https://iojs.org/dist
UPSTART_JOB: unity-settings-daemon
INSTANCE: Unity
DISPLAY: ":0"
XDG_RUNTIME_DIR: "/run/user/1000"
GTK_IM_MODULE: ibus
XDG_CURRENT_DESKTOP: Unity
RUBYLIB: "/home/brian/Projects/arachni-2.0dev-1.0dev/system/gems/gems/bundler-1.14.6/lib:/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/usr/lib/ruby:/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/usr/lib/ruby/site_ruby/2.2.0:/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/usr/lib/ruby/2.2.0:/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/usr/lib/ruby/2.2.0/x86_64-linux:/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/usr/lib/ruby/site_ruby/2.2.0/x86_64-linux"
LESSCLOSE: "/usr/bin/lesspipe %s %s"
RUBY_VERSION: ruby-2.2.3
_system_name: Ubuntu
XAUTHORITY: "/home/brian/.Xauthority"
BUNDLE_GEMFILE: "/home/brian/Projects/arachni-2.0dev-1.0dev/system/arachni-ui-web/Gemfile"
BUNDLER_ORIG_PATH: "/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/../bin:/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/usr/bin:/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/gems/bin:/home/brian/.rvm/gems/ruby-2.3.0/bin:/home/brian/.rvm/gems/ruby-2.3.0@global/bin:/home/brian/.rvm/rubies/ruby-2.3.0/bin:/home/brian/.nvm/versions/node/v5.5.0/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/home/brian/.rvm/bin:/snap/bin:/home/brian/.rvm/bin:PATH=/home/brian/.nvm/versions/node/v5.5.0/bin/:/home/brian/.rvm/bin"
BUNDLER_ORIG_GEM_PATH: "/home/brian/Projects/arachni-2.0dev-1.0dev/bin/../system/gems"
BUNDLE_BIN_PATH: "/home/brian/Projects/arachni-2.0dev-1.0dev/system/gems/gems/bundler-1.14.6/exe/bundle"
BUNDLER_VERSION: 1.14.6
RUBYOPT: "-rbundler/setup"
BUNDLER_ORIG_MANPATH: "/home/brian/.nvm/versions/node/v5.5.0/share/man:/usr/local/man:/usr/local/share/man:/usr/share/man:/home/brian/.rvm/man"
--------------------------------------------------------------------------------
OPTIONS:
---
scope:
redundant_path_patterns: {}
dom_depth_limit: 5
exclude_file_extensions: []
exclude_path_patterns: []
exclude_content_patterns: []
include_path_patterns: []
restrict_paths: []
extend_paths: []
url_rewrites: {}
input:
values: {}
default_values:
name: arachni_name
user: arachni_user
usr: arachni_user
pass: 5543!%arachni_secret
txt: arachni_text
num: '132'
amount: '100'
mail: arachni@email.gr
account: '12'
id: '1'
without_defaults: false
force: false
datastore:
report_path:
http:
user_agent: Arachni/v2.0dev
request_timeout: 10000
request_redirect_limit: 5
request_concurrency: 20
request_queue_size: 100
request_headers: {}
response_max_size: 5000000000000
cookies: {}
authentication_type: auto
audit:
parameter_values: true
exclude_vector_patterns: []
include_vector_patterns: []
link_templates: []
links: true
forms: true
cookies: true
ui_inputs: true
ui_forms: true
jsons: true
xmls: true
browser_cluster:
local_storage: {}
wait_for_elements: {}
pool_size: 6
job_timeout: 10
worker_time_to_live: 100
ignore_images: false
screen_width: 1600
screen_height: 1200
session: {}
checks:
- insecure_cross_domain_policy_access
- allowed_methods
- common_admin_interfaces
- insecure_cross_domain_policy_headers
- backup_files
- xst
- backup_directories
- interesting_responses
- common_directories
- backdoors
- cookie_set_for_parent_domain
- x_frame_options
- private_ip
- password_autocomplete
- ssn
- insecure_cookies
- hsts
- html_objects
- mixed_resource
- emails
- form_upload
- http_only_cookies
- cvs_svn_users
- credit_card
- captcha
- unencrypted_password_forms
- insecure_cors_policy
- localstart_asp
- insecure_client_access_policy
- directory_listing
- webdav
- origin_spoof_access_restriction_bypass
- http_put
- htaccess_limit
- common_files
- path_traversal
- response_splitting
- unvalidated_redirect
- file_inclusion
- xss_dom
- code_injection_php_input_wrapper
- xss_dom_script_context
- xss_tag
- session_fixation
- sql_injection_differential
- xxe
- rfi
- xss
- csrf
- sql_injection
- no_sql_injection
- code_injection_timing
- os_cmd_injection_timing
- xss_script_context
- ldap_injection
- xss_event
- sql_injection_timing
- trainer
- unvalidated_redirect_dom
- no_sql_injection_differential
- source_code_disclosure
- xss_path
- xpath_injection
- os_cmd_injection
- code_injection
platforms: []
plugins: {}
no_fingerprinting: false
authorized_by:
url: http://zero.webappsecurity.com/
--------------------------------------------------------------------------------
[2017-04-03 16:36:12 +0100] [framework/parts/audit#audit_page:89] [HTTP: 200] http://zero.webappsecurity.com/search.html?searchTerm=
[2017-04-03 16:36:12 +0100] [framework/parts/audit#audit_page:90] [filesize_exceeded] Maximum file size exceeded
Looking at the site map generated, not all of the admin paths are scanned.
http://zero.webappsecurity.com/admin/ does appear.
I'm not getting any of that. Trying a full scan now, can you reproduce it when scanning just the page that presented the error?
No errors after a full scan either.
I will rescan that page alone. How many vulnerabilities did the full scan find?
19
I get the same.
However there are more on that app. For instance there are other issues.
This vector highlights a vulnerability.
http://zero.webappsecurity.com/faq.html;<video><source onerror="javascript:alert(9042)">
Also it does not seem to detect the following on the site map.
http://zero.webappsecurity.com/admin/users.html
http://zero.webappsecurity.com/admin/currencies.html
Hm, I hadn't considered Java apps that return an XSS in an error page triggered by ; in the path.
Also, I'll look into the missing paths and let you know.
The admin path is identified via a directory discovery check, not by crawling the application because there's no path to the admin page. Because of that, it's not included in the crawl but simply logged as an issue.
There are times where those findings would be crawled further but not in this case.
As for the max size error, I'm still not getting it.
I am pretty sure the max size error will vanish if I move to postgres. Do not worry about it.
Not really, the DB is only for the WebUI, the Framework doesn't use it for anything.
I ran ./arachni http://zero.webappsecurity.com/ --http-response-max-size=50000000000 on the latest nightly build just now.
It worked OK.
As an aside I tried to import the resulting scan and got the following error.
Report could not be imported because: [RangeError] 50000000000 is out of range for ActiveRecord::ConnectionAdapters::PostgreSQL::OID::Integer with limit 4
I ran it with a few less zeros and it finished and imported just fine.
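The RangeError above comes from writing a 50000000000 option value into a PostgreSQL integer column with limit 4, i.e. a signed 32-bit integer whose largest value is 2147483647. The following Ruby script is an added example, not Arachni's own code or its importer: it flattens an OPTIONS dump of the kind shown in the log (a constructed subset of the http section, using the values from this thread) into dotted option names and checks each integer value against an assumed column width before any import is attempted. The option names, the column widths in OPTION_COLUMN_LIMITS and the function names are assumptions made for the example; the real schema may differ.

```ruby
require 'yaml'

# Constructed sample, modelled on the OPTIONS dump in the issue log (http section only).
SAMPLE_OPTIONS_YAML = <<~YAML
  http:
    request_timeout: 10000
    request_concurrency: 20
    response_max_size: 50000000000
YAML

# Assumed column widths (ActiveRecord "limit" in bytes) for the integer options
# a report importer would persist; limit 4 is what the RangeError reported.
OPTION_COLUMN_LIMITS = {
  'http.response_max_size'   => 4,
  'http.request_timeout'     => 4,
  'http.request_concurrency' => 4
}.freeze

# Signed range of an integer column that is `limit_bytes` wide:
# limit 4 => -2**31 .. 2**31 - 1, limit 8 => -2**63 .. 2**63 - 1.
def signed_range_for_limit(limit_bytes)
  bits = limit_bytes * 8
  (-(2**(bits - 1)))..(2**(bits - 1) - 1)
end

# Turn the nested options hash into { 'section.option' => value }.
def flatten_options(hash, prefix = nil)
  hash.each_with_object({}) do |(key, value), flat|
    name = prefix ? "#{prefix}.#{key}" : key.to_s
    if value.is_a?(Hash)
      flat.merge!(flatten_options(value, name))
    else
      flat[name] = value
    end
  end
end

# Returns { option => [value, allowed_range] } for every integer option that
# would overflow its column; an empty hash means the values can be stored.
def out_of_range_options(options, column_limits = OPTION_COLUMN_LIMITS)
  options.each_with_object({}) do |(name, value), bad|
    limit = column_limits[name]
    next unless limit && value.is_a?(Integer)

    range = signed_range_for_limit(limit)
    bad[name] = [value, range] unless range.cover?(value)
  end
end

# Convenience: the largest value that still fits the column for an option.
def max_storable_value(name, column_limits = OPTION_COLUMN_LIMITS)
  signed_range_for_limit(column_limits.fetch(name)).max
end

if __FILE__ == $PROGRAM_NAME
  options = flatten_options(YAML.safe_load(SAMPLE_OPTIONS_YAML))
  bad = out_of_range_options(options)
  if bad.empty?
    puts 'all integer options fit their columns'
  else
    bad.each do |name, (value, range)|
      puts "#{name}=#{value} is outside #{range.min}..#{range.max}; " \
           "largest storable value is #{max_storable_value(name)}"
    end
  end
end
```

Running the script against the sample reports http.response_max_size as out of range and prints 2147483647 as the largest value that would still import, which matches the observation that a value with "a few less zeros" went through.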
I'll close the issue since it went away, but truthfully I'm not fully satisfied. That page didn't exceed even the default limit on my machine, something strange must be going on.
I'll keep an eye out.
I was using the ui to scan the site http://zero.webappsecurity.com/
The scan found 18 vulnerabilities and finished without any errors. I thought this was suspiciously low so I scanned it again with the CLI.
It then threw me an error.
I increased the max file size to 5 gigs and I got another fail.
Is the scan failing silently for the web interface when file size is not specified, or have I misconfigured something?
I find it strange that the CLI had an error when I had set it to 5 gigs.
The error log for that scan was