Arachni / arachni

Web Application Security Scanner Framework
http://www.arachni-scanner.com

--http-response-max-size keeps erroring #865

Closed bgerardw closed 7 years ago

bgerardw commented 7 years ago

I was using the UI to scan the site http://zero.webappsecurity.com/

The scan found 18 vulnerabilities and finished without any errors. I thought this was suspiciously low so I scanned it again with the CLI.

It then threw me an error.

[2017-04-03 15:50:05 +0100] [framework/parts/audit#audit_page:89] [HTTP: 200] http://zero.webappsecurity.com/search.html?searchTerm=
[2017-04-03 15:50:05 +0100] [framework/parts/audit#audit_page:90] [filesize_exceeded] Maximum file size exceeded

I increased the max file size to 5 gigs and I got another fail.

[2017-04-03 16:10:50 +0100] [framework/parts/audit#audit_page:89] [HTTP: 200] http://zero.webappsecurity.com/search.html?searchTerm=1
[2017-04-03 16:10:50 +0100] [framework/parts/audit#audit_page:90] [filesize_exceeded] Maximum file size exceeded

Is the scan failing silently for the web interface when file size is not specified, or have I misconfigured somewhere?

I find it strange that the CLI had an error when I had set it to 5 gigs.

./arachni http://zero.webappsecurity.com/ --http-response-max-size=50000000000

The error log for that scan was


2017-04-03 16:10:50 +0100 --------------------------------------------------------------------------------
OPTIONS:
---
scope:
  redundant_path_patterns: {}
  dom_depth_limit: 5
  exclude_file_extensions: []
  exclude_path_patterns: []
  exclude_content_patterns: []
  include_path_patterns: []
  restrict_paths: []
  extend_paths: []
  url_rewrites: {}
input:
  values: {}
  default_values:
    name: arachni_name
    user: arachni_user
    usr: arachni_user
    pass: 5543!%arachni_secret
    txt: arachni_text
    num: '132'
    amount: '100'
    mail: arachni@email.gr
    account: '12'
    id: '1'
  without_defaults: false
  force: false
datastore:
  report_path: 
http:
  user_agent: Arachni/v2.0dev
  request_timeout: 10000
  request_redirect_limit: 5
  request_concurrency: 20
  request_queue_size: 100
  request_headers: {}
  response_max_size: 5000000000
  cookies: {}
  authentication_type: auto
audit:
  parameter_values: true
  exclude_vector_patterns: []
  include_vector_patterns: []
  link_templates: []
  links: true
  forms: true
  cookies: true
  ui_inputs: true
  ui_forms: true
  jsons: true
  xmls: true
browser_cluster:
  local_storage: {}
  wait_for_elements: {}
  pool_size: 6
  job_timeout: 10
  worker_time_to_live: 100
  ignore_images: false
  screen_width: 1600
  screen_height: 1200
session: {}
checks:
- insecure_cross_domain_policy_access
- allowed_methods
- common_admin_interfaces
- insecure_cross_domain_policy_headers
- backup_files
- xst
- backup_directories
- interesting_responses
- common_directories
- backdoors
- cookie_set_for_parent_domain
- x_frame_options
- private_ip
- password_autocomplete
- ssn
- insecure_cookies
- hsts
- html_objects
- mixed_resource
- emails
- form_upload
- http_only_cookies
- cvs_svn_users
- credit_card
- captcha
- unencrypted_password_forms
- insecure_cors_policy
- localstart_asp
- insecure_client_access_policy
- directory_listing
- webdav
- origin_spoof_access_restriction_bypass
- http_put
- htaccess_limit
- common_files
- path_traversal
- response_splitting
- unvalidated_redirect
- file_inclusion
- xss_dom
- code_injection_php_input_wrapper
- xss_dom_script_context
- xss_tag
- session_fixation
- sql_injection_differential
- xxe
- rfi
- xss
- csrf
- sql_injection
- no_sql_injection
- code_injection_timing
- os_cmd_injection_timing
- xss_script_context
- ldap_injection
- xss_event
- sql_injection_timing
- trainer
- unvalidated_redirect_dom
- no_sql_injection_differential
- source_code_disclosure
- xss_path
- xpath_injection
- os_cmd_injection
- code_injection
platforms: []
plugins: {}
no_fingerprinting: false
authorized_by: 
url: http://zero.webappsecurity.com/
--------------------------------------------------------------------------------
[2017-04-03 16:10:50 +0100] [framework/parts/audit#audit_page:89] [HTTP: 200] http://zero.webappsecurity.com/search.html?searchTerm=1
[2017-04-03 16:10:50 +0100] [framework/parts/audit#audit_page:90] [filesize_exceeded] Maximum file size exceeded

bgerardw commented 7 years ago

I ran

./arachni http://zero.webappsecurity.com/ --http-response-max-size=5000000000000

got


2017-04-03 16:36:12 +0100 --------------------------------------------------------------------------------
OPTIONS:
---
scope:
  redundant_path_patterns: {}
  dom_depth_limit: 5
  exclude_file_extensions: []
  exclude_path_patterns: []
  exclude_content_patterns: []
  include_path_patterns: []
  restrict_paths: []
  extend_paths: []
  url_rewrites: {}
input:
  values: {}
  default_values:
    name: arachni_name
    user: arachni_user
    usr: arachni_user
    pass: 5543!%arachni_secret
    txt: arachni_text
    num: '132'
    amount: '100'
    mail: arachni@email.gr
    account: '12'
    id: '1'
  without_defaults: false
  force: false
datastore:
  report_path: 
http:
  user_agent: Arachni/v2.0dev
  request_timeout: 10000
  request_redirect_limit: 5
  request_concurrency: 20
  request_queue_size: 100
  request_headers: {}
  response_max_size: 5000000000000
  cookies: {}
  authentication_type: auto
audit:
  parameter_values: true
  exclude_vector_patterns: []
  include_vector_patterns: []
  link_templates: []
  links: true
  forms: true
  cookies: true
  ui_inputs: true
  ui_forms: true
  jsons: true
  xmls: true
browser_cluster:
  local_storage: {}
  wait_for_elements: {}
  pool_size: 6
  job_timeout: 10
  worker_time_to_live: 100
  ignore_images: false
  screen_width: 1600
  screen_height: 1200
session: {}
checks:
- insecure_cross_domain_policy_access
- allowed_methods
- common_admin_interfaces
- insecure_cross_domain_policy_headers
- backup_files
- xst
- backup_directories
- interesting_responses
- common_directories
- backdoors
- cookie_set_for_parent_domain
- x_frame_options
- private_ip
- password_autocomplete
- ssn
- insecure_cookies
- hsts
- html_objects
- mixed_resource
- emails
- form_upload
- http_only_cookies
- cvs_svn_users
- credit_card
- captcha
- unencrypted_password_forms
- insecure_cors_policy
- localstart_asp
- insecure_client_access_policy
- directory_listing
- webdav
- origin_spoof_access_restriction_bypass
- http_put
- htaccess_limit
- common_files
- path_traversal
- response_splitting
- unvalidated_redirect
- file_inclusion
- xss_dom
- code_injection_php_input_wrapper
- xss_dom_script_context
- xss_tag
- session_fixation
- sql_injection_differential
- xxe
- rfi
- xss
- csrf
- sql_injection
- no_sql_injection
- code_injection_timing
- os_cmd_injection_timing
- xss_script_context
- ldap_injection
- xss_event
- sql_injection_timing
- trainer
- unvalidated_redirect_dom
- no_sql_injection_differential
- source_code_disclosure
- xss_path
- xpath_injection
- os_cmd_injection
- code_injection
platforms: []
plugins: {}
no_fingerprinting: false
authorized_by: 
url: http://zero.webappsecurity.com/
--------------------------------------------------------------------------------
[2017-04-03 16:36:12 +0100] [framework/parts/audit#audit_page:89] [HTTP: 200] http://zero.webappsecurity.com/search.html?searchTerm=
[2017-04-03 16:36:12 +0100] [framework/parts/audit#audit_page:90] [filesize_exceeded] Maximum file size exceeded

Looking at the site map generated, not all of the admin paths are scanned.

http://zero.webappsecurity.com/admin/ does appear.

Zapotek commented 7 years ago

I'm not getting any of that. Trying a full scan now, can you reproduce it when scanning just the page that presented the error?

Zapotek commented 7 years ago

No errors after a full scan either.

bgerardw commented 7 years ago

I will rescan that page alone. How many vulnerabilities did the full scan find?

Zapotek commented 7 years ago

19

bgerardw commented 7 years ago

I get the same.

However there are more on that app. For instance there are other issues.

This vector highlights a vulnerability. http://zero.webappsecurity.com/faq.html;<video><source onerror="javascript:alert(9042)">

Also it does not seem to detect the following on the site map.

http://zero.webappsecurity.com/admin/users.html
http://zero.webappsecurity.com/admin/currencies.html

Zapotek commented 7 years ago

Hm, I hadn't considered Java apps that return an XSS in an error page triggered by ; in the path.

Also, I'll look into the missing paths and let you know.

Zapotek commented 7 years ago

The admin path is identified via a directory discovery check, not by crawling the application because there's no path to the admin page. Because of that, it's not included in the crawl but simply logged as an issue.

There are times where those findings would be crawled further but not in this case.

As for the max size error, I'm still not getting it.

bgerardw commented 7 years ago

I am pretty sure max size error will vanish if I move to postgres. Do not worry about it.

Zapotek commented 7 years ago

Not really, the DB is only for the WebUI, the Framework doesn't use it for anything.

bgerardw commented 7 years ago

I ran ./arachni http://zero.webappsecurity.com/ --http-response-max-size=50000000000 on the latest nightly build just now.

It worked ok.

As an aside I tried to import the resulting scan and got the following error.

Report could not be imported because: [RangeError] 50000000000 is out of range for ActiveRecord::ConnectionAdapters::PostgreSQL::OID::Integer with limit 4

bgerardw commented 7 years ago

I ran it with a few less zeros and it finished and imported just fine.
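
Added example (not part of the thread and not Arachni's own code): a Ruby triage of a framework error log in the format quoted above. It lists the pages that hit `filesize_exceeded` in each run and flags any `response_max_size` above the 4-byte integer maximum named in the import error. It assumes each `filesize_exceeded` line follows the `[HTTP: ...]` line for the same page, as in the posted logs; the function and constant names are hypothetical and the sample log is constructed from lines in this thread.

```ruby
# Added example: triage an Arachni framework error log (format as quoted in this thread).
# All names below are hypothetical helpers, not Arachni APIs.

INT4_MAX   = 2**31 - 1 # largest value a 4-byte signed integer column can store
RUN_HEADER = /\A(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) -{10,}\z/
MAX_SIZE   = /\A\s*response_max_size:\s*(\d+)\s*\z/
LOG_LINE   = /\A\[(?<time>[^\]]+)\] \[(?<origin>[^\]:]+)(?::\d+)?\] \[(?<tag>[^\]]+)\] (?<msg>.*)\z/

# Constructed sample: run 1 reuses lines from the thread, run 2 is made up.
SAMPLE_LOG = <<~LOG
  2017-04-03 16:10:50 +0100 --------------------
  OPTIONS:
  ---
  http:
    response_max_size: 5000000000
  url: http://zero.webappsecurity.com/
  --------------------
  [2017-04-03 16:10:50 +0100] [framework/parts/audit#audit_page:89] [HTTP: 200] http://zero.webappsecurity.com/search.html?searchTerm=1
  [2017-04-03 16:10:50 +0100] [framework/parts/audit#audit_page:90] [filesize_exceeded] Maximum file size exceeded
  2017-04-03 17:02:31 +0100 --------------------
  OPTIONS:
  ---
  http:
    response_max_size: 500000000
  url: http://zero.webappsecurity.com/
  --------------------
LOG

# Returns one hash per logged run: the configured response_max_size, whether it
# fits a 4-byte integer column, and the pages whose audit hit filesize_exceeded.
def triage_error_log(text)
  runs = []
  pending = nil # last [HTTP: ...] line seen, waiting for a possible error line
  text.each_line(chomp: true) do |line|
    if (m = RUN_HEADER.match(line))
      runs << { started: m[1], response_max_size: nil, skipped: [] }
      pending = nil
      next
    end
    run = runs.last
    next if run.nil? # ignore anything before the first run header

    if (m = MAX_SIZE.match(line))
      run[:response_max_size] = m[1].to_i
    elsif (m = LOG_LINE.match(line))
      if m[:tag].start_with?('HTTP:')
        pending = { url: m[:msg], status: m[:tag][/\d+/].to_i, origin: m[:origin] }
      elsif m[:tag] == 'filesize_exceeded'
        # Assumption: the error belongs to the HTTP line logged just before it
        # by the same component, as in the logs posted above.
        hit = pending if pending && pending[:origin] == m[:origin]
        run[:skipped] << { time: m[:time], url: hit && hit[:url], status: hit && hit[:status] }
        pending = nil
      end
    end
  end
  runs.each do |run|
    size = run[:response_max_size]
    run[:fits_int4] = size.nil? ? nil : size <= INT4_MAX
  end
end

if __FILE__ == $PROGRAM_NAME
  triage_error_log(SAMPLE_LOG).each do |run|
    puts "#{run[:started]} response_max_size=#{run[:response_max_size]} fits_int4=#{run[:fits_int4]}"
    run[:skipped].each { |s| puts "  filesize_exceeded (HTTP #{s[:status]}): #{s[:url]}" }
  end
end
```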

Zapotek commented 7 years ago

I'll close the issue since it went away, but truthfully I'm not fully satisfied. That page didn't exceed even the default limit on my machine, something strange must be going on.

I'll keep an eye out.