search

andresriancho / w3af

w3af: web application attack and audit framework, the open source web vulnerability scanner.
http://w3af.org/
4.58k stars 1.22k forks source link

pthread_cond_wait: Resource busy #15713

Open jagipas opened 7 years ago

jagipas commented 7 years ago

Hello, i am running the latest version of w3af agains the owasp benchmark (https://www.owasp.org/index.php/Benchmark) but only for XSS. So i only enabled xss audit with console script, like it follows:

#Configure HTTP settings
http-settings
set timeout 30
back
#Configure scanner global behaviors
misc-settings
set max_discovery_time 20
set fuzz_cookies True
set fuzz_form_files True
set fuzz_url_parts True
set fuzz_url_filenames True
back
plugins
#Configure entry point (CRAWLING) scanner, add into ignore_regex the test cases you don't want to audit
crawl web_spider
crawl config web_spider
set only_forward False
set ignore_regex (.*(cmdi).*|.*(crypto).*|.*(hash).*|.*(ldapi).*|.*(pathtraver).*|.*(securecookie).*|.*(sqli).*|.*(trustbound).*|.*(weakrand).*|.*(xpathi).*)
back
#Configure vulnerability scanners
##Specify list of AUDIT plugins type to use
audit xss
##Specify list of GREP plugins type to use (grep plugin is a type of plugin that can find also vulnerabilities or informations disclosure)
##Specify list of INFRASTRUCTURE plugins type to use (infrastructure plugin is a type of plugin that can find informations disclosure)
#Configure reporting in order to generate an HTML report
output console, xml_file
output config xml_file
set output_file /tmp/OwaspBenchmarkXssW3af.xml
set verbose False
back
output config console
set verbose False
back
back
#Set target informations, do a cleanup and run the scan
target 
set target https://localhost:8443/benchmark/xss-Index.html
set target_os unix
set target_framework java
back
cleanup
start

This benchmark have hundreds of test cases so it takes a long while to spider and start discovering new vulnerabilities. But there is a moment that suddenly show the message: pthread_cond_wait: Resource busy and it doesn't continue any more. Any guesses??

andresriancho commented 7 years ago

Uh, that's one ugly bug to identify the root cause.

Haven't seen anything like that in the past and nobody reported something similar either.

Usually I recommend disabling parts of the framework until understanding what might be causing the issue. In your case I would disable 50% of the plugins, run the scan, check if the issue is there, then disable more plugins, etc. until you can pinpoint the minimal configuration that triggers the issue.