olacabs / jackhammer

Jackhammer - One Security vulnerability assessment/management tool to solve all the security team problems.
https://jch.olacabs.com/userguide

Cannot find any vulnerability after scan!! #77

Open Nishtha04 opened 6 years ago

Nishtha04 commented 6 years ago

Jackhammer is not giving any result for any of the scans that I performed.

My redis server is already running, and for sidekiq, when I run this command from the web/app folder: sidekiq -c config/sidekiq.yml -d, it says: -bash: sidekiq: command not found

And also, when I click on the forgot password link, it says: "We're sorry, but something went wrong. If you are the application owner check the logs for more information."

sampathmende commented 6 years ago

@Nishtha04 I also did the same thing. I installed Jackhammer through Docker and as a local setup. In both environments, when I gave the web application URL in web scans, it showed the scan started and completed without any findings. I raised issues in this forum but no use. I think they are wasting our valuable time.

Nishtha04 commented 6 years ago

I have fixed a few small issues by myself, but no use.

sampathmende commented 6 years ago

@Nishtha04: What I found in the Docker build is that the issue is something related to the selenium driver version, and from the sidekiq logs it is unable to generate reports. In the local setup, what I observed is that the issue is different than that: Job raised exception. I am unable to figure it out. If you know any fixed issue, can you tell me? I will try that. Thanks,

Nishtha04 commented 6 years ago

I am setting it up on Mac OS... I really don't know about the local setup.

kmadhusudhan commented 6 years ago

Can you please let me know which scan you are running, and what is the status of the scan? Could you please share the scan logs?

Nishtha04 commented 6 years ago

I have done multiple scans: network, web and code review. The status was "scanning started" and then "Re-scan" was coming with no results. But if I run nmap or test the web app manually, there are vulnerabilities.

Below is the scan log for network. The log file for the web app scan is empty.

[2018-02-09 10:34:37 +0000] Loading scanner...
[2018-02-09 10:34:46 +0000] Loading scanner...
[2018-02-09 10:34:49 +0000] Mounting ... *.*.*.*
[2018-02-09 10:34:49 +0000] Mounting target: *.*.*.*
[2018-02-09 10:34:49 +0000] Checking about mounting *.*.*.* with #<Pipeline::DockerMounter:0x007fa3f0227bd0>
[2018-02-09 10:34:49 +0000] In Docker mounter, target: *.*.*.* became: *.* ... wondering if it matched .docker
[2018-02-09 10:34:49 +0000] Checking about mounting *.*.*.* with #<Pipeline::FileSystemMounter:0x007fa3f02277e8>
[2018-02-09 10:34:49 +0000] Checking about mounting *.*.*.* with #<Pipeline::GitMounter:0x007fa3f0227568>
[2018-02-09 10:34:49 +0000] Checking about mounting *.*.*.* with #<Pipeline::IPMounter:0x007fa3f02272c0>
[2018-02-09 10:34:49 +0000] Mounting *.*.*.* with #<Pipeline::IPMounter:0x007fa3f02272c0>
[2018-02-09 10:34:49 +0000] Mounted *.*.*.* with #<Pipeline::IPMounter:0x007fa3f02272c0>
[2018-02-09 10:34:49 +0000] Processing target...*.*.*.*
[2018-02-09 10:34:49 +0000] Running tasks in stage: wait
[2018-02-09 10:34:49 +0000] Mounting ... *.*.*.*
[2018-02-09 10:34:50 +0000] Mounting target: *.*.*.*
[2018-02-09 10:34:50 +0000] Checking about mounting *.*.*.* with #<Pipeline::DockerMounter:0x007fa3f0224390>
[2018-02-09 10:34:50 +0000] In Docker mounter, target: *.*.*.* became: *.* ... wondering if it matched .docker
[2018-02-09 10:34:50 +0000] Checking about mounting *.*.*.* with #<Pipeline::FileSystemMounter:0x007fa3ec253f68>
[2018-02-09 10:34:50 +0000] Checking about mounting *.*.*.* with #<Pipeline::GitMounter:0x007fa3ec253ce8>
[2018-02-09 10:34:50 +0000] Checking about mounting *.*.*.* with #<Pipeline::IPMounter:0x007fa3ec253a40>
[2018-02-09 10:34:50 +0000] Mounting *.*.*.* with #<Pipeline::IPMounter:0x007fa3ec253a40>
[2018-02-09 10:34:50 +0000] Mounted *.*.*.* with #<Pipeline::IPMounter:0x007fa3ec253a40>
[2018-02-09 10:34:50 +0000] Processing target...*.*.*.*
[2018-02-09 10:34:50 +0000] Running tasks in stage: wait
[2018-02-09 10:34:51 +0000] Running tasks in stage: mount
[2018-02-09 10:34:51 +0000] Running tasks in stage: mount
[2018-02-09 10:34:51 +0000] Running tasks in stage: file
[2018-02-09 10:34:51 +0000] Running tasks in stage: file
[2018-02-09 10:34:51 +0000] Running tasks in stage: code
[2018-02-09 10:34:51 +0000] Running tasks in stage: code
[2018-02-09 10:34:51 +0000] code - Nmap - #<Set:0x007fa41027b850>
[2018-02-09 10:34:51 +0000] code - Nmap - #<Set:0x007fa4102796b8>
[2018-02-09 10:35:34 +0000] Running tasks in stage: live
[2018-02-09 10:35:34 +0000] Running tasks in stage: live
[2018-02-09 10:35:34 +0000] Running tasks in stage: done
[2018-02-09 10:35:34 +0000] Running tasks in stage: done
[2018-02-09 10:35:34 +0000] Have 0 items pre ZAP filter.
[2018-02-09 10:35:34 +0000] Have 0 items post ZAP filter.
[2018-02-09 10:35:34 +0000] Generating report...[:to_s]
[2018-02-09 10:35:34 +0000] Running base reoprt...
[2018-02-09 10:35:34 +0000] Have 0 items pre ZAP filter.
[2018-02-09 10:35:34 +0000] Have 0 items post ZAP filter.
[2018-02-09 10:35:34 +0000] Generating report...[:to_s]
[2018-02-09 10:35:34 +0000] Running base reoprt...
[2018-02-09 10:36:15 +0000] Loading scanner...
[2018-02-09 10:36:15 +0000] Mounting ... *.*.*.*
[2018-02-09 10:36:15 +0000] Mounting target: *.*.*.*
[2018-02-09 10:36:15 +0000] Checking about mounting *.*.*.* with #<Pipeline::DockerMounter:0x00559aee46f508>
[2018-02-09 10:36:15 +0000] In Docker mounter, target: *.*.*.* became: *.* ... wondering if it matched .docker
[2018-02-09 10:36:15 +0000] Checking about mounting *.*.*.* with #<Pipeline::FileSystemMounter:0x00559aee46f120>
[2018-02-09 10:36:15 +0000] Checking about mounting *.*.*.* with #<Pipeline::GitMounter:0x00559aee46eea0>
[2018-02-09 10:36:15 +0000] Checking about mounting *.*.*.* with #<Pipeline::IPMounter:0x00559aee46eba8>
[2018-02-09 10:36:15 +0000] Mounting *.*.*.* with #<Pipeline::IPMounter:0x00559aee46eba8>
[2018-02-09 10:36:15 +0000] Mounted *.*.*.* with #<Pipeline::IPMounter:0x00559aee46eba8>
[2018-02-09 10:36:15 +0000] Processing target...*.*.*.*
[2018-02-09 10:36:15 +0000] Running tasks in stage: wait
[2018-02-09 10:36:15 +0000] Running tasks in stage: mount
[2018-02-09 10:36:15 +0000] Running tasks in stage: mount
[2018-02-09 10:36:16 +0000] Running tasks in stage: file
[2018-02-09 10:36:16 +0000] Running tasks in stage: file
[2018-02-09 10:36:16 +0000] Running tasks in stage: code
[2018-02-09 10:36:16 +0000] Running tasks in stage: code
[2018-02-09 10:36:16 +0000] code - Nmap - #<Set:0x00559aee432b30>
[2018-02-09 10:36:16 +0000] code - Nmap - #<Set:0x00559aee427078>
[2018-02-09 10:36:36 +0000] Running tasks in stage: live
[2018-02-09 10:36:37 +0000] Running tasks in stage: done
[2018-02-09 10:36:37 +0000] Have 0 items pre ZAP filter.
[2018-02-09 10:36:37 +0000] Have 0 items post ZAP filter.
[2018-02-09 10:36:37 +0000] Generating report...[:to_s]
[2018-02-09 10:36:37 +0000] Running base reoprt...
[2018-02-09 10:37:11 +0000] Loading scanner...
[2018-02-09 10:37:11 +0000] Mounting ... *.*.*.*
[2018-02-09 10:37:11 +0000] Mounting target: *.*.*.*
[2018-02-09 10:37:11 +0000] Checking about mounting *.*.*.* with #<Pipeline::DockerMounter:0x00559aeda909b0>
[2018-02-09 10:37:11 +0000] In Docker mounter, target: *.*.*.* became: *.*... wondering if it matched .docker
[2018-02-09 10:37:11 +0000] Checking about mounting *.*.*.* with #<Pipeline::FileSystemMounter:0x00559aeda6fe68>
[2018-02-09 10:37:11 +0000] Checking about mounting *.*.*.* with #<Pipeline::GitMounter:0x00559aeda6fbe8>
[2018-02-09 10:37:11 +0000] Checking about mounting *.*.*.* with #<Pipeline::IPMounter:0x00559aeda6f940>
[2018-02-09 10:37:11 +0000] Mounting *.*.*.* with #<Pipeline::IPMounter:0x00559aeda6f940>
[2018-02-09 10:37:11 +0000] Mounted *.*.*.* with #<Pipeline::IPMounter:0x00559aeda6f940>
[2018-02-09 10:37:11 +0000] Processing target...*.*.*.*
[2018-02-09 10:37:11 +0000] Running tasks in stage: wait
[2018-02-09 10:37:11 +0000] Running tasks in stage: mount
[2018-02-09 10:37:11 +0000] Running tasks in stage: file
[2018-02-09 10:37:11 +0000] Running tasks in stage: code
[2018-02-09 10:37:11 +0000] code - Nmap - #<Set:0x00559aeda573b8>
[2018-02-09 10:37:46 +0000] Loading scanner...
[2018-02-09 10:37:46 +0000] Mounting ... *.*.*.*
[2018-02-09 10:37:46 +0000] Mounting target: *.*.*.*
[2018-02-09 10:37:46 +0000] Checking about mounting *.*.*.* with #<Pipeline::DockerMounter:0x00559aed55b300>
[2018-02-09 10:37:46 +0000] In Docker mounter, target: *.*.*.* became: *.* ... wondering if it matched .docker
[2018-02-09 10:37:46 +0000] Checking about mounting *.*.*.* with #<Pipeline::FileSystemMounter:0x00559aed55af40>
[2018-02-09 10:37:46 +0000] Checking about mounting *.*.*.* with #<Pipeline::GitMounter:0x00559aed55acc0>
[2018-02-09 10:37:46 +0000] Checking about mounting *.*.*.* with #<Pipeline::IPMounter:0x00559aed55a9c8>
[2018-02-09 10:37:46 +0000] Mounting *.*.*.* with #<Pipeline::IPMounter:0x00559aed55a9c8>
[2018-02-09 10:37:46 +0000] Mounted *.*.*.* with #<Pipeline::IPMounter:0x00559aed55a9c8>
[2018-02-09 10:37:46 +0000] Processing target...*.*.*.*
[2018-02-09 10:37:46 +0000] Running tasks in stage: wait
[2018-02-09 10:37:46 +0000] Running tasks in stage: mount
[2018-02-09 10:37:46 +0000] Running tasks in stage: file
[2018-02-09 10:37:46 +0000] Running tasks in stage: code
[2018-02-09 10:37:46 +0000] code - Nmap - #<Set:0x00559aed53e9f8>
[2018-02-09 10:37:48 +0000] Running tasks in stage: live
[2018-02-09 10:37:48 +0000] Running tasks in stage: done
[2018-02-09 10:37:48 +0000] Have 0 items pre ZAP filter.
[2018-02-09 10:37:48 +0000] Have 0 items post ZAP filter.
[2018-02-09 10:37:48 +0000] Generating report...[:to_s]
[2018-02-09 10:37:48 +0000] Running base reoprt...
[2018-02-09 10:38:19 +0000] Running tasks in stage: live
[2018-02-09 10:38:19 +0000] Running tasks in stage: done
[2018-02-09 10:38:19 +0000] Have 0 items pre ZAP filter.
[2018-02-09 10:38:19 +0000] Have 0 items post ZAP filter.
[2018-02-09 10:38:19 +0000] Generating report...[:to_s]
[2018-02-09 10:38:19 +0000] Running base reoprt...

I have replaced the IP address with *.

Nishtha04 commented 6 years ago

@KMadhuSudhan any update?

kmadhusudhan commented 6 years ago

Where did you run the tools? Inside Docker or on the local system?

Nishtha04 commented 6 years ago

Inside Docker only.

Nishtha04 commented 6 years ago

@KMadhuSudhan any update?

kmadhusudhan commented 6 years ago

@Nishtha04 I did not find any issues in the logs. Could you please let me know, with examples, where I can identify a problem with Jackhammer scanning as against manual scanning?

sampathmende commented 6 years ago

@Nishtha04 Is Jackhammer working?? Is it scanning the application and showing any vulnerabilities in the application??

Nishtha04 commented 6 years ago

@sampathmende Yeah, it did for one app only and reported a few issues, not all, and for that one also I am unable to find the reported vulnerabilities. I don't know if there is auto deletion or what :(

kmadhusudhan commented 6 years ago

@Nishtha04 Only if the db docker instance is destroyed can vulnerabilities be deleted. There is no auto deletion of vulnerabilities in Jackhammer.

Nishtha04 commented 6 years ago

I haven't even stopped my docker or done anything with the db instance. I don't know how it happened. The app name and everything is there, but no vulnerabilities.

And I don't know what's wrong with the scans as well.

Nishtha04 commented 6 years ago

Any update on why it is happening?

Nishtha04 commented 6 years ago

@sampathmende Is your issue resolved?

sampathmende commented 6 years ago

For the last two weeks I have not tested it, and I have been working on something else. I will let you know, maybe next week. #76 Follow this link; it may help you. @vickybyou posted very detailed instructions about installing locally. It's better than the developer group.

Nishtha04 commented 6 years ago

Yeah, I checked it but no use. I am installing it on my Mac. Let me know if your issue gets resolved.

harie0x commented 6 years ago

Any update on this one?

Nishtha04 commented 6 years ago

No, I have stopped working on it as there was no solution. I cannot spend so much time on this by myself without support from the developers.

sampathmende commented 6 years ago

I also stopped working on it. The developers are not providing any solution even though logs were provided. They simply tell us that Jackhammer is working for them. I raised many issues but they have not provided any solution. The main issue I found, after spending 2 months installing Jackhammer, is that the arachni plugins are incompatible with the selenium plugins. I raised it but no solution.

So my suggestion is, don't waste your valuable time on this.

kmadhusudhan commented 6 years ago

@harie0x @Nishtha04 We do not have any clue for solving this issue. As I can see from the logs provided by Nishtha04, the scan was done by Nmap; there was no issue with the Nmap scanner, it finished with success status. And we are not facing any issue like it running manually and not working with Jackhammer. It would be more helpful in solving this if you can provide any examples which we can also scan and verify results for, by running manually and by running with Jackhammer.

sampathmende commented 6 years ago

Dear Madhusudhan, I have raised many issues regarding the incompatibility of plugins with selenium and arachni. Did you find any solution till now?? #81 #80 #79 #78

kmadhusudhan commented 6 years ago

@sampathmende For #81, you need to change the selenium-webdriver version from 2.8.0 to 2.7.0 and rebuild Jackhammer. #78 is a duplicate of #81. And I gave the solution for #80 and #79.

Nishtha04 commented 6 years ago

@KMadhuSudhan I am still waiting for a reply.

sampathmende commented 6 years ago

@KMadhuSudhan, I have told you a few times in the bug that the selenium-webdriver version is 3.8.0, but you are saying change it to 2.7.0 from 2.8.0, but how?? It's not working, which I mentioned in the issues itself.

Below is your reply from that issue:

[screenshot: capture]

kmadhusudhan commented 6 years ago

We have fixed this version change in our local setup but did not move the changes here. Soon we will move these changes to the repository.

harie0x commented 6 years ago

@KMadhuSudhan may I know what changes I need to make to get it working?

kmadhusudhan commented 6 years ago

@harie0x Please analyze the logs from log/scan/{scan_id.log} in the web docker. If you do not have logs, please verify whether the Arachni tool is enabled/disabled in the admin configuration; you can check the Jackhammer user guide for enabling/disabling tools. If the tool is enabled and it's not running, you can add debug statements after every line and understand where it is getting stopped or failing. Please add debug statements here:
arachni => https://github.com/olacabs/jackhammer/blob/master/web/app/lib/pipeline/tasks/arachni.rb
Nmap => https://github.com/olacabs/jackhammer/blob/master/web/app/lib/pipeline/tasks/npm.rb

Steps to add debug statements and analyze logs:

1) Sequence of methods called inside a tool: initialize => run => analyze. initialize => for initializing the given target. run => this basically runs the tool and writes the results to a file. analyze => this does the results parsing.

2) You can add debug statements with puts; please add a debug statement for every line inside the run method. Refer to http://ruby-for-beginners.rubymonstas.org/bonus/string_interpolation.html for writing debug statements. Another example => puts "writing report file variable => #{report_file.inspect}". Output on the console will be => writing report file variable => /tmp/12345.json

3) Rebuild Jackhammer and log in to the web docker after the application has started.

4) Kill the sidekiq processes: kill -15 sidekiq_process_id.

5) Restart the sidekiq processes in the foreground instead of the background; you cannot see debug statements if run in the background. Command to run in the foreground: RAILS_ENV=production bundle exec sidekiq -C config/sidekiq.yml

6) Now add the target from the UI and analyse the logs.

If you are still not clear on the above steps, we recorded clear steps in a video for adding a new tool, and this is present in the Jackhammer user guide.

You can overwrite the current Arachni implementation, or that of other tools, whichever is not working for you.
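The debugging procedure above, as an added stand-alone example that is not Jackhammer's own code: a hypothetical task class (`DebugScanTask`, constructed here) that follows the same initialize => run => analyze sequence, with a puts debug statement after each step, and a constructed sample tool output. It shows why an empty or unparseable report file ends in "0 items" and where the console output points you when that happens.

```ruby
require 'json'
require 'tempfile'

# Hypothetical stand-in for a Jackhammer pipeline task (not the project's code):
# the initialize => run => analyze sequence with a puts debug statement per step.
class DebugScanTask
  def initialize(target, raw_output)
    @target = target
    @raw_output = raw_output # constructed stand-in for the tool's stdout
    @findings = []
    debug "initialized for target => #{@target.inspect}"
  end

  # Writes the tool output to a results file, as a task's run method would.
  def run
    file = Tempfile.new(['scan', '.json'])
    @report_file = file.path
    debug "writing report file variable => #{@report_file.inspect}"
    file.write(@raw_output)
    file.close
    debug "report file size => #{File.size(@report_file)} bytes"
    self
  end

  # Parses the results file; an empty or malformed file yields zero findings.
  def analyze
    data = File.read(@report_file)
    debug "read #{data.bytesize} bytes from #{@report_file.inspect}"
    parsed = JSON.parse(data)
    @findings = Array(parsed['hosts']).flat_map do |h|
      Array(h['ports']).map { |p| { host: h['addr'], port: p['port'], service: p['service'] } }
    end
    debug "parsed #{@findings.size} findings"
    @findings
  rescue JSON::ParserError => e
    debug "unparseable report (empty or malformed) => #{e.message}"
    @findings
  end

  def debug(msg)
    puts "[#{Time.now.utc}] DEBUG #{self.class.name}: #{msg}"
  end
end

# Constructed sample output with two open ports; an empty string is the failure mode.
SAMPLE_OUTPUT = JSON.generate('hosts' => [{ 'addr' => '10.0.0.5', 'ports' => [{ 'port' => 22, 'service' => 'ssh' }, { 'port' => 80, 'service' => 'http' }] }])

def findings_for(raw)
  DebugScanTask.new('10.0.0.5', raw).run.analyze
end
```

Running `findings_for('')` next to `findings_for(SAMPLE_OUTPUT)` shows the two traces diverging at the "read 0 bytes" line, which is the point to compare against the real task's run method.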