proabiral / inception

A highly configurable Framework for easy automated web scanning

/metrics #43

Closed eugui closed 4 years ago

eugui commented 4 years ago

Hi,

I do not know why I do not get a result with my script:

    {
      "vulnerability": "Metrics",
      "sendIn": "url",
      "payload": [
        "/metrics"
      ],
      "checkIn": "responseBody",
      "checkFor": "http_request_duration_seconds||||_reputation_requests_duration_",
      "color": "blue"
    }

The response in the browser is:

    # HELP http_request_duration_seconds duration histogram of http responses labeled with: status_code, method
    # TYPE http_request_duration_seconds histogram
    http_request_duration_seconds_bucket{le="0.003",status_code="200",method="GET"} 541149
    http_request_duration_seconds_bucket{le="0.03",status_code="200",method="GET"} 563538
    http_request_duration_seconds_bucket{le="0.1",status_code="200",method="GET"} 563726
    http_request_duration_seconds_bucket{le="0.3",status_code="200",method="GET"} 563726
    http_request_duration_seconds_bucket{le="1.5",status_code="200",method="GET"} 563727

But inception does not detect this /metrics.

geeknik commented 4 years ago

It could be that you're missing a "method" for fetching said resource. Try this:

    {
      "vulnerability": "Metrics",
      "method": "GET",
      "sendIn": "url",
      "payload": [
        "/metrics"
      ],
      "checkIn": "responseBody",
      "checkFor": "http_request_duration_seconds||||_reputation_requests_duration_",
      "color": "blue"
    }

eugui commented 4 years ago

Tried with "method": "GET", and nothing.

I used: -timeout 25 -t 2

In my list there are only 5 URLs.

geeknik commented 4 years ago

I'm currently unable to reproduce your issue locally. Maybe someone else has insight.

proabiral commented 4 years ago

Hi @eugui, can you check if you are receiving the same response with inception as in the browser by setting the environment variable GOREQUEST_DEBUG to 1 and running the tool?

eugui commented 4 years ago

Hi @proabiral and @geeknik,

It was my fault and the correct code is:

    {
      "vulnerability": "Metrics",
      "method": "GET",
      "color": "blue",
      "body": "",
      "endpoint": [
        "/metrics"
      ],
      "headers": [],
      "checkIn": "responseBody",
      "checkFor": "http_request_duration_seconds||||_reputation_requests_duration_"
    }

Issue detected - Metrics Endpoint - http://xxx.xxx/metrics

Thank you
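
An added example, not part of the thread and not inception's own code: a strict lint for a provider entry that flags the `sendIn`/`payload` keys of the first attempt before a scan is run, instead of the scan silently returning nothing. It assumes the key set of the working entry in the last comment is the complete schema; `Provider` and `LintProvider` are hypothetical names.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Provider mirrors only the keys of the working entry in the last comment;
// treating that as the complete schema is an assumption of this example.
type Provider struct {
	Vulnerability string          `json:"vulnerability"`
	Method        string          `json:"method"`
	Color         string          `json:"color"`
	Body          string          `json:"body"`
	Endpoint      []string        `json:"endpoint"`
	Headers       json.RawMessage `json:"headers"` // element type is not shown on the page
	CheckIn       string          `json:"checkIn"`
	CheckFor      string          `json:"checkFor"`
}

// LintProvider (hypothetical helper) rejects entries that Go's default JSON
// decoding would accept without complaint: unknown keys, or no endpoint.
func LintProvider(raw []byte) error {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // default decoding drops unknown keys silently
	var p Provider
	if err := dec.Decode(&p); err != nil {
		return fmt.Errorf("provider rejected: %w", err)
	}
	if len(p.Endpoint) == 0 {
		return fmt.Errorf("provider %q: no endpoint to request", p.Vulnerability)
	}
	return nil
}

// The first attempt and the working entry from the thread, compacted.
const firstAttempt = `{"vulnerability":"Metrics","sendIn":"url","payload":["/metrics"],
 "checkIn":"responseBody","checkFor":"http_request_duration_seconds||||_reputation_requests_duration_","color":"blue"}`

const working = `{"vulnerability":"Metrics","method":"GET","color":"blue","body":"","endpoint":["/metrics"],
 "headers":[],"checkIn":"responseBody","checkFor":"http_request_duration_seconds||||_reputation_requests_duration_"}`

func main() {
	fmt.Println("first attempt:", LintProvider([]byte(firstAttempt)))
	fmt.Println("working entry:", LintProvider([]byte(working)))
}
```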