Arachni nightlies do not scan AJAX requests
Created by: b1ngz
I use Arachni nightlies (25-Sep-2016) to scan a vulnerable website which has XSS and SQL Injection vulnerabilities.
One of the vulnerabilities is an AJAX request which has a SQL injection problem, but Arachni nightlies do not scan it.
The AJAX request is sent by JavaScript code when we access the vulnerable website.
The AJAX request:
Request info:
POST: http://demo.aisec.cn/demo/aisec/ajax_link.php?id=1&t=0.9226153168443685
Parameters: id=1&t=0.9226153168443685
The JavaScript code:
<script>
// Synchronous XHR issued on page load; the t parameter is a random
// cache-buster, so the request URL is different on every visit.
var ajax;
if (window.ActiveXObject) ajax = new ActiveXObject("Microsoft.XMLHTTP");
else ajax = new XMLHttpRequest();
ajax.open('post', "ajax_link.php?id=1&t=" + Math.random(), false);
ajax.send();
document.write("ajax.ResponseText length:" + ajax.responseText.length);
</script>
Command:
./bin/arachni http://demo.aisec.cn/demo/aisec --scope-include-pattern="demo/aisec" --checks=sql*,xss* --report-save-path=aisec.afr --output-debug 4> debug.log
Full output:
================================================================================
[+] Web Application Security Report - Arachni Framework
[~] Report generated on: 2016-09-26 11:24:33 +0800
[~] Report false positives at: http://github.com/Arachni/arachni/issues
[+] System settings:
[~] ---------------
[~] Version: 2.0dev
[~] Seed: 7915629ef64499345332a87569c19d8b
[~] Audit started on: 2016-09-26 11:23:39 +0800
[~] Audit finished on: 2016-09-26 11:24:33 +0800
[~] Runtime: 00:00:53
[~] URL: http://demo.aisec.cn/demo/aisec
[~] User agent: Arachni/v2.0dev
[*] Audited elements:
[~] * Links
[~] * Forms
[~] * Cookies
[~] * XMLs
[~] * JSONs
[~] * UI inputs
[~] * UI forms
[*] Checks: sql_injection, sql_injection_timing, sql_injection_differential, xss_dom, xss_tag, xss_path, xss, xss_script_context, xss_event, xss_dom_script_context
[*] Filters:
[~] Include:
[~] (?i-mx:demo\/aisec)
[~] ===========================
[+] 3 issues were detected.
[+] [1] Blind SQL Injection (differential analysis) (Trusted)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] Digest: 1932404419
[~] Severity: High
[~] Description:
[~]
Due to the requirement for dynamic content of today's web applications, many
rely on a database backend to store data that will be called upon and processed
by the web application (or other programs).
Web applications retrieve data from the database by using Structured Query Language
(SQL) queries.
To meet demands of many developers, database servers (such as MSSQL, MySQL,
Oracle etc.) have additional built-in functionality that can allow extensive
control of the database and interaction with the host operating system itself.
An SQL injection occurs when a value originating from the client's request is used
within a SQL query without prior sanitisation. This could allow cyber-criminals
to execute arbitrary SQL code and steal data or use the additional functionality
of the database server to take control of more server components.
The successful exploitation of a SQL injection can be devastating to an
organisation and is one of the most commonly exploited web application vulnerabilities.
This injection was detected as Arachni was able to inject specific SQL queries,
that if vulnerable, result in the responses for each injection being different.
This is known as a blind SQL injection vulnerability.
[~] Tags: sql, blind, differential, injection, database
[~] CWE: http://cwe.mitre.org/data/definitions/89.html
[~] References:
[~] OWASP - https://www.owasp.org/index.php/Blind_SQL_Injection
[~] MITRE - CAPEC - http://capec.mitre.org/data/definitions/7.html
[~] WASC - http://projects.webappsec.org/w/page/13246963/SQL%20Injection
[~] W3 Schools - http://www.w3schools.com/sql/sql_injection.asp
[~] URL: http://demo.aisec.cn/demo/aisec/click_link.php
[~] Element: link
[~] All inputs: id
[~] Method: GET
[~] Input name: id
[~] Seed: "-1839 or 1=2"
[~] Injected: "-1839 or 1=2"
[~] Referring page: http://demo.aisec.cn/demo/aisec/
[~] DOM transitions:
[~] -- [0.9810s] load => page (http://demo.aisec.cn/demo/aisec/)
[~] * [0.4018s] request => http://demo.aisec.cn/demo/aisec/
[~] * [0.1999s] request => http://demo.aisec.cn/demo/aisec/ajax_link.php?id=1&t=0.20359140587970614
[~] -- [0.1428s] click => <input type="button" id="1" onclick="abc.innerHTML ='<a href=click_link.php'+'?id=2>click_link.php?id=2</a>'" value="\u70B9\u51FB\u540E\u751F\u6210\u94FE\u63A5(click_link.php?id=1)">
[~] Affected page: http://demo.aisec.cn/demo/aisec/click_link.php?id=-1839%20or%201=2
[~] HTTP request
GET /demo/aisec/click_link.php?id=-1839%20or%201%3D2 HTTP/1.1
Host: demo.aisec.cn
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v2.0dev
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
X-Arachni-Scan-Seed: 7915629ef64499345332a87569c19d8b
Cookie: u=guest
[~] Remarks
[~] -------
[~] By differential_analysis:
[~] * True expression: -1839 or 1=1
[~] * False expression: -1839 or 1=2
[~] * Control false expression: -1839
[+] [2] Cross-Site Scripting (XSS) in HTML tag (Trusted)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] Digest: 652046720
[~] Severity: High
[~] Description:
[~]
Client-side scripts are used extensively by modern web applications.
They perform from simple functions (such as the formatting of text) up to full
manipulation of client-side data and Operating System interaction.
Cross Site Scripting (XSS) allows clients to inject scripts into a request and
have the server return the script to the client in the response. This occurs
because the application is taking untrusted data (in this example, from the client)
and reusing it without performing any validation or sanitisation.
If the injected script is returned immediately this is known as reflected XSS.
If the injected script is stored by the server and returned to any client visiting
the affected page, then this is known as persistent XSS (also stored XSS).
Arachni has discovered that it is possible to insert content directly into an HTML
tag. For example `<INJECTION_HERE href=.......etc>` where `INJECTION_HERE`
represents the location where the Arachni payload was detected.
[~] Tags: xss, script, tag, regexp, dom, attribute, injection
[~] CWE: http://cwe.mitre.org/data/definitions/79.html
[~] References:
[~] Secunia - http://secunia.com/advisories/9716/
[~] WASC - http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting
[~] OWASP - https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
[~] URL: http://demo.aisec.cn/demo/aisec/js_link.php
[~] Element: link
[~] All inputs: id, msg
[~] Method: GET
[~] Input name: msg
[~] Seed: "' arachni_xss_in_tag='7915629ef64499345332a87569c19d8b' blah='"
[~] Injected: "abc' arachni_xss_in_tag='7915629ef64499345332a87569c19d8b' blah='"
[~] Proof: "' arachni_xss_in_tag='7915629ef64499345332a87569c19d8b' blah='"
[~] Referring page: http://demo.aisec.cn/demo/aisec/
[~] DOM transitions:
[~] -- [0.7960s] load => page (http://demo.aisec.cn/demo/aisec/)
[~] * [0.4114s] request => http://demo.aisec.cn/demo/aisec/
[~] * [0.1999s] request => http://demo.aisec.cn/demo/aisec/ajax_link.php?id=1&t=0.4596339629497379
[~] Affected page: http://demo.aisec.cn/demo/aisec/js_link.php?id=2&msg=abc'%20arachni_xss_in_tag='7915629ef64499345332a87569c19d8b'%20blah='
[~] HTTP request
GET /demo/aisec/js_link.php?id=2&msg=abc%27%20arachni_xss_in_tag%3D%277915629ef64499345332a87569c19d8b%27%20blah%3D%27 HTTP/1.1
Host: demo.aisec.cn
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v2.0dev
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
X-Arachni-Scan-Seed: 7915629ef64499345332a87569c19d8b
Cookie: u=guest
[+] [3] Blind SQL Injection (differential analysis) (Trusted)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] Digest: 4119380714
[~] Severity: High
[~] Description:
[~]
Due to the requirement for dynamic content of today's web applications, many
rely on a database backend to store data that will be called upon and processed
by the web application (or other programs).
Web applications retrieve data from the database by using Structured Query Language
(SQL) queries.
To meet demands of many developers, database servers (such as MSSQL, MySQL,
Oracle etc.) have additional built-in functionality that can allow extensive
control of the database and interaction with the host operating system itself.
An SQL injection occurs when a value originating from the client's request is used
within a SQL query without prior sanitisation. This could allow cyber-criminals
to execute arbitrary SQL code and steal data or use the additional functionality
of the database server to take control of more server components.
The successful exploitation of a SQL injection can be devastating to an
organisation and is one of the most commonly exploited web application vulnerabilities.
This injection was detected as Arachni was able to inject specific SQL queries,
that if vulnerable, result in the responses for each injection being different.
This is known as a blind SQL injection vulnerability.
[~] Tags: sql, blind, differential, injection, database
[~] CWE: http://cwe.mitre.org/data/definitions/89.html
[~] References:
[~] OWASP - https://www.owasp.org/index.php/Blind_SQL_Injection
[~] MITRE - CAPEC - http://capec.mitre.org/data/definitions/7.html
[~] WASC - http://projects.webappsec.org/w/page/13246963/SQL%20Injection
[~] W3 Schools - http://www.w3schools.com/sql/sql_injection.asp
[~] URL: http://demo.aisec.cn/demo/aisec/html_link.php
[~] Element: link
[~] All inputs: id
[~] Method: GET
[~] Input name: id
[~] Seed: "-1839' or '1'='2"
[~] Injected: "-1839' or '1'='2"
[~] Referring page: http://demo.aisec.cn/demo/aisec/
[~] Affected page: http://demo.aisec.cn/demo/aisec/html_link.php?id=-1839'%20or%20'1'='2
[~] HTTP request
GET /demo/aisec/html_link.php?id=-1839%27%20or%20%271%27%3D%272 HTTP/1.1
Host: demo.aisec.cn
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v2.0dev
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
X-Arachni-Scan-Seed: 7915629ef64499345332a87569c19d8b
Cookie: u=guest
[~] Remarks
[~] -------
[~] By differential_analysis:
[~] * True expression: -1839' or '1'='1
[~] * False expression: -1839' or '1'='2
[~] * Control false expression: -1839
[+] Plugin data:
[~] ---------------
[*] Uniformity (Lack of central sanitization)
[~] ~~~~~~~~~~~~~~
[~] Description:
Analyzes the scan results and logs issues which persist across different pages.
This is usually a sign for a lack of a central/single point of input sanitization,
a bad coding practise.
[~] Relevant issues:
[~] --------------------
[+] Blind SQL Injection (differential analysis) in link input 'id' using GET at the following pages:
[~] * http://demo.aisec.cn/demo/aisec/click_link.php
[~] * http://demo.aisec.cn/demo/aisec/html_link.php
[*] Health map
[~] ~~~~~~~~~~~~~~
[~] Description: Generates a simple list of safe/unsafe URLs.
[~] Legend:
[+] No issues
[-] Has issues
[+] http://demo.aisec.cn/demo/aisec
[+] http://demo.aisec.cn/demo/aisec/
[-] http://demo.aisec.cn/demo/aisec/click_link.php
[-] http://demo.aisec.cn/demo/aisec/html_link.php
[+] http://demo.aisec.cn/demo/aisec/index.php
[-] http://demo.aisec.cn/demo/aisec/js_link.php
[+] http://demo.aisec.cn/demo/aisec/login.php
[+] http://demo.aisec.cn/demo/aisec/login2.php
[+] http://demo.aisec.cn/demo/aisec/other/
[+] http://demo.aisec.cn/demo/aisec/post_link.php
[~] Total: 10
[+] Without issues: 7
[-] With issues: 3 ( 30% )
[~] Report saved at: /root/software/arachni-2.0-0925/aisec.afr [0.01MB]
[~] Audited 32 page snapshots.
[~] Duration: 00:00:53
[~] Processed 2609/2609 HTTP requests.
[~] -- 52.405 requests/second.
[~] Processed 160/160 browser jobs.
[~] -- 0.938 second/job.
[~] Currently auditing http://demo.aisec.cn/demo/aisec/js_link.php
[~] Burst response time sum 3.157 seconds
[~] Burst response count 18
[~] Burst average response time 0.175 seconds
[~] Burst average 0.0 requests/second
[~] Timed-out requests 0
[~] Original max concurrency 20
[~] Throttled max concurrency 20
I don't see the URL http://demo.aisec.cn/demo/aisec/ajax_link.php?id=1&t=0.20359140587970614
in the sitemap:
[+] http://demo.aisec.cn/demo/aisec
[+] http://demo.aisec.cn/demo/aisec/
[-] http://demo.aisec.cn/demo/aisec/click_link.php
[-] http://demo.aisec.cn/demo/aisec/html_link.php
[+] http://demo.aisec.cn/demo/aisec/index.php
[-] http://demo.aisec.cn/demo/aisec/js_link.php
[+] http://demo.aisec.cn/demo/aisec/login.php
[+] http://demo.aisec.cn/demo/aisec/login2.php
[+] http://demo.aisec.cn/demo/aisec/other/
[+] http://demo.aisec.cn/demo/aisec/post_link.php
And in the first issue's info, it shows that the request is caught:
[~] * [0.1999s] request => http://demo.aisec.cn/demo/aisec/ajax_link.php?id=1&t=0.20359140587970614
Why doesn't Arachni scan the URL?