Arachni nightlies crawl problem
Created by: b1ngz
I use the Arachni nightlies REST API to scan DVWA 1.9 for XSS vulnerabilities.
This is my scan configuration.
POST http://172.16.1.111/scans
{
"url": "http://172.16.1.112/dvwa/vulnerabilities",
"checks": [
"xss*"
],
"audit": {
"links": true,
"forms": true,
"cookies": false,
"headers": false,
"jsons": true,
"xmls": true,
"ui_inputs": true,
"ui_forms": true
},
"scope": {
"exclude_path_patterns": [
"logout",
"security",
"login",
"setup"
]
},
"http": {
"cookies": {
"security": "low",
"PHPSESSID": "d9lg9j3baj27r8tv3faug2nti6"
}
}
}
I set the cookies manually and also set `exclude_path_patterns`
so that the session stays valid during the scan.
The scan report (JSON):
{
"version" : "2.0dev",
"seed" : "78f2e978261faf552e2fcd47a1dab989",
"options" : {
"session" : {},
"http" : {
"user_agent" : "Arachni/v2.0dev",
"request_timeout" : 10000,
"request_redirect_limit" : 5,
"request_concurrency" : 20,
"request_queue_size" : 100,
"request_headers" : {},
"response_max_size" : 500000,
"cookies" : {
"security" : "low",
"PHPSESSID" : "d9lg9j3baj27r8tv3faug2nti6"
},
"authentication_type" : "auto"
},
"input" : {
"values" : {},
"default_values" : {
"name" : "arachni_name",
"user" : "arachni_user",
"usr" : "arachni_user",
"pass" : "5543!%arachni_secret",
"txt" : "arachni_text",
"num" : "132",
"amount" : "100",
"mail" : "arachni@email.gr",
"account" : "12",
"id" : "1"
},
"without_defaults" : false,
"force" : false
},
"scope" : {
"redundant_path_patterns" : {},
"dom_depth_limit" : 5,
"exclude_file_extensions" : [],
"exclude_path_patterns" : [
"logout",
"security",
"login",
"setup"
],
"exclude_content_patterns" : [],
"include_path_patterns" : [],
"restrict_paths" : [],
"extend_paths" : [],
"url_rewrites" : {}
},
"datastore" : {
"report_path" : null,
"token" : "6705633931ca668bae835323a0f4c949"
},
"browser_cluster" : {
"local_storage" : {},
"wait_for_elements" : {},
"pool_size" : 6,
"job_timeout" : 10,
"worker_time_to_live" : 100,
"ignore_images" : false,
"screen_width" : 1600,
"screen_height" : 1200
},
"audit" : {
"parameter_values" : true,
"exclude_vector_patterns" : [],
"include_vector_patterns" : [],
"link_templates" : [],
"links" : true,
"forms" : true,
"cookies" : false,
"headers" : false,
"jsons" : true,
"xmls" : true,
"ui_inputs" : true,
"ui_forms" : true
},
"checks" : [
"xss_tag",
"xss_dom",
"xss_path",
"xss_script_context",
"xss_event",
"xss",
"xss_dom_script_context"
],
"platforms" : [],
"plugins" : {},
"no_fingerprinting" : false,
"authorized_by" : null,
"url" : "http://172.16.1.112/dvwa/vulnerabilities"
},
"sitemap" : {
"http://172.16.1.112/dvwa/vulnerabilities" : 301,
"http://172.16.1.112/dvwa/vulnerabilities/" : 200,
"http://172.16.1.112/dvwa/vulnerabilities/?C=N;O=D" : 200,
"http://172.16.1.112/dvwa/vulnerabilities/?C=S;O=A" : 200,
"http://172.16.1.112/dvwa/vulnerabilities/?C=D;O=A" : 200,
"http://172.16.1.112/dvwa/vulnerabilities/?C=M;O=A" : 200,
"http://172.16.1.112/dvwa/" : 302,
"http://172.16.1.112/dvwa/vulnerabilities/brute/" : 200,
"http://172.16.1.112/dvwa/vulnerabilities/captcha/" : 200,
"http://172.16.1.112/dvwa/vulnerabilities/csrf/" : 200,
"http://172.16.1.112/dvwa/vulnerabilities/exec/" : 200,
"http://172.16.1.112/dvwa/vulnerabilities/fi/" : 302,
"http://172.16.1.112/dvwa/vulnerabilities/sqli/" : 200,
"http://172.16.1.112/dvwa/vulnerabilities/view_source.php" : 302,
"http://172.16.1.112/dvwa/vulnerabilities/xss_r/" : 302,
"http://172.16.1.112/dvwa/vulnerabilities/xss_s/" : 302,
"http://172.16.1.112/dvwa/dvwa/css/main.css" : 200,
"http://172.16.1.112/dvwa/favicon.ico" : 200,
"http://172.16.1.112/dvwa/vulnerabilities/sqli_blind/" : 302,
"http://172.16.1.112/dvwa/vulnerabilities/upload/" : 302,
"http://172.16.1.112/dvwa/vulnerabilities/view_help.php" : 302,
"http://172.16.1.112/dvwa/vulnerabilities/view_source_all.php" : 302,
"http://172.16.1.112/dvwa/vulnerabilities/fi/?page=include.php" : 302,
"http://172.16.1.112/dvwa/dvwa/js/dvwaPage.js" : 200,
"http://172.16.1.112/dvwa/phpinfo.php" : 302,
"http://172.16.1.112/dvwa/about.php" : 200,
"http://172.16.1.112/dvwa/instructions.php" : 200,
"http://172.16.1.112/dvwa/instructions.php?doc=PHPIDS-license" : 200,
"http://172.16.1.112/dvwa/docs/DVWA_v1.3.pdf" : 200,
"http://172.16.1.112/dvwa/instructions.php?doc=readme" : 200,
"http://172.16.1.112/dvwa/instructions.php?doc=PDF" : 200,
"http://172.16.1.112/dvwa/instructions.php?doc=changelog" : 200,
"http://172.16.1.112/dvwa/instructions.php?doc=copying" : 200
},
"start_datetime" : "2016-09-29 10:50:28 +0800",
"finish_datetime" : "2016-09-29 10:50:44 +0800",
"delta_time" : "00:00:16",
"issues" : [],
"plugins" : {}
}
The report shows no issues, but that is not correct: I have confirmed that the following URLs are vulnerable to XSS.
http://172.16.1.112/dvwa/vulnerabilities/xss_r/
http://172.16.1.112/dvwa/vulnerabilities/xss_s/
I also noticed something strange in the sitemap: the response code for these URLs is 302 during the crawl, while it is 200 when I access the pages directly.
"http://172.16.1.112/dvwa/vulnerabilities/xss_r/" : 302,
"http://172.16.1.112/dvwa/vulnerabilities/xss_s/" : 302,
I then scanned one of the URLs on its own to check whether Arachni can find the XSS.
Scan configuration, where I set `page_limit`
to 1:
POST http://172.16.1.111/scans
{
"url": "http://172.16.1.112/dvwa/vulnerabilities/xss_r/",
"checks": [
"xss*"
],
"audit": {
"links": true,
"forms": true,
"cookies": false,
"headers": false,
"jsons": true,
"xmls": true,
"ui_inputs": true,
"ui_forms": true
},
"scope": {
"page_limit": 1,
"exclude_path_patterns": ["logout", "security", "login", "setup"]
},
"http": {
"cookies": {
"security": "low",
"PHPSESSID": "d9lg9j3baj27r8tv3faug2nti6"
}
}
}
Scan report (I removed some parts to make the report more readable):
{
"version" : "2.0dev",
"seed" : "654371aeb2ecfcccdf64450ddf74f6d8",
"options" : {
"session" : {},
"http" : {
"user_agent" : "Arachni/v2.0dev",
"request_timeout" : 10000,
"request_redirect_limit" : 5,
"request_concurrency" : 20,
"request_queue_size" : 100,
"request_headers" : {},
"response_max_size" : 500000,
"cookies" : {
"security" : "low",
"PHPSESSID" : "d9lg9j3baj27r8tv3faug2nti6"
},
"authentication_type" : "auto"
},
"input" : {
"values" : {},
"default_values" : {
"name" : "arachni_name",
"user" : "arachni_user",
"usr" : "arachni_user",
"pass" : "5543!%arachni_secret",
"txt" : "arachni_text",
"num" : "132",
"amount" : "100",
"mail" : "arachni@email.gr",
"account" : "12",
"id" : "1"
},
"without_defaults" : false,
"force" : false
},
"scope" : {
"redundant_path_patterns" : {},
"dom_depth_limit" : 5,
"exclude_file_extensions" : [],
"exclude_path_patterns" : [
"logout",
"security",
"login",
"setup"
],
"exclude_content_patterns" : [],
"include_path_patterns" : [],
"restrict_paths" : [],
"extend_paths" : [],
"url_rewrites" : {},
"page_limit" : 1
},
"datastore" : {
"report_path" : null,
"token" : "45b78c8c3a7ebca90127a7fdef17fbac"
},
"browser_cluster" : {
"local_storage" : {},
"wait_for_elements" : {},
"pool_size" : 6,
"job_timeout" : 10,
"worker_time_to_live" : 100,
"ignore_images" : false,
"screen_width" : 1600,
"screen_height" : 1200
},
"audit" : {
"parameter_values" : true,
"exclude_vector_patterns" : [],
"include_vector_patterns" : [],
"link_templates" : [],
"links" : true,
"forms" : true,
"cookies" : false,
"headers" : false,
"jsons" : true,
"xmls" : true,
"ui_inputs" : true,
"ui_forms" : true
},
"checks" : [
"xss_tag",
"xss_dom",
"xss_path",
"xss_script_context",
"xss_event",
"xss",
"xss_dom_script_context"
],
"platforms" : [],
"plugins" : {},
"no_fingerprinting" : false,
"authorized_by" : null,
"url" : "http://172.16.1.112/dvwa/vulnerabilities/xss_r/"
},
"sitemap" : {
"http://172.16.1.112/dvwa/vulnerabilities/xss_r/" : 200
},
"start_datetime" : "2016-09-29 11:26:06 +0800",
"finish_datetime" : "2016-09-29 11:26:17 +0800",
"delta_time" : "00:00:10",
"issues" : [
{
"name" : "Cross-Site Scripting (XSS) in script context",
"description" : "...",
"references" : {
},
"tags" : [
"xss",
"script",
"dom",
"injection"
],
"cwe" : 79,
"severity" : "high",
"remedy_guidance" : "...",
"check" : {
"name" : "XSS in script context",
"description" : "\nInjects JS taint code and check to see if it gets executed as proof of vulnerability.\n",
"elements" : [
"form",
"link",
"cookie",
"header",
"link_template"
],
"author" : "Tasos \"Zapotek\" Laskos <tasos.laskos@arachni-scanner.com> ",
"version" : "0.2.5",
"shortname" : "xss_script_context"
},
"vector" : {
"class" : "Arachni::Element::Form",
"type" : "form",
"url" : "http://172.16.1.112/dvwa/vulnerabilities/xss_r/",
"source" : "<form name=\"XSS\" action=\"#\" method=\"GET\">\n <input type=\"text\" name=\"name\">\n </input>\n <input type=\"submit\" value=\"Submit\">\n </input>\n</form>",
"inputs" : {
"name" : "</script><script>window.top._arachni_js_namespace_taint_tracer.log_execution_flow_sink()</script>"
},
"raw_inputs" : [],
"default_inputs" : {
"name" : ""
},
"action" : "http://172.16.1.112/dvwa/vulnerabilities/xss_r/",
"method" : "get",
"affected_input_name" : "name",
"affected_input_value" : "</script><script>window.top._arachni_js_namespace_taint_tracer.log_execution_flow_sink()</script>",
"seed" : "</script><script>window.top._arachni_js_namespace_taint_tracer.log_execution_flow_sink()</script>"
},
"proof" : "</script><script>window.top._arachni_js_namespace_taint_tracer.log_execution_flow_sink()</script>",
"referring_page" : {
"body" : "...",
"dom" : {
"url" : "http://172.16.1.112/dvwa/vulnerabilities/xss_r/",
"transitions" : [],
"digest" : null,
"data_flow_sinks" : [],
"execution_flow_sinks" : []
}
},
"platform_name" : null,
"platform_type" : null,
"page" : {
"body" : "...",
"dom" : {
"url" : "http://172.16.1.112/dvwa/vulnerabilities/xss_r/?name=%3C/script%3E%3Cscript%3Ewindow.top._arachni_js_namespace_taint_tracer.log_execution_flow_sink()%3C/script%3E",
"transitions" : [
{
"element" : "page",
"event" : "load",
"options" : {
"url" : "http://172.16.1.112/dvwa/vulnerabilities/xss_r/?name=%3C/script%3E%3Cscript%3Ewindow.top._arachni_js_namespace_taint_tracer.log_execution_flow_sink()%3C/script%3E",
"cookies" : {}
},
"time" : 0.462338063
},
{
"element" : "http://172.16.1.112/dvwa/vulnerabilities/xss_r/?name=%3C/script%3E%3Cscript%3Ewindow.top._arachni_js_namespace_taint_tracer.log_execution_flow_sink()%3C/script%3E",
"event" : "request",
"options" : {},
"time" : 0.100021394
}
],
"digest" : null,
"data_flow_sinks" : [],
"execution_flow_sinks" : [
{
"data" : [],
"trace" : [
{
"function" : {
"name" : "global code"
},
"line" : 93,
"url" : "http://172.16.1.112/dvwa/vulnerabilities/xss_r/?name=%3C/script%3E%3Cscript%3Ewindow.top._arachni_js_namespace_taint_tracer.log_execution_flow_sink()%3C/script%3E"
}
]
}
]
}
},
"remarks" : {},
"trusted" : true,
"cwe_url" : "http://cwe.mitre.org/data/definitions/79.html",
"digest" : 733435024,
"response" : {
"headers" : {
"Date" : "Thu, 29 Sep 2016 03:26:09 GMT",
"Server" : "Apache/2.4.23 (Unix) OpenSSL/1.0.2h PHP/5.6.24 mod_perl/2.0.8-dev Perl/v5.16.3",
"X-Powered-By" : "PHP/5.6.24",
"Expires" : "Tue, 23 Jun 2009 12:00:00 GMT",
"Cache-Control" : "no-cache, must-revalidate",
"Pragma" : "no-cache",
"Content-Length" : "6812",
"Content-Type" : "text/html;charset=utf-8"
},
"url" : "http://172.16.1.112/dvwa/vulnerabilities/xss_r/?name=%3C/script%3E%3Cscript%3Ewindow.top._arachni_js_namespace_taint_tracer.log_execution_flow_sink()%3C/script%3E",
"code" : 200,
"ip_address" : "172.16.1.112",
"headers_string" : "HTTP/1.1 200 OK\r\nDate: Thu, 29 Sep 2016 03:26:09 GMT\r\nServer: Apache/2.4.23 (Unix) OpenSSL/1.0.2h PHP/5.6.24 mod_perl/2.0.8-dev Perl/v5.16.3\r\nX-Powered-By: PHP/5.6.24\r\nExpires: Tue, 23 Jun 2009 12:00:00 GMT\r\nCache-Control: no-cache, must-revalidate\r\nPragma: no-cache\r\nContent-Length: 5064\r\nContent-Type: text/html;charset=utf-8\r\n\r\n",
"body" : "...",
"time" : 0.004459,
"total_time" : 0.004459,
"return_code" : "ok",
"return_message" : "No error"
},
"request" : {
"url" : "http://172.16.1.112/dvwa/vulnerabilities/xss_r/?name=%3C/script%3E%3Cscript%3Ewindow.top._arachni_js_namespace_taint_tracer.log_execution_flow_sink()%3C/script%3E",
"parameters" : {},
"headers" : {
"Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"User-Agent" : "Mozilla/5.0 AppleWebKit/538.1 (KHTML, like Gecko) Arachni/2.0dev Safari/538.1",
"Cookie" : "security=low; PHPSESSID=d9lg9j3baj27r8tv3faug2nti6",
"Accept-Language" : "zh-CN,en,*",
"Host" : "172.16.1.112"
},
"headers_string" : null,
"effective_body" : null,
"body" : "",
"method" : "get"
}
},
{
"name" : "Cross-Site Scripting (XSS)",
"description" : "...",
"references" : {
},
"tags" : [
"xss",
"regexp",
"injection",
"script"
],
"cwe" : 79,
"severity" : "high",
"remedy_guidance" : "...",
"check" : {
"name" : "XSS",
"description" : "\nInjects an HTML element into page inputs and then parses the HTML markup of\ntainted responses to look for proof of vulnerability.\n",
"elements" : [
"form",
"link",
"cookie",
"header",
"link_template"
],
"author" : "Tasos \"Zapotek\" Laskos <tasos.laskos@arachni-scanner.com> ",
"version" : "0.4.9",
"shortname" : "xss"
},
"vector" : {
"class" : "Arachni::Element::Form",
"type" : "form",
"url" : "http://172.16.1.112/dvwa/vulnerabilities/xss_r/",
"source" : "<form name=\"XSS\" action=\"#\" method=\"GET\">\n <input type=\"text\" name=\"name\">\n </input>\n <input type=\"submit\" value=\"Submit\">\n </input>\n</form>",
"inputs" : {
"name" : "arachni_name<xss_654371aeb2ecfcccdf64450ddf74f6d8/>"
},
"raw_inputs" : [],
"default_inputs" : {
"name" : ""
},
"action" : "http://172.16.1.112/dvwa/vulnerabilities/xss_r/",
"method" : "get",
"affected_input_name" : "name",
"affected_input_value" : "arachni_name<xss_654371aeb2ecfcccdf64450ddf74f6d8/>",
"seed" : "<xss_654371aeb2ecfcccdf64450ddf74f6d8/>"
},
"proof" : "<xss_654371aeb2ecfcccdf64450ddf74f6d8/>",
"referring_page" : {
"body" : "...",
"dom" : {
"url" : "http://172.16.1.112/dvwa/vulnerabilities/xss_r/",
"transitions" : [],
"digest" : null,
"data_flow_sinks" : [],
"execution_flow_sinks" : []
}
},
"platform_name" : null,
"platform_type" : null,
"page" : {
"body" : "...",
"dom" : {
"url" : "http://172.16.1.112/dvwa/vulnerabilities/xss_r/?name=arachni_name%3Cxss_654371aeb2ecfcccdf64450ddf74f6d8/%3E",
"transitions" : [],
"digest" : null,
"data_flow_sinks" : [],
"execution_flow_sinks" : []
}
},
"remarks" : {},
"trusted" : true,
"cwe_url" : "http://cwe.mitre.org/data/definitions/79.html",
"digest" : 3432277987,
"response" : {
"headers" : {
"Date" : "Thu, 29 Sep 2016 03:26:09 GMT",
"Server" : "Apache/2.4.23 (Unix) OpenSSL/1.0.2h PHP/5.6.24 mod_perl/2.0.8-dev Perl/v5.16.3",
"X-Powered-By" : "PHP/5.6.24",
"Expires" : "Tue, 23 Jun 2009 12:00:00 GMT",
"Cache-Control" : "no-cache, must-revalidate",
"Pragma" : "no-cache",
"Content-Length" : "5018",
"Content-Type" : "text/html;charset=utf-8"
},
"url" : "http://172.16.1.112/dvwa/vulnerabilities/xss_r/?name=arachni_name%3Cxss_654371aeb2ecfcccdf64450ddf74f6d8/%3E",
"code" : 200,
"ip_address" : "172.16.1.112",
"headers_string" : "HTTP/1.1 200 OK\r\nDate: Thu, 29 Sep 2016 03:26:09 GMT\r\nServer: Apache/2.4.23 (Unix) OpenSSL/1.0.2h PHP/5.6.24 mod_perl/2.0.8-dev Perl/v5.16.3\r\nX-Powered-By: PHP/5.6.24\r\nExpires: Tue, 23 Jun 2009 12:00:00 GMT\r\nCache-Control: no-cache, must-revalidate\r\nPragma: no-cache\r\nContent-Length: 5018\r\nContent-Type: text/html;charset=utf-8\r\n\r\n",
"body" : "...",
"time" : 0.004533,
"app_time" : 0.004164,
"total_time" : 0.004533,
"return_code" : "ok",
"return_message" : "No error"
},
"request" : {
"url" : "http://172.16.1.112/dvwa/vulnerabilities/xss_r/",
"parameters" : {
"name" : "arachni_name<xss_654371aeb2ecfcccdf64450ddf74f6d8/>"
},
"headers" : {
"Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"User-Agent" : "Arachni/v2.0dev",
"Accept-Language" : "en-US,en;q=0.8,he;q=0.6",
"X-Arachni-Scan-Seed" : "654371aeb2ecfcccdf64450ddf74f6d8",
"Cookie" : "security=low;PHPSESSID=d9lg9j3baj27r8tv3faug2nti6"
},
"headers_string" : "GET /dvwa/vulnerabilities/xss_r/?name=arachni_name%3Cxss_654371aeb2ecfcccdf64450ddf74f6d8%2F%3E HTTP/1.1\r\nHost: 172.16.1.112\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Arachni/v2.0dev\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.8,he;q=0.6\r\nX-Arachni-Scan-Seed: 654371aeb2ecfcccdf64450ddf74f6d8\r\nCookie: security=low;PHPSESSID=d9lg9j3baj27r8tv3faug2nti6\r\n\r\n",
"effective_body" : null,
"body" : null,
"method" : "get"
}
}
],
"plugins" : {}
}
It shows two XSS issues, and the URL's response code is 200 in the sitemap.
"sitemap" : {
"http://172.16.1.112/dvwa/vulnerabilities/xss_r/" : 200
}
So why is the response code different (302 vs 200) for the same URL, and why can Arachni not find the XSS when it reaches the page by crawling?
Is something going wrong while Arachni crawls the page?