Arachni - Web Application Security Scanner Framework / arachni / Issues / #910
Closed
Issue created Aug 25, 2017 by Administrator (@root)

Inconsistent crawler and CSRF results

Created by: bjasspa


To reproduce:

  1. In the submitted crawler_bug.zip copy the crawl folder into an IIS server with classic ASP enabled and check that the test site (i.e. https:///crawl/atest2.asp) works okay.

  2. Run arachni with the test site URL and using the Crawl_profile.afp included in the zip file - see Crawl_run.bat for an example of how I have been running Arachni. Store the results.

  3. Edit the atest2.asp page and change the order of the links, i.e. change:

Response.Write " <a href=""atest2b.asp"">Nonce broken Name</a> "
Response.Write " <a href=""atest2b2.asp"">Nonce broken Email</a> "
Response.Write " <a href=""atest2d.asp"">Nonce right Name</a> "
Response.Write " <a href=""atest2d2.asp"">Nonce right Email</a> "
Response.Write " <a href=""atest2s.asp"">Session based Name</a> "
Response.Write " <a href=""atest2s2.asp"">Session based Email</a> "

To say:

Response.Write " <a href=""atest2d.asp"">Nonce right Name</a> "
Response.Write " <a href=""atest2d2.asp"">Nonce right Email</a> "
Response.Write " <a href=""atest2s.asp"">Session based Name</a> "
Response.Write " <a href=""atest2s2.asp"">Session based Email</a> "
Response.Write " <a href=""atest2b.asp"">Nonce broken Name</a> "
Response.Write " <a href=""atest2b2.asp"">Nonce broken Email</a> "

And rerun.

  4. Compare the results - the order of the links seems to affect not only the number of CSRF issues found but also the sitemap, i.e. the files found by the crawler.

For example when changed to:

Response.Write " <a href=""atest2d.asp"">Nonce right Name</a> "
Response.Write " <a href=""atest2d2.asp"">Nonce right Email</a> "
Response.Write " <a href=""atest2b.asp"">Nonce broken Name</a> "
Response.Write " <a href=""atest2b2.asp"">Nonce broken Email</a> "
Response.Write " <a href=""atest2s.asp"">Session based Name</a> "
Response.Write " <a href=""atest2s2.asp"">Session based Email</a> "

The crawler fails to find the crawl/setNameBEx.asp file but does identify a CSRF issue with crawl/setNameS2Ex.asp (but not with crawl/setNameSEx.asp which has the same issue).

If Arachni was to function perfectly, given it does not verify the anti-CSRF token is actually used (purpose of 'Nonce broken Name' & 'Nonce broken Email' pages), Arachni should find all 14 files and report CSRF issues with the 2 'Session based' links. And the order of the links would make no difference!

crawler_bug.zip
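The two expectations stated in the report (the crawler's sitemap must not depend on link order, and a CSRF check that only looks for a token-shaped hidden field will miss the "Nonce broken" pages) can be shown with a small in-memory model. The following is an added example, not code from the issue, the attached zip, or Arachni itself: the site graph is constructed from the page names in the report, the handler names other than setNameBEx.asp, setNameSEx.asp and setNameS2Ex.asp are assumptions, and so are the token value and which handlers enforce it. It runs a set-based BFS crawl over two link orderings and compares a passive token-presence check against an active check that resubmits each form with a bogus token and observes whether the handler still accepts it.

```python
import re
from collections import deque

# Constructed stand-in for the atest2.asp test site described in the report. Only
# setNameBEx.asp, setNameSEx.asp and setNameS2Ex.asp are named there; the other
# handler names, the token value and which handlers enforce it are assumptions.
TOKEN_VALUE = "abc123"
TOKEN = f'<input type="hidden" name="nonce" value="{TOKEN_VALUE}">'
FORM = ('<form method="post" action="{action}">{hidden}'
        '<input name="{field}"><input type="submit"></form>')

LINK_PAGES = {
    "atest2b.asp":  FORM.format(action="setNameBEx.asp",  hidden=TOKEN, field="name"),
    "atest2b2.asp": FORM.format(action="setNameB2Ex.asp", hidden=TOKEN, field="email"),
    "atest2d.asp":  FORM.format(action="setNameDEx.asp",  hidden=TOKEN, field="name"),
    "atest2d2.asp": FORM.format(action="setNameD2Ex.asp", hidden=TOKEN, field="email"),
    "atest2s.asp":  FORM.format(action="setNameSEx.asp",  hidden="",    field="name"),
    "atest2s2.asp": FORM.format(action="setNameS2Ex.asp", hidden="",    field="email"),
}
# Assumed server behaviour: "checks" enforces the token, "ignores" carries it but
# never validates it (the "Nonce broken" case), "none" relies on the session only.
HANDLERS = {
    "setNameBEx.asp": "ignores", "setNameB2Ex.asp": "ignores",
    "setNameDEx.asp": "checks",  "setNameD2Ex.asp": "checks",
    "setNameSEx.asp": "none",    "setNameS2Ex.asp": "none",
}
ORDER_ORIGINAL = ["atest2b.asp", "atest2b2.asp", "atest2d.asp",
                  "atest2d2.asp", "atest2s.asp", "atest2s2.asp"]
ORDER_SWAPPED = ["atest2d.asp", "atest2d2.asp", "atest2b.asp",
                 "atest2b2.asp", "atest2s.asp", "atest2s2.asp"]

def build_site(link_order):
    """Return {url: html}; atest2.asp links to the six pages in the given order."""
    site = {"atest2.asp": " ".join(f'<a href="{p}">{p}</a>' for p in link_order)}
    site.update(LINK_PAGES)
    site.update({h: "<p>ok</p>" for h in HANDLERS})
    return site

def submit(action, fields):
    """Constructed server side: True when the handler accepts the submission."""
    if HANDLERS[action] == "checks":
        return fields.get("nonce") == TOKEN_VALUE
    return True

LINK_RE = re.compile(r'href="([^"]+)"')
FORM_RE = re.compile(r'<form[^>]*action="([^"]+)"[^>]*>(.*?)</form>', re.S)
INPUT_RE = re.compile(r"<input([^>]*)>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
TOKEN_NAME_RE = re.compile(r"nonce|token|csrf", re.I)

def parse_forms(html):
    """Yield (action, {field: value}) for every form in the page."""
    forms = []
    for action, body in FORM_RE.findall(html):
        fields = {}
        for attrs in INPUT_RE.findall(body):
            a = dict(ATTR_RE.findall(attrs))
            if "name" in a:
                fields[a["name"]] = a.get("value", "")
        forms.append((action, fields))
    return forms

def crawl(site, start="atest2.asp"):
    """BFS over links and form actions; the seen-set makes the result order-independent."""
    seen, queue = {start}, deque([start])
    while queue:
        html = site.get(queue.popleft(), "")
        for nxt in LINK_RE.findall(html) + [a for a, _ in parse_forms(html)]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return frozenset(seen)

def passive_flag(fields):
    """Token-presence check only: flags a form with no token-like field."""
    return not any(TOKEN_NAME_RE.search(n) for n in fields)

def active_flag(action, fields):
    """Resubmit with a bogus token; acceptance means the token is not enforced."""
    tampered = {n: ("bogus" if TOKEN_NAME_RE.search(n) else v) for n, v in fields.items()}
    return submit(action, tampered)

def scan(site, start="atest2.asp"):
    """Map each form action to both verdicts, iterating the sitemap in sorted order."""
    results = {}
    for url in sorted(crawl(site, start)):
        for action, fields in parse_forms(site.get(url, "")):
            results[action] = {"passive": passive_flag(fields),
                               "active": active_flag(action, fields)}
    return results

if __name__ == "__main__":
    for order in (ORDER_ORIGINAL, ORDER_SWAPPED):
        site = build_site(order)
        print(len(crawl(site)), "urls;", scan(site))
```

With a set-backed frontier both orderings yield the same 13-URL sitemap and the same verdicts. The passive verdict flags only the two "Session based" handlers, which is exactly the report's description of what the scanner can be expected to find; the active verdict additionally flags the two "Nonce broken" handlers, because their token is carried but never checked. Which of the two a scanner implements determines the expected count, but neither should vary with link order.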
