No results against DVWA (Damn Vulnerable Web Application) and Mutillidae

cetomevy's Avatar

cetomevy

29 Apr, 2014 05:19 PM

Hello,

I'm using Arachni v0.4.6 and WebUI version v.0.4.3.

I'm trying Arachni against DVWA (Damn Vulnerable Web Application) and Mutillidae, but Arachni detect no vulnerabilities. This is not normal because DVWA and Mutillidae are two vulnerable web app.

Thanks in advance.

  1. Support Staff 1 Posted by Tasos Laskos on 30 Apr, 2014 02:33 AM

    Tasos Laskos's Avatar

    Hi,

    Have you configured Arachni to login to these web applications?

  2. 2 Posted by cetomevy on 30 Apr, 2014 05:27 PM

    cetomevy's Avatar

    Hi,

    Yes, I have configured Arachni with these parameters :
    - I created a Profile from Default profile - I put into Exclude section : *logout.php - I put into Cookies section : security=low; PHPSESSID=iigcl7camrmjcg0rsjdihr9t22 - I check Fuzz methods:Audits elements with both GET and POST requests.

  3. Support Staff 3 Posted by Tasos Laskos on 30 Apr, 2014 05:59 PM

    Tasos Laskos's Avatar

    Problem is that with those sites you must be very familiar with both the scanner you're configuring and the web application.

    You'll also have to exclude the resource that sets the security level along with any other settings that may affect the integrity of the scan.
    In addition, you'll also need to ensure that the session cookie you provided is still valid.

    If you want to test a scanner you better use something like WAVSEP, siites like DVWA are aimed towards users, not scanners, and as such are pretty much always a PITA to configure for an automated scan.

  4. 4 Posted by cetomevy on 30 Apr, 2014 06:18 PM

    cetomevy's Avatar

    I change in my configuration the cookie to be valid when scanning.
    During the scan, DVWA is configured with low security level.

    I have used others scanners and they detect SQL injections. Arachni seems to be a good product, is for this reason that I would try to run it against DVWA.

    Thanks in advance.

  5. Support Staff 5 Posted by Tasos Laskos on 30 Apr, 2014 06:27 PM

    Tasos Laskos's Avatar

    Arachni could be changing the security level during the scan as part of the fuzzing process. I'll have a look at it to make sure nothing is wrong in Arachni and get back to you.

    Cheers

  6. 6 Posted by cetomevy on 09 May, 2014 04:56 PM

    cetomevy's Avatar

    Hello,

    I have found the solution. The problem comes from incorrect configurations of Exclude, AutoLogin and Login Check. But there is a little bug when you use AutoLogin. The bug is, when you use AutoLogin, if you don’t put the last “/” at the end of URL, AutoLogin fails.
    Exemple :
    http://www.victim.tld/dvwa -> fail
    http://www.victim.tld/dvwa/ -> success

    With correct configurations, Arachni runs very well, it finds vulnerabilities, it’s cool.

    Regards.

  7. Support Staff 7 Posted by Tasos Laskos on 09 May, 2014 05:06 PM

    Tasos Laskos's Avatar

    That's good news.

    I wouldn't call that a bug though, the difference is important. Without a trailing slash it means that dvwa is the resource that contains the login form, with it it means that it's a directory and the server thus sends in the default handler.

    Since everything turned out fine I'll close this ticket, feel free to re-open if you need further assistance on the matter.

    Cheers

  8. Tasos Laskos closed this discussion on 09 May, 2014 05:06 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac