tag:support.arachni-scanner.com,2012-07-01:/discussions/problems/1399-no-results-against-dvwa-damn-vulnerable-web-application-and-mutillidaeArachni: Discussion 2014-05-09T17:06:35Ztag:support.arachni-scanner.com,2012-07-01:Comment/327636672014-04-30T02:33:11Z2014-04-30T02:33:11ZNo results against DVWA (Damn Vulnerable Web Application) and Mutillidae<div><p>Hi,</p>
<p>Have you configured Arachni to log in to these web
applications?</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/327636672014-04-30T17:27:11Z2014-04-30T17:27:13ZNo results against DVWA (Damn Vulnerable Web Application) and Mutillidae<div><p>Hi,</p>
<p>Yes, I have configured Arachni with these parameters:<br>
- I created a Profile from the Default profile<br>
- I put into the Exclude section: *logout.php<br>
- I put into the Cookies section: security=low; PHPSESSID=iigcl7camrmjcg0rsjdihr9t22<br>
- I checked Fuzz methods: Audits elements with both GET and POST requests.</p></div>cetomevytag:support.arachni-scanner.com,2012-07-01:Comment/327636672014-04-30T17:59:13Z2014-04-30T17:59:13ZNo results against DVWA (Damn Vulnerable Web Application) and Mutillidae<div><p>The problem is that with those sites you must be very familiar with
both the scanner you're configuring and the web application.</p>
<p>You'll also have to exclude the resource that sets the security
level along with any other settings that may affect the integrity
of the scan.<br>
In addition, you'll also need to ensure that the session cookie you
provided is still valid.</p>
<p>If you want to test a scanner you'd better use something like
WAVSEP; sites like DVWA are aimed towards users, not scanners, and
as such are pretty much always a PITA to configure for an automated
scan.</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/327636672014-04-30T18:18:42Z2014-04-30T18:18:42ZNo results against DVWA (Damn Vulnerable Web Application) and Mutillidae<div><p>I changed the cookie in my configuration so that it is valid when
scanning.<br>
During the scan, DVWA is configured with the low security level.</p>
<p>I have used other scanners and they detect SQL injections.
Arachni seems to be a good product; it is for this reason that I would
like to try running it against DVWA.</p>
<p>Thanks in advance.</p></div>cetomevytag:support.arachni-scanner.com,2012-07-01:Comment/327636672014-04-30T18:27:28Z2014-04-30T18:27:28ZNo results against DVWA (Damn Vulnerable Web Application) and Mutillidae<div><p>Arachni could be changing the security level during the scan as
part of the fuzzing process. I'll have a look at it to make sure
nothing is wrong in Arachni and get back to you.</p>
<p>Cheers</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/327636672014-05-09T16:56:44Z2014-05-09T16:56:45ZNo results against DVWA (Damn Vulnerable Web Application) and Mutillidae<div><p>Hello,</p>
<p>I have found the solution. The problem comes from incorrect
configurations of Exclude, AutoLogin and Login Check. But there is
a little bug when you use AutoLogin. The bug is, when you use
AutoLogin, if you don’t put the last “/” at the
end of the URL, AutoLogin fails.<br>
Example:<br>
<a href="http://www.victim.tld/dvwa">http://www.victim.tld/dvwa</a>
-> fail<br>
<a href=
"http://www.victim.tld/dvwa/">http://www.victim.tld/dvwa/</a> ->
success</p>
<p>With correct configurations, Arachni runs very well; it finds
vulnerabilities, it’s cool.</p>
<p>Regards.</p></div>cetomevytag:support.arachni-scanner.com,2012-07-01:Comment/327636672014-05-09T17:06:32Z2014-05-09T17:06:32ZNo results against DVWA (Damn Vulnerable Web Application) and Mutillidae<div><p>That's good news.</p>
<p>I wouldn't call that a bug though, the difference is important.
Without a trailing slash it means that <code>dvwa</code> is the
resource that contains the login form; with it, it means that it's a
directory and the server thus sends in the default handler.</p>
<p>Since everything turned out fine I'll close this ticket, feel
free to re-open if you need further assistance on the matter.</p>
<p>Cheers</p></div>Tasos Laskos
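<p>The following is an added example, not Arachni's code and not something posted in this thread. It models, in plain Python, the three configuration points the thread turns on: keeping the logout resource and the security-level setter out of scope so the scan does not kill its own session or change the target's state, checking that the session is still valid against a marker in the page, and the trailing-slash distinction explained above, where a relative form action on the login page resolves to a different place for <code>/dvwa</code> than for <code>/dvwa/</code>. The exclusion patterns, the "Logout" marker, and every URL and HTML snippet are assumptions constructed for the example, not values taken from Arachni or DVWA.</p>

```python
"""
Added example, not Arachni's code and not from the thread. It models three
configuration points the thread turns on, against a DVWA-style target:

1. Scope exclusion: crawl candidates matching the logout resource and the
   resource that sets the security level are dropped, so the scan neither
   ends its own session nor changes the target's state mid-scan.
2. Login URL base: a relative form action resolves differently depending on
   whether the configured login URL ends in "/" (a directory served by the
   default handler) or not (a resource named "dvwa"), which is why the
   trailing slash decides whether AutoLogin posts to the right place.
3. Login check: the scanner needs a pattern that only appears while the
   session is valid; "Logout" is assumed here as that marker.

All URLs, paths and HTML snippets below are constructed for the example.
"""
import re
from urllib.parse import urljoin, urlsplit

# Assumed starting exclusion set for DVWA: logout.php ends the session,
# security.php changes the security level (both must stay out of scope).
EXCLUDE_PATTERNS = [
    re.compile(r"logout\.php", re.I),
    re.compile(r"security\.php", re.I),
]

# Assumed marker of a live session: a "Logout" link is only shown when logged in.
LOGIN_CHECK_PATTERN = re.compile(r"\bLogout\b")


def in_scope(url, patterns=EXCLUDE_PATTERNS):
    """True unless the URL's path or query matches an exclusion pattern."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return not any(p.search(target) for p in patterns)


def filter_crawl_queue(urls, patterns=EXCLUDE_PATTERNS):
    """Drop every crawl candidate that would alter the scan's own state."""
    return [u for u in urls if in_scope(u, patterns)]


def login_url_is_directory(login_url):
    """A login URL ending in '/' denotes a directory, not a resource."""
    return urlsplit(login_url).path.endswith("/")


def resolve_form_action(login_url, action):
    """Resolve a form's (possibly relative) action against the login page URL.

    RFC 3986 reference resolution discards the last segment of a base path
    that lacks a trailing slash, so "/dvwa" + "login.php" -> "/login.php",
    while "/dvwa/" + "login.php" -> "/dvwa/login.php".
    """
    return urljoin(login_url, action)


def session_is_valid(response_body, pattern=LOGIN_CHECK_PATTERN):
    """Login check: the session marker must be present in the fetched page."""
    return pattern.search(response_body) is not None


# Constructed crawl candidates, in the shape a DVWA crawl would produce.
SAMPLE_CRAWL = [
    "http://www.victim.tld/dvwa/index.php",
    "http://www.victim.tld/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit",
    "http://www.victim.tld/dvwa/security.php",
    "http://www.victim.tld/dvwa/logout.php",
]

# Constructed response bodies: one from inside a session, one from the login page.
LOGGED_IN_BODY = '<div class="menu"><a href="logout.php">Logout</a></div>'
LOGGED_OUT_BODY = '<form action="login.php" method="post"><input name="username"></form>'


if __name__ == "__main__":
    print("in scope:", filter_crawl_queue(SAMPLE_CRAWL))
    for base in ("http://www.victim.tld/dvwa", "http://www.victim.tld/dvwa/"):
        print(base, "is directory:", login_url_is_directory(base),
              "-> form posts to", resolve_form_action(base, "login.php"))
    print("session valid:", session_is_valid(LOGGED_IN_BODY),
          session_is_valid(LOGGED_OUT_BODY))
```

<p>Run as a script, the queue filter keeps only the index and the SQLi page, the form action for <code>/dvwa</code> lands on <code>/login.php</code> while <code>/dvwa/</code> lands on <code>/dvwa/login.php</code>, and the login check passes only for the body that carries the session marker. The same two checks are what to verify by hand before trusting an empty scan report: that nothing in scope logs you out or flips the security level, and that the cookie you supplied still yields the logged-in page.</p>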