[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.
[*] Initialising...
[~] AutoLogin: System paused.
[!] HTTP: ------------
[!] HTTP: Queued request.
[!] HTTP: ID#: 0
[!] HTTP: URL: https://10.10.10.1/console/j_security_check
[!] HTTP: Method: get
[!] HTTP: Params:
[!] HTTP: Headers: {"Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/v0.4.1.2"}
[!] HTTP: Train?: false
[!] HTTP: ------------
[*] Waiting for plugins to settle...
[!] HTTP: ------------
[!] HTTP: Got response for request ID#: 0
[!] HTTP: Status: 200
[!] HTTP: Error msg: No error
[!] HTTP: URL: https://10.10.10.1/console/j_security_check
[!] HTTP: Headers: HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=C444A5A461767318E9B356F3F5CA9648; Path=/; Secure
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 16:00:00 PST
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 15 Nov 2012 17:15:02 GMT
Server: TEC
[!] HTTP: Parsed headers: {"Set-Cookie"=>"JSESSIONID=C444A5A461767318E9B356F3F5CA9648; Path=/; Secure", "Pragma"=>"No-cache", "Cache-Control"=>"no-cache", "Expires"=>"Wed, 31 Dec 1969 16:00:00 PST", "Content-Type"=>"text/html;charset=UTF-8", "Transfer-Encoding"=>"chunked", "Date"=>"Thu, 15 Nov 2012 17:15:02 GMT", "Server"=>"TEC"}
[!] HTTP: ------------
[*] AutoLogin: Found log-in form with name:
[!] HTTP: ------------
[!] HTTP: Queued request.
[!] HTTP: ID#: 1
[!] HTTP: URL: https://10.10.10.1/console/j_security_check
[!] HTTP: Method: post
[!] HTTP: Params: {"loginCompId"=>"2", "j_username"=>"joebob", "j_password"=>"mypass", "locale"=>"en_US"}
[!] HTTP: Headers: {"Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/v0.4.1.2"}
[!] HTTP: Train?: false
[!] HTTP: ------------
[!] HTTP: ------------
[!] HTTP: Got response for request ID#: 1
[!] HTTP: Status: 302
[!] HTTP: Error msg: No error
[!] HTTP: URL: https://10.10.10.1/console/j_security_check
[!] HTTP: Headers: HTTP/1.1 302 Moved Temporarily
Set-Cookie: JSESSIONID=2983620CCD7B79C3EA8D8E0EB4D39476; Path=/; Secure
Set-Cookie: localeId=en_US; Expires=Wed, 10-Nov-2032 17:15:02 GMT; Path=/
Location: https://10.10.10.1/console/app.showApp.cmd;jsessionid=2983620CCD7B79C3EA8D8E0EB4D39476
Content-Length: 0
Date: Thu, 15 Nov 2012 17:15:02 GMT
Server: TEC
[!] HTTP: Parsed headers: {"Set-Cookie"=>["JSESSIONID=2983620CCD7B79C3EA8D8E0EB4D39476; Path=/; Secure", "localeId=en_US; Expires=Wed, 10-Nov-2032 17:15:02 GMT; Path=/"], "Location"=>"https://10.10.10.1/console/app.showApp.cmd;jsessionid=2983620CCD7B79C3EA8D8E0EB4D39476", "Content-Length"=>"0", "Date"=>"Thu, 15 Nov 2012 17:15:02 GMT", "Server"=>"TEC"}
[!] HTTP: ------------
[!] HTTP: ------------
[!] HTTP: Queued request.
[!] HTTP: ID#: 2
[!] HTTP: URL: https://10.10.10.1/console/app.showApp.cmd;jsessionid=2983620CCD7B79C3EA8D8E0EB4D39476
[!] HTTP: Method: get
[!] HTTP: Params:
[!] HTTP: Headers: {"Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/v0.4.1.2", "Cookie"=>"JSESSIONID=2983620CCD7B79C3EA8D8E0EB4D39476;localeId=en_US"}
[!] HTTP: Train?: false
[!] HTTP: ------------
[!] HTTP: ------------
[!] HTTP: Got response for request ID#: 2
[!] HTTP: Status: 200
[!] HTTP: Error msg: No error
[!] HTTP: URL: https://10.10.10.1/console/app.showApp.cmd;jsessionid=2983620CCD7B79C3EA8D8E0EB4D39476
[!] HTTP: Headers: HTTP/1.1 200 OK
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 16:00:00 PST
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 15 Nov 2012 17:15:02 GMT
Server: TEC
[!] HTTP: Parsed headers: {"Pragma"=>"No-cache", "Cache-Control"=>"no-cache", "Expires"=>"Wed, 31 Dec 1969 16:00:00 PST", "Content-Type"=>"text/html;charset=UTF-8", "Transfer-Encoding"=>"chunked", "Date"=>"Thu, 15 Nov 2012 17:15:02 GMT", "Server"=>"TEC"}
[!] HTTP: ------------
[+] AutoLogin: Form submitted successfully.
[~] AutoLogin: Cookies set to:
[~] AutoLogin: * JSESSIONID = 2983620CCD7B79C3EA8D8E0EB4D39476
[~] AutoLogin: * localeId = en_US
[!] HTTP: ------------
[!] HTTP: Queued request.
[!] HTTP: ID#: 3
[!] HTTP: URL: https://10.10.10.1/
[!] HTTP: Method: get
[!] HTTP: Params:
[!] HTTP: Headers: {"Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/v0.4.1.2", "Cookie"=>"JSESSIONID=2983620CCD7B79C3EA8D8E0EB4D39476;localeId=en_US"}
[!] HTTP: Train?: false
[!] HTTP: ------------
[!] HTTP: Got response for request ID#: 3
[!] HTTP: Status: 302
[!] HTTP: Error msg: No error
[!] HTTP: URL: https://10.10.10.1/
[!] HTTP: Headers: HTTP/1.1 302 Moved Temporarily
Location: https://10.10.10.1/console/app.showApp.cmd
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Date: Thu, 15 Nov 2012 17:15:02 GMT
Server: TEC
[!] HTTP: Parsed headers: {"Location"=>"https://10.10.10.1/console/app.showApp.cmd", "Content-Type"=>"text/html;charset=UTF-8", "Content-Length"=>"0", "Date"=>"Thu, 15 Nov 2012 17:15:02 GMT", "Server"=>"TEC"}
[!] HTTP: ------------
[!]
[!] Waiting on the following (10) plugins to finish:
[!] autologin, healthmap, autothrottle, content_types, profiler, resolver, timing_attacks, manual_verification, discovery, uniformity
[!]
[*] Resolver: Resolving hostnames...
[*] Resolver: Done!
[!]
[!] Waiting on the following (8) plugins to finish:
[!] healthmap, content_types, profiler, resolver, timing_attacks, manual_verification, discovery, uniformity
[!]
[*] Dumping audit results in '2012-11-15 09.14.48 -0800.afr'.
[*] Done!
================================================================================
[+] Web Application Security Report - Arachni Framework
[~] Report generated on: 2012-11-15 09:14:48 -0800
[~] Report false positives at: http://github.com/Arachni/arachni/issues
[+] System settings:
[~] ---------------
[~] Version: 0.4.1.2
[~] Revision: 0.2.7
[~] Audit started on: Thu Nov 15 09:14:45 2012
[~] Audit finished on: Thu Nov 15 09:14:46 2012
[~] Runtime: 00:00:01
[~] URL: https://10.10.10.1/
[~] User agent: Arachni/v0.4.1.2
[*] Audited elements:
[~] * Links
[~] * Forms
[~] * Cookies
[*] Modules: interesting_responses, webdav, backup_files, directory_listing, htaccess_limit, xst, credit_card, captcha, html_objects, private_ip, unencrypted_password_forms, http_only_cookies, cvs_svn_users, insecure_cookies, mixed_resource, emails, ssn, backdoors, allowed_methods, common_files, common_directories, http_put, xss_tag, session_fixation, sqli, xss_uri, sqli_blind_timing, code_injection, xpath, path_traversal, unvalidated_redirect, xss_script_tag, xss, response_splitting, ldapi, csrf, xss_path, trainer, xss_event, os_cmd_injection_timing, os_cmd_injection, code_injection_timing, rfi, sqli_blind_rdiff
[~] ===========================
[+] 0 issues were detected.
[+] Plugin data:
[~] ---------------
[*] AutoLogin
[~] ~~~~~~~~~~~~~~
[~] Description: It looks for the login form in the user provided URL, merges its input fields with the user supplied parameters and sets the cookies of the response and request as framework-wide cookies to be used by the spider later on.
[+] Form submitted successfully.
[~] Cookies set to:
[~] * JSESSIONID = 2983620CCD7B79C3EA8D8E0EB4D39476
[~] * localeId = en_US
[~] -0.0% [=> ] 100%
[~] Est. remaining time: --:--:--
[~] Crawling, discovered 0 pages and counting.
[~] Sent 4 requests.
[~] Received and analyzed 4 responses.
[~] In 00:00:01
[~] Average: 3 requests/second.
[~] Burst response time total 0
[~] Burst response count total 0
[~] Burst average response time 0
[~] Burst average 0 requests/second
[~] Timed-out requests 0
[~] Original max concurrency 20
[~] Throttled max concurrency 20