[!] HTTP: ------------ [!] HTTP: Queued request. [!] HTTP: ID#: 0 [!] HTTP: URL: http://localhost:81/mantisbt/login_page.php [!] HTTP: Method: get [!] HTTP: Params: [!] HTTP: Headers: {"Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/v0.4.1.2"} [!] HTTP: Train?: false [!] HTTP: ------------ [!] HTTP: ------------ [!] HTTP: Got response for request ID#: 0 [!] HTTP: Status: 200 [!] HTTP: Error msg: No error [!] HTTP: URL: http://localhost:81/mantisbt/login_page.php [!] HTTP: Headers: HTTP/1.1 200 OK Date: Thu, 29 Nov 2012 03:17:25 GMT Server: Apache/2.2.21 (Unix) DAV/2 mod_ssl/2.2.21 OpenSSL/1.0.0c PHP/5.3.8 mod_apreq2-20090110/2.7.1 mod_perl/2.0.5 Perl/v5.10.1 X-Powered-By: PHP/5.3.8 Set-Cookie: PHPSESSID=mcfl45uf6j1788umfe2gnlga66; path=/; HttpOnly Cache-Control: no-store, no-cache, must-revalidate Last-Modified: Thu, 29 Nov 2012 03:17:25 GMT X-Content-Type-Options: nosniff Expires: Thu, 29 Nov 2012 03:17:25 GMT X-Frame-Options: DENY X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'none' Content-Encoding: gzip Vary: Accept-Encoding Content-Length: 1424 Content-Type: text/html; charset=utf-8 [!] HTTP: Parsed headers: {"Date"=>"Thu, 29 Nov 2012 03:17:25 GMT", "Server"=>"Apache/2.2.21 (Unix) DAV/2 mod_ssl/2.2.21 OpenSSL/1.0.0c PHP/5.3.8 mod_apreq2-20090110/2.7.1 mod_perl/2.0.5 Perl/v5.10.1", "X-Powered-By"=>"PHP/5.3.8", "Set-Cookie"=>"PHPSESSID=mcfl45uf6j1788umfe2gnlga66; path=/; HttpOnly", "Cache-Control"=>"no-store, no-cache, must-revalidate", "Last-Modified"=>"Thu, 29 Nov 2012 03:17:25 GMT", "X-Content-Type-Options"=>"nosniff", "Expires"=>"Thu, 29 Nov 2012 03:17:25 GMT", "X-Frame-Options"=>"DENY", "X-Content-Security-Policy"=>"allow 'self'; options inline-script eval-script; frame-ancestors 'none'", "Content-Encoding"=>"gzip", "Vary"=>"Accept-Encoding", "Content-Length"=>"1424", "Content-Type"=>"text/html; charset=utf-8"} [!] HTTP: ------------ [!] HTTP: ------------ [!] HTTP: Queued request. [!] HTTP: ID#: 1 [!] HTTP: URL: http://localhost:81/mantisbt/login.php [!] HTTP: Method: post [!] HTTP: Params: {"return"=>"index.php", "username"=>"administrator", "password"=>"root", "perm_login"=>"", "secure_session"=>""} [!] HTTP: Headers: {"Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/v0.4.1.2"} [!] HTTP: Train?: false [!] HTTP: ------------ [!] HTTP: ------------ [!] HTTP: Got response for request ID#: 1 [!] HTTP: Status: 302 [!] HTTP: Error msg: No error [!] HTTP: URL: http://localhost:81/mantisbt/login.php [!] HTTP: Headers: HTTP/1.1 302 Found Date: Thu, 29 Nov 2012 03:17:25 GMT Server: Apache/2.2.21 (Unix) DAV/2 mod_ssl/2.2.21 OpenSSL/1.0.0c PHP/5.3.8 mod_apreq2-20090110/2.7.1 mod_perl/2.0.5 Perl/v5.10.1 X-Powered-By: PHP/5.3.8 Set-Cookie: PHPSESSID=vaiap9fj5bfgq9v75hilug2104; path=/; HttpOnly Cache-Control: no-store, no-cache, must-revalidate Last-Modified: Thu, 29 Nov 2012 03:17:25 GMT X-Content-Type-Options: nosniff Expires: Thu, 29 Nov 2012 03:17:25 GMT X-Frame-Options: DENY X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'none' Set-Cookie: MANTIS_secure_session=0; path=/; httponly Set-Cookie: MANTIS_STRING_COOKIE=f842e9f9b8b1d5fd3bae15639cdfcb82cd9002809f22b346b37fb77c97997fd6; path=/; httponly Location: http://localhost:81/mantisbt/login_cookie_test.php?return=index.php Content-Encoding: gzip Vary: Accept-Encoding Content-Length: 26 Content-Type: text/html; charset=utf-8 [!] HTTP: Parsed headers: {"Date"=>"Thu, 29 Nov 2012 03:17:25 GMT", "Server"=>"Apache/2.2.21 (Unix) DAV/2 mod_ssl/2.2.21 OpenSSL/1.0.0c PHP/5.3.8 mod_apreq2-20090110/2.7.1 mod_perl/2.0.5 Perl/v5.10.1", "X-Powered-By"=>"PHP/5.3.8", "Set-Cookie"=>["PHPSESSID=vaiap9fj5bfgq9v75hilug2104; path=/; HttpOnly", "MANTIS_secure_session=0; path=/; httponly", "MANTIS_STRING_COOKIE=f842e9f9b8b1d5fd3bae15639cdfcb82cd9002809f22b346b37fb77c97997fd6; path=/; httponly"], "Cache-Control"=>"no-store, no-cache, must-revalidate", "Last-Modified"=>"Thu, 29 Nov 2012 03:17:25 GMT", "X-Content-Type-Options"=>"nosniff", "Expires"=>"Thu, 29 Nov 2012 03:17:25 GMT", "X-Frame-Options"=>"DENY", "X-Content-Security-Policy"=>"allow 'self'; options inline-script eval-script; frame-ancestors 'none'", "Location"=>"http://localhost:81/mantisbt/login_cookie_test.php?return=index.php", "Content-Encoding"=>"gzip", "Vary"=>"Accept-Encoding", "Content-Length"=>"26", "Content-Type"=>"text/html; charset=utf-8"} [!] HTTP: ------------ [!] HTTP: ------------ [!] HTTP: Queued request. [!] HTTP: ID#: 2 [!] HTTP: URL: http://localhost:81/mantisbt/login_cookie_test.php?return=index.php [!] HTTP: Method: get [!] HTTP: Params: {"return"=>"index.php"} [!] HTTP: Headers: {"Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/v0.4.1.2", "Cookie"=>"PHPSESSID=vaiap9fj5bfgq9v75hilug2104;MANTIS_secure_session=0;MANTIS_STRING_COOKIE=f842e9f9b8b1d5fd3bae15639cdfcb82cd9002809f22b346b37fb77c97997fd6"} [!] HTTP: Train?: false [!] HTTP: ------------ [!] HTTP: ------------ [!] HTTP: Got response for request ID#: 2 [!] HTTP: Status: 200 [!] HTTP: Error msg: No error [!] HTTP: URL: http://localhost:81/mantisbt/my_view_page.php [!] HTTP: Headers: HTTP/1.1 302 Found Date: Thu, 29 Nov 2012 03:17:25 GMT Server: Apache/2.2.21 (Unix) DAV/2 mod_ssl/2.2.21 OpenSSL/1.0.0c PHP/5.3.8 mod_apreq2-20090110/2.7.1 mod_perl/2.0.5 Perl/v5.10.1 X-Powered-By: PHP/5.3.8 Cache-Control: no-store, no-cache, must-revalidate Last-Modified: Thu, 29 Nov 2012 03:17:25 GMT X-Content-Type-Options: nosniff Expires: Thu, 29 Nov 2012 03:17:25 GMT X-Frame-Options: DENY X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'none' Location: http://localhost:81/mantisbt/index.php Content-Encoding: gzip Vary: Accept-Encoding Content-Length: 26 Content-Type: text/html; charset=utf-8 HTTP/1.1 302 Found Date: Thu, 29 Nov 2012 03:17:25 GMT Server: Apache/2.2.21 (Unix) DAV/2 mod_ssl/2.2.21 OpenSSL/1.0.0c PHP/5.3.8 mod_apreq2-20090110/2.7.1 mod_perl/2.0.5 Perl/v5.10.1 X-Powered-By: PHP/5.3.8 Cache-Control: no-store, no-cache, must-revalidate Last-Modified: Thu, 29 Nov 2012 03:17:25 GMT X-Content-Type-Options: nosniff Expires: Thu, 29 Nov 2012 03:17:25 GMT X-Frame-Options: DENY X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'none' Location: http://localhost:81/mantisbt/my_view_page.php Content-Encoding: gzip Vary: Accept-Encoding Content-Length: 26 Content-Type: text/html; charset=utf-8 HTTP/1.1 200 OK Date: Thu, 29 Nov 2012 03:17:25 GMT Server: Apache/2.2.21 (Unix) DAV/2 mod_ssl/2.2.21 OpenSSL/1.0.0c PHP/5.3.8 mod_apreq2-20090110/2.7.1 mod_perl/2.0.5 Perl/v5.10.1 X-Powered-By: PHP/5.3.8 Cache-Control: no-store, no-cache, must-revalidate Last-Modified: Thu, 29 Nov 2012 03:17:25 GMT X-Content-Type-Options: nosniff Expires: Thu, 29 Nov 2012 03:17:25 GMT X-Frame-Options: DENY X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'none' Content-Encoding: gzip Vary: Accept-Encoding Content-Length: 1997 Content-Type: text/html; charset=utf-8 [!] HTTP: Parsed headers: {"Date"=>["Thu, 29 Nov 2012 03:17:25 GMT", "Thu, 29 Nov 2012 03:17:25 GMT", "Thu, 29 Nov 2012 03:17:25 GMT"], "Server"=>["Apache/2.2.21 (Unix) DAV/2 mod_ssl/2.2.21 OpenSSL/1.0.0c PHP/5.3.8 mod_apreq2-20090110/2.7.1 mod_perl/2.0.5 Perl/v5.10.1", "Apache/2.2.21 (Unix) DAV/2 mod_ssl/2.2.21 OpenSSL/1.0.0c PHP/5.3.8 mod_apreq2-20090110/2.7.1 mod_perl/2.0.5 Perl/v5.10.1", "Apache/2.2.21 (Unix) DAV/2 mod_ssl/2.2.21 OpenSSL/1.0.0c PHP/5.3.8 mod_apreq2-20090110/2.7.1 mod_perl/2.0.5 Perl/v5.10.1"], "X-Powered-By"=>["PHP/5.3.8", "PHP/5.3.8", "PHP/5.3.8"], "Cache-Control"=>["no-store, no-cache, must-revalidate", "no-store, no-cache, must-revalidate", "no-store, no-cache, must-revalidate"], "Last-Modified"=>["Thu, 29 Nov 2012 03:17:25 GMT", "Thu, 29 Nov 2012 03:17:25 GMT", "Thu, 29 Nov 2012 03:17:25 GMT"], "X-Content-Type-Options"=>["nosniff", "nosniff", "nosniff"], "Expires"=>["Thu, 29 Nov 2012 03:17:25 GMT", "Thu, 29 Nov 2012 03:17:25 GMT", "Thu, 29 Nov 2012 03:17:25 GMT"], "X-Frame-Options"=>["DENY", "DENY", "DENY"], "X-Content-Security-Policy"=>["allow 'self'; options inline-script eval-script; frame-ancestors 'none'", "allow 'self'; options inline-script eval-script; frame-ancestors 'none'", "allow 'self'; options inline-script eval-script; frame-ancestors 'none'"], "Location"=>["http://localhost:81/mantisbt/index.php", "http://localhost:81/mantisbt/my_view_page.php"], "Content-Encoding"=>["gzip", "gzip", "gzip"], "Vary"=>["Accept-Encoding", "Accept-Encoding", "Accept-Encoding"], "Content-Length"=>["26", "26", "1997"], "Content-Type"=>["text/html; charset=utf-8", "text/html; charset=utf-8", "text/html; charset=utf-8"]} [!] HTTP: ------------ [!] HTTP: ------------ [!] HTTP: Queued request. [!] HTTP: ID#: 3 [!] HTTP: URL: http://localhost:81/mantisbt/index.php [!] HTTP: Method: get [!] HTTP: Params: [!] HTTP: Headers: {"Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "User-Agent"=>"Arachni/v0.4.1.2", "Cookie"=>"PHPSESSID=vaiap9fj5bfgq9v75hilug2104;MANTIS_secure_session=0;MANTIS_STRING_COOKIE=f842e9f9b8b1d5fd3bae15639cdfcb82cd9002809f22b346b37fb77c97997fd6"} [!] HTTP: Train?: false [!] HTTP: ------------ [!] HTTP: ------------ [!] HTTP: Got response for request ID#: 3 [!] HTTP: Status: 302 [!] HTTP: Error msg: No error [!] HTTP: URL: http://localhost:81/mantisbt/index.php [!] HTTP: Headers: HTTP/1.1 302 Found Date: Thu, 29 Nov 2012 03:17:26 GMT Server: Apache/2.2.21 (Unix) DAV/2 mod_ssl/2.2.21 OpenSSL/1.0.0c PHP/5.3.8 mod_apreq2-20090110/2.7.1 mod_perl/2.0.5 Perl/v5.10.1 X-Powered-By: PHP/5.3.8 Cache-Control: no-store, no-cache, must-revalidate Last-Modified: Thu, 29 Nov 2012 03:17:26 GMT X-Content-Type-Options: nosniff Expires: Thu, 29 Nov 2012 03:17:26 GMT X-Frame-Options: DENY X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'none' Location: http://localhost:81/mantisbt/my_view_page.php Content-Encoding: gzip Vary: Accept-Encoding Content-Length: 26 Content-Type: text/html; charset=utf-8 [!] HTTP: Parsed headers: {"Date"=>"Thu, 29 Nov 2012 03:17:26 GMT", "Server"=>"Apache/2.2.21 (Unix) DAV/2 mod_ssl/2.2.21 OpenSSL/1.0.0c PHP/5.3.8 mod_apreq2-20090110/2.7.1 mod_perl/2.0.5 Perl/v5.10.1", "X-Powered-By"=>"PHP/5.3.8", "Cache-Control"=>"no-store, no-cache, must-revalidate", "Last-Modified"=>"Thu, 29 Nov 2012 03:17:26 GMT", "X-Content-Type-Options"=>"nosniff", "Expires"=>"Thu, 29 Nov 2012 03:17:26 GMT", "X-Frame-Options"=>"DENY", "X-Content-Security-Policy"=>"allow 'self'; options inline-script eval-script; frame-ancestors 'none'", "Location"=>"http://localhost:81/mantisbt/my_view_page.php", "Content-Encoding"=>"gzip", "Vary"=>"Accept-Encoding", "Content-Length"=>"26", "Content-Type"=>"text/html; charset=utf-8"} [!] HTTP: ------------ [!] [!] Waiting on the following (10) plugins to finish: [!] autologin, content_types, profiler, healthmap, resolver, autothrottle, uniformity, discovery, manual_verification, timing_attacks [!] [!] [!] Waiting on the following (8) plugins to finish: [!] content_types, profiler, healthmap, resolver, uniformity, discovery, manual_verification, timing_attacks [!] Arachni - Web Application Security Scanner Framework v0.4.1.2 Author: Tasos "Zapotek" Laskos (With the support of the community and the Arachni Team.) Website: http://arachni-scanner.com Documentation: http://arachni-scanner.com/wiki [~] No modules were specified. [~] -> Will run all mods. [~] No audit options were specified. [~] -> Will audit links, forms and cookies. [*] Initialising... [*] Waiting for plugins to settle... [~] AutoLogin: System paused. [*] AutoLogin: Found log-in form with name: login_form [+] AutoLogin: Form submitted successfully. [~] AutoLogin: Cookies set to: [~] AutoLogin: * PHPSESSID = vaiap9fj5bfgq9v75hilug2104 [~] AutoLogin: * MANTIS_secure_session = 0 [~] AutoLogin: * MANTIS_STRING_COOKIE = f842e9f9b8b1d5fd3bae15639cdfcb82cd9002809f22b346b37fb77c97997fd6 [*] Resolver: Resolving hostnames... [*] Resolver: Done!  [*] Dumping audit results in '2012-11-28 19.17.28 -0800.afr'. [*] Done! ================================================================================ [+] Web Application Security Report - Arachni Framework [~] Report generated on: 2012-11-28 19:17:28 -0800 [~] Report false positives at: http://github.com/Arachni/arachni/issues [+] System settings: [~] --------------- [~] Version: 0.4.1.2 [~] Revision: 0.2.7 [~] Audit started on: Wed Nov 28 19:17:25 2012 [~] Audit finished on: Wed Nov 28 19:17:26 2012 [~] Runtime: 00:00:01 [~] URL: http://localhost:81/mantisbt/index.php [~] User agent: Arachni/v0.4.1.2 [*] Audited elements: [~] * Links [~] * Forms [~] * Cookies [*] Modules: common_directories, htaccess_limit, webdav, directory_listing, backup_files, interesting_responses, emails, http_only_cookies, unencrypted_password_forms, insecure_cookies, private_ip, ssn, captcha, credit_card, cvs_svn_users, html_objects, mixed_resource, http_put, xst, common_files, backdoors, allowed_methods, rfi, csrf, xpath, ldapi, sqli_blind_timing, unvalidated_redirect, session_fixation, os_cmd_injection_timing, xss_uri, sqli, os_cmd_injection, response_splitting, code_injection_timing, xss_script_tag, xss_path, trainer, xss, xss_event, code_injection, xss_tag, sqli_blind_rdiff, path_traversal [~] =========================== [+] 0 issues were detected. [+] Plugin data: [~] --------------- [*] AutoLogin [~] ~~~~~~~~~~~~~~ [~] Description: It looks for the login form in the user provided URL, merges its input fields with the user supplied parameters and sets the cookies of the response and request as framework-wide cookies to be used by the spider later on. [+] Form submitted successfully. [~] Cookies set to: [~] * PHPSESSID = vaiap9fj5bfgq9v75hilug2104 [~] * MANTIS_secure_session = 0 [~] * MANTIS_STRING_COOKIE = f842e9f9b8b1d5fd3bae15639cdfcb82cd9002809f22b346b37fb77c97997fd6  [~] -0.0% [=> ] 100% [~] Est. remaining time: --:--:--  [~] Crawling, discovered 0 pages and counting.  [~] Sent 4 requests. [~] Received and analyzed 4 responses. [~] In 00:00:01 [~] Average: 3 requests/second.  [~] Burst response time total 0 [~] Burst response count total 0 [~] Burst average response time 0 [~] Burst average 0 requests/second [~] Timed-out requests 0 [~] Original max concurrency 20 [~] Throttled max concurrency 20