Auto_redundant option implies a limitation of scan

Frederic's Avatar

Frederic

12 Jan, 2015 11:13 AM

Hi,

I noticed that the auto_redundant option implies a limitation on scans. I was testing Arachni on http://testfire.net when I noticed that it did not come out with the same number of vulnerabilities by running it with two different configurations.

First, I tried to launch Arachni with checks=xss*. The results was 3 vulnerabilities (3 XSS obviously).
Secondly, I tried to launch Arachni with all checks. The results was 1 XSS and some other vulnerabilities. Where is the 2 other XSS ?

So I checked the debug and saw that, in "full mode", Arachni stop to audit some forms because of that :

XSS: audit: Element is out of scope, skipping: Arachni::Checks::Xss:http://testfire.net/search.aspx:form:["tx...:

So I looked why this happen in your code and I noticed it was due to auto_redundant that increment at each component. Therefore, when it reaches the XSS audit , the counter has already exceeded 10.

Is this a desired behaviour or is it a problem in my configuration ?

Thank you in advance.

  1. Support Staff 1 Posted by Tasos Laskos on 12 Jan, 2015 11:23 AM

    Tasos Laskos's Avatar

    Hello there,

    It's actually a bit of both. Auto-redundant sets a limit for each resource based on its parameters, once that limit is reached, further similar resources will be ignored.
    In full mode the resource is hit more times so the allowance is exhausted quicker.

    However, it was behaving somewhat aggressively, so I've modified the way it's applied.
    Still, now that you brought it up again, I think I should make it a bit more lax still, I'll let you know once I update the nightlies so that you can have a go at it.

    Cheers

  2. 2 Posted by Frederic on 12 Jan, 2015 12:07 PM

    Frederic's Avatar

    Thank you for your reply. I will follow the progress closely and make you a feedback on it.

    Cheers.

  3. Support Staff 3 Posted by Tasos Laskos on 13 Jan, 2015 05:16 AM

    Tasos Laskos's Avatar

    I've updated the system so that redundancy filters are respected in the same places, but only the Framework gets to update their counters.

    Unfortunately, I've got no nightlies for this as I've decided to place the update to the v1.1 branch so that it'll get some decent testing before it gets released.

    See: https://github.com/Arachni/arachni/commit/98862cf8a6993d801b86d734f...

    Cheers

  4. Tasos Laskos closed this discussion on 13 Jan, 2015 05:16 AM.

  5. Frederic re-opened this discussion on 13 Jan, 2015 08:01 AM

  6. 4 Posted by Frederic on 13 Jan, 2015 08:01 AM

    Frederic's Avatar

    This seems perfect. No problem for the nightlies, this is understandable. I'll test the v1.1 branch.

    Cheers

  7. Support Staff 5 Posted by Tasos Laskos on 13 Jan, 2015 08:15 AM

    Tasos Laskos's Avatar

    That's great, I could use more testers for v1.1, please see: http://www.arachni-scanner.com/blog/help-us-test-windows-support-xm...

    Cheers

  8. Tasos Laskos closed this discussion on 13 Jan, 2015 01:49 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac