tag:support.arachni-scanner.com,2012-07-01:/discussions/problems/3908-links-with-onclick-event-not-followedArachni: Discussion 2015-12-02T16:46:04Ztag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-12T10:30:44Z2015-11-13T09:59:36ZLinks with onclick event not followed<div><p>Hi,</p>
<p>I'm scanning a webapp with Arachni but it doesn't seem to follow
some links.</p>
<p>Here is an example of link which is not followed :</p>
<pre>
<code><a href="#"
onclick="mojarra.jsfcljs(document.getElementById('usersList:userListForm'),{'usersList:userListForm:usersTable:j_idt30':'usersList:userListForm:usersTable:j_idt30'},'');return false"
class="btn btn-success">
New user
</a></code>
</pre>
<p>It's a link generated by the jsf code :</p>
<pre>
<code><h:commandLink action="#{myBean.createNewUser()}" styleClass="btn btn-success"> #{msg['new_user']}</h:commandLink></code>
</pre>
<p>I know it's not followed because I got in the arachni logs :</p>
<pre>
<code>[-] BrowserCluster Worker#37948840: Job timed-out after 25 seconds: #<Arachni::BrowserCluster::Jobs::ResourceExploration::EventTrigger:32519920 @resource=#<Arachni::Page:18375440 @url="https://myserver/mywebapp/users/list.xhtml" @dom=#<Arachni::Page::DOM:18371360 @url="https://myserver/mywebapp/users/list.xhtml" @transitions=40 @data_flow_sinks=0 @execution_flow_sinks=0>> @event=:onclick @element=<a href="#" onclick="mojarra.jsfcljs(document.getElementById('usersList:userListForm'),{'usersList:userListForm:usersTable:j_idt30':'usersList:userListForm:usersTable:j_idt30'},'');return false" class="btn btn-success"> time=25.096439984 timed_out=true></code>
</pre>
<p>And because I don't see the
page-we-should-see-if-we-follow-the-link in the arachni report
"sitemap" page.</p>
<p>My webapp is using :<br>
Primefaces 4.1.0<br>
JSF 2.2.10<br>
Tomcat 7.0.64</p>
<p>I'm using Arachni 1.3.1, which I'm calling by the following
command line :</p>
<pre>
<code>arachni https://myserver/mywebapp/ --scope-dom-depth-limit=10 --scope-extend-paths="/path/to/arachni-paths.txt" --audit-links --audit-forms --audit-ui-inputs --audit-ui-forms --plugin=autologin:url=https://myserver/mywebapp/login.xhtml,parameters='j_username=myusername&j_password=mypassword',check='My account' --scope-exclude-pattern=logout --checks='sql_*,http_*,os_*,xss_*,insecure_*,allowed_methods,csrf,code_injection,directory_listing,emails,form_upload,session_fixation,xpath_injection' --platforms='linux,pgsql,oracle,tomcat,java,jsf' --report-save-path=pentest.afr && \
arachni_reporter pentest.afr --reporter=html:outfile=pentest.html.zip</code>
</pre>
<p>I don't know if there is something I forgot in order to tell
Arachni to follow this kind of links, or if it's a bug.<br>
We had some problems using PhantomJS for our Cucumber/Selenium
tests and we are finally using HtmlUnit instead. So maybe it's kind
of related to PhantomJS.</p>
<p>Did someone else have this problem ?<br>
Did I miss something in my arachni command-line ?<br>
Is it possible to configure Arachni to use another webdriver than
PhantomJS (HtmlUnit or FirefoxDriver, for example) ?</p>
<p>Thanks for your help,</p>
<p>Marie</p></div>marie_lbltag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-12T19:30:21Z2015-11-12T19:30:21ZLinks with onclick event not followed<div><p>Hello,</p>
<p>No this isn't because of a misconfiguration, there may be a JS
error or something causing the page not to load.</p>
<p>Could you please try the <a href="http://downloads.arachni-scanner.com/nightlies/">nightlies</a> to
see if the issue has been fixed?<br>
If it's still there (or if you get a new issue, the nightlies are
unstable after all) you can send me all the details in private and
I'll try to debug this.</p>
<p>Cheers</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-13T03:44:30Z2015-11-13T03:44:30ZLinks with onclick event not followed<div><p>Hello again,</p>
<p>I forgot to mention, you can't use an alternative browser, it's
PhantomJS 1.9.2 only.</p>
<p>Cheers</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-13T10:38:18Z2015-11-13T10:38:18ZLinks with onclick event not followed<div><p>Hello,</p>
<p>Thanks for your quick reply.</p>
<p>I tried with the nightlies : the result is quite the same (the
page I want is still not in the sitemap report).</p>
<p>I don't see this message (I got with Arachni 1.3.1) in the logs
anymore :</p>
<pre>
<code>[-] BrowserCluster Worker#37948840: Job timed-out after 25 seconds: #<Arachni::BrowserCluster::Jobs::ResourceExploration::EventTrigger:32519920 @resource=#<Arachni::Page:18375440 @url="https://myserver/mywebapp/users/list.xhtml" @dom=#<Arachni::Page::DOM:18371360 @url="https://myserver/mywebapp/users/list.xhtml" @transitions=40 @data_flow_sinks=0 @execution_flow_sinks=0>> @event=:onclick @element=<a href="#" onclick="mojarra.jsfcljs(document.getElementById('usersList:userListForm'),{'usersList:userListForm:usersTable:j_idt30':'usersList:userListForm:usersTable:j_idt30'},'');return false" class="btn btn-success"> time=25.096439984 timed_out=true></code>
</pre>
<p>I don't know if it's significant - maybe it doesn't try to click
on the link anymore (in this case it's "worse" than in 1.3.1), or
maybe you just don't display the "BrowserCluster Worker (...)
Arachni::BrowserCluster::Jobs::ResourceExploration::EventTrigger"
logs anymore (?).</p>
<p>But, for information, I still see<br></p>
<pre>
<code>[*] XSS in HTML element event attribute: Auditing form input 'usersList:userListForm:usersTable:j_idt30' pointing to: '"https://myserver/mywebapp//users/list.xhtml'</code>
</pre>
So I know my link is seen by Arachni. But it is not
clicked/followed by Arachni.
<p>I double-checked : manually I can click on the link and go to
the desired page, and I don't have any error in the Javascript
console (browser : Chrome).</p>
<p>Thanks a lot for offering to debug !<br>
I can't give you access to the webapp I'm scanning, but I will try
to reproduce the problem in a little project, and give you all the
information you need to reproduce (if it's possible).</p></div>marie_lbltag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-13T19:40:51Z2015-11-13T19:40:51ZLinks with onclick event not followed<div><p>Yes please, a small test case on its own would actually be
better than access to the full webapp.<br>
These JS issues are hard to troubleshoot so I need to have a look
at it myself.</p>
<p>Let me know once you've put something together.</p>
<p>Cheers</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-16T13:51:05Z2015-11-16T13:51:06ZLinks with onclick event not followed<div><p>Ok so here is my small test case :<br>
<a href="https://github.com/lebloism/link-not-followed-by-arachni">https://github.com/lebloism/link-not-followed-by-arachni</a></p>
<p>I tried to put enough information in the README, but tell me if
you need something else.<br>
(And thanks again for your support !)</p></div>marie_lbltag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-17T01:16:18Z2015-11-17T01:16:18ZLinks with onclick event not followed<div><p>Best. Bug report. Ever.</p>
<p>I'm on it.</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-17T04:38:02Z2015-11-17T04:38:02ZLinks with onclick event not followed<div><p>Hm, I just tried it and it worked:</p>
<pre>
<code>./bin/arachni http://127.0.0.2:8080/ --checks -</code>
</pre>
<p>Here's the relevant bit:</p>
<pre>
<code> [*] [HTTP: 200] http://127.0.0.2:8080/users/edit.xhtml
[~] Identified as: tomcat, java
[~] Analysis resulted in 0 usable paths.
[~] DOM depth: 2 (Limit: 5)
[~] Transitions:
[~] -- [0.3489s] load => page (http://127.0.0.2:8080/)
[~] * [0.0005s] request => http://127.0.0.2:8080/
[~] * [0.0395s] request => http://127.0.0.2:8080/javax.faces.resource/jsf.js.xhtml?ln=javax.faces&stage=Development
[~] -- [0.2326s] click => <a href="#" onclick="mojarra.jsfcljs(document.getElementById('j_idt8'),{'j_idt8:j_idt9':'j_idt8:j_idt9'},'');return false" class="btn btn-success">
[~] * [0.0077s] request => http://127.0.0.2:8080/users/list.xhtml
[~] * [0.0067s] request => http://127.0.0.2:8080/users/edit.xhtml</code>
</pre>
<p>I was using the code in the nightlies, are you getting different
results?</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-17T06:12:45Z2015-11-17T06:12:47ZLinks with onclick event not followed<div><p>I am using the nightlies too, I committed the results on github
so you can see it (pentest.afr and pentest.html.zip). I read the
"html" report but normally it's the same, isn't it ?</p>
<p>The difference between you and me is the command line. I'm using
quite the same command line as before (except for the "login" part,
because my webapp is simpler, without login or HTTPS). This is the
command line I'm using for the small test case :</p>
<pre>
<code>arachni http://myhostname:8080/ --scope-dom-depth-limit=10 --scope-extend-paths="/path/to/arachni-paths.txt" --audit-links --audit-forms --audit-ui-inputs --audit-ui-forms --checks='sql_*,http_*,os_*,xss_*,insecure_*,allowed_methods,csrf,code_injection,directory_listing,emails,form_upload,session_fixation,xpath_injection' --platforms='linux,pgsql,oracle,tomcat,java,jsf' --report-save-path=pentest.afr && arachni_reporter pentest.afr --reporter=html:outfile=pentest.html.zip</code>
</pre>
<p>Can you try with this command line and see if you reproduce
?</p></div>marie_lbltag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-17T06:17:56Z2015-11-17T06:17:56ZLinks with onclick event not followed<div><p>Maybe the problem is the "scope-extend-paths" option : I thought
it was "include these paths too", but maybe it is "include only
these paths" ?</p></div>marie_lbltag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-17T06:27:54Z2015-11-17T06:27:54ZLinks with onclick event not followed<div><p>Not unless I somehow mixed it with the restrict-paths option
which isn't out of the question, but let's start simple.</p>
<p>Can you verify that you're getting to that page in the test app
by only using the <code>--checks -</code> option?</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-17T06:35:44Z2015-11-17T06:35:45ZLinks with onclick event not followed<div><p>I will as soon as I am in my office (I don't have the correct
environment at home), so in 2-3 hours. I'll try with different
command lines "between" yours and mine, so we'll be able to
identify the option which raise the problem. I'll let you know.</p></div>marie_lbltag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-17T06:48:07Z2015-11-17T06:48:07ZLinks with onclick event not followed<div><p>I actually managed to reproduce the issue so it's OK.</p>
<p>Turns out that it has to do with Arachni auditing the inputs of
the hidden form wrapped around that link, which are used to pass
viewstate tokens.<br>
That audit invalidated the viewstate so when the browsers click the
link the application returns an error instead of redirecting to the
edit page.</p>
<p>You can skip auditing those input vectors with:</p>
<pre>
<code>--audit-exclude-vector=javax.faces.ViewState --audit-exclude-vector=j_idt</code>
</pre>
<p>The values to these options are treated as regular expressions,
so any input vector that includes them will be ignored (one of them
was <code>j_idt8</code>, not sure if the integer changes so I used
<code>j_idt</code> as a catch all).</p>
<p>I verified that it works on the sample webapp you set up (thanks
for that), let me know how it does against the real thing.</p>
<p>Cheers</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-17T17:29:02Z2015-11-17T17:29:04ZLinks with onclick event not followed<div><p>Thanks for the hint.</p>
<p>Indeed it works on the sample webapp with the
audit-exclude-vector options.<br>
But it doesn't work in my real webapp :<br>
1) I can't exclude all the inputs with "j_idt" in the 'name'
attribute because some of them should be scanned.<br>
2) On some pages, there is an ID defined for the form (h:form
id="myForm") and, in these cases, the generated hidden input has
for name "myForm" (= not containing "j_idt")<br>
3) There are probably other complications because I tried to run
the command line with<br></p>
<pre>
<code>--audit-exclude-vector=javax.faces.ViewState --audit-exclude-vector=j_idt --audit-exclude-vector="[Ff]orm$"</code>
</pre>
in order to exclude all the generated inputs (with and without an
ID defined in the h:form - all my IDs for the h:form tags end with
"form" or "Form") - even if I would have some interesting inputs
not scanned. But it doesn't work : Arachni still doesn't follow the
links.
<p>I'll try again tomorrow, and maybe give you another sample
webapp, closer to the real webapp than the first one.</p>
<p>But I would like to know if it would be possible to change the
condition "regex on the 'name' attribute" ?<br>
For example, I would be very interested in excluding all the hidden
inputs (type=hidden), and someone else could be interested in a
condition like "regex on the 'id' attribute".<br>
Is it possible to have a more flexible condition for example with 2
options : --audit-exclude-vector-attribute and
--audit-exclude-vector-pattern.<br>
So they could be used like that :<br></p>
<pre>
<code>--audit-exclude-vector-attribute=name --audit-exclude-vector-pattern=javax.faces.ViewState</code>
</pre>
or like that<br>
<pre>
<code>--audit-exclude-vector-attribute=type --audit-exclude-vector-pattern=hidden</code>
</pre>
?</div>marie_lbltag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-18T00:23:02Z2015-11-18T00:23:02ZLinks with onclick event not followed<div><p>You can't do that via CLI options because the configuration
would get unworkable really fast, you can however write a simple
plugin that adds a global callback to determine which elements
should be skipped from the audit.</p>
<p>Do you want to push the new sample webapp first or shall I show
you an example of such a plugin?</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-18T10:52:02Z2015-11-18T10:52:03ZLinks with onclick event not followed<div><p>I'm very interested in the plugin you're talking about, can you
give me an example ?</p>
<p>I created another branch in my github project, with a similar
webapp but this time with 2 lists and 2 edit pages : <a href="https://github.com/lebloism/link-not-followed-by-arachni/tree/two-lists">
https://github.com/lebloism/link-not-followed-by-arachni/tree/two-l...</a></p>
<p>If I run Arachni with the audit-exclude-vector options : it
works when I have only 1 list and 1 edit pages (=branch "master"),
but not when I have 2 lists and 2 edit pages (= branch
"two-lists").</p>
<p>I don't understand why the viewState is still invalidated
despite the audit-exclude-vector options on the "two-lists" branch.
Do you have any idea ?<br>
I hope it will help me to understand what doesn't work in my
real webapp.</p>
<p>(Thanks again for helping me)</p></div>marie_lbltag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-18T12:03:47Z2015-11-18T12:04:21ZLinks with onclick event not followed<div><p>That was indeed a bug caused by a deduplication mixup. The DOM
events of the 2 links were identical so only one was followed,
luckily it was an easy fix.</p>
<p>And I also managed to reproduce the original time-out issue, not
sure why that happens yet though.</p>
<p>I need to do some more testing but I'll have some nightlies for
you tomorrow.</p>
<p>Cheers</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-19T06:53:03Z2015-11-19T06:53:03ZLinks with onclick event not followed<div><p>The fix is in the nightlies, if you exclude the vectors I had
mentioned it should work fine.<br>
If you still require the plugin let me know and I'll whip something
up.</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-19T07:06:05Z2015-11-19T07:06:05ZLinks with onclick event not followed<div><p>Actually, I think I spoke too soon.<br>
The missing page in the sample app may have been appropriate
because the edit pages only differ in text nodes, from the
browser's perspective processing just one of them is enough,
there's nothing to be gained by including the second one in the
scan.</p>
<p>Can you add something "interesting" to at least one of them
please?<br>
Like an <code><input></code> field.</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-19T07:17:45Z2015-11-19T07:17:45ZLinks with onclick event not followed<div><p>I added the following to <code>edit2.xhtml</code> :<br></p>
<pre>
<code><h:form>
<h:commandLink action="#{usersPage.createNew2()}"
styleClass="btn btn-success">
new user 2
</h:commandLink>
</h:form></code>
</pre>
<p>And the following to <code>edit1.xhtml</code> :<br></p>
<pre>
<code><h:form>
<h:commandLink action="#{usersPage.createNew1()}"
styleClass="btn btn-success">
new user 1
</h:commandLink>
</h:form></code>
</pre>
<p>In that case both pages were logged appropriately since they
were processed as they contained some useful workload.</p>
<p>So I'm guessing we're back to the invalidated viewstate, I'll
get working on a sample plugin to let you filter elements.</p>
<p>Cheers</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-19T10:10:26Z2015-11-19T10:10:27ZLinks with onclick event not followed<div><p>1 ---<br>
I got the nightlies, thanks !</p>
<p>2---<br>
What do you mean by "In that case both pages were logged
appropriately" ? Do you mean "with that code everything works now,
the both edit pages are scanned by Arachni" ? Because it's not the
case for me : I added your code in the edit pages (see updated
branch "two-lists"), but the pages edit1 and edit2 are still not
mentioned in the logs, nor in the report. (The list pages have now
both 500 status code)</p>
<p>So maybe I didn't understand you correctly, or we have
different results between you and me for the same code :S</p>
<p>3 ---<br>
I'm trying to understand what Arachni does (to understand how the
viewstate is invalidated) by reading its logs.<br>
Can you explain me the following logs ?<br></p>
<pre>
<code>[*] Got new page from the browser-cluster: http://david-virtualbox:8080/users/list1.xhtml
[~] DOM depth: 2 (Limit: 10)
[~] Transitions:
[~] -- [0.8795s] load => page (http://david-virtualbox:8080/users/list1.xhtml)
[~] * [0.0004s] request => http://david-virtualbox:8080/users/list1.xhtml
[~] * [0.1706s] request => http://david-virtualbox:8080/javax.faces.resource/jsf.js.xhtml?ln=javax.faces
[~] -- [0.4127s] click => <a href="#" onclick="mojarra.jsfcljs(document.getElementById('j_idt8'),{'j_idt8:j_idt9':'j_idt8:j_idt9'},'');return false" class="btn btn-success">
[~] * [0.0126s] request => http://david-virtualbox:8080/users/list1.xhtml</code>
</pre>
<p>I understand these logs as :<br>
the "click" on</p>
<pre>
<code><a href="#" onclick="mojarra.jsfcljs(document.getElementById('j_idt8'),{'j_idt8:j_idt9':'j_idt8:j_idt9'},'');return false" class="btn btn-success"></code>
</pre>
generates a request for "list1.xhtml".<br>
This is OK because the network says, when I click on the link :<br>
POST list1 -> 302 Found location = "<a href="http://david-virtualbox:8080/users/edit1.xhtml">http://david-virtualbox:8080/users/edit1.xhtml</a>"
-> GET edit1.
<p>So the logs say "request for list1", OK, it's the POST part. But
what about the remaining part "302 -> redirection to edit1"
?<br>
Does Arachni read the "location" part of the 302 response, in order
to do the request to the provided location ?</p>
<p>(Sorry maybe I don't understand how Arachni works at all, so my
questions would be totally stupid. Please be indulgent, I'm just
trying to understand ^^' )</p>
<p>4 ---<br>
I'm still interested by the plugin because I will need it for my
real webapp. But I don't think it will help for the sample webapp :
I'm already excluding all the hidden inputs generated by JSF (with
regex on their names). So it seems Arachni is invalidating the
ViewState but with something else than scanning the JSF generated
hidden inputs.<br>
Do you have an idea which other Arachni action could do that ?</p></div>marie_lbltag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-19T10:25:17Z2015-11-19T10:25:17ZLinks with onclick event not followed<div><p>1, Better wait another half an hour or so for the new ones, the
nightlies worked temporarily for me because I broke them. The
original behavior was the correct one I think.<br>
2. Yeah with the changes in the edit pages both of them were in the
sitemap. Although right now I couldn't reproduce it either, instead
getting loads of 500 errors too (always happened with both branches
but intermittently). I'm pretty sure the test cases don't
accurately reflect the issue that you're getting from the real
webapp and we are instead chasing bugs in the sample ones.<br>
3. You got it right and redirects will be followed, but in this
case it's not the viewstate being invalidated but the sample app
exploding for some reason.<br>
4. We better focus on the real application and go from there, the
sample ones don't seem representative of it. I don't think that
it's about invalidated viewstates any more but rather these
errors:</p>
<pre>
<code>Nov 19, 2015 12:15:54 PM org.apache.catalina.core.StandardHostValve custom
SEVERE: Exception Processing ErrorPage[errorCode=500, location=/error.xhtml]
javax.servlet.ServletException
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:659)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:749)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:489)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:412)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:339)
at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:467)
at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:338)
at org.apache.catalina.core.StandardHostValve.throwable(StandardHostValve.java:428)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:201)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1041)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
at com.sun.faces.context.flash.ELFlash$FlashInfo.encode(ELFlash.java:1631)
at com.sun.faces.context.flash.ELFlash$PreviousNextFlashInfoManager.encode(ELFlash.java:1460)
at com.sun.faces.context.flash.ELFlash.doLastPhaseActions(ELFlash.java:717)
at com.sun.faces.context.flash.ELFlash.doPostPhaseActions(ELFlash.java:652)
at com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:458)
at com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:133)
at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:120)
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)
at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:219)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:647)</code>
</pre>
<p>I'll let you know once I've got a sample plugin ready.</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-19T10:59:18Z2015-11-19T10:59:19ZLinks with onclick event not followed<div><p>Ok for stopping with the sample webapp which is maybe not
representative anymore.<br>
I'll wait for your sample plugin and then try again on the real
webapp !<br>
(Thx for your work)</p></div>marie_lbltag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-20T07:19:25Z2015-11-20T07:19:25ZLinks with onclick event not followed<div><p>I'm afraid I've got some bad news, the forms are sometimes
extracted from browser requests instead of the HTML code of the
page, depending on which component gets there first.</p>
<p>This means that full context (like the HTML code, attribute
details etc) isn't always available.<br>
The only information that remains constant is the input data and
the action, so the only reliable way of filtering element audits
are the CLI scope and audit options.</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-20T10:57:47Z2015-11-20T10:57:48ZLinks with onclick event not followed<div><p>Ok :-(</p>
<p>Actually, maybe we don't need to exclude these inputs from the
audit. What we need is Arachni to follow the links and discover the
other pages BEFORE auditing these inputs and invalidating the
viewstate.</p>
<p>Would it be possible for you to change the order of the actions
? (maybe through an option)<br>
I suppose, from the behaviour we saw, that the current order is
:<br>
find a page, auditing the page inputs, discover other pages through
the links present on the current page, auditing these pages and so
on.</p>
<p>Would it be possible to have :<br>
find a page, discover other pages through the links present on this
page (store it for later), auditing the current page inputs, and
then process the discovered pages<br>
?</p></div>marie_lbltag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-20T11:22:05Z2015-11-20T11:22:05ZLinks with onclick event not followed<div><p>That won't work in the grand scheme of things but I think I
found another way around it.<br>
It's probably going to hurt performance when the server doesn't set
caching options for the response, so I'll try to enable it only
when necessary.</p>
<p>Whatever the case, if this solves the problem I'm OK with a
performance penalty if it means automatically taking care of these
types of issues.</p>
<p>I'll keep you posted on my progress.</p>
<p>Cheers</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-20T14:34:33Z2015-11-20T14:34:33ZLinks with onclick event not followed<div><p>Nightlies are up (except Windows), let me know how they
work.</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-20T17:12:04Z2015-11-20T17:12:05ZLinks with onclick event not followed<div><p>It discovered one page which was not listed in the
scope-extend-paths file (users/edit.xhtml, accessible from a link
on users/list.xhtml which is a page listed in the
scope-extend-paths).<br>
But this edit page has a 500 status code. Maybe the data transferred
from the list to the edit page are not correctly transferred ?<br>
FYI we use the JSF Flash scope in order to transfer data from a
page to another : <a href="http://docs.oracle.com/javaee/6/api/javax/faces/context/Flash.html">
http://docs.oracle.com/javaee/6/api/javax/faces/context/Flash.html</a><br>
"Variables stored in the flash scope will survive a redirection and
they will be discarded afterwards. This is really useful when
implementing a Post-Redirect-Get pattern" "Flash scope survives
redirect, exactly once"</p>
<p>But, for every other similar situations (profiles/list.xhtml
-> profiles/edit.xhtml, entities/list.xhtml ->
entities/edit.xhtml, etc ), it didn't discover the edit pages.</p>
<p>And, regression : I have now 0 issues (which is not correct
since I had some little issues in the previous reports, like
E-mail address disclosure)</p></div>marie_lbltag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-11-21T06:58:12Z2015-11-21T06:58:12ZLinks with onclick event not followed<div><p>I don't think I can help without access to the web application
at this point, any chance you can arrange that?</p></div>Tasos Laskostag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-12-02T15:18:51Z2015-12-02T15:18:55ZLinks with onclick event not followed<div><p>Hi !</p>
<p>Sorry for the delay. I couldn't convince my team to give you
access. We finally chose to stop trying to launch the tests
automatically with Arachni, and we went back to our first try,
which we knew was working as we need : manual tests with ZAP.<br>
Maybe we will have more time later to give it a new try, but
currently we can't.</p>
<p>Thanks again for all the effort you made, it's very pleasant to
have such a support !</p></div>marie_lbltag:support.arachni-scanner.com,2012-07-01:Comment/384445362015-12-02T16:46:01Z2015-12-02T16:46:01ZLinks with onclick event not followed<div><p>That's too bad, I hate knowing that there's a simple bug
somewhere lurking around causing trouble.<br>
Still, I understand your team's reluctance to provide access.</p>
<p>If anything changes please do let me know.</p>
<p>Cheers</p></div>Tasos Laskos
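<p>Added example, not part of the original thread and not Arachni code: a Ruby preview of which form inputs the <code>--audit-exclude-vector</code> patterns tried above (<code>javax.faces.ViewState</code>, <code>j_idt</code>, <code>[Ff]orm$</code>) would drop from an audit. The form markup and the <code>extract_inputs</code>/<code>preview</code> helpers are constructed for illustration, and the matching rule (an unanchored regular expression tested against the input name) is assumed from the description given in the thread.</p>

```ruby
# Added example, not Arachni code. Previews which form inputs a set of
# --audit-exclude-vector patterns would remove from the audit.
# Assumption (from the thread): each option value is a regular expression and
# an input is skipped when the pattern matches anywhere in its name.

# Constructed markup imitating what JSF renders for an <h:form> without an id
# (j_idt8) and with one (myForm). Not taken from the real application.
SAMPLE_HTML = <<~HTML
  <form id="j_idt8" name="j_idt8" method="post" action="/users/list.xhtml">
    <input type="hidden" name="j_idt8" value="j_idt8" />
    <input type="hidden" name="javax.faces.ViewState" value="constructed-token-1" />
  </form>
  <form id="myForm" name="myForm" method="post" action="/profiles/list.xhtml">
    <input type="hidden" name="myForm" value="myForm" />
    <input type="text" name="myForm:j_idt12" value="" />
    <input type="text" name="myForm:search" value="" />
    <input type="hidden" name="javax.faces.ViewState" value="constructed-token-2" />
  </form>
HTML

Input = Struct.new(:name, :type)

# Pull name/type out of every <input> tag. A regex scan is enough for this
# constructed sample; use a real HTML parser for arbitrary pages.
def extract_inputs(html)
  html.scan(/<input\b[^>]*>/i).map do |tag|
    attrs = tag.scan(/([\w-]+)\s*=\s*"([^"]*)"/).to_h { |k, v| [k.downcase, v] }
    next unless attrs['name']

    Input.new(attrs['name'], attrs.fetch('type', 'text').downcase)
  end.compact
end

# Classify every input against the exclusion patterns:
#   :excluded             hidden input removed from the audit (intended)
#   :excluded_user_input  visible input removed too (lost audit coverage)
#   :hidden_in_scope      hidden input still audited (may carry form state)
#   :audited              visible input still audited
def preview(inputs, patterns)
  regexes = patterns.map { |p| Regexp.new(p) }
  inputs.map do |input|
    hit    = regexes.find { |r| r.match?(input.name) }
    hidden = input.type == 'hidden'
    status = if hit
               hidden ? :excluded : :excluded_user_input
             else
               hidden ? :hidden_in_scope : :audited
             end
    { name: input.name, type: input.type, status: status, pattern: hit&.source }
  end
end

if __FILE__ == $PROGRAM_NAME
  [
    ['javax.faces.ViewState', 'j_idt'],
    ['javax.faces.ViewState', 'j_idt', '[Ff]orm$']
  ].each do |patterns|
    puts "patterns: #{patterns.join('  ')}"
    preview(extract_inputs(SAMPLE_HTML), patterns).each do |row|
      puts format('  %-24s %-7s %-20s %s', row[:name], row[:type], row[:status], row[:pattern])
    end
  end
end
```

<p>With only the first two patterns, the hidden <code>myForm</code> input stays in scope and the visible <code>myForm:j_idt12</code> field is excluded, which are the two side effects reported in the thread.</p>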