scope-page-limit does not restrict max pages
When launching a scan with the following options on the latest
nightly build:
/opt/arachni/bin/arachni http://192.168.24.173/ \
--checks=*,-sql_injection_timing,-code_injection_timing,-os_cmd_injection_timing \
--scope-directory-depth-limit=6 \
--scope-page-limit=1000 \
--scope-dom-depth-limit=2 \
--scope-exclude-pattern='\/server_privileges.php|logout' \
--scope-auto-redundant=2 \
--browser-cluster-ignore-images \
--browser-cluster-job-timeout=0 \
--http-request-timeout=5000 \
--audit-with-raw-payloads \
--http-user-agent='Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'
The scan surpasses the max page limit set with --scope-page-limit:
[~] Audited 3235 pages.
[~] Audit limited to a max of 1000 pages.
Shouldn't the scan stop at "Audited 1000 pages"?
Support Staff 1 Posted by Tasos Laskos on Jan 21, 2016 @ 08:55 PM
The limit is enforced on the sitemap (i.e. unique URLs) rather than the DOM snapshots of a page.
For example, a single-page app (that doesn't use URL fragments) will have multiple states that need to be audited but will be reported as just one page.
I should make this clearer in the CLI output though; the current phrasing is there from before the addition of a browser environment.
Does that explain your situation or shall I start looking for bugs?
2 Posted by wspires on Jan 21, 2016 @ 09:13 PM
Ok. I think I get what you are saying. I have multiple apps on this target and I know of at least one that is a single-page app that could be causing what you describe. Just to be clear, "Audited xyz pages" doesn't mean just unique pages in the sitemap and includes any additional page state changes (DOM snapshots) that need to be audited per actual page? Is there a way to limit how many DOM snapshots are audited per page or in total per scan?
Support Staff 3 Posted by Tasos Laskos on Jan 21, 2016 @ 09:25 PM
Yeah, you got the right idea.
There are no such options but they're worth considering; you can open a feature request on GitHub if you'd like.
Tasos Laskos closed this discussion on Jan 21, 2016 @ 10:18 PM.
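A simplified model of the behaviour described in this thread, added here as an illustration and not taken from Arachni's code: the page limit applies to unique URLs in the sitemap, while the audited-page counter also counts DOM snapshots. The class, `simulate`, the `target.example` URLs, the state counts (constructed so the total matches the figure in the post) and the `snapshot_cap` parameter are assumptions; `snapshot_cap` is hypothetical and is not an Arachni option.

```ruby
require 'set'

# Simplified model, not Arachni's implementation.
class ScopeModel
  attr_reader :sitemap, :audited

  def initialize(page_limit:, snapshot_cap: nil)
    @page_limit   = page_limit    # models --scope-page-limit
    @snapshot_cap = snapshot_cap  # hypothetical per-URL cap, not an Arachni option
    @sitemap      = Set.new       # unique URLs accepted into scope
    @snapshots    = Hash.new(0)   # DOM snapshots audited per URL
    @audited      = 0             # what "Audited N pages" would report
  end

  # Offer one page state to the audit; returns true if it was audited.
  def push(url, dom_snapshot: false)
    unless @sitemap.include?(url)
      # The limit is checked only when a new unique URL is about to be added.
      return false if @sitemap.size >= @page_limit
      @sitemap << url
    end
    if dom_snapshot
      return false if @snapshot_cap && @snapshots[url] >= @snapshot_cap
      @snapshots[url] += 1
    end
    @audited += 1
    true
  end
end

# Constructed target: `urls` plain pages plus one single-page app whose
# states all share a single URL (no URL fragments).
def simulate(page_limit:, urls:, spa_states:, snapshot_cap: nil)
  scope = ScopeModel.new(page_limit: page_limit, snapshot_cap: snapshot_cap)
  app   = 'http://target.example/app'
  scope.push(app)
  spa_states.times { scope.push(app, dom_snapshot: true) }
  urls.times { |i| scope.push("http://target.example/page/#{i}") }
  { sitemap: scope.sitemap.size, audited: scope.audited }
end

p simulate(page_limit: 1000, urls: 1500, spa_states: 2235)
p simulate(page_limit: 1000, urls: 1500, spa_states: 2235, snapshot_cap: 10)
```

The sitemap never exceeds 1000 entries in either run; only the audited count changes, which is why the two CLI lines in the original post are not contradictory.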