scope-page-limit does not restrict max pages

wspires

Jan 21, 2016 @ 08:32 PM

When launching a scan with the following options on the latest nightly build:

/opt/arachni/bin/arachni http://192.168.24.173/ \
--checks=*,-sql_injection_timing,-code_injection_timing,-os_cmd_injection_timing \
--scope-directory-depth-limit=6 \
--scope-page-limit=1000 \
--scope-dom-depth-limit=2 \
--scope-exclude-pattern='\/server_privileges.php|logout' \
--scope-auto-redundant=2 \
--browser-cluster-ignore-images \
--browser-cluster-job-timeout=0 \
--http-request-timeout=5000 \
--audit-with-raw-payloads \
--http-user-agent='Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'

The scan surpasses the max page limit set with --scope-page-limit:

 [~] Audited 3235 pages.
 [~] Audit limited to a max of 1000 pages.

Shouldn't the scan stop at "Audited 1000 pages"?

  1. Support Staff 1 Posted by Tasos Laskos on Jan 21, 2016 @ 08:55 PM

    The limit is enforced on the sitemap (i.e. unique URLs) rather than the DOM snapshots of a page.
    For example, a single-page app (that doesn't use URL fragments) will have multiple states that need to be audited but will be reported as just one page.

    I should make this clearer in the CLI output though; the current phrasing is there from before the addition of a browser environment.

    Does that explain your situation or shall I start looking for bugs?

  2. 2 Posted by wspires on Jan 21, 2016 @ 09:13 PM

    Ok. I think I get what you are saying. I have multiple apps on this target and I know of at least one that is a single-page app that could be causing what you describe. Just to be clear, "Audited xyz pages" doesn't mean just unique pages in the sitemap and includes any additional page state changes (DOM snapshots) that need to be audited per actual page? Is there a way to limit how many DOM snapshots are audited per page or in total per scan?

  3. Support Staff 3 Posted by Tasos Laskos on Jan 21, 2016 @ 09:25 PM

    Yeah, you got the right idea.
    There are no such options, but they're worth considering; you can open a feature request on GitHub if you'd like.

  4. Tasos Laskos closed this discussion on Jan 21, 2016 @ 10:18 PM.
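
The accounting described in the replies above, as a simplified model. This is an added example, not Arachni's code and not part of the original discussion. The ScanModel class, the URLs and the page states are constructed, and the way the DOM depth limit is applied here is an assumption.

```ruby
require 'set'

# Simplified model of the accounting described in the thread; NOT Arachni's code.
class ScanModel
  attr_reader :sitemap, :audited, :per_url

  def initialize(page_limit:, dom_depth_limit:)
    @page_limit      = page_limit
    @dom_depth_limit = dom_depth_limit
    @sitemap         = Set.new      # unique URLs: what the page limit caps
    @audited         = 0            # every audited page state (DOM snapshot)
    @per_url         = Hash.new(0)  # audited states per URL
  end

  # Returns true when the page state gets audited.
  def audit(url, dom_depth)
    # Assumption: states deeper than the DOM depth limit are skipped.
    return false if dom_depth > @dom_depth_limit
    unless @sitemap.include?(url)
      # The page limit only blocks URLs that are new to the sitemap.
      return false if @sitemap.size >= @page_limit
      @sitemap << url
    end
    @audited += 1
    @per_url[url] += 1
    true
  end
end

# Constructed input: [url, dom_depth]; depth 0 is the initial page load.
CONSTRUCTED_STATES = [
  ['http://target.example/', 0],
  ['http://target.example/about', 0],
  ['http://target.example/app/', 0],   # single-page app, one URL
  ['http://target.example/app/', 1],
  ['http://target.example/app/', 1],
  ['http://target.example/app/', 2],
  ['http://target.example/app/', 2],
  ['http://target.example/app/', 3],   # beyond the DOM depth limit
  ['http://target.example/contact', 0] # 4th unique URL, over the page limit
].freeze

def run_model(page_limit: 3, dom_depth_limit: 2)
  model = ScanModel.new(page_limit: page_limit, dom_depth_limit: dom_depth_limit)
  CONSTRUCTED_STATES.each { |url, depth| model.audit(url, depth) }
  model
end

m = run_model
puts "Sitemap URLs: #{m.sitemap.size}, audited page states: #{m.audited}"
m.per_url.sort_by { |_, n| -n }.each { |url, n| puts "  #{n}  #{url}" }
```

With a page limit of 3 the sitemap stops at three URLs, yet the audited counter is higher because the single-page app contributes several states under one URL; the per-URL breakdown shows which URL inflates the count.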
