Arachni 2.0: Infinite loop while scanning

stefan's Avatar

stefan

25 Dec, 2016 10:41 PM

I have several problems scanning a website with arachni (version 2.0). The scan seems to hang in an infinite loop. The setup is using a crawl profile (trainer activated).

The arachni scan behaves a little bit strange:
1: The css and javascript files are downloaded each time a html-page ist loaded even when the urls to these files are the same in each html-page. I thought each of these files should be downloaded only once because the url to a file is the same in each html-page.

2: The scan seems to load a html-page in an infinite loop. After setting a redundant path pattern for this page another page is processed with an infinite loop. Arachni discovers 480 pages and has performed 140.000 requests when I stopped the scan run (after running for 3 hours).

The website is not accessible from the internet, but it's almost the same than http://gsb-sl.gsb.bund.de/DE/Home/home_node.html.

Is there a debugging configuration that could help to understand the strange scan behaviour?

  1. Support Staff 1 Posted by Tasos Laskos on 26 Dec, 2016 10:24 PM

    Tasos Laskos's Avatar

    Can you please show me the system output that lead you to believe there is an infinite loop?

    Cheers

  2. 2 Posted by stefan on 27 Dec, 2016 07:14 PM

    stefan's Avatar

    I set up a reduced profile that should scan only two html-pages and attached the output of my last arachni run (see also healthmap in attachment). Even with this scan configuration the scanner doesn't terminate and reloads both html-pages and the linked resources (css, js,...) in a loop.

    In my arachni configuration burp-proxy was used so that I noticed that the different requests to the html-pages and other resources were all the same (URL, query-string, cookies). In my understanding each unique resource should be loaded only once or almost a few times. This doesn't work with my tested websites.

    I attached the output of an arachni run with --output-verbose that was stopped after a while.

    Thanks in advance

  3. Support Staff 3 Posted by Tasos Laskos on 27 Dec, 2016 07:24 PM

    Tasos Laskos's Avatar

    The page must be generating an infinite number of DOM states, any chance I can access the site to see exactly what's going on?

  4. 4 Posted by stefan on 27 Dec, 2016 08:35 PM

    stefan's Avatar

    Yes there is an option, but I would like to provide some information by private email cause they should not be available for anyone.

  5. Support Staff 5 Posted by Tasos Laskos on 28 Dec, 2016 01:45 PM

    Tasos Laskos's Avatar

    Here you go: tasos[dot]laskos[at]arachni-scanner[dot]com

  6. Tasos Laskos closed this discussion on 05 Feb, 2017 11:14 AM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac