Arachni 2.0: Infinite loop while scanning
I have several problems scanning a website with arachni (version 2.0). The scan seems to hang in an infinite loop. The setup is using a crawl profile (trainer activated).
The arachni scan behaves a little bit strange:
1: The css and javascript files are downloaded each time an html-page is loaded even when the urls to these files are the same in each html-page. I thought each of these files should be downloaded only once because the url to a file is the same in each html-page.
2: The scan seems to load an html-page in an infinite loop. After setting a redundant path pattern for this page another page is processed with an infinite loop. Arachni discovers 480 pages and has performed 140.000 requests when I stopped the scan run (after running for 3 hours).
The website is not accessible from the internet, but it's almost the same as http://gsb-sl.gsb.bund.de/DE/Home/home_node.html.
Is there a debugging configuration that could help to understand the strange scan behaviour?
Support Staff 1 Posted by Tasos Laskos on 26 Dec, 2016 10:24 PM
Can you please show me the system output that led you to believe there is an infinite loop?
Cheers
2 Posted by stefan on 27 Dec, 2016 07:14 PM
I set up a reduced profile that should scan only two html-pages and attached the output of my last arachni run (see also healthmap in attachment). Even with this scan configuration the scanner doesn't terminate and reloads both html-pages and the linked resources (css, js,...) in a loop.
In my arachni configuration burp-proxy was used so that I noticed that the different requests to the html-pages and other resources were all the same (URL, query-string, cookies). In my understanding each unique resource should be loaded only once or almost a few times. This doesn't work with my tested websites.
I attached the output of an arachni run with --output-verbose that was stopped after a while.
Thanks in advance
Support Staff 3 Posted by Tasos Laskos on 27 Dec, 2016 07:24 PM
The page must be generating an infinite number of DOM states, any chance I can access the site to see exactly what's going on?
4 Posted by stefan on 27 Dec, 2016 08:35 PM
Yes, there is an option, but I would like to provide some information by private email because they should not be available for anyone.
Support Staff 5 Posted by Tasos Laskos on 28 Dec, 2016 01:45 PM
Here you go: tasos[dot]laskos[at]arachni-scanner[dot]com
Tasos Laskos closed this discussion on 05 Feb, 2017 11:14 AM.