False positives

John

04 Feb, 2017 03:54 PM

Hello, testing nightlies (12-Jan-2017 10:50) on a Win 8.1 x64 platform. Problem: Arachni finds FP (unexploitable) vulns in cookie parameters; everything but this seems to be OK. Is this an Arachni problem or did I do something wrong? Hope for your help :)

  1. Support Staff 1 Posted by Tasos Laskos on 04 Feb, 2017 03:57 PM

    I'm going to need more info: what types of FPs? What payloads are used?
    Having the entire AFR report would be most helpful.

  2. 2 Posted by John on 04 Feb, 2017 04:02 PM

    http://rgho.st/private/8YTdpWsPM/a40a35bdb5b5dbfdf10194ae7e9af299 will delete after you have downloaded it :)

  3. Support Staff 3 Posted by Tasos Laskos on 04 Feb, 2017 04:03 PM

    Got it thanks.

  4. Support Staff 4 Posted by Tasos Laskos on 04 Feb, 2017 04:57 PM

    Something really strange must have been going on for that FP to occur, I think CloudFlare interfered with the scan.

  5. 5 Posted by John on 04 Feb, 2017 05:09 PM

    I had such a thought too. Is there a chance to make Arachni more friendly to CloudFlare? It's really common to leave it as it is.

  6. Support Staff 6 Posted by Tasos Laskos on 04 Feb, 2017 05:23 PM

    Maybe if you reduce the HTTP request concurrency CF won't cut you off randomly.

  7. 7 Posted by John on 04 Feb, 2017 06:06 PM

    And is there no software-side solution other than reducing the concurrency level?

  8. Support Staff 8 Posted by Tasos Laskos on 04 Feb, 2017 06:14 PM

    Arachni is already doing a great many things behind the scenes to make the differential analysis accurate, but you can only do so much.
    If something interferes at the wrong time then you can get FPs.

    All of this is irrelevant, however, because Arachni isn't meant to scan things that are behind security measures. It's just meant to scan webapps.
    The moment you put a system behind a firewall (or IDS, or IPS, or anything) you stop testing that system and start testing the security measure instead, and that's not Arachni's purpose.

    My best advice would be to lower the concurrency level and the browser cluster pool size.

    Well, actually my best advice would be to ask your client to set up a testing version of the site for you to scan, or at least add a subdomain that does not go through CloudFlare, or anything else for that matter.

  9. 9 Posted by John on 04 Feb, 2017 06:28 PM

    Oh, thanks a lot. I have one more question: is "HTTP request concurrency limit: 20" meant per browser or for the whole cluster?

  10. Support Staff 10 Posted by Tasos Laskos on 04 Feb, 2017 06:40 PM

    It's a bit different, the HTTP request concurrency applies to operations that don't involve browsers.

    For example, you see a lot of status messages (the blue ones) that say something like:

     [*] Path Traversal: Auditing cookie input 'username' pointing to: 'http://testhtml5.vulnweb.com/logout'

    And after a lot of these are shown, you then see a lot of messages like:

     [*] Path Traversal: Analyzing response #35462 for cookie input 'username' pointing to: 'http://testhtml5.vulnweb.com/logout'

    That's where the HTTP request concurrency applies.
    For efficiency, the browsers operate in parallel to the non-browser operations and are each allowed a fixed 4 requests at a time.

    So, at a given time with default settings, the maximum amount of open connections to the site can be calculated as:

     http_request_concurrency + (browser_cluster_pool_size * 4) => 20 + (6 * 4) => 44

    That's the absolute worst-case scenario though and is highly unlikely; usually the browsers will only have one connection open at the most, so it's more like:

     http_request_concurrency + browser_cluster_pool_size => 20 + 6 => 26

    Hence, if you lower the --http-request-concurrency and the --browser-cluster-pool-size defaults, CloudFlare might leave you alone, although I doubt it; you'll still be attacking the site, just not as fiercely, so it'll probably raise flags again.

    For a reliable scan, you'll need direct access to the webapp.

  11. 11 Posted by John on 04 Feb, 2017 06:47 PM

    Thanks, now it's clearer for me. I started Arachni again (same website) and it found the same FP (2/4); mustn't they be random (different) in case of a CloudFlare block? (bigger concurrency)

  12. Support Staff 12 Posted by Tasos Laskos on 04 Feb, 2017 07:02 PM

    Either something else is the problem or CloudFlare cares more about that specific resource, which isn't unlikely since they cache assets and that URL points to a JS file.

    Excluding the __cfduid cookie from the scan may help: --audit-exclude-vector=__cfduid

  13. 13 Posted by John on 04 Feb, 2017 07:30 PM

    Tried to exclude it. Same link, but 1 another parameter + 1 same (_ym_uid); 12 concurrency instead of 20.

  14. Support Staff 14 Posted by Tasos Laskos on 04 Feb, 2017 07:35 PM

    I'll run some tests to see what's going on but I'm not very optimistic. I'll keep you updated.

  15. 15 Posted by John on 04 Feb, 2017 07:37 PM

    ok, waiting for response :)

  16. Support Staff 16 Posted by Tasos Laskos on 04 Feb, 2017 10:27 PM

    CloudFlare isn't interfering for security reasons; it tries to minify the JS file but it's not being consistent, and the file has its JS formatting changed about 2-3% of the time.

    Again, Arachni takes measures against random server behavior, but if it happens at the wrong time it can still result in FPs. And it's almost impossible to identify random behavior when it happens so rarely.

    I'm closing this discussion and moving the issue to: https://github.com/Arachni/arachni/issues/836

    Thanks a lot for the feedback.
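The failure mode diagnosed in this thread, as an added example that is not Arachni's own code and not something the support staff posted: an intermediary that rewrites the same asset only once in a while (here, a JS file that comes back minified a few percent of the time) makes a control and a probe response differ for reasons unrelated to the injected cookie value, and a one-shot differential check reports that as a vulnerability. The toy below compares a naive check with a hardened one that samples the control several times and requires a hit to be reproducible before it is reported. The response bodies, the `ScriptedServer` and `ReactiveServer` stand-ins and the `:clean`/`:vulnerable`/`:inconclusive` verdicts are all constructed for this illustration; Arachni's real differential analysis is considerably more involved and is not reproduced here.

```ruby
# Added example, not Arachni's own code: a toy differential-analysis check
# showing how a flaky upstream (an asset minified only some of the time)
# becomes a false positive, and one mitigation: sample the control
# response several times and demand that any hit be reproducible.

# Constructed sample bodies: the same asset served normally and as
# rewritten by a minifying intermediary.
ORIGINAL_JS = "function greet(name) {\n  return 'Hello, ' + name;\n}\n"
MINIFIED_JS = "function greet(name){return 'Hello, '+name}"

# Stand-in for the remote site: hands out scripted responses in order,
# regardless of the cookie value sent, so a rare flip can be placed at
# exactly the wrong moment.
class ScriptedServer
  def initialize(responses)
    @responses = responses.dup
  end

  def fetch(_cookie_value)
    @responses.shift or raise "script exhausted"
  end
end

# Stand-in for a site whose behaviour really does depend on the cookie.
class ReactiveServer
  def fetch(cookie_value)
    cookie_value == "baseline" ? ORIGINAL_JS : "HTTP 500: unexpected cookie value"
  end
end

# Naive check: one control request, one probe request; any difference is a hit.
def naive_check(server, payload)
  control = server.fetch("baseline")
  probe   = server.fetch(payload)
  control == probe ? :clean : :vulnerable
end

# Hardened check:
#  1. fetch the control several times; if the control itself varies, the
#     vector is unstable and a difference proves nothing;
#  2. on a difference, repeat the probe and require the same differing body,
#     so a one-off upstream flip is not counted as a hit.
def robust_check(server, payload, samples: 3)
  controls = Array.new(samples) { server.fetch("baseline") }
  return :inconclusive if controls.uniq.size > 1

  probe = server.fetch(payload)
  return :clean if probe == controls.first

  confirm = server.fetch(payload)
  confirm == probe ? :vulnerable : :inconclusive
end

if __FILE__ == $PROGRAM_NAME
  # The minified variant lands on the probe request: the naive check reports an FP.
  puts naive_check(ScriptedServer.new([ORIGINAL_JS, MINIFIED_JS]), "probe-value")
  # Same flip, but the hardened check refuses to call it a vulnerability.
  puts robust_check(ScriptedServer.new([ORIGINAL_JS] * 3 + [MINIFIED_JS, ORIGINAL_JS]), "probe-value")
  # A site that genuinely reacts to the cookie is still reported.
  puts robust_check(ReactiveServer.new, "probe-value")
end
```

The price of the hardened check is extra requests per input vector, which is exactly the trade-off the thread keeps running into: more requests per vector at lower concurrency means a slower scan, and a flip that happens only 2-3% of the time can still slip past a handful of samples. Direct access to the application, without the intermediary, removes the variability instead of merely averaging it out.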

  17. Tasos Laskos closed this discussion on 04 Feb, 2017 10:27 PM.
