<p>Arachni: Discussion, FP in cookie #2 (tag:support.arachni-scanner.com,2012-07-01:/discussions/problems/4222-fp-in-cookie-2), last updated 2017-03-27T14:19:20Z</p>

<p>John, 2017-03-21T17:35:12Z:</p>
<div><p>vuln:</p></div>

<p>Tasos Laskos, 2017-03-22T05:08:10Z:</p>
<div><p>Can you attach the full issue data rather than just the vector please?</p></div>

<p>John, 2017-03-22T11:27:43Z:</p>
<div><p>Of course, sent it via email :)</p></div>

<p>Tasos Laskos, 2017-03-22T13:41:47Z:</p>
<div><p>Got it, thanks.</p></div>

<p>Tasos Laskos, 2017-03-24T13:44:44Z:</p>
<div><p>I tried to reproduce a few but I couldn't, and I don't want to run a full scan against a production server.<br>
I'll leave this issue open, so if you come across any more such cases please let me know; I hope the new cases will be more clear-cut.</p></div>

<p>John, 2017-03-24T13:50:40Z:</p>
<div><p>I've got two more already; they are the same: in a cookie, with a strange vector.</p></div>

<p>Tasos Laskos, 2017-03-24T13:51:38Z:</p>
<div><p>Same site?</p></div>

<p>John, 2017-03-24T13:58:13Z (edited 2017-03-24T13:58:42Z):</p>
<div><p>No, another. I need some time to find the scan logs, will send them as soon as I find them.</p></div>

<p>Tasos Laskos, 2017-03-24T13:58:58Z:</p>
<div><p>Great, thanks.</p></div>

<p>John, 2017-03-24T16:03:44Z:</p>
<div><p>Sent via email.</p></div>

<p>Tasos Laskos, 2017-03-25T13:24:23Z (edited 2017-03-25T13:26:38Z):</p>
<div><p>You seem to be killing the DB, and at some point during the gathering of the responses for the differential analysis the sites return errors; this leads to the data being corrupted and to the FP.</p>
<p>Problem is that you can't get around this. There are safeguards in place to prevent this to an extent, but if the error occurs at precisely the right time in the right way then you'll get an FP.</p>
<p>The only way to fix this issue is to lower the HTTP concurrency setting to a level that doesn't stress the server.<br>
Also, since the DB gets shot, this can lead not only to FPs but to FNs too, since you're basically disabling the sites for a short while.</p></div>

<p>John, 2017-03-26T17:31:01Z:</p>
<div><p>It can't be server stress because:</p>
<ol>
<li>Responses are stable during the whole scan</li>
<li>FPs appear at the same place every time I tried to rescan (all websites)</li>
</ol>
<p>So it still seems to me to be an Arachni-side problem. Do you have any other ideas about such cases?</p></div>

<p>Tasos Laskos, 2017-03-26T17:43:04Z:</p>
<div><ol>
<li>That's not relevant, I said the DB server got stressed, not the HTTP one. In fact, response times would be better if the DB server had died or stopped responding due to some usage allotment being exceeded, because you'd get an immediate error.</li>
<li>If a usage limit was indeed exceeded it would happen at the same time, wouldn't it? The same amount of requests would be made, after which you'd get the error.</li>
</ol>
<p>Also, one of the pages in the JSON report you provided actually was for a DB error page, so I'm fairly certain I'm right.<br>
In addition, the issues couldn't be reproduced individually, so that also points to Arachni not being the issue, but to the server changing its behavior at some point during the scan.</p>
<p>If you get more such issues I would love to see them, but so far everything points to the problem being server-side rather than Arachni.</p></div>

<p>John, 2017-03-26T17:46:15Z:</p>
<div><p>OK, I'll try tomorrow with a lower concurrency level (what should I use? How many browsers in the cluster?)</p></div>

<p>Tasos Laskos, 2017-03-26T17:47:51Z:</p>
<div><p>I'd say play it safe and set HTTP concurrency to 5 and browsers to 2. It'll take a long time but could prevent the errors. It may not though, I can't know for sure.</p></div>

<p>John, 2017-03-26T17:49:58Z:</p>
<div><p>OK, will send you the results tomorrow.</p></div>

<p>Tasos Laskos, 2017-03-27T14:19:16Z:</p>
<div><p>Summary of e-mail discussion for posterity: Verified as a server issue; the DB started refusing connections and thus results for such scans are meaningless.</p></div>
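The failure mode discussed in this thread, a transient DB error page landing inside a differential-analysis response series, modelled in a toy Ruby script as an added example; this is not Arachni's code, and the error signatures, sample responses and round structure are all constructed for illustration.

```ruby
# Toy differential analysis (added example, not Arachni's code) showing how one
# DB error page inside the response series becomes a false positive, and the
# sanity checks that reject such a series instead of reporting it.
Response = Struct.new(:code, :body)
# Constructed error signatures; a real scanner carries a much longer list.
DB_ERROR_SIGNATURES = [
  /could not connect to server/i,
  /too many connections/i,
  /SQLSTATE\[/
].freeze

def error_page?(resp)
  resp.code >= 500 || DB_ERROR_SIGNATURES.any? { |re| resp.body.match?(re) }
end

# Naive check: a single probe pair, any body difference counts as a finding.
def naive_differential(round)
  round[:true_probe].body != round[:false_probe].body
end

# Guarded check over several rounds of {baseline:, true_probe:, false_probe:}.
# The series is :unreliable if any sample is an error page or the baseline
# drifts between rounds; a finding must also hold in every round, not one.
def guarded_differential(rounds)
  return :unreliable if rounds.flat_map(&:values).any? { |r| error_page?(r) }
  return :unreliable if rounds.map { |r| r[:baseline].body }.uniq.size > 1
  consistent = rounds.all? do |r|
    r[:true_probe].body == r[:baseline].body &&
      r[:false_probe].body != r[:baseline].body
  end
  consistent ? :vulnerable : :clean
end

# Constructed sample responses and series.
PAGE    = Response.new(200, '<html>Welcome back, user 42</html>')
OTHER   = Response.new(200, '<html>No such user</html>')
DB_DOWN = Response.new(200, 'Warning: could not connect to server: Connection refused')
HEALTHY_ROUNDS   = Array.new(3) { { baseline: PAGE, true_probe: PAGE, false_probe: PAGE } }
REAL_DIFF_ROUNDS = Array.new(3) { { baseline: PAGE, true_probe: PAGE, false_probe: OTHER } }
# Round 2's false-branch request landed while the DB was refusing connections.
DB_ERROR_ROUNDS = [
  { baseline: PAGE, true_probe: PAGE, false_probe: PAGE },
  { baseline: PAGE, true_probe: PAGE, false_probe: DB_DOWN },
  { baseline: PAGE, true_probe: PAGE, false_probe: PAGE }
]

if __FILE__ == $0
  p naive_differential(DB_ERROR_ROUNDS[1])  # true: the FP from the thread
  p guarded_differential(DB_ERROR_ROUNDS)   # :unreliable
  p guarded_differential(REAL_DIFF_ROUNDS)  # :vulnerable
end
```

The guarded variant mirrors the reasoning in the thread: a finding that only appears once, or alongside an error page, is treated as corrupted data rather than as a vulnerability.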