API REST server scan doesn't finish

dave

10 May, 2017 09:50 AM

Hi,
I tried the Arachni REST server against an application. I tried the Web GUI scan against the same application, and it finished in something like 30 min.
The REST API scan doesn't finish. After a couple of hours, the tmp directory is still growing until it's full (13 GB).
I tried different configurations to limit the scan but nothing's working...

Do you have any idea how to solve my problem? I didn't find anything helpful on the support pages :(

thanks,

Dave

  1. Posted by Tasos Laskos (Support Staff) on 12 May, 2017 12:31 PM

    Are you sure that you used the same configuration for both the WebUI and the REST API scans?

    Also, I'd like to tackle the disk-usage issue, any chance I can perform an identical scan against that website?

  2. Posted by dave on 12 May, 2017 01:06 PM

    I tried both without any configuration for the scan (just the URL) and with a "JSON export" of the web_ui default configuration, "re-importing" this default JSON config to POST through the REST server.
    I also tried alternative configurations to limit the scope but no success...
    I'm now trying with a Windows machine hosting the REST server... The scan has been running for 2 hours and has reached 500000 requests, but the temp directory seems to remain constant...

  3. Posted by dave on 12 May, 2017 01:07 PM

    The disk is full of these files:
    Arachni_Support_Database_Queue_8500_57257140_3313

  4. Posted by Tasos Laskos (Support Staff) on 12 May, 2017 01:48 PM

    A default scan is different on the WebUI and the REST API.
    On the WebUI it'll use the "Default" profile, on the REST API it'll just perform a crawl since no options were specified for the scan.

    As for the temp files, could I scan the same website to see what's going on?

  5. Posted by dave on 12 May, 2017 02:20 PM

    The site is not exposed on the internet :(
    I will look for another application that can be exposed and try with it first...

    My test is still running (650000 requests). The "temp directory" on my Windows host is contained... so far so good... (10 GB)

  6. Posted by Romain on 12 May, 2017 03:01 PM

    Hi,

    I'm working with dave. To complement the discussion, we export the default profile in JSON from the Web UI (that works fine) and reuse it in the body of the POST request to the REST service.
    Does the REST API always crawl the whole site?
    If we can't share the site, is there any information we can share with you to facilitate the analysis?

    thanks

    regards,

  7. Posted by Tasos Laskos (Support Staff) on 13 May, 2017 01:09 PM

    If the JSON profile has scope restrictions they will be enforced, the system will do what you tell it.

    About debugging the disk usage, I'm afraid I can't do it with logs, I need to do a few scans myself.
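The two answers above make the practical point: a REST API request carrying only a URL gets a crawl and nothing else, and whatever scope limits the JSON profile carries are what the server enforces. The following pre-flight script is an added example, not code from this thread or from the Arachni project: it merges an exported profile with explicit scope limits and flags a body that would run an unbounded crawl before anything is sent. The sample profile is constructed; the endpoint path (`POST /scans`) and the option keys (`url`, `checks`, `scope`, `page_limit`, `exclude_path_patterns`) follow the Arachni REST API documentation as I recall it and should be verified against your installed version.

```python
"""Pre-flight check for an Arachni REST API scan request.

Added example, not code from the thread or from the Arachni project.
Endpoint path and option keys are assumptions based on the Arachni REST API
documentation; verify them against your installed version.
"""
import json
import sys
import urllib.request

# Constructed sample: a trimmed profile of the kind the Web UI exports as JSON.
SAMPLE_PROFILE_JSON = json.dumps({
    "checks": ["xss", "sql_injection"],
    "audit": {"elements": ["links", "forms", "cookies"]},
    "scope": {"exclude_path_patterns": ["logout"]},
})


def build_scan_request(url, profile_json=None, page_limit=None, exclude_patterns=()):
    """Merge an exported profile (if any) with explicit scope limits into a request body."""
    body = json.loads(profile_json) if profile_json else {}
    body["url"] = url
    scope = body.setdefault("scope", {})
    if page_limit is not None:
        scope["page_limit"] = page_limit
    if exclude_patterns:
        existing = list(scope.get("exclude_path_patterns", []))
        scope["exclude_path_patterns"] = existing + [p for p in exclude_patterns if p not in existing]
    return body


def preflight_warnings(body):
    """Return the problems worth catching before this body reaches the REST server."""
    warnings = []
    if not body.get("checks"):
        # Matches the behaviour described in the thread: no options means crawl only.
        warnings.append("no checks configured: the REST server will only crawl")
    scope = body.get("scope", {})
    if not scope.get("page_limit") and not scope.get("exclude_path_patterns"):
        warnings.append("no scope limit: the crawl is unbounded and temp files can fill the disk")
    return warnings


def submit_scan(base_url, body, timeout=30):
    """POST the body to /scans and return the scan id (network call; assumed endpoint)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/scans",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["id"]


if __name__ == "__main__":
    # Usage: python preflight.py <target-url> [<rest-server-base-url>]
    target = sys.argv[1] if len(sys.argv) > 1 else "http://target.example/"  # placeholder
    request_body = build_scan_request(
        target, SAMPLE_PROFILE_JSON, page_limit=500, exclude_patterns=["logout", "signout"]
    )
    for warning in preflight_warnings(request_body):
        print("WARNING:", warning)
    print(json.dumps(request_body, indent=2))
    if len(sys.argv) > 2:  # only contact a server when one is given explicitly
        print("scan id:", submit_scan(sys.argv[2], request_body))
```

Run it with just a target URL to see the merged body and any warnings; passing a REST server base URL as the second argument submits the request. Submitting a bare `{"url": ...}` body trips both warnings, which is the situation the thread describes.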

  8. Posted by dave on 15 May, 2017 09:11 AM

    Is it possible to have a brief exchange via private message? I think we can open a URL to let you debug this issue, but we have to secure it.

    thanks,

    Dave

  9. Posted by Tasos Laskos (Support Staff) on 16 May, 2017 12:09 PM

    Sure, you can reach me at: tasos.laskos[at]arachni-scaner.com

  10. Tasos Laskos closed this discussion on 11 Jun, 2017 10:38 AM.
