No browser jobs when running scan with vector_feed plugin

rgutie01

Jun 16, 2017 @ 02:46 AM

I'm running a scan using the vector feed plugin with a vector.yml file created from a manual crawl of the application. During the scan, I'm noticing that no browser jobs are being kicked off, which would mean no DOM-based checks are being done? Any idea why this would happen?

Sample Command:

./arachni --scope-include-pattern ".*<URL>.*" --scope-exclude-binaries --scope-exclude-pattern ".*sign_(out|in)" --scope-auto-redundant 1 --http-cookie-string "_session_id=<SESSIONID>" --platforms-no-fingerprinting --platforms "linux,sql,pgsql,nginx,ruby,rack,rails" --snapshot-save-path "/tmp" --checks "code_injection,code_injection_timing,file_inclusion,ldap_injection,os_cmd_injection,os_cmd_injection_timing,path_traversal,rfi,source_code_disclosure,sql_injection*,trainer,unvalidated_redirect,unvalidated_redirect_dom,xpath_injection,xss*,xxe,directory_listing,cookie_set_for_parent_domain,hsts,html_objects,http_only_cookies,insecure_cookies,insecure_cors_policy,mixed_resource,private_ip,ssn,x_frame_options,insecure_client_access_policy,insecure_cross_domain_policy_access,origin_spoof_access_restriction_bypass" --http-request-concurrency 5 --audit-links --audit-forms --audit-jsons --audit-ui-forms --audit-ui-inputs --http-request-redirect-limit 2 --plugin=vector_feed:yaml_file="/Users/ron.gutierrez/tools/arachni-1.5.1-0.5.12/vectors.yml" --browser-cluster-pool-size 6 "https://<URL>"
  1. Support Staff 1 Posted by Tasos Laskos on Jun 18, 2017 @ 10:33 AM

    The vector_feed plugin files don't include context that is necessary for DOM operations.

  2. 2 Posted by rgutie01 on Jun 19, 2017 @ 01:45 PM

    That's a shame. I was using the vector_feed plugin to feed in valid POST data for the various actions within our application. I was noticing that when scanning using the crawling mode, it wasn't testing a good chunk of non-GET requests, and if it did, it wouldn't be able to set valid for data.

    Do you have another approach I can take with this so that I can perform a scan that includes DOM checks and also utilizes my input data?

  3. Support Staff 3 Posted by Tasos Laskos on Jun 19, 2017 @ 03:42 PM

    DOM checks should still be performed, just not based on the vector_feed data, same as if you hadn't used that plugin.
