Strange Browser Behavior w/ Arachni_Proxy
After reading a few other support messages related to scanning services, I believe I need to train Arachni via the proxy plugin. My target site uses TLSv1.2 w/ HSTS. When attempting to route my connections through the proxy (I'm running locally), I notice that Chrome doesn't prompt me to validate the cert; it just doesn't seem to ever reach the site, and arachni proxy returns:
[~] Proxy: Ignoring, out of scope: http://127.0.0.1:8282/
[~] Proxy: Ignoring, out of scope: http://127.0.0.1:8282/
In Firefox, I use FoxyProxy, which doesn't prompt for the Arachni cert immediately, but eventually pulls it up and allows me to accept the Arachni Proxy's cert. When doing this, I can connect to the Proxy Panel, but I can't load the target site when I hit https://arachni.proxy or when I attempt to hit the target site directly. When I attempt to load the target site, routed through the proxy, I still get the "Ignoring, out of scope" errors for 127.0.0.1.
At this point, I haven't stored the Arachni PEM permanently, but I thought I'd open a support ticket while I'm in the process of troubleshooting.
Here's my cli string:
arachni https://site.dev --scope-page-limit=0 --checks=*,-common_*,-directory_listing,-backup*,-backdoors --plugin=proxy --audit-jsons --audit-xmls
1 Posted by Neha Chriss on 21 Aug, 2017 06:41 PM
Above, I am trying to connect to https://arachni.proxy:8282 as well, just FYI.
Support Staff 2 Posted by Tasos Laskos on 26 Aug, 2017 04:44 PM
Firstly, Arachni won't work over loopback interfaces like localhost or 127.0.0.*.
Secondly, your target is https://site.dev, not http://127.0.0.1:8282/, so the latter is rightfully ignored.
Also, you need to import the Arachni CA cert into your browser in order for the proxy to work over SSL/TLS.
3 Posted by Neha Chriss on 31 Aug, 2017 07:37 PM
Tasos,
I'm not quite sure how to get arachni to listen on anything other than 127.0.0.1 by default?
Support Staff 4 Posted by Tasos Laskos on 31 Aug, 2017 08:39 PM
Hello,
The proxy listening on 127.0.0.1 is not a problem, that's what's supposed to happen, but the target webapp cannot be on a loopback interface. The proxy messages you see refer to browser requests; if the browser requests anything other than an address that matches the target, the request will be considered out of scope and ignored.
The request will of course be served still, just like with any kind of proxy, but Arachni will not include any knowledge that's gained from it in the audit.
So: https://site.dev and is thusly ignored.
I'm not quite sure if this answers your question, please let me know if you require further clarification.
Cheers
5 Posted by Neha Chriss on 01 Sep, 2017 02:53 PM
Thanks Tasos
That all makes sense. The problem at this point is certificate errors, even after adding the arachni cert to my (OS X) system keychain. Chrome refuses to load the site based on a cert error (NET::ERR_CERT_COMMON_NAME_INVALID), and has a whole host of issues with the cert as it's been generated - Subject Alternative Name Missing, SHA-1 Cert, etc. Firefox at least allows me to create an exception, and prompts me to permit the certificate, but clicking "Get Certificate" causes Arachni to spit out the following:
[2017-09-01 07:28:28 -0700 - 0.0] [!!!] [http/proxy_server/connection#on_close:221] Connection: Closed because: [HTTP::Parser::Error] Could not parse data entirely (0 != 168)
[2017-09-01 07:28:30 -0700 - 0.0] [!!!] [http/proxy_server/connection#on_close:221] Connection: Closed because: [HTTP::Parser::Error] Could not parse data entirely (0 != 168)
With these errors, I'm never able to load the certificate in FF, and so can't create an exception. There's another case where I deselect SSL Proxy options and load the target site. In this case, Firefox can get the certificate, but begins to loop with "Error code: SEC_ERROR_UNKNOWN_ISSUER" after I create the exception. I know the target site uses strong ciphers and HSTS. I'm not sure how to get past this point. I can clearly see the certificate itself is trusted as I've added it to the proper keychain... but otherwise, perhaps I should generate my own cert for arachni proxy?
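The browser complaints in the post above (missing Subject Alternative Name, SHA-1 signature, common name mismatch) can be checked mechanically. The Ruby script below is an added illustration, not Arachni's own code and not part of this thread: it generates a self-signed certificate for a hostname with the properties current browsers require and reports which of those properties any given certificate lacks. The hostname arachni.proxy comes from the thread; the 2048-bit key and one-year validity are assumptions.

```ruby
require 'openssl'

# Build a self-signed certificate the way a modern browser expects it:
# SHA-256 signature and a subjectAltName that carries the hostname.
# Key size and validity period are assumptions for this example.
def make_cert(host, digest: 'SHA256', with_san: true)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3, required for extensions
  cert.serial     = OpenSSL::BN.rand(64)   # random serial, never reused
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{host}")
  cert.issuer     = cert.subject           # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  # Chrome ignores the CN and matches the hostname against the SAN only.
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{host}")) if with_san
  cert.sign(key, OpenSSL::Digest.new(digest))
  [cert, key]
end

# Return the list of properties that would make a browser reject +cert+
# when it is presented for +host+ (empty list means it looks acceptable).
def cert_problems(cert, host)
  problems = []
  problems << 'sha1 signature' if cert.signature_algorithm.match?(/sha1/i)
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  if san.nil?
    problems << 'subjectAltName missing'
  elsif !san.value.split(',').map(&:strip).include?("DNS:#{host}")
    problems << "subjectAltName does not cover #{host}"
  end
  problems << 'expired' if cert.not_after < Time.now
  problems
end

if __FILE__ == $0
  cert, _key = make_cert('arachni.proxy')
  problems = cert_problems(cert, 'arachni.proxy')
  puts(problems.empty? ? 'certificate looks browser-acceptable' : problems.join(', '))
  puts cert.to_pem   # redirect to a .pem file to import into the browser or keychain
end
```

To inspect an existing proxy certificate instead, load it with OpenSSL::X509::Certificate.new(File.read(path)) and pass it to cert_problems with the hostname the browser will request.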
6 Posted by Neha Chriss on 01 Sep, 2017 02:57 PM
Here's more info from Firefox in the second case:
https://site.dev Peer’s Certificate issuer is not recognized.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
Certificate chain: -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----
Support Staff 7 Posted by Tasos Laskos on 06 Sep, 2017 03:18 PM
Hm, maybe newer browser versions are more strict with their cert requirements, I'll look into it.
8 Posted by Neha Chriss on 06 Sep, 2017 05:55 PM
Thanks Tasos. I was able to get this working on a coworker's machine, so my solution was that I needed, um... another browser. But you might want to generate a cert with a stronger cipher suite. Thanks so much!
Support Staff 9 Posted by Tasos Laskos on 12 Sep, 2017 04:31 PM
Thanks for the info Neha, I'll be looking into this.
Tasos Laskos closed this discussion on 12 Sep, 2017 04:31 PM.