Strange Browser Behavior w/ Arachni_Proxy


Neha Chriss

21 Aug, 2017 06:40 PM

After reading a few other support messages related to scanning services, I believe I need to train Arachni via the proxy plugin. My target site uses TLSv1.2 w/ HSTS. When attempting to route my connections through the proxy (I'm running locally), I notice that Chrome doesn't prompt me to validate the cert; it just doesn't seem to ever reach the site, and arachni proxy returns:

[~] Proxy: Ignoring, out of scope: http://127.0.0.1:8282/
[~] Proxy: Ignoring, out of scope: http://127.0.0.1:8282/

In Firefox, I use FoxyProxy, which doesn't prompt for the Arachni cert immediately, but eventually pulls it up and allows me to accept the Arachni Proxy's cert. When doing this, I can connect to the Proxy Panel, but I can't load the target site when I hit https://arachni.proxy or when I attempt to hit the target site directly. When I attempt to load the target site, routed through the proxy, I still get the "Ignoring, out of scope" errors for 127.0.0.1.

At this point, I haven't stored the Arachni PEM permanently, but I thought I'd open a support ticket while I'm in the process of troubleshooting.

Here's my cli string:

arachni https://site.dev --scope-page-limit=0 --checks=*,-common_*,-directory_listing,-backup*,-backdoors --plugin=proxy --audit-jsons --audit-xmls

  1. Posted by Neha Chriss on 21 Aug, 2017 06:41 PM

    Above, I am trying to connect to https://arachni.proxy:8282 as well, just FYI.

  2. Posted by Tasos Laskos (Support Staff) on 26 Aug, 2017 04:44 PM

    Firstly, Arachni won't work over loopback interfaces like localhost or 127.0.0.*
    Secondly, your target is https://site.dev, not http://127.0.0.1:8282/, so the latter is rightfully ignored.

    Also, you need to import the Arachni CA cert into your browser in order for the proxy to work over SSL/TLS.

  3. Posted by Neha Chriss on 31 Aug, 2017 07:37 PM

    Tasos,

    I'm not quite sure how to get arachni to listen on anything other than 127.0.0.1 by default?

  4. Posted by Tasos Laskos (Support Staff) on 31 Aug, 2017 08:39 PM

    Hello,

    The proxy listening on 127.0.0.1 is not a problem, that's what's supposed to happen, but the target webapp cannot be on a loopback interface.

    The proxy messages you see refer to browser requests, if the browser requests anything other than an address that matches the target, the request will be considered out of scope and ignored.
    The request will of course be served still, just like with any kind of proxy, but Arachni will not include any knowledge that's gained from it in the audit.

    So:

    1. You can use a loopback interface for the proxy, but not for the scan.
    2. The proxy messages you see refer to the scan, something (you or the webapp itself, I can't know without access) is requesting a resource over something other than https://site.dev and is thusly ignored.

    I'm not quite sure if this answers your question, please let me know if you require further clarification.

    Cheers
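    The scope rule Tasos describes above (the proxy serves every browser request, but only requests whose scheme, host and port match the scan target feed the audit, and the target itself may not sit on a loopback interface) can be modelled in a few lines. The following is an added illustration, not Arachni's own code; `classify_proxy_request` and the strict scheme/port comparison are assumptions made for the example, and Arachni's real scope options (subdomain inclusion, page limits, etc.) are not reproduced.

```python
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or the name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def in_scope(target_url, request_url):
    """A proxied request is in scope only if it hits the target origin
    (assumption: same scheme, host and port; paths are not restricted)."""
    return canonical(target_url) == canonical(request_url)


def classify_proxy_request(target_url, request_url):
    """Decide what a proxy plugin would do with a browser request.

    Returns one of:
      'refused: ...'     target is on a loopback interface (not scannable)
      'audited'          request matches the target, knowledge is kept
      'Ignoring, out of scope: <url>'   served, but not used in the audit
    """
    if is_loopback(canonical(target_url)[1]):
        return "refused: target on loopback interface"
    if in_scope(target_url, request_url):
        return "audited"
    return f"Ignoring, out of scope: {request_url}"


if __name__ == "__main__":
    # Constructed requests mirroring the thread: the proxy panel on
    # 127.0.0.1:8282 is served but ignored, the target itself is audited.
    for req in ("http://127.0.0.1:8282/", "https://site.dev/login"):
        print(req, "->", classify_proxy_request("https://site.dev", req))
```

    Run it as-is to see the two messages from the thread side by side; the request to the proxy's own panel on 127.0.0.1:8282 produces exactly the "Ignoring, out of scope" line, while a request to the configured target is kept.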

  5. Posted by Neha Chriss on 01 Sep, 2017 02:53 PM

    Thanks Tasos

    That all makes sense. The problem at this point is certificate errors, even after adding the arachni cert to my (OS X) system keychain. Chrome refuses to load the site based on a cert error (NET::ERR_CERT_COMMON_NAME_INVALID), and has a whole host of issues with the cert as it's been generated - Subject Alternative Name Missing, SHA-1 Cert, etc. Firefox at least allows me to create an exception, and prompts me to permit the certificate, but clicking "Get Certificate" causes Arachni to spit out the following:

    [2017-09-01 07:28:28 -0700 - 0.0] [!!!] [http/proxy_server/connection#on_close:221] Connection: Closed because: [HTTP::Parser::Error] Could not parse data entirely (0 != 168)
    [2017-09-01 07:28:30 -0700 - 0.0] [!!!] [http/proxy_server/connection#on_close:221] Connection: Closed because: [HTTP::Parser::Error] Could not parse data entirely (0 != 168)

    With these errors, I'm never able to load the certificate in FF, and so can't create an exception. There's another case where I deselect SSL Proxy options and load the target site. In this case, Firefox can get the certificate, but begins to loop with
    "Error code: SEC_ERROR_UNKNOWN_ISSUER" after I create the exception. I know the target site uses strong ciphers and HSTS. I'm not sure how to get past this point. I can clearly see the certificate itself is trusted as I've added it to the proper keychain, but otherwise, perhaps I should generate my own cert for arachni proxy?

  6. Posted by Neha Chriss on 01 Sep, 2017 02:57 PM

    Here's more info from Firefox in the second case:

    https://site.dev Peer’s Certificate issuer is not recognized.
    HTTP Strict Transport Security: false
    HTTP Public Key Pinning: false

    Certificate chain: -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE-----
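    The two Chrome complaints quoted in post 5 (NET::ERR_CERT_COMMON_NAME_INVALID and "Subject Alternative Name Missing") come from the same root cause: current browsers match the requested hostname only against the certificate's subjectAltName entries and no longer fall back to the Common Name. The checker below, added here as an illustration and not part of Arachni or of the posts above, applies that rule to certificates in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns. The two sample certificates are constructed for the example (they are not Arachni's real proxy certificate), and `evaluate_cert` is a hypothetical helper name. Note that `getpeercert()` does not expose the signature algorithm, so the SHA-1 complaint is not something this shape of data can detect.

```python
import ssl
import time

# Constructed sample certificates in getpeercert() dict form (not real certs).
CN_ONLY_CERT = {
    "subject": ((("commonName", "arachni.proxy"),),),
    "issuer": ((("commonName", "Example CA (constructed)"),),),
    "notAfter": "Aug 21 00:00:00 2030 GMT",
    # no "subjectAltName": the case a browser reports as SAN missing
}
SAN_CERT = {
    "subject": ((("commonName", "arachni.proxy"),),),
    "issuer": ((("commonName", "Example CA (constructed)"),),),
    "notAfter": "Aug 21 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "arachni.proxy"), ("DNS", "*.proxy")),
}


def common_name(cert):
    """Extract the subject CN (for diagnostics only; browsers ignore it)."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def dns_match(pattern, hostname):
    """RFC 6125-style match: a wildcard is only valid as the whole leftmost
    label and only matches a single label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*":
        return False
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and host_tail == tail


def evaluate_cert(cert, hostname, now=None):
    """Return a list of problems a browser would raise for this cert when
    the user navigates to `hostname`; an empty list means it would be accepted
    as far as name matching and validity period go."""
    problems = []
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        problems.append(
            "Subject Alternative Name missing; browsers do not fall back to "
            f"the CN {common_name(cert)!r}"
        )
    elif not any(dns_match(p, hostname) for p in dns_names):
        problems.append(f"{hostname!r} does not match any SAN entry {dns_names}")
    not_after = cert.get("notAfter")
    if not_after and ssl.cert_time_to_seconds(not_after) <= (now or time.time()):
        problems.append(f"certificate expired at {not_after}")
    return problems


if __name__ == "__main__":
    for label, cert in (("CN-only", CN_ONLY_CERT), ("with SAN", SAN_CERT)):
        print(label, "->", evaluate_cert(cert, "arachni.proxy") or "accepted")
```

    The CN-only certificate is rejected for https://arachni.proxy even though its CN is exactly that name, which is the behaviour Chrome showed in the thread; the same certificate reissued with a DNS SAN entry passes. Any CA certificate generated for an intercepting proxy needs SAN entries for the names the browser will request, not just a CN.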

  7. Posted by Tasos Laskos (Support Staff) on 06 Sep, 2017 03:18 PM

    Hm, maybe newer browser versions are more strict with their cert requirements, I'll look into it.

  8. Posted by Neha Chriss on 06 Sep, 2017 05:55 PM

    Thanks Tasos. I was able to get this working on a coworker's machine, so my solution was that I needed, um, another browser. But you might want to generate a cert with a stronger cipher suite. Thanks so much!

  9. Posted by Tasos Laskos (Support Staff) on 12 Sep, 2017 04:31 PM

    Thanks for the info Neha, I'll be looking into this.

  10. Tasos Laskos closed this discussion on 12 Sep, 2017 04:31 PM.
