Arachni - Web Application Security Scanner Framework v1.5.1 Author: Tasos "Zapotek" Laskos (With the support of the community and the Arachni Team.) Website: http://arachni-scanner.com Documentation: http://arachni-scanner.com/wiki [~] No checks were specified, loading all. [~] No element audit options were specified, will audit links, forms, cookies, UI inputs, UI forms, JSONs and XMLs. [*] Initializing... [*] Preparing plugins... [~] Login script: Running the script. [-] [utilities#exception_jail:428] Session: [Watir::Exception::UnknownObjectException] unable to locate element, using {:xpath=>"//*[@id=\"g-recaptcha\"]/div/div/iframe"} [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/components/plugins/login_script.rb:29:in `eval' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/watir-webdriver-0.8.0/lib/watir-webdriver/elements/element.rb:505:in `assert_exists' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/watir-webdriver-0.8.0/lib/watir-webdriver/elements/element.rb:114:in `click' [-] [utilities#exception_jail:428] Session: (eval):6:in `block in prepare' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/components/plugins/login_script.rb:29:in `eval' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/components/plugins/login_script.rb:29:in `block in prepare' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/components/plugins/login_script.rb:47:in `call' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/components/plugins/login_script.rb:47:in `block in prepare' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/session.rb:322:in `call' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/session.rb:322:in `login_from_sequence' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/session.rb:245:in `block in login' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `call' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `exception_jail' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/session.rb:244:in `login' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/components/plugins/login_script.rb:57:in `prepare' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/plugin/manager.rb:69:in `block (2 levels) in run' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `call' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `exception_jail' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/plugin/manager.rb:68:in `block in run' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/plugin/manager.rb:65:in `each' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/plugin/manager.rb:65:in `run' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/framework/parts/state.rb:348:in `prepare' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/framework.rb:110:in `run' [-] [utilities#exception_jail:428] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/ui/cli/framework.rb:80:in `block in run' [-] [utilities#exception_jail:429] Session: [-] [utilities#exception_jail:430] Session: Parent: [-] [utilities#exception_jail:431] Session: Arachni::Session [-] [utilities#exception_jail:432] Session: [-] [utilities#exception_jail:433] Session: Block: [-] [utilities#exception_jail:434] Session: # [-] [utilities#exception_jail:435] Session: [-] [utilities#exception_jail:436] Session: Caller: [-] [utilities#exception_jail:437] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `exception_jail' [-] [utilities#exception_jail:437] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/session.rb:244:in `login' [-] [utilities#exception_jail:437] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/components/plugins/login_script.rb:57:in `prepare' [-] [utilities#exception_jail:437] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/plugin/manager.rb:69:in `block (2 levels) in run' [-] [utilities#exception_jail:437] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `call' [-] [utilities#exception_jail:437] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `exception_jail' [-] [utilities#exception_jail:437] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/plugin/manager.rb:68:in `block in run' [-] [utilities#exception_jail:437] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/plugin/manager.rb:65:in `each' [-] [utilities#exception_jail:437] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/plugin/manager.rb:65:in `run' [-] [utilities#exception_jail:437] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/framework/parts/state.rb:348:in `prepare' [-] [utilities#exception_jail:437] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/framework.rb:110:in `run' [-] [utilities#exception_jail:437] Session: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/ui/cli/framework.rb:80:in `block in run' [-] [utilities#exception_jail:438] Session: -------------------------------------------------------------------------------- [-] [components/plugins/login_script#prepare:59] Login script: [Watir::Exception::UnknownObjectException] unable to locate element, using {:xpath=>"//*[@id=\"g-recaptcha\"]/div/div/iframe"} [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/components/plugins/login_script.rb:29:in `eval' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/watir-webdriver-0.8.0/lib/watir-webdriver/elements/element.rb:505:in `assert_exists' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/watir-webdriver-0.8.0/lib/watir-webdriver/elements/element.rb:114:in `click' [-] [components/plugins/login_script#prepare:59] Login script: (eval):6:in `block in prepare' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/components/plugins/login_script.rb:29:in `eval' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/components/plugins/login_script.rb:29:in `block in prepare' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/components/plugins/login_script.rb:47:in `call' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/components/plugins/login_script.rb:47:in `block in prepare' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/session.rb:322:in `call' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/session.rb:322:in `login_from_sequence' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/session.rb:245:in `block in login' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `call' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `exception_jail' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/session.rb:244:in `login' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/components/plugins/login_script.rb:57:in `prepare' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/plugin/manager.rb:69:in `block (2 levels) in run' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `call' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `exception_jail' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/plugin/manager.rb:68:in `block in run' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/plugin/manager.rb:65:in `each' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/plugin/manager.rb:65:in `run' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/framework/parts/state.rb:348:in `prepare' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/lib/arachni/framework.rb:110:in `run' [-] [components/plugins/login_script#prepare:59] Login script: /home/ubuntu/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/ui/cli/framework.rb:80:in `block in run' [-] [components/plugins/login_script#set_status:99] Login script: An error was encountered while executing the login script. [~] Login script: Aborting the scan. [*] ... done. ================================================================================ [+] Web Application Security Report - Arachni Framework [~] Report generated on: 2019-06-24 17:21:08 +0000 [~] Report false positives at: http://github.com/Arachni/arachni/issues [+] System settings: [~] --------------- [~] Version: 1.5.1 [~] Seed: 5d26099f35a609ef3d600de7a8476242 [~] Audit started on: 2019-06-24 17:21:06 +0000 [~] Audit finished on: 2019-06-24 17:21:08 +0000 [~] Runtime: 00:00:01 [~] URL: https://staging.target.url/login [~] User agent: Arachni/v1.5.1 [*] Audited elements: [~] * Links [~] * Forms [~] * Cookies [~] * XMLs [~] * JSONs [~] * UI inputs [~] * UI forms [*] Checks: common_files, interesting_responses, directory_listing, localstart_asp, xst, webdav, common_admin_interfaces, insecure_cross_domain_policy_headers, http_put, htaccess_limit, allowed_methods, backup_files, insecure_client_access_policy, insecure_cross_domain_policy_access, common_directories, x_frame_options, hsts, mixed_resource, captcha, unencrypted_password_forms, form_upload, http_only_cookies, ssn, html_objects, private_ip, cookie_set_for_parent_domain, emails, credit_card, insecure_cors_policy, insecure_cookies, password_autocomplete, cvs_svn_users, origin_spoof_access_restriction_bypass, backup_directories, backdoors, xxe, unvalidated_redirect, xss_script_context, xpath_injection, response_splitting, xss_path, xss_tag, no_sql_injection_differential, path_traversal, csrf, ldap_injection, code_injection_timing, xss_event, rfi, xss_dom_script_context, file_inclusion, code_injection, sql_injection_differential, xss, xss_dom, trainer, unvalidated_redirect_dom, os_cmd_injection_timing, no_sql_injection, os_cmd_injection, source_code_disclosure, code_injection_php_input_wrapper, session_fixation, sql_injection, sql_injection_timing [~] =========================== [+] 0 issues were detected. [+] Plugin data: [~] --------------- [*] Login script [~] ~~~~~~~~~~~~~~ [~] Description: Loads and sets an external script as the system's login sequence, to be executed prior to the scan and whenever a log-out is detected. The script needn't necessarily perform an actual login operation. If another process is used to manage sessions, the script can be used to communicate with that process and, for example, load and set cookies from a shared cookie-jar. # Ruby ## With browser (slow) If a [browser](http://watir.github.io/) is available, it will be exposed to the script via the `browser` variable. Otherwise, that variable will have a value of `nil`. browser.goto 'http://testfire.net/bank/login.aspx' form = browser.form( id: 'login' ) form.text_field( name: 'uid' ).set 'jsmith' form.text_field( name: 'passw' ).set 'Demo1234' form.submit # You can also configure the session check from the script, dynamically, # if you don't want to set static options via the user interface. framework.options.session.check_url = browser.url framework.options.session.check_pattern = /Sign Off|MY ACCOUNT/ ## Without browser (fast) If a real browser environment is not required for the login operation, then using the system-wide HTTP interface is preferable, as it will be much faster and consume much less resources. response = http.post( 'http://testfire.net/bank/login.aspx', parameters: { 'uid' => 'jsmith', 'passw' => 'Demo1234' }, mode: :sync, update_cookies: true ) framework.options.session.check_url = to_absolute( response.headers.location, response.url ) framework.options.session.check_pattern = /Sign Off|MY ACCOUNT/ ## From cookie-jar If an external process is used to manage sessions, you can keep Arachni in sync by loading cookies from a shared Netscape-style cookie-jar file. http.cookie_jar.load 'cookies.txt' ## Advanced session check configuration In addition to just settings the `check_url` and `check_pattern` options, you can also set arbitrary HTTP request options for the login check, to cover cases where extra tokens or a method other than `GET` must be used. session.check_options = { # :get, :post, :put, :delete method: :post, # URL query parameters. parameters: { 'param1' => 'value' }, # Request body parameters -- can also be a String instead of Hash. body: { 'body_param1' => 'value' }, cookies: { 'custom_cookie' => 'value' }, headers: { 'X-Custom-Header' => 'value' } } # Javascript When the given script has a `.js` file extension, it will be loaded and executed in the browser, within the page of the target URL. document.getElementById( 'uid' ).value = 'jsmith'; document.getElementById( 'passw' ).value = 'Demo1234'; document.getElementById( 'login' ).submit(); [+] An error was encountered while executing the login script. [~] Report saved at: /home/ubuntu/staging.afr [0.0MB] [~] The scan has logged errors: /home/ubuntu/arachni-1.5.1-0.5.12/bin/../system/logs/framework/error-18137.log [~] Audited 0 page snapshots. [~] Duration: 00:00:01 [~] Processed 4/4 HTTP requests. [~] -- 0.0 requests/second. [~] Processed 0/0 browser jobs. [~] -- 0.0 second/job. [~] Burst response time sum 0.148 seconds [~] Burst response count 4 [~] Burst average response time 0.037 seconds [~] Burst average 0.0 requests/second [~] Timed-out requests 0 [~] Original max concurrency 20 [~] Throttled max concurrency 20