Sqli_blind_rdiff module FPs

user021's Avatar


24 Jul, 2013 07:45 AM

I was doing some tests yesterday/today and i think there are some issues with this module, until now i tested a few links and from the data i get from report did try to reproduce actual attack (incuding cookies ) but no success, even passed the affected link to another good scanner and there was no detection, so far it happened on link and headers.

  1. Support Staff 1 Posted by Tasos Laskos on 07 Aug, 2013 12:49 AM

    Tasos Laskos's Avatar
  2. Tasos Laskos closed this discussion on 07 Aug, 2013 12:49 AM.

  3. Tasos Laskos re-opened this discussion on 07 Aug, 2013 01:32 AM

  4. Support Staff 2 Posted by Tasos Laskos on 07 Aug, 2013 01:32 AM

    Tasos Laskos's Avatar

    I better say that I think that I fixed it as I didn't have the means to reproduce your issue.

  5. Tasos Laskos closed this discussion on 07 Aug, 2013 01:32 AM.

  6. user021 re-opened this discussion on 07 Aug, 2013 09:42 AM

  7. 3 Posted by user021 on 07 Aug, 2013 09:42 AM

    user021's Avatar

    I think something went wrong with the fix

    ./arachni --audit-link --link-count=1 --user-agent=Mozila --modules=sqli_blind_rdiff -v 'http://www.uniqlo.com/uk/store/search.do?fid=header_search&qstart=0&qtext=Silk&sort=goods_disp_priority&x=16'+and+'1&y=16'

    -with the fix:
    [~] Sent 4937 requests.
     [~] Received and analyzed 2410 responses.
     [~] In 00:18:47
     [~] Average: 2 requests/second.
    (and still goin)

    -before the fix:
    [~] Sent 2449 requests.
     [~] Received and analyzed 1369 responses.
     [~] In 00:00:52
     [~] Average: 25 requests/second.
    (and finished)

  8. Support Staff 4 Posted by Tasos Laskos on 07 Aug, 2013 02:21 PM

    Tasos Laskos's Avatar

    A few issues:

    1. Hm, I saw that before with the path_traversal module, the increased responses required for more accuracy/coverage end up killing the server. (I may have to reduce the default HTTP request concurrency to keep the servers responsive.)
    2. However, this takes a backseat to the more important issue of the fix not actually fixing the issue. So, I'll try again.
    3. That URL produces different results on each run (finished in 597 responses, then around 600, now 5385), so you can't use it to compare anything.
  9. 5 Posted by user021 on 07 Aug, 2013 03:06 PM

    user021's Avatar

    Yeah it does alot more requests but seems less likely to miss something (the blind rdiff module) just found a vuln on another site that wasn't detected without the fix

    Sent 1057 requests.
     [~] Received and analyzed 1057 responses.
     [~] In 00:14:09
     [~] Average: 1 requests/second.

    [~] Sent 290 requests.
     [~] Received and analyzed 290 responses.
     [~] In 00:01:24
     [~] Average: 3 requests/second.

    ps:with the old version ran the scan twice and had same number of requests (290) but sadly it failed to detect the vuln (confirmed with sqlmap)

  10. Support Staff 6 Posted by Tasos Laskos on 07 Aug, 2013 03:13 PM

    Tasos Laskos's Avatar

    That's great then. The site that behaves weirdly still yields the same FPs, but the coverage has increased in general, so it still comes out on top -- and I just managed to reduce the requests for the updated version too.

    I don't think that I'll be able to do anything for site with the FPs as it changes behavior with each request.

  11. Support Staff 7 Posted by Tasos Laskos on 07 Aug, 2013 09:32 PM

    Tasos Laskos's Avatar

    So, closing this since there's nothing more to be done.

  12. Tasos Laskos closed this discussion on 07 Aug, 2013 09:32 PM.

  13. user021 re-opened this discussion on 03 Sep, 2013 07:30 AM

  14. 8 Posted by user021 on 03 Sep, 2013 07:30 AM

    user021's Avatar

    Might found another fp, when i visit it for the second time without cleaning cookies, down on bottom appears "Recently Viewed " and the book name, also i was trying to repro the attack but without raw request data there's almost no chance since Arachni bruteforces the headers and when there are alooot of requests from the serv, hard to figure out where : ) anyway, from report. ignoring the "Recently Viewed ", one more thing changes, "Add to Bag" to "Add to Chart" .i ran the browser through burp when was trying to Render HTML response from report i seen no changes on User agent, why ?

  15. Support Staff 9 Posted by Tasos Laskos on 03 Sep, 2013 03:53 PM

    Tasos Laskos's Avatar

    Yeah that's a bit tricky, if the page shows recently viewed items these will always change and there's no way to baseline them while the go from none to any and from any to max.

    Will think about it, see if I can come up with something.

  16. 10 Posted by user021 on 21 Sep, 2013 04:30 PM

    user021's Avatar

    This might not be relayed exactly about above example but was reading about blind sqli and step over it " All scanners have capability to specify error page. If you can do that, it would eliminate some junk. " and i can't remember, do we have that feature?

  17. Support Staff 11 Posted by Tasos Laskos on 21 Sep, 2013 04:33 PM

    Tasos Laskos's Avatar

    Arachni doesn't need that but it's not relevant to this particular issue anyways.

  18. 12 Posted by user021 on 22 Sep, 2013 09:34 AM

    user021's Avatar

    Got new possible fp, and for some reason can't render HTML response from report

  19. Support Staff 13 Posted by Tasos Laskos on 22 Sep, 2013 11:53 AM

    Tasos Laskos's Avatar

    There must have been no response then, could you send me the AFR to make sure?

  20. Support Staff 14 Posted by Tasos Laskos on 22 Sep, 2013 02:08 PM

    Tasos Laskos's Avatar

    Btw, I haven't fixed this yet because this is not a straightforward bug, it only happens when the webapp behavior drastically changes between probes, much more than the algorithm can tolerate.

    So until we come across a case which allows me to reproduce this, there's not much I can do.

  21. 15 Posted by user021 on 22 Sep, 2013 03:07 PM

    user021's Avatar

    Well, the initial URL that i sent to be scanned by Arachni opened in browser was apparently no response, just white page, but while opening page source i could see something, the resulting audited URL was still same white page, so i have no idea what confused it. As for the blind rdiff module, id rather it be more comprehensive even if that means it takes longer to run and maybe get some fps than completely miss a vulnerability, anyway, here's the afr report

  22. Support Staff 16 Posted by Tasos Laskos on 25 Sep, 2013 06:30 PM

    Tasos Laskos's Avatar

    I just pushed an update to the RDiff analysis technique: https://github.com/Arachni/arachni/commit/c488d330df0a5e13fc144d25a...

    It should solve your problem, and if not, I should be able to tweak it to solve it.

  23. 17 Posted by user021 on 26 Sep, 2013 07:41 AM

    user021's Avatar

    Is fixed, in the way that doesn't audit it if the response is empty so im wondering, if we go that way can't miss smth more than before the fix in the future?

  24. Support Staff 18 Posted by Tasos Laskos on 26 Sep, 2013 09:22 AM

    Tasos Laskos's Avatar

    I don't think so, this isn't like a compromise I made to remove FPs, it's like a bug I fixed to prevent them.

  25. Tasos Laskos closed this discussion on 26 Sep, 2013 09:22 AM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac