Client server model

Vishal

07 Oct, 2015 01:06 PM

Hi

I am new to Arachni. I want to implement Arachni in the following way. Basically it is a client-server model. A remote client submits a URL (to be scanned) to the scanner server, and the server will scan the requested URL and notify the client once the scan is over. So I would like to know how I can use Arachni for this scenario?

Thanks for your time.

  1. Support Staff 1 Posted by Tasos Laskos on 07 Oct, 2015 01:28 PM

    Hello,

    You can do this, except for the server notifying the client; the client will need to poll for scan progress, see: https://github.com/Arachni/arachni/wiki/RPC-API

    Cheers

  2. Tasos Laskos closed this discussion on 07 Oct, 2015 01:28 PM.

  3. Vishal re-opened this discussion on 07 Oct, 2015 01:40 PM

  4. 2 Posted by Vishal on 07 Oct, 2015 01:40 PM

    Thank you Tasos, and you have done amazing work. Congratulations for that. I went through the RPC API and I am wondering if there is any way to authenticate the client?

  5. Support Staff 3 Posted by Tasos Laskos on 07 Oct, 2015 01:49 PM

    You can set up auth using SSL certificates; SSL will be used regardless, but without any sort of peer verification by default.

    Client -> Dispatcher communications are not restricted, hence if you need to authN/authZ you'll need to go the SSL way.
    Client -> Instance communications are authenticated by specifying a token for each request; that token is provided by the Dispatcher along with the other Instance info as a response to the #dispatch call.

    If you're interested in something more conventional like username/password type auth I'm afraid you'll have to RYO.

  6. 4 Posted by Vishal on 07 Oct, 2015 01:58 PM

    In that case, I should go with the SSL way. Can you throw some light on that?

  7. Support Staff 5 Posted by Tasos Laskos on 07 Oct, 2015 02:21 PM

    The handling of the SSL files is pretty generic, you basically need to focus on the following options for the Dispatcher:

    --ssl-ca FILE           Location of the CA certificate (.pem).
    
    --server-ssl-private-key FILE
                            Location of the server SSL private key (.pem).
    
    --server-ssl-certificate FILE
                            Location of the server SSL certificate (.pem).
    

    (Forget the --ssl-client-* options, those are used when setting up the Dispatchers as a Grid, because in that case they'll also need to be able to communicate with each other.)

    Then the client will need to provide the appropriate SSL info (client-side key and cert etc.) when connecting; the way to do this depends on the client. Are you planning on writing your own or will you be using the provided Ruby libs?

  8. 6 Posted by Vishal on 07 Oct, 2015 02:25 PM

    I don't know Ruby programming.

  9. Support Staff 7 Posted by Tasos Laskos on 07 Oct, 2015 02:30 PM

    How are you interested in utilizing the client-server model?
    Are you looking to integrate (i.e. do this programmatically) or just offload the workload to other machines (i.e. a CLI RPC client utility like arachni_rpc covers you)?

  10. 8 Posted by Vishal on 07 Oct, 2015 02:43 PM

    Second option covers me.

  11. Support Staff 9 Posted by Tasos Laskos on 07 Oct, 2015 02:47 PM

    These are the options you'll need to set for arachni_rpc:

    --ssl-ca FILE           Location of the CA certificate (.pem).
    
    --ssl-private-key FILE  Location of the client SSL private key (.pem).
    
    --ssl-certificate FILE  Location of the client SSL certificate (.pem).
    

    There is plenty of documentation online about creating SSL keys and certs, personally I prefer the tinyca2 utility.
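
The certificate setup discussed in the replies above, as an added example that is not part of the original thread and not Arachni's own code: a constructed private CA signs one server certificate for the Dispatcher and one client certificate for arachni_rpc. The file names, subject names and the `make_pki`/`verify_chain` helpers are assumptions, as is `arachni_rpcd` as the name of the Dispatcher executable; only the SSL options quoted in the thread are shown.

```shell
#!/usr/bin/env bash
# Added example: build a small private PKI for Dispatcher <-> arachni_rpc
# mutual SSL authentication. All names below are constructed for illustration.

# make_pki DIR: create a CA, then a CA-signed key/cert pair for each role.
make_pki() {
  dir=$1
  mkdir -p "$dir" || return 1

  # Self-signed CA certificate; this is the file both sides pass as --ssl-ca.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Constructed Scan CA" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null || return 1

  for role in server client; do
    # Private key plus certificate signing request for this role.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=scan-$role" \
      -keyout "$dir/$role-key.pem" -out "$dir/$role.csr" 2>/dev/null || return 1
    # The CA signs the request, producing the role's certificate.
    openssl x509 -req -in "$dir/$role.csr" -days 365 \
      -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
      -out "$dir/$role-cert.pem" 2>/dev/null || return 1
  done

  # Private keys must not be readable by other local users.
  chmod 600 "$dir"/*-key.pem
}

# verify_chain DIR ROLE: succeeds only if ROLE's certificate chains to the CA.
verify_chain() {
  openssl verify -CAfile "$1/ca.pem" "$1/$2-cert.pem" >/dev/null 2>&1
}

# Run as: ./make_pki.sh pki   (does nothing when no directory is given)
if [ $# -ge 1 ]; then
  make_pki "$1" && verify_chain "$1" server && verify_chain "$1" client \
    && echo "PKI written to $1"
fi

# The files then map onto the options quoted in the thread.
# Dispatcher (executable name assumed, other options omitted):
#   arachni_rpcd --ssl-ca pki/ca.pem \
#     --server-ssl-private-key pki/server-key.pem \
#     --server-ssl-certificate pki/server-cert.pem
# Client (remaining arachni_rpc arguments omitted):
#   arachni_rpc --ssl-ca pki/ca.pem \
#     --ssl-private-key pki/client-key.pem \
#     --ssl-certificate pki/client-cert.pem ...
```

Peer verification against a CA accepts any certificate that CA has signed, so use a CA dedicated to the scanner and keep `ca-key.pem` off the Dispatcher host.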

  12. 10 Posted by Vishal on 07 Oct, 2015 02:55 PM

    Thanks a lot. I will try to implement this and get back to you.

  13. Support Staff 11 Posted by Tasos Laskos on 07 Oct, 2015 02:56 PM

    No problem, closing this for now, feel free to re-open if you need more help.

    Cheers

  14. Tasos Laskos closed this discussion on 07 Oct, 2015 02:56 PM.

  15. Vishal re-opened this discussion on 13 Oct, 2015 03:50 PM

  16. 12 Posted by Vishal on 13 Oct, 2015 03:50 PM

    Hi

    I have a question about the RPC implementation. I haven't worked on RPC previously, so it might be a silly question. Can I program a PHP client and have the RPC server in Ruby (if I am not wrong, you already created it in Ruby)? And is there a PHP implementation for Arachni RPC?

    Thanks

  17. Support Staff 13 Posted by Tasos Laskos on 13 Oct, 2015 06:17 PM

    Yes you can, although there's no PHP client.

    Here's the reference Ruby implementation if you'd like to write your own: https://github.com/Arachni/arachni-rpc

    A REST API will be available for v1.4 so that will make things simpler.

    Btw, since you're integrating, you might want to have a look at the license.

  18. 14 Posted by Vishal on 13 Oct, 2015 07:03 PM

    So I will wait for v1.4. And yes I will look at the license also. Any planned date when 1.4 is coming?

  19. Support Staff 15 Posted by Tasos Laskos on 13 Oct, 2015 07:05 PM

    Not yet, it's too early.
    You can help speed it up though by testing the nightlies.

  20. Support Staff 16 Posted by Tasos Laskos on 13 Oct, 2015 11:21 PM

    You can stay updated on the REST API progress at: https://github.com/Arachni/arachni/issues/624

  21. Tasos Laskos closed this discussion on 13 Oct, 2015 11:21 PM.

  22. Vishal re-opened this discussion on 20 Oct, 2015 01:04 PM

  23. 17 Posted by Vishal on 20 Oct, 2015 01:04 PM

    Hi

    I have installed the Arachni framework with the web UI. I am successfully running scans from the web UI and also the CLI. Now can I submit a URL for scanning programmatically by using a PHP script? Or should I go the RPC way by having the RPC server and client installed on the same server?

    Thanks

  24. Support Staff 18 Posted by Tasos Laskos on 20 Oct, 2015 10:59 PM

    You will need to wait for the REST API for that.

  25. 19 Posted by Vishal on 22 Oct, 2015 12:58 AM

    Ok. Thanks.

  26. 20 Posted by Vishal on 28 Oct, 2015 03:20 PM

    Hi

    I have decided to go for the RPC implementation till your API comes out. I already installed the RPC framework with the web UI. Now to implement RPC, do I have to have an RPC server or is the existing installation good? Also I am writing the client in PHP. And I was going through the RPC pure client's code. You have "instance.call( 'service.scan' )" in your example code. And you also mentioned it should be in the form of "handler.method". So where do I see/find these handlers and methods?

    Regards
    Vishal

  27. Support Staff 21 Posted by Tasos Laskos on 28 Oct, 2015 03:37 PM

    You basically follow the RPC API instructions from the wiki but using your own client instead of the Ruby ones.

  28. 22 Posted by Vishal on 28 Oct, 2015 04:25 PM

    Thanks

  29. Support Staff 23 Posted by Tasos Laskos on 30 Oct, 2015 10:14 AM

    REST service can now be found in the nightlies: https://github.com/Arachni/arachni/issues/624#issuecomment-152437926

  30. Tasos Laskos closed this discussion on 30 Oct, 2015 03:38 PM.

  31. Vishal re-opened this discussion on 05 Nov, 2015 04:23 AM

  32. 24 Posted by Vishal on 05 Nov, 2015 04:23 AM

    Hi Tasos

    Thanks for the REST API. I installed the latest nightlies and started the REST server as per the documentation. Now I am using the Guzzle HTTP client in PHP to perform scanning. But I am getting server error 500 when sending a POST request to http://localhost:7331 . I tried sending a POST request to another URL and it's working, but I got an error for localhost. The snippet of code is attached here. Any kind of support from you will be very helpful for me.

    Thanks

  33. Support Staff 25 Posted by Tasos Laskos on 05 Nov, 2015 04:25 AM

    Can you show me the response data please?

  34. 26 Posted by Vishal on 05 Nov, 2015 04:28 AM

    This is what I get when I run the PHP script.

  35. Support Staff 27 Posted by Tasos Laskos on 05 Nov, 2015 04:33 AM

    That's the backtrace of your HTTP client and doesn't tell me anything about the server error.
    The HTTP response data should help, although I'm not sure how to retrieve it, you'll need to check the documentation of your client.

    Also, I didn't hear back from you regarding your compliance with the license, please verify that you are operating within the specified terms and let me know.

    Cheers

  36. 28 Posted by Vishal on 05 Nov, 2015 04:48 AM

    I will check the documentation to get the HTTP response data and will let you know. And also I am discussing the licence with the higher authority of my company. I assure you that I will complete all licence-related things once I successfully run a scan from the API server.

  37. Support Staff 29 Posted by Tasos Laskos on 05 Nov, 2015 04:54 AM

    Btw, check the output of the REST server, if an error occurred it should have been printed to its console.

  38. 30 Posted by Vishal on 05 Nov, 2015 04:55 AM

    I am not sure whether the following will be helpful for debugging or not, but it is a screenshot of what's happening on the server side as soon as I run the client script.
