<p>Arachni: Discussion</p>
<p>Backup file check</p>
<p>Posted 2016-02-14T07:56:26Z</p>
<div><p>Hello,</p>
<p>Is it actually mydomain.com or did you use that as a
placeholder? (mydomain.com actually exists).</p>
<p>Cheers</p></div>
<p>Tasos Laskos</p>
<p>Posted 2016-02-14T08:02:25Z</p>
<div><p>heh sorry, placeholder :)</p></div>
<p>corelanc0d3r</p>
<p>Posted 2016-02-14T08:06:29Z</p>
<div><p>OK, I'm guessing there's an image at <a href="http://www.mydomain.com/img/gallery/london/image_1.jpg">http://www.mydomain.com/img/gallery/london/image_1.jpg</a>
(probably listed as the "referring page" in the report). One of the
backup filename formats appends numbers, so
<code>image_1</code> becomes <code>image_15</code>, and if it exists
then it gets logged.</p>
<p>By default, Arachni considers all resources to be within the
scan scope; you can, however, <a href="https://github.com/Arachni/arachni/wiki/Command-line-user-interface#scope">
configure</a> it to your liking.</p>
<p>Does that sound like your situation?</p></div>
<p>Tasos Laskos</p>
<p>Posted 2016-02-14T08:11:49Z</p>
<div><p>yep - pretty common scenario actually with image galleries :-)
...</p>
<p>the 'problem' with setting the exclude scope is that it requires
a lot of manual work first, to go through the website tree and find
those cases.</p>
<p>Maybe it would make sense to only flag files that have a number
appended when they are not images?</p></div>
<p>corelanc0d3r</p>
<p>Posted 2016-02-14T08:19:48Z</p>
<div><p>Sounds like a bit of a hassle, but this check is ultimately up
to the user. Like, there could be a legitimate reason for
<code>index.php.bak</code> to exist; it's impossible to actually
tell if something truly is a backup.</p>
<p>And I don't like messing with the scope, so this check utilizes
some enumeration and that should apply to all resources within the
scope, and by default everything is within scope.</p>
<p>Now, if the logged resource was something like a custom 404 or
something, that would be unacceptable and outright an FP and a bug;
in these cases, however, it's up to the user to either configure
Arachni appropriately or use their judgement afterwards.</p>
<p>I do however think that it would be a good idea to add a remark
to these issues, letting the user know how Arachni came to check
for the logged resource and how the filename was manipulated; that
should help clear things up.</p></div>
<p>Tasos Laskos</p>
<p>Posted 2016-02-14T08:22:11Z</p>
<div><p>ok, fair enough. I understand the difficult balance between
finding too much (and finding the one case that is actually legit)
vs reducing false positives.<br>
A remark would definitely help, especially when images are
involved (i.e. image_1.jpg, image_11.jpg, etc.), as those are
almost always FPs. image_1.jpg.bak or anyfile.ext.bak would almost
always trigger my attention. Images not so much.</p></div>
<p>corelanc0d3r</p>
<p>Posted 2016-02-14T09:38:46Z</p>
<div><p>FYI, I played with the "Scope exclude path patterns" field and
noticed that a scan won't even start when using <code>*.jpg</code>
as the exclude pattern. (In fact, I can save/edit the profile, but
I can't export the profile either).</p></div>
<p>corelanc0d3r</p>
<p>Posted 2016-02-14T10:08:07Z</p>
<div><p>The patterns are not wildcards, they're regular expressions, and
the one you provided is invalid; you can instead use
<code>\.jpg$</code>, that'll match <code>jpg</code> extensions.</p>
<p>You should have gotten a nice error message telling you the
above when you tried to save the profile, though. I'll fix this asap
and push a bugfix release.<br>
And I also see that I didn't add the new
<code>--scope-exclude-file-extensions</code> option to the WebUI;
I'll take care of this too.</p></div>
<p>Tasos Laskos</p>
<p>Posted 2016-02-14T10:55:49Z</p>
<div><p>Pushing nightlies now, I'll let you know once they're up so that
you can verify the fixes.</p>
<p>Cheers</p></div>
<p>Tasos Laskos</p>
<p>Posted 2016-02-14T12:27:08Z</p>
<div><p>okay, thanks !</p></div>
<p>corelanc0d3r</p>
<p>Posted 2016-02-14T14:11:31Z</p>
<div><p>I messed up the first build, pushing again now.<br>
I'll probably fall asleep soon but check the <a href="http://downloads.arachni-scanner.com/nightlies/">nightlies</a> in
a couple of hours, they'll have finished uploading by then (you can
also check for the "last modified" date to change).</p></div>
<p>Tasos Laskos</p>
<p>Posted 2016-02-14T17:32:35Z</p>
<div><p>ok, upgraded to latest build, will continue to play with it -
thanks !</p></div>
<p>corelanc0d3r</p>
<p>Posted 2016-02-15T01:42:43Z</p>
<div><p>How does that look?<br>
Remarks are on the bottom, the first one is the new one.</p>
<pre>
<code> [+] [1] Backup file (Untrusted)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] Digest: 909131573
[~] Severity: Medium
[~] Description:
[~]
A common practice when administering web applications is to create a copy/backup
of a particular file or directory prior to making any modification to the file.
Another common practice is to add an extension or change the name of the original
file to signify that it is a backup (examples include `.bak`, `.orig`, `.backup`,
etc.).
During the initial recon stages of an attack, cyber-criminals will attempt to
locate backup files by adding common extensions onto files already discovered on
the webserver. By analysing the response headers from the server they are able to
determine if the backup file exists.
These backup files can then assist in the compromise of the web application.
By utilising the same method, Arachni was able to discover a possible backup file.
[~] Tags: path, backup, file, discovery
[~] CWE: http://cwe.mitre.org/data/definitions/530.html
[~] References:
[~] WebAppSec - http://www.webappsec.org/projects/threat/classes/information_leakage.shtml
[~] URL: http://testfire.net/feedback.exe
[~] Element: server
[~] Proof: "HTTP/1.1 200 OK"
[~] Referring page: http://testfire.net/feedback.aspx
[~] Affected page: http://testfire.net/feedback.exe
[~] HTTP request
GET /feedback.exe HTTP/1.1
Host: testfire.net
Accept-Encoding: gzip, deflate
User-Agent: Arachni/v2.0dev
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,he;q=0.6
Cookie: ASP.NET_SessionId=ft3tdtqoozcbsrjykt3je145;amSessionId=193910181084
[~] Remarks
[~] -------
[~] By check:
[~] * Identified by converting the original filename of 'feedback.aspx' to
'feedback.exe' using format '[name].exe'.
[~] By meta_analysis:
[~] * This issue was logged by a discovery check but the response for the resource it
identified is very similar to responses for other resources of similar type.
This is a strong indication that the logged issue is a false positive.</code>
</pre></div>
<p>Tasos Laskos</p>
<p>Posted 2016-02-15T06:44:20Z</p>
<div><p>great !!! but I still have mixed feelings - perhaps it would
make sense to add a specific note regarding images (original is an
image and new file is an image too), as those are the ones causing
most of the FPs... in any case, the remarks will help</p></div>
<p>corelanc0d3r</p>
<p>Posted 2016-02-15T06:47:18Z</p>
<div><p>I don't much like this idea; if I'm to go down that road, then
I'd rather ignore images completely and be done with it.<br>
And given that this discussion is indeed taking place, I have
to go down this road, so images are getting the boot.</p>
<p>Will let you know once fresh nightlies are up.</p>
<p>Thanks for the feedback. :)</p></div>
<p>Tasos Laskos</p>
<p>Posted 2016-02-15T06:55:35Z</p>
<div><p>Better yet, I'll ignore all media, image, audio and video; makes
sense, right?</p></div>
<p>Tasos Laskos</p>
<p>Posted 2016-02-15T07:12:44Z</p>
<div><p>it does - but you could leave it up to the tester. A small
option "ignore media" in the backup file check would make this
quite easy :) thanks !</p></div>
<p>corelanc0d3r</p>
<p>Posted 2016-02-15T07:36:48Z</p>
<div><p>Checks don't have options, they just check whatever is in
scope.<br>
At this point ignoring all media would be best I think, you turned
me around on the subject.</p></div>
<p>Tasos Laskos</p>
<p>Posted 2016-02-15T08:06:01Z</p>
<div><p>cool, thumbs up from my side :)</p></div>
<p>corelanc0d3r</p>
<p>Posted 2016-02-15T11:56:22Z</p>
<div><p>I've pushed nightlies for this and it should take care of the
issue; it'll ignore image, audio, video and font files.</p></div>
<p>Tasos Laskos</p>
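<p>The following Ruby is an added example, not Arachni's code, modelling the three points this thread settles on: candidate names derived from filename formats with a remark recording the derivation (as in the report above), scope exclude patterns treated as regular expressions (so <code>*.jpg</code> is rejected with a message while <code>\.jpg$</code> works), and media files skipped by the backup check. The format list and the media extension list are assumptions standing in for the scanner's real tables.</p>

```ruby
require 'uri'

# Added model of the backup-file check behaviour discussed in this thread;
# it is not Arachni's code. Both lists below are assumptions standing in
# for the scanner's real format and extension tables.
MEDIA_EXTENSIONS = %w[jpg jpeg png gif svg mp3 wav ogg mp4 avi ttf woff].freeze
BACKUP_FORMATS = ['[name].bak', '[name].orig', '[name].backup', '[name].exe',
                  '[name].[ext].bak', '[name]1.[ext]', '[name]5.[ext]'].freeze

# Scope exclude patterns are regular expressions, not shell wildcards:
# '*.jpg' is rejected with a clear message (the error the profile save
# should have shown) while '\.jpg$' compiles as expected.
def compile_exclude_pattern(pattern)
  Regexp.new(pattern)
rescue RegexpError => e
  raise ArgumentError, "Invalid scope exclude pattern #{pattern.inspect}: #{e.message}"
end

# Media files are skipped entirely, as the thread settled on, because
# gallery-style names (image_1.jpg -> image_15.jpg) are nearly always FPs.
def media?(filename)
  MEDIA_EXTENSIONS.include?(File.extname(filename).delete_prefix('.').downcase)
end

# Returns [candidate_url, remark] pairs for one discovered URL. The remark
# records how the name was derived, mirroring the report's "By check" remark.
def backup_candidates(url, exclude: nil, ignore_media: true)
  uri = URI(url)
  return [] if uri.path.empty? || uri.path.end_with?('/')   # directories: nothing to mutate
  filename = File.basename(uri.path)
  return [] if ignore_media && media?(filename)

  name = File.basename(filename, '.*')
  ext  = File.extname(filename).delete_prefix('.')
  dir  = uri.path.chomp(filename)

  BACKUP_FORMATS.each_with_object([]) do |fmt, out|
    next if fmt.include?('[ext]') && ext.empty?          # nothing to substitute
    candidate = fmt.sub('[name]', name).sub('[ext]', ext)
    next if candidate == filename                        # not a new resource
    next if exclude && exclude.match?(dir + candidate)   # honour scope excludes
    target = uri.dup
    target.path = dir + candidate
    out << [target.to_s,
            "Identified by converting the original filename of '#{filename}' " \
            "to '#{candidate}' using format '#{fmt}'."]
  end
end
```

With <code>ignore_media: false</code> the gallery case from the thread produces <code>image_11.jpg</code> and <code>image_15.jpg</code> candidates; with the default it produces none.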