Manually walking through an application

Vojta's Avatar


22 Feb, 2016 11:25 AM

I am evaluating abilities of Arachni. I use OWASP WebGoat 6.0.1, because I have previously tested another similar framework W3af on this application.
I do it like this:
1. I run Arachni with some checks enabled, proxy plugin enabled and scope page limit se to 0. I do this because I scan one lesson at a time to get exact information.
2. I set my browser to use Arachni's proxy and I submit severa inputs to the lesson. Lessons usually contain some kind of form and I submit several test values.
3. I start actual scan by visiting arachni.proxy/shutdown
My question is aimed at the page limit. If it is set to 0, do I understand it right that Arachni audits everything what it is served through the proxy, but does not crawl other pages? When I review the scan log, Arachni seems to correctly probe forms for SQL injections etc... But I am asking mainly because Arachni didn't discover many vulnerabilities, compared to W3af. I want to be sure that I am not doing any mistake, as this result will be a part of my bachelor thesis. For example W3af correctly discovered SQL injection in the lesson aimed at SQL injection. Arachni did not. Any help is appreciated.
Thank you.

  1. Support Staff 1 Posted by Tasos Laskos on 22 Feb, 2016 11:33 AM

    Tasos Laskos's Avatar


    Yes, if you set the page limit to 0 then only pages and input vectors seen via the proxy will be checked by the system.

    Scanning these educational applications is a bad idea though unless you're really familiar with both the application and the scanner.
    They usually require special configuration due to configurable security levels, authentication etc.

    Better use an application that was meant to be a benchmark like WAVSEP.


  2. Tasos Laskos closed this discussion on 24 Feb, 2016 12:29 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac