SQL injection, WAVSEP and arachni
Hi all,
I have been trying to run Arachni on a locally installed version
of WAVSEP.
Arachni successfully finds many of the XSS vulnerabilities in
WAVSEP but none of the vulnerabilities reported are SQL
Injections.
I tried running a scan on a single page vulnerable to SQL Injection
and Arachni did not detect it.
The first scan was run using this simple command: arachni http://127.0.0.2:8080/wavsep/index-full.jsp
while the second scan, where I tried isolating a single page vulnerable to SQL Injection, was: arachni http://127.0.0.1:8080/wavsep/SInjection-Detection-Evaluation-GET-20...
While running the above last command, Arachni says at the very end of its response that "password isnt recognized as a command...", so I thought about putting the link in double quotes and it worked without this error message. So do I need to include all links in double quotes?
Also another question, why does Arachni refuse to scan sites in the 127.0.0.1 domain? Is it a security issue, or related to performance maybe?
Thanks in advance :)
Support Staff 1 Posted by Tasos Laskos on 26 Apr, 2016 09:25 AM
Hello,
Every release is tested against WAVSEP so I'm fairly certain that it works. The "password isnt recognized as a command" bit looks like shell output and not something coming from Arachni.
Can you please show me the exact command you're using?
About scanning localhost or 127.0.0.1, it's neither, it's about controlling the browsers via proxy, they bypass Arachni's proxy and perform a direct connection.
Cheers
2 Posted by TIOUR Anas on 26 Apr, 2016 09:33 AM
Thanks for your really quick response.
Apparently I have a problem with MySQL installation and I was a little hasty posting this discussion. I'll try to solve the MySQL part of this problem and test it again, I have no doubt it will work as intended.
:)
Support Staff 3 Posted by Tasos Laskos on 26 Apr, 2016 09:34 AM
Phew, that's a relief. :)
So, closing this for now but feel free to re-open if you get the same results.
Cheers
Tasos Laskos closed this discussion on 26 Apr, 2016 11:38 AM.