SQL injection, WAVSEP and arachni

TIOUR Anas's Avatar

TIOUR Anas

26 Apr, 2016 09:16 AM

Hi all,

I have been trying to run Arachni on a locally installed version of WAVSEP.
Arachni successfully finds many of the XSS vulnerabilities in WAVSEP but none of the vulnerabilities reported are SQL Injections.
I tried running a scan on a single page vulnerable to SQL Injection and Arachni did not detect it.

The first scan was run using this simple command : arachni http://127.0.0.2:8080/wavsep/index-full.jsp , while the second scan where i tried isolating a single page vulnerable to SQL Injection :
arachni http://127.0.0.1:8080/wavsep/SInjection-Detection-Evaluation-GET-20...

Wile running the aboce alst command, Arachni says in the very end of its response that "password isnt recognized as a command..." , so i thought about putting the link in double quotes and it worked without this error message. So do i need to include all links in double quotes?

Also another question, why does Arachni refuses to scan site in the 127.0.0.1 domain? Is it a securty issue, or related to performance maybe?

Thanks in advance :)

  1. Support Staff 1 Posted by Tasos Laskos on 26 Apr, 2016 09:25 AM

    Tasos Laskos's Avatar

    Hello,

    Every release is tested against WAVSEP so I'm fairly certain that it works, the "password isnt recognized as a command" bit looks like shell output and not something coming from Arachni.

    Can you please show me the exact command you're using?

    About scanning localhost or 127.0.0.1, it's neither, it's about controlling the browsers via proxy, they bypass Arachni's proxy and perform a direct connection.

    Cheers

  2. 2 Posted by TIOUR Anas on 26 Apr, 2016 09:33 AM

    TIOUR Anas's Avatar

    Thanks for your really quick response.

    Apparently i have a problem with MySQL installation and i was a little hasty posting this discussion. Ill try to solve the MySQL part of this problem and test it again, i have no doubt it will work as intended.

    :)

  3. Support Staff 3 Posted by Tasos Laskos on 26 Apr, 2016 09:34 AM

    Tasos Laskos's Avatar

    Phew, that's a relief. :)

    So, closing this for now but feel free to re-open if you get the same results.

    Cheers

  4. Tasos Laskos closed this discussion on 26 Apr, 2016 11:38 AM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac