Cloud application Scanning

naveesharma

26 May, 2016 07:25 AM

Hi Tasos,

I have a few applications in a cloud environment, where I need to log in with some credentials first and then click on that web application, and it will open up a new URL.

Now my problem is that when I log in to the cloud using the login script, it starts scanning the cloud portal and not the actual portal on which this scanner should run.

Can you give me the steps on how I can run the scanner over cloud applications?

  1. Support Staff - Posted by Tasos Laskos on 26 May, 2016 08:35 AM

    You're talking about an SSO login, right?
    That shouldn't be a problem: just perform the login as usual via the login script, but set the target URL to the site you want to scan.

  2. Posted by naveesharma on 02 Jun, 2016 04:47 AM

    Hi Tasos,

    I am facing an issue while scanning a cloud application. Every time I scan, it gives me different results. I am using the same profile during the CLI scan. Once it showed 10 issues, 2 of which were source file disclosure, and at that time it also found private IPs. Another scan shows only 5 issues and no high-risk vulnerabilities, and the number of pages scanned differs as well. This is making me lose confidence in whether it scans properly or not.

    Can you tell me what is wrong?

    I am using the profile below.

    arachni http://pricxxxxxx/pricingQueryxxxxProduct.htm? --plugin=login_script:script=login_w.rb --session-check-url=https://xxxxx.oxxx.com/app/UserHome --session-check-pattern= /xxxxx/ --scope-exclude-pattern /staging-xxxxx1.pxxxxxxxxxx.com/ --scope-exclude-pattern /app/

    If you need them, I will mail both reports.

  3. Support Staff - Posted by Tasos Laskos on 02 Jun, 2016 07:35 AM

    The patterns won't work: you shouldn't be enclosing them in "/" and you shouldn't be leaving spaces when assigning them (i.e. after the =), see: https://github.com/Arachni/arachni/wiki/Command-line-user-interface...
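    To make the two mistakes concrete, here is an added example (not Arachni's own code, written for this thread) that takes the command line from the post above, flags a pattern value wrapped in "/.../" and an "=" followed by a space, and rewrites the options into the "--opt=pattern" form. It assumes only that the shell splits the command at spaces and that Arachni compiles the bare value as a regular expression, as the wiki describes; the sample command is the one quoted in the thread, with its redacted hosts kept as-is.

```ruby
require 'shellwords'

# Option names from the thread whose values are regular expressions.
PATTERN_OPTS = /\A--(session-check-pattern|scope-(?:include|exclude)-pattern)(?:=(.*))?\z/

# The command line quoted in the thread (hosts redacted by the poster).
THREAD_COMMAND = 'arachni http://pricxxxxxx/pricingQueryxxxxProduct.htm? ' \
  '--plugin=login_script:script=login_w.rb ' \
  '--session-check-url=https://xxxxx.oxxx.com/app/UserHome ' \
  '--session-check-pattern= /xxxxx/ ' \
  '--scope-exclude-pattern /staging-xxxxx1.pxxxxxxxxxx.com/ ' \
  '--scope-exclude-pattern /app/'

def slash_wrapped?(value)
  value.length > 1 && value.start_with?('/') && value.end_with?('/')
end

# Returns [value, consumed_next_word]. "--opt= VALUE" is split by the shell into
# "--opt=" (empty value) and a stray "VALUE" word, so both that form and the
# plain "--opt VALUE" form take their value from the following word.
def pattern_value(words, i, match)
  value = words[i].include?('=') ? match[2] : ''
  return [value, false] unless value.empty?
  [words[i + 1].to_s, true]
end

def lint_arachni_patterns(cmdline)
  words = Shellwords.split(cmdline)
  problems = []
  words.each_with_index do |word, i|
    next unless (m = word.match(PATTERN_OPTS))
    value, consumed = pattern_value(words, i, m)
    problems << "--#{m[1]}= has an empty value; #{value.inspect} became a stray argument" if word.end_with?('=') && consumed
    problems << "--#{m[1]}: #{value.inspect} is enclosed in slashes, use #{value[1..-2].inspect}" if slash_wrapped?(value)
  end
  problems
end

# Rewrites every pattern option as "--opt=pattern" with the enclosing slashes removed.
# The bare value is still a regex matched anywhere in the URL, so check the result is not broader than intended.
def fix_arachni_patterns(cmdline)
  words = Shellwords.split(cmdline)
  fixed = []
  skip = false
  words.each_with_index do |word, i|
    if skip then skip = false; next end
    if (m = word.match(PATTERN_OPTS))
      value, skip = pattern_value(words, i, m)
      value = value[1..-2] if slash_wrapped?(value)
      fixed << "--#{m[1]}=#{value}"
    else
      fixed << word
    end
  end
  fixed
end

puts lint_arachni_patterns(THREAD_COMMAND), fix_arachni_patterns(THREAD_COMMAND).join(' ') if $PROGRAM_NAME == __FILE__
```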

  4. Posted by naveesharma on 02 Jun, 2016 10:57 AM

    After making these changes, the scanner is not working.

    [-] [components/plugins/login_script#set_status:99] Login script: The script was executed successfully, but the login check failed.

  5. Posted by naveesharma on 02 Jun, 2016 11:04 AM

    Ran it again after making some changes to the pattern. It is now running; waiting for the report to generate.

  6. Tasos Laskos closed this discussion on 09 Jun, 2016 08:54 AM.
