Custom Script 'Initializing broswer cluster' Infinite Loop

Kam's Avatar

Kam

11 Jul, 2016 05:34 PM

Tasos,

I have been working on a custom script using the Arachni REST API (based off of the example client given on the Github page) to scan against WebGoat, but whenever I run it it continues to output the message value as "Initializing the browser cluster".

...
Scan 134: scanning
Messages: Initialising the browser cluster.
Scan 135: scanning
Messages: Initialising the browser cluster.
Scan 136: scanning
Messages: Initialising the browser cluster.
Scan 137: scanning
Messages: Initialising the browser cluster.

Even if I let it run for thousands of scans, it continues to output this message. Find my script attached in this post.

Another thing I was curious about was when you run a normal scan using a login_script plugin, the application displays in the console that the plugin has started, and the login was successful as well as the cookie value that was set and if the session logs out it will display re-login attempt happening. I was wondering how to add this feature to a custom script with the REST API.

  1. Support Staff 1 Posted by Tasos Laskos on 14 Jul, 2016 09:09 AM

    Tasos Laskos's Avatar

    Can you try scanning the application via the CLI (arachni) and see if that makes a difference?

  2. 2 Posted by Kam on 14 Jul, 2016 10:12 AM

    Kam's Avatar

    Do you mean running the application normally rather than a custom script? All works fine when I run through CLI.

    Update**
    I have tweaked the script slightly and it is now outputting the proper information, but there is 2 final things that I can not seem to get working:
    1. How to add the login_script plugin output to the terminal via a custom script. It does not print_info like it does when running a normal CLI scan with the plugin.
    2. When I specify a URL to scan https://test.example.com/test/test2, how do I force the script to only scan URLs containing /test/test2. Right now it scans everything in the test.example.com domain which is not what I want it to do.

  3. Support Staff 3 Posted by Tasos Laskos on 14 Jul, 2016 11:32 AM

    Tasos Laskos's Avatar
    1. You can't get the output of the print_* methods because that would result in GB of data. You'll need to do your own logging to a file or something.
    2. You need to set the scope include_path_patterns option to /test/test2.
  4. 4 Posted by Kam on 14 Jul, 2016 12:34 PM

    Kam's Avatar

    So it is not possible to output the login_script plugin outputs information like "Executing script", "Script executed successfully", and the setting of the session cookie with a custom script?

  5. Support Staff 5 Posted by Tasos Laskos on 14 Jul, 2016 12:36 PM

    Tasos Laskos's Avatar

    You can but you won't see them over the REST API only the CLI, and you'll need to do that yourself.

  6. 6 Posted by Kam on 14 Jul, 2016 12:38 PM

    Kam's Avatar

    Ah, okay. Thanks for the assistance, Tasos. Loving the Arachni Framework so far!

  7. Support Staff 7 Posted by Tasos Laskos on 14 Jul, 2016 12:41 PM

    Tasos Laskos's Avatar

    No problem. :)

  8. Tasos Laskos closed this discussion on 14 Jul, 2016 12:41 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac