Different scan results for Web-UI and REST API

sudarshan.babu

19 Mar, 2018 02:39 PM

Hello,

We recently started using Arachni for scanning a couple of web applications using the Web UI and REST server options. We are seeing different results from these options. Scans initiated from the Web UI return findings of various severities (high, medium, low, etc.), but the scans via the REST API return only the high severity findings.

Is there a way of making the REST option return all the findings (irrespective of the severity)?

Thanks,
Sudarshan Babu

  1. Support Staff 1 Posted by Tasos Laskos on 26 Mar, 2018 07:49 AM

    Are you using the same configuration for the WebUI scan as for the REST API?
    Can you please show me both configs?

  2. 2 Posted by sudarshan.babu on 26 Mar, 2018 01:51 PM

    Hello Tasos Laskos,

    Thanks for the reply. As far as I can tell, I am using the same configuration for both options.

    I have enclosed the JSON of the profile from the Web UI; see below for what I am posting to the REST endpoint. This is essentially built based on what I have in the profile.

    {
      "url" : "<url>",
      "http" : {
        "user_agent" : "Arachni/v2.0dev",
        "request_timeout" : 10000,
        "request_redirect_limit" : 5,
        "request_concurrency" : 20,
        "request_queue_size" : 100,
        "request_headers" : {},
        "response_max_size" : 500000,
        "cookies" : {}
      },
      "audit" : {
        "parameter_values" : true,
        "exclude_vector_patterns" : [],
        "include_vector_patterns" : [],
        "link_templates" : [],
        "links" : true,
        "forms" : true,
        "cookies" : true,
        "headers" : false,
        "with_both_http_methods" : false,
        "cookies_extensively" : false,
        "jsons" : true,
        "xmls" : true,
        "ui_forms" : true,
        "ui_inputs" : true
      },
      "input" : {
        "values" : {},
        "default_values" : {
          "(?i-mx:name)" : "arachni_name",
          "(?i-mx:user)" : "arachni_user",
          "(?i-mx:usr)" : "arachni_user",
          "(?i-mx:pass)" : "5543!%arachni_secret",
          "(?i-mx:txt)" : "arachni_text",
          "(?i-mx:num)" : "132",
          "(?i-mx:amount)" : "100",
          "(?i-mx:mail)" : "[email blocked]",
          "(?i-mx:account)" : "12",
          "(?i-mx:id)" : "1"
        },
        "without_defaults" : false,
        "force" : false
      },
      "browser_cluster" : {
        "wait_for_elements" : {},
        "pool_size" : 6,
        "job_timeout" : 25,
        "worker_time_to_live" : 100,
        "ignore_images" : false,
        "screen_width" : 1600,
        "screen_height" : 1200
      },
      "scope" : {
        "redundant_path_patterns" : {},
        "dom_depth_limit" : 5,
        "exclude_path_patterns" : [],
        "exclude_content_patterns" : [],
        "include_path_patterns" : [],
        "restrict_paths" : [],
        "extend_paths" : [],
        "url_rewrites" : {},
        "include_subdomains" : false,
        "exclude_binaries" : true,
        "auto_redundant_paths" : 2,
        "https_only" : false
      },
      "session" : {},
      "checks" : [
        "code_injection",
        "code_injection_php_input_wrapper",
        "code_injection_timing",
        "csrf",
        "no_sql_injection",
        "no_sql_injection_differential",
        "os_cmd_injection",
        "sql_injection",
        "unvalidated_redirect",
        "unvalidated_redirect_dom",
        "xss",
        "xss_path",
        "xss_script_context",
        "xss_tag"
      ],
      "platforms" : [
        "linux",
        "mongodb",
        "java"
      ],
      "plugins" : {
        "autologin" : {
          "url" : "<endpoint URL>",
          "parameters" : "username=<username>&password=<password>",
          "check" : "."
        }
      },
      "no_fingerprinting" : false,
      "authorized_by" : null
    }
    
  3. 3 Posted by sudarshan.babu on 18 Apr, 2018 02:45 PM

    Hello Tasos Laskos,

    Did you get a chance to review what I supplied? Should we stop using the APIs then?

  4. Support Staff 4 Posted by Tasos Laskos on 04 May, 2018 08:46 AM

    Those 2 JSON files obviously have many differences, the enabled checks first and foremost, which are basically the most important configuration in Arachni.
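The reply above boils down to "the two option documents are not the same, starting with `checks`". Eyeballing two multi-kilobyte JSON files for that is error-prone, so here is an added example (not part of the thread and not Arachni's own code) that loads two Arachni option documents and reports every key that differs, treating name lists such as `checks` and `platforms` as sets so ordering does not matter. The REST payload below is a trimmed version of the one posted in this thread; the Web UI profile is a constructed stand-in, since the real one was only attached, and the extra check names in it are assumed for illustration.

```python
"""Diff two Arachni scan option documents (REST payload vs. Web UI profile)."""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample: the REST API payload from this thread, trimmed to the
# sections that matter for the comparison (credentials and placeholders removed).
REST_OPTIONS: Dict[str, Any] = json.loads("""
{
  "url": "http://example.test/",
  "audit": {"links": true, "forms": true, "cookies": true, "headers": false},
  "checks": ["code_injection", "csrf", "os_cmd_injection", "sql_injection",
             "unvalidated_redirect", "xss", "xss_path", "xss_script_context", "xss_tag"],
  "platforms": ["linux", "mongodb", "java"],
  "plugins": {"autologin": {"url": "http://example.test/login", "check": "."}}
}
""")

# Constructed sample standing in for the Web UI profile export. The thread only
# says the two differ, mainly in the enabled checks; the extra (passive) check
# names here are an assumption chosen to illustrate where low/medium findings come from.
WEBUI_PROFILE: Dict[str, Any] = json.loads("""
{
  "url": "http://example.test/",
  "audit": {"links": true, "forms": true, "cookies": true, "headers": true},
  "checks": ["code_injection", "csrf", "os_cmd_injection", "sql_injection",
             "unvalidated_redirect", "xss", "xss_path", "xss_script_context", "xss_tag",
             "backup_files", "common_files", "directory_listing",
             "http_only_cookies", "insecure_cookies", "x_frame_options"],
  "platforms": ["linux", "mongodb", "java"],
  "plugins": {"autologin": {"url": "http://example.test/login", "check": "."}}
}
""")

Diff = Dict[str, Tuple[Any, Any]]


def diff_options(rest: Any, webui: Any, path: str = "") -> Diff:
    """Return {dotted.path: (rest_value, webui_value)} for every leaf that differs.

    Dicts are walked recursively; a key present on one side only is reported with
    '<missing>' on the other. Lists of strings (check/platform names) are compared
    as sets and reported as (only_in_rest, only_in_webui). Anything else is
    compared for plain equality.
    """
    diffs: Diff = {}
    if isinstance(rest, dict) and isinstance(webui, dict):
        for key in sorted(set(rest) | set(webui)):
            sub = f"{path}.{key}" if path else key
            if key not in rest or key not in webui:
                diffs[sub] = (rest.get(key, "<missing>"), webui.get(key, "<missing>"))
            else:
                diffs.update(diff_options(rest[key], webui[key], sub))
    elif (isinstance(rest, list) and isinstance(webui, list)
          and all(isinstance(x, str) for x in rest + webui)):
        only_rest = sorted(set(rest) - set(webui))
        only_webui = sorted(set(webui) - set(rest))
        if only_rest or only_webui:
            diffs[path] = (only_rest, only_webui)
    elif rest != webui:
        diffs[path] = (rest, webui)
    return diffs


def checks_missing_from_rest(rest: Dict[str, Any], webui: Dict[str, Any]) -> List[str]:
    """Checks enabled in the Web UI profile that the REST payload does not enable."""
    return sorted(set(webui.get("checks", [])) - set(rest.get("checks", [])))


def format_report(diffs: Diff) -> str:
    """Render the diff one line per differing path, or a fixed line when identical."""
    lines = [f"{path}: REST={r!r} WebUI={w!r}" for path, (r, w) in diffs.items()]
    return "\n".join(lines) or "no differences"


def load_options(path: str) -> Dict[str, Any]:
    """Load an option document from disk (e.g. a profile exported from the Web UI)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Replace the two samples with load_options("rest.json") / load_options("profile.json").
    print(format_report(diff_options(REST_OPTIONS, WEBUI_PROFILE)))
    print("checks to add to the REST payload:",
          ", ".join(checks_missing_from_rest(REST_OPTIONS, WEBUI_PROFILE)))
```

Run it against the real exported profile and the body you POST to the REST server; every path it prints is a setting the two scans do not share, and the `checks` line tells you exactly which check names to copy into the REST payload before comparing results again.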
