Arachni: Discussion
2018-05-04T08:46:49Z
Different scan results for Web-UI and REST API

2018-03-26T07:49:31Z
<div><p>Are you using the same configuration for the WebUI scan as for the REST API?<br>
Can you please show me both configs?</p></div>
Tasos Laskos

2018-03-26T13:51:23Z, 2018-05-04T08:44:31Z
<div><p>Hello Tasos Laskos,</p>
<p>Thanks for the reply. As far as I can tell, I am using the same configuration for both the options.</p>
<p>I have enclosed the json of the profile from Web UI and see below for what I am posting to the REST endpoint. This is essentially built based on what I have in the profile.</p>
<pre>
<code>{
  "url" : "<url>",
  "http" : {
    "user_agent" : "Arachni/v2.0dev",
    "request_timeout" : 10000,
    "request_redirect_limit" : 5,
    "request_concurrency" : 20,
    "request_queue_size" : 100,
    "request_headers" : {},
    "response_max_size" : 500000,
    "cookies" : {}
  },
  "audit" : {
    "parameter_values" : true,
    "exclude_vector_patterns" : [],
    "include_vector_patterns" : [],
    "link_templates" : [],
    "links" : true,
    "forms" : true,
    "cookies" : true,
    "headers" : false,
    "with_both_http_methods" : false,
    "cookies_extensively" : false,
    "jsons" : true,
    "xmls" : true,
    "ui_forms" : true,
    "ui_inputs" : true
  },
  "input" : {
    "values" : {},
    "default_values" : {
      "(?i-mx:name)" : "arachni_name",
      "(?i-mx:user)" : "arachni_user",
      "(?i-mx:usr)" : "arachni_user",
      "(?i-mx:pass)" : "5543!%arachni_secret",
      "(?i-mx:txt)" : "arachni_text",
      "(?i-mx:num)" : "132",
      "(?i-mx:amount)" : "100",
      "(?i-mx:mail)" : "arachni@email.gr",
      "(?i-mx:account)" : "12",
      "(?i-mx:id)" : "1"
    },
    "without_defaults" : false,
    "force" : false
  },
  "browser_cluster" : {
    "wait_for_elements" : {},
    "pool_size" : 6,
    "job_timeout" : 25,
    "worker_time_to_live" : 100,
    "ignore_images" : false,
    "screen_width" : 1600,
    "screen_height" : 1200
  },
  "scope" : {
    "redundant_path_patterns" : {},
    "dom_depth_limit" : 5,
    "exclude_path_patterns" : [],
    "exclude_content_patterns" : [],
    "include_path_patterns" : [],
    "restrict_paths" : [],
    "extend_paths" : [],
    "url_rewrites" : {},
    "include_subdomains" : false,
    "exclude_binaries" : true,
    "auto_redundant_paths" : 2,
    "https_only" : false
  },
  "session" : {},
  "checks" : [
    "code_injection",
    "code_injection_php_input_wrapper",
    "code_injection_timing",
    "csrf",
    "no_sql_injection",
    "no_sql_injection_differential",
    "os_cmd_injection",
    "sql_injection",
    "unvalidated_redirect",
    "unvalidated_redirect_dom",
    "xss",
    "xss_path",
    "xss_script_context",
    "xss_tag"
  ],
  "platforms" : [
    "linux",
    "mongodb",
    "java"
  ],
  "plugins" : {
    "autologin" : {
      "url" : "<endpoint URL>",
      "parameters" : "username=<username>&password=<password>",
      "check" : "."
    }
  },
  "no_fingerprinting" : false,
  "authorized_by" : null
}</code>
</pre></div>
sudarshan.babu

2018-04-18T14:45:56Z
<div><p>Hello Tasos Laskos,</p>
<p>Did you get a chance to review what I supplied? Should we stop using APIs then?</p></div>
sudarshan.babu

2018-05-04T08:46:47Z
<div><p>Those 2 JSON files obviously have many differences, the enabled checks first and foremost, which is basically the most important configuration in Arachni.</p></div>
Tasos Laskos
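
Comparing the two option sets mechanically shows differences such as the enabled checks before a scan is started. The Ruby script below is an added example, not part of the thread or of Arachni; it assumes both configurations are available as JSON with the same nested layout as the REST payload above, and both sample documents are constructed.

```ruby
require 'json'
require 'set'

# Recursively compare two parsed option hashes and return { "path" => detail }.
# Arrays (checks, platforms, patterns) are compared as sets, because their
# order does not change what is enabled.
def diff_options(profile, rest, path = '')
  if profile.is_a?(Hash) && rest.is_a?(Hash)
    (profile.keys | rest.keys).sort.each_with_object({}) do |key, out|
      sub = path.empty? ? key : "#{path}.#{key}"
      if !profile.key?(key)
        out[sub] = { only_in: :rest, value: rest[key] }
      elsif !rest.key?(key)
        out[sub] = { only_in: :profile, value: profile[key] }
      else
        out.merge!(diff_options(profile[key], rest[key], sub))
      end
    end
  elsif profile.is_a?(Array) && rest.is_a?(Array)
    a, b = profile.to_set, rest.to_set
    return {} if a == b
    { path => { only_in_profile: (a - b).sort_by(&:to_s),
                only_in_rest: (b - a).sort_by(&:to_s) } }
  else
    profile == rest ? {} : { path => { profile: profile, rest: rest } }
  end
end

# Constructed sample standing in for a Web UI profile export.
PROFILE_JSON = <<~JSON
  { "audit": { "links": true, "forms": true, "headers": true },
    "checks": ["xss", "sql_injection", "csrf", "xss_tag"],
    "scope": { "dom_depth_limit": 5 } }
JSON

# Constructed sample standing in for the body posted to the REST endpoint.
REST_JSON = <<~JSON
  { "audit": { "links": true, "forms": true, "headers": false },
    "checks": ["sql_injection", "xss", "csrf"],
    "scope": { "dom_depth_limit": 5, "https_only": false } }
JSON

DIFF = diff_options(JSON.parse(PROFILE_JSON), JSON.parse(REST_JSON))
DIFF.each { |path, detail| puts "#{path}: #{detail}" }
```

An empty result means the two option sets are equivalent; any `checks` entry in the output means the two scans did not run the same checks.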