Arachni: Discussion 2013-10-10T19:26:14Z
Arachni handling get parameter

2013-08-02T16:13:15Z
<div><p>Hey Shang,</p>
<p>The dir busting stuff is part of the audit, not the crawl; the
crawl will indeed start from the URL you gave it.<br>
If you're seeing the crawl return immediately then that's a
different problem; make sure that the initial page doesn't redirect
to some other subdomain that's out of scope or something akin to
that.</p>
<p>Cheers</p></div>
Tasos Laskos

2013-08-05T08:49:01Z, 2013-08-05T08:49:02Z
<div><p>Shang, if you are trying to do SQL injection, then I suggest you
try SQLMap.</p>
<p>Arachni is a superb product in a way it can guide you for
relevant weaknesses through automation.</p>
<p>At this point, based on my understanding you need to use the
proxy feature to guide it towards specific areas like places where
you want to authenticate etc.</p>
<p>To be frank with you it found more vulns than what Metasploit
Pro found out. I'm thoroughly impressed with arachni.</p>
<p>On the other hand, if you want to fuzz/SQL inject, if I were you
I would use more specific tools. Arachni is good at XSS though.
Results were amazing.</p>
<p>Hope this helps.</p></div>
Hariharan Madhavan

2013-08-05T12:29:44Z
<div><p>I don't disagree with you on any particular point, but what
does this have to do with the question? Also, if you come across a
vuln that SQLmap identifies and Arachni doesn't, please do let me
know so that I can sort it out.</p>
<p>Cheers</p></div>
Tasos Laskos

2013-08-05T13:06:38Z, 2013-08-05T15:37:35Z
<div><p>I use SQLMap for SQL injection; when you pass a parameter to
SQLMap, it will apply injection straight on the specific parameter
supplied without fuzzing... so it clicked for me when he asked why
those two parameters were not used...</p>
<p>With regard to your second question, now that you have
evinced your keen interest, I will post a separate thread in the
suggestion forum.</p></div>
Hariharan Madhavan

2013-08-05T15:41:27Z
<div><p>Arachni will do the same if you've only enabled the sqli module
(for instance) and limited the scope to that URL only. His
question seems to be more related to the crawl than auditing a
specific vector.</p>
<p>And yeah, of course I really want to know about that sort of
stuff, I can't improve everything on my own; I need user
feedback.</p></div>
Tasos Laskos

2013-09-17T18:01:04Z
<div><p>Is the issue clear now? May I close this discussion?</p></div>
Tasos Laskos