Arachni: Discussion 2015-03-05T18:04:17Z
Question about depth settings, the web interface, graphs/trends and profiles
2013-09-18T09:23:17Z
<div><p>Another question:</p>
<ul>
<li>is there an ETA when the web based scheduler will be ready? I
want to schedule scans and let testers review the results and mark
false positive results as false positive. Is such possible via the
web interface or via the client?</li>
</ul></div>Michiel
2013-09-18T12:16:46Z
<div><p>Hey Michiel,</p>
<ol>
<li>Yep, exactly.<br></li>
<li>Someone else recently <a href=
"http://support.arachni-scanner.com/discussions/problems/155-configure-arachni-behind-an-apache-proxy">
asked</a> this too. I had managed to scope all routes under
<code>/arachni/</code> except for the assets. I'll give it another
shot though and let you know.<br></li>
<li>No not yet. It's planned though. There are lots of fancy things
you can do with that interface but I haven't found the time yet.
Dev work for <a href=
"https://github.com/Arachni/arachni/issues?milestone=6">Framework
v0.5</a> takes precedence.<br></li>
<li>No. Profiles are UI abstractions, the Framework hasn't got a
unified construct for them. I could however update the UIs to
export their profiles in each other's formats, although that'll
have to wait until v0.5 as most of the relevant code is scheduled
for a rewrite.<br></li>
<li>Sorry, that's a no, again. Like I mentioned, Framework v0.5 dev
takes precedence.</li>
</ol>
<p>Will keep this open till I have a final answer for #2 for
you.</p>
<p>Cheers</p></div>Tasos Laskos
2013-09-18T14:25:56Z
<div><p>Hi Tasos!</p>
<p>Thanks for the time to answer and create such a nice web vuln
tool! :)</p>
<ol>
<li>Thanks for the confirmation!<br></li>
<li>This would be very nice since it would make it flexible to put
proxies or load balancers in front of it, I can not offer a SSL
interface to my colleagues now and all logins are plain
text<br></li>
<li>I understand, perhaps a nice to have for +0.5 releases<br></li>
<li>This would be very very very handy, as I created such a nice
profile via the clickable webui but want to automate scans (thus
need the terminal) and have to use the created profile, since it is
stored somewhere (I guess the SQLite DB?) can't I extract it one
way or another?<br></li>
<li>Ok</li>
</ol>
<p>Thank you again for the work and answers :)</p>
<p>Regards,</p>
<p>Michiel</p></div>Michiel
2013-09-18T14:44:48Z
<div><p>You can easily extract profiles as JSON like so:<br>
<a href=
"http://webui-url/profiles/3.json">http://webui-url/profiles/3.json</a></p>
<p>It'd take some work to translate them to AFP files or
command-line options for the CLI interface though because the WebUI
profile options and the CLI and Framework options aren't mapped
1-1.<br>
The CLI and Framework options were created a long time ago and some
of my decisions weren't the best back then so I've got to wait till
v0.5 to rectify this as I'll have to break backwards
compatibility.</p></div>Tasos Laskos
2013-09-18T14:47:21Z
<div><p>Ah no, scratch that, I was thinking of the Issue data. The
options are indeed mapped 1-1 so you can convert the JSON to YAML
and pass it to the CLI as an AFP file.</p></div>Tasos Laskos
2013-09-18T14:49:35Z
<div><p>How would I do that?<br>
I can grab the profile with <a href=
"http://URL:9292/profiles/5.json">http://URL:9292/profiles/5.json</a></p></div>Michiel
2013-09-18T14:52:16Z
<div><p>I'll update the WebUI Profiles with export functionality and
you'll be able to grab the nightlies to use it. I'll let you know
when it's ready.</p></div>Tasos Laskos
2013-09-18T14:53:53Z
<div><p>Great and thanks! :)</p></div>Michiel
2013-09-18T19:03:58Z
<div><p>OK I figured out how to mount the WebUI under a subdirectory
("arachni" in this case):</p>
<ol>
<li>Grab a <a href=
"http://downloads.arachni-scanner.com/nightlies/">nightly</a>.<br></li>
<li><code>system/arachni-web-ui/config/application.rb</code> --
<a href=
"https://gist.github.com/Zapotek/6612327">https://gist.github.com/Zapotek/6612327</a><br>
<ul>
<li><code>config.assets.prefix = '/arachni/assets'</code> (<a href=
"https://gist.github.com/Zapotek/6612327#file-application-rb-L51">Line</a>)</li>
</ul>
</li>
<li><code>system/arachni-web-ui/config/routes.rb</code> -- <a href=
"https://gist.github.com/Zapotek/6612310">https://gist.github.com/Zapotek/6612310</a><br>
<ul>
<li>All routes are scoped: <code>scope 'arachni'</code> (<a href=
"https://gist.github.com/Zapotek/6612310#file-routes-rb-L18">Line</a>)</li>
</ul>
</li>
<li><code>./bin/arachni_web_task assets:precompile</code></li>
</ol></div>Tasos Laskos
2013-09-19T07:46:57Z
<div><p>Keeping this discussion open for the 'I'll update the WebUI
Profiles with export functionality and you'll be able to grab the
nightlies to use it. I'll let you know when it's ready.' feature
:)</p>
<p>Please let me know when this will be ready or you have an ETA
(if possible of course).</p></div>Michiel
2013-09-19T07:47:46Z
<div><p>Thanks for the /arachni location in the app, step 2 + 3 mean
open the files with VI and edit?<br>
Since you closed the discussion/topic will I be able to see the
update where I can export the profile I created in the WebUI on
which you would try to create a fix for or is it embedded in the
same nightly for the /arachni fix?</p></div>Michiel
2013-09-19T07:53:00Z
<div><p>Hi folks,</p>
<p>Greatest mind on the same topic, wonderful ;-).<br>
What about this one : <a href=
"http://support.arachni-scanner.com/discussions/suggestions/947-options-imporvement">
http://support.arachni-scanner.com/discussions/suggestions/947-opti...</a><br>
It could solve the VI aspect.....<br>
I'm also waiting for the answer for testing apache in front with SSL as
you</p>
<p>regards</p></div>mailinglist
2013-09-19T08:16:29Z (updated 2013-09-19T12:09:28Z)
<div><p>Hmm, when I grab the latest nightly these fixes are not in the
code? (18/09/2013 64 bit version).<br>
When I then add the lines that are missing and do the precompile I
get a Ruby error:</p>
<p><a href=
"http://pastebin.com/GuZ368w3">http://pastebin.com/GuZ368w3</a></p></div>Michiel
2013-09-19T11:52:39Z (updated 2013-09-19T11:53:11Z)
<div><p>You just download the files from the gists and replace the ones
in the package. I marked the changes for you in case you wanna
change the subdirectory (which is <code>arachni</code> right now).
So, nope, you don't need to edit anything.</p>
<p>ETA about the other feature would be around this weekend and
yeah I'll let you know, or you can subscribe to the <a href=
"https://github.com/Arachni/arachni-ui-web/issues/36">feature
request</a> to get direct updates on its development.</p></div>Tasos Laskos
2013-09-19T12:11:34Z
<div><p>@Michiel: Just download and replace the files to avoid syntax
errors, seems like you forgot to close the <code>scope</code> block
with an <code>end</code>.</p></div>Tasos Laskos
2013-09-19T13:58:34Z
<div><p>Hi Tasos,</p>
<p>I can visit <a href=
"http://host:9292/arachni">http://host:9292/arachni</a> now but
directly after requesting the start page I am redirected to
d/users/sign_in which breaks the proxy and the /arachni link.<br>
Should d/users/sign_in also be rewritten in the app to
/arachni/d/users/sign_in ?</p>
<p>Michiel</p></div>Michiel
2013-09-19T16:50:27Z
<div><p>I updated the <a href=
"https://gist.github.com/Zapotek/6612310#file-routes-rb-L71">routes</a>,
it should work now.</p></div>Tasos Laskos
2013-09-20T07:15:53Z
<div><p>Hi Tasos,</p>
<p>That seems to work, I noticed that after I log in or perform an
action I am redirected to the HTTP link instead of the HTTPS
link.<br>
Are there any hard linked http links in the webui?</p></div>Michiel
2013-09-20T12:35:48Z
<div><p>That makes a certain amount of sense, proper redirects have to
be full absolute URLs and Rails assumes it's over HTTP as it hasn't
been told otherwise.<br>
I'll look into this and let you know.</p></div>Tasos Laskos
2013-09-20T12:46:51Z
<div><p>Looks like it's an Nginx conf thing: <a href=
"http://stackoverflow.com/a/10432596/1889337">http://stackoverflow.com/a/10432596/1889337</a></p></div>Tasos Laskos
2013-09-20T13:30:12Z
<div><p>You mean the fix proposed is only for Nginx?<br>
I am running Apache.<br>
I will give it a try with Nginx.</p></div>Michiel
2013-09-20T13:33:26Z
<div><p>Tbh, no idea, never tried to set up a reverse proxy myself. I'm
sure Apache has similar configuration options though.</p></div>Tasos Laskos
2013-09-20T13:57:19Z
<div><p>Ok, will try to fix it with Apache and if it works will post my
config here so you can use it for others (it seems I am not the
only one wanting this config ;) )</p></div>Michiel
2013-09-22T13:23:16Z
<div><p>Hooray, WebUI Profiles can now be imported and exported as YAML
and JSON.<br>
Grab a nightly and let me know how it works for you (and if that's
what you had in mind): <a href=
"http://downloads.arachni-scanner.com/nightlies/">http://downloads.arachni-scanner.com/nightlies/</a></p>
<p>If you come across any issues, or have further suggestions on
the subject, please post them at: <a href=
"https://github.com/Arachni/arachni-ui-web/issues/36">https://github.com/Arachni/arachni-ui-web/issues/36</a><br>
It will make tracking the development of the feature easier.</p></div>Tasos Laskos
2013-09-23T07:35:58Z
<div><p>Hi Tasos,</p>
<p>Thanks for the hard work!<br>
If I use this nightly, will it also have the /arachni webfolder
fixes in place or should I download them separately?</p>
<p>Regards,</p>
<p>Michiel</p></div>Michiel
2013-09-23T08:54:18Z (updated 2013-09-23T08:54:29Z)
<div><p>In regards of the HTTPS proxy:</p>
<ul>
<li>I rewrite everything to HTTPS: RedirectMatch /(.*) <a href=
"https://bnlimon13/$1">https://bnlimon13/$1</a></li>
<li>Then in the SSL vhost I proxy and set the correct X-Forward-For
header (if you don't do this correctly, all post information will
be posted over HTTP instead of HTTPS):</li>
</ul>
<p>RequestHeader set X-Forwarded-Proto "https"<br>
ProxyPass /arachni <a href=
"http://127.0.0.1:9292/arachni">http://127.0.0.1:9292/arachni</a><br>
ProxyPassReverse /arachni <a href=
"http://127.0.0.1:9292/arachni">http://127.0.0.1:9292/arachni</a><br>
ProxyPassReverseCookiePath / /arachni/</p>
<p>We do see that almost everything is now correctly posted to
HTTPS but some fonts are not working correctly (404):</p>
<p>/arachni/font/fontawesome-webfont.woff?v=3.0.1</p></div>Michiel
2013-09-23T11:11:38Z
<div><p>No you'll have to re-apply the fixes, they aren't in the
nightlies. About the font thing, try the following:</p>
<ul>
<li>Open
<code>system/arachni-ui-web/app/assets/stylesheets/font-awesome.scss</code></li>
<li>Change <code>$fontAwesomePath: "/font" !default;</code> to
<code>$fontAwesomePath: "/arachni/font" !default;</code></li>
</ul>
<p>At this point however this is becoming quite annoying, I'll have
to find a way to automate this process.</p></div>Tasos Laskos
2013-09-23T11:20:57Z
<div><p>Hi Tasos,</p>
<p>Hmm then I'd rather wait for the automated process built into the
next release.<br>
Otherwise my functionality breaks every time I upgrade Arachni (if I
forget to get the separate fixes)</p></div>Michiel
2013-11-11T21:26:34Z
<div><p>Just to let you know, this won't be on the upcoming release as
I'll need to investigate further and I don't want to hold
v0.4.6.</p></div>Tasos Laskos
2015-03-05T18:04:17Z
<div><p>I've left this open as a reminder but truthfully I haven't had
the time to pay a lot of attention to the WebUI and I don't really
see that changing soon.</p>
<p>So, closing this discussion, sorry guys.</p></div>Tasos Laskos
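<p>An added example, not part of the thread and not Arachni code: a Ruby check for the proxy symptoms reported above (redirects that fall back to HTTP, redirects that drop the /arachni prefix, cookies whose path was not rewritten), extended to also flag a missing Secure cookie attribute. The host bnlimon13 and the /arachni prefix come from the posts; the function name, finding names, cookie name and sample responses are constructed for illustration.</p>

```ruby
require 'uri'

# Public URL of the proxied WebUI; host "bnlimon13" and prefix "/arachni"
# are the values used in the thread.
PUBLIC_BASE = URI('https://bnlimon13/arachni')

# Audit one response, as the browser receives it, for the problems reported
# in the thread. `headers` maps header names to Strings (Set-Cookie may be an
# Array). Returns an Array of Symbols; empty means nothing was flagged.
def audit_proxied_response(status, headers, base = PUBLIC_BASE)
  h = headers.each_with_object({}) { |(k, v), acc| acc[k.to_s.downcase] = v }
  prefix = base.path.chomp('/')
  under_prefix = ->(path) { path == prefix || path.start_with?("#{prefix}/") }
  findings = []

  if (300..399).cover?(status) && h['location']
    # Relative Location values are resolved against the public base URL.
    loc = URI.join("#{base}/", h['location'])
    findings << :redirect_downgrades_to_http if loc.scheme != base.scheme
    findings << :redirect_to_other_host if loc.host != base.host
    findings << :redirect_leaves_prefix unless under_prefix.call(loc.path)
  end

  Array(h['set-cookie']).each do |cookie|
    attrs = cookie.split(';').map(&:strip)
    # Only an explicit Path attribute is checked; the default depends on the request URL.
    path = attrs.map { |a| a[/\Apath=(.*)\z/i, 1] }.compact.first
    findings << :cookie_path_outside_prefix if path && !under_prefix.call(path.chomp('/'))
    findings << :cookie_without_secure unless attrs.any? { |a| a.downcase == 'secure' }
  end
  findings.uniq
end

# Constructed sample responses (not captured from a real Arachni instance).
SAMPLES = {
  'clean login redirect' => [302, { 'Location' => 'https://bnlimon13/arachni/d/users/sign_in',
                                    'Set-Cookie' => '_session=x; path=/arachni/; HttpOnly; Secure' }],
  'redirect back to HTTP' => [302, { 'Location' => 'http://bnlimon13/arachni/scans' }],
  'redirect drops prefix' => [302, { 'Location' => '/d/users/sign_in' }],
  'cookie path not rewritten' => [200, { 'Set-Cookie' => '_session=x; path=/; HttpOnly' }]
}.freeze

SAMPLES.each do |name, (status, headers)|
  puts format('%-26s %p', name, audit_proxied_response(status, headers))
end
```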