Arachni: Discussion: "Auditor" (support.arachni-scanner.com, discussions/questions/2872-auditor), last updated 2013-11-11

Tasos Laskos (2013-09-18 15:58 UTC):
<div><p>Yeah, no forms will be submitted at all if you disable that
option.<br>
But, you can exclude resources using exclusion filters (regular
expressions basically), so you can add filters to match the
<code>action</code> attributes of the forms you want to be
skipped.<br>
Those exclusion filters are global though, meaning that those
resources won't be touched at all during the scan.</p>
<p>Would that work for you?</p></div>

thomas.reuss (2013-09-18 16:08 UTC):
<div><p>Thanks a lot for clarifying!</p>
<p>If adding e.g. <code><form class="donttouchme"</code> to the
<em>Exclude Vectors</em> list in the Auditor is all I have to do,
to keep Arachni from firing that form, this will definitely
help!<br>
Will the rest of the page be touched, or does this mean, the whole
page is off limits?</p></div>

Tasos Laskos (2013-09-18 16:21 UTC):
<div><p><em>Exclude vectors</em> refers to input vectors. If the form
has a <code>name</code> input field for example and you added
<code>name</code> as a vector to be excluded, the <code>name</code>
input wouldn't be audited.</p>
<p>For the exclusion of resources by URL (like I was mentioning
before) you'll have to use the <em>Exclude</em> option under the
<em>Spider</em> options. You can use that to avoid auditing the
page to which the form's <code>action</code> attribute is set.
Meaning that any forms pointing to that sensitive resource will be
skipped.</p>
<p>To achieve something closer to what you described, you can
update the <code>action</code> of the form with something like
<code>/sensitive-page?some=params&do_not_audit</code> and then
add <code>do_not_audit</code> to the exclusion patterns.</p>
<p>If that doesn't work for you and you have to mark the forms to
be skipped in a different way, with like a <code>class</code>
attribute or something, I could write you a very simple plugin for
that.</p></div>

thomas.reuss (2013-09-19 08:02 UTC):
<div><p>Good morning Tasos,</p>
<p>again, thank you so much for clarifying these things: Now I
understand!<br>
Unfortunately, the <code>action</code>-attributes of our forms
usually are empty strings. Form-submits will be handled by the
MVC-Framework we're using. I guess there's no other way than using
such a plugin you described above.<br>
Thanks for your generous offer - such a plugin would be really
helpful and highly appreciated.</p>
<p>Best regards,<br>
Thomas</p></div>

Tasos Laskos (2013-09-19 11:48 UTC):
<div><p>No problem, man.<br>
But, hold up, are the forms submitted via JS? If so Arachni won't
be able to help you until v0.5 comes out.</p></div>

thomas.reuss (2013-09-19 15:51 UTC):
<div><p>That's the case here: Some of the forms (ironically exactly
those which have to be excluded) are submitted via JavaScript
:-/<br>
Seems like we'll have to wait until then with automated form
audits.</p>
<p>Thank you so much for your excellent support!</p></div>

Tasos Laskos (2013-09-19 15:54 UTC):
<div><p>Ah, so you don't have to exclude anything then, since Arachni
can't submit those forms anyways.</p></div>

thomas.reuss (2013-09-20 14:48 UTC):
<div><p>Hey Tasos,</p>
<p>sorry for bothering again!</p>
<p>I talked to the head developer, who clarified some facts:<br>
It turns out, those forms are not submitted via JavaScript
(although they appeared to be). They are actually posted to the
origin page, where the MVC-Controller checks for POST.</p>
<p>Cheers,<br>
Thomas</p></div>

Tasos Laskos (2013-09-20 17:52 UTC):
<div><p>You can add an action with just <code>?do_not_audit</code> then,
this will make things simpler for you. Otherwise I can write you a
plugin.</p></div>

thomas.reuss (2013-09-23 09:38 UTC):
<div><p>Unfortunately, I can't change the actions, since the software is
already live and the project manager is a bit concerned.<br>
If you could write that plugin, it would be of great help to
us!</p></div>

Tasos Laskos (2013-09-23 13:01 UTC):
<div><p>Sure thing, I'm a bit swamped today but I'll try to have it
ready for you by tomorrow night.</p></div>

Tasos Laskos (2013-09-23 13:27 UTC):
<div><p>You're planning to go with the <code>class</code> in the
<code><form></code> as the identifier, right?</p></div>

thomas.reuss (2013-09-23 13:44 UTC):
<div><p>Sure! No hurries! :-)</p>
<p>Exactly:<br>
We're using multiple forms on certain pages. The particular
<code>form</code> tags we need to exclude use <code>class</code>
attributes.</p></div>

Tasos Laskos (2013-09-24 17:15 UTC):
<div><p>Ok, give this a try and let me know how it works.</p></div>

thomas.reuss (2013-10-08 15:06 UTC):
<div><p>Hi Tasos,</p>
<p>totally overlooked your answer! I was able to get it to show up
in the plugin list and to enable it. Currently, there's a scan
running.</p>
<p>Apropos scan:<br>
Is there a log of which requests are being fired against a target
website? Our Firewall-Team asked if I could give them a little
presentation of Arachni and I'd like to show them some of the
malicious requests.</p>
<p>Thanks so much for this script - I'll give you feedback, as soon
as the scan is finished.</p>
<p>Thomas</p></div>

Tasos Laskos (2013-10-08 15:09 UTC):
<div><p>Hey Thomas,</p>
<p>You can enable the <code>--debug</code> flag and perform a brief
scan, this will show you exactly what's going on HTTP-wise.</p>
<p>Cheers</p></div>
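To make the three exclusion mechanisms discussed in the thread concrete (Spider <em>Exclude</em> URL patterns, Auditor <em>Exclude vectors</em>, and skipping a form by its <code>class</code>, which is what the requested plugin does), here is an added Python model of how each one decides what a form audit would touch. It is not Arachni code nor the plugin Tasos wrote; the page URL, the form markup and the class name <code>donttouchme</code> are constructed for the example, and it also shows why empty <code>action</code> attributes defeat URL-based exclusion.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample page (not from the thread): two forms with empty actions,
# one of them marked with the class from the thread, plus one form whose action
# carries the do_not_audit marker Tasos suggested.
SAMPLE_PAGE = """
<form action="" method="post"><input name="q"></form>
<form class="donttouchme" action="" method="post"><input name="email"><input name="name"></form>
<form action="/sensitive-page?some=params&do_not_audit" method="post"><input name="amount"></form>
"""


class FormCollector(HTMLParser):
    """Collects every <form> with its action, class list and input names."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "",
                               "class": (a.get("class") or "").split(),
                               "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append(a.get("name"))


def audit_plan(page_url, html, exclude_urls=(), skip_classes=(), exclude_vectors=()):
    """Per form: (effective action URL, inputs that would be audited), or None if skipped.
    exclude_urls    - regexes matched against the effective action (Spider > Exclude)
    skip_classes    - class names that mark a form as off limits (the plugin approach)
    exclude_vectors - input names never audited, form still submitted (Exclude vectors)"""
    collector = FormCollector()
    collector.feed(html)
    plan = []
    for form in collector.forms:
        # An empty action resolves to the page itself, as with the MVC controller in the thread,
        # so every such form on the page shares one URL and a URL pattern cannot tell them apart.
        target = urljoin(page_url, form["action"])
        if any(re.search(rx, target) for rx in exclude_urls) or set(form["class"]) & set(skip_classes):
            plan.append(None)
            continue
        plan.append((target, [i for i in form["inputs"] if i not in exclude_vectors]))
    return plan


def demo(url="http://example.test/account"):
    by_url = audit_plan(url, SAMPLE_PAGE, exclude_urls=[r"do_not_audit"])
    by_class = audit_plan(url, SAMPLE_PAGE, exclude_urls=[r"do_not_audit"],
                          skip_classes=["donttouchme"], exclude_vectors=["name"])
    return by_url, by_class
```

With only the URL pattern, the marked form is still audited because its empty action resolves to the same page URL as the harmless form; the class marker skips exactly that form, and the vector exclusion only drops the <code>name</code> input without skipping any form.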