Can arachni damage a website?
Hi,
I'm quite new to using arachni and I've been told that arachni could deface/modify the tested website (I've been told that arachni could put a banner "hacked by arachni" or something like that).
I'm quite surprised because I've seen nothing about that on the internet or on your website.
When I used arachni on a personal VM I didn't see anything changed on my website.
As I want to be careful on that topic, I would like to know if it's true or not.
If it is, what configuration should I use to limit as much as possible the damage to the scanned website?
Thank you for the answer and have a nice day :)
Support Staff 1 Posted by Tasos Laskos on Jun 16, 2014 @ 01:42 PM
Hi there,
It won't deface your website but as it will fuzz as many inputs as it can find, it may create a hefty amount of spam.
If, for example, you've got a comments section, it will post the associated form using a lot of different payloads.
As for generic damage, it's generally understood that you shouldn't scan production servers with any tool. Scanners are, in essence, used to discover bugs, so if you've got a bug in your web application which can, say, corrupt your DB, then it stands to reason that the scanner could trigger that behaviour.
This sort of issue lies mainly with SQL injections. Let's say you've got an SQL query to delete an entry by `id` and that query can be manipulated; there could be a scenario where the injected payload could alter that query in a way that ignores the `id` restriction and deletes all entries.
The only way to limit the risk would be to disable a lot of the security checks, but that won't leave you with much coverage.
In general, it's best to scan a test server instead.
Does that answer your question?
Cheers
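The scenario in the answer above, as an added example that is not part of the discussion or of the Arachni project: a delete-by-id query built by string formatting next to the parameterised form, run against a constructed in-memory SQLite table. The fuzzed value `2 OR 1=1` is an assumed scanner-style payload; the table name and rows are made up for the demonstration.

```python
import sqlite3

# Constructed sample rows (assumed for this example, not from the discussion).
ROWS = [(1, "first"), (2, "second"), (3, "third")]


def make_db():
    """Fresh in-memory database with a small comments table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO comments VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def remaining(conn):
    """Ids still present, so the effect of each delete can be compared."""
    return [r[0] for r in conn.execute("SELECT id FROM comments ORDER BY id")]


def delete_by_id_vulnerable(conn, entry_id):
    # The form value is pasted straight into the statement, so whatever a
    # scanner fuzzes into the field becomes part of the WHERE clause. A value
    # such as "2 OR 1=1" makes the condition true for every row.
    conn.execute(f"DELETE FROM comments WHERE id = {entry_id}")
    conn.commit()
    return remaining(conn)


def delete_by_id_safe(conn, entry_id):
    # Bound parameter: the value is sent separately from the SQL text, so the
    # WHERE clause keeps its shape and "2 OR 1=1" simply matches no id.
    conn.execute("DELETE FROM comments WHERE id = ?", (entry_id,))
    conn.commit()
    return remaining(conn)


if __name__ == "__main__":
    # Form values arrive as strings, so both cases are exercised with strings.
    print(delete_by_id_vulnerable(make_db(), "2"))          # [1, 3]
    print(delete_by_id_vulnerable(make_db(), "2 OR 1=1"))   # []
    print(delete_by_id_safe(make_db(), "2"))                # [1, 3]
    print(delete_by_id_safe(make_db(), "2 OR 1=1"))         # [1, 2, 3]
```

The parameterised version is the fix; a scanner only triggers the wholesale delete when the application already has the concatenation bug.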
2 Posted by Max on Jun 16, 2014 @ 02:56 PM
Yeah, thank you for the answer.
That's what I was looking for.
Cheers :)
Tasos Laskos closed this discussion on Jun 16, 2014 @ 02:58 PM.