Arachni: Discussion (2017-03-16T20:05:09Z)
Multi-domain support

2017-03-15T07:36:47Z
<div><p>Hi</p>
<p>We would love to use Arachni but as far as I understand you can only have one domain name (plus subdomains) per scan at the moment. Do you have any plans to support multiple domain names for a single scan?</p>
<p>Our application has a single UI on one domain, but uses multiple back-end APIs on other domain names.</p>
<p>Thanks</p></div>
Andy

2017-03-15T10:54:45Z
<div><p>You make a fair point, although the current approach is much more tidy and to be honest, when testing APIs it's better to follow the approach laid out by this article: <a href="http://support.arachni-scanner.com/kb/general-use/service-scanning">http://support.arachni-scanner.com/kb/general-use/service-scanning</a></p>
<p>Would that work for you?</p></div>
Tasos Laskos

2017-03-15T23:32:40Z
<div><p>Thanks for the article link. My immediate concern would be that we change our APIs all the time, so we will need to re-train very often. As the article suggests though, we can automate this setup and run a UI test suite through the proxy without much manual intervention. More work than we had hoped for - but it should work!</p>
<p>If Arachni won't crawl through the "pages" created by our script, doesn't it potentially leave client-side vulnerabilities undetected? E.g. isn't it possible for XSS/CSRF flaws to be present beyond the first screen that will now not be detected?</p></div>
Andy

2017-03-16T11:05:49Z
<div><p>I see what you mean, I guess the best approach would be a new scope option to serve as a domain whitelist, right?</p></div>
Tasos Laskos

2017-03-16T12:19:36Z
<div><p>Yes, that is exactly what I had in mind. It would allow us to define a target site as an entry point, but white-list other relevant domains to be considered as being part of the same application.</p></div>
Andy

2017-03-16T20:05:08Z
<div><p>I'm not sure when I'll be able to get to it, but you can subscribe to <a href="https://github.com/Arachni/arachni/issues/853">this issue</a> for updates.</p>
<p>Thanks for the feedback.</p></div>
Tasos Laskos