XST Result depending on order of url in scope-restrict-paths file

sebastien.aucouturier

08 Feb, 2016 06:58 AM

Hi,
I got this strange behaviour:
I know my website is vulnerable to XST on https, not on http.
I run arachni-1.3.2-0.5.9 (official Linux download) using this command line:

arachni --checks=xst https://172.16.151.135 --browser-cluster-pool-size=0 --scope-auto-redundant=1 --scope-restrict-paths=./urls

If the urls file contains:
http://172.16.151.135/
https://172.16.151.135/

XST is not detected:
[+] http://172.16.151.135/
[+] https://172.16.151.135/

[~] Total: 2
[+] Without issues: 2
[-] With issues: 0 ( 0% )

If the urls file contains (only the URL order swapped):
https://172.16.151.135/
http://172.16.151.135/

XST is detected:
[+] http://172.16.151.135/
[-] https://172.16.151.135/

[~] Total: 2
[+] Without issues: 1
[-] With issues: 1 ( 50% )

I can run again to provide you more logs if needed.
Thanks a lot.

  1. Support Staff 1 Posted by Tasos Laskos on 08 Feb, 2016 07:06 AM

    That check only runs for the first page, hadn't considered the server switch upon protocol switch.

    Unfortunately, the fix for this won't make it into v1.4 as I've already started the release process.

    Thanks for the feedback.

  2. 2 Posted by sebastien.aucou... on 08 Feb, 2016 07:18 AM

    Thanks for the fast reply.

  3. Support Staff 3 Posted by Tasos Laskos on 15 Feb, 2016 01:56 PM

    This should be fixed in the nightlies.

    Cheers

  4. Tasos Laskos closed this discussion on 15 Feb, 2016 01:56 PM.
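
An added illustration, not Arachni's code or its actual fix, of why the URL order changed the result: a check that probes only the first page reports whatever that page's server does, while probing once per origin (scheme, host, port) is order-independent. The helper names and `FAKE_PROBE` are hypothetical; the probe is a constructed stand-in that mirrors the report (TRACE enabled on HTTPS, not on HTTP) so the example runs offline.

```ruby
require 'uri'
require 'set'

# Origin = scheme + host + port. http:// and https:// on the same IP can be
# answered by different servers or vhosts with different TRACE settings.
def origin_of(url)
  u = URI.parse(url)
  "#{u.scheme}://#{u.host}:#{u.port}"
end

# Behaviour described in the thread: the check runs for the first page only.
def first_page_only(urls, probe)
  first = urls.first
  first && probe.call(first) ? [origin_of(first)] : []
end

# Order-independent variant: probe each distinct origin exactly once.
def once_per_origin(urls, probe)
  seen = Set.new
  urls.each_with_object([]) do |url, flagged|
    origin = origin_of(url)
    next unless seen.add?(origin) # add? returns nil if already probed
    flagged << origin if probe.call(url)
  end
end

# Constructed stand-in for a real TRACE request (assumption, matches the
# report): the HTTPS server echoes TRACE, the HTTP server does not.
FAKE_PROBE = ->(url) { URI.parse(url).scheme == 'https' }

# The two file orders from the original post.
HTTP_FIRST  = %w[http://172.16.151.135/ https://172.16.151.135/].freeze
HTTPS_FIRST = HTTP_FIRST.reverse.freeze

if __FILE__ == $PROGRAM_NAME
  [HTTP_FIRST, HTTPS_FIRST].each do |urls|
    puts "order: #{urls.join(' ')}"
    puts "  first page only: #{first_page_only(urls, FAKE_PROBE).inspect}"
    puts "  once per origin: #{once_per_origin(urls, FAKE_PROBE).inspect}"
  end
end
```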
