FP in cookie #2

John

21 Mar, 2017 05:33 PM

Hello, Arachni found a few SQLi on different websites (cookies) and all of them are FPs; one of them:

Is there anything to change to avoid such FPs?

  1. Posted by John on 21 Mar, 2017 05:35 PM

    vuln:

  2. Posted by Tasos Laskos (Support Staff) on 22 Mar, 2017 05:08 AM

    Can you attach the full issue data rather than just the vector please?

  3. Posted by John on 22 Mar, 2017 11:27 AM

    Of course, sent it via email :)

  4. Posted by Tasos Laskos (Support Staff) on 22 Mar, 2017 01:41 PM

    Got it, thanks.

  5. Posted by Tasos Laskos (Support Staff) on 24 Mar, 2017 01:44 PM

    I tried to reproduce a few but I couldn't, and I don't want to run a full scan against a production server.
    I'll leave this issue open, so if you come across any more such cases please let me know; I hope the new cases will be more clear-cut.

  6. Posted by John on 24 Mar, 2017 01:50 PM

    I've got two more already; they are the same: in a cookie, with a strange vector.

  7. Posted by Tasos Laskos (Support Staff) on 24 Mar, 2017 01:51 PM

    Same site?

  8. Posted by John on 24 Mar, 2017 01:58 PM

    No, another. I need some time to find the scan logs; will send them as soon as I find them.

  9. Posted by Tasos Laskos (Support Staff) on 24 Mar, 2017 01:58 PM

    Great, thanks.

  10. Posted by John on 24 Mar, 2017 04:03 PM

    Sent via email.

  11. Posted by Tasos Laskos (Support Staff) on 25 Mar, 2017 01:24 PM

    You seem to be killing the DB, and at some point during the gathering of the responses for the differential analysis the sites return errors; this leads to the data being corrupted and to the FP.

    Problem is that you can't get around this. There are safeguards in place to prevent this to an extent, but if the error occurs at precisely the right time in the right way then you'll get an FP.

    The only way to fix this issue is to lower the HTTP concurrency setting to a level that doesn't stress the server.
    Also, since the DB gets shot, this can lead not only to FPs but to FNs too, since you're basically disabling the sites for a short while.

  12. Posted by John on 26 Mar, 2017 05:31 PM

    It can't be server stress because:
    1. Responses are stable during the whole scan
    2. FPs appear at the same place every time I tried to rescan (all websites)
    So it still seems to me to be an Arachni-side problem. Do you have any other ideas about such cases?

  13. Posted by Tasos Laskos (Support Staff) on 26 Mar, 2017 05:43 PM

    1. That's not relevant; I said the DB server got stressed, not the HTTP one. In fact, response times would be better if the DB server had died or stopped responding due to some usage allotment being exceeded, because you'd get an immediate error.
    2. If a usage limit was indeed exceeded, it would happen at the same time, wouldn't it? The same amount of requests would be made, after which you'd get the error.

    Also, one of the pages in the JSON report you provided was actually a DB error page, so I'm fairly certain I'm right.
    In addition, the issues couldn't be reproduced individually, so that also points to Arachni not being the issue, but to the server changing its behavior at some point during the scan.

    If you get more such issues I would love to see them, but so far everything points to the problem being server-side rather than Arachni.
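The failure mode described in posts 11 and 13 (a DB that starts erroring part-way through the response gathering, so that probe responses differ from the baseline for reasons unrelated to injection) is easy to reproduce in miniature. The following is an added example written for this thread, not Arachni's code: a toy boolean-based differential check for a cookie value, run against a constructed fake server whose database "dies" after a configurable number of requests. The naive comparison reports a false positive in that case; a guarded version that rejects recognisable DB error pages and re-fetches the control after the probes reports "inconclusive" instead. The probe strings, error markers and `FakeServer` behaviour are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed probes for a boolean-based differential check on a cookie value.
# The control is the original value; on a vulnerable target the TRUE probe
# should leave the page unchanged and the FALSE probe should alter it.
CONTROL = "session=abc"
TRUE_PROBE = "session=abc' AND '1'='1"
FALSE_PROBE = "session=abc' AND '1'='2"

# Constructed substrings that identify a database error page.
DB_ERROR_MARKERS = ("could not connect", "too many connections", "sql error")

Fetch = Callable[[str], str]


@dataclass
class FakeServer:
    """Constructed stand-in for a target site (not a real application).

    `fail_after` models a database that refuses connections after that many
    requests; `silent` makes the failure page generic instead of carrying an
    obvious DB error message.
    """
    vulnerable: bool
    fail_after: Optional[int] = None
    silent: bool = False
    requests: int = 0

    def get(self, cookie: str) -> str:
        self.requests += 1
        if self.fail_after is not None and self.requests > self.fail_after:
            if self.silent:
                return "<html>Service temporarily unavailable</html>"
            return "<html>500: could not connect to database</html>"
        # On a vulnerable target the FALSE condition changes the rendered page.
        if self.vulnerable and "'1'='2" in cookie:
            return "<html>Welcome, guest</html>"
        return "<html>Welcome, John</html>"


def gather(fetch: Fetch, samples: int = 3) -> Tuple[List[str], List[str], List[str]]:
    """Collect response bodies in scanner order: control samples first,
    then TRUE probes, then FALSE probes."""
    control = [fetch(CONTROL) for _ in range(samples)]
    true_r = [fetch(TRUE_PROBE) for _ in range(samples)]
    false_r = [fetch(FALSE_PROBE) for _ in range(samples)]
    return control, true_r, false_r


def naive_verdict(control: List[str], true_r: List[str], false_r: List[str]) -> str:
    """Compare probe responses against the first control response only."""
    baseline = control[0]
    if all(b == baseline for b in true_r) and all(b != baseline for b in false_r):
        return "vulnerable"
    return "clean"


def looks_like_db_error(body: str) -> bool:
    lowered = body.lower()
    return any(marker in lowered for marker in DB_ERROR_MARKERS)


def guarded_verdict(fetch: Fetch, control: List[str], true_r: List[str],
                    false_r: List[str]) -> str:
    """Same comparison, but refuse to conclude anything when the target's
    behaviour changed while the samples were being gathered."""
    # Guard 1: any sample that is recognisably a DB error page invalidates the run.
    if any(looks_like_db_error(b) for b in control + true_r + false_r):
        return "inconclusive"
    # Guard 2: re-fetch the control after the probes; if it no longer matches
    # the baseline taken before them, the server changed underneath us.
    if fetch(CONTROL) != control[0]:
        return "inconclusive"
    return naive_verdict(control, true_r, false_r)


def scan(server: FakeServer, samples: int = 3) -> Tuple[str, str]:
    """Return (naive verdict, guarded verdict) for one constructed target."""
    control, true_r, false_r = gather(server.get, samples)
    return (naive_verdict(control, true_r, false_r),
            guarded_verdict(server.get, control, true_r, false_r))


if __name__ == "__main__":
    # Healthy vulnerable target: both approaches agree.
    print(scan(FakeServer(vulnerable=True)))                  # ('vulnerable', 'vulnerable')
    # Healthy clean target.
    print(scan(FakeServer(vulnerable=False)))                 # ('clean', 'clean')
    # Clean target whose DB dies after the control and TRUE samples
    # (3 + 3 = 6 requests): every FALSE probe now differs from the baseline,
    # so the naive comparison reports a false positive.
    print(scan(FakeServer(vulnerable=False, fail_after=6)))   # ('vulnerable', 'inconclusive')
    # Same failure with a generic error page: only the re-fetch guard catches it.
    print(scan(FakeServer(vulnerable=False, fail_after=6, silent=True)))  # ('vulnerable', 'inconclusive')
```

The second guard is the one that matters in practice: error pages do not always announce themselves, but a control request that stops matching its own earlier baseline is a reliable sign that the comparison data is no longer trustworthy. It also shows why the FPs in this thread recur at the same spot on every rescan: with the same request ordering and volume, the backend gives out at the same point each time.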

  14. Posted by John on 26 Mar, 2017 05:46 PM

    OK, I'll try tomorrow with a lower concurrency level (what should I use? How many browsers in the cluster?)

  15. Posted by Tasos Laskos (Support Staff) on 26 Mar, 2017 05:47 PM

    I'd say play it safe and set HTTP concurrency to 5 and browsers to 2. It'll take a long time but could prevent the errors. It may not though, I can't know for sure.

  16. Posted by John on 26 Mar, 2017 05:49 PM

    OK, will send you the results tomorrow.

  17. Posted by Tasos Laskos (Support Staff) on 27 Mar, 2017 02:19 PM

    Summary of e-mail discussion for posterity: verified as a server issue; the DB started refusing connections, and thus the results of such scans are meaningless.

  18. Tasos Laskos closed this discussion on 27 Mar, 2017 02:19 PM.
