No browser jobs when running scan with vector_feed plugin

rgutie01's Avatar

rgutie01

16 Jun, 2017 02:46 AM

I'm running a scan using the vector feed plugin with a vector.yml file created from a manual crawl of the application. During the scan, I'm noticing that no browser jobs are being kicked off which would mean no DOM based checks are being done? Any idea why this would happen?

Sample Command:

./arachni --scope-include-pattern ".*<URL>.*" --scope-exclude-binaries --scope-exclude-pattern ".*sign_(out|in)" --scope-auto-redundant 1 --http-cookie-string "_session_id=<SESSIONID>" --platforms-no-fingerprinting --platforms "linux,sql,pgsql,nginx,ruby,rack,rails" --snapshot-save-path "/tmp" --checks "code_injection,code_injection_timing,file_inclusion,ldap_injection,os_cmd_injection,os_cmd_injection_timing,path_traversal,rfi,source_code_disclosure,sql_injection*,trainer,unvalidated_redirect,unvalidated_redirect_dom,xpath_injection,xss*,xxe,directory_listing,cookie_set_for_parent_domain,hsts,html_objects,http_only_cookies,insecure_cookies,insecure_cors_policy,mixed_resource,private_ip,ssn,x_frame_options,insecure_client_access_policy,insecure_cross_domain_policy_access,origin_spoof_access_restriction_bypass" --http-request-concurrency 5 --audit-links --audit-forms --audit-jsons --audit-ui-forms --audit-ui-inputs --http-request-redirect-limit 2 --plugin=vector_feed:yaml_file="/Users/ron.gutierrez/tools/arachni-1.5.1-0.5.12/vectors.yml" --browser-cluster-pool-size 6 "https://<URL>"
  1. Support Staff 1 Posted by Tasos Laskos on 18 Jun, 2017 10:33 AM

    Tasos Laskos's Avatar

    The vector_feed plugin files don't include context that is necessary for DOM operations.

  2. 2 Posted by rgutie01 on 19 Jun, 2017 01:45 PM

    rgutie01's Avatar

    Thats a shame. I was using the vector_feed plugin to feed in valid POST data for the various actions within our application. I was noticing that when scanning using the crawling mode, it wasn't testing a good chunk of non-GET requests and if it did it wouldn't be able to set valid for data.

    Do you have another approach I can take with this so that I can perform a scan that includes DOM checks and also utilizes my input data?

  3. Support Staff 3 Posted by Tasos Laskos on 19 Jun, 2017 03:42 PM

    Tasos Laskos's Avatar

    DOM checks should still be performed, just not based on the vector_feed data, same as if you hadn't used that plugin.

Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:

»

Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac