Sqli_blind_rdiff module FPs
I was doing some tests yesterday/today and I think there are some issues with this module. Until now I tested a few links and, from the data I get from the report, did try to reproduce the actual attack (including cookies) but with no success; I even passed the affected link to another good scanner and there was no detection. So far it happened on link and headers.
Support Staff 1 Posted by Tasos Laskos on 07 Aug, 2013 12:49 AM
Fixed: https://github.com/Arachni/arachni/commit/38ed28d4f3eef6d559be905a3...
Tasos Laskos closed this discussion on 07 Aug, 2013 12:49 AM.
Tasos Laskos re-opened this discussion on 07 Aug, 2013 01:32 AM
Support Staff 2 Posted by Tasos Laskos on 07 Aug, 2013 01:32 AM
I better say that I think that I fixed it as I didn't have the means to reproduce your issue.
Tasos Laskos closed this discussion on 07 Aug, 2013 01:32 AM.
user021 re-opened this discussion on 07 Aug, 2013 09:42 AM
3 Posted by user021 on 07 Aug, 2013 09:42 AM
I think something went wrong with the fix
./arachni --audit-link --link-count=1 --user-agent=Mozila --modules=sqli_blind_rdiff -v 'http://www.uniqlo.com/uk/store/search.do?fid=header_search&qstart=0&qtext=Silk&sort=goods_disp_priority&x=16'+and+'1&y=16'
-with the fix:
[~] Sent 4937 requests.
[~] Received and analyzed 2410 responses.
[~] In 00:18:47
[~] Average: 2 requests/second.
(and still going)
-before the fix:
[~] Sent 2449 requests.
[~] Received and analyzed 1369 responses.
[~] In 00:00:52
[~] Average: 25 requests/second.
(and finished)
Support Staff 4 Posted by Tasos Laskos on 07 Aug, 2013 02:21 PM
A few issues:
path_traversal module, the increased responses required for more accuracy/coverage end up killing the server. (I may have to reduce the default HTTP request concurrency to keep the servers responsive.)
5 Posted by user021 on 07 Aug, 2013 03:06 PM
Yeah, it does a lot more requests but seems less likely to miss something (the blind rdiff module); it just found a vuln on another site that wasn't detected without the fix.
[~] Sent 1057 requests.
[~] Received and analyzed 1057 responses.
[~] In 00:14:09
[~] Average: 1 requests/second.
[~] Sent 290 requests.
[~] Received and analyzed 290 responses.
[~] In 00:01:24
[~] Average: 3 requests/second.
PS: with the old version I ran the scan twice and had the same number of requests (290) but sadly it failed to detect the vuln (confirmed with sqlmap).
Support Staff 6 Posted by Tasos Laskos on 07 Aug, 2013 03:13 PM
That's great then. The site that behaves weirdly still yields the same FPs, but the coverage has increased in general, so it still comes out on top -- and I just managed to reduce the requests for the updated version too.
I don't think that I'll be able to do anything for the site with the FPs as it changes behavior with each request.
Support Staff 7 Posted by Tasos Laskos on 07 Aug, 2013 09:32 PM
So, closing this since there's nothing more to be done.
Tasos Laskos closed this discussion on 07 Aug, 2013 09:32 PM.
user021 re-opened this discussion on 03 Sep, 2013 07:30 AM
8 Posted by user021 on 03 Sep, 2013 07:30 AM
Might have found another FP: when I visit it for the second time without clearing cookies, down at the bottom appears "Recently Viewed" and the book name. Also, I was trying to repro the attack, but without raw request data there's almost no chance, since Arachni bruteforces the headers and when there are a lot of requests from the server it's hard to figure out where :) Anyway, from the report, ignoring the "Recently Viewed", one more thing changes: "Add to Bag" to "Add to Chart". I ran the browser through Burp when I was trying to render the HTML response from the report and I saw no changes in the User-Agent, why?
Support Staff 9 Posted by Tasos Laskos on 03 Sep, 2013 03:53 PM
Yeah, that's a bit tricky; if the page shows recently viewed items these will always change and there's no way to baseline them while they go from none to any and from any to max.
Will think about it, see if I can come up with something.
10 Posted by user021 on 21 Sep, 2013 04:30 PM
This might not be related exactly to the above example, but I was reading about blind SQLi and stepped over this: "All scanners have the capability to specify an error page. If you can do that, it would eliminate some junk." and I can't remember, do we have that feature?
Support Staff 11 Posted by Tasos Laskos on 21 Sep, 2013 04:33 PM
Arachni doesn't need that, but it's not relevant to this particular issue anyway.
12 Posted by user021 on 22 Sep, 2013 09:34 AM
Got a new possible FP, and for some reason I can't render the HTML response from the report.
Support Staff 13 Posted by Tasos Laskos on 22 Sep, 2013 11:53 AM
There must have been no response then; could you send me the AFR to make sure?
Support Staff 14 Posted by Tasos Laskos on 22 Sep, 2013 02:08 PM
Btw, I haven't fixed this yet because this is not a straightforward bug; it only happens when the webapp behavior drastically changes between probes, much more than the algorithm can tolerate.
So until we come across a case which allows me to reproduce this, there's not much I can do.
15 Posted by user021 on 22 Sep, 2013 03:07 PM
Well, the initial URL that I sent to be scanned by Arachni, opened in a browser, was apparently no response, just a white page, but while opening the page source I could see something; the resulting audited URL was still the same white page, so I have no idea what confused it. As for the blind rdiff module, I'd rather it be more comprehensive, even if that means it takes longer to run and maybe gets some FPs, than completely miss a vulnerability. Anyway, here's the AFR report.
Support Staff 16 Posted by Tasos Laskos on 25 Sep, 2013 06:30 PM
I just pushed an update to the RDiff analysis technique: https://github.com/Arachni/arachni/commit/c488d330df0a5e13fc144d25a...
It should solve your problem, and if not, I should be able to tweak it to solve it.
17 Posted by user021 on 26 Sep, 2013 07:41 AM
It's fixed, in the way that it doesn't audit it if the response is empty, so I'm wondering: if we go that way, can't we miss something more than before the fix in the future?
Support Staff 18 Posted by Tasos Laskos on 26 Sep, 2013 09:22 AM
I don't think so; this isn't like a compromise I made to remove FPs, it's more like a bug I fixed to prevent them.
Tasos Laskos closed this discussion on 26 Sep, 2013 09:22 AM.
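The three false-positive sources raised in this thread (a page whose "Recently Viewed" block drifts between identical requests, an empty response that gets audited anyway, and an application whose behaviour changes more between probes than a differential comparison can tolerate) come down to one design question: when is a response difference evidence, and when is it noise? The following Ruby block is an added example written for this page; it is not Arachni's rdiff code and does not reproduce its real decision rule. It assumes a simplified differential analysis (a finding requires the "true" condition to match the baseline while the "false" condition differs from it), a caller-supplied `fetch` callable that returns a body for one of three abstract conditions, and four constructed sample applications standing in for the sites discussed above. No injection payloads are involved; the conditions are abstract so that the stability checks themselves are what the example shows.

```ruby
require 'digest'

# Possible outcomes of the differential analysis.
NO_RESPONSE       = :no_response       # empty body: do not audit (the fix discussed in comments 16-18)
UNSTABLE          = :unstable          # identical probes return different content (the "Recently Viewed" case)
NO_DIFFERENCE     = :no_difference     # conditions make no observable difference
LIKELY_VULNERABLE = :likely_vulnerable # true/false conditions diverge on an otherwise stable page

# Reduce a body to a comparable fingerprint; whitespace-only drift is ignored.
# Assumption: this simple normalisation is enough for the constructed pages below.
def fingerprint(body)
  Digest::SHA256.hexdigest(body.gsub(/\s+/, ' ').strip)
end

# fetch: callable taking :baseline, :true or :false and returning the response body.
# Every condition is requested `rounds` times. If any request comes back empty the
# audit is skipped; if identical requests disagree with each other the page is
# classified as unstable instead of being compared across conditions, which is the
# check that would have kept the drifting "Recently Viewed" page out of the report.
def rdiff_analyze(fetch, rounds: 2)
  samples = {}
  [:baseline, :true, :false].each do |cond|
    bodies = Array.new(rounds) { fetch.call(cond) }
    return NO_RESPONSE if bodies.any? { |b| b.nil? || b.strip.empty? }
    prints = bodies.map { |b| fingerprint(b) }.uniq
    return UNSTABLE unless prints.size == 1
    samples[cond] = prints.first
  end

  if samples[:true] == samples[:baseline] && samples[:false] != samples[:baseline]
    LIKELY_VULNERABLE
  else
    NO_DIFFERENCE
  end
end

# Constructed sample page used by the simulated applications below.
PRODUCT_PAGE = '<h1>Silk scarf</h1><p>Add to Bag</p>'.freeze

# Constructed app whose output genuinely depends on the injected condition:
# the false condition yields an empty result set, the true one matches the baseline.
def make_stable_vulnerable_app
  ->(cond) { cond == :false ? '<h1>No results</h1>' : PRODUCT_PAGE }
end

# Constructed app that appends a growing "Recently Viewed" list on every request,
# regardless of condition, as described in comment 8. No two responses match.
def make_recently_viewed_app
  seen = []
  lambda do |_cond|
    seen << "item#{seen.size + 1}"
    items = seen.map { |i| "<li>#{i}</li>" }.join
    "#{PRODUCT_PAGE}<h2>Recently Viewed</h2><ul>#{items}</ul>"
  end
end

# Constructed app that answers every request with a blank page (comment 15).
def make_empty_app
  ->(_cond) { '' }
end

# Constructed app that ignores the condition entirely.
def make_stable_safe_app
  ->(_cond) { PRODUCT_PAGE }
end

if __FILE__ == $PROGRAM_NAME
  { 'stable vulnerable' => make_stable_vulnerable_app,
    'recently viewed'   => make_recently_viewed_app,
    'empty'             => make_empty_app,
    'stable safe'       => make_stable_safe_app }.each do |name, app|
    puts "#{name}: #{rdiff_analyze(app)}"
  end
end
```

The `rounds` parameter is the trade-off the thread keeps returning to: more repetitions per condition mean more requests per input (the request counts user021 posted roughly tripled after the first fix) but a lower chance of mistaking per-request drift for an injection-dependent difference. A page that stabilises only after its "Recently Viewed" list reaches its maximum would still pass the stability check once enough warm-up requests have been made, which is one way to read the "from any to max" remark in comment 9.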