Excluding URLs in WebGUI problem/not working
Hi,
I try to learn and study Arachni by scanning DVWA (Damn
Vulnerable Web Application).
Also I tried to scan two of my PHP apps... My problem is that I
can't force Arachni to exclude some URLs that I don't want to
scan.
For instances URL including "CSS" or "logout".
What format should the patter have, when entered into WebGUI? Do I make something wrong?
I am posting screenshots of the Profile created in WebGUI and also example of apache Logs that are showing, that arachni is still accessing "logout.php" or crawling /css/ or /docs/ directories and files.
Thanks,
Tomas
Snímka_obrazovky_2015-06-13_o 17.35.48.png
Snímka_obrazovky_2015-06-13_o 17.24.07.png
Snímka_obrazovky_2015-06-13_o 17.23.45.png
Snímka_obrazovky_2015-06-13_o 17.20.27.png
Comments are currently closed for this discussion. You can start a new one.
Keyboard shortcuts
Generic
| ? | Show this help |
|---|---|
| ESC | Blurs the current field |
Comment Form
| r | Focus the comment reply box |
|---|---|
| ^ + ↩ | Submit the comment |
You can use Command ⌘ instead of Control ^ on Mac
Support Staff 1 Posted by Tasos Laskos on 13 Jun, 2015 09:12 PM
Hello,
I do see "login.php" being included, which it shouldn't have been, but it's only that. I don't see "docs" specified in the excluded patterns list nor do I see anything matching "css" being included.
My best guess is that the configuration works but you're getting redirected to the login page due to an invalid session. Some operations automatically follow redirects and those redirects override the scope.
Can this be the case?
Cheers
2 Posted by Tomas on 14 Jun, 2015 06:18 PM
Hi,
Thank you for your reply.
I am using predefined cookies with existing session. That's why I try to avoid calling the logout.php. Anyway I played with it and maybe something is wrong on my box that is running Arachni.
For instance, when I set the scope pattern to "vulnerabilities", then no test are done on http://host/DVWAP/vulnerabilities/.... And that is strange. I think, all logs I provided are only part of crawling, but no active scanning.
When I use the "default" profile, then anything is working fine. As long as I clone the profile and edit scope patterns, to optimize the scan, then it behaves with the exact opposite, what I would expect or wanted to do :)
That's Why, I just wanted to ask, if the patters As I use them, have the right format. If for example : vulnerabilities, should match http://host/DVWAP/vulnerabilities/sqli or maybe I should use some other format.
I think I will dig deeper with using CLI .. Thanks for support. Have a great day. Bye
Please don't spend your time with my thread! Please :)!
I will check it again. No problem. Arachni is a cool and power tool, that did showed me a lot. I just have to spend more time with it.
Thanks, Bye.
Support Staff 3 Posted by Tasos Laskos on 14 Jun, 2015 11:00 PM
Hahaha fair enough, I'll let you have the joy of discovery.
If you get stuck re-open this discussion and we'll sort it out.
The patterns are correct in their format though.
Do keep in mind, those educational webapps make terrible targets because they require a slew of special configuration.
I'd suggest trying out the command-line interface to familiarize yourself with Arachni, as that'll give you enough feedback on the scanner's behavior to debug your configuration.
Cheers
Tasos Laskos closed this discussion on 14 Jun, 2015 11:00 PM.