Backup file check
Hi,
Is there a reason why Arachni is flagging jpg files as a "backup file in server"? (e.g. http://www..com/img/gallery/london/image_15.jpg)
thanks!
Comments are currently closed for this discussion. You can start a new one.
Keyboard shortcuts
Generic
? | Show this help |
---|---|
ESC | Blurs the current field |
Comment Form
r | Focus the comment reply box |
---|---|
^ + ↩ | Submit the comment |
You can use Command ⌘
instead of Control ^
on Mac
Support Staff 1 Posted by Tasos Laskos on 14 Feb, 2016 07:56 AM
Hello,
Is it actually mydomain.com or did you use that as a placeholder? (mydomain.com actually exists).
Cheers
2 Posted by corelanc0d3r on 14 Feb, 2016 08:02 AM
heh sorry, placeholder :)
Support Staff 3 Posted by Tasos Laskos on 14 Feb, 2016 08:06 AM
OK, I'm guessing there's an image at http://www.mydomain.com/img/gallery/london/image_1.jpg (probably listed as the "referring page" in the report), one of the backup filename formats is appending numbers, thus
image_1
becomesimage_15
and if it exists then it gets logged.By default, Arachni considers all resources as being within the scan scope, you can however configure it to your liking.
Does that sound like your situation?
4 Posted by corelanc0d3r on 14 Feb, 2016 08:11 AM
yep - pretty common scenario actually with image galleries :-) ...
the 'problem' with setting the exclude scope is that it requires a lot of manual work first, to go through the website tree and find those cases.
Maybe it would make sense to only flag files that have an number appended, when they are not images ?
Support Staff 5 Posted by Tasos Laskos on 14 Feb, 2016 08:19 AM
Sounds like a bit of a hassle, but this check is ultimately up to the user. Like there could be a legitimate reason for
index.php.bak
to exist, it's impossible to actually tell if something truly is a backup.And I don't like messing with the scope, so this check utilizes some enumeration and that should apply to all resources within the scope, and by default everything is within scope.
Now if the logged resource was something like a custom-404 or something that would be unacceptable and outright an FP and a bug, in these cases however it's up to the user to either configure Arachni appropriately or use their judgement afterwards.
I do however think that it would be a good idea to add a remark to these issues, letting the user know of how Arachni came to check for the logged resource, how the filename was manipulated, that should help clear things up.
6 Posted by corelanc0d3r on 14 Feb, 2016 08:22 AM
ok, fair enough. I understand the difficult balance between finding too much (and finding the one case that is actually legit) vs reducing false positives.
A remark would definitely help, especially when images are involved. (i.e. image_1.jpg, image_11.jpg, etc), as those are almost always FP. image_1.jpg.bak or anyfile.ext.bak would almost always trigger my attention. Images not so much.
7 Posted by corelanc0d3r on 14 Feb, 2016 09:38 AM
FYI, I played with the "Scope exclude path patterns" field and noticed that a scan won't even start when using
*.jpg
as the exclude pattern. (In fact, I can save/edit the profile, but I can't export the profile either).Support Staff 8 Posted by Tasos Laskos on 14 Feb, 2016 10:08 AM
The patterns are not wildcards, they're regular expressions and the one you provided is invalid, you can instead use
\.jpg$
, that'll matchjpg
extensions.You should have gotten a nice error message telling you the above when you tried to save the profile though, I'll fix this asap and push a bugfix release.
And I also see that I didn't add the new
--scope-exclude-file-extensions
option to the WebUI, I'll take care of this too.Support Staff 9 Posted by Tasos Laskos on 14 Feb, 2016 10:55 AM
Pushing nightlies now, I'll let you know once they're up so that you can verify the fixes.
Cheers
10 Posted by corelanc0d3r on 14 Feb, 2016 12:27 PM
okay, thanks !
Support Staff 11 Posted by Tasos Laskos on 14 Feb, 2016 02:11 PM
I messed up the first build, pushing again now.
I'll probably fall asleep soon but check the nightlies in a couple of hours, they'll have finished uploading by then (you can also check for the "last modified" date to change).
12 Posted by corelanc0d3r on 14 Feb, 2016 05:32 PM
ok, upgraded to latest build, will continue to play with it - thanks !
Tasos Laskos closed this discussion on 15 Feb, 2016 01:13 AM.
Tasos Laskos re-opened this discussion on 15 Feb, 2016 01:42 AM
Support Staff 13 Posted by Tasos Laskos on 15 Feb, 2016 01:42 AM
How does that look?
Remarks are on the bottom, the first one is the new one.
14 Posted by corelanc0d3r on 15 Feb, 2016 06:44 AM
great !!! but I still have mixed feelings - perhaps it would make sense to add a specific note regarding images (original is an image and new file is an image too), as those are the ones causing most of the FPs... in any case, the remarks will help
Support Staff 15 Posted by Tasos Laskos on 15 Feb, 2016 06:47 AM
I don't much like this idea, if I'm to go down that road then I'd rather ignore images completely and be done with it.
And given that this discussion is indeed taking place then I have to go down this road so images are getting the boot.
Will let you know once fresh nightlies are up.
Thanks for the feedback. :)
Support Staff 16 Posted by Tasos Laskos on 15 Feb, 2016 06:55 AM
Better yet, I'll ignore all media, image, audio and video, makes sense, right?
17 Posted by corelanc0d3r on 15 Feb, 2016 07:12 AM
it does - but you could leave it up to the tester. A small option "ignore media" in the backup file check would make this quite easy :) thanks !
Support Staff 18 Posted by Tasos Laskos on 15 Feb, 2016 07:36 AM
Checks don't have options, they just check whatever is in scope.
At this point ignoring all media would be best I think, you turned me around on the subject.
19 Posted by corelanc0d3r on 15 Feb, 2016 08:06 AM
cool, thumbs up from my side :)
Support Staff 20 Posted by Tasos Laskos on 15 Feb, 2016 11:56 AM
I've pushed nightlies for this and it should take care of the issue, it'll ignore image, audio, video and font files.
Tasos Laskos closed this discussion on 15 Feb, 2016 11:56 AM.