Manually walking through an application
Hi,
I am evaluating abilities of Arachni. I use OWASP WebGoat 6.0.1,
because I have previously tested another similar framework W3af on
this application.
I do it like this:
1. I run Arachni with some checks enabled, proxy plugin enabled and
scope page limit set to 0. I do this because I scan one lesson at a
time to get exact information.
2. I set my browser to use Arachni's proxy and I submit several
inputs to the lesson. Lessons usually contain some kind of form and
I submit several test values.
3. I start the actual scan by visiting arachni.proxy/shutdown
My question is aimed at the page limit. If it is set to 0, do I
understand it right that Arachni audits everything that it is
served through the proxy, but does not crawl other pages? When I
review the scan log, Arachni seems to correctly probe forms for SQL
injections etc. But I am asking mainly because Arachni didn't
discover many vulnerabilities, compared to W3af. I want to be sure
that I am not making any mistake, as this result will be a part of
my bachelor thesis. For example W3af correctly discovered SQL
injection in the lesson aimed at SQL injection. Arachni did not.
Any help is appreciated.
Thank you.
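The three-step proxy workflow from the post, driven from a script instead of a browser, as an added example that is not part of the original thread or of the Arachni project. It assumes (not confirmed by the thread) that the Arachni CLI accepts --checks, --plugin=proxy, --scope-page-limit, --audit-forms and --report-save-path, that the proxy plugin listens on 127.0.0.1:8282 by default, and that WebGoat runs in a local lab at the constructed URL in WEBGOAT; the lesson URL in LESSON is a placeholder to be replaced with the one shown by your WebGoat instance.

```shell
#!/bin/sh
# Added example (not from the original thread or the Arachni project):
# drive the "proxy plugin + page limit 0" workflow against a local lab.
# Assumed CLI options and proxy port are labelled below; verify them
# against `arachni --help` for the version you use.
WEBGOAT="${WEBGOAT:-http://127.0.0.1:8080/WebGoat}"   # constructed lab URL
LESSON="${LESSON:-$WEBGOAT/attack}"                   # placeholder lesson URL
PROXY="${PROXY:-http://127.0.0.1:8282}"               # assumed plugin default
REPORT="${REPORT:-webgoat-lesson.afr}"

# Step 1: arguments for a proxy-only scan. Page limit 0 means only pages and
# input vectors seen through the proxy are audited; nothing else is crawled.
# One argument per output line so the caller can word-split safely.
arachni_scan_args() {
  printf '%s\n' \
    "--checks=sqli,sqli_blind_timing,xss" \
    "--plugin=proxy" \
    "--scope-page-limit=0" \
    "--audit-forms" \
    "--report-save-path=$REPORT" \
    "$1"
}

# Step 2: submit several test values to one form field through the proxy so
# that Arachni records the form as an input vector. Prints the HTTP status
# per value so you can see that the request actually reached the lesson.
submit_through_proxy() {
  lesson="$1"; field="$2"; shift 2
  for value in "$@"; do
    code=$(curl -s -o /dev/null -w '%{http_code}' -x "$PROXY" \
             --data-urlencode "$field=$value" "$lesson")
    printf '%s -> HTTP %s\n' "$value" "$code"
  done
}

# Step 3: requesting the shutdown URL through the proxy ends recording and
# starts the audit of the captured pages (the URL is the one from the post).
start_audit() {
  curl -s -o /dev/null -x "$PROXY" http://arachni.proxy/shutdown
}

# The scan only runs when explicitly requested and arachni is installed, so
# the helper functions above can be sourced and inspected without a lab.
if [ "${ARACHNI_RUN:-0}" = "1" ] && command -v arachni >/dev/null 2>&1; then
  # shellcheck disable=SC2046  (intentional word splitting, one arg per line)
  arachni $(arachni_scan_args "$LESSON") &
  scan_pid=$!
  sleep 5                      # give the proxy plugin time to start listening
  submit_through_proxy "$LESSON" "account_name" "Smith" "Jones" "O'Neil"
  start_audit
  wait "$scan_pid"
  echo "report written to $REPORT"
fi
```

Run it with ARACHNI_RUN=1 once WebGoat and Arachni are installed; the recorded form field name ("account_name") and the test values are constructed and should match the lesson you are scanning. Keeping the argument list in a function makes it easy to check that page limit 0 and the proxy plugin are really present before comparing results with another scanner.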
Support Staff 1 Posted by Tasos Laskos on 22 Feb, 2016 11:33 AM
Hello,
Yes, if you set the page limit to 0 then only pages and input vectors seen via the proxy will be checked by the system.
Scanning these educational applications is a bad idea though unless you're really familiar with both the application and the scanner.
They usually require special configuration due to configurable security levels, authentication etc.
Better use an application that was meant to be a benchmark like WAVSEP.
Cheers
Tasos Laskos closed this discussion on 24 Feb, 2016 12:29 PM.