Setting for scans


bgerardw

03 Jul, 2017 10:27 AM

I wanted to get a scan that will do 6 requests per second.

However, when I use my profile against different sites I get different requests per second. For the most part they fluctuate between 5 and 8 requests per second, which is OK, but one of them is still doing 16 requests per second.

The only difference between the sites is that the ones with the higher requests per second are also the quickest to respond.

What is happening?

I used the following settings:

---
audit:
  parameter_values: true
  exclude_vector_patterns: []
  include_vector_patterns: []
  link_templates: []
  links: true
  forms: true
  cookies: true
  headers: false
  with_both_http_methods: false
  cookies_extensively: false
  jsons: true
  xmls: true
  ui_forms: true
  ui_inputs: true
  nested_cookies: false
datastore: {}
session: {}
input:
  values:
    "(?i-mx:name)": arachni_name
    "(?i-mx:user)": arachni_user
    "(?i-mx:usr)": arachni_user
    "(?i-mx:pass)": 5543!%arachni_secret
    "(?i-mx:txt)": arachni_text
    "(?i-mx:num)": '132'
    "(?i-mx:amount)": '100'
    "(?i-mx:mail)": [email blocked]
    "(?i-mx:account)": '12'
    "(?i-mx:id)": '1'
  without_defaults: true
  force: false
http:
  user_agent: Arachni/v2.0dev
  request_timeout: 10000
  request_redirect_limit: 5
  request_concurrency: 10
  request_queue_size: 25
  request_headers: {}
  response_max_size: 500000
  cookies: {}
  authentication_type: auto
scope:
  redundant_path_patterns: {}
  dom_depth_limit: 5
  exclude_file_extensions:
  - pdf
  - mp3
  - ico
  - woff2
  - css
  - js
  exclude_path_patterns:
  - logout
  - signout
  - setup
  - contact_us
  - logoff
  - contact-us
  exclude_content_patterns: []
  include_path_patterns: []
  restrict_paths: []
  extend_paths: []
  url_rewrites: {}
  include_subdomains: false
  exclude_binaries: false
  https_only: false
browser_cluster:
  local_storage: {}
  wait_for_elements: {}
  pool_size: 1
  job_timeout: 60
  worker_time_to_live: 100
  ignore_images: false
  screen_width: 1600
  screen_height: 1200
checks:
- code_injection
- code_injection_php_input_wrapper
- code_injection_timing
- csrf
- file_inclusion
- ldap_injection
- no_sql_injection
- no_sql_injection_differential
- os_cmd_injection
- os_cmd_injection_timing
- path_traversal
- response_splitting
- rfi
- session_fixation
- source_code_disclosure
- sql_injection
- sql_injection_differential
- sql_injection_timing
- trainer
- unvalidated_redirect
- unvalidated_redirect_dom
- xpath_injection
- xss
- xss_dom
- xss_dom_script_context
- xss_event
- xss_path
- xss_script_context
- xss_tag
- xxe
- allowed_methods
- backdoors
- backup_directories
- backup_files
- captcha
- common_admin_interfaces
- common_directories
- common_files
- cookie_set_for_parent_domain
- credit_card
- cvs_svn_users
- directory_listing
- emails
- form_upload
- hsts
- htaccess_limit
- html_objects
- http_only_cookies
- http_put
- insecure_client_access_policy
- insecure_cookies
- insecure_cors_policy
- insecure_cross_domain_policy_access
- insecure_cross_domain_policy_headers
- interesting_responses
- localstart_asp
- mixed_resource
- origin_spoof_access_restriction_bypass
- password_autocomplete
- private_ip
- ssn
- unencrypted_password_forms
- webdav
- x_frame_options
- xst
platforms: []
plugins:
  autothrottle: 
  discovery: 
  healthmap: 
  metrics: 
  rate_limiter:
    requests_per_second: '4'
  timing_attacks: 
  uniformity: 
no_fingerprinting: false
authorized_by: 
name: Default restricted
description: Default

  1. Posted by Tasos Laskos (Support Staff) on 04 Jul, 2017 01:29 PM

    There really is no way to control r/s that accurately.

  2. Posted by bgeardw on 04 Jul, 2017 01:48 PM

    If the rate limiter plugin and the autothrottle are both used which gets precedence?

    Can the autothrottle increase as well as decrease the scan intensity?

  3. Posted by Tasos Laskos (Support Staff) on 05 Jul, 2017 04:28 PM

    The autothrottle plugin controls the amount of open connections at any given time and thus the amount of requests that can be performed concurrently at any given time.

    The rate_limiter plugin blocks the consumption of the responses in order to maintain the configured average.

    So they can both work together but limit different things.

    However, the autothrottle plugin won't just increase the HTTP concurrency without limit: the configured HTTP concurrency will never be exceeded; it can only be lowered based on HTTP response times to reduce server stress.
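To make the distinction in the reply above concrete, here is an added discrete-event model written for this page; it is not Arachni's own code. It takes the profile's request_concurrency of 10 and the rate_limiter setting of 4 requests per second, gates the consumption of responses rather than the sending of requests (as the reply describes), and lets an autothrottle lower the concurrency cap on slow responses without ever raising it above the configured maximum. The fixed server latency per run and the autothrottle thresholds (slow_ms, fast_ms) are assumptions chosen for illustration.

```ruby
# Constructed model of a scanner HTTP scheduler (added example, not Arachni code):
#  - Autothrottle lowers/restores a concurrency cap from observed response times,
#    never exceeding the configured maximum.
#  - RateLimiter gates *consumption* of responses to a configured average rate.
# The simulation runs on a virtual clock, so it is deterministic and offline.

class Autothrottle
  attr_reader :cap

  # max_concurrency: the configured HTTP concurrency (never exceeded).
  # slow_ms / fast_ms: hypothetical thresholds for lowering / restoring the cap.
  def initialize(max_concurrency:, slow_ms: 1000, fast_ms: 200)
    @max = max_concurrency
    @cap = max_concurrency
    @slow_ms = slow_ms
    @fast_ms = fast_ms
  end

  # Adjust the cap from one observed response time and return the new cap.
  def observe(response_ms)
    if response_ms >= @slow_ms
      @cap = [@cap - 1, 1].max          # back off, but keep at least one slot
    elsif response_ms <= @fast_ms
      @cap = [@cap + 1, @max].min       # restore, but only up to the configured max
    end
    @cap
  end
end

class RateLimiter
  # One consumption every 1/rps seconds on average. consume_at returns the
  # virtual time at which a response that arrived at `arrival` may be consumed.
  def initialize(requests_per_second:)
    @interval = 1.0 / requests_per_second
    @next_allowed = 0.0
  end

  def consume_at(arrival)
    t = [arrival, @next_allowed].max
    @next_allowed = t + @interval
    t
  end
end

# Simulate `duration` virtual seconds against a server that answers every
# request after `latency_ms`. Returns per-second dispatch counts, the average
# dispatch rate, the peak one-second burst and the highest cap ever observed.
def simulate(max_concurrency:, requests_per_second:, latency_ms:, duration: 30.0)
  throttle = Autothrottle.new(max_concurrency: max_concurrency)
  limiter  = RateLimiter.new(requests_per_second: requests_per_second)
  latency  = latency_ms / 1000.0

  in_flight  = []   # arrival times of outstanding responses (kept sorted)
  dispatched = []   # virtual timestamps of every request sent
  caps       = []   # cap after each observed response
  now        = 0.0

  # Fill every free slot at the current virtual time.
  fill = lambda do
    while in_flight.size < throttle.cap
      dispatched << now
      in_flight << now + latency
    end
  end
  fill.call

  until in_flight.empty?
    arrival = in_flight.shift
    now = limiter.consume_at(arrival)   # limiter blocks consumption, not sending
    break if now >= duration
    caps << throttle.observe(latency_ms)
    fill.call                           # the freed slot is refilled immediately
  end

  buckets = Hash.new(0)
  dispatched.each { |t| buckets[t.floor] += 1 if t < duration }
  {
    per_second: buckets,
    average: dispatched.count { |t| t < duration } / duration,
    peak: buckets.values.max,
    max_cap: caps.max
  }
end

if __FILE__ == $0
  fast = simulate(max_concurrency: 10, requests_per_second: 4, latency_ms: 50)
  slow = simulate(max_concurrency: 10, requests_per_second: 4, latency_ms: 2000)
  puts "fast server: first second=#{fast[:per_second][0]} avg=#{fast[:average].round(2)} r/s"
  puts "slow server: max cap=#{slow[:max_cap]} avg=#{slow[:average].round(2)} r/s"
end
```

With a server answering in 50 ms, the first virtual second sees 14 requests (the initial burst of 10 plus four gated refills) even though the limiter is set to 4 r/s; from then on each second carries exactly 4, and the 30-second average lands at about 4.33 r/s. Against a 2-second server the cap only ever moves downward from 10, which is the behaviour described for the autothrottle. This is why a fast site can show a much higher instantaneous rate than the configured average while the slower sites hover near it.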
