Setting for scans
I wanted to get a scan that will do 6 requests per second.
However, when I use my profile against different sites I get different requests per second. For the most part they fluctuate between 5 and 8 requests per second, which is OK, but one of them is still doing 16 requests per second.
The only difference between the sites is that the ones with the higher requests per second are also the quickest to respond.
What is happening?
I used the following settings:
---
audit:
  parameter_values: true
  exclude_vector_patterns: []
  include_vector_patterns: []
  link_templates: []
  links: true
  forms: true
  cookies: true
  headers: false
  with_both_http_methods: false
  cookies_extensively: false
  jsons: true
  xmls: true
  ui_forms: true
  ui_inputs: true
  nested_cookies: false
datastore: {}
session: {}
input:
  values:
    "(?i-mx:name)": arachni_name
    "(?i-mx:user)": arachni_user
    "(?i-mx:usr)": arachni_user
    "(?i-mx:pass)": 5543!%arachni_secret
    "(?i-mx:txt)": arachni_text
    "(?i-mx:num)": '132'
    "(?i-mx:amount)": '100'
    "(?i-mx:mail)": [email blocked]
    "(?i-mx:account)": '12'
    "(?i-mx:id)": '1'
  without_defaults: true
  force: false
http:
  user_agent: Arachni/v2.0dev
  request_timeout: 10000
  request_redirect_limit: 5
  request_concurrency: 10
  request_queue_size: 25
  request_headers: {}
  response_max_size: 500000
  cookies: {}
  authentication_type: auto
scope:
  redundant_path_patterns: {}
  dom_depth_limit: 5
  # Plain scalars: a trailing comma here would become part of the extension
  # string (e.g. "pdf,") and the exclusion would never match.
  exclude_file_extensions:
  - pdf
  - mp3
  - ico
  - woff2
  - css
  - js
  exclude_path_patterns:
  - logout
  - signout
  - setup
  - contact_us
  - logoff
  - contact-us
  exclude_content_patterns: []
  include_path_patterns: []
  restrict_paths: []
  extend_paths: []
  url_rewrites: {}
  include_subdomains: false
  exclude_binaries: false
  https_only: false
browser_cluster:
  local_storage: {}
  wait_for_elements: {}
  pool_size: 1
  job_timeout: 60
  worker_time_to_live: 100
  ignore_images: false
  screen_width: 1600
  screen_height: 1200
checks:
- code_injection
- code_injection_php_input_wrapper
- code_injection_timing
- csrf
- file_inclusion
- ldap_injection
- no_sql_injection
- no_sql_injection_differential
- os_cmd_injection
- os_cmd_injection_timing
- path_traversal
- response_splitting
- rfi
- session_fixation
- source_code_disclosure
- sql_injection
- sql_injection_differential
- sql_injection_timing
- trainer
- unvalidated_redirect
- unvalidated_redirect_dom
- xpath_injection
- xss
- xss_dom
- xss_dom_script_context
- xss_event
- xss_path
- xss_script_context
- xss_tag
- xxe
- allowed_methods
- backdoors
- backup_directories
- backup_files
- captcha
- common_admin_interfaces
- common_directories
- common_files
- cookie_set_for_parent_domain
- credit_card
- cvs_svn_users
- directory_listing
- emails
- form_upload
- hsts
- htaccess_limit
- html_objects
- http_only_cookies
- http_put
- insecure_client_access_policy
- insecure_cookies
- insecure_cors_policy
- insecure_cross_domain_policy_access
- insecure_cross_domain_policy_headers
- interesting_responses
- localstart_asp
- mixed_resource
- origin_spoof_access_restriction_bypass
- password_autocomplete
- private_ip
- ssn
- unencrypted_password_forms
- webdav
- x_frame_options
- xst
platforms: []
# Plugins enabled without options are given an empty option hash.
plugins:
  autothrottle: {}
  discovery: {}
  healthmap: {}
  metrics: {}
  rate_limiter:
    requests_per_second: '4'
  timing_attacks: {}
  uniformity: {}
no_fingerprinting: false
authorized_by:
name: Default restricted
description: Default
Support Staff 1 Posted by Tasos Laskos on 04 Jul, 2017 01:29 PM
There really is no way to control r/s that accurately.
2 Posted by bgeardw on 04 Jul, 2017 01:48 PM
If the rate limiter plugin and the autothrottle are both used which gets precedence?
Can the autothrottle increase as well as decrease the scan intensity?
Support Staff 3 Posted by Tasos Laskos on 05 Jul, 2017 04:28 PM
The autothrottle plugin controls the amount of open connections at any given time and thus the amount of requests that can be performed concurrently at any given time.
The rate_limiter plugin blocks the consumption of the responses in order to maintain the configured average.
So they can both work together but limit different things.
However, the autothrottle plugin won't just increase the HTTP concurrency without limit; the configured HTTP concurrency will never be exceeded. It can only be lowered based on HTTP response times to reduce server stress.
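As an added illustration of the two controls Tasos describes (this is not Arachni's code and not from either poster): a small event-driven Ruby model in which a concurrency cap can only be lowered by an autothrottle, and a limiter delays consumption of responses so that the long-run average stays at a target. The constant per-site latencies, the target of 4 r/s (taken from the posted rate_limiter setting), and the throttle rule "one response slower than the threshold lowers the cap by one, never below one" are constructed assumptions, not Arachni's actual algorithms.

```ruby
# Constructed model of a concurrency cap + response-consumption rate limiter.
# Simulated clock only; nothing sleeps, so runs are deterministic.

Request = Struct.new(:sent_at, :received_at)

class ScanModel
  attr_reader :requests, :concurrency

  # latency:        constant server response time in seconds (assumed)
  # concurrency:    http.request_concurrency (the cap the autothrottle may lower)
  # rps:            rate_limiter requests_per_second (target long-run average)
  # slow_threshold: assumed throttle rule: a response slower than this lowers
  #                 the concurrency cap by one, never below one
  def initialize(latency:, concurrency:, rps:, slow_threshold: 1.0)
    @latency        = latency
    @concurrency    = concurrency
    @rps            = rps.to_f
    @slow_threshold = slow_threshold
    @requests       = []
    @consumed       = 0
  end

  # Simulate until `total` requests have been sent; returns self.
  def run(total)
    in_flight = [] # responses not yet consumed, in arrival order
    # Opening burst: the client uses every slot the cap allows at once.
    [@concurrency, total].min.times { in_flight << send_request(0.0) }

    while @requests.size < total && !in_flight.empty?
      resp = in_flight.shift
      # Rate limiter: the n-th response (0-based) may not be consumed before
      # n / rps, so the number consumed by time t never exceeds rps * t + 1.
      now = [resp.received_at, @consumed / @rps].max
      @consumed += 1
      # Autothrottle: only ever lowers the cap, and only on slow responses.
      if resp.received_at - resp.sent_at > @slow_threshold
        @concurrency = [@concurrency - 1, 1].max
      end
      # A consumed response frees a slot; refill it only while under the cap.
      if in_flight.size < @concurrency && @requests.size < total
        in_flight << send_request(now)
      end
    end
    self
  end

  # Requests sent in the half-open interval [from, to).
  def sent_in(from, to)
    @requests.count { |r| r.sent_at >= from && r.sent_at < to }
  end

  # Average over [0, upto): the figure an average-based limiter maintains.
  def average_rps(upto)
    sent_in(0, upto) / upto.to_f
  end

  private

  def send_request(at)
    req = Request.new(at, at + @latency)
    @requests << req
    req
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a fast site (50 ms) and a slow site (2 s), same profile.
  fast = ScanModel.new(latency: 0.05, concurrency: 10, rps: 4).run(50)
  slow = ScanModel.new(latency: 2.0,  concurrency: 10, rps: 4).run(20)
  [['fast', fast], ['slow', slow]].each do |label, m|
    puts "#{label}: first second=#{m.sent_in(0, 1)} r/s, " \
         "fifth second=#{m.sent_in(4, 5)} r/s, " \
         "10s average=#{m.average_rps(10)} r/s, final cap=#{m.concurrency}"
  end
end
```

Under these assumptions the fast site sends 14 requests in its first second (the opening burst of 10 allowed by request_concurrency plus the limiter's releases), then settles at 4 per second, so the 10-second average is 5.0 while a one-second window read at the start shows more than three times the target. The slow site never reaches the target: each slow response lowers the cap until only one request is in flight, and at 2 s latency that is 0.5 r/s. The limiter and the cap bound different things, so what a short measurement window reports depends on when you sample and on how the site responds.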