False positives with CSRF
I'm new to arachni and am kind of stumped. I'm scanning a login page (no auto-login, just trying stuff out). It contains a "forgot" link and a bunch of locale flags for switching language. Both the login page and the forgot page contain forms with nonces. The URLs are something like:
/login /login?locale=de_DE /login?locale=fr_FR /forgot /forgot?locale=de_DE
I'm getting false positives on some - but not all - of the forgot pages. Mostly the scan reports the same ones, but first run this morning I got a different page reported. The referring and affected pages shown in the report indeed show identical nonces. However I've added logging to the application and that is showing different nonces being generated for each request.
Has anyone seen anything similar? I'm running arachni 1.5.1-0.5.12 from macOS. The target is linux / php running on a docker container.
Comments are currently closed for this discussion. You can start a new one.
Keyboard shortcuts
Generic
| ? | Show this help |
|---|---|
| ESC | Blurs the current field |
Comment Form
| r | Focus the comment reply box |
|---|---|
| ^ + ↩ | Submit the comment |
You can use Command ⌘ instead of Control ^ on Mac
1 Posted by Matt on 22 Nov, 2017 01:09 PM
Hrm... just tried the latest nightly and the problem has gone :)
Thanks for the awesome project!
Tasos Laskos closed this discussion on 19 Dec, 2017 04:37 PM.