False positives with CSRF

22 Nov, 2017 12:40 PM

I'm new to Arachni and am kind of stumped. I'm scanning a login page (no auto-login, just trying stuff out). It contains a "forgot" link and a bunch of locale flags for switching language. Both the login page and the forgot page contain forms with nonces. The URLs are something like:

/login
/login?locale=de_DE
/login?locale=fr_FR
/forgot
/forgot?locale=de_DE

I'm getting false positives on some - but not all - of the forgot pages. Mostly the scan reports the same ones, but on the first run this morning I got a different page reported. The referring and affected pages shown in the report indeed show identical nonces. However, I've added logging to the application, and that is showing different nonces being generated for each request.

Has anyone seen anything similar? I'm running Arachni 1.5.1-0.5.12 from macOS. The target is Linux / PHP running in a Docker container.
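The comparison at the heart of the report above (the scanner deciding a form has a nonce only if a hidden field's value changes between two fetches of the page) can be reproduced independently of the scanner. The following is an added example, not Arachni's code and not the poster's application; it models that decision in a deliberately simplified way and makes no claim about how Arachni's own CSRF check is implemented. The page bodies, the form actions and the `_token` field name are all constructed for the example.

```python
"""Compare hidden form fields across two fetches of the same page.

Added example, not part of the original thread and not Arachni's code.
A hidden input whose value differs between the two responses is treated as
a nonce; a form with no such field is the case a CSRF check would report.
"""
from html.parser import HTMLParser


class HiddenFieldParser(HTMLParser):
    """Collect each <form> as action -> {hidden input name: value}."""

    def __init__(self):
        super().__init__()
        self.forms = {}
        self._action = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action = attrs.get("action") or ""
            self.forms[self._action] = {}
        elif tag == "input" and self._action is not None:
            # Only hidden inputs can carry an anti-CSRF token.
            if (attrs.get("type") or "text").lower() == "hidden" and attrs.get("name"):
                self.forms[self._action][attrs["name"]] = attrs.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def hidden_fields(html):
    """Parse one response body into action -> hidden fields."""
    parser = HiddenFieldParser()
    parser.feed(html)
    parser.close()
    return parser.forms


def classify_forms(first_html, second_html):
    """Return action -> (nonce field names, verdict) for two fetches of one URL.

    A hidden field whose value differs between fetches counts as a nonce.
    A form whose hidden fields are identical in both fetches is flagged.
    """
    first, second = hidden_fields(first_html), hidden_fields(second_html)
    verdicts = {}
    for action, fields in first.items():
        if action not in second:
            verdicts[action] = ((), "form absent from second fetch")
            continue
        other = second[action]
        nonces = tuple(sorted(n for n, v in fields.items()
                              if n in other and other[n] != v))
        if nonces:
            verdicts[action] = (nonces, "rotating nonce")
        else:
            verdicts[action] = ((), "no rotating nonce: CSRF candidate")
    return verdicts


def sample_page(action, token):
    """Constructed response body; the real application's markup is unknown."""
    return (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="_token" value="{token}">'
            '<input type="text" name="email"><input type="submit"></form>')


# Constructed fetches: the login form rotates its token, the forgot form
# returns the same token twice (the situation the report showed).
LOGIN_FETCH_1 = sample_page("/login", "a1b2c3")
LOGIN_FETCH_2 = sample_page("/login", "d4e5f6")
FORGOT_FETCH_1 = sample_page("/forgot", "777777")
FORGOT_FETCH_2 = sample_page("/forgot", "777777")

if __name__ == "__main__":
    for name, pair in (("/login", (LOGIN_FETCH_1, LOGIN_FETCH_2)),
                       ("/forgot", (FORGOT_FETCH_1, FORGOT_FETCH_2))):
        print(name, classify_forms(*pair))
```

To use it against a live target, fetch the same URL twice with the same cookie jar and feed both bodies to `classify_forms`; if the two fetches land in different sessions, a per-session token will look like it rotates even when it does not, and a cached or replayed response will look like a static token even when the application issues a fresh one per request, which is exactly the discrepancy between the report and the application log described above.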

  1. Posted by Matt on 22 Nov, 2017 01:09 PM

    Hrm... just tried the latest nightly and the problem has gone :)

    Thanks for the awesome project!

  2. Tasos Laskos closed this discussion on 19 Dec, 2017 04:37 PM.
