Passive checks (emails)
I'm currently running the Arachni Scanner against a development environment where I'm purposely exposing email addresses. I'm running the following command against my development environment.
./bin/arachni https://arachni.testdevenv.box.pub/find/users?query=john+smith --checks=emails --plugin=autologin:url=https://arachni.testdevenv.box.pub/signin,parameters="login=my... Out" --scope-exclude-pattern=signout --http-authentication-username="basic_auth_username" --http-authentication-password="basic_auth_password" --scope-page-limit=1 --output-debug=4
In the debug output I see:
[~] Analysis resulted in 0 usable paths.
[~] DOM depth: 0 (Limit: 5)
[~] E-mail address: Verifying: [email blocked]
[~] E-mail address: Verifying: [email blocked]
[~] E-mail address: Verifying: [email blocked]
[~] E-mail address: Verifying: [email blocked]
[~] E-mail address: Verifying: [email blocked]
[~] E-mail address: Verifying: [email blocked]
[~] E-mail address: Verifying: [email blocked]
The report returns:
[+] https://arachni.testdevenv.box.pub/find/users
[~] Total: 1
[+] Without issues: 1
[-] With issues: 0 ( 0% )
I feel like the scanner is working and crawling properly, as it finds the exposed emails in the source code of the /find/users query URL. But why is the Arachni Scanner not reporting these as issues?
Overall, I feel there is either a misunderstanding on my part or there is a missing command.
Any help would be greatly appreciated. Thank you!
Support Staff 1 Posted by Tasos Laskos on 19 Dec, 2017 04:37 PM
Hello,
Any chance I can be given access to that page?
Just the HTML would suffice in this case.
Cheers
PS. Sorry for the excessively late reply, I've been working on something.