Multi-domain support
Hi
We would love to use Arachni but as far as I understand you can only have one domain name (plus subdomains) per scan at the moment. Do you have any plans to support multiple domain names for a single scan?
Our application has a single UI on one domain, but uses multiple back-end APIs on other domain names.
Thanks
Support Staff 1 Posted by Tasos Laskos on 15 Mar, 2017 10:54 AM
You make a fair point, although the current approach is much more tidy and to be honest, when testing APIs it's better to follow the approach laid out by this article: http://support.arachni-scanner.com/kb/general-use/service-scanning
Would that work for you?
2 Posted by Andy on 15 Mar, 2017 11:32 PM
Thanks for the article link. My immediate concern would be that we change our APIs all the time, so we will need to re-train very often. As the article suggests though, we can automate this setup and run a UI test suite through the proxy without much manual intervention. More work than we had hoped for - but it should work!
If Arachni won't crawl through the "pages" created by our script, doesn't it potentially leave client-side vulnerabilities undetected? E.g. isn't it possible for XSS/CSRF flaws to be present beyond the first screen that will now not be detected?
Support Staff 3 Posted by Tasos Laskos on 16 Mar, 2017 11:05 AM
I see what you mean, I guess the best approach would be a new scope option to serve as a domain whitelist, right?
4 Posted by Andy on 16 Mar, 2017 12:19 PM
Yes, that is exactly what I had in mind. It would allow us to define a target site as an entry point, but white-list other relevant domains to be considered as being part of the same application.
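The scope rule Andy describes above (one entry-point host, plus an explicit allow-list of other hosts that count as the same application) is easy to get subtly wrong, so here is an added example of how such a check can be implemented. This is illustration code written for this page, not Arachni's own scope implementation, and the class name `MultiDomainScope` and the `domains:` / `include_subdomains:` options are assumptions for the example, not real Arachni options. The point it makes beyond the thread is the matching caveat: a naive "ends with" comparison would let `evil-example.com` pass as `example.com`, so subdomain matching must respect label boundaries.

```ruby
require 'uri'

# Scope check for a crawl whose entry point is one host but which may
# legitimately reach API hosts on other domains. The extra domains form an
# explicit allow-list; anything not on it is out of scope.
# (Added example for this discussion; not Arachni's code.)
class MultiDomainScope
  # target:             URL of the entry point; its host (and subdomains) is in scope
  # domains:            extra hostnames to treat as part of the same application
  # include_subdomains: whether v2.api.example.net matches api.example.net
  def initialize(target, domains: [], include_subdomains: true)
    @hosts = ([URI(target).host] + domains).map { |h| normalize(h) }
    @include_subdomains = include_subdomains
  end

  # True if the URL may be crawled/audited under this scope.
  def in_scope?(url)
    uri = URI(url)
    # Only web URLs are crawlable; skip mailto:, javascript:, data: and the like.
    return false unless %w[http https].include?(uri.scheme.to_s.downcase)
    return false if uri.host.nil? || uri.host.empty?

    host = normalize(uri.host)
    @hosts.any? { |allowed| host_matches?(host, allowed) }
  rescue URI::InvalidURIError
    false
  end

  # Keep only the in-scope URLs from a list discovered on a page, preserving order.
  def filter(urls)
    urls.select { |u| in_scope?(u) }
  end

  private

  # Hostnames are case-insensitive and may carry a trailing dot.
  def normalize(host)
    host.downcase.chomp('.')
  end

  # Exact match, or a subdomain match on a label boundary. A plain
  # host.end_with?(allowed) would accept "evil-example.com" for "example.com",
  # which anyone can register; requiring the leading "." closes that hole.
  def host_matches?(host, allowed)
    return true if host == allowed

    @include_subdomains && host.end_with?(".#{allowed}")
  end
end
```

Usage: `MultiDomainScope.new('https://app.example.com/login', domains: ['api.example.net'])` puts `app.example.com`, its subdomains, and `api.example.net` in scope while `example.com` (the parent of the target host) and third-party CDNs stay out; set `include_subdomains: false` when the allow-list should be exact hosts only.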
Support Staff 5 Posted by Tasos Laskos on 16 Mar, 2017 08:05 PM
I'm not sure when I'll be able to get to it, but you can subscribe to this issue for updates.
Thanks for the feedback.
Tasos Laskos closed this discussion on 16 Mar, 2017 08:05 PM.