... | @@ -150,9 +150,9 @@ When verbosity is enabled Arachni will give you detailed information about what' |
... | @@ -150,9 +150,9 @@ When verbosity is enabled Arachni will give you detailed information about what' |
|
h4(#verbosity_example). "Example":#verbosity_example
|
|
h4(#verbosity_example). "Example":#verbosity_example
|
|
|
|
|
|
Let's give this a try:
|
|
Let's give this a try:
|
|
<pre><code>arachni -p --modules=xss http://localhost/zapotek/tests/forms/xss.php</code></pre>
|
|
<pre><code>arachni --audit-forms --modules=xss http://testfire.net/ --link-count=1</code></pre>
|
|
|
|
|
|
This will load the XSS module and audit all the forms (-p) in "http://localhost/zapotek/tests/forms/xss.php".
|
|
This will load the XSS module and audit all the forms in "http://testfire.net/".
|
|
|
|
|
|
*Verbose mode disabled*
|
|
*Verbose mode disabled*
|
|
|
|
|
... | @@ -166,27 +166,40 @@ Arachni's output messages are classified into several categories, each of them p |
... | @@ -166,27 +166,40 @@ Arachni's output messages are classified into several categories, each of them p |
|
_I won't bother with coloring during the examples._
|
|
_I won't bother with coloring during the examples._
|
|
|
|
|
|
<pre><code>
|
|
<pre><code>
|
|
Arachni - Web Application Security Scanner Framework v0.2.1 [0.2]
|
|
Arachni - Web Application Security Scanner Framework v0.4.1dev
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
<zapotek@segfault.gr>
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
Website: http://github.com/Arachni/arachni
|
|
Website: http://arachni-scanner.com
|
|
Documentation: http://github.com/Arachni/arachni/wiki
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
[*] Initing...
|
|
[*] Initialising...
|
|
|
|
[*] Waiting for plugins to settle...
|
|
|
|
[*] [HTTP: 200] http://testfire.net/
|
|
|
|
[*] Harvesting HTTP responses...
|
|
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
|
|
|
|
[*] [HTTP: 200] http://localhost/~zapotek/tests/forms/xss.php
|
|
[*] Auditing: [HTTP: 200] http://testfire.net/
|
|
[*] XSS: Auditing form variable '__original_values__' of http://localhost/~zapotek/tests/forms/xss.php
|
|
[*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
[*] XSS: Auditing form variable '__sample_values__' of http://localhost/~zapotek/tests/forms/xss.php
|
|
[*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
|
|
[*] XSS: Auditing form variable 'xss' of http://localhost/~zapotek/tests/forms/xss.php
|
|
[*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
[*] Harvesting HTTP responses...
|
|
[*] Harvesting HTTP responses...
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
[*] XSS: Analyzing response #0...
|
|
[*] Profiler: Analyzing response #3...
|
|
[*] XSS: Analyzing response #1...
|
|
[~] Trainer: Found 1 new links.
|
|
[*] XSS: Analyzing response #2...
|
|
[*] Profiler: Analyzing response #4...
|
|
[+] XSS: In form var 'xss' ( http://localhost/~zapotek/tests/forms/xss.php )
|
|
[*] Profiler: Analyzing response #5...
|
|
|
|
[*] XSS: Analyzing response #6...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
|
[*] XSS: Analyzing response #7...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
|
[*] XSS: Analyzing response #8...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
</code></pre>
|
|
</code></pre>
|
|
|
|
|
|
*Verbose mode enabled*
|
|
*Verbose mode enabled*
|
... | @@ -196,31 +209,47 @@ See the extra information in this example. |
... | @@ -196,31 +209,47 @@ See the extra information in this example. |
|
In this case the verbose messages give information about the inputs that discovered the XSS vulnerability.
|
|
In this case the verbose messages give information about the inputs that discovered the XSS vulnerability.
|
|
|
|
|
|
<pre><code>
|
|
<pre><code>
|
|
$ arachni -pv --mods=xss http://localhost/zapotek/tests/forms/xss.php
|
|
$ arachni -v --audit-forms --modules=xss http://testfire.net/ --link-count=1
|
|
Arachni - Web Application Security Scanner Framework v0.2.1 [0.2]
|
|
Arachni - Web Application Security Scanner Framework v0.4.1dev
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
<zapotek@segfault.gr>
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
Website: http://github.com/Arachni/arachni
|
|
Website: http://arachni-scanner.com
|
|
Documentation: http://github.com/Arachni/arachni/wiki
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
[*] Initing...
|
|
[*] Initialising...
|
|
|
|
[*] Waiting for plugins to settle...
|
|
|
|
[*] [HTTP: 200] http://testfire.net/
|
|
|
|
[*] Harvesting HTTP responses...
|
|
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
|
|
|
|
[*] [HTTP: 200] http://localhost/~zapotek/tests/forms/xss.php
|
|
[*] Auditing: [HTTP: 200] http://testfire.net/
|
|
[*] XSS: Auditing form variable '__original_values__' of http://localhost/~zapotek/tests/forms/xss.php
|
|
[*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
[*] XSS: Auditing form variable '__sample_values__' of http://localhost/~zapotek/tests/forms/xss.php
|
|
[*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
|
|
[*] XSS: Auditing form variable 'xss' of http://localhost/~zapotek/tests/forms/xss.php
|
|
[*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
[*] Harvesting HTTP responses...
|
|
[*] Harvesting HTTP responses...
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
[*] XSS: Analyzing response #1...
|
|
[*] Profiler: Analyzing response #3...
|
|
[*] XSS: Analyzing response #0...
|
|
[~] Trainer: Found 1 new links.
|
|
[*] XSS: Analyzing response #2...
|
|
[*] Profiler: Analyzing response #4...
|
|
[+] XSS: In form var 'xss' ( http://localhost/~zapotek/tests/forms/xss.php )
|
|
[*] Profiler: Analyzing response #5...
|
|
[v] XSS: Injected string: 1<arachni_xss_6b2d88aad3eb1e606ee4814b39cc36bfb4f11146309edb4a580f6847acef1224
|
|
[*] XSS: Analyzing response #6...
|
|
[v] XSS: Verified string: <arachni_xss_6b2d88aad3eb1e606ee4814b39cc36bfb4f11146309edb4a580f6847acef1224
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
[v] XSS: Matched regular expression: (?-mix:<arachni_xss_6b2d88aad3eb1e606ee4814b39cc36bfb4f11146309edb4a580f6847acef1224)
|
|
[v] XSS: Injected string: <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
|
|
|
|
[v] XSS: Verified string: <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
|
|
|
|
[*] XSS: Analyzing response #7...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
|
[v] XSS: Injected string: '-;<some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
|
|
|
|
[v] XSS: Verified string: '-;<some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/>
|
|
|
|
[*] XSS: Analyzing response #8...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
|
[v] XSS: Injected string: --> <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/> <!--
|
|
|
|
[v] XSS: Verified string: --> <some_dangerous_input_e9829177cc9e8bbc164a5c96acf12b2a477beda9b268a18fcc63a99a9f134c8c/> <!--
|
|
</code></pre>
|
|
</code></pre>
|
|
|
|
|
|
h3(#debug). "Debug mode ==(--debug)==":debug
|
|
h3(#debug). "Debug mode ==(--debug)==":debug
|
... | @@ -498,37 +527,46 @@ h4(#exclude_example). "Example":#exclude_example |
... | @@ -498,37 +527,46 @@ h4(#exclude_example). "Example":#exclude_example |
|
In this simple example we tell Arachni to exclude all URLs that contain the string "xss".
|
|
In this simple example we tell Arachni to exclude all URLs that contain the string "xss".
|
|
Thus no further action was taken.
|
|
Thus no further action was taken.
|
|
<pre><code>
|
|
<pre><code>
|
|
$ arachni --modules=xss http://localhost/zapotek/tests/forms/xss.php --exclude=xss
|
|
$ arachni http://testfire.net --modules=xss --exclude=testfire
|
|
Arachni - Web Application Security Scanner Framework v0.2.1 [0.2]
|
|
Arachni - Web Application Security Scanner Framework v0.4.1dev
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
<zapotek@segfault.gr>
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
Website: http://github.com/Arachni/arachni
|
|
Website: http://arachni-scanner.com
|
|
Documentation: http://github.com/Arachni/arachni/wiki
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
[~] No audit options were specified.
|
|
[~] No audit options were specified.
|
|
[~] -> Will audit links, forms and cookies.
|
|
[~] -> Will audit links, forms and cookies.
|
|
[*] Initing...
|
|
|
|
|
|
[*] Initialising...
|
|
|
|
[*] Waiting for plugins to settle...
|
|
|
|
[*] Resolver: Resolving hostnames...
|
|
|
|
[*] Resolver: Done!
|
|
|
|
|
|
|
|
[*] Dumping audit results in '2012-09-09 02.38.18 +0300.afr'.
|
|
|
|
[*] Done!
|
|
|
|
|
|
|
|
|
|
================================================================================
|
|
================================================================================
|
|
|
|
|
|
|
|
|
|
[+] Web Application Security Report - Arachni Framework
|
|
[+] Web Application Security Report - Arachni Framework
|
|
|
|
|
|
[~] Report generated on: 2010-11-24 14:43:53 +0000
|
|
[~] Report generated on: 2012-09-09 02:38:18 +0300
|
|
[~] Report false positives: http://github.com/Arachni/arachni/issues
|
|
[~] Report false positives at: http://github.com/Arachni/arachni/issues
|
|
|
|
|
|
[+] System settings:
|
|
[+] System settings:
|
|
[~] ---------------
|
|
[~] ---------------
|
|
[~] Version: 0.2.1
|
|
[~] Version: 0.4.1dev
|
|
[~] Revision: 0.2
|
|
[~] Revision: 0.2.7
|
|
[~] Audit started on: Wed Nov 24 14:43:53 2010
|
|
[~] Audit started on: Sun Sep 9 02:38:15 2012
|
|
[~] Audit finished on: Wed Nov 24 14:43:53 2010
|
|
[~] Audit finished on: Sun Sep 9 02:38:16 2012
|
|
[~] Runtime: 00:00:00
|
|
[~] Runtime: 00:00:01
|
|
|
|
|
|
[~] URL: http://localhost/zapotek/tests/forms/xss.php
|
|
[~] URL: http://testfire.net/
|
|
[~] User agent: Arachni/0.2.1
|
|
[~] User agent: Arachni/v0.4.1dev
|
|
|
|
|
|
[*] Audited elements:
|
|
[*] Audited elements:
|
|
[~] * Links
|
|
[~] * Links
|
... | @@ -539,26 +577,35 @@ Arachni - Web Application Security Scanner Framework v0.2.1 [0.2] |
... | @@ -539,26 +577,35 @@ Arachni - Web Application Security Scanner Framework v0.2.1 [0.2] |
|
|
|
|
|
[*] Filters:
|
|
[*] Filters:
|
|
[~] Exclude:
|
|
[~] Exclude:
|
|
[~] (?-mix:xss)
|
|
[~] (?-mix:testfire)
|
|
[~] Include:
|
|
|
|
[~] (?-mix:.*)
|
|
|
|
[~] Redundant:
|
|
|
|
|
|
|
|
[*] Cookies:
|
|
|
|
|
|
|
|
[~] ===========================
|
|
[~] ===========================
|
|
|
|
|
|
[+] 0 vulnerabilities were detected.
|
|
[+] 0 issues were detected.
|
|
|
|
|
|
|
|
|
|
|
|
[+] Plugin data:
|
|
|
|
[~] ---------------
|
|
|
|
|
|
|
|
|
|
[*] Dumping audit results in '2010-11-24 14:43:53 +0000.afr'.
|
|
[~] 0.0% [=> ] 100%
|
|
[*] Done!
|
|
[~] Est. remaining time: --:--:--
|
|
|
|
|
|
|
|
[~] Crawling, discovered 0 pages and counting.
|
|
|
|
|
|
[~] Sent 0 requests.
|
|
[~] Sent 0 requests.
|
|
[~] Received and analyzed 0 responses.
|
|
[~] Received and analyzed 0 responses.
|
|
[~] In 00:00:00
|
|
[~] In 00:00:01
|
|
[~] Average: 0 requests/second.
|
|
[~] Average: 0 requests/second.
|
|
|
|
|
|
|
|
[~] Burst response time total 0
|
|
|
|
[~] Burst response count total 0
|
|
|
|
[~] Burst average response time 0
|
|
|
|
[~] Burst average 0 requests/second
|
|
|
|
[~] Timed-out requests 0
|
|
|
|
[~] Original max concurrency 20
|
|
|
|
[~] Throttled max concurrency 20
|
|
|
|
|
|
</code></pre>
|
|
</code></pre>
|
|
|
|
|
|
h3(#include). "Include ==(--include/-i)==":#include
|
|
h3(#include). "Include ==(--include/-i)==":#include
|
... | @@ -772,75 +819,108 @@ h4(#lsmod_example). "Example":#lsmod_example |
... | @@ -772,75 +819,108 @@ h4(#lsmod_example). "Example":#lsmod_example |
|
|
|
|
|
<pre><code>
|
|
<pre><code>
|
|
$ arachni --lsmod
|
|
$ arachni --lsmod
|
|
Arachni - Web Application Security Scanner Framework v0.2.1 [0.2]
|
|
Arachni - Web Application Security Scanner Framework v0.4.1dev
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
<zapotek@segfault.gr>
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
Website: http://github.com/Arachni/arachni
|
|
Website: http://arachni-scanner.com
|
|
Documentation: http://github.com/Arachni/arachni/wiki
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
|
|
[~] No modules were specified.
|
|
|
|
[~] -> Will run all mods.
|
|
|
|
|
|
|
|
[~] No audit options were specified.
|
|
|
|
[~] -> Will audit links, forms and cookies.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[~] Available modules:
|
|
[~] Available modules:
|
|
|
|
|
|
[*] xss_path:
|
|
[*] code_injection:
|
|
--------------------
|
|
--------------------
|
|
Name: XSSPath
|
|
Name: Code injection
|
|
Description: Cross-Site Scripting module for path injection
|
|
Description: It tries to inject code snippets into the
|
|
Author: zapotek
|
|
web application and assess whether or not the injection
|
|
Version: 0.1.2
|
|
was successful.
|
|
|
|
Elements: form, link, cookie, header
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.6
|
|
References:
|
|
References:
|
|
[~] ha.ckers http://ha.ckers.org/xss.html
|
|
[~] PHP http://php.net/manual/en/function.eval.php
|
|
[~] Secunia http://secunia.com/advisories/9716/
|
|
[~] Perl http://perldoc.perl.org/functions/eval.html
|
|
|
|
[~] Python http://docs.python.org/py3k/library/functions.html#eval
|
|
|
|
[~] ASP http://www.aspdev.org/asp/asp-eval-execute/
|
|
|
|
[~] Ruby http://en.wikipedia.org/wiki/Eval#Ruby
|
|
Targets:
|
|
Targets:
|
|
[~] Generic all
|
|
[~] PHP
|
|
Path: /home/zapotek/workspace/arachni/modules/audit/xss_path.rb
|
|
[~] Perl
|
|
|
|
[~] Python
|
|
[*] ldapi:
|
|
[~] ASP
|
|
|
|
[~] Ruby
|
|
|
|
Metasploitable: unix/webapp/arachni_php_eval
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/code_injection.rb
|
|
|
|
|
|
|
|
[*] path_traversal:
|
|
--------------------
|
|
--------------------
|
|
Name: LDAPInjection
|
|
Name: PathTraversal
|
|
Description: It tries to force the web application to
|
|
Description: It injects paths of common files (/etc/passwd and boot.ini)
|
|
return LDAP error messages in order to discover failures
|
|
and evaluates the existence of a path traversal vulnerability
|
|
in user input validation.
|
|
based on the presence of relevant content in the HTML responses.
|
|
Elements: form, link, cookie
|
|
Elements: form, link, cookie, header
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Version: 0.1
|
|
Version: 0.2.6
|
|
References:
|
|
References:
|
|
[~] WASC http://projects.webappsec.org/w/page/13246947/LDAP-Injection
|
|
[~] OWASP http://www.owasp.org/index.php/Path_Traversal
|
|
[~] OWASP http://www.owasp.org/index.php/LDAP_injection
|
|
[~] WASC http://projects.webappsec.org/Path-Traversal
|
|
Targets:
|
|
Targets:
|
|
[~] Generic all
|
|
[~] Unix
|
|
Path: /home/zapotek/workspace/arachni/modules/audit/ldapi.rb
|
|
[~] Windows
|
|
|
|
[~] Tomcat
|
|
|
|
Metasploitable: unix/webapp/arachni_path_traversal
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/path_traversal.rb
|
|
|
|
|
|
[*] simple_cmd_exec:
|
|
[*] sqli_blind_rdiff:
|
|
--------------------
|
|
--------------------
|
|
Name: SimpleCmdExec
|
|
Name: Blind (rDiff) SQL Injection
|
|
Description: Simple shell command execution recon module
|
|
Description: It uses rDiff analysis to decide how different inputs affect
|
|
Elements: form, link, cookie
|
|
the behavior of the the web pages.
|
|
Author: zapotek
|
|
Using that as a basis it extrapolates about what inputs are vulnerable to blind SQL injection.
|
|
Version: 0.1.2
|
|
(Note: This module may get confused by certain types of XSS vulnerabilities.
|
|
|
|
If this module returns a positive result you should investigate nonetheless.)
|
|
|
|
Elements: link, form, cookie
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.3.2
|
|
References:
|
|
References:
|
|
[~] OWASP http://www.owasp.org/index.php/OS_Command_Injection
|
|
[~] OWASP http://www.owasp.org/index.php/Blind_SQL_Injection
|
|
|
|
[~] MITRE - CAPEC http://capec.mitre.org/data/definitions/7.html
|
|
Targets:
|
|
Targets:
|
|
[~] Generic all
|
|
[~] Generic
|
|
Metasploitable: unix/webapp/arachni_exec
|
|
Metasploitable: unix/webapp/arachni_sqlmap
|
|
Path: /home/zapotek/workspace/arachni/modules/audit/simple_cmd_exec.rb
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/sqli_blind_rdiff.rb
|
|
|
|
|
|
Hit <space> <enter> to continue, any other key to exit.
|
|
Hit <space> <enter> to continue, any other key to exit.
|
|
Exiting...
|
|
|
|
</code></pre>
|
|
</code></pre>
|
|
|
|
|
|
You can filter module listing like so:
|
|
You can filter module listing like so:
|
|
<pre><code>
|
|
<pre><code>
|
|
|
|
|
|
$ arachni --lsmod=xss --lsmod=path
|
|
$ arachni --lsmod=xss --lsmod=path
|
|
Arachni - Web Application Security Scanner Framework v0.2.1 [0.2]
|
|
Arachni - Web Application Security Scanner Framework v0.4.1dev
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
<zapotek@segfault.gr>
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
Website: http://github.com/Arachni/arachni
|
|
Website: http://arachni-scanner.com
|
|
Documentation: http://github.com/Arachni/arachni/wiki
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
|
|
[~] No modules were specified.
|
|
|
|
[~] -> Will run all mods.
|
|
|
|
|
|
|
|
[~] No audit options were specified.
|
|
|
|
[~] -> Will audit links, forms and cookies.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[~] Available modules:
|
|
[~] Available modules:
|
... | @@ -849,15 +929,15 @@ Arachni - Web Application Security Scanner Framework v0.2.1 [0.2] |
... | @@ -849,15 +929,15 @@ Arachni - Web Application Security Scanner Framework v0.2.1 [0.2] |
|
--------------------
|
|
--------------------
|
|
Name: XSSPath
|
|
Name: XSSPath
|
|
Description: Cross-Site Scripting module for path injection
|
|
Description: Cross-Site Scripting module for path injection
|
|
Author: zapotek
|
|
Elements: path
|
|
Version: 0.1.2
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.8
|
|
References:
|
|
References:
|
|
[~] ha.ckers http://ha.ckers.org/xss.html
|
|
[~] ha.ckers http://ha.ckers.org/xss.html
|
|
[~] Secunia http://secunia.com/advisories/9716/
|
|
[~] Secunia http://secunia.com/advisories/9716/
|
|
Targets:
|
|
Targets:
|
|
[~] Generic all
|
|
[~] Generic
|
|
Path: /home/zapotek/workspace/arachni/modules/audit/xss_path.rb
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/modules/audit/xss_path.rb
|
|
|
|
|
|
</code></pre>
|
|
</code></pre>
|
|
|
|
|
|
|
|
|
... | @@ -905,17 +985,39 @@ h4(#lsrep_example). "Example":#lsrep_example |
... | @@ -905,17 +985,39 @@ h4(#lsrep_example). "Example":#lsrep_example |
|
|
|
|
|
<pre><code>
|
|
<pre><code>
|
|
$ arachni --lsrep
|
|
$ arachni --lsrep
|
|
Arachni - Web Application Security Scanner Framework v0.2.1 [0.2]
|
|
Arachni - Web Application Security Scanner Framework v0.4.1dev
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
<zapotek@segfault.gr>
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
Website: http://github.com/Arachni/arachni
|
|
Website: http://arachni-scanner.com
|
|
Documentation: http://github.com/Arachni/arachni/wiki
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
|
|
[~] No modules were specified.
|
|
|
|
[~] -> Will run all mods.
|
|
|
|
|
|
|
|
[~] No audit options were specified.
|
|
|
|
[~] -> Will audit links, forms and cookies.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[~] Available reports:
|
|
[~] Available reports:
|
|
|
|
|
|
|
|
[*] yaml:
|
|
|
|
--------------------
|
|
|
|
Name: YAML Report
|
|
|
|
Description: Exports the audit results as a YAML file.
|
|
|
|
Options:
|
|
|
|
[~] outfile - Where to save the report.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default: 2012-09-09 02.41.03 +0300.yaml
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.1
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/yaml.rb
|
|
|
|
|
|
[*] txt:
|
|
[*] txt:
|
|
--------------------
|
|
--------------------
|
|
Name: Text report
|
|
Name: Text report
|
... | @@ -923,12 +1025,12 @@ Description: Exports a report as a plain text file. |
... | @@ -923,12 +1025,12 @@ Description: Exports a report as a plain text file. |
|
Options:
|
|
Options:
|
|
[~] outfile - Where to save the report.
|
|
[~] outfile - Where to save the report.
|
|
[~] Type: string
|
|
[~] Type: string
|
|
[~] Default: 2010-11-24 15:30:38 +0000.txt
|
|
[~] Default: 2012-09-09 02.41.03 +0300.txt
|
|
[~] Required?: false
|
|
[~] Required?: false
|
|
|
|
|
|
Author: zapotek
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Version: 0.1
|
|
Version: 0.2.1
|
|
Path: /home/zapotek/workspace/arachni/reports/txt.rb
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/txt.rb
|
|
|
|
|
|
[*] xml:
|
|
[*] xml:
|
|
--------------------
|
|
--------------------
|
... | @@ -937,28 +1039,12 @@ Description: Exports a report as an XML file. |
... | @@ -937,28 +1039,12 @@ Description: Exports a report as an XML file. |
|
Options:
|
|
Options:
|
|
[~] outfile - Where to save the report.
|
|
[~] outfile - Where to save the report.
|
|
[~] Type: string
|
|
[~] Type: string
|
|
[~] Default: 2010-11-24 15:30:38 +0000.xml
|
|
[~] Default: 2012-09-09 02.41.03 +0300.xml
|
|
[~] Required?: false
|
|
[~] Required?: false
|
|
|
|
|
|
Author: zapotek
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Version: 0.1
|
|
Version: 0.2.2
|
|
Path: /home/zapotek/workspace/arachni/reports/xml.rb
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/xml.rb
|
|
|
|
|
|
[*] ap:
|
|
|
|
--------------------
|
|
|
|
Name: AP
|
|
|
|
Description: Awesome prints an AuditStore hash.
|
|
|
|
Author: zapotek
|
|
|
|
Version: 0.1
|
|
|
|
Path: /home/zapotek/workspace/arachni/reports/ap.rb
|
|
|
|
|
|
|
|
[*] stdout:
|
|
|
|
--------------------
|
|
|
|
Name: Stdout
|
|
|
|
Description: Prints the results to standard output.
|
|
|
|
Author: zapotek
|
|
|
|
Version: 0.2.1
|
|
|
|
Path: /home/zapotek/workspace/arachni/reports/stdout.rb
|
|
|
|
|
|
|
|
[*] metareport:
|
|
[*] metareport:
|
|
--------------------
|
|
--------------------
|
... | @@ -967,12 +1053,26 @@ Description: Creates a file to be used with the Arachni MSF plug-in. |
... | @@ -967,12 +1053,26 @@ Description: Creates a file to be used with the Arachni MSF plug-in. |
|
Options:
|
|
Options:
|
|
[~] outfile - Where to save the report.
|
|
[~] outfile - Where to save the report.
|
|
[~] Type: string
|
|
[~] Type: string
|
|
[~] Default: 2010-11-24 15:30:38 +0000.msf
|
|
[~] Default: 2012-09-09 02.41.03 +0300.msf
|
|
[~] Required?: false
|
|
[~] Required?: false
|
|
|
|
|
|
Author: zapotek
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Version: 0.1
|
|
Version: 0.1.1
|
|
Path: /home/zapotek/workspace/arachni/reports/metareport.rb
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/metareport.rb
|
|
|
|
|
|
|
|
[*] afr:
|
|
|
|
--------------------
|
|
|
|
Name: Arachni Framework Report
|
|
|
|
Description: Saves the file in the default Arachni Framework Report (.afr) format.
|
|
|
|
Options:
|
|
|
|
[~] outfile - Where to save the report.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default: 2012-09-09 02.41.03 +0300.afr
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.1
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/afr.rb
|
|
|
|
|
|
[*] html:
|
|
[*] html:
|
|
--------------------
|
|
--------------------
|
... | @@ -981,31 +1081,61 @@ Description: Exports a report as an HTML document. |
... | @@ -981,31 +1081,61 @@ Description: Exports a report as an HTML document. |
|
Options:
|
|
Options:
|
|
[~] tpl - Template to use.
|
|
[~] tpl - Template to use.
|
|
[~] Type: path
|
|
[~] Type: path
|
|
[~] Default: /home/zapotek/workspace/arachni/reports/html/default.tpl
|
|
[~] Default: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/html/default.erb
|
|
[~] Required?: false
|
|
[~] Required?: false
|
|
|
|
|
|
[~] outfile - Where to save the report.
|
|
[~] outfile - Where to save the report.
|
|
[~] Type: string
|
|
[~] Type: string
|
|
[~] Default: 2010-11-24 15:30:38 +0000.html
|
|
[~] Default: 2012-09-09 02.41.03 +0300.html
|
|
[~] Required?: false
|
|
[~] Required?: false
|
|
|
|
|
|
Author: zapotek
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Version: 0.1
|
|
Version: 0.3.1
|
|
Path: /home/zapotek/workspace/arachni/reports/html.rb
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/html.rb
|
|
|
|
|
|
[*] afr:
|
|
[*] ap:
|
|
--------------------
|
|
--------------------
|
|
Name: Arachni Framework Report
|
|
Name: AP
|
|
Description: Saves the file in the default Arachni Framework Report (.afr) format.
|
|
Description: Awesome prints an AuditStore hash.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.1
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/ap.rb
|
|
|
|
|
|
|
|
[*] marshal:
|
|
|
|
--------------------
|
|
|
|
Name: Marshal Report
|
|
|
|
Description: Exports the audit results as a Marshal file.
|
|
Options:
|
|
Options:
|
|
[~] outfile - Where to save the report.
|
|
[~] outfile - Where to save the report.
|
|
[~] Type: string
|
|
[~] Type: string
|
|
[~] Default: 2010-11-24 15:30:38 +0000.afr
|
|
[~] Default: 2012-09-09 02.41.03 +0300.marshal
|
|
[~] Required?: false
|
|
[~] Required?: false
|
|
|
|
|
|
Author: zapotek
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Version: 0.1
|
|
Version: 0.1.1
|
|
Path: /home/zapotek/workspace/arachni/reports/afr.rb
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/marshal.rb
|
|
|
|
|
|
|
|
[*] json:
|
|
|
|
--------------------
|
|
|
|
Name: JSON Report
|
|
|
|
Description: Exports the audit results as a JSON file.
|
|
|
|
Options:
|
|
|
|
[~] outfile - Where to save the report.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default: 2012-09-09 02.41.03 +0300.json
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.1
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/json.rb
|
|
|
|
|
|
|
|
[*] stdout:
|
|
|
|
--------------------
|
|
|
|
Name: Stdout
|
|
|
|
Description: Prints the results to standard output.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.2.2
|
|
|
|
Path: /home/zapotek/builds/arachni/gems/gems/arachni-0.4.1dev/reports/stdout.rb
|
|
</code></pre>
|
|
</code></pre>
|
|
|
|
|
|
h3(#repload). "Load a report ==(--repload)==":#repload
|
|
h3(#repload). "Load a report ==(--repload)==":#repload
|
... | @@ -1021,63 +1151,63 @@ h4(#repload_example). "Example":#repload_example |
... | @@ -1021,63 +1151,63 @@ h4(#repload_example). "Example":#repload_example |
|
|
|
|
|
Load an AFR report file and send it to the "stdout" report.
|
|
Load an AFR report file and send it to the "stdout" report.
|
|
<pre><code>
|
|
<pre><code>
|
|
$ arachni --repload=2010-11-24\ 14\:52\:59\ +0000.afr --report=stdout
|
|
$ arachni --repload=2012-09-09\ 02.42.20\ +0300.afr
|
|
Arachni - Web Application Security Scanner Framework v0.2.1 [0.2]
|
|
Arachni - Web Application Security Scanner Framework v0.4.1dev
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
<zapotek@segfault.gr>
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
Website: http://github.com/Arachni/arachni
|
|
Website: http://arachni-scanner.com
|
|
Documentation: http://github.com/Arachni/arachni/wiki
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
================================================================================
|
|
================================================================================
|
|
|
|
|
|
|
|
|
|
[+] Web Application Security Report - Arachni Framework
|
|
[+] Web Application Security Report - Arachni Framework
|
|
|
|
|
|
[~] Report generated on: 2010-11-24 14:53:42 +0000
|
|
[~] Report generated on: 2012-09-09 02:42:54 +0300
|
|
[~] Report false positives: http://github.com/Arachni/arachni/issues
|
|
[~] Report false positives at: http://github.com/Arachni/arachni/issues
|
|
|
|
|
|
[+] System settings:
|
|
[+] System settings:
|
|
[~] ---------------
|
|
[~] ---------------
|
|
[~] Version: 0.2.1
|
|
[~] Version: 0.4.1dev
|
|
[~] Revision: 0.2
|
|
[~] Revision: 0.2.7
|
|
[~] Audit started on: Wed Nov 24 14:52:59 2010
|
|
[~] Audit started on: Sun Sep 9 02:42:15 2012
|
|
[~] Audit finished on: Wed Nov 24 14:52:59 2010
|
|
[~] Audit finished on: Sun Sep 9 02:42:18 2012
|
|
[~] Runtime: 00:00:00
|
|
[~] Runtime: 00:00:03
|
|
|
|
|
|
[~] URL: http://localhost/~zapotek/tests/forms/xss.php
|
|
[~] URL: http://testfire.net/
|
|
[~] User agent: Arachni/0.2.1
|
|
[~] User agent: Arachni/v0.4.1dev
|
|
|
|
|
|
[*] Audited elements:
|
|
[*] Audited elements:
|
|
[~] * Links
|
|
|
|
[~] * Forms
|
|
[~] * Forms
|
|
[~] * Cookies
|
|
|
|
|
|
|
|
[*] Modules: xss
|
|
[*] Modules: xss
|
|
|
|
|
|
[*] Filters:
|
|
|
|
[~] Exclude:
|
|
|
|
[~] Include:
|
|
|
|
[~] (?-mix:.*)
|
|
|
|
[~] Redundant:
|
|
|
|
|
|
|
|
[*] Cookies:
|
|
[*] Cookies:
|
|
|
|
[~] ASP.NET_SessionId = zdjkcj2t3qdmmw555alngpbm
|
|
|
|
[~] amSessionId = 203429333847
|
|
|
|
|
|
[~] ===========================
|
|
[~] ===========================
|
|
|
|
|
|
[+] 1 vulnerabilities were detected.
|
|
[+] 1 issues were detected.
|
|
|
|
|
|
[+] Cross-Site Scripting (XSS)
|
|
[+] [1] Cross-Site Scripting (XSS)
|
|
[~] ~~~~~~~~~~~~~~~~~~~~
|
|
[~] ~~~~~~~~~~~~~~~~~~~~
|
|
|
|
[~] ID Hash: 106295fcfffa8fea3664f8fb27defe5b81f3dfba2b54c5c7f2bcb63b36246359
|
|
[~] Severity: High
|
|
[~] Severity: High
|
|
[~] URL: http://localhost/~zapotek/tests/forms/xss.php
|
|
[~] URL: http://testfire.net/search.aspx
|
|
[~] Elements: form
|
|
[~] Element: form
|
|
[~] Variable: xss
|
|
[~] Method: GET
|
|
|
|
[~] Tags: xss, regexp, injection, script
|
|
|
|
[~] Variable: txtSearch
|
|
[~] Description:
|
|
[~] Description:
|
|
[~] Client-side code, like JavaScript, can
|
|
[~] Client-side code (like JavaScript) can
|
|
be injected into the web application.
|
|
be injected into the web application which is then returned to the user's browser.
|
|
|
|
This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.
|
|
|
|
|
|
[~] CWE: http://cwe.mitre.org/data/definitions/79.html
|
|
[~] CWE: http://cwe.mitre.org/data/definitions/79.html
|
|
|
|
|
... | @@ -1090,28 +1220,70 @@ Arachni - Web Application Security Scanner Framework v0.2.1 [0.2] |
... | @@ -1090,28 +1220,70 @@ Arachni - Web Application Security Scanner Framework v0.2.1 [0.2] |
|
[*] Variations
|
|
[*] Variations
|
|
[~] ----------
|
|
[~] ----------
|
|
[~] Variation 1:
|
|
[~] Variation 1:
|
|
[~] URL: http://localhost/~zapotek/tests/forms/xss.php
|
|
[~] URL: http://testfire.net/search.aspx
|
|
[~] ID: <arachni_xss_955420f4722f1116416100259a0ff352f269f15ba0db23cca38c1428ef2ab42d
|
|
[~] Injected value: <some_dangerous_input_851ed9aefabd36fc0ad7d0611c23e1ae561b7caaa28b42ef305a109c9f1cb639/>
|
|
[~] Injected value: 1<arachni_xss_955420f4722f1116416100259a0ff352f269f15ba0db23cca38c1428ef2ab42d
|
|
[~] Regular expression:
|
|
[~] Regular expression: (?-mix:<arachni_xss_955420f4722f1116416100259a0ff352f269f15ba0db23cca38c1428ef2ab42d)
|
|
[~] Matched string: <some_dangerous_input_851ed9aefabd36fc0ad7d0611c23e1ae561b7caaa28b42ef305a109c9f1cb639/>
|
|
[~] Matched string: <arachni_xss_955420f4722f1116416100259a0ff352f269f15ba0db23cca38c1428ef2ab42d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[+] Plugin data:
|
|
|
|
[~] ---------------
|
|
|
|
|
|
|
|
|
|
|
|
[*] Resolver
|
|
|
|
[~] ~~~~~~~~~~~~~~
|
|
|
|
[~] Description: Resolves vulnerable hostnames to IP addresses.
|
|
|
|
|
|
|
|
[~] testfire.net: 65.61.137.117
|
|
|
|
|
|
|
|
[*] Health map
|
|
|
|
[~] ~~~~~~~~~~~~~~
|
|
|
|
[~] Description: Generates a simple list of safe/unsafe URLs.
|
|
|
|
|
|
|
|
[~] Legend:
|
|
|
|
[+] No issues
|
|
|
|
[-] Has issues
|
|
|
|
|
|
|
|
[+] http://testfire.net/
|
|
|
|
[-] http://testfire.net/search.aspx
|
|
|
|
|
|
|
|
[~] Total: 2
|
|
|
|
[+] Without issues: 1
|
|
|
|
[-] With issues: 1 ( 50% )
|
|
|
|
|
|
|
|
[*] Profiler
|
|
|
|
[~] ~~~~~~~~~~~~~~
|
|
|
|
[~] Description: Examines the behavior of the web application gathering general statistics
|
|
|
|
and performs taint analysis to determine which inputs affect the output.
|
|
|
|
|
|
|
|
It does not perform any vulnerability assessment nor does it send attack payloads.
|
|
|
|
|
|
|
|
[~] Inputs affecting output:
|
|
|
|
|
|
|
|
[+] Form using the 'txtSearch' input at 'http://testfire.net/' pointing to 'http://testfire.net/search.aspx' using 'GET'.
|
|
|
|
[~] It was submitted using the following parameters:
|
|
|
|
[~] * txtSearch = arachni_text023849c38925e2af028a2eb4e1dc41afd7dc7a238195c1c2ae00438d1dae00e1
|
|
|
|
[~]
|
|
|
|
[~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_text023849c38925e2af028a2eb4e1dc41afd7dc7a238195c1c2ae00438d1dae00e1':
|
|
|
|
[~] * Body
|
|
</code></pre>
|
|
</code></pre>
|
|
|
|
|
|
Load an AFR file and create an HTML report from it.
|
|
Load an AFR file and create an HTML report from it.
|
|
<pre><code>
|
|
<pre><code>
|
|
$ arachni --repload=2010-11-24\ 14\:52\:59\ +0000.afr --report=html
|
|
$ arachni --repload=2012-09-09\ 02.42.20\ +0300.afr --report=html
|
|
Arachni - Web Application Security Scanner Framework v0.2.1 [0.2]
|
|
Arachni - Web Application Security Scanner Framework v0.4.1dev
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
<zapotek@segfault.gr>
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
Website: http://github.com/Arachni/arachni
|
|
Website: http://arachni-scanner.com
|
|
Documentation: http://github.com/Arachni/arachni/wiki
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[*] Creating HTML report...
|
|
[*] Creating HTML report...
|
|
[*] Saved in '2010-11-24 14:53:35 +0000.html'.
|
|
[*] Saved in '2012-09-09 02.43.42 +0300.html'.
|
|
</code></pre>
|
|
</code></pre>
|
|
|
|
|
|
h3(#report). "Report ==(--report)==":#report
|
|
h3(#report). "Report ==(--report)==":#report
|
... | @@ -1127,41 +1299,97 @@ h4(#report_example). "Example":#report_example |
... | @@ -1127,41 +1299,97 @@ h4(#report_example). "Example":#report_example |
|
|
|
|
|
Running the HTML report with an outfile option:
|
|
Running the HTML report with an outfile option:
|
|
<pre><code>
|
|
<pre><code>
|
|
$ arachni --modules=xss http://localhost/~zapotek/tests/forms/xss.php --report=html:outfile=my_html_report.html
|
|
$ arachni http://testfire.net --link-count=1 --modules=xss --report=html:outfile=my_html_report.html
|
|
Arachni - Web Application Security Scanner Framework v0.2.1 [0.2]
|
|
Arachni - Web Application Security Scanner Framework v0.4.1dev
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
<zapotek@segfault.gr>
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
Website: http://github.com/Arachni/arachni
|
|
Website: http://arachni-scanner.com
|
|
Documentation: http://github.com/Arachni/arachni/wiki
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
[~] No audit options were specified.
|
|
[~] No audit options were specified.
|
|
[~] -> Will audit links, forms and cookies.
|
|
[~] -> Will audit links, forms and cookies.
|
|
[*] Initing...
|
|
|
|
|
|
|
|
[*] [HTTP: 200] http://localhost/~zapotek/tests/forms/xss.php
|
|
[*] Initialising...
|
|
[*] XSS: Auditing form variable '__original_values__' of http://localhost/~zapotek/tests/forms/xss.php
|
|
[*] Waiting for plugins to settle...
|
|
[*] XSS: Auditing form variable '__sample_values__' of http://localhost/~zapotek/tests/forms/xss.php
|
|
[*] [HTTP: 200] http://testfire.net/
|
|
[*] XSS: Auditing form variable 'xss' of http://localhost/~zapotek/tests/forms/xss.php
|
|
|
|
[*] Harvesting HTTP responses...
|
|
[*] Harvesting HTTP responses...
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
[*] XSS: Analyzing response #2...
|
|
|
|
[+] XSS: In form var 'xss' ( http://localhost/~zapotek/tests/forms/xss.php )
|
|
[*] Auditing: [HTTP: 200] http://testfire.net/
|
|
[*] XSS: Analyzing response #0...
|
|
[*] Profiler: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
|
|
[*] XSS: Analyzing response #1...
|
|
[*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] Profiler: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] Profiler: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] Harvesting HTTP responses...
|
|
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
|
|
[*] Profiler: Analyzing response #3...
|
|
|
|
[*] Profiler: Analyzing response #4...
|
|
|
|
[~] Trainer: Found 1 new links.
|
|
|
|
[*] Profiler: Analyzing response #5...
|
|
|
|
[*] Profiler: Analyzing response #6...
|
|
|
|
[*] XSS: Analyzing response #9...
|
|
|
|
[*] XSS: Analyzing response #10...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
|
[*] XSS: Analyzing response #13...
|
|
|
|
[*] XSS: Analyzing response #14...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
|
[*] XSS: Analyzing response #17...
|
|
|
|
[*] XSS: Analyzing response #18...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
|
[*] Profiler: Analyzing response #8...
|
|
|
|
[*] Profiler: Analyzing response #7...
|
|
|
|
[*] XSS: Analyzing response #12...
|
|
|
|
[*] XSS: Analyzing response #11...
|
|
|
|
[*] XSS: Analyzing response #15...
|
|
|
|
[*] XSS: Analyzing response #16...
|
|
|
|
[*] XSS: Analyzing response #19...
|
|
|
|
[*] XSS: Analyzing response #20...
|
|
|
|
|
|
|
|
[*] Resolver: Resolving hostnames...
|
|
|
|
[*] Resolver: Done!
|
|
|
|
|
|
|
|
[*] Dumping audit results in '2012-09-09 02.45.19 +0300.afr'.
|
|
|
|
[*] Done!
|
|
|
|
|
|
[*] Creating HTML report...
|
|
[*] Creating HTML report...
|
|
[*] Saved in 'my_html_report.html'.
|
|
[*] Saved in 'my_html_report.html'.
|
|
|
|
|
|
[*] Dumping audit results in '2010-11-24 14:56:47 +0000.afr'.
|
|
[~] 100.0% [============================================================>] 100%
|
|
[*] Done!
|
|
[~] Est. remaining time: --:--:--
|
|
|
|
|
|
|
|
[~] Crawler has discovered 2 pages.
|
|
|
|
[~] Audit limited to a max of 1 pages -- excluding 1 pages of Trainer feedback.
|
|
|
|
|
|
[~] Sent 3 requests.
|
|
[~] Sent 25 requests.
|
|
[~] Received and analyzed 3 responses.
|
|
[~] Received and analyzed 25 responses.
|
|
[~] In 00:00:00
|
|
[~] In 00:00:04
|
|
[~] Average: 56 requests/second.
|
|
[~] Average: 6 requests/second.
|
|
|
|
|
|
|
|
[~] Currently auditing http://testfire.net/search.aspx?txtSearch=
|
|
|
|
[~] Burst response time total 0
|
|
|
|
[~] Burst response count total 0
|
|
|
|
[~] Burst average response time 0
|
|
|
|
[~] Burst average 0 requests/second
|
|
|
|
[~] Timed-out requests 0
|
|
|
|
[~] Original max concurrency 20
|
|
|
|
[~] Throttled max concurrency 20
|
|
</code></pre>
|
|
</code></pre>
|
|
|
|
|
|
h2(#plugins). "Plugins":#plugins
|
|
h2(#plugins). "Plugins":#plugins
|
... | @@ -1178,24 +1406,163 @@ h4(#lsplug_example). "Example":#lsplug_example |
... | @@ -1178,24 +1406,163 @@ h4(#lsplug_example). "Example":#lsplug_example |
|
|
|
|
|
<pre><code>
|
|
<pre><code>
|
|
$ arachni --lsplug
|
|
$ arachni --lsplug
|
|
Arachni - Web Application Security Scanner Framework v0.2.1 [0.2]
|
|
Arachni - Web Application Security Scanner Framework v0.4.1dev
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
<zapotek@segfault.gr>
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
Website: http://github.com/Arachni/arachni
|
|
Website: http://arachni-scanner.com
|
|
Documentation: http://github.com/Arachni/arachni/wiki
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
|
|
[~] No modules were specified.
|
|
|
|
[~] -> Will run all mods.
|
|
|
|
|
|
|
|
[~] No audit options were specified.
|
|
|
|
[~] -> Will audit links, forms and cookies.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[~] Available plugins:
|
|
[~] Available plugins:
|
|
|
|
|
|
|
|
[*] resolver:
|
|
|
|
--------------------
|
|
|
|
Name: Resolver
|
|
|
|
Description: Resolves vulnerable hostnames to IP addresses.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.1
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/resolver.rb
|
|
|
|
|
|
|
|
[*] healthmap:
|
|
|
|
--------------------
|
|
|
|
Name: Health map
|
|
|
|
Description: Generates a simple list of safe/unsafe URLs.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.3
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/healthmap.rb
|
|
|
|
|
|
|
|
[*] profiler:
|
|
|
|
--------------------
|
|
|
|
Name: Profiler
|
|
|
|
Description: Examines the behavior of the web application gathering general statistics
|
|
|
|
and performs taint analysis to determine which inputs affect the output.
|
|
|
|
|
|
|
|
It does not perform any vulnerability assessment nor does it send attack payloads.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.5
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/profiler.rb
|
|
|
|
|
|
|
|
[*] uniformity:
|
|
|
|
--------------------
|
|
|
|
Name: Uniformity (Lack of central sanitization)
|
|
|
|
Description: Analyzes the scan results and logs issues which persist across different pages.
|
|
|
|
This is usually a sign for a lack of a central/single point of input sanitization,
|
|
|
|
a bad coding practise.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/uniformity.rb
|
|
|
|
|
|
|
|
[*] manual_verification:
|
|
|
|
--------------------
|
|
|
|
Name: Issues requiring manual verification
|
|
|
|
Description: The HTTP responses of the issues logged by this plugin exhibit a suspicious pattern
|
|
|
|
even before any audit action has taken place -- this challenges the relevance of the audit procedure.
|
|
|
|
|
|
|
|
Thus, these issues require manual verification.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/manual_verification.rb
|
|
|
|
|
|
|
|
[*] timing_attacks:
|
|
|
|
--------------------
|
|
|
|
Name: Timing attack anomalies
|
|
|
|
Description: Analyzes the scan results and logs issues that used timing attacks
|
|
|
|
while the affected web pages demonstrated an unusually high response time.
|
|
|
|
A situation which renders the logged issues inconclusive or (possibly) false positives.
|
|
|
|
|
|
|
|
Pages with high response times usually include heavy-duty processing
|
|
|
|
which makes them prime targets for Denial-of-Service attacks.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.4
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/timing_attacks.rb
|
|
|
|
|
|
|
|
[*] discovery:
|
|
|
|
--------------------
|
|
|
|
Name: Discovery module response anomalies
|
|
|
|
Description: Analyzes the scan results and identifies issues logged by discovery modules
|
|
|
|
(i.e. modules that look for certain files and folders on the server),
|
|
|
|
while the server responses were exhibiting an anomalous factor of similarity.
|
|
|
|
|
|
|
|
There's a good chance that these issues are false positives.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/discovery.rb
|
|
|
|
|
|
|
|
[*] autothrottle:
|
|
|
|
--------------------
|
|
|
|
Name: AutoThrottle
|
|
|
|
Description: Monitors HTTP response times and automatically
|
|
|
|
throttles the request concurrency in order to maintain stability
|
|
|
|
and avoid from killing the server.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.3
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/autothrottle.rb
|
|
|
|
|
|
|
|
[*] content_types:
|
|
|
|
--------------------
|
|
|
|
Name: Content-types
|
|
|
|
Description: Logs content-types of server responses.
|
|
|
|
It can help you categorize and identify publicly available file-types
|
|
|
|
which in turn can help you identify accidentally leaked files.
|
|
|
|
Options:
|
|
|
|
[~] exclude - Exclude content-types that match this regular expression.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default: text
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.4
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/defaults/content_types.rb
|
|
|
|
|
|
|
|
[*] libnotify:
|
|
|
|
--------------------
|
|
|
|
Name: libnotify
|
|
|
|
Description: Uses the libnotify library to send notifications for each discovered issue
|
|
|
|
and a summary at the end of the scan.
|
|
|
|
Options:
|
|
|
|
[~] for_every_issue - Show every issue.
|
|
|
|
[~] Type: bool
|
|
|
|
[~] Default: true
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.1
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/libnotify.rb
|
|
|
|
|
|
|
|
[*] cookie_collector:
|
|
|
|
--------------------
|
|
|
|
Name: Cookie collector
|
|
|
|
Description: Monitors and collects cookies while establishing a timeline of changes.
|
|
|
|
|
|
|
|
WARNING: Highly discouraged when the audit includes cookies.
|
|
|
|
It will log thousands of results leading to a huge report,
|
|
|
|
highly increased memory and CPU usage.
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.5
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/cookie_collector.rb
|
|
|
|
|
|
[*] proxy:
|
|
[*] proxy:
|
|
--------------------
|
|
--------------------
|
|
Name: Proxy
|
|
Name: Proxy
|
|
Description: Gathers data based on user actions and exchanged HTTP
|
|
Description:
|
|
|
|
* Gathers data based on user actions and exchanged HTTP
|
|
traffic and pushes that data to the framework's page-queue to be audited.
|
|
traffic and pushes that data to the framework's page-queue to be audited.
|
|
It also updates the framework cookies with the cookies of the HTTP requests and
|
|
* Updates the framework cookies with the cookies of the HTTP requests and
|
|
responses, thus it can also be used to login to a web application.
|
|
responses, thus it can also be used to login to a web application.
|
|
|
|
* Supports SSL interception.
|
|
|
|
|
|
|
|
To skip crawling and only audit elements discovered by using the proxy
|
|
|
|
set '--link-count=0'.
|
|
Options:
|
|
Options:
|
|
[~] port - Port to bind to.
|
|
[~] port - Port to bind to.
|
|
[~] Type: port
|
|
[~] Type: port
|
... | @@ -1207,16 +1574,236 @@ Options: |
... | @@ -1207,16 +1574,236 @@ Options: |
|
[~] Default: 0.0.0.0
|
|
[~] Default: 0.0.0.0
|
|
[~] Required?: false
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] timeout - How long to wait for a request to complete, in milliseconds.
|
|
|
|
[~] Type: integer
|
|
|
|
[~] Default: 20000
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Version: 0.1
|
|
Version: 0.2
|
|
Path: /home/zapotek/workspace/arachni/plugins/proxy.rb
|
|
Path: /home/zapotek/workspace/arachni/plugins/proxy.rb
|
|
|
|
|
|
|
|
[*] beep_notify:
|
|
|
|
--------------------
|
|
|
|
Name: Beep notify
|
|
|
|
Description: It beeps when the scan finishes.
|
|
|
|
Options:
|
|
|
|
[~] repeat - How many times to beep.
|
|
|
|
[~] Type: integer
|
|
|
|
[~] Default: 4
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] interval - How long to wait between beeps.
|
|
|
|
[~] Type: float
|
|
|
|
[~] Default: 0.4
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/beep_notify.rb
|
|
|
|
|
|
|
|
[*] rescan:
|
|
|
|
--------------------
|
|
|
|
Name: ReScan
|
|
|
|
Description: It uses the AFR report of a previous scan to
|
|
|
|
extract the sitemap in order to avoid a redundant crawl.
|
|
|
|
|
|
|
|
Options:
|
|
|
|
[~] afr - Path to the AFR report.
|
|
|
|
[~] Type: path
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/rescan.rb
|
|
|
|
|
|
|
|
[*] http_dicattack:
|
|
|
|
--------------------
|
|
|
|
Name: HTTP dictionary attacker
|
|
|
|
Description: Uses wordlists to crack password protected directories.
|
|
|
|
If the cracking process is successful the found credentials will be set
|
|
|
|
framework-wide and used for the duration of the audit.
|
|
|
|
If that's not what you want set the crawler's link-count limit to "0".
|
|
|
|
Options:
|
|
|
|
[~] username_list - File with a list of usernames (newline separated).
|
|
|
|
[~] Type: path
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] password_list - File with a list of passwords (newline separated).
|
|
|
|
[~] Type: path
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/http_dicattack.rb
|
|
|
|
|
|
|
|
[*] vector_feed:
|
|
|
|
--------------------
|
|
|
|
Name: Vector feed
|
|
|
|
Description: Reads in vector data from which it creates elements to be audited.
|
|
|
|
Can be used to perform extremely specialized/narrow audits on a per vector/element basis.
|
|
|
|
|
|
|
|
Notes:
|
|
|
|
* To only audit the vectors in the feed you must set the 'link-count' limit to 0 to prevent crawling.
|
|
|
|
* Can handle multiple YAML documents.
|
|
|
|
|
|
|
|
Example YAML file:
|
|
|
|
-
|
|
|
|
# you can pass pages to be audited by grep modules (and JS in the future)
|
|
|
|
type: page
|
|
|
|
url: http://localhost/
|
|
|
|
# response code
|
|
|
|
code: 200
|
|
|
|
# response headers
|
|
|
|
headers:
|
|
|
|
Content-Type: "text/html; charset=utf-8"
|
|
|
|
body: "HTML code goes here"
|
|
|
|
|
|
|
|
-
|
|
|
|
# default type is link which has method get
|
|
|
|
#type: link
|
|
|
|
action: http://localhost/link
|
|
|
|
inputs:
|
|
|
|
my_param: "my val"
|
|
|
|
|
|
|
|
-
|
|
|
|
# if a method is post it'll default to a form type
|
|
|
|
type: form
|
|
|
|
method: post
|
|
|
|
action: http://localhost/form
|
|
|
|
inputs:
|
|
|
|
post_this: "HUA!"
|
|
|
|
csrf: "my_csrf_token"
|
|
|
|
# do not fuzz/mutate/audit the following inputs (by name obviously)
|
|
|
|
skip:
|
|
|
|
- csrf
|
|
|
|
|
|
|
|
# GET only
|
|
|
|
-
|
|
|
|
type: cookie
|
|
|
|
action: http://localhost/cookie
|
|
|
|
inputs:
|
|
|
|
session_id: "43434234343sddsdsds"
|
|
|
|
|
|
|
|
# GET only
|
|
|
|
-
|
|
|
|
type: header
|
|
|
|
action: http://localhost/header
|
|
|
|
# only 1 input allowed, each header field=>value must be defined separately
|
|
|
|
inputs:
|
|
|
|
User-Agent: "Blah/2"
|
|
|
|
|
|
|
|
|
|
|
|
Options:
|
|
|
|
[~] vectors - Vector array (for configuration over RPC).
|
|
|
|
[~] Type: abstract
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] yaml_string - A string of YAML serialized vectors (for configuration over RPC).
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] yaml_file - A file containing the YAML serialized vectors.
|
|
|
|
[~] Type: path
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/vector_feed.rb
|
|
|
|
|
|
|
|
[*] script:
|
|
|
|
--------------------
|
|
|
|
Name: Script
|
|
|
|
Description: Loads and runs an external Ruby script under the scope of a plugin,
|
|
|
|
used for debugging and general hackery.
|
|
|
|
|
|
|
|
Will not work over RPC.
|
|
|
|
Options:
|
|
|
|
[~] path - Path to the script.
|
|
|
|
[~] Type: path
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.1
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/script.rb
|
|
|
|
|
|
|
|
[*] email_notify:
|
|
|
|
--------------------
|
|
|
|
Name: E-mail notify
|
|
|
|
Description: Sends a notification (and optionally a report) over SMTP at the end of the scan.
|
|
|
|
Options:
|
|
|
|
[~] to - E-mail address of the receiver.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] cc - E-mail address to which to send a carbon copy of the notification.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] bcc - E-mail address for a blind carbon copy.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] from - E-mail address of the sender.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] server_address - Address of the SMTP server to use.
|
|
|
|
[~] Type: address
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] server_port - SMTP port.
|
|
|
|
[~] Type: port
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] tls - Use TLS/SSL?.
|
|
|
|
[~] Type: bool
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] username - SMTP username.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] password - SMTP password.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] authentication - Authentication.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default: plain
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
[~] report - Report type to send as an attachment. (accepted: txt, xml, html, json, yaml, marshalnone)
|
|
|
|
[~] Type: enum
|
|
|
|
[~] Default: txt
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/email_notify.rb
|
|
|
|
|
|
[*] autologin:
|
|
[*] autologin:
|
|
--------------------
|
|
--------------------
|
|
Name: AutoLogin
|
|
Name: AutoLogin
|
|
Description: It looks for the login form in the user provided URL,
|
|
Description: It looks for the login form in the user provided URL,
|
|
merges its input fields with the user supplied parameters and sets the cookies
|
|
merges its input fields with the user supplied parameters and sets the cookies
|
|
of the response and request as framework-wide cookies to be user by the spider later on.
|
|
of the response and request as framework-wide cookies to be used by the spider later on.
|
|
|
|
|
|
Options:
|
|
Options:
|
|
[~] url - The URL that contains the login form.
|
|
[~] url - The URL that contains the login form.
|
... | @@ -1229,10 +1816,76 @@ Options: |
... | @@ -1229,10 +1816,76 @@ Options: |
|
[~] Default:
|
|
[~] Default:
|
|
[~] Required?: true
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] check - A pattern which will be used to verify a successful login.
|
|
|
|
For example, if a logout link only appears when a user is logged in then it can be a perfect choice.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Version: 0.1
|
|
Version: 0.1.5
|
|
Path: /home/zapotek/workspace/arachni/plugins/autologin.rb
|
|
Path: /home/zapotek/workspace/arachni/plugins/autologin.rb
|
|
|
|
|
|
|
|
[*] waf_detector:
|
|
|
|
--------------------
|
|
|
|
Name: WAF Detector
|
|
|
|
Description: Performs basic profiling on the web application
|
|
|
|
in order to assess the existence of a Web Application Firewall.
|
|
|
|
|
|
|
|
This is a 4 stage process:
|
|
|
|
1. Grab the original page as is
|
|
|
|
2. Send a lot of innocent (vanilla) strings in non-existent inputs so as to profile normal behavior
|
|
|
|
3. Send a lot of suspicious (spicy) strings in non-existent inputs and check if behavior changes
|
|
|
|
4. Make heads or tails of the gathered responses
|
|
|
|
|
|
|
|
Steps 1 to 3 will be repeated _precision_ times (default: 5) and the responses will be averaged using rDiff analysis.
|
|
|
|
Options:
|
|
|
|
[~] precision - Stage precision (how many times to perform each detection stage).
|
|
|
|
[~] Type: integer
|
|
|
|
[~] Default: 5
|
|
|
|
[~] Required?: false
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.2
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/waf_detector.rb
|
|
|
|
|
|
|
|
[*] form_dicattack:
|
|
|
|
--------------------
|
|
|
|
Name: Form dictionary attacker
|
|
|
|
Description: Uses wordlists to crack login forms.
|
|
|
|
If the cracking process is successful the found credentials will be set
|
|
|
|
framework-wide and used for the duration of the audit.
|
|
|
|
If that's not what you want set the crawler's link-count limit to "0".
|
|
|
|
Options:
|
|
|
|
[~] username_list - File with a list of usernames (newline separated).
|
|
|
|
[~] Type: path
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] password_list - File with a list of passwords (newline separated).
|
|
|
|
[~] Type: path
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] username_field - The name of the username form field.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] password_field - The name of the password form field.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
[~] login_verifier - A regular expression which will be used to verify a successful login.
|
|
|
|
For example, if a logout link only appears when a user is logged in then it can be a perfect choice.
|
|
|
|
[~] Type: string
|
|
|
|
[~] Default:
|
|
|
|
[~] Required?: true
|
|
|
|
|
|
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
|
|
Version: 0.1.4
|
|
|
|
Path: /home/zapotek/workspace/arachni/plugins/form_dicattack.rb
|
|
</code></pre>
|
|
</code></pre>
|
|
|
|
|
|
h3(#plugin). "Plugin ==(--plugin)==":#plugin
|
|
h3(#plugin). "Plugin ==(--plugin)==":#plugin
|
... | @@ -1248,84 +1901,131 @@ h4(#plugin_example). "Example":#plugin_example |
... | @@ -1248,84 +1901,131 @@ h4(#plugin_example). "Example":#plugin_example |
|
|
|
|
|
Excluding the logout URL and running the AutoLogin plugin to automatically login to a web application:
|
|
Excluding the logout URL and running the AutoLogin plugin to automatically login to a web application:
|
|
<pre><code>
|
|
<pre><code>
|
|
$ arachni -m xss http://localhost/~zapotek/tests/forms/login.php \
|
|
$ arachni http://testfire.net --link-count=1 --modules=xss \
|
|
-e logout \
|
|
--plugin=autologin:url=http://testfire.net/bank/login.aspx,params='uid=jsmith&passw=Demo1234',check='Sign Off|MY ACCOUNT' \
|
|
--plugin=autologin:url=http://localhost/~zapotek/tests/forms/login.php,params='username=user&password=pass'
|
|
-e logout
|
|
|
|
|
|
Arachni - Web Application Security Scanner Framework v0.2.1 [0.2]
|
|
Arachni - Web Application Security Scanner Framework v0.4.1dev
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
|
|
<zapotek@segfault.gr>
|
|
|
|
(With the support of the community and the Arachni Team.)
|
|
(With the support of the community and the Arachni Team.)
|
|
|
|
|
|
Website: http://github.com/Arachni/arachni
|
|
Website: http://arachni-scanner.com
|
|
Documentation: http://github.com/Arachni/arachni/wiki
|
|
Documentation: http://arachni-scanner.com/wiki
|
|
|
|
|
|
|
|
|
|
[~] No audit options were specified.
|
|
[~] No audit options were specified.
|
|
[~] -> Will audit links, forms and cookies.
|
|
[~] -> Will audit links, forms and cookies.
|
|
[*] Initing...
|
|
|
|
|
|
[*] Initialising...
|
|
|
|
[~] AutoLogin: System paused.
|
|
[*] Waiting for plugins to settle...
|
|
[*] Waiting for plugins to settle...
|
|
[*] AutoLogin: Found log-in form with name: <n/a>
|
|
[*] AutoLogin: Found log-in form with name: login
|
|
[+] AutoLogin: Form submitted successfully.
|
|
[+] AutoLogin: Form submitted successfully.
|
|
[~] AutoLogin: Extracted cookies:
|
|
[~] AutoLogin: Cookies set to:
|
|
[~] AutoLogin: * PHPSESSID => 21698106459076a83e9eaae9cc752b25
|
|
[~] AutoLogin: * ASP.NET_SessionId = 14kge555fdb4bjflm3rx3t55
|
|
|
|
[~] AutoLogin: * amSessionId = 204023334531
|
|
[*] [HTTP: 200] http://localhost/~zapotek/tests/forms/login.php
|
|
[~] AutoLogin: * amUserInfo = UserName=anNtaXRo&Password=RGVtbzEyMzQ=
|
|
[*] XSS: Auditing form variable '__original_values__' of http://localhost/~zapotek/tests/forms/login.php
|
|
[~] AutoLogin: * amUserId = 100116014
|
|
[*] XSS: Auditing form variable '__sample_values__' of http://localhost/~zapotek/tests/forms/login.php
|
|
[~] AutoLogin: * amCreditOffer = CardType=Gold&Limit=10000&Interest=7.9
|
|
[*] XSS: Auditing form variable 'sql_inj' of http://localhost/~zapotek/tests/forms/login.php
|
|
[*] [HTTP: 200] http://testfire.net/
|
|
[*] XSS: Auditing form variable '__original_values__' of http://localhost/~zapotek/tests/forms/login.php
|
|
|
|
[*] XSS: Auditing form variable '__sample_values__' of http://localhost/~zapotek/tests/forms/login.php
|
|
|
|
[*] XSS: Auditing form variable 'rfi' of http://localhost/~zapotek/tests/forms/login.php
|
|
|
|
[*] XSS: Auditing form variable '__original_values__' of http://localhost/~zapotek/tests/forms/login.php
|
|
|
|
[*] XSS: Auditing form variable '__sample_values__' of http://localhost/~zapotek/tests/forms/login.php
|
|
|
|
[*] XSS: Auditing form variable 'xss' of http://localhost/~zapotek/tests/forms/login.php
|
|
|
|
[*] XSS: Auditing form variable '__original_values__' of http://localhost/~zapotek/tests/forms/login.php
|
|
|
|
[*] XSS: Auditing form variable '__sample_values__' of http://localhost/~zapotek/tests/forms/login.php
|
|
|
|
[*] XSS: Auditing form variable 'eval' of http://localhost/~zapotek/tests/forms/login.php
|
|
|
|
[*] XSS: Auditing form variable '__original_values__' of http://localhost/~zapotek/tests/forms/login.php
|
|
|
|
[*] XSS: Auditing form variable '__sample_values__' of http://localhost/~zapotek/tests/forms/login.php
|
|
|
|
[*] XSS: Auditing form variable 'os_command' of http://localhost/~zapotek/tests/forms/login.php
|
|
|
|
[*] XSS: Auditing cookie variable 'PHPSESSID' of http://localhost/~zapotek/tests/forms/login.php
|
|
|
|
[*] Harvesting HTTP responses...
|
|
[*] Harvesting HTTP responses...
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
[*] XSS: Analyzing response #2...
|
|
|
|
[*] XSS: Analyzing response #4...
|
|
[*] Auditing: [HTTP: 200] http://testfire.net/
|
|
[*] XSS: Analyzing response #5...
|
|
[*] Profiler: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
|
|
[*] XSS: Analyzing response #6...
|
|
[*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
[*] XSS: Analyzing response #7...
|
|
[*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
|
|
[*] XSS: Analyzing response #8...
|
|
[*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
|
|
[*] XSS: Analyzing response #3...
|
|
[*] Profiler: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
|
|
[*] XSS: Analyzing response #9...
|
|
[*] Profiler: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
|
|
[*] XSS: Analyzing response #10...
|
|
[*] Profiler: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
|
|
[+] XSS: In form var 'xss' ( http://localhost/~zapotek/tests/forms/login.php )
|
|
[*] Profiler: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
|
|
[*] XSS: Analyzing response #11...
|
|
[*] Profiler: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
|
|
[*] XSS: Analyzing response #12...
|
|
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
|
|
[*] XSS: Analyzing response #13...
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
[*] XSS: Analyzing response #14...
|
|
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
|
|
[*] XSS: Analyzing response #15...
|
|
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
|
|
[*] XSS: Analyzing response #17...
|
|
[*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
|
|
[*] XSS: Analyzing response #16...
|
|
[*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
|
|
|
|
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
|
|
|
|
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
|
|
|
|
[*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
|
|
[*] Harvesting HTTP responses...
|
|
[*] Harvesting HTTP responses...
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
[~] Depending on server responsiveness and network conditions this may take a while.
|
|
|
|
[*] Profiler: Analyzing response #6...
|
|
|
|
[*] Profiler: Analyzing response #7...
|
|
|
|
[*] XSS: Analyzing response #26...
|
|
|
|
[*] XSS: Analyzing response #27...
|
|
|
|
[~] Trainer: Found 1 new links.
|
|
|
|
[*] Profiler: Analyzing response #9...
|
|
|
|
[*] Profiler: Analyzing response #8...
|
|
|
|
[*] XSS: Analyzing response #28...
|
|
|
|
[*] XSS: Analyzing response #15...
|
|
|
|
[*] XSS: Analyzing response #16...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
|
[*] XSS: Analyzing response #22...
|
|
|
|
[*] XSS: Analyzing response #30...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
|
[*] Profiler: Analyzing response #10...
|
|
|
|
[*] XSS: Analyzing response #31...
|
|
|
|
[*] XSS: Analyzing response #32...
|
|
|
|
[*] Profiler: Analyzing response #11...
|
|
|
|
[*] Profiler: Analyzing response #12...
|
|
|
|
[*] Profiler: Analyzing response #14...
|
|
|
|
[*] Profiler: Analyzing response #13...
|
|
|
|
[*] XSS: Analyzing response #33...
|
|
|
|
[*] XSS: Analyzing response #17...
|
|
|
|
[*] XSS: Analyzing response #18...
|
|
|
|
[*] XSS: Analyzing response #19...
|
|
|
|
[*] XSS: Analyzing response #34...
|
|
|
|
[*] XSS: Analyzing response #20...
|
|
|
|
[*] XSS: Analyzing response #21...
|
|
|
|
[*] XSS: Analyzing response #23...
|
|
|
|
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
|
|
|
|
[*] XSS: Analyzing response #35...
|
|
|
|
[*] XSS: Analyzing response #24...
|
|
|
|
[*] XSS: Analyzing response #25...
|
|
|
|
[*] XSS: Analyzing response #29...
|
|
|
|
|
|
|
|
[*] Resolver: Resolving hostnames...
|
|
|
|
[*] Resolver: Done!
|
|
|
|
|
|
|
|
|
|
|
|
[*] Dumping audit results in '2012-09-09 02.48.17 +0300.afr'.
|
|
|
|
[*] Done!
|
|
|
|
|
|
|
|
|
|
================================================================================
|
|
================================================================================
|
|
|
|
|
|
|
|
|
|
[+] Web Application Security Report - Arachni Framework
|
|
[+] Web Application Security Report - Arachni Framework
|
|
|
|
|
|
[~] Report generated on: 2010-11-24 15:11:50 +0000
|
|
[~] Report generated on: 2012-09-09 02:48:17 +0300
|
|
[~] Report false positives: http://github.com/Arachni/arachni/issues
|
|
[~] Report false positives at: http://github.com/Arachni/arachni/issues
|
|
|
|
|
|
[+] System settings:
|
|
[+] System settings:
|
|
[~] ---------------
|
|
[~] ---------------
|
|
[~] Version: 0.2.1
|
|
[~] Version: 0.4.1dev
|
|
[~] Revision: 0.2
|
|
[~] Revision: 0.2.7
|
|
[~] Audit started on: Wed Nov 24 15:11:45 2010
|
|
[~] Audit started on: Sun Sep 9 02:48:08 2012
|
|
[~] Audit finished on: Wed Nov 24 15:11:49 2010
|
|
[~] Audit finished on: Sun Sep 9 02:48:15 2012
|
|
[~] Runtime: 00:00:04
|
|
[~] Runtime: 00:00:06
|
|
|
|
|
|
[~] URL: http://localhost/~zapotek/tests/forms/login.php
|
|
[~] URL: http://testfire.net/
|
|
[~] User agent: Arachni/0.2.1
|
|
[~] User agent: Arachni/v0.4.1dev
|
|
|
|
|
|
[*] Audited elements:
|
|
[*] Audited elements:
|
|
[~] * Links
|
|
[~] * Links
|
... | @@ -1337,26 +2037,24 @@ Arachni - Web Application Security Scanner Framework v0.2.1 [0.2] |
... | @@ -1337,26 +2037,24 @@ Arachni - Web Application Security Scanner Framework v0.2.1 [0.2] |
|
[*] Filters:
|
|
[*] Filters:
|
|
[~] Exclude:
|
|
[~] Exclude:
|
|
[~] (?-mix:logout)
|
|
[~] (?-mix:logout)
|
|
[~] Include:
|
|
|
|
[~] (?-mix:.*)
|
|
|
|
[~] Redundant:
|
|
|
|
|
|
|
|
[*] Cookies:
|
|
|
|
[~] PHPSESSID = 21698106459076a83e9eaae9cc752b25
|
|
|
|
|
|
|
|
[~] ===========================
|
|
[~] ===========================
|
|
|
|
|
|
[+] 1 vulnerabilities were detected.
|
|
[+] 2 issues were detected.
|
|
|
|
|
|
[+] Cross-Site Scripting (XSS)
|
|
[+] [1] Cross-Site Scripting (XSS)
|
|
[~] ~~~~~~~~~~~~~~~~~~~~
|
|
[~] ~~~~~~~~~~~~~~~~~~~~
|
|
|
|
[~] ID Hash: 106295fcfffa8fea3664f8fb27defe5b81f3dfba2b54c5c7f2bcb63b36246359
|
|
[~] Severity: High
|
|
[~] Severity: High
|
|
[~] URL: http://localhost/~zapotek/tests/forms/login.php
|
|
[~] URL: http://testfire.net/search.aspx
|
|
[~] Elements: form
|
|
[~] Element: form
|
|
[~] Variable: xss
|
|
[~] Method: GET
|
|
|
|
[~] Tags: xss, regexp, injection, script
|
|
|
|
[~] Variable: txtSearch
|
|
[~] Description:
|
|
[~] Description:
|
|
[~] Client-side code, like JavaScript, can
|
|
[~] Client-side code (like JavaScript) can
|
|
be injected into the web application.
|
|
be injected into the web application which is then returned to the user's browser.
|
|
|
|
This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.
|
|
|
|
|
|
[~] CWE: http://cwe.mitre.org/data/definitions/79.html
|
|
[~] CWE: http://cwe.mitre.org/data/definitions/79.html
|
|
|
|
|
... | @@ -1369,22 +2067,126 @@ Arachni - Web Application Security Scanner Framework v0.2.1 [0.2] |
... | @@ -1369,22 +2067,126 @@ Arachni - Web Application Security Scanner Framework v0.2.1 [0.2] |
|
[*] Variations
|
|
[*] Variations
|
|
[~] ----------
|
|
[~] ----------
|
|
[~] Variation 1:
|
|
[~] Variation 1:
|
|
[~] URL: http://localhost/~zapotek/tests/forms/login.php
|
|
[~] URL: http://testfire.net/search.aspx
|
|
[~] ID: <arachni_xss_ccf5b233c901dd3023aac135acd390aef5d111699be6aa646710d5362417496a
|
|
[~] Injected value: <some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
|
|
[~] Injected value: 1<arachni_xss_ccf5b233c901dd3023aac135acd390aef5d111699be6aa646710d5362417496a
|
|
[~] Regular expression:
|
|
[~] Regular expression: (?-mix:<arachni_xss_ccf5b233c901dd3023aac135acd390aef5d111699be6aa646710d5362417496a)
|
|
[~] Matched string: <some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
|
|
[~] Matched string: <arachni_xss_ccf5b233c901dd3023aac135acd390aef5d111699be6aa646710d5362417496a
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[+] [2] Cross-Site Scripting (XSS)
|
|
|
|
[~] ~~~~~~~~~~~~~~~~~~~~
|
|
|
|
[~] ID Hash: 2530b44f891ab1ebbdad206ceff0c82bee2bf038a978ebcb75f4fa34e9dca727
|
|
|
|
[~] Severity: High
|
|
|
|
[~] URL: http://testfire.net/search.aspx?txtSearch=arachni_text
|
|
|
|
[~] Element: link
|
|
|
|
[~] Method: GET
|
|
|
|
[~] Tags: xss, regexp, injection, script
|
|
|
|
[~] Variable: txtSearch
|
|
|
|
[~] Description:
|
|
|
|
[~] Client-side code (like JavaScript) can
|
|
|
|
be injected into the web application which is then returned to the user's browser.
|
|
|
|
This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.
|
|
|
|
|
|
|
|
[~] CWE: http://cwe.mitre.org/data/definitions/79.html
|
|
|
|
|
|
[*] Dumping audit results in '2010-11-24 15:11:50 +0000.afr'.
|
|
[~] Requires manual verification?: false
|
|
[*] Done!
|
|
|
|
|
|
|
|
[~] Sent 20 requests.
|
|
[~] References:
|
|
[~] Received and analyzed 20 responses.
|
|
[~] ha.ckers - http://ha.ckers.org/xss.html
|
|
[~] In 00:00:04
|
|
[~] Secunia - http://secunia.com/advisories/9716/
|
|
[~] Average: 4 requests/second.
|
|
|
|
|
|
[*] Variations
|
|
|
|
[~] ----------
|
|
|
|
[~] Variation 1:
|
|
|
|
[~] URL: http://testfire.net/search.aspx?txtSearch=arachni_text
|
|
|
|
[~] Injected value: '-;<some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
|
|
|
|
[~] Regular expression:
|
|
|
|
[~] Matched string: '-;<some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[+] Plugin data:
|
|
|
|
[~] ---------------
|
|
|
|
|
|
|
|
|
|
|
|
[*] Resolver
|
|
|
|
[~] ~~~~~~~~~~~~~~
|
|
|
|
[~] Description: Resolves vulnerable hostnames to IP addresses.
|
|
|
|
|
|
|
|
[~] testfire.net: 65.61.137.117
|
|
|
|
|
|
|
|
[*] Health map
|
|
|
|
[~] ~~~~~~~~~~~~~~
|
|
|
|
[~] Description: Generates a simple list of safe/unsafe URLs.
|
|
|
|
|
|
|
|
[~] Legend:
|
|
|
|
[+] No issues
|
|
|
|
[-] Has issues
|
|
|
|
|
|
|
|
[+] http://testfire.net/
|
|
|
|
[-] http://testfire.net/search.aspx
|
|
|
|
[-] http://testfire.net/search.aspx?txtSearch=arachni_text
|
|
|
|
|
|
|
|
[~] Total: 3
|
|
|
|
[+] Without issues: 1
|
|
|
|
[-] With issues: 2 ( 67% )
|
|
|
|
|
|
|
|
[*] Profiler
|
|
|
|
[~] ~~~~~~~~~~~~~~
|
|
|
|
[~] Description: Examines the behavior of the web application gathering general statistics
|
|
|
|
and performs taint analysis to determine which inputs affect the output.
|
|
|
|
|
|
|
|
It does not perform any vulnerability assessment nor does it send attack payloads.
|
|
|
|
|
|
|
|
[~] Inputs affecting output:
|
|
|
|
|
|
|
|
[+] Form using the 'txtSearch' input at 'http://testfire.net/' pointing to 'http://testfire.net/search.aspx' using 'GET'.
|
|
|
|
[~] It was submitted using the following parameters:
|
|
|
|
[~] * txtSearch = arachni_texte4e549408422875958476160732390defefcac7c2bd8353d918fe452d20de2a6
|
|
|
|
[~]
|
|
|
|
[~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_texte4e549408422875958476160732390defefcac7c2bd8353d918fe452d20de2a6':
|
|
|
|
[~] * Body
|
|
|
|
[+] Link using the 'txtSearch' input at 'http://testfire.net/search.aspx?txtSearch=arachni_text' pointing to 'http://testfire.net/search.aspx?txtSearch=arachni_text' using 'GET'.
|
|
|
|
[~] It was submitted using the following parameters:
|
|
|
|
[~] * txtSearch = arachni_text5f2703a5211db19a9020f7443f6a440fbc95cda90b7c2d53912f5ce47d050056
|
|
|
|
[~]
|
|
|
|
[~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_text5f2703a5211db19a9020f7443f6a440fbc95cda90b7c2d53912f5ce47d050056':
|
|
|
|
[~] * Body
|
|
|
|
|
|
|
|
[*] AutoLogin
|
|
|
|
[~] ~~~~~~~~~~~~~~
|
|
|
|
[~] Description: It looks for the login form in the user provided URL,
|
|
|
|
merges its input fields with the user supplied parameters and sets the cookies
|
|
|
|
of the response and request as framework-wide cookies to be used by the spider later on.
|
|
|
|
|
|
|
|
|
|
|
|
[+] Form submitted successfully.
|
|
|
|
[~] Cookies set to:
|
|
|
|
[~] * ASP.NET_SessionId = 14kge555fdb4bjflm3rx3t55
|
|
|
|
[~] * amSessionId = 204023334531
|
|
|
|
[~] * amUserInfo = UserName=anNtaXRo&Password=RGVtbzEyMzQ=
|
|
|
|
[~] * amUserId = 100116014
|
|
|
|
[~] * amCreditOffer = CardType=Gold&Limit=10000&Interest=7.9
|
|
|
|
|
|
|
|
[~] 100.0% [============================================================>] 100%
|
|
|
|
[~] Est. remaining time: --:--:--
|
|
|
|
|
|
|
|
[~] Crawler has discovered 2 pages.
|
|
|
|
[~] Audit limited to a max of 1 pages -- excluding 1 pages of Trainer feedback.
|
|
|
|
|
|
|
|
[~] Sent 40 requests.
|
|
|
|
[~] Received and analyzed 40 responses.
|
|
|
|
[~] In 00:00:06
|
|
|
|
[~] Average: 6 requests/second.
|
|
|
|
|
|
|
|
[~] Currently auditing http://testfire.net/search.aspx?txtSearch=arachni_text
|
|
|
|
[~] Burst response time total 0
|
|
|
|
[~] Burst response count total 0
|
|
|
|
[~] Burst average response time 0
|
|
|
|
[~] Burst average 0 requests/second
|
|
|
|
[~] Timed-out requests 0
|
|
|
|
[~] Original max concurrency 20
|
|
|
|
[~] Throttled max concurrency 20
|
|
</code></pre>
|
|
</code></pre>
|
|
|
|
|
|
|
|
|
... | | ... | |