Skip to content
GitLab

Command line user interface · Changes

Page history
Updated Command-line-user-interface (markdown) authored by Tasos Laskos's avatar Tasos Laskos
Show whitespace changes
Inline Side-by-side
guides/user/Command-line-user-interface.md
View page @ 8cb1743c
......@@ -123,12 +123,11 @@ in the [knowledge base](http://support.arachni-scanner.com/kb/).
* [Include vector (--audit-include-vector)](#audit-include-vector)
* [Checks](#checks)
* [List (--checks-list)](#checks-list)
* [Checks (--checks)](#checks-checks)
* [Load (--checks)](#checks-checks)
* [Example](#checks-checks_example)
* [Plugins](#plugins)
* [List plugins (--lsplug)](#lsplug)
* [Example](#lsplug_example)
* [Load a plugin (--plugin)](#plugin)
* [List (--plugins-list)](#plugins-list)
* [Load (--plugin)](#plugin)
* [Example](#plugin_example)
* [Platforms](#platforms)
* [List platforms (--lsplat)](#lsplat)
......@@ -912,7 +911,7 @@ Lists all available checks.
If an option has been provided, it will be treated as a pattern and be used to filter the displayed checks.
<h3 id='checks-checks'><a href='#checks-checks'>Checks (--checks)</a></h3>
<h3 id='checks-checks'><a href='#checks-checks'>Load (--checks)</a></h3>
**Expects**: `string,string`
......@@ -923,11 +922,11 @@ If an option has been provided, it will be treated as a pattern and be used to f
Loads the given checks, by name.
Checks are referenced by their filename without the `.rb` extension, use `--checks-list` to see all.
You can specify the checks to load as comma separated values (without spaces) or `*` to load all.
You can prevent checks from being loaded by prefixing their name with a dash (`-`).
**Note**: Checks are referenced by their filename without the `.rb` extension, use `--checks-list` to see all.
<h4 id='checks-checks_example'><a href='#checks_checks_example'>Example</a></h4>
As CSV:
......@@ -948,7 +947,7 @@ The above will load all checks except for the `backup_files` and `xss` ones.
<h2 id='plugins'><a href='#plugins'>Plugins</a></h2>
<h3 id='lsplug'><a href='#lsplug'>List plugins (--lsplug)</a></h3>
<h3 id='plugins-list'><a href='#plugins-list'>List (--plugins-list)</a></h3>
**Expects**: `<n/a>`
......@@ -959,797 +958,27 @@ The above will load all checks except for the `backup_files` and `xss` ones.
Lists all available plugins.
<h4 id='lsplug_example'><a href='#lsplug_example'>Example</a></h4>
```
$ arachni --lsplug
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[~] No modules were specified.
[~] -> Will run all mods.
[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.
[~] Available plugins:
[*] resolver:
--------------------
Name: Resolver
Description: Resolves vulnerable hostnames to IP addresses.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/workspace/arachni/plugins/defaults/resolver.rb
[*] healthmap:
--------------------
Name: Health map
Description: Generates a simple list of safe/unsafe URLs.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.3
Path: /home/zapotek/workspace/arachni/plugins/defaults/healthmap.rb
[*] profiler:
--------------------
Name: Profiler
Description: Examines the behavior of the web application gathering general statistics
and performs taint analysis to determine which inputs affect the output.
It does not perform any vulnerability assessment nor does it send attack payloads.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.5
Path: /home/zapotek/workspace/arachni/plugins/defaults/profiler.rb
[*] uniformity:
--------------------
Name: Uniformity (Lack of central sanitization)
Description: Analyzes the scan results and logs issues which persist across different pages.
This is usually a sign for a lack of a central/single point of input sanitization,
a bad coding practise.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/uniformity.rb
[*] manual_verification:
--------------------
Name: Issues requiring manual verification
Description: The HTTP responses of the issues logged by this plugin exhibit a suspicious pattern
even before any audit action has taken place -- this challenges the relevance of the audit procedure.
Thus, these issues require manual verification.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/manual_verification.rb
[*] timing_attacks:
--------------------
Name: Timing attack anomalies
Description: Analyzes the scan results and logs issues that used timing attacks
while the affected web pages demonstrated an unusually high response time.
A situation which renders the logged issues inconclusive or (possibly) false positives.
Pages with high response times usually include heavy-duty processing
which makes them prime targets for Denial-of-Service attacks.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.4
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/timing_attacks.rb
[*] discovery:
--------------------
Name: Discovery module response anomalies
Description: Analyzes the scan results and identifies issues logged by discovery modules
(i.e. modules that look for certain files and folders on the server),
while the server responses were exhibiting an anomalous factor of similarity.
There's a good chance that these issues are false positives.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/defaults/meta/remedies/discovery.rb
[*] autothrottle:
--------------------
Name: AutoThrottle
Description: Monitors HTTP response times and automatically
throttles the request concurrency in order to maintain stability
and avoid from killing the server.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.3
Path: /home/zapotek/workspace/arachni/plugins/defaults/autothrottle.rb
[*] content_types:
--------------------
Name: Content-types
Description: Logs content-types of server responses.
It can help you categorize and identify publicly available file-types
which in turn can help you identify accidentally leaked files.
Options:
[~] exclude - Exclude content-types that match this regular expression.
[~] Type: string
[~] Default: text
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.4
Path: /home/zapotek/workspace/arachni/plugins/defaults/content_types.rb
[*] libnotify:
--------------------
Name: libnotify
Description: Uses the libnotify library to send notifications for each discovered issue
and a summary at the end of the scan.
Options:
[~] for_every_issue - Show every issue.
[~] Type: bool
[~] Default: true
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/workspace/arachni/plugins/libnotify.rb
[*] cookie_collector:
--------------------
Name: Cookie collector
Description: Monitors and collects cookies while establishing a timeline of changes.
WARNING: Highly discouraged when the audit includes cookies.
It will log thousands of results leading to a huge report,
highly increased memory and CPU usage.
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.5
Path: /home/zapotek/workspace/arachni/plugins/cookie_collector.rb
[*] proxy:
--------------------
Name: Proxy
Description:
* Gathers data based on user actions and exchanged HTTP
traffic and pushes that data to the framework's page-queue to be audited.
* Updates the framework cookies with the cookies of the HTTP requests and
responses, thus it can also be used to login to a web application.
* Supports SSL interception.
To skip crawling and only audit elements discovered by using the proxy
set '--link-count=0'.
Options:
[~] port - Port to bind to.
[~] Type: port
[~] Default: 8282
[~] Required?: false
[~] bind_address - IP address to bind to.
[~] Type: address
[~] Default: 0.0.0.0
[~] Required?: false
[~] timeout - How long to wait for a request to complete, in milliseconds.
[~] Type: integer
[~] Default: 20000
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.2
Path: /home/zapotek/workspace/arachni/plugins/proxy.rb
[*] beep_notify:
--------------------
Name: Beep notify
Description: It beeps when the scan finishes.
Options:
[~] repeat - How many times to beep.
[~] Type: integer
[~] Default: 4
[~] Required?: false
[~] interval - How long to wait between beeps.
[~] Type: float
[~] Default: 0.4
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1
Path: /home/zapotek/workspace/arachni/plugins/beep_notify.rb
[*] rescan:
--------------------
Name: ReScan
Description: It uses the AFR report of a previous scan to
extract the sitemap in order to avoid a redundant crawl.
Options:
[~] afr - Path to the AFR report.
[~] Type: path
[~] Default:
[~] Required?: true
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/rescan.rb
[*] http_dicattack:
--------------------
Name: HTTP dictionary attacker
Description: Uses wordlists to crack password protected directories.
If the cracking process is successful the found credentials will be set
framework-wide and used for the duration of the audit.
If that's not what you want set the crawler's link-count limit to "0".
Options:
[~] username_list - File with a list of usernames (newline separated).
[~] Type: path
[~] Default:
[~] Required?: true
[~] password_list - File with a list of passwords (newline separated).
[~] Type: path
[~] Default:
[~] Required?: true
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/http_dicattack.rb
[*] vector_feed:
--------------------
Name: Vector feed
Description: Reads in vector data from which it creates elements to be audited.
Can be used to perform extremely specialized/narrow audits on a per vector/element basis.
Notes:
* To only audit the vectors in the feed you must set the 'link-count' limit to 0 to prevent crawling.
* Can handle multiple YAML documents.
Example YAML file:
-
# you can pass pages to be audited by grep modules (and JS in the future)
type: page
url: http://localhost/
# response code
code: 200
# response headers
headers:
Content-Type: "text/html; charset=utf-8"
body: "HTML code goes here"
-
# default type is link which has method get
#type: link
action: http://localhost/link
inputs:
my_param: "my val"
-
# if a method is post it'll default to a form type
type: form
method: post
action: http://localhost/form
inputs:
post_this: "HUA!"
csrf: "my_csrf_token"
# do not fuzz/mutate/audit the following inputs (by name obviously)
skip:
- csrf
# GET only
-
type: cookie
action: http://localhost/cookie
inputs:
session_id: "43434234343sddsdsds"
# GET only
-
type: header
action: http://localhost/header
# only 1 input allowed, each header field=>value must be defined separately
inputs:
User-Agent: "Blah/2"
Options:
[~] vectors - Vector array (for configuration over RPC).
[~] Type: abstract
[~] Default:
[~] Required?: false
[~] yaml_string - A string of YAML serialized vectors (for configuration over RPC).
[~] Type: string
[~] Default:
[~] Required?: false
[~] yaml_file - A file containing the YAML serialized vectors.
[~] Type: path
[~] Default:
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/vector_feed.rb
[*] script:
--------------------
Name: Script
Description: Loads and runs an external Ruby script under the scope of a plugin,
used for debugging and general hackery.
Will not work over RPC.
Options:
[~] path - Path to the script.
[~] Type: path
[~] Default:
[~] Required?: true
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.1
Path: /home/zapotek/workspace/arachni/plugins/script.rb
[*] email_notify:
--------------------
Name: E-mail notify
Description: Sends a notification (and optionally a report) over SMTP at the end of the scan.
Options:
[~] to - E-mail address of the receiver.
[~] Type: string
[~] Default:
[~] Required?: true
[~] cc - E-mail address to which to send a carbon copy of the notification.
[~] Type: string
[~] Default:
[~] Required?: false
[~] bcc - E-mail address for a blind carbon copy.
[~] Type: string
[~] Default:
[~] Required?: false
[~] from - E-mail address of the sender.
[~] Type: string
[~] Default:
[~] Required?: true
[~] server_address - Address of the SMTP server to use.
[~] Type: address
[~] Default:
[~] Required?: true
[~] server_port - SMTP port.
[~] Type: port
[~] Default:
[~] Required?: true
[~] tls - Use TLS/SSL?.
[~] Type: bool
[~] Default:
[~] Required?: false
[~] username - SMTP username.
[~] Type: string
[~] Default:
[~] Required?: true
[~] password - SMTP password.
[~] Type: string
[~] Default:
[~] Required?: true
[~] authentication - Authentication.
[~] Type: string
[~] Default: plain
[~] Required?: false
[~] report - Report type to send as an attachment. (accepted: txt, xml, html, json, yaml, marshalnone)
[~] Type: enum
[~] Default: txt
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/email_notify.rb
[*] autologin:
--------------------
Name: AutoLogin
Description: It looks for the login form in the user provided URL,
merges its input fields with the user supplied parameters and sets the cookies
of the response and request as framework-wide cookies to be used by the spider later on.
Options:
[~] url - The URL that contains the login form.
[~] Type: url
[~] Default:
[~] Required?: true
[~] params - Form parameters to submit. ( username=user&password=pass )
[~] Type: string
[~] Default:
[~] Required?: true
[~] check - A pattern which will be used to verify a successful login.
For example, if a logout link only appears when a user is logged in then it can be a perfect choice.
[~] Type: string
[~] Default:
[~] Required?: true
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.5
Path: /home/zapotek/workspace/arachni/plugins/autologin.rb
[*] waf_detector:
--------------------
Name: WAF Detector
Description: Performs basic profiling on the web application
in order to assess the existence of a Web Application Firewall.
This is a 4 stage process:
1. Grab the original page as is
2. Send a lot of innocent (vanilla) strings in non-existent inputs so as to profile normal behavior
3. Send a lot of suspicious (spicy) strings in non-existent inputs and check if behavior changes
4. Make heads or tails of the gathered responses
Steps 1 to 3 will be repeated _precision_ times (default: 5) and the responses will be averaged using rDiff analysis.
Options:
[~] precision - Stage precision (how many times to perform each detection stage).
[~] Type: integer
[~] Default: 5
[~] Required?: false
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.2
Path: /home/zapotek/workspace/arachni/plugins/waf_detector.rb
[*] form_dicattack:
--------------------
Name: Form dictionary attacker
Description: Uses wordlists to crack login forms.
If the cracking process is successful the found credentials will be set
framework-wide and used for the duration of the audit.
If that's not what you want set the crawler's link-count limit to "0".
Options:
[~] username_list - File with a list of usernames (newline separated).
[~] Type: path
[~] Default:
[~] Required?: true
[~] password_list - File with a list of passwords (newline separated).
[~] Type: path
[~] Default:
[~] Required?: true
[~] username_field - The name of the username form field.
[~] Type: string
[~] Default:
[~] Required?: true
[~] password_field - The name of the password form field.
[~] Type: string
[~] Default:
[~] Required?: true
[~] login_verifier - A regular expression which will be used to verify a successful login.
For example, if a logout link only appears when a user is logged in then it can be a perfect choice.
[~] Type: string
[~] Default:
[~] Required?: true
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
Version: 0.1.4
Path: /home/zapotek/workspace/arachni/plugins/form_dicattack.rb
```
<h3 id='plugin'><a href='#plugin'>Plugin (--plugin)</a></h3>
**Expects**: `plugin name`
**Expects**: `string`
**Default**: `disabled`
**Multiple invocations?**: `yes`
Tells Arachni which plugin components to run.
Plugins are referenced by their filename without the `.rb` extension, use `--lsplug` to see all.
Loads a plugin by name and configures it with the given options.
**Note**: Plugins are referenced by their filename without the `.rb` extension, use `--plugins-list` to see all.
<h4 id='plugin_example'><a href='#plugin_example'>Example</a></h4>
Excluding the logout URL and running the AutoLogin plugin to automatically login to a web application:
Excluding the logout URL and running the `autologin1 plugin to automatically login to a web application:
```
$ arachni http://testfire.net --link-count=1 --modules=xss \
--plugin=autologin:url=http://testfire.net/bank/login.aspx,params='uid=jsmith&passw=Demo1234',check='Sign Off|MY ACCOUNT' \
-e logout
Arachni - Web Application Security Scanner Framework v0.4.2
Author: Tasos "Zapotek" Laskos <tasos.laskos@gmail.com>
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.
[*] Initialising...
[~] AutoLogin: System paused.
[*] Waiting for plugins to settle...
[*] AutoLogin: Found log-in form with name: login
[+] AutoLogin: Form submitted successfully.
[~] AutoLogin: Cookies set to:
[~] AutoLogin: * ASP.NET_SessionId = 14kge555fdb4bjflm3rx3t55
[~] AutoLogin: * amSessionId = 204023334531
[~] AutoLogin: * amUserInfo = UserName=anNtaXRo&Password=RGVtbzEyMzQ=
[~] AutoLogin: * amUserId = 100116014
[~] AutoLogin: * amCreditOffer = CardType=Gold&Limit=10000&Interest=7.9
[*] [HTTP: 200] http://testfire.net/
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] Auditing: [HTTP: 200] http://testfire.net/
[*] Profiler: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] Profiler: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing form variable '__original_values__' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing form variable '__sample_values__' with action 'http://testfire.net/search.aspx'.
[*] Profiler: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] Profiler: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] Profiler: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
[*] Profiler: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
[*] Profiler: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
[*] XSS: Auditing link variable 'content' with action 'http://testfire.net/default.aspx?content=inside_contact.htm'.
[*] XSS: Auditing form variable 'txtSearch' with action 'http://testfire.net/search.aspx'.
[*] XSS: Auditing cookie variable 'ASP.NET_SessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amSessionId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserInfo' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amUserId' with action 'http://testfire.net/'.
[*] XSS: Auditing cookie variable 'amCreditOffer' with action 'http://testfire.net/'.
[*] Harvesting HTTP responses...
[~] Depending on server responsiveness and network conditions this may take a while.
[*] Profiler: Analyzing response #6...
[*] Profiler: Analyzing response #7...
[*] XSS: Analyzing response #26...
[*] XSS: Analyzing response #27...
[~] Trainer: Found 1 new links.
[*] Profiler: Analyzing response #9...
[*] Profiler: Analyzing response #8...
[*] XSS: Analyzing response #28...
[*] XSS: Analyzing response #15...
[*] XSS: Analyzing response #16...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] XSS: Analyzing response #22...
[*] XSS: Analyzing response #30...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] Profiler: Analyzing response #10...
[*] XSS: Analyzing response #31...
[*] XSS: Analyzing response #32...
[*] Profiler: Analyzing response #11...
[*] Profiler: Analyzing response #12...
[*] Profiler: Analyzing response #14...
[*] Profiler: Analyzing response #13...
[*] XSS: Analyzing response #33...
[*] XSS: Analyzing response #17...
[*] XSS: Analyzing response #18...
[*] XSS: Analyzing response #19...
[*] XSS: Analyzing response #34...
[*] XSS: Analyzing response #20...
[*] XSS: Analyzing response #21...
[*] XSS: Analyzing response #23...
[+] XSS: In form var 'txtSearch' ( http://testfire.net/search.aspx )
[*] XSS: Analyzing response #35...
[*] XSS: Analyzing response #24...
[*] XSS: Analyzing response #25...
[*] XSS: Analyzing response #29...
[*] Resolver: Resolving hostnames...
[*] Resolver: Done!
[*] Dumping audit results in '2012-09-09 02.48.17 +0300.afr'.
[*] Done!
[+] Web Application Security Report - Arachni Framework
[~] Report generated on: 2012-09-09 02:48:17 +0300
[~] Report false positives at: http://github.com/Arachni/arachni/issues
[+] System settings:
[~] ---------------
[~] Version: 0.4.1dev
[~] Revision: 0.2.7
[~] Audit started on: Sun Sep 9 02:48:08 2012
[~] Audit finished on: Sun Sep 9 02:48:15 2012
[~] Runtime: 00:00:06
[~] URL: http://testfire.net/
[~] User agent: Arachni/v0.4.2
[*] Audited elements:
[~] * Links
[~] * Forms
[~] * Cookies
[*] Modules: xss
[*] Filters:
[~] Exclude:
[~] (?-mix:logout)
[~] =
[+] 2 issues were detected.
[+] [1] Cross-Site Scripting (XSS)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] ID Hash: 106295fcfffa8fea3664f8fb27defe5b81f3dfba2b54c5c7f2bcb63b36246359
[~] Severity: High
[~] URL: http://testfire.net/search.aspx
[~] Element: form
[~] Method: GET
[~] Tags: xss, regexp, injection, script
[~] Variable: txtSearch
[~] Description:
[~] Client-side code (like JavaScript) can
be injected into the web application which is then returned to the user's browser.
This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.
[~] CWE: http://cwe.mitre.org/data/definitions/79.html
[~] Requires manual verification?: false
[~] References:
[~] ha.ckers - http://ha.ckers.org/xss.html
[~] Secunia - http://secunia.com/advisories/9716/
[*] Variations
[~] ----------
[~] Variation 1:
[~] URL: http://testfire.net/search.aspx
[~] Injected value: <some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
[~] Regular expression:
[~] Matched string: <some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
[+] [2] Cross-Site Scripting (XSS)
[~] ~~~~~~~~~~~~~~~~~~~~
[~] ID Hash: 2530b44f891ab1ebbdad206ceff0c82bee2bf038a978ebcb75f4fa34e9dca727
[~] Severity: High
[~] URL: http://testfire.net/search.aspx?txtSearch=arachni_text
[~] Element: link
[~] Method: GET
[~] Tags: xss, regexp, injection, script
[~] Variable: txtSearch
[~] Description:
[~] Client-side code (like JavaScript) can
be injected into the web application which is then returned to the user's browser.
This can lead to a compromise of the client's system or serve as a pivoting point for other attacks.
[~] CWE: http://cwe.mitre.org/data/definitions/79.html
[~] Requires manual verification?: false
[~] References:
[~] ha.ckers - http://ha.ckers.org/xss.html
[~] Secunia - http://secunia.com/advisories/9716/
[*] Variations
[~] ----------
[~] Variation 1:
[~] URL: http://testfire.net/search.aspx?txtSearch=arachni_text
[~] Injected value: '-;<some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
[~] Regular expression:
[~] Matched string: '-;<some_dangerous_input_0ee58e885a87d988553542c0e6c56bc258b7478d3d7c4157233792539add3ab9/>
[+] Plugin data:
[~] ---------------
[*] Resolver
[~] ~~~~~~~~~~~~~~
[~] Description: Resolves vulnerable hostnames to IP addresses.
[~] testfire.net: 65.61.137.117
[*] Health map
[~] ~~~~~~~~~~~~~~
[~] Description: Generates a simple list of safe/unsafe URLs.
[~] Legend:
[+] No issues
[-] Has issues
[+] http://testfire.net/
[-] http://testfire.net/search.aspx
[-] http://testfire.net/search.aspx?txtSearch=arachni_text
[~] Total: 3
[+] Without issues: 1
[-] With issues: 2 ( 67% )
[*] Profiler
[~] ~~~~~~~~~~~~~~
[~] Description: Examines the behavior of the web application gathering general statistics
and performs taint analysis to determine which inputs affect the output.
It does not perform any vulnerability assessment nor does it send attack payloads.
[~] Inputs affecting output:
[+] Form using the 'txtSearch' input at 'http://testfire.net/' pointing to 'http://testfire.net/search.aspx' using 'GET'.
[~] It was submitted using the following parameters:
[~] * txtSearch = arachni_texte4e549408422875958476160732390defefcac7c2bd8353d918fe452d20de2a6
[~]
[~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_texte4e549408422875958476160732390defefcac7c2bd8353d918fe452d20de2a6':
[~] * Body
[+] Link using the 'txtSearch' input at 'http://testfire.net/search.aspx?txtSearch=arachni_text' pointing to 'http://testfire.net/search.aspx?txtSearch=arachni_text' using 'GET'.
[~] It was submitted using the following parameters:
[~] * txtSearch = arachni_text5f2703a5211db19a9020f7443f6a440fbc95cda90b7c2d53912f5ce47d050056
[~]
[~] The taint landed in the following elements at 'http://testfire.net/search.aspx?txtSearch=arachni_text5f2703a5211db19a9020f7443f6a440fbc95cda90b7c2d53912f5ce47d050056':
[~] * Body
[*] AutoLogin
[~] ~~~~~~~~~~~~~~
[~] Description: It looks for the login form in the user provided URL,
merges its input fields with the user supplied parameters and sets the cookies
of the response and request as framework-wide cookies to be used by the spider later on.
[+] Form submitted successfully.
[~] Cookies set to:
[~] * ASP.NET_SessionId = 14kge555fdb4bjflm3rx3t55
[~] * amSessionId = 204023334531
[~] * amUserInfo = UserName=anNtaXRo&Password=RGVtbzEyMzQ=
[~] * amUserId = 100116014
[~] * amCreditOffer = CardType=Gold&Limit=10000&Interest=7.9
[~] 100.0% [>] 100%
[~] Est. remaining time: --:--:--
[~] Crawler has discovered 2 pages.
[~] Audit limited to a max of 1 pages -- excluding 1 pages of Trainer feedback.
[~] Sent 40 requests.
[~] Received and analyzed 40 responses.
[~] In 00:00:06
[~] Average: 6 requests/second.
[~] Currently auditing http://testfire.net/search.aspx?txtSearch=arachni_text
[~] Burst response time total 0
[~] Burst response count total 0
[~] Burst average response time 0
[~] Burst average 0 requests/second
[~] Timed-out requests 0
[~] Original max concurrency 20
[~] Throttled max concurrency 20
arachni http://testfire.net --scope-page-limit=1 --checks=xss \
--plugin=autologin:url=http://testfire.net/bank/login.aspx,parameters='uid=jsmith&passw=Demo1234',check='Sign Off|MY ACCOUNT' \
--scope-exclude-pattern logout
```
<h2 id='platforms'><a href='#platforms'>Platforms</a></h2>
......