Issue with max-attack-time: Attack Doesn't Stop After Specified Time #619

Open
Kundan8000 opened this issue Oct 8, 2024 · 8 comments

@Kundan8000

I'm running the following command, but it isn't stopping the attack after 1 minute. Instead, it gets stuck, and I think I have to manually move to the next attack by pressing CTRL + C and selecting the next attack from the menu.

wapiti \
  --level 1 \
  -u http://testasp.vulnweb.com \
  -f json \
  -o report.json \
  -m all \
  --scope folder \
  --flush-session \
  -v2 \
  --no-bugreport \
  --max-attack-time 60
@Kundan8000
Author

@devl00p, please check. It gets stuck after a certain amount of time and either completes after 24 hours or sometimes takes up to 3 days to finish.

@devl00p
Contributor

devl00p commented Oct 11, 2024

Hello,

Which version are you using? Which module was running?

@Kundan8000
Author

Kundan8000 commented Oct 11, 2024

> Hello,
>
> Which version are you using? Which module was running?

I'm running all modules; you can check the command I mentioned. I have Wapiti 3.2.0 installed on my server (Ubuntu 22.04.4 LTS).

@Kundan8000
Author

Kundan8000 commented Oct 15, 2024

Hi @devl00p, have you found anything on why it's getting stuck?
++ @thomasjbradley, @ramiror, @LocutusOfBorg

@LocutusOfBorg
Contributor

sorry no idea...

@devl00p
Contributor

devl00p commented Oct 19, 2024

The --max-attack-time is used to specify a max duration of processing for EACH attack module.

So if you specify 60 seconds with (for example) all 33 attack modules it will take approximately 30 minutes to execute. This is the expected behavior.

The CTRL+C behavior is not perfect though, as the stop signal is checked after each crawled URL, not its mutations. Depending on the module it can take quite some time, but I'm looking to improve it thanks to asyncio cancellation features.
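
The behavior described in the comment above, as an added illustration (not part of the thread and not Wapiti's code): a per-module time budget that is only checked between crawled URLs overruns when one URL has many mutations, while `asyncio.wait_for` cancellation stops the module at its next await. The module functions, URLs, delays and counts are constructed stand-ins.

```python
import asyncio
import time

MUTATION_DELAY = 0.01     # constructed: simulated time for one mutated request
MUTATIONS_PER_URL = 40    # constructed: payload variants tried per crawled URL
URLS = [f"http://target.example/page{i}" for i in range(5)]  # constructed

async def attack_url(url: str) -> None:
    """Simulate sending every mutation of one crawled URL."""
    for _ in range(MUTATIONS_PER_URL):
        await asyncio.sleep(MUTATION_DELAY)  # stands in for one HTTP request

async def module_checked_per_url(budget: float) -> float:
    """Budget is only inspected between URLs, so one URL can overrun it."""
    start = time.monotonic()
    for url in URLS:
        if time.monotonic() - start >= budget:
            break
        await attack_url(url)
    return time.monotonic() - start

async def module_cancelled(budget: float) -> float:
    """wait_for cancels the module at its next await once the budget expires."""
    start = time.monotonic()

    async def run_all() -> None:
        for url in URLS:
            await attack_url(url)

    try:
        await asyncio.wait_for(run_all(), timeout=budget)
    except asyncio.TimeoutError:
        pass  # budget reached: the module was stopped mid-URL
    return time.monotonic() - start

def compare(budget: float = 0.1, modules: int = 3) -> dict:
    """Run `modules` hypothetical modules in sequence under each strategy."""
    async def scan(module) -> float:
        return sum([await module(budget) for _ in range(modules)])
    return {
        "per_url_check": asyncio.run(scan(module_checked_per_url)),
        "cancellation": asyncio.run(scan(module_cancelled)),
        "nominal": budget * modules,  # budget is per module, so it multiplies
    }

if __name__ == "__main__":
    print(compare())
```

With these constructed numbers, the per-URL check spends at least one full URL (0.4 s) per module against a 0.1 s budget, while the cancellation variant stays close to the nominal total.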

@Kundan8000
Author

Hi @devl00p, Thank you for responding. I’ve found another issue: the brute_login_form should automatically detect the login form and attempt brute-force login or SQL injection. Currently, this site is vulnerable to SQL injection through the login form, which appears as a modal but wapiti fails to detect that.

@Kundan8000
Author

> The --max-attack-time is used to specify a max duration of processing for EACH attack module.
>
> So if you specify 60 seconds with (for example) all 33 attack modules it will take approximately 30 minutes to execute. This is the expected behavior.
>
> The CTRL+C behavior is not perfect though, as the stop signal is checked after each crawled URL, not its mutations. Depending on the module it can take quite some time, but I'm looking to improve it thanks to asyncio cancellation features.

But when I start the scan, all the modules take the specified time except for the buster module, which takes too long and gets stuck.
