Add raw request/response data to reports #349

Closed
user021 opened this Issue Jul 6, 2013 · 8 comments

Contributor

user021 commented Jul 6, 2013

Hi, could you add more info on headers, like the full request including the affected variable?

Arachni:
arachni

other web scanner:
other

ghost assigned Zapotek Jul 6, 2013

treadie commented Jul 15, 2013

+1. The way the web front end renders the response is nice, although as mentioned above, full request and response (both with headers) would be awesome. It allows you to push the raw request straight into other tools, i.e. `sqlmap -r request`.

Member

Zapotek commented Jul 15, 2013

Yeah that was my thinking too. I've already opened a ticket on the HTTP client used by Arachni: typhoeus/ethon#63
Once that's sorted I'll implement this in Arachni.

Member

Zapotek commented Mar 28, 2014

Seems like this could be supported by: typhoeus/typhoeus#247

However, I've got to make sure to check how this affects performance -- debug/verbose options may carry a penalty.

champ1 commented Mar 29, 2014

great..:)
+1 fr0m me..:)

but, not sure about the extra amount of data going over the wire..

anyway, 4me, ara only sends like ~500 req, then im done, and have my bug..:)

Member

Zapotek commented Mar 29, 2014

Erm, which wire? There won't be any more data sent over HTTP. You mean extra report data?

treadie commented May 26, 2014

So just an idea, given you have recently updated/defined the levels of verbosity, when a finding is discovered, would you consider dumping the entire request (headers and body) to the screen when verbosity is max? This would allow you to take the request and manually verify without having to wait for the scan to complete.

I guess the end goal that I would find useful would be to have access to the full request (and less importantly the response) prior to completion of the scan from either WebUI or CLI.

Member

Zapotek commented May 26, 2014

I've only added levels to the debug function, verbosity is still on or off. While your case would certainly benefit from verbosity levels, wouldn't it be better served from the run-time report generation feature?

That way you'll immediately get all available data to verify the issues and in a much more usable format.
I guess it comes down to having the foresight of specifying a report format against having the foresight of specifying a verbosity level.

I might as well add support for multiple verbosity levels since I'm at it though, so you'll get the behavior you suggested.

Cheers

Member

Zapotek commented Jun 19, 2014

Done.

Zapotek closed this Jun 19, 2014
