
Cannot kill hanging scan on sites without SSL/TLS

Open stitch opened this issue 6 years ago • 2 comments

How to quit/kill/stop the script when it hangs? Is there a keyboard command, escape key that works?

The manual points out that: "If the specified targets accepts connections but does not speak SSL, the connection will be closed after the system's TCP/IP-timeout. This script will hang (about 2-3 minutes)."

I've found that the hang is indefinite when scanning a non-TLS site with the following command: docker run --rm -it owasp/o-saft --trace-key --legacy=quick +check arnhem.nl:80

As suggested the --ssl-error-max= (or --no-ssl-error) can be used. After the script hangs, this counter does not increase. Thus using a --ssl-error-max= with a too high value might be a risk of a hang. This is enough for a workaround for this issue 😄

docker run --rm -it owasp/o-saft --trace-key --legacy=quick +check arnhem.nl:80
=== reading: ./.o-saft.pl (RC-FILE done) ===
=== reading: /O-Saft/o-saft-dbx.pm (trace file done) ===
=== reading: /usr/local/share/perl5/site_perl/IO/Socket/SSL.pm (IO SSL module done) ===
=== reading: /usr/share/perl5/core_perl/Time/Local.pm (Time module done) ===
=== reading: /O-Saft/Net/SSLinfo.pm (O-Saft module done) ===
**WARNING: 143: SSL version 'TLSv13': not supported by Net::SSLeay; not checked
**WARNING: 066: 7 data and check outputs are disbaled due to use of '--no-out':
!!Hint: use  '--v'  for more information
!!Hint: do not use '--ignore-out=*' or '--no-out=*' options
**WARNING: 410: SSLv2 does not support SNI; checks skipped
!!Hint: use '--no-sni' for checking
**WARNING: 410: SSLv3 does not support SNI; checks skipped
!!Hint: use '--no-sni' for checking
**WARNING: 302: TLSv1: (31 of 193 ciphers checked) abort connection attempts after 5 max errors
!!Hint: use  --no-ssl-error  or  --ssl-error-max=  to continue connecting
**WARNING: 301: TLSv11: (8 of 193 ciphers checked) abort connection attempts after 10 total errors
!!Hint: use  --no-ssl-error  or  --ssl-error-max=  to continue connecting
**WARNING: 301: TLSv12: (21 of 193 ciphers checked) abort connection attempts after 10 total errors
!!Hint: use  --no-ssl-error  or  --ssl-error-max=  to continue connecting
^C
^C^C^C^C^C^C^C^C
^C^C^C^C^C^[^[^[^[^[^[

stitch, Jul 12 '18 19:07

Ok, I'll answer according to the subject of this issue: cannot kill hanging scan

Up to now, this is a known run-time issue, it's also documented. Hence I'd like to mark this as "enhancement request".

EnDe, Jul 12 '18 21:07

According to "How to quit/kill/stop the script when it hangs?": it depends on your shell and/or operating system. In a plain shell on *nix, Ctrl-C should work. If it is in a VM, it depends on your VM preferences too. If it is in docker, I guess you need to kill the container: docker container kill <ID>; maybe rm also works: docker container rm <ID>

EnDe, Jul 12 '18 21:07
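
A pre-flight check for the case discussed in this thread (a target that accepts TCP connections but does not speak SSL/TLS), as an added example that is not part of O-Saft or of any comment above. The names `probe_tls` and `client_hello` are hypothetical, and the ClientHello bytes are constructed for this probe; the check sends one ClientHello with a short socket timeout and classifies the first five bytes of the reply, so a scan can be skipped instead of hanging.

```python
import os
import socket
import struct
import sys

def client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello without extensions (constructed for this probe)."""
    suites = bytes.fromhex("c02fc030009c002f")          # four common suites
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"      # version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def probe_tls(host: str, port: int, timeout: float = 5.0) -> str:
    """Classify the target as 'tls', 'not-tls', 'silent' or 'unreachable'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:                                     # refused, no route, connect timeout
        return "unreachable"
    with sock:
        try:
            sock.sendall(client_hello())
            header = b""
            while len(header) < 5:                      # TLS record header is 5 bytes
                chunk = sock.recv(5 - len(header))
                if not chunk:
                    break
                header += chunk
        except socket.timeout:                          # accepted the connection, never answered
            return "silent"
        except OSError:                                 # e.g. connection reset
            return "not-tls"
    # A TLS peer answers with a handshake (0x16) or alert (0x15) record, major version 3.
    if len(header) == 5 and header[0] in (0x15, 0x16) and header[1] == 0x03:
        return "tls"
    return "not-tls"

if __name__ == "__main__":
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    result = probe_tls(target_host, target_port)
    print(f"{target_host}:{target_port} -> {result}")
    sys.exit(0 if result == "tls" else 1)
```

Only a result of `tls` exits with status 0, so a wrapper script can run the scan conditionally on it.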