<h1>Autologin plugin issues</h1>
<p>Arachni: Discussion (support.arachni-scanner.com, /discussions/problems/18-autologin-plugin-issues), last updated 2012-11-17T11:06:02Z</p>
<div><p><em>2012-11-14T21:25:12Z</em></p>
<p>Technically speaking the 'check' option is a regular expression
so you can provide a pattern that will always match (like
<code>.*</code> or something), or use a regular expression that
matches inversely in order to cover your second point.</p>
<p>Generally, I like to encourage users to provide a login check
pattern because it's important for logouts to be dealt with even if
I've got to clarify this in a support ticket now and then.</p>
<p>Or, better yet, I should clarify this in the plugin's
description, which is something I will do since others will
probably come across the same scenario at some point.</p>
<p>Does that help you?</p>
<p><em>Tasos Laskos</em></p></div>
<div><p><em>2012-11-15T16:01:18Z</em></p>
<p>I tried that at the end of yesterday and it looks like it
worked. I need to experiment more today. Thanks for the fast
response.<br>
Jake</p>
<p><em>Jake Evans</em></p></div>
<div><p><em>2012-11-15T16:48:34Z</em></p>
<p>Autologin appears to be working - I'm getting a session cookie.
But when the scan starts afterwards, I get no results and the crawler
discovers no pages. I'm attaching the command line I'm using with
output.</p>
<p>Arachni can handle SSL, right? I'm wondering if it's not finding
anything because the initial response page to autologin is a
redirect with nothing in the body (i.e., no links). Any other
ideas?</p>
<p>For the output on the attachment I only used XSS-related
modules, but I get the same results when I use all of them.</p>
<p><em>Jake Evans</em></p></div>
<div><p><em>2012-11-15T16:54:14Z</em></p>
<p>Is there a redirect to a different subdomain? Even "www"... If so,
use the fully qualified domain name or the <code>-f</code> flag to
follow subdomains.</p>
<p><em>Tasos Laskos</em></p></div>
<div><p><em>2012-11-15T17:49:09Z</em></p>
<p>No, the actual host is a private IP address. I'm just replacing
it with app.com. None of the requests are outside <a href=
"https://10.10.10.1/">https://10.10.10.1/</a>. There are different
areas under 10.10.10.1 that are loaded (ajax, plugins, etc.) but it
never reaches out to other domains. (I also tried -f just in case
with same results).</p>
<p>I'm attaching another file with --debug turned on. You can see
the page it is redirected to, but it just ends there.</p>
<p><em>Jake Evans</em></p></div>
<div><p><em>2012-11-15T20:34:37Z</em></p>
<p>I'm starting to think that the problem is caused by the path
variables
<code>;jsessionid=2983620CCD7B79C3EA8D8E0EB4D39476</code>. See, they
are being stripped because they've been causing problems in the
past, but it looks like your app either needs them or the logins are
unsuccessful.</p>
<p><em>Tasos Laskos</em></p></div>
<div><p><em>2012-11-15T20:53:38Z</em></p>
<p>Right, that is the session cookie and is only needed in the HTTP
headers. Requests that are formed after login (or at any time)
don't normally include that as part of the path... in fact, I've
never seen that. Is there a way to get Arachni to not append
the string?</p>
<p><em>Jake Evans</em></p></div>
<div><p><em>2012-11-15T21:11:26Z</em></p>
<p>Yeah, it strips it from any URLs it receives, but if your webapp
needs it then there are problems.<br>
What's curious is that it doesn't even move on to the crawl phase
and I can't reproduce it...</p>
<p>I don't imagine you'd let me have a go at this with the webapp
being private and all, right?</p>
<p><em>Tasos Laskos</em></p></div>
<div><p><em>2012-11-15T21:37:22Z</em></p>
<p>I'm pretty sure the webapp doesn't need the session ID in the
URL since it is included in the header cookies so I'm not sure why
the scanner thinks it's needed in the URL.</p>
<p>As far as getting you access, it's a commercial app that I test
in an isolated and sandboxed area of our lab so I won't be able to
get you direct access. Not sure if a phone call or webex would do.
I'm free for that most of tomorrow. Could you contact me at my
email address directly and then I can reply to you via email? I
probably shouldn't publicly post more details about the product.
Thanks for all your help, btw.</p>
<p><em>Jake Evans</em></p></div>
<div><p><em>2012-11-17T11:06:02Z</em></p>
<p>Continuing this over e-mail.</p>
<p><em>Tasos Laskos</em></p></div>
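<p>The two mechanics the thread turns on, a login-check pattern applied to response bodies (a positive match, an always-matching <code>.*</code>, and the inverse match via a negative lookahead that the first reply mentions) and the removal of <code>;jsessionid=</code> path parameters from URLs, as an added Ruby example. This is not Arachni's own code: the function names <code>logged_in?</code> and <code>strip_jsessionid</code>, the two sample response bodies and the sample URL are constructed for illustration; only the session id value is taken from the thread.</p>

```ruby
require 'uri'

# Constructed sample responses; not captured from the thread's application.
LOGGED_IN_BODY  = "<html><body>Welcome back, jake.\n<a href=\"/logout\">Log out</a></body></html>"
LOGGED_OUT_BODY = "<html><body><form action=\"/login\">\n<input name=\"username\"></form></body></html>"

# A login check is a regular expression run against the response body.
# A positive pattern names something only an authenticated page contains.
POSITIVE_CHECK = /Log out/

# An inverse pattern, for apps where only the logged-OUT page has a stable
# marker (here the login form's username field): the negative lookahead
# rejects any body containing the marker; /m lets '.' span newlines.
INVERSE_CHECK = /\A(?!.*name="username").*\z/m

# A pattern that always matches, which in effect disables the check.
ALWAYS_CHECK = /.*/

# Decide whether a response body still looks like an authenticated session.
# Returns true when the check pattern matches, false otherwise.
def logged_in?(body, check_pattern)
  !(body =~ check_pattern).nil?
end

# Remove a ';jsessionid=...' path parameter from a URL, leaving the query
# string and fragment intact. The session id also travels in the cookie,
# which is why the URL copy is normally redundant.
def strip_jsessionid(url)
  uri = URI.parse(url)
  uri.path = uri.path.gsub(/;jsessionid=[^;\/?#]*/i, '')
  uri.to_s
end

if __FILE__ == $0
  puts logged_in?(LOGGED_IN_BODY, POSITIVE_CHECK)   # true
  puts logged_in?(LOGGED_OUT_BODY, POSITIVE_CHECK)  # false
  puts logged_in?(LOGGED_OUT_BODY, INVERSE_CHECK)   # false
  puts strip_jsessionid('https://app.com/home;jsessionid=2983620CCD7B79C3EA8D8E0EB4D39476?tab=1')
  # https://app.com/home?tab=1
end
```

<p>The inverse pattern is the practical choice when the authenticated pages have no common text but the login form does: any response that renders the form is treated as a lost session, so a scanner can re-run the login sequence rather than continue crawling unauthenticated.</p>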