Arachni: Discussion 2015-05-06T13:20:10Z
Cannot login on Wackopicko
2015-04-20T14:46:36Z
<div><p>Hello,</p>
<p>Are the username and password fields actually named
<code>username</code> and <code>password</code> in the login form
or did the example options confuse you?</p></div>
Tasos Laskos

2015-04-20T16:18:49Z
<div><p>Yes, the names are right.</p>
<pre>
<code> <form action="/users/login.php" method="POST">
<tr><td>Username :</td><td> <input type="text" name="username" /></td></tr>
<tr><td>Password :</td><td> <input type="password" name="password" /></td></tr>
<tr><td><input type="submit" value="login" /></td><td> <a href="/users/register.php">Register</a></td></tr>
</form></code>
</pre></div>
Michel Arboi

2015-04-20T16:24:36Z
<div><p>Hm, and <code>http://172.30.58.20:8888/users/login.php</code> is
both the container of the login form and its action?</p>
<p>Could you show me what's returned by a simple <code>GET</code>
request to it please?</p></div>
Tasos Laskos

2015-04-20T16:40:25Z
<div><p>Yes, first the page is fetched by GET, then it is called by
POST.</p>
<p>The whole page (GET) is big, I'm not sure this is more useful
than the small piece of code that I extracted.</p></div>
Michel Arboi

2015-04-20T16:51:41Z
<div><p>The code you extracted is very different from the one in the
page you attached:</p>
<pre>
<code> <h2>Login</h2>
<table style="width:320px" cellspacing="0">
<form action="./WackoPickoLogin_files/WackoPickoLogin.html" method="POST"></form>
<tbody><tr><td>Username :</td><td> <input type="text" name="username"></td></tr>
<tr><td>Password :</td><td> <input type="password" name="password"></td></tr>
<tr><td><input type="submit" value="login"></td><td> <a href="http://172.30.58.20:8888/users/register.php">Register</a></td></tr>
</tbody></table></code>
</pre>
<p>The HTML of the page in general is horribly broken, the inputs
don't actually belong to the login form, they're just orphan
elements; the form itself has no inputs.</p></div>
Tasos Laskos

2015-04-21T08:12:00Z
<div><p>Sorry, the HTML was broken by the save action :-(</p></div>
Michel Arboi

2015-04-21T17:12:29Z
<div><p>Hm, can you retry with <code>--output-debug=3</code> please and
attach the output here?</p></div>
Tasos Laskos

2015-04-21T17:46:14Z
<div><p>Here it is.</p></div>
Michel Arboi

2015-04-21T18:05:37Z
<div><p>I'm not sure if it's the browser sanitization that alters the
structure, but this is what the system effectively gets:</p>
<pre>
<code> <h2>Login</h2>
<table style="width:320px" cellspacing="0">
<form action="/users/login.php" method="POST"></form>
<tbody><tr><td>Username :</td><td> <input type="text" name="username"></td></tr>
<tr><td>Password :</td><td> <input type="password" name="password"></td></tr>
<tr><td><input type="submit" value="login"></td><td> <a href="/users/register.php">Register</a></td></tr>
</tbody></table></code>
</pre>
<p>Which presents the same issue as your first attachment -- i.e.
the inputs being outside the form.</p>
<p>So you have 2 options:</p>
<ol>
<li>Disable using the browsers altogether. This is more accepting
of broken HTML code and will probably parse the form. It will
however result in less scan coverage since the crawl and some XSS
checks require the browsers.<br></li>
<li>Login using a simple script instead of using the
<code>autologin</code> plugin, like so: <a href="http://support.arachni-scanner.com/kb/general-use/logging-in-and-maintaining-a-valid-session#without-browser-fast-">
http://support.arachni-scanner.com/kb/general-use/logging-in-and-ma...</a></li>
</ol></div>
Tasos Laskos

2015-04-22T09:02:47Z
<div><p>How can I disable the browsers? Should I use
<code>--browser-cluster-pool-size 0</code>?</p></div>
Michel Arboi

2015-04-22T09:04:03Z
<div><p>Exactly, apologies for forgetting to mention it.</p></div>
Tasos Laskos

2015-04-22T09:51:33Z
<div><p>It does not work either :( This is not very important, as
Wackopicko is not a real application, but all this is odd.</p>
<p>I had no luck with <code>login_script</code>, my competences in
Watir are close to zero.</p></div>
Michel Arboi

2015-04-22T09:53:22Z
<div><p>You were supposed to use the HTTP request method for the login
script as the browser sanitization is causing issues.<br>
It is odd though, I'll have a look at it when I find some free
time.</p></div>
Tasos Laskos
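
<p>A check for the condition diagnosed in this thread, as an added example that is not part of the discussion or of Arachni: it scans markup as text (a plain tag scanner, not an HTML5 parser) and reports named inputs that fall outside every form element, so a form-based login can be validated before a scan. The two samples are the snippets quoted in the thread; <code>attr_value</code>, <code>audit_forms</code> and <code>login_form?</code> are hypothetical helper names.</p>

```ruby
# Added example. SERVED and SERIALIZED are copied from the snippets quoted in
# the thread; the helper names below are hypothetical.
SERVED = <<~HTML
  <form action="/users/login.php" method="POST">
  <tr><td>Username :</td><td> <input type="text" name="username" /></td></tr>
  <tr><td>Password :</td><td> <input type="password" name="password" /></td></tr>
  <tr><td><input type="submit" value="login" /></td><td> <a href="/users/register.php">Register</a></td></tr>
  </form>
HTML

SERIALIZED = <<~HTML
  <h2>Login</h2>
  <table style="width:320px" cellspacing="0">
  <form action="/users/login.php" method="POST"></form>
  <tbody><tr><td>Username :</td><td> <input type="text" name="username"></td></tr>
  <tr><td>Password :</td><td> <input type="password" name="password"></td></tr>
  <tr><td><input type="submit" value="login"></td><td> <a href="/users/register.php">Register</a></td></tr>
  </tbody></table>
HTML

TAG = /<(\/?)(form|input)\b([^>]*)>/i

# Extracts a quoted attribute value from a tag's attribute string, or nil.
def attr_value(attrs, name)
  attrs[/\b#{name}\s*=\s*["']([^"']*)["']/i, 1]
end

# Walks form/input tags in document order and records which named inputs sit
# between a <form> and its </form>, and which sit outside any form.
def audit_forms(html)
  report  = { forms: [], orphans: [] }
  current = nil
  html.scan(TAG) do |closing, tag, attrs|
    if tag.casecmp?('form')
      current = closing.empty? ? { action: attr_value(attrs, 'action'), inputs: [] } : nil
      report[:forms] << current if current
    elsif (name = attr_value(attrs, 'name'))
      (current ? current[:inputs] : report[:orphans]) << name
    end
  end
  report
end

# True when some form in the markup contains every expected credential field.
def login_form?(html, fields)
  audit_forms(html)[:forms].any? { |form| (fields - form[:inputs]).empty? }
end
```

<p>On the served markup the form carries both credential fields; on the serialized markup the form is empty and both fields are reported as orphans, which is the case where the HTTP-request login script is the fallback.</p>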