Autologin doesn't work

Amarendra

06 May, 2015 06:31 PM

Hello,

I am using the latest version of Arachni (Framework 1.1 and webUI 0.5.7), and the AutoLogin plugin doesn't seem to work, or maybe I am missing something. My application is standard servlet-based, and I tried using both web-UI and command-line for Arachni, but the autologin doesn't happen - Arachni discovers the form accurately, and submits the credentials fine too. However, one particular line in the debug log bothers me:

[!] Client: Parsed headers: {"Server"=>"Apache-Coyote/1.1", "P3p"=>"CP=\"COM CNT INT CAO CUR ADM OUR IND\"", "Expires"=>"Thu, 01 Jan 1970 00:00:00 GMT", "Pragma"=>"no-cache", "Cache-Control"=>"no-cache", "Content-Type"=>"text/css", "Content-Length"=>"240", "Date"=>"Wed, 06 May 2015 18:09:26 GMT"}
[!] Client: ------------
[!] Browser: Loaded snapshot by URL: https://myserver/mypath/navigate?menuID=default
[!] Browser: fire_event [start]: submit ({:inputs=>{"username"=>"Administrator", "j_username"=>"Administrator", "j_password"=>"mypasswd"}}) <form name="logonForm" method="post" action="/Manager/j_security_check" autocomplete="off">
[!] Client: ------------
[!] Client: Queued request.
[!] Client: ID#: 13
[!] Client: Performer: #<Arachni::Browser pid=31534 last-url="https://myserver/mypath/navigate?menuID=default" transitions=13>
[!] Client: URL: https://myserver/Manager/j_security_check
[!] Client: Method: post
[!] Client: Params: {}
[!] Client: Body: username=Administrator&j_username=&j_password=mypasswd
[!] Client: Headers: {"Origin"=>"https://myserver", "User-Agent"=>"Arachni/v1.1", "Content-Type"=>"application/x-www-form-urlencoded", "Accept"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Referer"=>"https://myserver/mypath/navigate?menuID=default", "Cookie"=>"JSESSIONID=7C99150D9B7239E3B0C0B4255B61FE3C", "Accept-Encoding"=>"gzip", "Accept-Language"=>"en,*", "Host"=>"myserver"}

Notice the Body: line, which has j_username set to (NULL). Can this be the problem?

My command line looks like this:

bin/arachni https://myserver --output-debug 3 --checks=xss* --plugin autologin:url=https://myserver/mypath/navigate?menuID=default,parameters='username=Administrator&j_username=Administrator&j_password=mypasswd',check='Endpoint|Manage|Incidents|unexpected' --scope-exclude-pattern 'Logout|css|js|png|ico|Help|help'

I have uploaded the entire log file, if that helps. Thanks in advance.

-Amarendra
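
A small Ruby check for the discrepancy described in the post above, added here as an example (it is not part of the original thread and not Arachni code): it compares the inputs logged by `fire_event` with the `Body:` of the next queued request and reports the fields whose value differs. It assumes the debug-log line formats shown in the post; the function names are hypothetical.

```ruby
require 'uri'

# Constructed sample: the relevant lines copied from the debug log in the post above.
SAMPLE_LOG = <<~'LOG'
  [!] Browser: fire_event [start]: submit ({:inputs=>{"username"=>"Administrator", "j_username"=>"Administrator", "j_password"=>"mypasswd"}}) <form name="logonForm" method="post" action="/Manager/j_security_check" autocomplete="off">
  [!] Client: URL: https://myserver/Manager/j_security_check
  [!] Client: Body: username=Administrator&j_username=&j_password=mypasswd
LOG

# Extract the "name"=>"value" pairs from the :inputs hash of a fire_event line.
# Values are kept exactly as logged (inspect-style escapes are not undone).
def intended_inputs(line)
  hash = line[/:inputs=>\{(.*?)\}\}/, 1] or return nil
  hash.scan(/"((?:[^"\\]|\\.)*)"=>"((?:[^"\\]|\\.)*)"/).to_h
end

# Decode the form-urlencoded body of a "Client: Body:" line.
def sent_body(line)
  body = line[/Client: Body: (.*)$/, 1] or return nil
  URI.decode_www_form(body).to_h
end

# Pair each submit event with the next request body and list the fields
# whose sent value is missing or differs from the intended one.
def login_field_mismatches(log)
  pending = nil
  mismatches = []
  log.each_line do |line|
    if line.include?('fire_event [start]: submit')
      pending = intended_inputs(line)
    elsif pending && (sent = sent_body(line))
      pending.each do |name, want|
        got = sent[name]
        mismatches << { field: name, intended: want, sent: got } unless got == want
      end
      pending = nil
    end
  end
  mismatches
end

if __FILE__ == $PROGRAM_NAME
  login_field_mismatches(SAMPLE_LOG).each do |m|
    state = m[:sent].nil? ? 'missing' : (m[:sent].empty? ? 'empty' : 'different')
    puts "#{m[:field]}: value in request body is #{state}"
  end
end
```

Run against a full debug log with `login_field_mismatches(File.read(path))`; only field names and a state are printed, so credentials are not echoed to the terminal.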

  1. Support Staff 1 Posted by Tasos Laskos on 06 May, 2015 06:47 PM

    That's odd, may I please try this myself?
    I can switch the discussion to private or you can send me the info via e-mail if you prefer.

    Cheers

    PS. Excellent feedback!

  2. 2 Posted by Amarendra on 06 May, 2015 07:53 PM

    Can't try, it's an internally deployed/developed UI. Is there something else I can check? Thanks.

  3. Support Staff 3 Posted by Tasos Laskos on 06 May, 2015 07:54 PM

    Can you attach the HTML of the login page?

  4. 4 Posted by Amarendra on 06 May, 2015 08:24 PM

    I'll email you the login page. Thanks.

  5. Support Staff 5 Posted by Tasos Laskos on 10 May, 2015 01:17 PM

    Discussion continued over e-mail, closing.

  6. Tasos Laskos closed this discussion on 10 May, 2015 01:17 PM.
