login_script plugin usage

Zehr

18 Jun, 2015 03:31 PM

I am running arachni version 1.1-0.5.7, which I downloaded from http://downloads.arachni-scanner.com/arachni-1.1-0.5.7-linux-x86_64..., in a Kali VM. I am trying to audit a website that generates a nonce at the login page, so I've written a little login script to open that page in a browser, according to the instructions here: http://support.arachni-scanner.com/kb/general-use/logging-in-and-ma....

I'm entering the following command from the bin directory of the extracted arachni folder:

./arachni --plugin=login_script:browser=firefox,script=/home/cyber/login1.rb --report-save-path '/home/cyber/arachni.afr' [target URL]

From the program output, it appears there are two errors. I've included the seemingly relevant parts below, but I can upload the entire output if that is helpful.

Arachni - Web Application Security Scanner Framework v1.1
  Author: Tasos "Zapotek" Laskos <[email blocked]>
    (With the support of the community and the Arachni Team.)

Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki

[~] No checks were specified, loading all.
[~] No element audit options were specified, will audit links, forms, cookies, JSONs and XMLs.

[*] Initializing...
[*] Preparing plugins...
[*] ... done.
[~] Login script: System paused.
[~] Login script: Running the script.
[-] [ArgumentError] unknown encoding name - utf8

...
[-] Session: [ArgumentError] wrong number of arguments (0 for 1)

...
[-] Login script: A runtime error was encountered while executing the login script.
[~] Login script: Aborting the scan.

...

My question is this: Am I typing the command wrong? Or am I missing some prerequisites for this command to work?

  1. Support Staff 1 Posted by Tasos Laskos on 18 Jun, 2015 03:35 PM

    Hey there,

    There's no browser option for that plugin, it'll be using PhantomJS.
    You've removed all the good stuff though, I'm afraid I'll need the backtraces and everything.

    A look into your script would be helpful as well.

    Cheers

  2. 2 Posted by Zehr on 18 Jun, 2015 03:47 PM

    Ok, I tried the following command instead:

    ./arachni --plugin=login_script:script=/home/cyber/login1.rb --report-save-path '/home/cyber/arachni.afr' [target URL]
    
    I've attached the login script and full output.

  3. Support Staff 3 Posted by Tasos Laskos on 18 Jun, 2015 03:53 PM

    Your login script has an error at line 6, apparently form.select_list( id: 'form:console:0' ).select is missing an argument.

    The encoding error is a bug in Arachni though, any chance you can send me the details in private in order to reproduce it?
    I won't need to scan anything, just visiting the login page should be enough.

    Cheers

  4. 4 Posted by Zehr on 18 Jun, 2015 04:08 PM

    Ah, I see. I thought the missing argument was referring back to the arachni command. I modified the script; I needed to use .set rather than .select, and I'm getting a different error, but now I know it's with my script and I'll keep working on it.

    Interestingly, the encoding error did not reappear after making that change. Unfortunately, I can't share the login page with you because it's behind a VPN firewall.

    Thanks for the help

  5. Support Staff 5 Posted by Tasos Laskos on 18 Jun, 2015 04:15 PM

    Doing a "Save as" and compressing the directory could work, if you're allowed to share that.

  6. Support Staff 6 Posted by Tasos Laskos on 30 Sep, 2015 02:54 PM

    Closing due to lack of feedback, please provide the requested information if you'd like me to pursue this further.

  7. Tasos Laskos closed this discussion on 30 Sep, 2015 02:54 PM.