Cannot get autologin/login modules to work
I'm having some trouble with the autologin and login_script.rb modules; I read the article about "Logging in and maintaining a valid session", but I'm still not able to figure it out.
Are there how-to's you can point me to with more concrete usage examples?
Thanks,
Alessandro
Support Staff 1 Posted by Tasos Laskos on 23 Oct, 2015 07:34 PM
There aren't any other examples but I can help, what issues are you having?
2 Posted by Alessandro Di G... on 23 Oct, 2015 08:00 PM
I've tried several different sites, with different parameters, and the error that keeps getting returned is: "Could not find a form suiting the provided parameters".
Please see attached txt file for complete scan error output.
Support Staff 3 Posted by Tasos Laskos on 24 Oct, 2015 02:17 AM
I see, this little section explains why this happens: http://support.arachni-scanner.com/kb/general-use/logging-in-and-ma...
In addition, that form doesn't have inputs named username and pass but username and password.
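An added example, not part of the original thread and not Arachni's own code: a stand-alone Ruby check that lists which supplied parameter names are absent from each form on a page, which is the pass versus password mismatch pointed out above. The HTML, the credentials and the function names are constructed, and the matching rule (a form suits when it has an input for every supplied name) is an assumption.

```ruby
# Added example, not Arachni code. Assumed rule: a form "suits" the
# parameters when it has an input for every supplied parameter name.

# Return [{action:, inputs: [...]}, ...] for each <form> in the HTML.
def extract_forms(html)
  html.scan(/<form\b([^>]*)>(.*?)<\/form>/mi).map do |attrs, body|
    names = body.scan(/<(?:input|select|textarea)\b[^>]*?\bname\s*=\s*["']?([^"'\s>]+)/mi).flatten
    { action: attrs[/\baction\s*=\s*["']?([^"'\s>]+)/i, 1], inputs: names.uniq }
  end
end

# Parse an autologin-style "name=value&name=value" string into a Hash.
def parse_parameters(str)
  str.split('&').reject(&:empty?).to_h do |pair|
    name, value = pair.split('=', 2)
    [name, value.to_s]
  end
end

# For each form, list which supplied parameter names it lacks.
def check_login_parameters(html, parameters)
  wanted = parse_parameters(parameters).keys
  extract_forms(html).map do |form|
    missing = wanted - form[:inputs]
    form.merge(missing: missing, suitable: missing.empty?)
  end
end

# Constructed sample page: a search form and a login form.
SAMPLE_HTML = <<~HTML
  <form action="/search" method="get"><input type="text" name="q"></form>
  <form action="/login" method="post">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="hidden" name="token" value="constructed">
    <input type="submit" value="Log in">
  </form>
HTML

if __FILE__ == $PROGRAM_NAME
  ['username=alice&pass=secret', 'username=alice&password=secret'].each do |params|
    puts "#{params}:"
    check_login_parameters(SAMPLE_HTML, params).each do |f|
      puts "  #{f[:action]} suitable=#{f[:suitable]} missing=#{f[:missing].inspect}"
    end
  end
end
```

Running it against a saved copy of the real login page before a scan shows whether any form carries every parameter name being supplied.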
4 Posted by Alessandro Di G... on 24 Oct, 2015 02:48 AM
OK, so I figured the autologin plugin was not working because of the way the web site presented its login form, so I tried modifying the login_script.rb and use it also; I believe that even when I modified the pass input parameter to password in a different scan attempt, but it didn't work either... Another question, as it is unclear to me, can autologin and login_script.rb be used simultaneously, or should I only attempt using one and not the other? (e.g., if autologin fails, does it try with login_script.rb as fallback, or does it just fail to scan?)
Support Staff 5 Posted by Tasos Laskos on 24 Oct, 2015 02:55 AM
No it's either one or the other, if you've already got a login script then there's no need for anything else, it's the more versatile version and its functionality is a superset of all others.
Could you show me your script?
6 Posted by Alessandro Di G... on 24 Oct, 2015 02:59 AM
In all my experimenting, I guess I was trying both together and autologin module would fail before login_script.rb had a chance.
I'm trying it again with just login_script.rb (autologin disabled) and it seems to be working (at least the scan did not fail to start as with autologin module)... will confirm when scan completes if it did actually authenticate to the web app.
Support Staff 7 Posted by Tasos Laskos on 24 Oct, 2015 03:01 AM
If you set up the session check correctly and the scan started then it worked.
If I recall correctly though, in that site authentication doesn't make any difference.
8 Posted by Alessandro Di G... on 24 Oct, 2015 02:26 PM
Thanks for confirming.
You may be right, but the authenticated scan with same settings as previous unauthenticated scan discovered several extra issues on same site, so I think the login_script.rb worked and probably did make a difference.
I realize that login_script.rb is more powerful and flexible than autologin module; but I think that it would be more user-friendly to incorporate the login_script.rb functionality into the Web UI rather than editing the file manually; are there any plans for integrating it into the Web UI?
Support Staff 9 Posted by Tasos Laskos on 24 Oct, 2015 02:30 PM
Hm, I'll have another look at that site then, thanks for the info.
About the WebUI, it is not receiving features anymore, its replacement will indeed have that functionality though.
10 Posted by Alessandro Di G... on 24 Oct, 2015 02:36 PM
Is the v1.0 Web UI (nightly builds) the replacement for the current Web UI?
Support Staff 11 Posted by Tasos Laskos on 24 Oct, 2015 02:37 PM
No, the new interface is not published yet.
12 Posted by Alessandro Di G... on 24 Oct, 2015 02:50 PM
Well, we're obviously looking forward to it. If you need beta testers, count me in.
Again, thanks for all your hard work on this and your responsiveness to my requests.
Support Staff 13 Posted by Tasos Laskos on 24 Oct, 2015 02:51 PM
Thanks man good to know, putting you on my list. :)
Tasos Laskos closed this discussion on 24 Oct, 2015 02:51 PM.