Cannot get autologin/login modules to work

Alessandro Di Giuseppe

23 Oct, 2015 07:33 PM

I'm having some trouble with the autologin and login_script.rb modules; I read the article about "Logging in and maintaining a valid session", but I'm still not able to figure it out.

Are there how-to's you can point me to with more concrete usage examples?

Thanks,

Alessandro

  1. Support Staff 1 Posted by Tasos Laskos on 23 Oct, 2015 07:34 PM

    There aren't any other examples but I can help, what issues are you having?

  2. 2 Posted by Alessandro Di G... on 23 Oct, 2015 08:00 PM

    I've tried several different sites, with different parameters, and the error that keeps getting returned is: "Could not find a form suiting the provided parameters".

    Please see attached txt file for complete scan error output.

  3. Support Staff 3 Posted by Tasos Laskos on 24 Oct, 2015 02:17 AM

    I see, this little section explains why this happens: http://support.arachni-scanner.com/kb/general-use/logging-in-and-ma...

    In addition, that form doesn't have inputs named username and pass but username and password.

  4. 4 Posted by Alessandro Di G... on 24 Oct, 2015 02:48 AM

    OK, so I figured the autologin plugin was not working because of the way the web site presented its login form, so I tried modifying the login_script.rb and using it also; I believe that even when I modified the pass input parameter to password in a different scan attempt, but it didn't work either...

    Another question, as it is unclear to me, can autologin and login_script.rb be used simultaneously, or should I only attempt using one and not the other? (e.g., if autologin fails, does it try with login_script.rb as fallback, or does it just fail to scan?)

  5. Support Staff 5 Posted by Tasos Laskos on 24 Oct, 2015 02:55 AM

    No, it's either one or the other. If you've already got a login script then there's no need for anything else; it's the more versatile version and its functionality is a superset of all others.

    Could you show me your script?

  6. 6 Posted by Alessandro Di G... on 24 Oct, 2015 02:59 AM

    In all my experimenting, I guess I was trying both together and autologin module would fail before login_script.rb had a chance.

    I'm trying it again with just login_script.rb (autologin disabled) and it seems to be working (at least the scan did not fail to start as with autologin module)... will confirm when scan completes if it did actually authenticate to the web app.

  7. Support Staff 7 Posted by Tasos Laskos on 24 Oct, 2015 03:01 AM

    If you set up the session check correctly and the scan started then it worked.
    If I recall correctly though, in that site authentication doesn't make any difference.

  8. 8 Posted by Alessandro Di G... on 24 Oct, 2015 02:26 PM

    Thanks for confirming.

    You may be right, but the authenticated scan with same settings as previous unauthenticated scan discovered several extra issues on same site, so I think the login_script.rb worked and probably did make a difference.

    I realize that login_script.rb is more powerful and flexible than autologin module; but I think that it would be more user-friendly to incorporate the login_script.rb functionality into the Web UI rather than editing the file manually; are there any plans integrating it into the Web UI?

  9. Support Staff 9 Posted by Tasos Laskos on 24 Oct, 2015 02:30 PM

    Hm, I'll have another look at that site then, thanks for the info.

    About the WebUI, it is not receiving features anymore, its replacement will indeed have that functionality though.

  10. 10 Posted by Alessandro Di G... on 24 Oct, 2015 02:36 PM

    Is the v1.0 Web UI (nightly builds) the replacement for the current Web UI?

  11. Support Staff 11 Posted by Tasos Laskos on 24 Oct, 2015 02:37 PM

    No, the new interface is not published yet.

  12. 12 Posted by Alessandro Di G... on 24 Oct, 2015 02:50 PM

    Well, we're obviously looking forward to it. If you need beta testers, count me in.

    Again, thanks for all your hard work on this and your responsiveness to my requests.

  13. Support Staff 13 Posted by Tasos Laskos on 24 Oct, 2015 02:51 PM

    Thanks man good to know, putting you on my list. :)

  14. Tasos Laskos closed this discussion on 24 Oct, 2015 02:51 PM.
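
The mismatch pointed out in reply 3 (parameters naming `pass` where the form's input is `password`) can be caught before starting a scan. The Ruby check below is an added example, not part of the original thread and not Arachni code; the sample HTML, credentials and helper names are constructed, and it assumes the login parameters are given as a `name=value&name=value` string.

```ruby
# Added example (not Arachni code): pre-flight check that the parameter names
# you plan to give a form-login plugin exist as inputs in a form on the page.

# Constructed sample login page; the field names follow reply 3 in the thread.
SAMPLE_HTML = <<~HTML
  <form action="/search" method="get"><input type="text" name="q"></form>
  <form action="/login" method="post">
    <input type="text" name="username">
    <input type="password" name='password'>
    <input type="submit" value="Log in">
  </form>
HTML

# Parse "name=value&name2=value2" into a Hash of parameter names to values.
def parse_params(string)
  string.split('&').map { |pair| pair.split('=', 2) }.to_h { |k, v| [k, v.to_s] }
end

# Return one Hash per <form>: its action and the names of its inputs.
# Regex parsing is enough for this simple, static sample markup.
def extract_forms(html)
  html.scan(/<form\b([^>]*)>(.*?)<\/form>/mi).map do |attrs, body|
    names = body.scan(/<(?:input|select|textarea)\b[^>]*\bname\s*=\s*["']([^"']+)["']/i).flatten
    { action: attrs[/\baction\s*=\s*["']([^"']*)["']/i, 1], inputs: names }
  end
end

# For each form, list which of the supplied parameter names it lacks.
def check_login_params(html, param_string)
  wanted = parse_params(param_string).keys
  extract_forms(html).map do |form|
    missing = wanted - form[:inputs]
    form.merge(missing: missing, match: missing.empty?)
  end
end

if __FILE__ == $PROGRAM_NAME
  ['username=alice&pass=secret', 'username=alice&password=secret'].each do |params|
    puts "Parameters: #{params}"
    check_login_params(SAMPLE_HTML, params).each do |f|
      status = f[:match] ? 'match' : "missing #{f[:missing].join(', ')}"
      puts "  form action=#{f[:action]} inputs=#{f[:inputs].inspect} -> #{status}"
    end
  end
end
```

A form rendered by JavaScript will not appear in the fetched HTML, so an empty result from `extract_forms` on a real page points to that case rather than to a naming mistake.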
