Perfect Storm - Multi-part Login Form + Strict Transport Security

ZT's Avatar


12 Jan, 2016 09:55 PM

We are currently trying to review a site for a client. Their page makes use of a multi-step login form (located at the same URL, using ASP.NET) where the username is entered first and the password second. We are having no luck at all getting the scanner to login. The auto_login plugin won't work because the form never has both the username and password field at the same time and it appears that which step the user is on in the process is held server side in the session array. We have tried the proxy login method, but are running into SSL issues. The site makes use of Strict Transport security, meaning I can't just point a browser at the proxy as I can't accept the intercepter cert. I have tried chaining proxies with my BURP instance first and the Arachni proxy as an upstream proxy for the path. This works and it appears that the requests are passing through the Arachni proxy. I don't, however, see the record start/stop buttons. We've not used this method before, so I'm a little unclear as to where/what they are supposed to be or look like. Also, is there a way to grab/export the inspector CA so that Firefox can be set up to implicitly trust it, thus getting around the Strict Transport issue?

We have tried a few instances of defined cookies/cookie jars as well. We mainly use the WebUI (latest version) - I have tried the CLI with our exported profile AFP file from the WebUI as well as an exported cookie jar from Firefox. This scan immediately stops. This is less of an issue - I just need to see if I can get this scan running. If not, its full manual on this test. Since it was assigned to a junior tester, that means its back in my court if we can't get a login solution.

Any ideas?

  1. Support Staff 1 Posted by Tasos Laskos on 12 Jan, 2016 09:59 PM

    Tasos Laskos's Avatar

    Your best bet would be using the nightlies and logging in with the login_script plugin.

    It's CLI only but that's the best solution for this problem.


  2. 2 Posted by ZT on 12 Jan, 2016 10:56 PM

    ZT's Avatar

    Thanks for the reply! Grabbed the nightly and have tried running from the CLI. Login script is executing, but I must not be groking the multi-part requirements in the script itself. I'm trying both the browser and fast model. Below are redacted scripts. The browser model I think it making it past the first POST (based on the debug logs) but it is again failing to find the second field to input into. The fast model is getting redirected back to the root of the site when it tries to access the session check URL, implying that the session ain't making it

    Browser Version

    browser.goto 'https://host/path/Login.aspx'
    form = browser.form( id: 'ctl01' )
    form.text_field( name: 'ctl00$MainContent$txtEmail_divEnterEmail' ).set '[email blocked]'
    form2 = browser.form( id: 'ctl01' )
    form2.text_field( name: 'ctl00$MainContent$txtPassword_divEnterPassword' ).set 'password'

    I had a second browser.goto in there, but didn't seem to make a difference either way.

    Fast Method:

    response = 'https://host/path/Login.aspx',
        parameters:     {
            'ctl00$MainContent$txtEmail_divEnterEmail'   => 'email@domain',
        mode:           :sync,
        update_cookies: true
    response = 'https://host/path/Login.aspx',
        parameters:     {
            'ctl00$MainContent$txtPassword_divEnterPassword'   => 'password',
        mode:           :sync,
        update_cookies: true
    framework.options.session.check_url     = 'https://host/path/authed_onlyPage'
    framework.options.session.check_pattern = /Unique String/

    Granted, I'm not a Ruby guy, so I'm only going off the examples provided. Thoughts?

  3. Support Staff 3 Posted by Tasos Laskos on 12 Jan, 2016 11:00 PM

    Tasos Laskos's Avatar

    Not sure what kind of error you're getting from the browser but you may need to wait for the second page by waiting for the necessary elements to appear.

    These are the available methods for waiting:

  4. Tasos Laskos closed this discussion on 24 Feb, 2016 12:29 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac