Using autologin in web UI with Struts2 login form

nate.kerkhofs

12 May, 2016 10:01 AM

Hi,

I'm trying to test my company product using Arachni and the web UI. The product is in the midst of migrating from Struts1 to Struts2, and I'm getting an Arachni Reactor error message when trying to log in. The scan also doesn't abort in the web UI; instead it keeps displaying the "starting scan" message.

I've added the Arachni error log file as an attachment. I have redacted the username and password, these are different in the actual profile. Beneath is the form of the login page.

<app:form action="/loginAction.do?reqCode=login" width="100%" focus="loginUserId" styleClass="login">
  <html:hidden property="welcomePage" value="${welcomePage}"/>
  <app:text type="text" key="label.user.userId" property="loginUserId" size="16" maxlength="20" isRequired="true" styleClass="label"/>
  <app:password key="label.user.password" property="loginPassword" size="16" maxlength="25" isRequired="true" styleClass="label"/>
  <app:formActions>
    <app:submit property="submit" styleClass="button">
      <app:message key="button.login"/>
    </app:submit>
    <app:reset styleClass="button">
      <app:message key="button.reset"/>
    </app:reset>
  </app:formActions>
</app:form>

Any help would be appreciated.

  1. Support Staff 31 Posted by Tasos Laskos on 13 May, 2016 02:20 PM

    That could very well be the cause; that would put stress on both Arachni and the server.
    You could try lowering the HTTP request concurrency and the number of browsers, as well as the HTTP and browser job timeouts, to decrease the stress, but it would take a long time for the scan to complete.

  2. 32 Posted by nate.kerkhofs on 17 May, 2016 08:16 AM

    I just ran Arachni for another 2 hours, and the earlier problem where that "0 usable code paths" message shows and sticks around happened again. However, I think it is related to session timeouts, because I configured my Tomcat to timeout after 2 hours (120 minutes), which coincides exactly with this message. I was using the nightly build from last Friday for this test, the 2.0dev-1.0dev build.

    I have done an interrupt (control-C) because last time it didn't get past the "0 usable code paths" message, and now it just shows the message "Aborting... Please wait while the system cleans up" without any other messages before or after that. Is this supposed to take very long, this cleanup? Or is it crashing on that as well?

  3. Support Staff 33 Posted by Tasos Laskos on 17 May, 2016 08:19 AM

    I can't think of a reason why a timed-out session would cause this.
    Is there any chance I can run a scan against that webapp?

  4. 34 Posted by nate.kerkhofs on 17 May, 2016 08:32 AM

    You can download a trial version of our software (unlimited use for 30 days) at http://www.ikanalm.com/download.html which you can install and run locally. You will have to create an account to download it, unfortunately. I hope that's not a problem. We don't ask for credit card details and our passwords are properly secured.

  5. 35 Posted by nate.kerkhofs on 17 May, 2016 09:52 AM

    I forgot to mention that I had to tweak the command quite a lot for it to work through trial and error. This is the command I'm currently using, with alm.rb attached:

    arachni http://ikan032:8080/alm/desktop.action --audit-exclude-vector=Oid --audit-exclude-vector=oid --audit-exclude-vector=browserID --audit-exclude-vector=JSESSIONID --browser-cluster-pool-size=4 --browser-cluster-ignore-images --checks=*,-common_*,-backup_*,-backdoors --scope-exclude-pattern=logout --scope-exclude-pattern=index --scope-exclude-pattern=housekeeping --scope-exclude-pattern=License --scope-exclude-pattern=login --scope-include-pattern=\.action --scope-include-pattern=\.do --http-request-concurrency=12 --platforms=windows,mysql,java,tomcat --plugin=login_script:script=alm.rb --report-save-path=alm.com.afr
    

    You'll have to adapt the command to point to your local ALM instance, mainly the domain name and the platform (the ALM demo version uses HSQLDB, not MySQL like my development environment does).

    The reasons I think this is related to Tomcat timing out are: 1. the message coincides with the moment when the Arachni session should have timed out according to web.xml; 2. because of the excluded patterns, there are no remaining code paths for Arachni to try on the login page, which is exactly the error I'm getting.
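    The login script (alm.rb) is attached to the thread but not shown, so the following is an added example, not the poster's script and not Arachni code. It models in plain Ruby (Net::HTTP) the exchange such a script has to drive against the Struts form quoted in the first post: build the POST body from the form's field names, pull the JSESSIONID that Tomcat issues on a successful login out of the response, and decide from a response whether the session is still alive, which is the check that matters when a two-hour Tomcat timeout can expire the session mid-scan. Everything not in the thread is an assumption and is marked as such in the code: the /alm context path, that app:submit renders as a field named "submit", that the logged-in UI carries a logout link, and that an expired session is answered with a redirect to a login page. The sample responses are constructed, not captured from the product.

```ruby
require 'uri'
require 'net/http'

# Added example, not code from the thread, from alm.rb, or from Arachni.
# Models the exchange a login script has to drive against the Struts form
# quoted in the first post, plus a session check that can tell a logged-in
# response from one Tomcat has redirected back to the login page.
module AlmLogin
  # Assumption: the app is deployed under /alm, as in the scanned URL.
  LOGIN_PATH = '/alm/loginAction.do?reqCode=login'

  # Assumption: the logged-in UI carries a logout link; the thread only tells
  # us "logout" is a URL pattern the poster excludes from scope.
  LOGGED_IN_PATTERN = /href="[^"]*logout[^"]*"/i

  # Constructed sample responses, not captured from the product.
  SAMPLE_DESKTOP    = '<html><body><a href="/alm/logout.action">Logout</a></body></html>'
  SAMPLE_LOGIN_PAGE = '<html><body><form action="/alm/loginAction.do?reqCode=login">' \
                      '<input name="loginUserId"><input name="loginPassword"></form></body></html>'
  SAMPLE_SET_COOKIE = ['JSESSIONID=0123ABC; Path=/alm; HttpOnly']

  # URL-encoded POST body using the field names from the quoted form.
  # Assumption: app:submit renders as a field named "submit" with value "Login".
  def self.form_body(user, password, welcome_page: '')
    URI.encode_www_form(
      'welcomePage'   => welcome_page,
      'loginUserId'   => user,
      'loginPassword' => password,
      'submit'        => 'Login'
    )
  end

  # Extract the Tomcat session id from the Set-Cookie headers of the login
  # response; nil when the server did not issue one (login failed).
  def self.session_cookie(set_cookie_headers)
    Array(set_cookie_headers).each do |header|
      m = header.match(/\AJSESSIONID=([^;]+)/)
      return m[1] if m
    end
    nil
  end

  # True when the body looks like a logged-in page.
  def self.logged_in?(html)
    !!(html =~ LOGGED_IN_PATTERN)
  end

  # An expired session typically shows up as a redirect to the login page
  # (assumption about the app's behaviour) or as the login form being served
  # directly; either way the logged-in pattern is absent.
  def self.session_expired?(status, location, html)
    return true if status.to_i / 100 == 3 && location.to_s =~ /login/i
    !logged_in?(html)
  end

  # Drive the real exchange over Net::HTTP and return the session id (or nil).
  # Not exercised offline; it needs the ALM instance reachable at host:port.
  def self.login(host, port, user, password)
    req = Net::HTTP::Post.new(LOGIN_PATH)
    req['Content-Type'] = 'application/x-www-form-urlencoded'
    req.body = form_body(user, password, welcome_page: 'desktop.action')
    res = Net::HTTP.start(host, port) { |http| http.request(req) }
    session_cookie(res.get_fields('Set-Cookie'))
  end
end

if $PROGRAM_NAME == __FILE__
  puts AlmLogin.form_body('alice', 'p@ss w')
  puts AlmLogin.session_cookie(AlmLogin::SAMPLE_SET_COOKIE)
  puts AlmLogin.logged_in?(AlmLogin::SAMPLE_DESKTOP)
  puts AlmLogin.session_expired?(302, '/alm/login.action', '')
end
```

    The logged-in pattern is the piece worth carrying over to the scan: Arachni's session-check options (a check URL plus a pattern the logged-in response must match) let the scanner notice when the pattern stops matching and re-run the login script, so a Tomcat session expiring at the 120-minute mark becomes a re-login rather than a run where every page after that point is the login form and yields "0 usable code paths". Inside the login_script plugin the same steps are driven through the browser or HTTP client the plugin hands the script; check the plugin's documentation for the exact object names in the build you are running, as this example does not use them.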

  6. Support Staff 36 Posted by Tasos Laskos on 17 May, 2016 10:49 AM

    The message you're seeing isn't an error, just letting you know that that particular page has no new paths that are within scope.
    If all the workload was exhausted the system should have exited with a report, under no circumstances is the behavior you're seeing acceptable.

    I'll have a look at it myself, in the meantime you can try enabling --output-debug=3 to see what's going on.
    You can also set it during runtime by pressing Enter and then d3 and then Enter.
    You can do that when the system looks stuck and it'll show if something else is going on in the background.

  7. 37 Posted by nate.kerkhofs on 17 May, 2016 11:33 AM

    I am running a modified command with that output statement, plus auto-redundant configured to 2 and most dropdown inputs excluded.

    I have also had the scan stop a few times in a similar fashion, where it shows 2/3 of the HTML of a page and, after the final tag, something about @taint and then a JavaScript snippet attached to window.top, which is probably related to http://www.arachni-scanner.com/blog/arachnibrowser-js-data-flow-tai.... I don't see the Dojo framework mentioned on that page, which is what we use.

  8. Support Staff 38 Posted by Tasos Laskos on 17 May, 2016 11:35 AM

    Does CPU utilization spike during those freezes?

  9. 39 Posted by nate.kerkhofs on 18 May, 2016 06:31 AM

    Pressing Enter during runtime does not do anything on my machine. It just keeps going.

  10. Support Staff 40 Posted by Tasos Laskos on 18 May, 2016 07:46 AM

    You must be on MS Windows; the command screen isn't available there, so you'll need to specify it at the beginning of the scan.

  11. 41 Posted by nate.kerkhofs on 18 May, 2016 12:34 PM

    I ran Arachni overnight, but Tomcat ran out of memory; that might be related to the computer unexpectedly locking itself.

    Then, today, I started another run at 10:17 using debug=3 output, which went well until, at 13:06, the final message appeared on my screen: a debug message about a browser job that timed out, right after that same browser job got created. I've considered piping the debug output into a text file so I might be able to upload it, but after only a few minutes it was already 8 MB, so that's not an option for a command that has to run for several hours.

    I've already gotten quite a bit of useful information, but because it keeps breaking, I haven't yet been able to complete a full scan. Is there any more advice you could give me?

  12. Support Staff 42 Posted by Tasos Laskos on 18 May, 2016 12:37 PM

    Redirecting to a file is your best bet. It'll probably grow to GBs, but you can tail it from a *nix box (unless Windows has something similar to tail) to inspect the last messages, which will be the interesting ones anyway.

  13. 43 Posted by nate.kerkhofs on 19 May, 2016 07:50 AM

    So another update since the last update:

    I ran Arachni for another 6 hours yesterday and again it didn't finish properly. At around 20:08:35 last night it downloaded the last page, then halted again. I attached the relevant chunk from the debug output file (which was 2.7 GB after ending the scan with control-C). Apparently it halted on another "0 unusable paths" page (line 677 413).

    I ran into another problem, though. After ending the scan and forcing Arachni to generate a report, it found 173 issues in total according to the debug output. However, when generating an HTML file from the attached report, it only generated a report with 73 issues. The generated alm.html.zip file was also smaller than the alm.com.afr (2.5 MB vs 1.7 MB). I really hope the .afr file isn't corrupted in some way. I was wondering if you could check whether it generates a proper .html.zip file with 173 issues on your end, as indicated by the CLI output when generating the report.

    Actually, scratch that last one. I forgot to add -- before the reporter param, so it just reported what was in the report.

  14. Support Staff 44 Posted by Tasos Laskos on 08 Aug, 2016 10:00 AM

    The fix should be available in the latest nightlies.
    If it doesn't work for you feel free to re-open this discussion.

  15. Tasos Laskos closed this discussion on 08 Aug, 2016 10:00 AM.
