Failure to authenticate due to hidden field in form submit

10 Jul, 2016 02:40 PM

I've read up on what appears to be similar ( and but cannot see how to do this because one of the parameters I have to include is variable and changes with each GET.

I can login and authenticate just fine if I use curl with the appropriate calculated values (by analysing the returned form), so I know if I can get Arachni to do the same, it will all work fine.

The main login form has the following (trimmed as otherwise the forum tries to render it :-)):

    <form action="/signin/?originalurl=%2f" method="post">
    <input name="__RequestVerificationToken" type="hidden" value="RP5v458ETOsbANhBUEyCuClwEUL5ddYmaDLFrBJzcGhKEyU6yfQckRnDFX161Npnjv0g4KTfPBF38apavpvWe0KanmGNJz6-nzdye5BtmCg1">

    <label for="username">Username</label>
    <input type="text" maxlength="255" name="username" id="username" />

    <label for="password">Password</label>
    <input type="password" maxlength="127" name="password" id="password"  />

etc etc. I have tried using the format

    arachni --plugin=autologin:url=,parameters="username=somebody&password=blahblah",check="Sign Off" --scope-exclude-pattern=logout

But I do not know how to craft the changing parameter as I'd have to read the form returned, extract the "__RequestVerificationToken" and insert it. This actually works fine using a shell script and curl. What I send there is something like:

[code to extract the RequestVerification token]

    curl $CURL_FLAGS --data "username=somebody&password=blahbah&__RequestVerificationToken=$TOKEN" https://myurl/signin/

I understand Arachni has CSRF capability but do not understand how to tell it to insert the additional parameter (dynamically read from the returned form) along with my username/password info when it POSTS.

Thanks for any pointers

  1. Posted by Mike on 11 Jul, 2016 09:48 AM

    As a temporary fix, I have used my bash+curl script to login the session, and then passed the cookie jar file to arachni with --http-cookie-jar. This works. But I would still be interested in how to pass these variable fields...

  2. Posted by Tasos Laskos (Support Staff) on 14 Jul, 2016 09:06 AM

    Your original approach using the autologin plugin should have worked, what messages are you seeing?
    Also, are you sure you've specified a correct check option?

  3. Posted by Mike on 15 Jul, 2016 03:05 PM

    There are no error messages that I can see. I am unable to pass in this extra hidden field (as I don't know how to specify it because it's returned to the client (arachni) as the response to the initial GET). All that happens is arachni continually tries to get the page and login, and the server refuses to login (as the full data has not been passed - the hidden field in particular) so returns the user to the main login page again. This just goes round and round and never changes.

    Can you clarify: the autologin parameters I set above ... they are correct as far as you see them?

    The reason I specified check as "Sign Off" is that text appears in the form page when you successfully login (I tried that manually) and does NOT appear anywhere until you have signed in. It's the sort of thing you see under a Profile name in the top corner of a signed-in site (like a forum etc).

  4. Posted by Tasos Laskos (Support Staff) on 15 Jul, 2016 03:39 PM

    The autologin plugin doesn't just send the parameters you've specified, it uses them to fill in and submit the form, so that hidden field should be sent to the server.

    I can't say what the problem is without access to the web application but for a more flexible approach please see the login_script plugin:

  5. Tasos Laskos closed this discussion on 03 Aug, 2016 02:19 PM.
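
The bash+curl workaround from comment 1, written out as an added example (not code from the thread or from the Arachni project): it fetches the sign-in form, extracts the per-request `__RequestVerificationToken`, posts it with the credentials, and saves the session to a cookie jar for `--http-cookie-jar`. The function names, the `LOGIN_*` and `COOKIE_JAR` variables and the sample form are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample of the sign-in form (the token value is made up).
SAMPLE_FORM='<form action="/signin/?originalurl=%2f" method="post">
<input name="__RequestVerificationToken" type="hidden"
       value="CONSTRUCTED-token_123">
<input type="text" name="username" id="username" /></form>'

# Read HTML on stdin and print the hidden anti-CSRF token value.
# Handles multi-line tags, either quote style and any attribute order.
extract_token() {
  token=$(tr '\n' ' ' | tr '<' '\n' |
    grep -i "name=[\"']__RequestVerificationToken[\"']" | head -n 1 |
    sed -n "s/.*value=[\"']\([^\"']*\)[\"'].*/\1/p")
  [ -n "$token" ] || return 1   # fail instead of posting an empty token
  printf '%s\n' "$token"
}

# GET the form, then POST the credentials plus the fresh token.
# Both requests share one jar because an anti-CSRF token is usually
# validated against a cookie issued together with the form.
login_and_save_cookies() {
  url=$1; user=$2; pass=$3; jar=$4
  token=$(curl -sS -c "$jar" -b "$jar" "$url" | extract_token) || {
    echo "no __RequestVerificationToken found at $url" >&2; return 1; }
  curl -sS -c "$jar" -b "$jar" -o /dev/null \
    --data-urlencode "username=$user" \
    --data-urlencode "password=$pass" \
    --data-urlencode "__RequestVerificationToken=$token" "$url"
}

# Only touch the network when LOGIN_URL is set (hypothetical variable names).
if [ -n "${LOGIN_URL:-}" ]; then
  jar=${COOKIE_JAR:-cookies.txt}
  login_and_save_cookies "$LOGIN_URL" "$LOGIN_USER" "$LOGIN_PASS" "$jar" &&
    echo "session saved; scan with: arachni --http-cookie-jar=$jar --scope-exclude-pattern=logout <target>"
fi
```

The token is sent with `--data-urlencode` because such values can contain characters that a plain `--data` string would pass through unescaped.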
