using login plugins

Andrew Dent's Avatar

Andrew Dent

30 Aug, 2016 05:39 AM

We are trying to get auto login or login script working with a website we are testing

For autologin we tried:

bin\arachni --plugin=autologin:url=https://www.xxxx.com.au,parameters="Username=xxxx&Password=xxxx",check="Log Out" --scope-exclude-pattern=LogOff https://www.xxxx.com.au

the response was a FormNotFound error, checking the code in chrome the form has no id and the action for the form is "/"

For login_script we tried:

bin\arachni --plugin=login_script:script="C:/Users/xxxx/Desktop/arachni-1.4-0.5.10-windows-x86_64/loginScript.js" --report-save-path=output.afr https://www.xxxx.com.au

where loginScript.js is:

response = http.post( 'https://www.xxxx.com.au/',
    parameters:     {
        'Username'   => 'xxxx',
        'Password' => 'xxxx'
    },
    mode:           :sync,
    update_cookies: true
)

framework.options.session.check_url     = to_absolute( response.headers.location, response.url )
framework.options.session.check_pattern = /Log Out/

On our windows 10 pc it failed to log in because of a Parse error, but on windows 8 it wasn't even able to open the script file and responded with the following:

C:\Users\xxxx\Desktop\arachni-1.4-0.5.10-windows-x86_64>bin\arachni --plugin=login_script:script="C:/Users/xxxx/Desktop/arachni-1.4-0.5.10-windows-x86_64/loginScript.js" --report-save-path=output.afr https://www.xxxx.com.au
Arachni - Web Application Security Scanner Framework v1.4
   Author: Tasos "Zapotek" Laskos <[email blocked]>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


[~] No checks were specified, loading all.
[~] No element audit options were specified, will audit links, forms, cookies, UI inputs, UI forms, JSONs and XMLs.

[*] Initializing...
[*] Preparing plugins...
[-] [ui/cli/framework#run:103] Invalid options for component: login_script
*  Invalid type: script => 'C:/Users/xxxx/Desktop/arachni-1.4-0.5.10-windows-x86_64/loginScript.js'
*  Expected type: path

I thought I was specifying the path to the file incorrectly but as I said above the same command line run in a windows 10 prompt gave a different error. Any ideas?

The parse error on windows 10 is probably a mistake in my script which I will take a closer look at before i ask more questions :)

  1. Support Staff 1 Posted by Tasos Laskos on 30 Aug, 2016 09:10 AM

    Tasos Laskos's Avatar

    Hello,

    You've specified a JS login script but the code is Ruby, try renaming it to have a .rb extension.

    Edit: You can also try the nightlies which include the latest bugfixes.

  2. 2 Posted by Andrew Dent on 31 Aug, 2016 01:56 AM

    Andrew Dent's Avatar

    That worked, script runs now :-)

    Check fails, but now that the script runs successfully we can play around with different checks until we get one that works. It may be the example where you use body instead of parameters to match to username and password may work better.

    Thanks for the help :-)

  3. Support Staff 3 Posted by Tasos Laskos on 01 Sep, 2016 03:36 PM

    Tasos Laskos's Avatar

    No problem, feel free re-open if you need further assistance.

    Cheers

  4. Tasos Laskos closed this discussion on 01 Sep, 2016 03:36 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac