Arachni can't login on ADFS through login_script(or proxy) since it does not store cookies from intermediate servers (during login process)

Sander's Avatar

Sander

28 Oct, 2016 05:40 PM

The subject almost says it all.

I am trying to login to an internal website with a username and password. Access is granted through ADFS and I can succesfully login through a browser or through Burpsuite.

However Arachni fails to properly login since it does not store and/or return the Cookies it receives from the login server. The proces is as follows (if all is correct):
1. arachniscanhost.FQDN.redacted (requires trusted login and redirects to 2) [2 requests]
2. portal.FQDN.redacted (here I have to choose the appropriate identity provider) [4 requests]
3. login.FQDN.redacted (Here Arachni receives 2 Cookies. MSIS and then something, Arachni does insert (POSTs) the u/p into the form fields, but doesn't return the Cookies) [3 requests]
Then it gets redirected back to the portal (1 request) and ultimately back to the scannable host (another 3 requests to get back to the main URL).

Unfortunately the login is invalid since it state got lost while the Cookies aren't saved. The Cookies get pushed in lines 797 and 798 and should be present in the following request (lines 857 - 866), but they are missing.

Attached the debuglog level 4 and the login script.

Please help with this problem; otherwise I have to use an external login script

  1. 1 Posted by Sander on 04 Nov, 2016 05:31 PM

    Sander's Avatar

    I have tried the same login sequence; this time with the proxy and I receive the message: "username or password incorrect" when I enter in the credentials.

    It appears though that the cookies do get collected but appear as part of the first hostname (arachni.scan.host) and not as part of the login.FQDN.redacted site.

  2. 2 Posted by Sander on 07 Nov, 2016 07:22 PM

    Sander's Avatar

    I have opened a bug report on Github for this problem.

    This problem may be closed.

  3. Tasos Laskos closed this discussion on 07 Nov, 2016 07:24 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac