Problem with scope-exclude-pattern and maintaining a valid session

clabc11

07 Feb, 2017 10:23 AM

I'm scanning a Java-based web application, where logging out is done by a POST request to the main application address, whose content looks like this:

topMenuForm=topMenuForm&topMenuForm%3AbuttonLogout=&javax.faces.ViewState=-4381406600000008637%3A0000000000290172245

I have configured Arachni to use a session cookie, so first I log in with a browser and then set this cookie using the --http-cookie-string parameter, but shortly after the scan starts, Arachni logs out.
I was trying to use --scope-exclude-pattern and set it to the button name, but it doesn't work.
The logout button looks like this:

Logout: user1

My configuration (the cookie string was originally quoted with a mismatched ' and "; quoting made consistent here):

bin\arachni.bat http://10.0.00.000:8070/main/ --http-cookie-string="JSESSIONID=DdZ1sdsdasdadjjjiyAS; Path=/main" --scope-exclude-pattern=" Logout: user1" --session-check-url http://10.0.00.000:8070/main/ --session-check-pattern " Logout: user1" --scope-extend-paths links.txt

I would be grateful for any help.

  1. Posted by Tasos Laskos (Support Staff) on 07 Feb, 2017 10:27 AM

    You need to exclude based on the logout URL, not the button.
    Also, more reliable ways to perform an authenticated scan can be found at: http://support.arachni-scanner.com/kb/general-use/logging-in-and-ma...

    By using either the autologin or login_script plugins the system will be able to re-login if its session expires.

  2. Posted by clabc11 on 07 Feb, 2017 10:38 AM

    Thank you. So if logout is done by a request to the main page, is it possible to exclude requests to the main page and allow requests to sub-pages?
    Is this the proper syntax for scope-exclude-pattern?
    --scope-exclude-pattern="http://10.0.00.000:8070/main/"

  3. Posted by Tasos Laskos (Support Staff) on 07 Feb, 2017 10:44 AM

    Unfortunately not, but in this case you can exclude the parameters that will trigger the logout via something like --audit-exclude-vector=buttonLogout.

    Although, to be honest, that's just for the audit; the browsers may still click the button as part of the DOM exploration/crawl process.
    Still, give it a try and if it doesn't work I'll see what I can do.
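To make the distinction in the answer above concrete, here is an added Ruby illustration (not Arachni's own code): the logout POST from the question and an ordinary request share the same URL, so a pattern evaluated against the URL cannot tell them apart, whereas a vector exclusion such as buttonLogout is matched against the decoded parameter names, and the session check looks for the check pattern in a page body. MENU_BODY and the two page bodies are constructed samples.

```ruby
require 'uri'

MAIN_URL = 'http://10.0.00.000:8070/main/'

# The logout POST body quoted in the question.
LOGOUT_BODY = 'topMenuForm=topMenuForm&topMenuForm%3AbuttonLogout=&' \
              'javax.faces.ViewState=-4381406600000008637%3A0000000000290172245'
# Constructed: the same form submitted to the same URL without the logout button.
MENU_BODY = 'topMenuForm=topMenuForm&' \
            'javax.faces.ViewState=-4381406600000008637%3A0000000000290172245'

# Scope exclusion (--scope-exclude-pattern) only sees the URL.
def excluded_by_scope?(url, pattern)
  !!(url =~ pattern)
end

# Vector exclusion (--audit-exclude-vector) sees the decoded input names,
# so "topMenuForm%3AbuttonLogout" becomes "topMenuForm:buttonLogout".
def carries_excluded_vector?(body, vector_pattern)
  URI.decode_www_form(body).any? { |name, _| name =~ vector_pattern }
end

# Session check (--session-check-pattern): the page fetched from the
# check URL must still contain the pattern for the session to count as alive.
def session_alive?(page_body, check_pattern)
  !!(page_body =~ check_pattern)
end

# Decide how a request to MAIN_URL should be treated.
def classify_request(url, body)
  return :out_of_scope if excluded_by_scope?(url, %r{/main/$})
  return :logout_vector if carries_excluded_vector?(body, /buttonLogout/)
  :auditable
end
```

Note that excluding the main URL by scope marks both requests out of scope, while the vector rule only flags the one that actually carries the logout button.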

  4. Posted by clabc11 on 07 Feb, 2017 11:47 AM

    Thank you, now the session is active longer, but still after some time the scanner logs out.

  5. Posted by Tasos Laskos (Support Staff) on 07 Feb, 2017 03:50 PM

    I was afraid of that, let me run some tests and get back to you.
