Can't authenticate with login_script against centralized AD web service.

joiey.seeley

03 Apr, 2017 07:31 PM

I'm trying to scan as an authenticated user where we have one web service that does all authentication backed by Active Directory.

The process is you visit a site, if you are not authenticated you will be redirected to the AD service with a URL callback. After successfully authenticating you are redirected back to the original URL.

I have tried creating a login_script, but I end up receiving an error "The script was executed successfully, but the login check failed." I've been at this for several days and making no progress.

I have tried this using both browser & browserless versions of the script (http.post vs browser.goto). Currently my script looks something like this.

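# Open the central login page, passing the original site as the callback.
browser.goto 'https://login.authenticator.com/login.page?service=https%3A%2F%2Foriginaldomain.com%2Fsessions%2Flogin_tool'

# Fill in and submit the login form.
form = browser.form(name: 'loginForm')
form.text_field(name: 'username').set 'me'
form.text_field(name: 'password').set 'password'

form.submit

# Login check: the URL to request and the pattern its response must contain.
framework.options.session.check_url = browser.url
framework.options.session.check_pattern = /Log Out/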

I then execute this using

./arachni --plugin=login_script:script="login.rb" --report-save-path=output.afr https://originaldomain.com

A related question: is there a way to have this open a real browser like Firefox rather than using PhantomJS so that a user can see what is happening as Arachni is running?

  1. Support Staff 1 Posted by Tasos Laskos on 04 Apr, 2017 11:38 AM

    You can add this to the top:

    browser = Watir::Browser.new(:firefox)
    

    Then comment out all framework references and run it with bin/arachni_script. It won't help with the log-in but it will show you what a browser does.

    Also, you can take screenshots using browser.screenshot.save "screenshot.png" at any point in your login script. The screenshot approach is more reliable as it will show you what's really going on; Firefox may behave differently.

  2. 2 Posted by joiey.seeley on 04 Apr, 2017 02:08 PM

    When I try that I am getting an error from Selenium.

    /Users/me/Downloads/arachni-1.5.1-0.5.12/system/gems/gems/selenium-webdriver-3.0.1/lib/selenium/webdriver/remote/response.rb:72:in `assert_ok': status code 500 (Selenium::WebDriver::Error::ServerError)
    /Users/me/Downloads/arachni-1.5.1-0.5.12/system/gems/gems/selenium-webdriver-3.0.1/lib/selenium/webdriver/remote/response.rb:32:in `initialize'
    /Users/me/Downloads/arachni-1.5.1-0.5.12/system/gems/gems/selenium-webdriver-3.0.1/lib/selenium/webdriver/remote/http/common.rb:81:in `new'
    /Users/me/Downloads/arachni-1.5.1-0.5.12/system/gems/gems/selenium-webdriver-3.0.1/lib/selenium/webdriver/remote/http/common.rb:81:in `create_response'
    /Users/me/Downloads/arachni-1.5.1-0.5.12/system/gems/gems/selenium-webdriver-3.0.1/lib/selenium/webdriver/remote/http/default.rb:86:in `request'
    /Users/me/Downloads/arachni-1.5.1-0.5.12/system/gems/gems/selenium-webdriver-3.0.1/lib/selenium/webdriver/remote/http/common.rb:59:in `call'
    /Users/me/Downloads/arachni-1.5.1-0.5.12/system/gems/gems/selenium-webdriver-3.0.1/lib/selenium/webdriver/remote/w3c_bridge.rb:659:in `raw_execute'
    /Users/me/Downloads/arachni-1.5.1-0.5.12/system/gems/gems/selenium-webdriver-3.0.1/lib/selenium/webdriver/remote/w3c_bridge.rb:132:in `create_session'
    /Users/me/Downloads/arachni-1.5.1-0.5.12/system/gems/gems/selenium-webdriver-3.0.1/lib/selenium/webdriver/remote/w3c_bridge.rb:89:in `initialize'
    /Users/me/Downloads/arachni-1.5.1-0.5.12/system/gems/gems/selenium-webdriver-3.0.1/lib/selenium/webdriver/firefox/w3c_bridge.rb:34:in `initialize'
    /Users/me/Downloads/arachni-1.5.1-0.5.12/system/gems/gems/selenium-webdriver-3.0.1/lib/selenium/webdriver/common/driver.rb:52:in `new'
    /Users/me/Downloads/arachni-1.5.1-0.5.12/system/gems/gems/selenium-webdriver-3.0.1/lib/selenium/webdriver/common/driver.rb:52:in `for'
    /Users/me/Downloads/arachni-1.5.1-0.5.12/system/gems/gems/selenium-webdriver-3.0.1/lib/selenium/webdriver.rb:82:in `for'
    /Users/me/Downloads/arachni-1.5.1-0.5.12/system/gems/gems/watir-webdriver-0.8.0/lib/watir-webdriver/browser.rb:45:in `initialize'
    u3login.rb:14:in `new'
    u3login.rb:14:in `<top (required)>'
    /Users/me/Downloads/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/bin/arachni_script:32:in `load'
    /Users/me/Downloads/arachni-1.5.1-0.5.12/system/gems/gems/arachni-1.5.1/bin/arachni_script:32:in `<top (required)>'
    /Users/me/Downloads/arachni-1.5.1-0.5.12/bin/../system/arachni-ui-web/bin/arachni_script:17:in `load'
    /Users/me/Downloads/arachni-1.5.1-0.5.12/bin/../system/arachni-ui-web/bin/arachni_script:17:in `<main>'
    
  3. Support Staff 3 Posted by Tasos Laskos on 06 Apr, 2017 01:37 PM

    Hm, ok this is out of my hands, can you try the screenshot approach please while running the script via Arachni proper?

  4. Tasos Laskos closed this discussion on 12 May, 2017 12:44 PM.
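
Added example, not part of the thread and not Arachni's own code: a small Ruby helper for narrowing down a failed login check in the redirect flow described in the original post, by looking at where the browser ended up and whether the check pattern is present. The method names and the sample pages are constructed for illustration; the hosts, callback URL and /Log Out/ pattern are the ones quoted in the post.

```ruby
require 'uri'

# Added example, not code from the thread. Method names and the sample pages
# are constructed; the hosts and /Log Out/ pattern are the ones in the post.

# Login URL for the central service: the callback is passed percent-encoded
# in the "service" query parameter, as in the URL the script opens.
def sso_login_url(login_page, callback)
  "#{login_page}?service=#{URI.encode_www_form_component(callback)}"
end

# Classify where the browser ended up after the form was submitted.
def diagnose_login(final_url, html, app_host:, sso_host:, pattern:)
  host = URI.parse(final_url).host
  return :still_on_sso_host if host == sso_host # never redirected back
  return :unexpected_host unless host == app_host
  html.match?(pattern) ? :check_passes : :pattern_missing
rescue URI::InvalidURIError
  :unparseable_url
end

# Constructed samples: name => [final URL, page body]
SAMPLES = {
  bounced: ['https://login.authenticator.com/login.page?error=1', '<form name="loginForm">'],
  wrong_case: ['https://originaldomain.com/sessions/login_tool', '<a href="/logout">Log out</a>'],
  ok: ['https://originaldomain.com/sessions/login_tool', '<a href="/logout">Log Out</a>']
}.freeze

def run_samples
  SAMPLES.transform_values do |url, html|
    diagnose_login(url, html, app_host: 'originaldomain.com',
                   sso_host: 'login.authenticator.com', pattern: /Log Out/)
  end
end

# Inside a login script the inputs would be browser.url and browser.html
# (Watir accessors), read right after form.submit.
puts run_samples.inspect if __FILE__ == $PROGRAM_NAME
```

The `wrong_case` sample shows that /Log Out/ is case-sensitive, so a page that renders the link as "Log out" fails the check even though the session is valid.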
