Can't authenticate with login_script against centralized AD web service.
I'm trying to scan as an authenticated user where we have one web service that does all authentication backed by active directory.
The process is you visit a site, if you are not authenticated you will be redirected to the AD service with a URL callback. After successfully authenticating you are redirected back to the original URL.
I have tried creating a login_script, but I end up receiving an error "The script was executed successfully, but the login check failed." I've been at this for several days and making no progress.
I have tried this using both browser & browserless versions of the script (http.post vs browser.goto). Currently my script looks something like this.
browser.goto 'https://login.authenticator.com/login.page?service=https%3A%2F%2Foriginaldomain.com%2Fsessions%2Flogin_tool'
form = browser.form(name: 'loginForm')
form.text_field(name: 'username').set 'me'
form.text_field(name: 'password').set 'password'
form.submit
framework.options.session.check_url = browser.url
framework.options.session.check_pattern = /Log Out/
I then execute this using
./arachni --plugin=login_script:script="login.rb" --report-save-path=output.afr https://originaldomain.com
A related question; is there a way to have this open a real browser like Firefox rather than using phantomjs so that a user can see what is happening as arachni is running?
Comments are currently closed for this discussion. You can start a new one.
Keyboard shortcuts
Generic
? | Show this help |
---|---|
ESC | Blurs the current field |
Comment Form
r | Focus the comment reply box |
---|---|
^ + ↩ | Submit the comment |
You can use Command ⌘
instead of Control ^
on Mac
Support Staff 1 Posted by Tasos Laskos on 04 Apr, 2017 11:38 AM
You can add this to the top:
The comment all
framework
references and run it withbin/arachni_script
. It won't help with the log-in but it will show you what a browser does.Also, you can take screenshots using
browser.screenshot.save "screenshot.png"
at any point in your login script. The screenshot approach is more reliable as it will show you what's really going on, Firefox may behave differently.2 Posted by joiey.seeley on 04 Apr, 2017 02:08 PM
When I try that I am getting an error from Selenium.
Support Staff 3 Posted by Tasos Laskos on 06 Apr, 2017 01:37 PM
Hm, ok this is out of my hands, can you try the screenshot approach please while running the script via Arachni proper?
Tasos Laskos closed this discussion on 12 May, 2017 12:44 PM.