input parameters supplied via --input-value do not get used
I'm using arachni on the command line:
arachni --audit-forms --browser-cluster-wait-for-element='withElement:#form-login' https://my-site.com/ --checks=xss* --input-value='username:[email blocked]' --input-value='password:a' --http-response-max-size=5000000
arachni correctly finds the login form and submits it:
[*] XSS in script context: Analyzing response #595 for form input 'password' pointing to: 'https:///my-site.com/api/auth/token'
[*] XSS in script context: Analyzing response #594 for form input 'username' pointing to: 'https:///my-site.com/api/auth/token'
I have enabled postdata logging on nginx to see what gets submitted,
but it never uses the data I supplied on the command line ([email blocked], a) for the fields password and username.
Instead I see things like:
52.50.36.35 - - [29/Jun/2017:22:25:25 +0000] "POST /api/auth/token HTTP/1.1" 400 297 "https://my-site.com/forgot_password" "Arachni/v2.0dev" "grant_type=password&username=arachni_name&password=5543!%25arachni_secret
What am I doing wrong?
Thx for hints.
Support Staff 1 Posted by Tasos Laskos on 01 Jul, 2017 11:25 AM
Can you show me the HTML of the form please?