input parameters supplied via --input-value do not get used

bernhard.schelling's Avatar

bernhard.schelling

29 Jun, 2017 10:33 PM

I'm using arachni on the commandline:

arachni --audit-forms --browser-cluster-wait-for-element='withElement:#form-login' https://my-site.com/ --checks=xss* --input-value='username:[email blocked]' --input-value='password:a' --http-response-max-size=5000000

arachni correctly finds the login form and submits it:

[*] XSS in script context: Analyzing response #595 for form input 'password' pointing to: 'https:///my-site.com/api/auth/token'
[*] XSS in script context: Analyzing response #594 for form input 'username' pointing to: 'https:///my-site.com/api/auth/token'

i have enabled postdata logging on nginx to see what gets submitted:
but it never uses the data i supplied on command line ([email blocked], a) for the fields password and username
instead i see things like
52.50.36.35 - - [29/Jun/2017:22:25:25 +0000] "POST /api/auth/token HTTP/1.1" 400 297 "https://my-site.com/forgot_password" "Arachni/v2.0dev" "grant_type=password&username=arachni_name&password=5543!%25arachni_secret

what am i doing wrong?
thx for hints.

  1. Support Staff 1 Posted by Tasos Laskos on 01 Jul, 2017 11:25 AM

    Tasos Laskos's Avatar

    Can you show me the HTML of the form please?

Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:

»

Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac