Arachni Scan - OpenID Connect with OpenIG gateway - login_script

Malween Le Goffic

14 Nov, 2017 04:43 PM

Hello,

I found a problem with Arachni scanner and the login_script on my test infrastructure.
The problem raised by Arachni during the script_login phase was: "The script was executed successfully, but the login check failed".

I will quickly describe the infra used:
openam.entity1.com => (ForgeRock product) OpenAM AS & RS OIDC / Tomcat on 8080 / Cookie called iPlanetDirectoryPro
openig.entity2.com => (ForgeRock product) OpenIG / Tomcat on 8080 / Cookie called JSESSIONID
webapp.entity2.com => webapp / Tomcat on 8080 / Cookie called JSESSIONID

OpenAM plays the roles of Authorization Server and Resource Server; the user has to be authenticated by OpenAM to access the webapp.
OpenIG is a gateway and the OpenID Connect Relying Party that protects the webapp. When the user is authenticated, OpenIG transfers requests/responses to/from the web application/end user.
Webapp: a web application protected by the OIDC RP OpenIG.

Scenario:
1) The user tries to access the webapp through the OpenIG gateway
2) OpenIG redirects the user to OpenAM for authentication and consent
3) A code flow is used (invisible to the user)
4) The user is authenticated and can now access the web app through the OpenIG gateway (an OpenIG cookie is set, called JSESSIONID)
5) The user accesses the web app (a cookie from the webapp is set, called JSESSIONID too)

Here is the script :

browser.goto 'http://openig.entity2.com:8080/webapp'
sleep(2)
browser.text_field(:id => 'IDToken1').set 'demo'
browser.text_field(:id => 'IDToken2').set 'changeit'
sleep(2)
browser.button(:value => 'allow').click
sleep(2)
framework.options.session.check_url = browser.url
framework.options.session.check_pattern = 'logout'

The problem from Arachni login_script plugin is caused by the cookies with the same name "JSESSIONID". I just (in web.xml tomcat file) changed the openig cookie's name and the login_script works fine.

Maybe this post can help some people.

Just a question about the login script (I'm not very familiar with Ruby): are sleep() instructions really helpful for waiting for the page to load or not? :D

Best regards,

  1. Support Staff 1 Posted by Tasos Laskos on 20 Nov, 2017 10:48 AM

    Thanks for the heads up, I'd need a reproducible real world case to sort this out properly but this workaround should be helpful to others.

    As for sleep, it isn't really the way to go, it's better to use something like: http://www.rubydoc.info/gems/watir-webdriver/Watir%2FEventuallyPres...

    Cheers

  2. Tasos Laskos closed this discussion on 20 Nov, 2017 10:48 AM.
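
An added example (not from the thread and not Arachni's code): a Ruby check that parses the Set-Cookie headers seen along a login flow like the one in the original post and reports cookie names issued under more than one scope, such as the two JSESSIONID cookies. The responses, URL paths, cookie scopes and values are constructed, and the name-only lookup at the end is an assumed client behaviour, shown only to illustrate how a same-named cookie can be overwritten.

```ruby
require 'uri'

# Constructed sample: Set-Cookie headers for the flow in the post.
# URL paths, scopes and cookie values are made up for illustration.
SAMPLE_RESPONSES = [
  { url: 'http://openam.entity1.com:8080/openam/login',
    set_cookie: ['iPlanetDirectoryPro=AAAA1111; Domain=.entity1.com; Path=/'] },
  { url: 'http://openig.entity2.com:8080/openid/callback',
    set_cookie: ['JSESSIONID=GATEWAY123; Path=/; HttpOnly'] },
  { url: 'http://openig.entity2.com:8080/webapp/',
    set_cookie: ['JSESSIONID=WEBAPP456; Path=/webapp; HttpOnly'] }
].freeze

Cookie = Struct.new(:name, :value, :domain, :path)

# Parse one Set-Cookie header. Domain defaults to the responding host and
# Path to "/" (a simplification of the RFC 6265 default-path rule).
def parse_set_cookie(header, url)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  opts = attrs.to_h { |a| k, v = a.split('=', 2); [k.downcase, v] }
  domain = (opts['domain'] || URI(url).host).sub(/\A\./, '').downcase
  Cookie.new(name, value, domain, opts['path'] || '/')
end

def collect_cookies(responses)
  responses.flat_map { |r| r[:set_cookie].map { |h| parse_set_cookie(h, r[:url]) } }
end

# Cookie names that were issued under more than one (domain, path) scope.
def colliding_names(cookies)
  cookies.group_by(&:name)
         .transform_values { |cs| cs.map { |c| "#{c.domain}#{c.path}" }.uniq }
         .select { |_, scopes| scopes.size > 1 }
end

# Assumed behaviour of a client that indexes cookies by name only:
# the later cookie silently replaces the earlier one.
def name_only_jar(cookies)
  cookies.each_with_object({}) { |c, jar| jar[c.name] = c.value }
end

cookies = collect_cookies(SAMPLE_RESPONSES)
colliding_names(cookies).each do |name, scopes|
  puts "#{name} is set for #{scopes.join(' and ')}"
end
puts "name-only lookup keeps JSESSIONID=#{name_only_jar(cookies)['JSESSIONID']}"
```

Feeding it the Set-Cookie headers captured from a real run of the flow shows whether the gateway and the backend need distinct session cookie names, which is the workaround described in the original post.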
