Checking a valid session using --session-check-url and --session-check-pattern does not work at all

Posted by jingxus on 08 Feb, 2018 07:24 PM

I tried to give arachni a valid cookie and check whether there is a valid session. But from the logs, it shows that arachni was not able to use these two parameters.

arachni --http-proxy= --http-cookie-jar=cookies.txt --session-check-url=https://xxxxx/account/settings/profile --session-check-pattern=">Log out<" --scope-exclude-pattern=logout,png --scope-directory-depth-limit=10 --audit-forms https://xxxx --output-debug=1
Arachni - Web Application Security Scanner Framework v1.5.1
Author: Tasos "Zapotek" Laskos

   (With the support of the community and the Arachni Team.)

[~] No checks were specified, loading all.
[] Initializing...
[] Preparing plugins...
[] ... done.
[] BrowserCluster: Initializing 6 browsers...

  1. Posted by jingxus on 09 Feb, 2018 04:10 AM

    I thought it was not working at the beginning, but later I figured out that it was checking; it just did not check the login session at the beginning, it checked in the middle of the other scanning, which still does not make any sense to me.

  2. Posted by bWF0dC50b3JiaW4... on 09 Feb, 2018 08:32 PM

    jingxus, I noticed something with my own testing that you might find helpful. I was trying to check session with what the user would see. The problem is that in between the first POST request and our final 200 OK, there are several 302 and 304 redirects. This causes all sorts of issues for session validation.

    However, what seems to be working (I'm testing now) was to find one request/response that would result in a 200 OK if a valid session is found, which doesn't necessarily have to be a visual endpoint. In our case, I found a dependency call that worked just fine. I'll let you know what happens after the scan is complete; hopefully this helps you as well.

  3. Posted by jingxus on 12 Feb, 2018 08:45 PM

    Yes, that would help, thank you.
    My question is: when you do the session check, it will not abort if the check fails, right? It will go through all the other scanning. It is not like the session check when you use the autologin plugin. If you use the auto-login plugin, it will immediately log in and check whether it succeeded. If not, it will abort.
    I was expecting the same behavior when I use the cookies to do the session check, but it was different.

  4. Posted by bWF0dC50b3JiaW4... on 12 Feb, 2018 09:05 PM

    Of course. I'm super happy to help the community. As to your question, keeping in mind that I'm not yet a full "expert" with this software, it seems to me that the session check needs to be combined with something; in other words, the session check itself is only qualifying a boolean value, not actually trying to log in.

    Assuming this to be true, then you either use the autologin plugin (which will abort if the check fails, you're right) or something like the input values and hope that the login form page gets scanned.

    Please keep in mind, though, that the session check is dependent upon the body of the payload, not the headers. Specifically, if you only pass back headers from the URL that you're using for the qualifier, this may not work. This is why we chose a dependency file and not an actual endpoint for our scans.
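The criterion the thread converges on (the check URL should answer 200 on the first response, and the pattern has to occur in that response's body, not in its headers) is easy to verify before launching a scan. The script below is an added example, not code from Arachni or from either poster, and it makes no claim about Arachni internals beyond what the posts state. It loads the same Netscape-format cookies.txt that --http-cookie-jar takes, requests the candidate URL without auto-following redirects, and reports why a URL is unsuitable (first response is a 3xx, or a 200 whose body lacks the pattern). The target.example URLs and the SAMPLE_SITE responses are constructed for the offline demonstration and are not captured from any real site.

```python
"""Pre-flight check for arachni's --session-check-url / --session-check-pattern.
Added example, not part of the Arachni project; applies the criterion stated
in the thread: first response must be 200 and the pattern must be in its body."""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import MozillaCookieJar

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def load_cookie_jar(path):
    """Load a Netscape-format cookies.txt, the format --http-cookie-jar reads."""
    jar = MozillaCookieJar(path)
    jar.load(ignore_discard=True, ignore_expires=True)
    return jar


def make_fetcher(jar):
    """Build fetch(url) -> (status, lowercase-header dict, body). Redirects are
    deliberately not auto-followed so we see the same first response a scanner would."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # turn a 3xx into an HTTPError handled below

    opener = urllib.request.build_opener(NoRedirect, urllib.request.HTTPCookieProcessor(jar))

    def fetch(url):
        try:
            with opener.open(url, timeout=15) as resp:
                status, headers, raw = resp.status, resp.headers, resp.read()
        except urllib.error.HTTPError as err:
            status, headers, raw = err.code, err.headers, err.read()
        return status, {k.lower(): v for k, v in headers.items()}, raw.decode("utf-8", "replace")
    return fetch


def trace(fetch, url, max_hops=MAX_HOPS):
    """Follow redirects by hand; returns [(url, status, body), ...] one per hop."""
    hops = []
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        hops.append((url, status, body))
        if status in REDIRECT_CODES and headers.get("location"):
            url = urllib.parse.urljoin(url, headers["location"])
            continue
        break
    return hops


def evaluate(fetch, url, pattern):
    """Verdict plus diagnostics explaining why a check URL is (un)suitable."""
    regex = re.compile(pattern)
    hops = trace(fetch, url)
    _, first_status, first_body = hops[0]
    first_match = regex.search(first_body) is not None
    ok = first_status == 200 and first_match
    reasons = []
    if first_status in REDIRECT_CODES:
        reasons.append(f"first response is a {first_status} redirect; choose a URL that answers 200 directly")
    elif first_status != 200:
        reasons.append(f"first response is {first_status}, not 200")
    elif not first_match:
        reasons.append(f"200 but pattern not found in a {len(first_body)}-byte body (headers are not checked)")
    if not ok and regex.search(hops[-1][2]):
        reasons.append(f"pattern only appears after {len(hops) - 1} redirect(s), at {hops[-1][0]}")
    return {"ok": ok, "hops": [(u, s) for u, s, _ in hops], "reasons": reasons}


# Constructed sample responses (hypothetical host, not a real capture) mirroring the
# thread: the profile page redirects first, the trailing-slash variant answers 200
# with the logout link, and a header-only endpoint carries nothing in its body.
SAMPLE_SITE = {
    "https://target.example/account/settings/profile":
        (302, {"location": "/account/settings/profile/"}, ""),
    "https://target.example/account/settings/profile/":
        (200, {}, '<html><body><a href="/logout">Log out</a></body></html>'),
    "https://target.example/api/session/ping":
        (200, {"x-session-valid": "1"}, ""),
}


def sample_fetch(url):
    """Offline stand-in for make_fetcher(); unknown URLs get a 404."""
    return SAMPLE_SITE.get(url, (404, {}, "not found"))


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} cookies.txt URL PATTERN", file=sys.stderr)
        return 2
    result = evaluate(make_fetcher(load_cookie_jar(argv[1])), argv[2], argv[3])
    for u, s in result["hops"]:
        print(f"{s} {u}")
    for r in result["reasons"]:
        print("!", r)
    print("OK" if result["ok"] else "NOT SUITABLE")
    return 0 if result["ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 session_check_preflight.py cookies.txt 'https://.../account/settings/profile' '>Log out<'` with the same cookie jar, URL and pattern you intend to pass to arachni. A non-zero exit with "first response is a 302 redirect" is the situation from the second post; the fix is to pick the URL the redirect lands on, or a dependency request that returns 200 with the pattern in its body, rather than the visual endpoint.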
