tag:support.arachni-scanner.com,2012-07-01:/discussions/problems/5336-using-login_script-plugin-in-combination-with-arachni-rest-api-arachni-jenkins-plugin
Arachni: Discussion
2019-04-11T16:40:39Z
Using Login_Script Plugin in combination with ARACHNI REST API & ARACHNI Jenkins Plugin
<div><p>Hi,</p>
<p>I recently set up a dedicated ARACHNI Scanner to check Web Applications as part of our Software Development activities. Web Application Authentication is implemented with WebForms, so we use the ARACHNI Plugin Login_Script and a Ruby Script to execute the login. This setup works as intended when using the ARACHNI CLI.</p>
<p>The plan is to launch scans as part of the build chain from a Jenkins Server via the ARACHNI REST API and to store the scan reports locally in the Jenkins Workspace. This setup has been successfully deployed for an ARACHNI SCAN where the Web Application supports HTTP Basic AUTH using the ARACHNI AUTOLOGIN Plugin.</p>
<p>Calling the ARACHNI REST API through a python script using an ARACHNI JSON SCAN CONFIG and ARACHNI LOGIN_SCRIPT, the SERVER returns an Error 500. I fail to collect the detailed Error Message to get a better understanding of why it fails.</p>
<p>My assumption is: The script configured in the Plugin Login_Script section has to reside on the ARACHNI REST API Server and the path to the script is wrong.</p>
<p>The question is: can you give me any advice or point me to a section / ticket / blog entry so that I can resolve my issue?</p>
<p>Details:<br>
Using Arachni Version 1.5.1</p>
<p>FILE: test_arachni_scan.py</p>
<pre><code>#!/usr/bin/env python
# see the documentation how to use more options in the JSON call
# https://github.com/Arachni/arachni/wiki/REST-API
import json
import urllib2
import base64

# REST server URL and credentials are redacted in the original post.
ARACHNI_URL = 'https:///scans'
USERNAME = ''
PASSWORD = ''

req = urllib2.Request(ARACHNI_URL)
base64string = base64.b64encode('%s:%s' % (USERNAME, PASSWORD))
req.add_header("Authorization", "Basic %s" % base64string)
req.add_header('Content-Type', 'application/json')

# LIST SCANS: a plain GET to /scans, to confirm the server and the
# credentials are accepted before anything is started.
response = urllib2.urlopen(req)
print response.info()
html = response.read()
print html
response.close()

# START SCAN
data = json.loads(open('./arachni_configuration_file.json').read())

# The profile must be serialised back to a JSON string; passing the
# dict itself as the request body makes urllib2 send a malformed body.
req = urllib2.Request(ARACHNI_URL, json.dumps(data))
req.add_header("Authorization", "Basic %s" % base64string)
req.add_header('Content-Type', 'application/json')

try:
    response = urllib2.urlopen(req)
    print response.info()
    print response.read()
    response.close()
except urllib2.HTTPError as e:
    # On a 500 the detailed error message is in the body of the error
    # response, which the exception object exposes via read().
    print e
    print e.info()
    print e.read()
</code></pre>
<p>FILE: test_login.rb</p>
<pre><code># Login script for the Arachni login_script plugin; `browser` is the
# Watir browser object the plugin hands to the script. The target URL
# and the credentials are redacted in the original post.
browser.goto ''

form = browser.form( name: 'loginForm' )
form.text_field( name: 'j_username' ).set ''
form.text_field( name: 'j_password' ).set ''

form.submit
</code></pre>
<p>FILE: arachni_configuration_file.json</p>
<pre><code>{
  "url" : "",
  "audit" : { "parameter_values" : true, "exclude_vector_patterns" : [], "include_vector_patterns" : [], "link_templates" : [], "links" : false, "forms" : false, "cookies" : false, "headers" : false, "with_both_http_methods" : false, "cookies_extensively" : false, "jsons" : true, "xmls" : true, "ui_forms" : true, "ui_inputs" : true },
  "session" : { "check_url" : "", "check_pattern" : "(?-mix:Welcome)" },
  "browser_cluster" : { "local_storage" : {}, "wait_for_elements" : {}, "pool_size" : 6, "job_timeout" : 10, "worker_time_to_live" : 100, "ignore_images" : false, "screen_width" : 1600, "screen_height" : 1200 },
  "http" : { "user_agent" : "Arachni/v1.5.1", "request_timeout" : 10000, "request_redirect_limit" : 5, "request_concurrency" : 5, "request_queue_size" : 100, "request_headers" : {}, "response_max_size" : 500000, "cookies" : {}, "authentication_type" : "auto" },
  "datastore" : {},
  "scope" : { "redundant_path_patterns" : {}, "dom_depth_limit" : 2, "exclude_file_extensions" : [], "exclude_path_patterns" : [], "exclude_content_patterns" : [], "include_path_patterns" : [], "restrict_paths" : [], "extend_paths" : [], "url_rewrites" : {}, "page_limit" : 30, "include_subdomains" : false, "exclude_binaries" : false, "https_only" : false },
  "input" : { "values" : {}, "without_defaults" : true, "force" : false },
  "checks" : [ "code_injection", "code_injection_php_input_wrapper", "code_injection_timing", "csrf", "file_inclusion", "ldap_injection", "no_sql_injection", "no_sql_injection_differential", "os_cmd_injection", "os_cmd_injection_timing", "path_traversal", "response_splitting", "rfi", "session_fixation", "source_code_disclosure", "sql_injection", "sql_injection_differential", "sql_injection_timing", "trainer", "unvalidated_redirect", "unvalidated_redirect_dom", "xpath_injection", "xss", "xss_dom", "xss_dom_script_context", "xss_event", "xss_path", "xss_script_context", "xss_tag", "xxe", "allowed_methods", "backdoors", "backup_directories", "backup_files",
    "captcha", "common_admin_interfaces", "common_directories", "common_files", "cookie_set_for_parent_domain", "credit_card", "cvs_svn_users", "directory_listing", "emails", "form_upload", "hsts", "htaccess_limit", "html_objects", "http_only_cookies", "http_put", "insecure_client_access_policy", "insecure_cookies", "insecure_cors_policy", "insecure_cross_domain_policy_access", "insecure_cross_domain_policy_headers", "interesting_responses", "localstart_asp", "mixed_resource", "origin_spoof_access_restriction_bypass", "password_autocomplete", "private_ip", "ssn", "unencrypted_password_forms", "webdav", "x_frame_options", "xst" ],
  "platforms" : [ "unix", "mysql", "pgsql", "oracle", "mongodb", "apache", "iis", "jetty", "nginx", "tomcat", "django", "jsf" ],
  "plugins" : {
    "login_script" : { "script": "./test_login.rb" },
    "email_notify" : { "to" : "email@email.de", "cc" : "email@email.de", "bcc" : "", "from" : "email@email.de", "server_address" : "webmail.email.de", "server_port" : "25", "username" : "", "password" : "", "domain" : "email.de", "authentication" : "", "report" : "html" }
  },
  "no_fingerprinting" : false,
  "authorized_by" : null,
  "name" : "Jenkins-Default",
  "description" : "JSON Profile in use with Arachni Jenkins Plugin "
}
</code></pre></div>
Andreas von Keviczky
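Added example, not code from the post above and not the Arachni project's own: a Python 3 version of the same REST-API workflow (start a scan from a JSON profile, poll it, fetch the report) written so that the body of an HTTP error response is kept and raised instead of being lost, which is what the post is missing when it sees the bare "Error 500". It also runs a client-side check on the profile before sending it: following the poster's own assumption that the login_script path is opened on the REST-server host, a relative `script` path is flagged as a warning. The endpoints (`POST /scans`, `GET /scans/<id>`, `GET /scans/<id>/report.json`), the `"id"` and `"status"` fields, the HTTP Basic auth on the REST server, and the host name, credentials and profile used in `__main__` are assumptions taken from the wiki page the post links to or constructed here; `fake_transport` is a constructed stand-in for `urllib.request.urlopen` so the script runs offline.

```python
#!/usr/bin/env python3
"""Start an Arachni scan over the REST API and keep error bodies.

Added example (not from the post or the Arachni project). Assumed from
the REST-API wiki the post links to:
  POST /scans                  -> {"id": "<scan id>"}
  GET  /scans/<id>             -> progress JSON with a "status" field
  GET  /scans/<id>/report.json -> the finished report
The REST server is assumed to require HTTP Basic auth.
"""
import base64
import io
import json
import time
import urllib.error
import urllib.request


class ArachniApiError(Exception):
    """Carries the HTTP status and the server's own error body."""

    def __init__(self, status, body):
        super().__init__("Arachni REST API returned %d: %s" % (status, body))
        self.status = status
        self.body = body


def basic_auth_header(username, password):
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return "Basic " + token


def profile_warnings(profile):
    """Client-side sanity checks on the profile before it is sent.

    The login_script file is opened by the scanner process, i.e. on the
    REST-server host (the post's own assumption), so a path relative to
    the Jenkins workspace will not resolve there.
    """
    warnings = []
    if not profile.get("url"):
        warnings.append("profile has no target url")
    script = profile.get("plugins", {}).get("login_script", {}).get("script")
    if script is not None and not script.startswith("/"):
        warnings.append("login_script.script %r is relative; it is resolved "
                        "on the REST server, not on the client" % script)
    return warnings


def api_call(base_url, auth_header, path, method="GET", payload=None,
             urlopen=urllib.request.urlopen):
    """One JSON request; on an HTTP error raise with the response body."""
    body = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(base_url.rstrip("/") + path, data=body,
                                 method=method)
    req.add_header("Authorization", auth_header)
    req.add_header("Accept", "application/json")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urlopen(req) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as exc:
        # The detailed message is in the error response body, not in str(exc).
        raise ArachniApiError(exc.code, exc.read().decode(errors="replace")) from exc


def start_scan(base_url, auth_header, profile, urlopen=urllib.request.urlopen):
    return api_call(base_url, auth_header, "/scans", "POST", profile, urlopen)["id"]


def wait_for_scan(base_url, auth_header, scan_id, urlopen=urllib.request.urlopen,
                  sleep=time.sleep, interval=10):
    """Poll until the scan reports status "done"; return the final progress."""
    while True:
        progress = api_call(base_url, auth_header, "/scans/%s" % scan_id,
                            urlopen=urlopen)
        if progress.get("status") == "done":
            return progress
        sleep(interval)


def fetch_report(base_url, auth_header, scan_id, urlopen=urllib.request.urlopen):
    return api_call(base_url, auth_header, "/scans/%s/report.json" % scan_id,
                    urlopen=urlopen)


def fake_transport(*responses):
    """Constructed stand-in for urlopen: (status, body) pairs served in
    order, the last one repeating; status >= 400 raises HTTPError."""
    queue = list(responses)

    def urlopen(req):
        status, body = queue.pop(0) if len(queue) > 1 else queue[0]
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "error", {},
                                         io.BytesIO(body.encode()))
        return io.BytesIO(body.encode())
    return urlopen


if __name__ == "__main__":
    base = "https://scanner.example:7331"              # hypothetical host
    auth = basic_auth_header("jenkins", "secret")      # hypothetical creds
    profile = {"url": "http://target.example/",        # constructed profile
               "plugins": {"login_script": {"script": "./test_login.rb"}}}
    for w in profile_warnings(profile):
        print("warning:", w)
    failing = fake_transport((500, '{"error": "No such file or directory"}'))
    try:
        start_scan(base, auth, profile, urlopen=failing)
    except ArachniApiError as err:
        print("scan not started:", err.status, err.body)
    working = fake_transport((200, '{"id": "0123abcd"}'),
                             (200, '{"status": "scanning"}'),
                             (200, '{"status": "done"}'),
                             (200, '{"issues": []}'))
    sid = start_scan(base, auth, profile, urlopen=working)
    wait_for_scan(base, auth, sid, urlopen=working, sleep=lambda s: None)
    print("report:", fetch_report(base, auth, sid, urlopen=working))
```

Against a real server, drop the `urlopen=` arguments so the default `urllib.request.urlopen` is used, and write the dict returned by `fetch_report` to the Jenkins workspace; the `urlopen` and `sleep` parameters exist only so the flow can be exercised without a scanner.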