Still having issues w/ URL+Pattern Checks on Custom Login
Apologies for the duplicate Tasos, you closed the other one before the weekend. I'm not sure exactly what's going on, but it doesn't appear the pattern check is properly parsing the body of check_url. The web app in question (using mootools and react) may be using a Shadow DOM to render certain aspects of the , but even on a static page I couldn't seem to get the pattern matching to work. At this point, I can just stick with checking pattern on a static page. I'm also spawning a new browser instance at the beginning of my custom login script, to pass the appropriate --ssl-protocol arg to phantomjs. That seems to work fine (without it, I render about:blank on loading the login page).
Logging doesn't seem to give much info, just a list of headers returned from a request and the message stating that the check failed. I can supply more info privately (screenshots). Login script is attached. Thanks..
- login_roo-latest.rb 804 Bytes
Support Staff 1 Posted by Tasos Laskos on 04 Apr, 2016 07:07 PM
That won't actually log you in since you're bypassing the system's browser and use your own.
What's the issue with the default? It uses --ssl-protocol=any so it should work, shouldn't it?
Btw, you can just re-open discussions, you don't have to create new ones.
Cheers
2 Posted by Neha on 04 Apr, 2016 07:20 PM
Y'know, that's what I thought as well - we're using HSTS and self-signed certs. I'm using a couple of other tools based on phantomjs (casperjs and wraith), where we also need to explicitly set 'tlsv1'. Otherwise, what happens is phantom loads 'about:blank' and errors out. With this script, I'm able to login, and I have the screenshots to prove it - captures taken from the script directly.
Otherwise, I'd like to know if there's a more orthogonal way to pass --ssl-protocol to the underlying phantomjs threads, besides directly hacking up browser.rb? That's what I wanted to avoid.
Support Staff 3 Posted by Tasos Laskos on 04 Apr, 2016 07:26 PM
The browser you're using does login but it's invisible to Arachni so the scanner isn't logged in.
I was actually mistaken when I mentioned Arachni's phantomjs SSL config, that's not what actually applies in this case.
You can set the global SSL configuration via the --http-ssl-* configuration, --http-ssl-version for starters and if that doesn't work you can use the rest to specify custom CA or keys or anything else you might need.
4 Posted by Neha on 04 Apr, 2016 07:45 PM
Hmm.. yeah. Removing the new browser declaration and including '--http-ssl-version TLSv1' option just results in a timeout using the same script. That's the strange part.
If I specify the protocol within the script, the script runs and logs in successfully, but with an explicit check_url, the rest of the arachni threads fail.. and it's clear that arachni is not scanning the post-login pages.
If I specify the version via command-line, the phantomjs thread will timeout waiting for the form to render.. of course, it won't appear, because the site doesn't actually load. There's some failure at tls negotiation.
Support Staff 5 Posted by Tasos Laskos on 04 Apr, 2016 07:46 PM
Can you try the nightlies?
There was a bug that was resolved recently that affected cleanup of SSL connections.
6 Posted by Neha on 05 Apr, 2016 02:44 PM
Ok, so I narrowed this down to a stale phantomjs version. I was running the apt package from ubuntu (which was a stale dependency for another tool). I've installed the latest phantomjs via npm, and that appears to work as far as tls/https negotiation. However now there's a new issue, related to how phantomjs and Selenium webdriver eval the login script. Our internal and external sites all use CSP.
I'm not really clear why selenium webdriver runs, but based on debug messages phantomjs is also used in parallel? Here's the current phantomjs issue#:
https://github.com/ariya/phantomjs/issues/13114
It was updated roughly 15 hours ago. I can confirm that this problem doesn't occur with phantomjs. Although the update does fix my issue, as I believe phantom-1.9.8 chokes on our set of strong cipher suites. Here's the error (sensitive info scrubbed):
[-] Login script: A runtime error was encountered while executing the login script. [-] Login script: [Selenium::WebDriver::Error::UnknownError] {errorMessage":"Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: \"script-src 'self' https://cdblah.segment.com https://api.3rdparty.com https://s3.amazonaws.com https://site.cloudfront.net \".\n","request":{"objectName":"","statusCode":200,"headers":{"Cache":"no-cache","Content-Type (org.openqa.selenium.WebDriverException) [-] Login script: /home/arachni/vendor/ruby/2.2.0/bundler/gems/arachni-0730baccced8/components/plugins/login_script.rb:23:in `eval'
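As an added example (not code from this thread or from Arachni), here is a small Ruby check that parses a Content-Security-Policy header like the scrubbed one quoted above and reports whether script-src, or its default-src fallback, permits 'unsafe-eval', which is what a WebDriver-driven login script that relies on eval needs; the sample policy is constructed.

```ruby
# Added example: decide from a site's CSP header whether page-side eval()
# will be refused, before relying on a login script that needs it.

# Parse a CSP header value into a hash of directive name => source list.
# Per the CSP spec, a repeated directive name is ignored (first wins).
def parse_csp(header)
  header.split(';').each_with_object({}) do |directive, acc|
    tokens = directive.strip.split(/\s+/)
    next if tokens.empty? || tokens.first.empty?
    name = tokens.shift.downcase
    acc[name] = tokens unless acc.key?(name)
  end
end

# The source list governing script evaluation: script-src if present,
# otherwise default-src, otherwise nil (no script restriction at all).
def script_sources(policy)
  policy['script-src'] || policy['default-src']
end

# true when scripts on the page may call eval() / new Function().
def eval_allowed?(header)
  sources = script_sources(parse_csp(header))
  return true if sources.nil?
  sources.map(&:downcase).include?("'unsafe-eval'")
end

# Constructed sample policy resembling the one quoted in the thread.
SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.example.invalid https://s3.amazonaws.com"

if __FILE__ == $0
  puts "eval allowed: #{eval_allowed?(SAMPLE_CSP)}"  # false: 'unsafe-eval' absent
end
```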
Support Staff 7 Posted by Tasos Laskos on 05 Apr, 2016 02:49 PM
Aren't you running Arachni from its official packages?
If so then the system will use its bundled PhantomJS executable at version 1.9.2 -- other versions have issues.
If you're not running Arachni from its package then I don't think I'll be able to help, too many things could be different in your environment.
I'd be glad to have a look at this myself though, you can send me the login script and the rest of the configuration privately via e-mail and I'll try to find and fix any issues.
tasos.laskos at gmail.com
Cheers
8 Posted by Neha on 05 Apr, 2016 03:12 PM
Our build pipeline basically requires we 'repackage' arachni as a service in our environment. This involves a set ruby version and a few other knobs. The arachni package is installed in a temporary environment, packed into a tarball, and redeployed onto a dedicated instance. I can't seem to identify where arachni installs phantom.
We install arachni like so (via make):
I'll contact you via email to clarify. Thanks!
9 Posted by Neha on 05 Apr, 2016 03:13 PM
Ah apologies - in this case $(FRAMEWORK_RELEASE) = experimental
Support Staff 10 Posted by Tasos Laskos on 11 Apr, 2016 12:29 PM
Closing this since we've moved to e-mail.
Tasos Laskos closed this discussion on 11 Apr, 2016 12:29 PM.