Login_Script check_pattern Failing
Tasos, although I am new to Arachni, you have done extraordinary work on this Framework.
I have been working on a Login_Script against WebGoat on a Kali
Linux VM. I have tried multiple patterns to use as the check
pattern, but the only time the script works is when I use '/.*/'
which does not properly handle logging in during the scan. I have
read multiple discussions, including ones specifically about
login_script and WebGoat, but have come up with nothing but errors.
The only error I see when I add a different check_pattern:
[components/plugins/login_scripts#set_status:99] Login
script: The script was executed successfully, but the login check
failed.
Here is my current login_script.rb that I am running:
response = http.get( 'http://127.0.0.2:8080/WebGoat/login.mvc',
parameters: {
'username' => 'webgoat',
'password' => 'webgoat'
},
mode: :sync,
update_cookies: true
)
framework.options.session.check_url = 'http://127.0.0.2:8080/WebGoat/start.mvc' # I have tried multiple check_url arguments including /lessonmenu.mvc which you provided in another post about WebGoat
framework.options.session.check_pattern = /.*/
Current command-line arguments I am running:
./arachni http://127.0.0.2:8080/WebGoat --plugin=login_script:script=/path/to/script/login_script.rb
Comments are currently closed for this discussion. You can start a new one.
Keyboard shortcuts
Generic
? | Show this help |
---|---|
ESC | Blurs the current field |
Comment Form
r | Focus the comment reply box |
---|---|
^ + ↩ | Submit the comment |
You can use Command ⌘
instead of Control ^
on Mac
Support Staff 1 Posted by Tasos Laskos on 07 Jul, 2016 06:48 PM
Could you give the nightlies a shot please?
2 Posted by kt on 07 Jul, 2016 06:54 PM
Thank you for the incredibely fast response. I will give it a shot right now and update you accordingly.
Also, is there a way to contact you directly for more of an elaborate and specific question?
Support Staff 3 Posted by Tasos Laskos on 07 Jul, 2016 06:55 PM
No problem.
About contacting me directly, unless you're disclosing sensitive information I prefer discussions to be public so that others can benefit too.
4 Posted by kt on 07 Jul, 2016 06:57 PM
Will open a new discussion.
5 Posted by kt on 07 Jul, 2016 07:14 PM
I have installed the Arachni linux nightly and ran the same argument with the same ruby scritp and the results were identical. I encountered the same error:
[components/plugins/login_scripts#set_status:99] Login script: The script was executed successfully, but the login check failed.
and the scan exits itself when the error is returned.Support Staff 6 Posted by Tasos Laskos on 07 Jul, 2016 07:22 PM
Did you try the following?
7 Posted by kt on 07 Jul, 2016 07:27 PM
When running that exact command:
Support Staff 8 Posted by Tasos Laskos on 07 Jul, 2016 07:28 PM
Can you show me the entire error please?
9 Posted by kt on 07 Jul, 2016 07:33 PM
Followed by:
Support Staff 10 Posted by Tasos Laskos on 07 Jul, 2016 07:36 PM
Ah, got it, something must have changed between versions.
Can you try using the browser-based login script?
Please use the session checks I provided in my
autologin
example.11 Posted by kt on 07 Jul, 2016 07:45 PM
Here is my command line argument:
Here is the output:Here is the code:
12 Posted by kt on 07 Jul, 2016 07:54 PM
Solved it.
In the actual ruby code I changed it to
but kept the command-line argument for check_patternThis worked out and after 5 minutes of scanning I stopped it and saw it had properly scanned pages that required login. Thank you for all the help. Keep up the amazing work on this Framework!
Tasos Laskos closed this discussion on 08 Jul, 2016 04:34 AM.