Login failing in Arachni scan

Mike

17 Aug, 2016 05:29 PM

I see the following in my log for the Jenkins job. I can log into the url no problem with the user/pwd that I have in the job. Any help/thought/ideas are appreciated.

[*] Initializing...
[*] Preparing plugins...
[*] AutoLogin: Logging in, please wait.
[-] [utilities#exception_jail:428] Session: [Arachni::Session::Error::FormNotFound] Login form could not be found with: {:url=>"http://xyz/home/index.html", :inputs=>{"UserID"=>"abc", "UserPassword"=>"pwd"}}
[-] Session: [Errno::EACCES] Permission denied @ rb_sysopen - /opt/arachni-1.4-0.5.10/bin/../system/logs/framework/error-4002.log
  1. Support Staff 1 Posted by Tasos Laskos on 17 Aug, 2016 07:27 PM

    You've got 2 issues there:

    1. There is no form with UserID and UserPassword inputs at http://xyz/home/index.html. If it's a redirect prefer setting the URL with the actual form.
    2. You've got Arachni placed at a directory for which it doesn't have write privileges.
  2. 2 Posted by Brendan on 17 Aug, 2016 07:57 PM

    Here is a snippet for the /home/index.html containing the

    and elements to help clarify the underlying source code.

    https://gist.github.com/bmurtagh/891beff6b7cd5917a6c3f04120bdb346

  3. Support Staff 3 Posted by Tasos Laskos on 17 Aug, 2016 07:59 PM

    Is the form visible by default or do you need to interact with the page somehow?

  4. 4 Posted by Mike on 17 Aug, 2016 08:10 PM

    Hitting that url brings up the page

  5. Support Staff 5 Posted by Tasos Laskos on 17 Aug, 2016 08:12 PM

    Hm, I can't tell for sure without access to the page, but you may need to configure this option: https://github.com/Arachni/arachni/wiki/Command-line-user-interface...

  6. 6 Posted by Brendan on 17 Aug, 2016 08:13 PM

    Here is a temporary screenshot of the login form: http://imgur.com/QQZI0LK

    We have a /UI/index.html that acts as a launch page that opens a new window with this form on there. We're using that new URL /home/index.html in the arachni scanning configuration.

  7. Support Staff 7 Posted by Tasos Laskos on 17 Aug, 2016 08:15 PM

    Like I said, I can't tell for sure but if there's some delay in loading or interaction of some sort you may need to resort to the login_script approach.

  8. 8 Posted by Brendan on 17 Aug, 2016 08:21 PM

    Is it possible to see if there's a rendering delay in debug output?

    Also, is it possible to set an ENV var for debug or is only a CLI flag the option?

  9. Support Staff 9 Posted by Tasos Laskos on 17 Aug, 2016 08:23 PM

    It's just CLI, --output-debug=2 will show you the rendered HTML body at the time the form was being located.

  10. 10 Posted by Brendan on 17 Aug, 2016 09:05 PM

    Here is some code from the rendered version as you can see, there's the

    and elements as expected: https://gist.github.com/bmurtagh/b67d26ce97b98e68e86eee468dae68bc
  11. Support Staff 11 Posted by Tasos Laskos on 18 Aug, 2016 08:53 AM

    Any chance I can get access to that page?

  12. 12 Posted by Brendan on 18 Aug, 2016 12:28 PM

    We will inquire this morning about permission/approval to send the URL. Is there a way to send the URL privately if we get approval?

  13. Support Staff 13 Posted by Tasos Laskos on 18 Aug, 2016 12:29 PM

  14. 14 Posted by Brendan on 18 Aug, 2016 01:55 PM

    Your message came across as [email blocked].

  15. Support Staff 15 Posted by Tasos Laskos on 18 Aug, 2016 01:56 PM

    My bad: tasos[dot]laskos[at]arachni-scanner.com

  16. 16 Posted by Brendan on 18 Aug, 2016 02:17 PM

    Thank you for the continued help. We had one of our InfoSec guys look at it and we are having issues due to Angular (v2 specifically) being used which is not making arachni happy. He has some login scripts he'll be customizing for our usage.

    Thank you again for the help & developing a great product!

  17. 17 Posted by Mike on 18 Aug, 2016 02:19 PM

    Thanks again, wish more products provided this level of support/response!

  18. Support Staff 18 Posted by Tasos Laskos on 18 Aug, 2016 02:20 PM

    No worries guys.

    About your issue, there's a known incompatibility, please follow this for updates: https://github.com/Arachni/arachni/issues/764

    Cheers

  19. Tasos Laskos closed this discussion on 18 Aug, 2016 02:20 PM.
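
The two failures named in the first reply (no form with the configured inputs at the URL, and a log directory the scanner cannot write to) can both be checked before a scan job starts. The Ruby below is an added example, not code from this thread or from Arachni: `find_login_form`, `preflight` and the sample pages are hypothetical. It inspects served markup only, so a form that JavaScript builds after page load is reported as missing.

```ruby
require 'tmpdir'

# Return the first <form> whose named fields include every expected input
# name, or nil. Regex matching is a deliberate simplification for a quick
# check; it sees served markup only, not a JavaScript-rendered DOM.
def find_login_form(html, expected_inputs)
  html.scan(/<form\b.*?<\/form>/mi).find do |form|
    names = form.scan(/<(?:input|select|textarea)\b[^>]*?\sname\s*=\s*["']?([^"'\s>]+)/i).flatten
    (expected_inputs.keys - names).empty?
  end
end

# Check both conditions from the log: form present, log directory writable.
def preflight(html, expected_inputs, log_dir)
  problems = []
  problems << :form_not_found unless find_login_form(html, expected_inputs)
  problems << :log_dir_not_writable unless File.directory?(log_dir) && File.writable?(log_dir)
  problems
end

# Constructed sample pages (not the posters' real markup).
LAUNCH_PAGE = '<html><body><app-root>Loading...</app-root><script src="main.js"></script></body></html>'
LOGIN_PAGE = <<~HTML
  <html><body>
    <form action="/login" method="post">
      <input type="text" name="UserID">
      <input type="password" name="UserPassword">
      <input type="submit" value="Sign in">
    </form>
  </body></html>
HTML

# Input names as they appear in the FormNotFound message; values are placeholders.
INPUTS = { 'UserID' => 'abc', 'UserPassword' => 'pwd' }

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    puts preflight(LAUNCH_PAGE, INPUTS, dir).inspect
    puts preflight(LOGIN_PAGE, INPUTS, dir).inspect
    puts preflight(LOGIN_PAGE, INPUTS, File.join(dir, 'missing')).inspect
  end
end
```

An empty result means both checks passed; any symbol in the result corresponds to one of the two errors in the posted log.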
