Home → Questions →

Session sharing

• Edit

naveen

06 Dec, 2016 05:35 PM

Hi,

I am trying to scan three urls.

Example: login page and home page and another page after login. But i want to scan each of these three urls separately and generate three scan reports.

As there is an authentication exists to my application, how to share the session among these urls when i use user agent as firefox using arachini

1. Support Staff 1 Posted by Tasos Laskos on 08 Dec, 2016 09:41 AM

   

   You'll need to first login via a browser and supply the same cookie-jar to all 3 scans.
   Be careful to exclude any logout links and the like.

   • Edit

2. Tasos Laskos closed this discussion on 08 Dec, 2016 09:41 AM.

3. Naveen re-opened this discussion on 08 Dec, 2016 02:56 PM

4. 2 Posted by Naveen on 08 Dec, 2016 02:56 PM

   

   Hi Tasos,
   Thank you very much for your inputs. i would like to use cookie jar approach. For cookie jar approach, it seems we need to store cookie jar as netscape format cookie.

   Does it means, Can login to a website in netscape browser manually and get and store the cookies in a file path and run arachni scanning for the links..?

   • Edit

5. Support Staff 3 Posted by Tasos Laskos on 08 Dec, 2016 03:00 PM

   

   Yep, the developer tools of Firefox and Chrome should allow you to do that, although I don't quite remember how.

   • Edit

6. Tasos Laskos closed this discussion on 14 Dec, 2016 02:15 PM.

7. Naveen re-opened this discussion on 15 Dec, 2016 03:06 PM

8. 4 Posted by Naveen on 15 Dec, 2016 03:06 PM

   

   Hi,

   I am trying to do via login script to authenticate before scan but i am not able to spin the browser and getting exception

   /Ruby200/lib/ruby/2.0.0/net/http/generic_request.rb:27:in `initialize': HTTP request path is empty (ArgumentError)
         from C:/Ruby200/lib/ruby/2.0.0/net/http/request.rb:14:in `initialize'
         from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/default.rb:91:in `new'
         from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/default.rb:91:in `new_request_for'
         from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/default.rb:56:in `request'
         from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/default.rb:84:in `request'
         from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/common.rb:59:in `call'
         from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/bridge.rb:647:in `raw_execute'
         from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/bridge.rb:109:in `create_session'
         from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/bridge.rb:69:in `initialize'
         from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/common/driver.rb:57:in `new'
         from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/common/driver.rb:57:in `for'
         from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver.rb:82:in `for'
   

   code

   require 'selenium-webdriver'
   
   Selenium::WebDriver::Firefox::Binary.path='C:/AppData/Local/Mozilla Firefox/firefox.exe'
   caps = Selenium::WebDriver::Remote::Capabilities.firefox
   caps['marionette'] = false
   driver = Selenium::WebDriver.for(:remote, :desired_capabilities => caps)
   #driver = Selenium::WebDriver.for :firefox
   driver.navigate.to "wwww.google.com"
   
   element = driver.find_element(:name, 'q')
   element.send_keys "Selenium Tutorials"
   element.submit
   
   driver.quit
   

   • Edit

9. Support Staff 5 Posted by Tasos Laskos on 15 Dec, 2016 03:14 PM

   

   First of all, you need to use the packages.
   Secondly, you need to use the Watir instance provided to the login script via the browser variable rather than instantiating Selenium on your own.

   • Edit

10. 6 Posted by Naveen on 15 Dec, 2016 03:32 PM

    

    Hi Tasos,

    Even after using watir and broswer i got similar error

    '#!/usr/bin/env ruby
    require 'ap'
    require 'httpclient'
    require 'json'
    require 'browser'
    require 'watir-webdriver'
    # chrome driver path
    
    # Specify the driver path
    
    Selenium::WebDriver::Firefox::Binary.path = 'C:/Users/nnalam/AppData/Local/Mozilla Firefox/firefox.exe'
    
    profile = Selenium::WebDriver::Firefox::Profile.new
    
    
    browser =Watir::Browser.new :firefox
    browser.goto('https://www.google.com/')
    

    Stack trace

     from C:/Ruby200/lib/ruby/2.0.0/net/http/request.rb:14:in `initialize'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/default.rb:91:in `new'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/default.rb:91:in `new_request_for'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/default.rb:56:in `request'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/default.rb:84:in `request'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/common.rb:59:in `call'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/w3c_bridge.rb:640:in `raw_execute'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/w3c_bridge.rb:114:in `create_session'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/w3c_bridge.rb:69:in `initialize'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/firefox/w3c_bridge.rb:35:in `initialize'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/common/driver.rb:52:in `new'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/common/driver.rb:52:in `for'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver.rb:82:in `for'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/watir-webdriver-0.9.3/lib/watir-webdriver/browser.rb:46:in `initialize'
     from sel-1.rb:16:in `new'
     from sel-1.rb:16:in `<main>'
    

    • Edit

11. Support Staff 7 Posted by Tasos Laskos on 15 Dec, 2016 03:41 PM

    

    You didn't do any of what I just said.
    You need to use the packages and use the provided browser instance via the browser variable, do not create your own.

    • Edit

12. 8 Posted by Naveen on 15 Dec, 2016 04:39 PM

    

    Hi Tasos,

    Thank you.

    Can you please validate below script of what i am using to start with and correct me i something wrong as it is giving error

    require 'ap'
    require 'httpclient'
    require 'json'
    require 'browser'

    require 'watir'
    browser =Watir::Browser.new :firefox
    browser.goto('https://google.com')

    • Edit

13. Support Staff 9 Posted by Tasos Laskos on 16 Dec, 2016 02:21 PM

    

    Please check out the documentation: http://support.arachni-scanner.com/kb/general-use/logging-in-and-ma...

    • Edit

14. 10 Posted by Naveen on 16 Dec, 2016 07:47 PM

    

    Hi Tasos,

    Please find the sample script i am trying to scan and got the error trace attached in debug.log

    command i have used is

    arachni --plugin=login_script:script="C:/Naveen/arachni_practice/arachni.rb" --report-save-path=output.afr https://www.site.com/serv/home?secureLogin --output-debug 2> debug.log

    • Edit

15. 11 Posted by Naveen on 16 Dec, 2016 08:41 PM

    

    Program
    For got to add attachment in last reply..

    browser.goto 'https://www.site.com/serv/home?secureLogin'
    
    form = browser.form( id: 'form' )
    form.text_field( name: 'username' ).set 'xey'
    form.text_field( name: 'password' ).set 'Happyksu123'
    
    form.submit
    
    # You can also configure the session check from the script, dynamically,
    # if you don't want to set static options via the user interface.
    framework.options.session.check_url     = browser.url
    framework.options.session.check_pattern = /Sign Off|Your profile|logout|Log out/
    

    • debug.log 7.67 KB
    • Edit

16. 12 Posted by Naveen on 19 Dec, 2016 09:57 PM

    

    Tasos,

    I am able to resolve the issue and able to run my script by alone. But when I am running from arachini loginscript

    arachni https://mysite/servicing/home--checks=xss --scope-page-limit=1 --plugin=login_script:script="C:/Users/nnalam/workspace/Arachni/Login_script_1.rb" --report-save-path=output.afr --output-debug 2> debug.log

    giving login plugin error

    • debug.log 6.47 KB
    • Edit

17. Support Staff 13 Posted by Tasos Laskos on 21 Dec, 2016 06:50 AM

    

    The login script you provided could not have caused the error in the debug log.
    The error says you're requiring httpclient but that's nowhere in the script.

    • Edit

18. 14 Posted by Naveen on 21 Dec, 2016 05:15 PM

    

    Hi Tasos,

    Sorry i missed that line to put in script. Now i am running with a different issue. I've my arachni in this foldder "C:\Naveen\softwares\arachni\arachni-2.0dev-1.0dev-windows-x86_64" .

    does my "Login_script_1.rb" need to be in folder "C:\Naveen\softwares\arachni\arachni-2.0dev-1.0dev-windows-x86_64\system\ruby\lib\ruby\gems\2.2.0\bundler\gems\arachni-15e02381d75c\components\plugins" ??

    As I am always getting Timeout error

    2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] [Net::ReadTimeout] Net::ReadTimeout
    [2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] C:/Naveen/softwares/arachni/arachni-2.0dev-1.0dev-windows-x86_64/system/ruby/lib/ruby/gems/2.2.0/bundler/gems/arachni-15e02381d75c/components/plugins/login_script.rb:29:in eval' [2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] C:/Naveen/softwares/arachni/arachni-2.0dev-1.0dev-windows-x86_64/system/ruby/lib/ruby/2.2.0/net/protocol.rb:152:inrbuf_fill' [2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] C:/Naveen/softwares/arachni/arachni-2.0dev-1.0dev-windows-x86_64/system/ruby/lib/ruby/2.2.0/net/protocol.rb:134:in readuntil' [2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] C:/Naveen/softwares/arachni/arachni-2.0dev-1.0dev-windows-x86_64/system/ruby/lib/ruby/2.2.0/net/protocol.rb:144:inreadline' [2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] C:/Naveen/softwares/arachni/arachni-2.0dev-1.0dev-windows-x86_64/system/ruby/lib/ruby/2.2.0/net/http/response.rb:39:in `read_status_line'

    • Edit

19. 15 Posted by Naveen on 22 Dec, 2016 03:45 PM

    

    Hi Tasos,
    Thank you very much . Finally I was able to run successfully.

    Can you please on this use case?

    1) I have a login script and scanning a site which has login with username / password.
    2) After logging in it takes me to home page. ..

    Here how to run arachini scanner only for this home page and I don't want to go any other pages( anchor links in home page. As home page contains links to other pages and i don't want to scan other pages)

    • Edit

20. Support Staff 16 Posted by Tasos Laskos on 23 Dec, 2016 01:37 PM

    

    Glad you got it working.
    To configure the scope of the scan please take a look at the scope options.

    • Edit

21. Tasos Laskos closed this discussion on 28 Dec, 2016 02:47 PM.