Session sharing

naveen's Avatar

naveen

06 Dec, 2016 05:35 PM

Hi,

I am trying to scan three urls.

Example: login page and home page and another page after login. But i want to scan each of these three urls separately and generate three scan reports.

As there is an authentication exists to my application, how to share the session among these urls when i use user agent as firefox using arachini

  1. Support Staff 1 Posted by Tasos Laskos on 08 Dec, 2016 09:41 AM

    Tasos Laskos's Avatar

    You'll need to first login via a browser and supply the same cookie-jar to all 3 scans.
    Be careful to exclude any logout links and the like.

  2. Tasos Laskos closed this discussion on 08 Dec, 2016 09:41 AM.

  3. Naveen re-opened this discussion on 08 Dec, 2016 02:56 PM

  4. 2 Posted by Naveen on 08 Dec, 2016 02:56 PM

    Naveen's Avatar

    Hi Tasos,
    Thank you very much for your inputs. i would like to use cookie jar approach. For cookie jar approach, it seems we need to store cookie jar as netscape format cookie.

    Does it means, Can login to a website in netscape browser manually and get and store the cookies in a file path and run arachni scanning for the links..?

  5. Support Staff 3 Posted by Tasos Laskos on 08 Dec, 2016 03:00 PM

    Tasos Laskos's Avatar

    Yep, the developer tools of Firefox and Chrome should allow you to do that, although I don't quite remember how.

  6. Tasos Laskos closed this discussion on 14 Dec, 2016 02:15 PM.

  7. Naveen re-opened this discussion on 15 Dec, 2016 03:06 PM

  8. 4 Posted by Naveen on 15 Dec, 2016 03:06 PM

    Naveen's Avatar

    Hi,

    I am trying to do via login script to authenticate before scan but i am not able to spin the browser and getting exception

    /Ruby200/lib/ruby/2.0.0/net/http/generic_request.rb:27:in `initialize': HTTP request path is empty (ArgumentError)
          from C:/Ruby200/lib/ruby/2.0.0/net/http/request.rb:14:in `initialize'
          from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/default.rb:91:in `new'
          from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/default.rb:91:in `new_request_for'
          from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/default.rb:56:in `request'
          from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/default.rb:84:in `request'
          from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/common.rb:59:in `call'
          from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/bridge.rb:647:in `raw_execute'
          from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/bridge.rb:109:in `create_session'
          from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/bridge.rb:69:in `initialize'
          from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/common/driver.rb:57:in `new'
          from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/common/driver.rb:57:in `for'
          from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver.rb:82:in `for'
    

    code

    require 'selenium-webdriver'
    
    Selenium::WebDriver::Firefox::Binary.path='C:/AppData/Local/Mozilla Firefox/firefox.exe'
    caps = Selenium::WebDriver::Remote::Capabilities.firefox
    caps['marionette'] = false
    driver = Selenium::WebDriver.for(:remote, :desired_capabilities => caps)
    #driver = Selenium::WebDriver.for :firefox
    driver.navigate.to "wwww.google.com"
    
    element = driver.find_element(:name, 'q')
    element.send_keys "Selenium Tutorials"
    element.submit
    
    driver.quit
    
  9. Support Staff 5 Posted by Tasos Laskos on 15 Dec, 2016 03:14 PM

    Tasos Laskos's Avatar

    First of all, you need to use the packages.
    Secondly, you need to use the Watir instance provided to the login script via the browser variable rather than instantiating Selenium on your own.

  10. 6 Posted by Naveen on 15 Dec, 2016 03:32 PM

    Naveen's Avatar

    Hi Tasos,

    Even after using watir and broswer i got similar error

    '#!/usr/bin/env ruby
    require 'ap'
    require 'httpclient'
    require 'json'
    require 'browser'
    require 'watir-webdriver'
    # chrome driver path
    
    # Specify the driver path
    
    Selenium::WebDriver::Firefox::Binary.path = 'C:/Users/nnalam/AppData/Local/Mozilla Firefox/firefox.exe'
    
    profile = Selenium::WebDriver::Firefox::Profile.new
    
    
    browser =Watir::Browser.new :firefox
    browser.goto('https://www.google.com/')
    

    Stack trace

     from C:/Ruby200/lib/ruby/2.0.0/net/http/request.rb:14:in `initialize'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/default.rb:91:in `new'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/default.rb:91:in `new_request_for'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/default.rb:56:in `request'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/default.rb:84:in `request'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/http/common.rb:59:in `call'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/w3c_bridge.rb:640:in `raw_execute'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/w3c_bridge.rb:114:in `create_session'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/remote/w3c_bridge.rb:69:in `initialize'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/firefox/w3c_bridge.rb:35:in `initialize'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/common/driver.rb:52:in `new'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver/common/driver.rb:52:in `for'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/selenium-webdriver-3.0.3/lib/selenium/webdriver.rb:82:in `for'
     from C:/Ruby200/lib/ruby/gems/2.0.0/gems/watir-webdriver-0.9.3/lib/watir-webdriver/browser.rb:46:in `initialize'
     from sel-1.rb:16:in `new'
     from sel-1.rb:16:in `<main>'
    
  11. Support Staff 7 Posted by Tasos Laskos on 15 Dec, 2016 03:41 PM

    Tasos Laskos's Avatar

    You didn't do any of what I just said.
    You need to use the packages and use the provided browser instance via the browser variable, do not create your own.

  12. 8 Posted by Naveen on 15 Dec, 2016 04:39 PM

    Naveen's Avatar

    Hi Tasos,

    Thank you.

    Can you please validate below script of what i am using to start with and correct me i something wrong as it is giving error

    require 'ap'
    require 'httpclient'
    require 'json'
    require 'browser'

    require 'watir'
    browser =Watir::Browser.new :firefox
    browser.goto('https://google.com')

  13. Support Staff 9 Posted by Tasos Laskos on 16 Dec, 2016 02:21 PM

    Tasos Laskos's Avatar
  14. 10 Posted by Naveen on 16 Dec, 2016 07:47 PM

    Naveen's Avatar

    Hi Tasos,

    Please find the sample script i am trying to scan and got the error trace attached in debug.log

    command i have used is

    arachni --plugin=login_script:script="C:/Naveen/arachni_practice/arachni.rb" --report-save-path=output.afr https://www.site.com/serv/home?secureLogin --output-debug 2> debug.log

  15. 11 Posted by Naveen on 16 Dec, 2016 08:41 PM

    Naveen's Avatar

    Program
    For got to add attachment in last reply..

    browser.goto 'https://www.site.com/serv/home?secureLogin'
    
    form = browser.form( id: 'form' )
    form.text_field( name: 'username' ).set 'xey'
    form.text_field( name: 'password' ).set 'Happyksu123'
    
    form.submit
    
    # You can also configure the session check from the script, dynamically,
    # if you don't want to set static options via the user interface.
    framework.options.session.check_url     = browser.url
    framework.options.session.check_pattern = /Sign Off|Your profile|logout|Log out/
    
  16. 12 Posted by Naveen on 19 Dec, 2016 09:57 PM

    Naveen's Avatar

    Tasos,

    I am able to resolve the issue and able to run my script by alone. But when I am running from arachini loginscript

    arachni https://mysite/servicing/home--checks=xss --scope-page-limit=1 --plugin=login_script:script="C:/Users/nnalam/workspace/Arachni/Login_script_1.rb" --report-save-path=output.afr --output-debug 2> debug.log

    giving login plugin error

  17. Support Staff 13 Posted by Tasos Laskos on 21 Dec, 2016 06:50 AM

    Tasos Laskos's Avatar

    The login script you provided could not have caused the error in the debug log.
    The error says you're requiring httpclient but that's nowhere in the script.

  18. 14 Posted by Naveen on 21 Dec, 2016 05:15 PM

    Naveen's Avatar

    Hi Tasos,

    Sorry i missed that line to put in script. Now i am running with a different issue. I've my arachni in this foldder "C:\Naveen\softwares\arachni\arachni-2.0dev-1.0dev-windows-x86_64" .

    does my "Login_script_1.rb" need to be in folder "C:\Naveen\softwares\arachni\arachni-2.0dev-1.0dev-windows-x86_64\system\ruby\lib\ruby\gems\2.2.0\bundler\gems\arachni-15e02381d75c\components\plugins" ??

    As I am always getting Timeout error

    2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] [Net::ReadTimeout] Net::ReadTimeout
    [2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] C:/Naveen/softwares/arachni/arachni-2.0dev-1.0dev-windows-x86_64/system/ruby/lib/ruby/gems/2.2.0/bundler/gems/arachni-15e02381d75c/components/plugins/login_script.rb:29:in eval' [2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] C:/Naveen/softwares/arachni/arachni-2.0dev-1.0dev-windows-x86_64/system/ruby/lib/ruby/2.2.0/net/protocol.rb:152:inrbuf_fill' [2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] C:/Naveen/softwares/arachni/arachni-2.0dev-1.0dev-windows-x86_64/system/ruby/lib/ruby/2.2.0/net/protocol.rb:134:in readuntil' [2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] C:/Naveen/softwares/arachni/arachni-2.0dev-1.0dev-windows-x86_64/system/ruby/lib/ruby/2.2.0/net/protocol.rb:144:inreadline' [2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] C:/Naveen/softwares/arachni/arachni-2.0dev-1.0dev-windows-x86_64/system/ruby/lib/ruby/2.2.0/net/http/response.rb:39:in `read_status_line'

  19. 15 Posted by Naveen on 22 Dec, 2016 03:45 PM

    Naveen's Avatar

    Hi Tasos,
    Thank you very much . Finally I was able to run successfully.

    Can you please on this use case?

    1) I have a login script and scanning a site which has login with username / password.
    2) After logging in it takes me to home page. ..

    Here how to run arachini scanner only for this home page and I don't want to go any other pages( anchor links in home page. As home page contains links to other pages and i don't want to scan other pages)

  20. Support Staff 16 Posted by Tasos Laskos on 23 Dec, 2016 01:37 PM

    Tasos Laskos's Avatar

    Glad you got it working.
    To configure the scope of the scan please take a look at the scope options.

  21. Tasos Laskos closed this discussion on 28 Dec, 2016 02:47 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac