Session sharing
Hi,
I am trying to scan three URLs.
Example: login page, home page and another page after login. But I want to scan each of these three URLs separately and generate three scan reports.
As authentication exists in my application, how do I share the session among these URLs when I use the user agent as Firefox using Arachni?
Support Staff 1 Posted by Tasos Laskos on 08 Dec, 2016 09:41 AM
You'll need to first login via a browser and supply the same cookie-jar to all 3 scans.
Be careful to exclude any logout links and the like.
Tasos Laskos closed this discussion on 08 Dec, 2016 09:41 AM.
Naveen re-opened this discussion on 08 Dec, 2016 02:56 PM
2 Posted by Naveen on 08 Dec, 2016 02:56 PM
Hi Tasos,
Thank you very much for your inputs. I would like to use the cookie jar approach. For the cookie jar approach, it seems we need to store the cookie jar as a Netscape format cookie.
Does it mean I can log in to a website in the Netscape browser manually, get and store the cookies in a file path, and run Arachni scanning for the links?
Support Staff 3 Posted by Tasos Laskos on 08 Dec, 2016 03:00 PM
Yep, the developer tools of Firefox and Chrome should allow you to do that, although I don't quite remember how.
Tasos Laskos closed this discussion on 14 Dec, 2016 02:15 PM.
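The cookie-jar approach discussed above, as an added example that is not part of the original thread or of Arachni's own code: it turns a Cookie request header copied from the browser's developer tools into a Netscape-format jar and builds one command line per URL, all sharing that jar and excluding logout links. The host, cookie values and report names are constructed; `--http-cookie-jar` and `--scope-exclude-pattern` are the Arachni CLI options assumed here.

```ruby
# Added example (not from the thread): one authenticated session, three scans.
NETSCAPE_HEADER = '# Netscape HTTP Cookie File'

# cookie_header: value of the "Cookie:" request header of an authenticated
# request, as shown in the browser's network tab.
# Returns the text of a Netscape-format cookie jar for the given host.
def netscape_jar(cookie_header, domain, secure: true)
  lines = cookie_header.split(/;\s*/).reject(&:empty?).map do |pair|
    name, value = pair.split('=', 2)
    raise ArgumentError, "malformed cookie: #{pair.inspect}" if name.to_s.empty? || value.nil?
    raise ArgumentError, 'tab or newline in cookie' if "#{name}#{value}" =~ /[\t\r\n]/
    # Tab-separated fields: domain, include-subdomains, path, secure,
    # expiry (0 = session cookie), name, value.
    [domain, 'FALSE', '/', secure ? 'TRUE' : 'FALSE', 0, name.strip, value].join("\t")
  end
  ([NETSCAPE_HEADER] + lines).join("\n") + "\n"
end

# One argv per URL: same jar, logout links excluded, separate report files.
def scan_commands(urls, jar_path, exclude: 'logout')
  urls.each_with_index.map do |url, i|
    ['arachni',
     "--http-cookie-jar=#{jar_path}",
     "--scope-exclude-pattern=#{exclude}",
     "--report-save-path=scan_#{i + 1}.afr",
     url]
  end
end

# Constructed sample values (placeholders, not from the thread).
SAMPLE_HEADER = 'JSESSIONID=0123456789ABCDEF; csrf=constructed-token=='
SAMPLE_URLS = %w[
  https://app.example.test/login
  https://app.example.test/home
  https://app.example.test/account
].freeze

if __FILE__ == $PROGRAM_NAME
  # Save this output as the jar file with owner-only permissions:
  # it is a live session credential until the session expires.
  puts netscape_jar(SAMPLE_HEADER, 'app.example.test')
  scan_commands(SAMPLE_URLS, 'cookies.txt').each { |argv| puts argv.join(' ') }
end
```
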
Naveen re-opened this discussion on 15 Dec, 2016 03:06 PM
4 Posted by Naveen on 15 Dec, 2016 03:06 PM
Hi,
I am trying to authenticate via a login script before the scan, but I am not able to spin up the browser and am getting an exception.
code
Support Staff 5 Posted by Tasos Laskos on 15 Dec, 2016 03:14 PM
First of all, you need to use the packages.
Secondly, you need to use the Watir instance provided to the login script via the browser variable rather than instantiating Selenium on your own.
6 Posted by Naveen on 15 Dec, 2016 03:32 PM
Hi Tasos,
Even after using watir and browser I got a similar error.
Stack trace
Support Staff 7 Posted by Tasos Laskos on 15 Dec, 2016 03:41 PM
You didn't do any of what I just said.
You need to use the packages and use the provided browser instance via the browser variable, do not create your own.
8 Posted by Naveen on 15 Dec, 2016 04:39 PM
Hi Tasos,
Thank you.
Can you please validate the script below that I am using to start with, and correct me if something is wrong, as it is giving an error?
require 'ap'
require 'httpclient'
require 'json'
require 'browser'
require 'watir'
browser =Watir::Browser.new :firefox
browser.goto('https://google.com')
Support Staff 9 Posted by Tasos Laskos on 16 Dec, 2016 02:21 PM
Please check out the documentation: http://support.arachni-scanner.com/kb/general-use/logging-in-and-ma...
10 Posted by Naveen on 16 Dec, 2016 07:47 PM
Hi Tasos,
Please find the sample script I am trying to scan and got the error trace attached in debug.log
The command I have used is
arachni --plugin=login_script:script="C:/Naveen/arachni_practice/arachni.rb" --report-save-path=output.afr https://www.site.com/serv/home?secureLogin --output-debug 2> debug.log
11 Posted by Naveen on 16 Dec, 2016 08:41 PM
Program
Forgot to add the attachment in the last reply.
12 Posted by Naveen on 19 Dec, 2016 09:57 PM
Tasos,
I am able to resolve the issue and able to run my script alone. But when I am running it from the Arachni login script
arachni https://mysite/servicing/home --checks=xss --scope-page-limit=1 --plugin=login_script:script="C:/Users/nnalam/workspace/Arachni/Login_script_1.rb" --report-save-path=output.afr --output-debug 2> debug.log
it is giving a login plugin error
Support Staff 13 Posted by Tasos Laskos on 21 Dec, 2016 06:50 AM
The login script you provided could not have caused the error in the debug log.
The error says you're requiring httpclient but that's nowhere in the script.
14 Posted by Naveen on 21 Dec, 2016 05:15 PM
Hi Tasos,
Sorry, I missed putting that line in the script. Now I am running into a different issue. I have my Arachni in this folder "C:\Naveen\softwares\arachni\arachni-2.0dev-1.0dev-windows-x86_64".
Does my "Login_script_1.rb" need to be in folder "C:\Naveen\softwares\arachni\arachni-2.0dev-1.0dev-windows-x86_64\system\ruby\lib\ruby\gems\2.2.0\bundler\gems\arachni-15e02381d75c\components\plugins"?
As I am always getting a Timeout error
[2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] [Net::ReadTimeout] Net::ReadTimeout
[2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] C:/Naveen/softwares/arachni/arachni-2.0dev-1.0dev-windows-x86_64/system/ruby/lib/ruby/gems/2.2.0/bundler/gems/arachni-15e02381d75c/components/plugins/login_script.rb:29:in `eval'
[2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] C:/Naveen/softwares/arachni/arachni-2.0dev-1.0dev-windows-x86_64/system/ruby/lib/ruby/2.2.0/net/protocol.rb:152:in `rbuf_fill'
[2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] C:/Naveen/softwares/arachni/arachni-2.0dev-1.0dev-windows-x86_64/system/ruby/lib/ruby/2.2.0/net/protocol.rb:134:in `readuntil'
[2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] C:/Naveen/softwares/arachni/arachni-2.0dev-1.0dev-windows-x86_64/system/ruby/lib/ruby/2.2.0/net/protocol.rb:144:in `readline'
[2016-12-21 11:08:34 -0500] Session: [utilities#exception_jail:428] C:/Naveen/softwares/arachni/arachni-2.0dev-1.0dev-windows-x86_64/system/ruby/lib/ruby/2.2.0/net/http/response.rb:39:in `read_status_line'
15 Posted by Naveen on 22 Dec, 2016 03:45 PM
Hi Tasos,
Thank you very much. Finally I was able to run successfully.
Can you please on this use case?
1) I have a login script and am scanning a site which has a login with username / password.
2) After logging in it takes me to the home page.
Here, how do I run the Arachni scanner only for this home page? I don't want to go to any other pages (anchor links in the home page), as the home page contains links to other pages and I don't want to scan other pages.
Support Staff 16 Posted by Tasos Laskos on 23 Dec, 2016 01:37 PM
Glad you got it working.
To configure the scope of the scan please take a look at the scope options.
Tasos Laskos closed this discussion on 28 Dec, 2016 02:47 PM.