Arachni: Discussion (2018-10-19T07:41:56Z)
WebUI - Application Authentication

2017-02-03T00:46:58Z
<div><p>Hi<br>
I am feeling really dumb because I can't seem to figure out how to
train Arachni to log into an application >.<<br>
Ideally I would like to see the results in the WebUI for easier
report generation.</p>
<p>So far I followed the instructions in "Service Scanning" and
captured a vector.yml but it does not appear as though it is
actually logging in.<br>
Also tried a few things including the autologin, login_script
plugins as well as the proxy plugin but again I'm unsure about how
to capture/train and replay those.</p>
<p>At one point I found instructions which said to:<br>
- Log into WebUI<br>
- Configure/run Proxy<br>
- Capture login (start/stop recording)</p>
<p>But I haven't been able to find that either :(</p>
<p>Service Scanning KB Article.<br>
<a href="http://support.arachni-scanner.com/kb/general-use/service-scanning">
http://support.arachni-scanner.com/kb/general-use/service-scanning</a></p></div>
pipnflinx

2017-02-03T09:38:11Z
<div><p>You don't need to capture or replay the autologin or
login_script plugins, you just need to configure them again for
every scan.<br>
You can then import the report to the WebUI with
<code>arachni_web_scan_import</code>.</p></div>
Tasos Laskos

2017-02-03T16:41:17Z
<div><p>Thanks Tasos,<br>
I hadn't quite gotten around to playing with the
'arachni_web_scan_import' tool yet.<br>
My bigger issue though seems to be getting the login functionality
to work.</p>
<p>For the sake of clarity:<br>
I was able to set up the 'proxy' and watched the authentication in
the Arachni output. However, getting that traffic into the scanner
was unclear. Is there an '--export' switch that I am not
seeing?</p>
<p>A list of tools and their associated options would go a long way
in helping me to figure this out! :D</p>
<p>In terms of the 'autologin' and 'login_script' tools, the KB
articles were pretty good about explaining their usage, but the
sample code (after tailoring values) did not appear to work for me.
I did also try samples that other users had posted with no
luck.</p>
<p>Generally speaking I am familiar enough with Ruby and JS to read
and modify code but cannot necessarily code something from
scratch.</p></div>
pipnflinx

2017-02-04T13:21:37Z
<div><p>You can't export proxy traffic in order to replay it later, the
most reliable way to log in and maintain a valid session is by using
the <code>autologin</code> or <code>login_script</code>
plugins.<br>
Which is best for your case depends on the web application and
without access to it I won't be able to help.</p>
<p>The <code>autologin</code> one is the simplest, if the form is
visible in the provided URL it'll fill in the form and submit
it.<br>
The <code>login_script</code> is the most flexible, you use it to
interact with the web application interface; the how depends on
each web application.</p>
<p>I'm afraid that I don't have anything to add that isn't in the
KB articles.</p>
<p>As for a list of all utilities, you can find it at the <a href="https://github.com/Arachni/arachni/wiki/Executables">Wiki</a>, to
see their options call them with the <code>-h</code> flag.</p></div>
Tasos Laskos

2017-02-05T00:13:04Z
<div><p>Thank you for the inputs.</p>
<p>I will give it another shot.</p></div>
pipnflinx
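
<p>An added example, not part of the original thread and not Arachni's own code: a shell wrapper that assembles a scan command using the <code>autologin</code> plugin discussed above. The URLs, form field names, credentials and check text are constructed placeholders, and the function names are hypothetical.</p>

```shell
#!/bin/sh
# Constructed placeholder values; replace with your own application's details.
LOGIN_URL='http://app.example.test/login'             # page on which the login form is visible
LOGIN_PARAMS='username=scanuser&password=CHANGE_ME'   # field names as they appear in the form
LOGIN_CHECK='Sign out'                                # text that only appears when logged in

# Build the --plugin argument for autologin. Plugin options are passed as
# comma-separated key=value pairs, so a comma inside a value would corrupt
# the option list; reject such values instead of passing them on.
autologin_arg() {
    for v in "$1" "$2" "$3"; do
        [ -n "$v" ] || { echo "empty autologin option" >&2; return 1; }
        case $v in
            *,*) echo "comma not allowed in autologin option: $v" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "--plugin=autologin:url=$1,parameters=$2,check=$3"
}

# Scan target $1 as a logged-in user and save the report to $2.
# By default (DRY_RUN=1) the command is only printed for review; the printed
# form is unquoted, so copy the arguments rather than pasting the whole line.
authenticated_scan() {
    plugin=$(autologin_arg "$LOGIN_URL" "$LOGIN_PARAMS" "$LOGIN_CHECK") || return 1
    # Exclude the logout link so the crawler does not end its own session.
    set -- arachni "$1" "$plugin" --scope-exclude-pattern=logout --report-save-path="$2"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

authenticated_scan 'http://app.example.test/' 'app.example.test.afr'
```

<p>Set <code>DRY_RUN=0</code> to actually start the scan; the saved report can then be brought into the WebUI with <code>arachni_web_scan_import</code> (call it with <code>-h</code> for its arguments).</p>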