<h1>Cookies escaped in login_script</h1>
<p><em>Arachni support discussion #13291 (support.arachni-scanner.com), comments from 2017-03-29 to 2017-05-18.</em></p>

<div><p><strong>Tasos Laskos, 2017-03-29 15:14</strong></p>
<p>Would it be possible to send me the login script in private with some demo credentials so that I can try to debug this?</p></div>

<div><p><strong>Lukas, 2017-04-05 07:36</strong></p>
<p>Sorry for my late response, I had a busy week.<br>
Unfortunately I can't provide you with the actual application, but I built a dummy web server to replicate the problem. I will provide it and the script as soon as I finish it.</p>
<p>Thanks<br>
Lukas</p></div>

<div><p><strong>Lukas, 2017-04-05 08:56</strong></p>
<p>Ok so,<br>
I made a dummy node application, which should replicate the problem.<br>
The login page is under <code>localhost:3000/login</code>.<br>
When I use my script, it logs in correctly and sets cookies (you can see in the logs that it logs the cookie string as 'user authenticated' instead of 'user+authenticated').</p>
<p>However, this seems not to be the problem, as all the subsequent requests from Arachni contain the + in the cookies. And I tested it without the + sign in the cookie string, but it did not work either.<br>
Arachni seems not to use these cookies to scan the sitemap. It just uses variations of the value to try to inject some stuff on the site, but it gets a 401 on the index page.</p>
<p>I am thinking maybe my script is just wrong?</p>
<p>The script is also in the root folder of the repository.</p>
<p>Thanks</p></div>

<div><p><strong>Lukas, 2017-04-05 08:57</strong></p>
<p>Oh, and the application is here:<br>
<a href="https://github.com/lukasstanek/arachni_login_test">https://github.com/lukasstanek/arachni_login_test</a></p></div>

<div><p><strong>Tasos Laskos, 2017-04-06 13:16</strong></p>
<p>Thanks a lot for setting this up, I'll look into it and let you know.</p>
<p>Cheers</p></div>

<div><p><strong>Lukas, 2017-04-25 08:52</strong></p>
<p>Hey, just wanted to check in and ask if there's any news on the issue. I may revisit the problem this week and let you know if I find out more.</p></div>

<div><p><strong>Tasos Laskos, 2017-04-26 08:53</strong></p>
<p>Sorry, I've been a little preoccupied. I'll have a look at it soon.</p></div>

<div><p><strong>Tasos Laskos, 2017-04-29 11:22</strong></p>
<p>I don't have much experience with NodeJS. I just run the executable under <code>bin/</code> and that's it?</p></div>

<div><p><strong>Lukas, 2017-04-29 12:21</strong></p>
<p>Sorry that I used node then.</p>
<p>You have to have nodejs installed, then execute <code>npm install</code> in this directory and then <code>npm run start</code>.</p>
<p>Hope this helps</p></div>

<div><p><strong>Tasos Laskos, 2017-05-01 11:28</strong></p>
<p>No worries.</p>
<p>Turns out it's the URLs you're using inside the script: you can't use <code>localhost</code> or any other loopback interface as they're reserved, which is why they're not allowed as scan targets in the first place.</p>
<p>I changed it to a hostname and it worked.</p></div>

<div><p><strong>Lukas, 2017-05-10 14:54</strong></p>
<p>Hey,<br>
you were right with my demo application, the problem really was the hostname. Sadly this does not apply to my production application. The problem persisted.</p>
<p>I took some time to dive into the Arachni source code and tried to find the source of the problem.</p>
<p>I outputted every time the <code>cookie_jar</code> is updated.</p>
<p>During the login script the cookie jar is updated 2 times.</p>
<p>Once when the login sequence is recorded and once when it is executed for login.</p>
<p>When I scan my application it retrieves the correct cookies, but somehow retrieves the session cookie 2 times, one time in the correct format (with +) and one time URL-encoded (+ becomes %20).</p>
<p>I used a kind of hacky approach and edited the cookie jar update method. I check if a cookie has the correct name and then replace every %20 in its value with +.</p>
<p>This actually made my scan work. Sadly this is unfortunately no permanent solution. As my knowledge of Ruby is quite limited, I am not really sure where the source of the problem could be exactly.</p>
<p>Maybe you know more?</p>
<p>Anyway, thanks for your help so far!<br>
Lukas</p></div>

<div><p><strong>Tasos Laskos, 2017-05-12 12:39</strong></p>
<p>Unfortunately it's impossible for me to fix this without a reproducible case.</p></div>

<div><p><strong>Lukas, 2017-05-17 10:18</strong></p>
<p>Hey,<br>
I managed to work around the "bug" from the login script so I can use it without modifying the Arachni source. This should be good enough.</p>
<p>Also, thanks a lot for your help.</p></div>

<div><p><strong>Tasos Laskos, 2017-05-18 13:19</strong></p>
<p>No problem, glad to hear it.</p></div>