Auto login

Eliah

02 Jun, 2017 11:31 AM

Hi Tasos,

I'm inexperienced in web development (I'm more well versed in networking).
I'm required to work on a project involving Arachni for my internship.

NOTE: I'm using the WebUI.
So I was trying to make my own policy but I came across something I don't understand.
I don't understand the "parameters" tab. Can you explain it to me?
I didn't make the application myself, for the record.

Thanks!

  1. 1 Posted by Eliah on 02 Jun, 2017 11:55 AM

    Also I would like to know what's the difference between HTTP authentication and auto-login?

  2. Support Staff 2 Posted by Tasos Laskos on 03 Jun, 2017 12:26 PM

    The parameters option is used to fill in the login form based on input names, if the form has 2 inputs, say username and password, you'd need to fill in that option just like the example shows.

    Also, HTTP auth is a protocol level authentication, the autologin plugin is used to login via a form at the application level.

  3. 3 Posted by Eliah on 06 Jun, 2017 07:54 AM

    Hi Tasos,

    I've tried doing that but I keep getting the same error over and over again.
    Parameters that I've used are: username=bee&password=bug

    Error:

    2017-06-06 09:47:21 +0200 --------------------------------------------------------------------------------
    OPTIONS:
    ---
    session: {}
    audit:
      parameter_values: true
      exclude_vector_patterns: []
      include_vector_patterns: []
      link_templates: []
      links: true
      forms: true
      cookies: false
      headers: false
      with_both_http_methods: false
      cookies_extensively: false
      jsons: true
      xmls: true
      ui_forms: true
      ui_inputs: true
    datastore:
      token: 1f11b2b0db4946c5823371a85fdbd31d
    input:
      values: {}
      default_values:
        name: arachni_name
        user: arachni_user
        usr: arachni_user
        pass: 5543!%arachni_secret
        txt: arachni_text
        num: '132'
        amount: '100'
        mail: [email blocked]
        account: '12'
        id: '1'
      without_defaults: true
      force: false
    http:
      user_agent: Arachni/v1.5.1
      request_timeout: 10000
      request_redirect_limit: 5
      request_concurrency: 20
      request_queue_size: 100
      request_headers: {}
      response_max_size: 600000
      cookies: {}
      authentication_type: auto
    browser_cluster:
      local_storage: {}
      wait_for_elements: {}
      pool_size: 6
      job_timeout: 10
      worker_time_to_live: 100
      ignore_images: false
      screen_width: 1600
      screen_height: 1200
    scope:
      redundant_path_patterns: {}
      dom_depth_limit: 5
      exclude_file_extensions: []
      exclude_path_patterns: []
      exclude_content_patterns: []
      include_path_patterns: []
      restrict_paths: []
      extend_paths: []
      url_rewrites: {}
      directory_depth_limit: 5
      page_limit: 1000
      include_subdomains: false
      exclude_binaries: false
      https_only: false
    checks:
    - code_injection
    - code_injection_php_input_wrapper
    - code_injection_timing
    - csrf
    - file_inclusion
    - ldap_injection
    - no_sql_injection
    - no_sql_injection_differential
    - os_cmd_injection
    - os_cmd_injection_timing
    - path_traversal
    - response_splitting
    - rfi
    - session_fixation
    - source_code_disclosure
    - sql_injection
    - sql_injection_differential
    - sql_injection_timing
    - trainer
    - unvalidated_redirect
    - unvalidated_redirect_dom
    - xpath_injection
    - xss
    - xss_dom
    - xss_dom_script_context
    - xss_event
    - xss_path
    - xss_script_context
    - xss_tag
    - xxe
    - allowed_methods
    - backdoors
    - backup_directories
    - backup_files
    - captcha
    - common_admin_interfaces
    - common_directories
    - common_files
    - cookie_set_for_parent_domain
    - credit_card
    - cvs_svn_users
    - directory_listing
    - emails
    - form_upload
    - hsts
    - htaccess_limit
    - html_objects
    - http_only_cookies
    - http_put
    - insecure_client_access_policy
    - insecure_cookies
    - insecure_cors_policy
    - insecure_cross_domain_policy_access
    - insecure_cross_domain_policy_headers
    - interesting_responses
    - localstart_asp
    - mixed_resource
    - origin_spoof_access_restriction_bypass
    - password_autocomplete
    - private_ip
    - ssn
    - unencrypted_password_forms
    - webdav
    - x_frame_options
    - xst
    platforms: []
    plugins:
      autologin:
        url: http://192.168.253.212/bWAPP/login.php
        parameters: username=bee&password=bug
        check: check
      rate_limiter:
        requests_per_second: '25'
      timing_attacks: 
      uniformity: 
    no_fingerprinting: false
    authorized_by: 
    url: http://192.168.253.212/bWAPP/login.php
    --------------------------------------------------------------------------------
    [2017-06-06 09:47:21 +0200] [Arachni::Session::Error::FormNotFound] Login form could not be found with: {:url=>"http://192.168.253.212/bWAPP/login.php", :inputs=>{"username"=>"bee", "password"=>"bug"}}
    [2017-06-06 09:47:21 +0200] --------------------------------------------------------------------------------
    [2017-06-06 09:47:21 +0200] Could not find a form suiting the provided parameters.
    
  4. Support Staff 4 Posted by Tasos Laskos on 06 Jun, 2017 08:03 AM

    Are you sure that the form input names are actually username and password?

  5. 5 Posted by Eliah on 06 Jun, 2017 08:09 AM

    I can probably find that in the login.php file right?

  6. Support Staff 6 Posted by Tasos Laskos on 06 Jun, 2017 08:11 AM

    Not necessary, you can check the generated HTML from your browser with "View page source" or, if the form is created dynamically via JS, use something like Firebug to inspect it and check its inputs.

  7. 7 Posted by Eliah on 06 Jun, 2017 08:15 AM

    I guess it is?

    <div id="main">
    
        <h1>Login</h1>
    
        <p>Enter your credentials <i>(bee/bug)</i>.</p>
    
        <form action="/bWAPP/login.php" method="POST">
    
            <p><label for="login">Login:</label><br />
            <input type="text" id="login" name="login" size="20" autocomplete="off"></p> 
    
            <p><label for="password">Password:</label><br />
            <input type="password" id="password" name="password" size="20" autocomplete="off"></p>
    
            <p><label for="security_level">Set the security level:</label><br />
    
            <select name="security_level">
    
                <option value="0">low</option>
                <option value="1">medium</option>
                <option value="2">high</option>
    
            </select>
    
            </p>
    
            <button type="submit" name="form" value="submit">Login</button>
    
        </form>
    
        <br />
        
    </div>
    
  8. 8 Posted by Eliah on 06 Jun, 2017 08:16 AM

    Excuse me, I'll have to upload it in a file.

  9. Support Staff 9 Posted by Tasos Laskos on 06 Jun, 2017 08:17 AM

    I fixed the formatting, use login instead of username.

  10. 10 Posted by Eliah on 06 Jun, 2017 08:23 AM

    I'm getting something else now.

    plugins:
      autologin:
        url: http://192.168.253.212/bWAPP/login.php
        parameters: login=bee&password=bug
        check: check
      rate_limiter:
        requests_per_second: '25'
      timing_attacks: 
      uniformity: 
    no_fingerprinting: false
    authorized_by: 
    url: http://192.168.253.212/bWAPP/login.php
    --------------------------------------------------------------------------------
    [2017-06-06 10:20:35 +0200] The response did not match the verifier.
    
  11. Support Staff 11 Posted by Tasos Laskos on 06 Jun, 2017 08:26 AM

    You need to provide a session check; right now you've specified "check", which I doubt is valid. You need to specify a string that would only appear when the user is logged in.

    Also, automatically that string will be looked for in the same URL as the login form; if that's not what you need you can specify an alternative via the Session options.

  12. 12 Posted by Eliah on 06 Jun, 2017 08:33 AM

    You mean the URL a user would get when logged in successfully right?
    So this URL:
    https://192.168.253.212/bWAPP/portal.php

  13. Support Staff 13 Posted by Tasos Laskos on 06 Jun, 2017 08:35 AM

    Yeah try that one. And don't forget to exclude logout links etc.

  14. 14 Posted by Eliah on 06 Jun, 2017 08:43 AM

    Do I leave "Session check pattern" empty?
    Also, where do I exclude logout links in the WebUI?

  15. Support Staff 15 Posted by Tasos Laskos on 06 Jun, 2017 09:11 AM

    No you need to specify a pattern, put in the same one as in the plugin.
    Scope options can be found in the Scope section.

  16. 16 Posted by Eliah on 06 Jun, 2017 09:26 AM

    Does this look ok?
    The application only has a Logout button which asks "Do you really want to logout?"
    If you click "Ok", it will redirect to the portal.php page again.

  17. Support Staff 17 Posted by Tasos Laskos on 06 Jun, 2017 09:33 AM

    The exclusion patterns match paths, you need to exclude a logout resource whatever that may be.

  18. 18 Posted by Eliah on 06 Jun, 2017 09:40 AM

    So I should fill in the http://192.168.253.212/bWAPP/login.php page to be excluded?
    Because when I log out it doesn't go to a page like "You've logged out successfully", it goes to the login.php page.
    Also, the check still gives the same error.

  19. 19 Posted by Eliah on 06 Jun, 2017 01:22 PM

    So I've replaced the "Check" at the auto login options with "Logout" and everything seems to be fine. So if I understand this correctly, you have to give a link/word which is on the page after you log in to the application, so the tool knows it's still logged into the application? For example: if I log in and I see 'Logout' the whole time, you are going to give the word "Logout"? This way the application knows it's logged in.
    Does this sound right?

  20. Support Staff 20 Posted by Tasos Laskos on 06 Jun, 2017 01:41 PM

    Exactly.

  21. 21 Posted by Eliah on 06 Jun, 2017 01:53 PM

    Ok thanks!
    I have some other problems with crawling of the application.
    How do I know which links have been crawled?
    When I start the scan everything seems to be fine.
    I see Arachni crawling:
    http://192.168.253.212/bWAPP/login.php
    http://192.168.253.212/bWAPP/create_user.php
    .... Then it goes the wrong way: it starts scanning from the root:
    http://192.168.253.212/
    http://192.168.253.212/drupal
    http://192.168.253.212/phpadmin
    .... The only things I want to scan are http://192.168.253.212/bWAPP and everything above that.

    This website is a website with built-in vulnerabilities.
    So I really want links like http://192.168.253.212/sqli_2.php etc. to be scanned so I can see if Arachni is able to find them.

  22. 22 Posted by Eliah on 06 Jun, 2017 02:45 PM

    I have tried other applications like https://acmportal.kbc.be/ but it also has trouble crawling.
    It goes like this:
    https://acmportal.kbc.be/
    https://acmportal.kbc.be/ErrorHandling.aspx?aspxerrorpath=/login.aspx
    https://acmportal.kbc.be/
    https://acmportal.kbc.be/ErrorHandling.aspx?aspxerrorpath=/login.as...
    https://acmportal.kbc.be/

    It seems like it never gets beyond the login page.
    After 37 minutes the scan stops without any errors.

    I'm really confused...

  23. Support Staff 23 Posted by Tasos Laskos on 07 Jun, 2017 08:36 AM

    1. You need to control the scope using an inclusion pattern so that only URLs including /bWAPP/ will be followed.
    2. I can't know what's going on without access but it seems that you're causing an error and thus getting logged out.
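
    The following is an added example, not Arachni's own code: a small Ruby model of what the autologin plugin does with the "parameters" and "check" options discussed in posts 3 to 20 (match the configured input names against the form, submit, then look for the session-check pattern in the response), plus the include/exclude scope rules from post 23. It assumes the bWAPP form shown in post 7, a constructed post-login page, regex-based form parsing in place of Arachni's real parser, and a logout path named logout.php that the thread does not show.

```ruby
# Added example, not Arachni's own code: a small model of what the autologin
# plugin does with the "parameters" and "check" options, plus the scope rules
# from post 23. Form parsing uses plain regexes instead of Arachni's parser.
require 'cgi'
require 'uri'

# Constructed copy of the bWAPP login form pasted earlier in this thread.
LOGIN_PAGE = <<~HTML
  <h1>Login</h1>
  <p>Enter your credentials <i>(bee/bug)</i>.</p>
  <form action="/bWAPP/login.php" method="POST">
    <input type="text" id="login" name="login" size="20" autocomplete="off">
    <input type="password" id="password" name="password" size="20" autocomplete="off">
    <select name="security_level"><option value="0">low</option></select>
    <button type="submit" name="form" value="submit">Login</button>
  </form>
HTML

# Constructed post-login page: it carries the "Logout" link, the login page does not.
PORTAL_PAGE = '<a href="/bWAPP/logout.php">Logout</a><h1>Portal</h1>'

class FormNotFound < StandardError; end

# Parse every <form> into { action:, inputs: { name => default value } }.
# A <select> without a value attribute is recorded with an empty default.
def extract_forms(html)
  html.scan(%r{<form\b([^>]*)>(.*?)</form>}mi).map do |attrs, body|
    inputs = {}
    body.scan(/<(?:input|select|button)\b[^>]*>/i) do |tag|
      name = tag[/name="([^"]*)"/i, 1] or next
      inputs[name] = tag[/value="([^"]*)"/i, 1].to_s
    end
    { action: attrs[/action="([^"]*)"/i, 1], inputs: inputs }
  end
end

# "username=bee&password=bug" -> { "username" => "bee", "password" => "bug" }
def parse_parameters(str)
  CGI.parse(str).transform_values(&:first)
end

# The plugin's rule: the form must have an input for every configured
# parameter name. "username" does not exist on bWAPP's form, "login" does.
def find_login_form(html, params)
  form = extract_forms(html).find { |f| (params.keys - f[:inputs].keys).empty? }
  raise FormNotFound, "Login form could not be found with: #{params.inspect}" unless form
  { action: form[:action], body: form[:inputs].merge(params) }
end

# The session check: the response fetched from the check URL must match the
# pattern. "check" matches nothing, "Logout" only matches a logged-in page.
def logged_in?(response_body, check_pattern)
  !!(response_body =~ Regexp.new(check_pattern))
end

# Scope rules from post 23: follow only URLs under /bWAPP/ and never request
# the logout resource. The logout path name is assumed; the thread does not show it.
INCLUDE_PATTERNS = [%r{/bWAPP/}]
EXCLUDE_PATTERNS = [/logout/i]

def in_scope?(url)
  path = URI(url).path
  INCLUDE_PATTERNS.any? { |p| path =~ p } && EXCLUDE_PATTERNS.none? { |p| path =~ p }
end

if __FILE__ == $0
  begin
    find_login_form(LOGIN_PAGE, parse_parameters('username=bee&password=bug'))
  rescue FormNotFound => e
    puts e.message                          # the error from the first scan attempt
  end
  form = find_login_form(LOGIN_PAGE, parse_parameters('login=bee&password=bug'))
  puts "POST #{form[:action]} #{form[:body]}"
  puts logged_in?(PORTAL_PAGE, 'check')     # false: "did not match the verifier"
  puts logged_in?(PORTAL_PAGE, 'Logout')    # true
  %w[/bWAPP/sqli_2.php /drupal /bWAPP/logout.php].each do |p|
    puts "#{p}: #{in_scope?("http://192.168.253.212#{p}")}"
  end
end
```
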
  24. 24 Posted by Eliah on 07 Jun, 2017 09:08 AM

    Ok, I'll look into the scope.
    Anyway I think you're correct about the fact it's not correctly logging in. How can I know for sure?

  25. Support Staff 25 Posted by Tasos Laskos on 07 Jun, 2017 09:11 AM

    If the login check succeeds then you're logging in properly, but the scan may be causing an error that is logging you out, I'm not sure how to look into that, it depends on the webapp.

  26. 26 Posted by Eliah on 07 Jun, 2017 09:19 AM

    Yeah, but I never see a URL getting audited that is beyond the login page.
    So basically the only thing I'm seeing is:
    https://acmportal.kbc.be/
    https://acmportal.kbc.be/ErrorHandling.aspx?aspxerrorpath=/login.aspx

    Is there a way I can show you all the settings I've made in the application? Maybe I have something misconfigured or forgot something?

  27. Support Staff 27 Posted by Tasos Laskos on 07 Jun, 2017 09:21 AM

    First thing's first, does the login check succeed? Are you getting logged in successfully?

  28. 28 Posted by Eliah on 07 Jun, 2017 09:26 AM

    How can I tell?
    I don't see any errors, which I had before.

  29. Support Staff 29 Posted by Tasos Laskos on 07 Jun, 2017 09:33 AM

    OK, then you must have logged in successfully, but I don't know what triggers the error that logs you out. My advice would be to contact the admin.

    If that's not possible, try auditing each element type individually instead of all of them to narrow the scope of the issue down. Try to disable cookie audits for starters and see if that helps.

  30. 30 Posted by Eliah on 07 Jun, 2017 09:41 AM

    Is this correct? Parameters is correct, but I'm not sure about the check tab.
