Form Based Authentication Request


Aruna

21 Aug, 2017 09:41 AM

Hi Admin,
I am trying to perform a form based authenticated scan of a site which has Spring Security enabled. Will I be able to perform a scan for a Spring Security enabled site? I am trying to do it using the REST API. I am using a POST request for the URI (http://127.0.0.1:7331/scans) with the JSON request below. However, I continuously see the response "Could not find a form suiting the provided parameters."

I am unable to set DEBUG to see more logs. Please explain clearly how to set DEBUG when running arachni_rest_server. Also, let me know how Arachni validates the parameters being sent in the request. Do we need encoded parameters? Please help. Thanks a lot,

{
  "url": "http://172.23.148.94:9091/devImpact/j_spring_security_check",
  "plugins": {
    "autologin": {
      "url": "http://172.23.148.94:9091/devImpact/j_spring_security_check",
      "parameters": "j_username=demouser&j_password=welcome123&submit=%A0%A0+%A0+%A0%A0+Login",
      "check": ".*"
    }
  }
}

  1. Posted by Tasos Laskos (Support Staff) on 21 Aug, 2017 04:49 PM

    Hello,

    I'm afraid I won't be able to help without access to the target webapp.

    Cheers,
    Tasos L.

  2. Posted by Aruna on 31 Aug, 2017 09:57 AM

    Hi Admin,

    I understand that you will not be able to hit that webapp. Could you please let me know if Arachni is capable of logging in to an application using Spring Security? Also, let me know if the format of the JSON being used to authenticate is valid.

    {
      "url": "http://172.23.148.94:9091/devImpact/j_spring_security_check",
      "plugins": {
        "autologin": {
          "url": "http://172.23.148.94:9091/devImpact/j_spring_security_check",
          "parameters": "j_username=demouser&j_password=welcome123&submit=%A0%A0+%A0+%A0%A0+Login",
          "check": ".*"
        }
      }
    }

    Also, please redirect me to some general JSON input examples for which authentication has been successful.

    Thanks again.

  3. Posted by Aruna on 31 Aug, 2017 10:25 AM

    I did try from my side for one of the external sites and there was a success response. Please give me some examples of how to pass the form params to make the login successful.

  4. Posted by Aruna on 06 Sep, 2017 06:46 AM

    Hi Admin,

    Can you please respond to the above query? I have been waiting eagerly to use Arachni.

    Best,
    Aruna

  5. Posted by Tasos Laskos (Support Staff) on 06 Sep, 2017 10:46 AM

    Hello,

    Unfortunately, like I said, I can't know without access. It seems like Arachni can't find the login form and I need to debug this myself to see why.
    I'd suggest that you try using the login_script plugin instead as that'll give you more control over the login process.
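The error the thread is about comes from the autologin plugin failing to locate a form on the page at its "url" that carries the supplied parameter names. The script below is an added illustration of that matching step, not Arachni's code: it parses a constructed Spring Security style login page, checks whether every name in the "parameters" string is a field of one form there, and shows why a "check" pattern of ".*" cannot tell a successful login from a failed one. The page HTML and URL are constructed, and the subset rule for matching is an assumption made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin

# Constructed login page modelled on a default Spring Security form (not the reporter's app).
LOGIN_PAGE_URL = "http://example.invalid/devImpact/login"
LOGIN_PAGE_HTML = """<html><body>
<form name="f" action="/devImpact/j_spring_security_check" method="post">
  <input type="text" name="j_username"/>
  <input type="password" name="j_password"/>
  <input type="submit" name="submit" value="Login"/>
</form></body></html>"""

class FormCollector(HTMLParser):
    """Collect each <form> with its absolute action, method and the names of its fields."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.forms, self._current = base_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": urljoin(self.base_url, a.get("action") or ""),
                             "method": (a.get("method") or "get").lower(), "inputs": set()}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None and a.get("name"):
            self._current["inputs"].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_login_form(page_html, page_url, parameters):
    """Assumed matching rule: every supplied parameter name must be a field of one form on the
    page. Returns that form, or None (the 'Could not find a form...' situation)."""
    wanted = {name for name, _ in parse_qsl(parameters, keep_blank_values=True)}
    collector = FormCollector(page_url)
    collector.feed(page_html)
    for form in collector.forms:
        if wanted <= form["inputs"]:
            return form
    return None

def login_succeeded(body, check):
    """'check' is matched against the post-login response body; '.*' matches any body at all,
    including a 'Bad credentials' page, so a phrase only a logged-in user sees is a safer check."""
    return re.search(check, body) is not None
```

Pointing "url" at the form's action (the j_spring_security_check endpoint) gives the plugin a page with no form to parse, so the lookup returns None; pointing it at the page that renders the form returns the form and its action.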
