How to scan an entire AngularJS project behind a CAS auth

Mat

08 Feb, 2018 03:08 PM

Hello,
I need a little help. I have a project in AngularJS containing a lot of pages (about fifty), and I cannot scan all the pages.

I created a script to login:

# Arachni login_script plugin: 'browser' is the Watir browser, 'framework' the scanner.
browser.goto 'https://my-site/cas/login?service=https%3A%2F%2Fmy-site.com%2Fdashboard%2FcheckCasTicket#/'
form = browser.form( id: 'fm1' )   # the CAS login form
form.text_field( name: 'username' ).set 'USER_ID'
form.text_field( name: 'password' ).set 'PASSWORD'
form.submit
sleep(3)   # give the CAS redirect and the Angular app time to load
# Tell Arachni how to verify during the scan that the session is still alive.
framework.options.session.check_url = 'https://my-site/dashboard/#/'
# check_pattern is compiled to a Regexp; 'dashboard || Dashboard' contains an empty
# alternative and would match any response, so use a real regular expression.
framework.options.session.check_pattern = /dashboard/i

I use this command:

bin/arachni https://my-site/dashboard/ --plugin=login_script:script='loginDashboard.rb' --scope-exclude-pattern="logout" --report-save-path=reports/testReport.afr --scope-include-subdomains --checks= -

And I receive this:

[+] Login was successful.
[~] Cookies set to:
[~]     * JSESSIONID = [long token]
[~]     * TGC = [long token]
[~]     * my-token = [app token]

[*] Health map
[~] ~~~~~~~~~~~~~~
[~] Description: Generates a simple list of safe/unsafe URLs.

[~] Legend: [+] No issues [-] Has issues

[+] https://my-site/dashboard/

[~] Total: 1
[+] Without issues: 1
[-] With issues: 0 ( 0% )

[~] Report saved at: /home/mat/Logiciels/arachni-1.5.1-0.5.12/reports/testReport.afr [0.0MB]

[~] Audited 1 page snapshots.

[~] Duration: 00:00:09
[~] Processed 140/140 HTTP requests.
[~] -- 91.3 requests/second.
[~] Processed 0/0 browser jobs.
[~] -- 0.0 second/job.

[~] Currently auditing https://my-site/dashboard/
[~] Burst response time sum 5.16 seconds
[~] Burst response count 32
[~] Burst average response time 0.161 seconds
[~] Burst average 45.883 requests/second
[~] Timed-out requests 0
[~] Original max concurrency 20
[~] Throttled max concurrency 20

My project contains, for example, the page 'request' at https://my-site/dashboard/request

Can you help me?
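Two details of the login script above are worth checking on their own: how the CAS service parameter must be encoded (the part after '#' is a fragment the browser never sends to the server), and what the session check pattern actually matches, since Arachni compiles check_pattern into a regular expression. This is an added, self-contained Ruby example, not the poster's or Arachni's code; the CAS host, service URL and page bodies are constructed.

```ruby
require 'uri'

# Build the CAS login URL. The service callback must be URL-encoded as a query
# value; anything after '#' would be a client-side fragment and never reach CAS.
def cas_login_url(cas_base, service)
  "#{cas_base}/cas/login?service=#{URI.encode_www_form_component(service)}"
end

# Arachni turns a String check_pattern into a Regexp. 'dashboard || Dashboard'
# contains an empty alternative, so it matches every response body and a lost
# session would never be detected. A case-insensitive regex avoids that.
BROKEN_PATTERN = Regexp.new('dashboard || Dashboard')
FIXED_PATTERN  = /dashboard/i

# true when the body matches the pattern, i.e. Arachni would consider the session alive
def session_alive?(body, pattern)
  !(body =~ pattern).nil?
end

# Constructed sample bodies: the app after login, and the CAS login form
# that an expired session would be redirected to.
LOGGED_IN_BODY  = '<title>Dashboard</title><div ng-app="app">...</div>'
LOGIN_FORM_BODY = '<form id="fm1"><input name="username"><input name="password"></form>'

# For each pattern: [result on logged-in body, result on login form body]
def pattern_report
  {
    broken: [session_alive?(LOGGED_IN_BODY, BROKEN_PATTERN),
             session_alive?(LOGIN_FORM_BODY, BROKEN_PATTERN)],
    fixed:  [session_alive?(LOGGED_IN_BODY, FIXED_PATTERN),
             session_alive?(LOGIN_FORM_BODY, FIXED_PATTERN)]
  }
end

if __FILE__ == $0
  puts cas_login_url('https://my-site', 'https://my-site.com/dashboard/checkCasTicket')
  p pattern_report
end
```

The broken pattern reports the session as alive even on the login form, so the scanner keeps auditing unauthenticated pages without noticing; the fixed one fails only when the dashboard is gone.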

Support Staff: Posted by Tasos Laskos on 04 May, 2018 09:10 AM

    It's basically impossible for me to tell without access to the webapp, but PhantomJS is losing support for some modern libs and until the new engine is ready there's not much I can do.

    It could be just that.
