Scan website with .htaccess protection

samuel

25 Apr, 2013 10:46 AM

Hello,

Is it possible to perform a login on a website which is protected with .htaccess?

  1. Support Staff 1 Posted by Tasos Laskos on 25 Apr, 2013 12:16 PM

    Sure, just pass the credentials in the URL, just like you would with a browser:

    http://username:[email blocked]/stuff/
    
  2. Tasos Laskos closed this discussion on 25 Apr, 2013 12:16 PM.

  3. samuel re-opened this discussion on 17 Jul, 2013 10:34 AM

  4. 2 Posted by samuel on 17 Jul, 2013 10:34 AM

    Hello.
    Arachni has a problem if the .htaccess password contains a §, for example. It always reports:
    /var/lib/gems/1.9.1/gems/arachni-0.4.3.2/lib/arachni/options.rb:777:in `url=': Invalid URL argument, please provide a full absolute URL and try again. (Arachni::Options::Error::InvalidURL)
            from /var/lib/gems/1.9.1/gems/arachni-0.4.3.2/lib/arachni/options.rb:1293:in `parse'
            from /var/lib/gems/1.9.1/gems/arachni-0.4.3.2/lib/arachni/options.rb:1531:in `method_missing'
            from /var/lib/gems/1.9.1/gems/arachni-0.4.3.2/bin/arachni:20:in `<top (required)>'
            from /usr/local/bin/arachni:23:in `load'
            from /usr/local/bin/arachni:23:in `<main>'

  5. Support Staff 3 Posted by Tasos Laskos on 17 Jul, 2013 12:07 PM

    Hm, can you try URL encoding it?

  6. 4 Posted by samuel on 17 Jul, 2013 02:27 PM

    Sorry man. It's not working.

  7. Support Staff 5 Posted by Tasos Laskos on 17 Jul, 2013 03:18 PM

    As in not authenticating or showing that error again?

  8. Support Staff 6 Posted by Tasos Laskos on 17 Jul, 2013 03:21 PM

    Never mind, I just tested it: it shouldn't require URL encoding, it should have just worked. This is a bug; I'll update this discussion once I get it fixed.

    Thanks for letting me know man.

  9. Support Staff 7 Posted by Tasos Laskos on 18 Jul, 2013 06:24 PM

    Ruby's URI implementation doesn't seem to allow that, even though the RFC only restricts the un-encoded usage of @ and : in the password field.

    I'll see if there's some way to bypass this.

  10. Support Staff 8 Posted by Tasos Laskos on 18 Jul, 2013 09:16 PM

    I updated my parser to handle special characters, but it's still not reliable; it wasn't a good idea to only allow providing userinfo via the URLs, as it's not the most reliable way of doing this -- as it turns out.

    I'll add system options for HTTP username and password to make sure things work properly. I'll let you know when it's ready.

  11. Support Staff 9 Posted by Tasos Laskos on 19 Jul, 2013 06:55 PM

    I added --http-username and --http-password options to the CLI and the relevant ones to the WebUI Profiles.

    You can try it in the nightlies: http://downloads.arachni-scanner.com/nightlies/
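    Added example (Ruby, written for this thread, not Arachni's own code) of the behaviour discussed above: Ruby's URI parser rejects a non-ASCII password embedded in the userinfo, percent-encoding the password makes the URL parseable, and taking username and password as separate values (as --http-username / --http-password do) lets you build the Basic Authorization header without URL parsing at all. The host, username and password are constructed sample values.

```ruby
require 'uri'

# Try to parse a URL that carries userinfo (http://user:pass@host/...).
# Returns [uri, nil] on success or [nil, error_message] when Ruby's URI rejects it.
def parse_with_userinfo(url)
  [URI.parse(url), nil]
rescue URI::InvalidURIError => e
  [nil, e.message]
end

# Percent-encode every byte outside the RFC 3986 "unreserved" set, so a
# password such as "p§ss" (UTF-8 bytes C2 A7) becomes "p%C2%A7ss" and can
# legally sit inside the userinfo part of a URL.
def encode_userinfo_component(str)
  str.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# Reverse the encoding on the raw value URI#password hands back.
def decode_percent(str)
  str.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding('UTF-8')
end

# The approach the thread settles on: credentials supplied separately, so no
# URL grammar is involved; the header is just Base64("user:password").
def basic_auth_header(username, password)
  'Basic ' + ["#{username}:#{password}"].pack('m0')
end

# Pull credentials back out of a URL that was built with encode_userinfo_component.
def credentials_from_url(url)
  uri, err = parse_with_userinfo(url)
  return nil if err
  [uri.user, decode_percent(uri.password)]
end

if __FILE__ == $0
  raw = 'http://user:p§ss@example.com/stuff/'          # constructed sample
  _, err = parse_with_userinfo(raw)
  puts "raw URL rejected: #{err}"
  encoded = "http://user:#{encode_userinfo_component('p§ss')}@example.com/stuff/"
  puts "encoded URL credentials: #{credentials_from_url(encoded).inspect}"
  puts "header from separate options: #{basic_auth_header('user', 'p§ss')}"
end
```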

  12. Tasos Laskos closed this discussion on 19 Jul, 2013 06:55 PM.
