Passing Login Credentials when using the Arachni GEM

arhn7

14 May, 2013 04:56 PM

Hi Guys,

I have written a bunch of scripts using the Arachni GEM for launching scans. So far I have been using the opts.cookie_string option to pass a cookie string to enable Arachni to log in to an application. Now, I have a need to provide the credentials (just like the auto-login feature). I was thinking I could pass credentials to Session (https://github.com/Arachni/arachni/blob/master/lib/arachni/session.rb) as opts. Would that work? If not, how can I set the site credentials through my script? My script goes along these lines:

    include Arachni
    scanner = Framework.new
    scanner.opts.url = target
    scanner.opts.cookie_string = params[:cookie_string]
    scanner.opts.audit = params[:audit_options]
    scanner.opts.link_count_limit = params[:link_count]
    scanner.opts.depth_limit = params[:depth_limit]
    scanner.opts.redirect_limit = params[:redirect_limit]
    scanner.opts.follow_subdomains = params[:follow_subdomains]
    scanner.run

Basically I make a hash of all the required params and I want to pass the username and password through these params.

  1. Support Staff 1 Posted by Tasos Laskos on 14 May, 2013 05:14 PM

    Hey,

    You can either just use the auto-login plugin:

    scanner.opts.plugins['autologin'] = {
        'url'    => 'http://stuff.com/login',
        'params' => 'username2=john&password=doe',
        'check'  => 'Hi there logged-in user'
    }
    

    Or, if you need finer control, use the Session class directly; you can check out the code of the autologin plugin for hints as to how to do it.

    See also:

  2. 2 Posted by arhn7 on 14 May, 2013 05:17 PM

    Sounds good. Thanks again for your prompt response. :)

  3. Support Staff 3 Posted by Tasos Laskos on 14 May, 2013 05:25 PM

    No problem, let me know if you run into any issues.

    Also, it might interest you to know that you can do the same thing like so:

    # By passing a block we ask the Framework to reset itself once the block
    # is executed so that it'll be ready for re-use.
    Arachni::Framework.new do |f|
        f.opts.set url:             'http://testfire.net',
                   audit:           [:links, :forms, :cookies],
                   link_count_limit: 1
    
        f.modules.load 'xss*'
        f.run
    
        f.auditstore.issues.each do |i|
            puts "#{i.name.capitalize} in #{i.elem} input '#{i.var}' submitted to '#{i.url}'."
        end
    end
    

    I think it looks cleaner that way.

  4. Tasos Laskos closed this discussion on 14 May, 2013 05:25 PM.
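
The following is an added example, not code from the thread or from the Arachni project: one way to build the autologin option hash shown in the first reply from a credentials hash, form-encoding the values so special characters in a password cannot corrupt the `params` string, plus a redacted copy for logging. The helper names, form field names and sample values are hypothetical, and it assumes the plugin parses `params` as a URL-encoded query string.

```ruby
require 'uri'

# Hypothetical helper (not part of Arachni): turns a credentials hash into the
# option hash shape shown for the autologin plugin ('url', 'params', 'check').
def autologin_options(login_url, credentials, check)
  uri = URI.parse(login_url)
  raise ArgumentError, 'login URL must be http(s)' unless uri.is_a?(URI::HTTP)
  raise ArgumentError, 'check string is empty' if check.to_s.strip.empty?

  credentials.each do |field, value|
    raise ArgumentError, "missing value for #{field}" if value.to_s.empty?
  end

  {
    'url'    => uri.to_s,
    # Form-encode so '&', '=', '+' or spaces in a password cannot split or
    # corrupt the field=value pairs.
    'params' => URI.encode_www_form(credentials),
    'check'  => check
  }
end

# Copy of the options that is safe to print or log: every form value is masked.
def redacted(options)
  masked = URI.decode_www_form(options['params']).map { |field, _| [field, '***'] }
  options.merge('params' => masked.map { |pair| pair.join('=') }.join('&'))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; in a real script read them from the environment
  # (e.g. ENV.fetch('SCAN_PASS'), a hypothetical variable name), not from source.
  opts = autologin_options('http://stuff.com/login',
                           { 'username' => 'john', 'password' => 'p&ss=w rd+1' },
                           'Hi there logged-in user')
  puts redacted(opts).inspect
  # With the gem loaded: scanner.opts.plugins['autologin'] = opts
end
```

Logging the `redacted` copy instead of the real hash keeps the password out of scan logs and CI output.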
