Passing Login Credentials when using the Arachni GEM

arhn7's Avatar


14 May, 2013 04:56 PM

Hi Guys,

I have written a bunch of scripts using the Arachni GEM for launching scans, so far I have been using the opts.cookie_string option to pass a cookie string to enable Arachni to login into an application. Now, I have a need to provide the credentials (just like the auto-login feature). I was thinking I could pass credentials to Session( as opts. Would that work ? If not how can set the site credentials through my script. My script goes along these lines:

include Arachni
        scanner =
scanner.opts.url = target
                scanner.opts.cookie_string = params[:cookie_string]
                scanner.opts.audit = params[:audit_options]
scanner.opts.link_count_limit = params[:link_count]
scanner.opts.depth_limit = params[:depth_limit]
scanner.opts.redirect_limit = params[:redirect_limit]
scanner.opts.follow_subdomains = params[:follow_subdomains]
Basically I make a hash of all the required params and I want to pass the username and password through these params.

  1. Support Staff 1 Posted by Tasos Laskos on 14 May, 2013 05:14 PM

    Tasos Laskos's Avatar


    You can either just use the auto-login plugin:

    scanner.opts.plugins['autologin'] = {
        'url'    => '',
        'params' => 'username2=john&password=doe',
        'check'  => 'Hi there logged-in user'

    Or, if you need finer control, use the Session class directly, you can checkout the code of the autologin plugin for hints as to how to do it.

    See also:

  2. 2 Posted by arhn7 on 14 May, 2013 05:17 PM

    arhn7's Avatar

    Sounds good. Thanks again for your prompt response. :)

  3. Support Staff 3 Posted by Tasos Laskos on 14 May, 2013 05:25 PM

    Tasos Laskos's Avatar

    No problem, let me know if you run into any issues.

    Also, it might interest you to know that you can do the same thing like so:

    # By passing a block we ask the Framework to reset itself once the block
    # is executed so that it'll be ready for re-use. do |f|
        f.opts.set url:             '',
                   audit:           [:links, :forms, :cookies],
                   link_count_limit: 1
        f.modules.load 'xss*'
        f.auditstore.issues.each do |i|
            puts "#{} in #{i.elem} input '#{i.var}' submitted to '#{i.url}'."

    I think it looks cleaned that way.

  4. Tasos Laskos closed this discussion on 14 May, 2013 05:25 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac