<h1>Arachni and Anti-CSRF</h1>
<p>Arachni: Discussion, last updated 2014-06-27T23:30:28Z</p>
<p>Comment, 2014-05-15T17:51:55Z:</p>
<div><p>Hm, the problem might be that the forms have more than 1 token
that needs to be refreshed.</p>
<p>Let me play around with this for a bit and get back to you.</p>
<p>Cheers</p></div>
<p>Tasos Laskos</p>
<p>Comment, 2014-05-15T18:04:36Z:</p>
<div><p>Thanks for the fast answer! :-)</p></div>
<p>Merok</p>
<p>Comment, 2014-05-15T21:55:47Z:</p>
<div><p>Yep, that was probably it. I've updated it to refresh all nonce
fields and once all the tests pass I'll push a nightly for you to
test.</p>
<p>I'll update this ticket to let you know.</p>
<p>Thanks for the feedback.</p></div>
<p>Tasos Laskos</p>
<p>Comment, 2014-05-16T00:24:53Z:</p>
<div><p>Nightlies are up: <a href=
"http://downloads.arachni-scanner.com/nightlies/">http://downloads.arachni-scanner.com/nightlies/</a></p>
<p>Give them a try when you get a chance and let me know if there's
any difference.</p>
<p>Cheers</p>
<p>PS. The 32-bit package is temporarily broken.</p></div>
<p>Tasos Laskos</p>
<p>Comment, 2014-05-16T07:31:18Z (edited 2014-05-16T09:08:23Z):</p>
<div><p>Thanks for the fast replies.</p>
<p>I've tried the Nightlies but I still can't get logged in.</p>
<p>Maybe my settings are wrong?</p>
<p>If I've understood the procedure correctly, in order to handle
anti-CSRF I need to use the csrf module. To use this module I need
to be authenticated with a cookie jar.</p>
<p>So I use the command:</p>
<pre>
<code>/arachni --load-profile=/root/Desktop/a/arachni/profileNoToken.yaml --cookie-jar=/root/Desktop/a/arachni/cookies.txt --report=afr:outfile=test.com.afr http://www.xxxx.org/</code>
</pre>
<h2><a class="anchor" name="and-here-is-my-yaml-configuration-"
href="#and-here-is-my-yaml-configuration-" id=
"and-here-is-my-yaml-configuration-"></a>and here is my .yaml
configuration:</h2>
<pre>
<code>audit_links: true
audit_forms: true
audit_cookies: true
audit_headers: false
modules:
- code_injection
- code_injection_php_input_wrapper
- code_injection_timing
- csrf
- file_inclusion
- os_cmd_injection
- os_cmd_injection_timing
- path_traversal
- rfi
- session_fixation
- sqli
- sqli_blind_rdiff
- sqli_blind_timing
- unvalidated_redirect
- common_directories
- directory_listing
- htaccess_limit
- http_only_cookies
- insecure_cookies
- password_autocomplete
- unencrypted_password_forms
include:
- http://www.xxxx.org
- http://www.xxxx.org
- http://www.xxxx.org
- http://www.xxxx.org
- http://www.xxxx.org
follow_subdomains: false
fuzz_methods: false
audit_cookies_extensively: false
exclude_binaries: false
https_only: false
no_fingerprinting: false
platforms:
- php
name: anticsrfONLYPROFIL
description: anticsrf ONLY PROFIL</code>
</pre>
<p>To get the cookie, I first log in on the website. Then I use
Firebug and use "export cookies for this Site".</p>
<p>Am I doing something wrong?</p>
<p>Last thing, I would like to know how Arachni appends
anti-CSRF tokens. In the CakePHP documentation (the framework that
is used on the website I'm testing), <a href=
"http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html">
http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html</a>,
it is specified that "Hidden token fields will automatically be
inserted into forms and checked by the Security component". But
since the scanner just sends POST requests (and does not click on
the "send" button of the form), how does it generate valid
tokens?</p>
<p>Thank you very much for the help!</p></div>
<p>Merok</p>
<p>Comment, 2014-05-16T14:50:21Z:</p>
<div><p>Ah, now I see, you've misunderstood how this works.<br>
The CSRF module checks if business-relevant forms lack anti-CSRF
tokens; the modules are the components that perform security
checks.</p>
<p>Your issue is with configuring the scanner to maintain a valid
session, for that you should consult: <a href=
"http://support.arachni-scanner.com/kb/general-use/logging-in-and-maintaining-a-valid-session">
http://support.arachni-scanner.com/kb/general-use/logging-in-and-maintaining-a-valid-session</a></p>
<p>Pay close attention to the parts about excluding resources that
can terminate the session.</p>
<p>After you've got a valid configuration let me know if the issue
persists.</p>
<p>Cheers</p></div>
<p>Tasos Laskos</p>
<p>Comment, 2014-05-17T15:15:00Z:</p>
<div><p>But how can the scanner send a valid POST request if there are
hidden unique anti-CSRF tokens added to all POST requests?</p>
<p>For example, for authentication with the autologin plugin: "-- A
URL-query-like string of form parameters" will not work since the
form parameters have non-static elements (i.e. the unique
tokens).</p>
<p>I've tried with the cookie-jar method but I could not
authenticate either.</p></div>
<p>Merok</p>
<p>Comment, 2014-05-17T15:27:14Z:</p>
<div><p>It doesn't matter, any form that has nonces will be refreshed
with new nonces before being submitted. You'd just provide your
credentials to the autologin plugin along with the rest of the
configuration and it'll do the rest.</p>
<p>And if it doesn't work then there's probably a bug somewhere
that I can fix and once I do we'll have you on your way.</p></div>
<p>Tasos Laskos</p>
<p>Comment, 2014-05-19T09:43:30Z (edited 2014-05-19T14:30:31Z):</p>
<div><p>I have some trouble understanding what to put in the options of
the authentication plugin. If the POST request from the
authentication form looks like this:</p>
<pre>
<code>_method=POST&data%5B_Token%5D%5Bkey%5D=f436b5912706ffb0135edfdaab6e005b018f8658&data%5BUser%5D%5Busername%5D=mylogin&data%5BUser%5D%5Bpassword%5D=mypass&data%5BUser%5D%5Bremember_me%5D=0&data%5B_Token%5D%5Bfields%5D=752f019d1fec9adf75f27a330ea9acbb179be51e%253A&data%5B_Token%5D%5Bunlocked%5D=</code>
</pre>
<p>in clear text:</p>
<pre>
<code>_method=POST&data[_Token][key]=f436b5912706ffb0135edfdaab6e005b018f8658&data[User][username]=mylogin&data[User][password]=mypasswd&data[User][remember_me]=0&data[_Token][fields]=752f019d1fec9adf75f27a330ea9acbb179be51e%3A&data[_Token][unlocked]=</code>
</pre>
<p>What should I write in the "params" field of the plugin?</p>
<p>Another question: if I use the authentication plugin, do I need to
fill in the parameters in the "login check" section (since I already
provided a check pattern in the authentication plugin)?</p>
<p>Thanks for your help!</p></div>
<p>Merok</p>
<p>Comment, 2014-05-19T15:53:21Z:</p>
<div><p>Same thing you'd put in the form if you were using the browser,
the login credentials:</p>
<pre>
<code>data[User][username]=mylogin&data[User][password]=mypasswd</code>
</pre>
<p>As for the login check, you don't have to specify it twice, the
<code>autologin</code> plugin will pass it along to the system.</p>
<p>Cheers</p></div>
<p>Tasos Laskos</p>
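<p>What the thread settles on (any form carrying nonces is re-read and its tokens refreshed right before submission, while the autologin <code>params</code> string holds only the static credentials), as an added example that is not Arachni's own code: the hidden CakePHP <code>_Token</code> fields are taken from a fresh render of the login form and the credentials string is merged into them. The form HTML and token values are constructed sample data, and the field names follow the CakePHP 2.x layout quoted above.</p>

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Added example, not Arachni code. Field names follow the CakePHP 2.x
# SecurityComponent layout quoted in the thread; form HTML and token
# values are constructed sample data.


class HiddenFieldCollector(HTMLParser):
    """Collects name/value pairs of <input type="hidden"> elements."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""


def hidden_fields(form_html):
    """Hidden fields of the form as served *right now*; CakePHP's _Token
    values change per render, so anything cached earlier is stale."""
    parser = HiddenFieldCollector()
    parser.feed(form_html)
    return parser.hidden


def build_login_body(fresh_form_html, credentials):
    """Merge the static credentials (the autologin 'params' string) with
    the nonces of the current render. Nonces are applied last, so a
    stale token pasted into the params string is replaced by the fresh one."""
    body = dict(parse_qsl(credentials, keep_blank_values=True))
    body.update(hidden_fields(fresh_form_html))   # _method, data[_Token][*]
    return urlencode(body)                        # x-www-form-urlencoded


def decode_body(body):
    """Inverse of build_login_body, for inspection."""
    return dict(parse_qsl(body, keep_blank_values=True))


# Constructed render of a CakePHP login form (token values made up).
LOGIN_FORM = """<form method="post" action="/users/login">
 <input type="hidden" name="_method" value="POST">
 <input type="hidden" name="data[_Token][key]" value="f436b5912706ffb0135edfdaab6e005b018f8658">
 <input type="text" name="data[User][username]">
 <input type="password" name="data[User][password]">
 <input type="hidden" name="data[_Token][fields]" value="752f019d1fec9adf75f27a330ea9acbb179be51e%3A">
 <input type="hidden" name="data[_Token][unlocked]" value="">
</form>"""
CREDENTIALS = "data[User][username]=mylogin&data[User][password]=mypasswd"
```

<p>Because the <code>fields</code> value already contains <code>%3A</code>, encoding the body turns it into <code>%253A</code>, which is exactly the double-encoded form seen in the captured request above.</p>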