Arachni: Discussion (support.arachni-scanner.com), thread "AutoLogin suggestions", last updated 2013-09-24T19:12:50Z

Comment posted 2013-09-24T16:01:29Z:
<div><p>Hi man, thanks for the kind words,</p>
<p>When you're dealing with more complex login scenarios then it's
better to use the <code>proxy</code> plugin or just script it
yourself, like you did.</p>
<p>Using the actual form inputs to identify it would be a safer bet
as most forms have those but there are a lot without an
<code>id</code> and <code>name</code>.</p>
<p>I'd really like to look into that particular case though because
I'm not sure I understand how it works. You can send me the details
in private if you wish: tasos.laskos at gmail</p>
<p>About having to use the CLI to confirm the configuration, that's
my fault. For some reason the autologin plugin wasn't sending its
errors to the error log, if it had you'd have seen these errors via
the WebUI.<br>
Also, it may be a good idea to update it to abort the scan if the
login fails instead of just printing the error and letting the scan
start.</p>
<p>About exporting the WebUI profiles to a CLI config, you can do
this as of a few days ago. You can export a Profile as YAML and
then pass it to the CLI via the <code>--load-profile</code>
option.</p>
<p>Thanks for the feedback. :)</p></div>
-- Tasos Laskos

Comment posted 2013-09-24T16:33:55Z:
<div><p>I updated the way <code>autologin</code> handles errors:
<a href="https://github.com/Arachni/arachni/commit/049380fef70312438af53f662a9431f47bb932f0">
https://github.com/Arachni/arachni/commit/049380fef70312438af53f662...</a></p></div>
-- Tasos Laskos

Comment posted 2013-09-24T17:35:40Z (edited 2013-09-24T17:39:53Z):
<div><p>That was fast! lol</p>
<p>I will definitely be testing the proxy plugin as well. I did run
into issues with it not being able to verify the login page for
these same two applications after recording it (popup would appear,
prompt for url and something else, and would indicate a failure in
testing). I'm assuming it's related to the above and will tinker
with it.</p>
<p>Regarding the case I'm talking about, you can reproduce by
simply adding an input of the form:</p>
<p><code><input type="image" src="/someimageornot.jpg"
name="imageInput"></code></p>
<p>When you click on the image (or broken image icon), you'll see
two parameters in the subsequent request:
<code>imageInput.x=..&imageInput.y=..</code> where the values
correlate to the x and y values of your mouse cursor when you
clicked on the image.</p>
<p>Here's a live example: <a href=
"http://www.w3schools.com/tags/tryit.asp?filename=tryhtml5_input_type_image">
http://www.w3schools.com/tags/tryit.asp?filename=tryhtml5_input_typ...</a></p>
<p>Before I realized what AutoLogin was doing, I was just blindly
pasting previous proxy-intercepted posts to the login form into the
AutoLogin configuration. When AutoLogin saw these parameters, it
tried to match them to the form in the HTML and couldn't find a
home for the .x and .y variants.</p>
<p>Hope that helps...thanks again!</p></div>
-- rrich

Comment posted 2013-09-24T17:42:03Z:
<div><p>Ah, so it's using JS; yeah, until v0.5 comes out there's nothing
I can do about that.</p>
<p>And even though the <code>proxy</code> will let you login and
get a session, it won't be able to figure out how to re-login on its
own if its session ends during the scan, which is the bit that
failed while you were testing it.</p></div>
-- Tasos Laskos

Comment posted 2013-09-24T17:58:09Z (edited 2013-09-24T18:01:24Z):
<div><p>No javascript required or used in the apps I was testing. It's
an image alternate to the standard 'submit' input type. I posted a
sample here:</p>
<p><a href=
"http://jsbin.com/UYUkAHo/3/">http://jsbin.com/UYUkAHo/3/</a></p>
<p>(<a href=
"http://jsbin.com/UYUkAHo/3/edit">http://jsbin.com/UYUkAHo/3/edit</a>
if you want to see the source first, the JS crud at the bottom of
the raw view above isn't used)</p></div>
-- rrich

Comment posted 2013-09-24T18:04:31Z:
<div><p>Huh, I didn't know the browser did that on its own. Anyhow, this
will still have to wait 'till v0.5, where a real browser will be
used for these things.</p></div>
-- Tasos Laskos

Comment posted 2013-09-24T18:10:55Z:
<div><p>Awesome! Sorry for dragging it out, it's just a wonky behavior
from the browser and pretty obscure, so I figured I'd point it
out...lol</p>
<p>Thanks again!</p></div>
-- rrich

Comment posted 2013-09-24T19:12:46Z:
<div><p>No no, that's good. Now I know to add some browser tests for it
in the <a href="https://github.com/Arachni/arachni/tree/v0.5">v0.5
development</a> branch.</p>
<p>Thanks again for the feedback man.</p></div>
-- Tasos Laskos
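The mismatch rrich describes above (a login form with an <code>&lt;input type="image"&gt;</code>, for which the browser submits <code>NAME.x</code> and <code>NAME.y</code> rather than <code>NAME</code>, so a recorded POST body contains parameters that a plugin matching them against the form's inputs cannot place) can be reproduced without a browser. The following is an added example and is not Arachni's code nor code from either poster: it uses only Ruby's standard library, the function names <code>parse_form_inputs</code> and <code>match_login_params</code> are hypothetical, and the form and request body are constructed for the example. With <code>fold_image_coords: false</code> it shows the failure (the <code>.x</code>/<code>.y</code> parameters end up unmatched); with the default it folds them back onto the image input.

```ruby
require 'uri'

# Extract the <input> elements of a form from its HTML.
# A small regex-based reader keeps this example stdlib-only; a real scanner
# would use an HTML parser such as Nokogiri instead.
def parse_form_inputs(html)
  html.scan(/<input\b([^>]*)>/i).flatten.map do |attrs|
    attr = {}
    attrs.scan(/(\w+)\s*=\s*"([^"]*)"/) { |k, v| attr[k.downcase] = v }
    { name: attr['name'], type: (attr['type'] || 'text').downcase }
  end.select { |input| input[:name] }
end

# Map each parameter of a captured POST body back onto a form input.
# With fold_image_coords: true, NAME.x / NAME.y are accepted for an
# <input type="image" name="NAME">, which is what browsers submit when the
# image is clicked (the values are the click coordinates).
# Returns { matched: { param => input name }, unmatched: [params] }.
def match_login_params(html, body, fold_image_coords: true)
  by_name = parse_form_inputs(html).each_with_object({}) { |i, h| h[i[:name]] = i }
  result  = { matched: {}, unmatched: [] }

  URI.decode_www_form(body).each do |param, _value|
    coord = param.match(/\A(.+)\.([xy])\z/)
    if by_name.key?(param)
      result[:matched][param] = param
    elsif fold_image_coords && coord && by_name.dig(coord[1], :type) == 'image'
      result[:matched][param] = coord[1]
    else
      result[:unmatched] << param
    end
  end
  result
end

# Constructed sample (not from the thread's applications): a login form with
# an image submit button, and the body a browser sends after clicking the
# image at pixel (12, 34).
SAMPLE_FORM = <<~HTML
  <form method="post" action="/login">
    <input type="text" name="user">
    <input type="password" name="pass">
    <input type="image" src="/someimageornot.jpg" name="imageInput">
  </form>
HTML
SAMPLE_BODY = 'user=alice&pass=s3cret&imageInput.x=12&imageInput.y=34'

if __FILE__ == $0
  # Naive matching: the coordinate parameters find no home.
  p match_login_params(SAMPLE_FORM, SAMPLE_BODY, fold_image_coords: false)
  # Coordinate-aware matching: they are attributed to the image input.
  p match_login_params(SAMPLE_FORM, SAMPLE_BODY)
end
```

The practical point for a scanner's login module is that <code>unmatched</code> should be treated as a configuration error to report (or, as discussed above, a reason to abort the scan) rather than silently ignored, so that a recorded request that does not fit the form is noticed before an unauthenticated scan runs.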