AutoLogin does not crawl
After https login I see a session id then it does not crawl to check all other pages
Comments are currently closed for this discussion. You can start a new one.
Keyboard shortcuts
Generic
? | Show this help |
---|---|
ESC | Blurs the current field |
Comment Form
r | Focus the comment reply box |
---|---|
^ + ↩ | Submit the comment |
You can use Command ⌘
instead of Control ^
on Mac
Support Staff 1 Posted by Tasos Laskos on 20 Feb, 2013 10:52 PM
Does the login page redirect to another domain or subdomain?
2 Posted by Renga Srinivas on 20 Feb, 2013 11:03 PM
no
Support Staff 3 Posted by Tasos Laskos on 20 Feb, 2013 11:06 PM
What version are you using?
4 Posted by Renga Srinivas on 20 Feb, 2013 11:07 PM
Arachni v0.4.1.3
Cygwin on windows system
5 Posted by Renga Srinivas on 20 Feb, 2013 11:11 PM
1.0 Arachni v0.4.1.3
Cygwin on windows 7
2.0 I then tried the following public site http://mynameisaditya.info, after unchecking autologon
It is coming up with Pages discovered 0
Support Staff 6 Posted by Tasos Laskos on 20 Feb, 2013 11:17 PM
You are using the WebUI right? Could you please try the command-line interface?
I think that the login is not successful but the WebUI eats the relevant error message.
PS. The old web interface is being replaced with a much better one for the upcoming release.
7 Posted by Renga Srinivas on 20 Feb, 2013 11:19 PM
Ok I will try later. need to go now
8 Posted by Renga Srinivas on 21 Feb, 2013 03:59 AM
Hi
I tried the CLI. There too it does not go beyond login 2 pages crawled
Plugin results shows as below, what does this mean?. Is login successful or not
Cookies were set to:
JSESSIONID = 0000fJeA7irTyN6d9Std9jYVLnf:-1
After I login there is a page with License Agreement, with two button Agree and Disagree. Not sure whether the crawler is not able to go beyond because one needs to hit agree to see all the tabs and pages of the application
Let me know
Thanks
Support Staff 9 Posted by Tasos Laskos on 21 Feb, 2013 04:18 AM
Well, the crawler won't submit forms so it won't go past that initial page; however, the forms should have been logged and audited and newly discovered pages (resulting from that audit) should have been fed back into the system for further audit.
It's sort of a co-operative process in order to keep passive and active operations separated.
But still, any sort of distinguishable paths (like an "action" attribute of a form) would have been extracted and followed by the crawler, but in this case that's not happening; which leads me to believe that the buttons are neither part of a form nor a link.
Which brings me back to this:
Do the buttons execute any JS in order to progress to the next page?
10 Posted by Renga Srinivas on 21 Feb, 2013 04:25 PM
In the audit file I see this
Not sure how to rectify the following
plugins:
autologin: :results: :code: -2 :msg: Form submitted but the response did not match the verifier. :name: AutoLogin
Support Staff 11 Posted by Tasos Laskos on 21 Feb, 2013 04:36 PM
Yep, the login was not successful, are you sure you didn't see a relevant message in the output when using the CLI?
Anyways, can you show me the whole command you're using to run Arachni?
You can reduct the URL and credentials.
12 Posted by Renga Srinivas on 21 Feb, 2013 04:53 PM
The profile file is enclosed with URL and credential redacted
Support Staff 13 Posted by Tasos Laskos on 21 Feb, 2013 05:57 PM
Thanks. What happens is that the string
LogOut
isn't found in the response after the login form is submitted so the plugin marks the login attempt as failed.So, either the login fails due to wrong or missing parameters or
LogOut
is a wrong choice for a verification pattern or something's wrong with the plugin.Since I doubt that you can give me a demo account in order to debug this, and if you're sure that the login credentials are correct, you can pass
.
as a pattern which would basically match anything and trick the plugin into thinking that the login was successful.14 Posted by Renga Srinivas on 21 Feb, 2013 06:55 PM
Hi
Now I see the following after changing as you suggested. Positive step
But still it does not crawl beyond.
When I do proxy I see the following
For login post it is ivoking
https://redacted/UserLogin.do
with the parameters I indicated in the profile, then it is again invoking in the following license agreement page, behind agree button
https://redacted/UserLogin.do
with the parameters
x=42&y=6&strAction=LicenceAgree&firsttime=agree
plugins:
autologin: :results: :code: 1 :msg: Form submitted successfully. :cookies: JSESSIONID: 00001-5XbvKFyronzmpXgjaIWwV:-1
Support Staff 15 Posted by Tasos Laskos on 21 Feb, 2013 07:04 PM
So what you're describing would fit the case of the scanner not having a valid session and be presented with the login form again when trying to audit elements it discovered while you were using the proxy plugin?
This can go on for a while so I have to ask, would allowing me access to the site be a possibility? Because this could have an easy solution but we won't find it by going back and forth this way.
Support Staff 16 Posted by Tasos Laskos on 19 Jul, 2013 07:35 PM
The
autologin
plugin received a few bugfixes for the new release which should take care of this issue, others had reported the same thing and it fixed it for them.http://www.arachni-scanner.com/download/
Tasos Laskos closed this discussion on 19 Jul, 2013 07:35 PM.