AutoLogin does not crawl

Renga Srinivas's Avatar

Renga Srinivas

20 Feb, 2013 10:46 PM

After https login I see a session id then it does not crawl to check all other pages

  1. Support Staff 1 Posted by Tasos Laskos on 20 Feb, 2013 10:52 PM

    Tasos Laskos's Avatar

    Does the login page redirect to another domain or subdomain?

  2. 2 Posted by Renga Srinivas on 20 Feb, 2013 11:03 PM

    Renga Srinivas's Avatar

    no

  3. Support Staff 3 Posted by Tasos Laskos on 20 Feb, 2013 11:06 PM

    Tasos Laskos's Avatar

    What version are you using?

  4. 4 Posted by Renga Srinivas on 20 Feb, 2013 11:07 PM

    Renga Srinivas's Avatar

    Arachni v0.4.1.3

    Cygwin on windows system

  5. 5 Posted by Renga Srinivas on 20 Feb, 2013 11:11 PM

    Renga Srinivas's Avatar

    1.0 Arachni v0.4.1.3
    Cygwin on windows 7

    2.0 I then tried the following public site http://mynameisaditya.info, after unchecking autologon

    It is coming up with Pages discovered 0

  6. Support Staff 6 Posted by Tasos Laskos on 20 Feb, 2013 11:17 PM

    Tasos Laskos's Avatar

    You are using the WebUI right? Could you please try the command-line interface?
    I think that the login is not successful but the WebUI eats the relevant error message.

    PS. The old web interface is being replaced with a much better one for the upcoming release.

  7. 7 Posted by Renga Srinivas on 20 Feb, 2013 11:19 PM

    Renga Srinivas's Avatar

    Ok I will try later. need to go now

  8. 8 Posted by Renga Srinivas on 21 Feb, 2013 03:59 AM

    Renga Srinivas's Avatar

    Hi
    I tried the CLI. There too it does not go beyond login 2 pages crawled

    Plugin results shows as below, what does this mean?. Is login successful or not
    Cookies were set to:
    JSESSIONID = 0000fJeA7irTyN6d9Std9jYVLnf:-1
    After I login there is a page with License Agreement, with two button Agree and Disagree. Not sure whether the crawler is not able to go beyond because one needs to hit agree to see all the tabs and pages of the application

    Let me know

    Thanks

  9. Support Staff 9 Posted by Tasos Laskos on 21 Feb, 2013 04:18 AM

    Tasos Laskos's Avatar

    Well, the crawler won't submit forms so it won't go past that initial page; however, the forms should have been logged and audited and newly discovered pages (resulting from that audit) should have been fed back into the system for further audit.

    It's sort of a co-operative process in order to keep passive and active operations separated.

    But still, any sort of distinguishable paths (like an "action" attribute of a form) would have been extracted and followed by the crawler, but in this case that's not happening; which leads me to believe that the buttons are neither part of a form nor a link.

    Which brings me back to this:
    Do the buttons execute any JS in order to progress to the next page?

  10. 10 Posted by Renga Srinivas on 21 Feb, 2013 04:25 PM

    Renga Srinivas's Avatar

    In the audit file I see this
    Not sure how to rectify the following


    plugins:
    autologin: :results: :code: -2 :msg: Form submitted but the response did not match the verifier. :name: AutoLogin

  11. Support Staff 11 Posted by Tasos Laskos on 21 Feb, 2013 04:36 PM

    Tasos Laskos's Avatar

    Yep, the login was not successful, are you sure you didn't see a relevant message in the output when using the CLI?

    Anyways, can you show me the whole command you're using to run Arachni?
    You can reduct the URL and credentials.

  12. 12 Posted by Renga Srinivas on 21 Feb, 2013 04:53 PM

    Renga Srinivas's Avatar

    The profile file is enclosed with URL and credential redacted

  13. Support Staff 13 Posted by Tasos Laskos on 21 Feb, 2013 05:57 PM

    Tasos Laskos's Avatar

    Thanks. What happens is that the string LogOut isn't found in the response after the login form is submitted so the plugin marks the login attempt as failed.

    So, either the login fails due to wrong or missing parameters or LogOut is a wrong choice for a verification pattern or something's wrong with the plugin.

    Since I doubt that you can give me a demo account in order to debug this, and if you're sure that the login credentials are correct, you can pass . as a pattern which would basically match anything and trick the plugin into thinking that the login was successful.

  14. 14 Posted by Renga Srinivas on 21 Feb, 2013 06:55 PM

    Renga Srinivas's Avatar

    Hi
    Now I see the following after changing as you suggested. Positive step
    But still it does not crawl beyond.

    When I do proxy I see the following

    For login post it is ivoking
    https://redacted/UserLogin.do

    with the parameters I indicated in the profile, then it is again invoking in the following license agreement page, behind agree button

    https://redacted/UserLogin.do
    with the parameters
    x=42&y=6&strAction=LicenceAgree&firsttime=agree

    plugins:
    autologin: :results: :code: 1 :msg: Form submitted successfully. :cookies: JSESSIONID: 00001-5XbvKFyronzmpXgjaIWwV:-1

  15. Support Staff 15 Posted by Tasos Laskos on 21 Feb, 2013 07:04 PM

    Tasos Laskos's Avatar

    So what you're describing would fit the case of the scanner not having a valid session and be presented with the login form again when trying to audit elements it discovered while you were using the proxy plugin?

    This can go on for a while so I have to ask, would allowing me access to the site be a possibility? Because this could have an easy solution but we won't find it by going back and forth this way.

  16. Support Staff 16 Posted by Tasos Laskos on 19 Jul, 2013 07:35 PM

    Tasos Laskos's Avatar

    The autologin plugin received a few bugfixes for the new release which should take care of this issue, others had reported the same thing and it fixed it for them.

    http://www.arachni-scanner.com/download/

  17. Tasos Laskos closed this discussion on 19 Jul, 2013 07:35 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac