autologin plugin missing required parameters in auth request

Posted by wspires on 16 Feb, 2016 04:55 PM

The way we have Arachni deployed isn't really conducive to using a custom login script, so we are somewhat dependent on how well the autologin plugin functions. We're running into an issue with a fairly simple login scenario where an additional parameter gets submitted along with the credentials; however, Arachni does not submit the additional parameter. This causes authentication to fail, so scans can't proceed.

We are using the following options to test this from the CLI:

arachni http://127.0.0.1/dup_cookie_issue/ --plugin=autologin:url="http://127.0.0.1/dup_cookie_issue/index.php",parameters="username=admin&password=test",check='>Log Out' --http-proxy=127.0.0.1:8080 --output-debug 3

We have a fairly simple login form example that 302's to a profile page on successful auth:
<!DOCTYPE html>
<html>
<head>
<title>Login Form in PHP with Session</title>
<link href="style.css" rel="stylesheet" type="text/css"/>
</head>
<body>
<div id="main">
<h1>PHP Login Session Example</h1>
<br/ ><div id="login">
<h2>Login Form</h2>
<form action="" method="post">
<label>UserName :</label>
<input id="name" name="username" placeholder="username" type="text"/><label>Password :</label>
<input id="password" name="password" placeholder="**********" type="password"/><input name="submit" type="submit" value="Login"/><span/>
</form>
</div>
</div>
</body>
</html>

This is a successful login sequence with a browser (note the POST data sent):

POST /dup_cookie_issue/index.php HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Content-Length: 45
Pragma: no-cache
Cache-Control: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.103 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/dup_cookie_issue/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=4pg83kmoegqroq3hf9cfl9g2u6


username=admin&password=test&submit=Login


HTTP/1.1 302 Found
Date: Tue, 16 Feb 2016 15:45:21 GMT
Server: Apache/2.4.10 (Ubuntu)
X-Powered-By: PHP/5.5.12-2ubuntu4.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=fjou43n1ikb8j076juh7rke9h5; path=/
location: profile.php
Content-Length: 575
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

When proxying Arachni's login sequence through mitmproxy with the autologin plugin, we get the following sequence (note the missing "submit" parameter):

POST /dup_cookie_issue/index.php HTTP/1.1
Host: 127.0.0.1
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
User-Agent: Arachni/v2.0dev
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://127.0.0.1/dup_cookie_issue/index.php
Content-Length: 32
Cookie: PHPSESSID=og80leg3gq1divm553uoc55sp1
Accept-Language: en-US,*


username=admin&password=test


HTTP/1.1 200 OK
Date: Tue, 16 Feb 2016 15:27:07 GMT
Server: Apache/2.4.10 (Ubuntu)
X-Powered-By: PHP/5.5.12-2ubuntu4.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 383
Content-Type: text/html


<!DOCTYPE html>
<html>
<head>
<title>Login Form in PHP with Session</title>
<link href="style.css" rel="stylesheet" type="text/css"/>
</head>
<body>
<div id="main">
<h1>PHP Login Session Example</h1>
<br/ ><div id="login">
<h2>Login Form</h2>
<form action="" method="post">
<label>UserName :</label>
<input id="name" name="username" placeholder="username" type="text"/><label>Password :</label>
<input id="password" name="password" placeholder="**********" type="password"/><input name="submit" type="submit" value="Login"/><span/>
</form>
</div>
</div>
</body>
</html>

Logging shows that the login request gets submitted with all parameters:

[!!] [browser#fire_event:759] Browser: [waiting for requests]: submit ({:inputs=>{"username"=>"admin", "password"=>"test", "submit"=>"Login"}}) <form action="" method="post">
[!!] [browser#wait_for_pending_requests:1346] Browser: Waiting for 0 requests to complete...
[!!] [browser#wait_for_pending_requests:1351] Browser: ...done.
[!!] [browser#fire_event:761] Browser: [done waiting for requests]: submit ({:inputs=>{"username"=>"admin", "password"=>"test", "submit"=>"Login"}}) <form action="" method="post">
[!!] [browser#fire_event:766] Browser: [done in 0.55259004s]: submit ({:inputs=>{"username"=>"admin", "password"=>"test", "submit"=>"Login"}}) <form action="" method="post">
[!] [session#login_from_configuration:383] Session: Form submitted.

I'm not sure if this is related, but prior in the log I see this error:

[!] [page/dom#restore:168] Browser: Loaded snapshot by URL: http://127.0.0.1/dup_cookie_issue/index.php
[!!] [browser#fire_event:715] Browser: [start]: submit ({:inputs=>{"username"=>"admin", "password"=>"test", "submit"=>"Login"}}) <form action="" method="post">
[!!] [browser#fill_in_form_inputs:1141] Browser: Could not fill in form input 'submit' because: Error Message => 'Element must be user-editable in order to clear it.'
caused by Request => {"headers":{"Accept":"application/json","Accept-Encoding":"gzip;q=1.0,deflate;q=0.6,identity;q=0.3","Connection":"close","Content-Length":"2","Content-Type":"application/x-www-form-urlencoded","Host":"127.0.0.1:24152","User-Agent":"Ruby"},"httpVersion":"1.1","method":"POST","post":"{}","postRaw":"{}","url":"/clear","urlParsed":{"anchor":"","query":"","file":"clear","directory":"/","path":"/clear","relative":"/clear","port":"","host":"","password":"","user":"","userInfo":"","authority":"","protocol":"","source":"/clear","queryKey":{},"chunks":["clear"]},"urlOriginal":"/session/ddc31b40-d433-11e5-9c5e-dd1f8878ace7/element/%3Awdc%3A1455575495294/clear"} (ReqHand) [Selenium::WebDriver::Error::InvalidElementStateError

Is there a workaround or fix for this issue while still using the autologin plugin?

  1. Posted by Tasos Laskos (Support Staff) on 17 Feb, 2016 01:12 AM

    The form is submitted by triggering the submit event, just like if a user had hit Enter.
    In order for a value of a button to be included, the form will need to be submitted by triggering the click event on that button (because forms can have many submit buttons).

    Fortunately, this is fixable, I'll update the session manager so that if a supplied parameter is a button, it will click it.

    So, basically you'll just need to add submit=Login to the plugin's parameter configuration and it'll work.

    I'll let you know once I've got some nightlies for you to test.

    Cheers
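    The behaviour described above (a submit event carries no button value, while clicking a button adds exactly that button's name=value pair) follows from how a browser builds the form data set. Below is an added example written for this thread; it is not Arachni's session manager code. It models a simplified version of the HTML form submission algorithm over the login form from the post (embedded as a constructed sample) and shows how plugin parameters could be split into fields to fill and a button to click. The helper names (parse_inputs, form_data_set, plan_login, encode_body) are hypothetical.

```ruby
# Added example, not Arachni code: a simplified model of the HTML form
# submission algorithm's entry-list construction, showing why a plain
# submit event omits button values while clicking a button includes it.
require 'uri'

# Constructed sample form, mirroring the login form in the post.
LOGIN_FORM_HTML = <<~HTML
  <form action="" method="post">
    <input id="name" name="username" placeholder="username" type="text"/>
    <input id="password" name="password" placeholder="**********" type="password"/>
    <input name="submit" type="submit" value="Login"/>
  </form>
HTML

# Minimal regex-based <input> extractor (hypothetical helper; avoids Nokogiri).
# Returns an array of attribute hashes keyed by lower-cased attribute name.
def parse_inputs(html)
  html.scan(/<input\b([^>]*)>/i).map do |(attrs)|
    attrs.scan(/([\w-]+)\s*=\s*"([^"]*)"/).to_h { |k, v| [k.downcase, v] }
  end
end

# Build the name/value pairs the browser would send for this form.
# `values` are the field values typed in; `submitter` is the name of the
# button that was clicked, or nil for a plain submit event (Enter in a field).
# Simplifications: unchecked checkboxes/radios and the .x/.y coordinates of
# image buttons are not modelled.
def form_data_set(inputs, values, submitter: nil)
  inputs.each_with_object([]) do |input, entries|
    name = input['name']
    next if name.nil? || name.empty?
    case (input['type'] || 'text').downcase
    when 'submit'
      # Only the button that actually triggered submission contributes.
      entries << [name, input['value'].to_s] if name == submitter
    when 'button', 'reset', 'image'
      next # never part of the data set in this model
    else
      entries << [name, values.fetch(name, input['value'].to_s)]
    end
  end
end

def encode_body(entries)
  URI.encode_www_form(entries)
end

# Split plugin-style parameters ("username=admin&password=test&submit=Login")
# into fields to fill and the button to click. Hypothetical helper that
# mirrors the fix described in the reply, not the session manager's code.
def plan_login(inputs, query_string)
  fill = {}
  click = nil
  URI.decode_www_form(query_string).each do |name, value|
    input = inputs.find { |i| i['name'] == name }
    if input && (input['type'] || 'text').downcase == 'submit'
      click = name
    else
      fill[name] = value
    end
  end
  [fill, click]
end

if $PROGRAM_NAME == __FILE__
  inputs = parse_inputs(LOGIN_FORM_HTML)
  fill, click = plan_login(inputs, 'username=admin&password=test&submit=Login')
  puts "submit event:   #{encode_body(form_data_set(inputs, fill))}"
  puts "click #{click}:   #{encode_body(form_data_set(inputs, fill, submitter: click))}"
end
```

    Running it prints `username=admin&password=test` for the submit-event path (the body seen in the mitmproxy capture) and `username=admin&password=test&submit=Login` when the `submit` button is the submitter (the body the browser sent). The point for a scanner is that a server-side check such as `isset($_POST['submit'])` only passes on the second path, so the login helper has to know which supplied parameters name buttons.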

  2. Posted by wspires on 17 Feb, 2016 01:54 PM

    Very cool. Thanks!

  3. Posted by Tasos Laskos (Support Staff) on 18 Feb, 2016 01:00 PM

    I implemented it and it seems to be working fine, I need to do some cleanup and I'll have a nightly for you by tomorrow, maybe even today.

  4. Posted by Tasos Laskos (Support Staff) on 18 Feb, 2016 07:07 PM

    Nightlies are up, let me know if they take care of the issue.

  5. Posted by wspires on 18 Feb, 2016 07:30 PM

    Cool. That worked. Thanks for the quick turnaround!

  6. Posted by Tasos Laskos (Support Staff) on 18 Feb, 2016 09:34 PM

    My pleasure. :)

  7. Tasos Laskos closed this discussion on 18 Feb, 2016 09:34 PM.
