autologin plugin missing required parameters in auth request
The way we have Arachni deployed isn't really conducive to using a custom login script, so we are somewhat dependent on how well the autologin plugin functions. We're running into an issue with a fairly simple login scenario where an additional parameter gets submitted along with the credentials; however, Arachni does not submit the additional parameter. This causes authentication to fail, so scans can't proceed.
We are using the following options to test this from the CLI:
arachni http://127.0.0.1/dup_cookie_issue/ --plugin=autologin:url="http://127.0.0.1/dup_cookie_issue/index.php",parameters="username=admin&password=test",check='>Log Out' --http-proxy=127.0.0.1:8080 --output-debug 3
We have a fairly simple login form example that 302's to a profile page on successful auth:
<!DOCTYPE html>
<html>
<head>
<title>Login Form in PHP with Session</title>
<link href="style.css" rel="stylesheet" type="text/css"/>
</head>
<body>
<div id="main">
<h1>PHP Login Session Example</h1>
<br/>
<div id="login">
<h2>Login Form</h2>
<form action="" method="post">
<label>UserName :</label>
<input id="name" name="username" placeholder="username" type="text"/><label>Password :</label>
<input id="password" name="password" placeholder="**********" type="password"/><input name="submit" type="submit" value="Login"/><span/>
</form>
</div>
</div>
</body>
</html>
This is a successful login sequence with a browser (note the POST data sent):
POST /dup_cookie_issue/index.php HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Content-Length: 45
Pragma: no-cache
Cache-Control: no-cache
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.103 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/dup_cookie_issue/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: PHPSESSID=4pg83kmoegqroq3hf9cfl9g2u6
username=admin&password=test&submit=Login
HTTP/1.1 302 Found
Date: Tue, 16 Feb 2016 15:45:21 GMT
Server: Apache/2.4.10 (Ubuntu)
X-Powered-By: PHP/5.5.12-2ubuntu4.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=fjou43n1ikb8j076juh7rke9h5; path=/
location: profile.php
Content-Length: 575
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
When proxying Arachni's login sequence (using mitmproxy) with the autologin plugin, we get the following sequence (note the missing "submit" parameter):
POST /dup_cookie_issue/index.php HTTP/1.1
Host: 127.0.0.1
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
User-Agent: Arachni/v2.0dev
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://127.0.0.1/dup_cookie_issue/index.php
Content-Length: 32
Cookie: PHPSESSID=og80leg3gq1divm553uoc55sp1
Accept-Language: en-US,*
username=admin&password=test
HTTP/1.1 200 OK
Date: Tue, 16 Feb 2016 15:27:07 GMT
Server: Apache/2.4.10 (Ubuntu)
X-Powered-By: PHP/5.5.12-2ubuntu4.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 383
Content-Type: text/html
<!DOCTYPE html>
<html>
<head>
<title>Login Form in PHP with Session</title>
<link href="style.css" rel="stylesheet" type="text/css"/>
</head>
<body>
<div id="main">
<h1>PHP Login Session Example</h1>
<br/>
<div id="login">
<h2>Login Form</h2>
<form action="" method="post">
<label>UserName :</label>
<input id="name" name="username" placeholder="username" type="text"/><label>Password :</label>
<input id="password" name="password" placeholder="**********" type="password"/><input name="submit" type="submit" value="Login"/><span/>
</form>
</div>
</div>
</body>
</html>
Logging shows that the login request gets submitted with all parameters:
[!!] [browser#fire_event:759] Browser: [waiting for requests]: submit ({:inputs=>{"username"=>"admin", "password"=>"test", "submit"=>"Login"}}) <form action="" method="post">
[!!] [browser#wait_for_pending_requests:1346] Browser: Waiting for 0 requests to complete...
[!!] [browser#wait_for_pending_requests:1351] Browser: ...done.
[!!] [browser#fire_event:761] Browser: [done waiting for requests]: submit ({:inputs=>{"username"=>"admin", "password"=>"test", "submit"=>"Login"}}) <form action="" method="post">
[!!] [browser#fire_event:766] Browser: [done in 0.55259004s]: submit ({:inputs=>{"username"=>"admin", "password"=>"test", "submit"=>"Login"}}) <form action="" method="post">
[!] [session#login_from_configuration:383] Session: Form submitted.
I'm not sure if this is related, but earlier in the log I see this error:
[!] [page/dom#restore:168] Browser: Loaded snapshot by URL: http://127.0.0.1/dup_cookie_issue/index.php
[!!] [browser#fire_event:715] Browser: [start]: submit ({:inputs=>{"username"=>"admin", "password"=>"test", "submit"=>"Login"}}) <form action="" method="post">
[!!] [browser#fill_in_form_inputs:1141] Browser: Could not fill in form input 'submit' because: Error Message => 'Element must be user-editable in order to clear it.'
caused by Request => {"headers":{"Accept":"application/json","Accept-Encoding":"gzip;q=1.0,deflate;q=0.6,identity;q=0.3","Connection":"close","Content-Length":"2","Content-Type":"application/x-www-form-urlencoded","Host":"127.0.0.1:24152","User-Agent":"Ruby"},"httpVersion":"1.1","method":"POST","post":"{}","postRaw":"{}","url":"/clear","urlParsed":{"anchor":"","query":"","file":"clear","directory":"/","path":"/clear","relative":"/clear","port":"","host":"","password":"","user":"","userInfo":"","authority":"","protocol":"","source":"/clear","queryKey":{},"chunks":["clear"]},"urlOriginal":"/session/ddc31b40-d433-11e5-9c5e-dd1f8878ace7/element/%3Awdc%3A1455575495294/clear"} (ReqHand) [Selenium::WebDriver::Error::InvalidElementStateError
Is there a workaround or fix for this issue while still using the autologin plugin?
Support Staff 1 Posted by Tasos Laskos on 17 Feb, 2016 01:12 AM
The form is submitted by triggering the submit event, just like if a user had hit Enter. In order for a value of a button to be included, the form will need to be submitted by triggering the click event on that button (because forms can have many submit buttons). Fortunately, this is fixable; I'll update the session manager so that if a supplied parameter is a button, it will click it.
So, basically you'll just need to add submit=Login to the plugin's parameter configuration and it'll work. I'll let you know once I've got some nightlies for you to test.
Cheers
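The submit-versus-click rule described above, as an added example that is not part of this discussion or of Arachni's code: it models how a browser builds the form data set for the login form from the original post (copied here as a constructed string) and includes a pre-flight check that reports any named submit button the autologin "parameters" string does not cover. The function names and the CREDS mapping are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

# Constructed copy of the login form from the post above (not a live target).
LOGIN_FORM = """<form action="" method="post">
<input id="name" name="username" placeholder="username" type="text"/>
<input id="password" name="password" placeholder="**********" type="password"/>
<input name="submit" type="submit" value="Login"/>
</form>"""


class _FormFields(HTMLParser):
    """Collect (name, default value, type) of named <input>s in the first <form>."""
    def __init__(self):
        super().__init__()
        self.in_form, self.fields = False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form and a.get("name"):
            self.fields.append((a["name"], a.get("value") or "", (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        self.in_form = self.in_form and tag != "form"


def parse_login_form(html):
    parser = _FormFields()
    parser.feed(html)
    return parser.fields


def form_data_set(fields, values, submitter=None):
    """Body a browser builds from the form data set: a button contributes its
    name/value only when it is the submitter. A bare 'submit' event has none,
    so 'submit=Login' is dropped; clicking the button (submitter="submit") keeps it."""
    pairs = []
    for name, default, typ in fields:
        if typ in ("submit", "button", "image"):
            if name == submitter:
                pairs.append((name, default))
        else:
            pairs.append((name, values.get(name, default)))
    return urlencode(pairs)


def missing_buttons(fields, autologin_params):
    """Pre-flight check: submit buttons the autologin 'parameters' string does not name."""
    supplied = dict(parse_qsl(autologin_params, keep_blank_values=True))
    return [n for n, _, t in fields if t == "submit" and n not in supplied]
```

Running missing_buttons against the original parameters string returns ["submit"], which is exactly the field the proxied Arachni request lacked; with submit=Login added it returns an empty list.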
2 Posted by wspires on 17 Feb, 2016 01:54 PM
Very cool. Thanks!
Support Staff 3 Posted by Tasos Laskos on 18 Feb, 2016 01:00 PM
I implemented it and it seems to be working fine, I need to do some cleanup and I'll have a nightly for you by tomorrow, maybe even today.
Support Staff 4 Posted by Tasos Laskos on 18 Feb, 2016 07:07 PM
Nightlies are up, let me know if they take care of the issue.
5 Posted by wspires on 18 Feb, 2016 07:30 PM
Cool. That worked. Thanks for the quick turnaround!
Support Staff 6 Posted by Tasos Laskos on 18 Feb, 2016 09:34 PM
My pleasure. :)
Tasos Laskos closed this discussion on 18 Feb, 2016 09:34 PM.