Problem with http authentication
I have a problem with HTTP authentication. When I use a browser to log in to the application there is a pop-up window to enter the username and password. So using Arachni through the command line I used the parameters --http-authentication-username and --http-authentication-password.
I ran Arachni like this:
arachni http://000.000.00.0:0000/ \
  --http-authentication-username "my_user_name" \
  --http-authentication-password "my_password" \
  --scope-exclude-pattern=logout
Unfortunately authentication failed and Arachni did not perform a security scan; it only visited the home page (http://my_page/). In the generated report, in the sitemap section, there is only this home page with the HTTP status code 401.
Is there any other parameter I should set? Or is it possible that the problem is due to special characters in the password, like an exclamation mark?
I have also tried passing credentials in the URL, but I get the same output, also a 401 status code. Am I right that in this case it is not possible to use the autologin plugin, because I don't have a login form, just HTTP authentication?
This is my first time using Arachni and I have no idea where the problem is. I would be grateful for any help and suggestions.
Support Staff 1 Posted by Tasos Laskos on 02 Mar, 2016 02:14 PM
Hello,
Yeah this isn't a situation where the autologin plugin would help.
The site isn't using NTLM authentication by any chance, is it?
Cheers
2 Posted by ktabc123 on 07 Mar, 2016 08:39 AM
Thank you for the response. The authentication header starts with NTLM, so I suppose the site uses NTLM. Is this a problem?
Support Staff 3 Posted by Tasos Laskos on 07 Mar, 2016 12:19 PM
Authentication type is supposed to be auto-detected, although it was brought to my attention recently that this doesn't always work.
The nightlies now include the --http-authentication-type option so that the user can explicitly specify the proper type. Give that a try and let me know how it works.
Cheers
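One way to confirm which scheme the server is asking for before picking a value for --http-authentication-type is to read the WWW-Authenticate headers of the 401 response. This is an added example, not part of the thread or of Arachni's code; the sample responses are constructed, and passing the lowercase scheme name (such as ntlm) as the option value is an assumption.

```python
import re

# Constructed sample 401 responses (not taken from the thread).
SAMPLE_NTLM = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_MIXED = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'www-authenticate: Digest realm="a, b", qop="auth", nonce="x", Basic realm="c"\r\n'
    "\r\n"
)

TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
# A challenge starts with a scheme token followed by whitespace or end of text;
# an auth-param is token=value, so a token followed by "=" is not a scheme.
CHALLENGE_START = re.compile(r"^(" + TOKEN + r")(?:\s+(?![\s=])|$)")
# Comma-separated pieces, ignoring commas inside quoted strings.
PART = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')


def offered_schemes(raw_response):
    """Return the auth schemes offered by a 401 response, lowercase, in order."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        # A server may send several headers, or several challenges in one.
        for part in PART.findall(value):
            m = CHALLENGE_START.match(part.strip())
            if m and m.group(1).lower() not in schemes:
                schemes.append(m.group(1).lower())
    return schemes


if __name__ == "__main__":
    for sample in (SAMPLE_NTLM, SAMPLE_MIXED):
        for scheme in offered_schemes(sample):
            # Assumed option value: the lowercase scheme name.
            print("candidate: --http-authentication-type", scheme)
```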
4 Posted by ktabc123 on 07 Mar, 2016 04:57 PM
Now it works. Thank you very much for the help :)
Support Staff 5 Posted by Tasos Laskos on 07 Mar, 2016 04:57 PM
Excellent. :)
Tasos Laskos closed this discussion on 07 Mar, 2016 04:57 PM.