Problem with http authentication

ktabc123

02 Mar, 2016 02:08 PM

I have a problem with HTTP authentication. When I use a browser to log in to the application, there is a pop-up window to enter the username and password. So, using Arachni through the command line, I used the parameters --http-authentication-username and --http-authentication-password.

I ran Arachni like this:
arachni http://000.000.00.0:0000/ --http-authentication-username "my_user_name" --http-authentication-password "my_password" --scope-exclude-pattern=logout

Unfortunately, authentication failed and Arachni did not perform a security scan; it only visited the home page (http://my_page/). In the generated report, in the sitemap section, there is only this home page with the HTTP status code 401.

Is there any other parameter I should set? Or is it possible that the problem is due to special characters in the password, like an exclamation mark?

I have also tried passing credentials in the URL, but I get the same output, also a 401 status code. Am I right that in this case it is not possible to use the autologin plugin, because I don’t have a login form, just HTTP authentication?

This is my first time using Arachni and I have no idea where the problem is. I would be grateful for any help and suggestions.

  1. Support Staff 1 Posted by Tasos Laskos on 02 Mar, 2016 02:14 PM

    Hello,

    Yeah this isn't a situation where the autologin plugin would help.
    The site isn't using NTLM authentication by any chance is it?

    Cheers

  2. 2 Posted by ktabc123 on 07 Mar, 2016 08:39 AM

    Thank you for the response. The authentication header starts with NTLM, so I suppose the site uses NTLM. Is this a problem?

  3. Support Staff 3 Posted by Tasos Laskos on 07 Mar, 2016 12:19 PM

    Authentication type is supposed to be auto-detected although it was brought to my attention recently that this doesn't always work.
    The nightlies now include the --http-authentication-type option so that the user can explicitly specify the proper type.

    Give that a try and let me know how it works.

    Cheers

  4. 4 Posted by ktabc123 on 07 Mar, 2016 04:57 PM

    Now it works. Thank you very much for the help :)

  5. Support Staff 5 Posted by Tasos Laskos on 07 Mar, 2016 04:57 PM

    Excellent. :)

  6. Tasos Laskos closed this discussion on 07 Mar, 2016 04:57 PM.
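
An added example, not part of the original thread and not Arachni's own code: a Ruby check that reads the WWW-Authenticate challenges of a 401 response to see which scheme the server asks for, which is what an explicit --http-authentication-type has to match. The response text is constructed sample data and the function names are hypothetical.

```ruby
# Constructed sample: a 401 as a server using Windows authentication might
# send it. Not captured from the poster's site.
SAMPLE_401 = <<~RESPONSE
  HTTP/1.1 401 Unauthorized
  Content-Type: text/html
  WWW-Authenticate: Negotiate
  WWW-Authenticate: NTLM
  Content-Length: 0

RESPONSE

# Scheme names this check recognises (compared case-insensitively).
KNOWN_SCHEMES = %w[basic digest ntlm negotiate bearer].freeze

# Returns the auth schemes offered by a raw HTTP response, in header order.
# Anything that is not a 401 yields an empty list.
def offered_schemes(raw_response)
  head   = raw_response.split(/\r?\n\r?\n/, 2).first.to_s
  lines  = head.split(/\r?\n/)
  status = lines.shift.to_s[/\AHTTP\/\d(?:\.\d)?\s+(\d{3})/, 1]
  return [] unless status == '401'

  found = lines.flat_map do |line|
    name, value = line.split(':', 2)
    next [] unless value && name.strip.casecmp?('WWW-Authenticate')
    # Blank out quoted strings so commas inside a realm cannot look like a
    # new challenge, then take tokens that start a challenge (no "=" after).
    bare = value.gsub(/"(?:\\.|[^"\\])*"/, '""')
    bare.scan(/(?:\A|,)\s*([A-Za-z][\w-]*)(?=\s|,|\z)/).flatten
  end
  found.map(&:downcase).select { |s| KNOWN_SCHEMES.include?(s) }.uniq
end

# True when only connection-bound handshakes (NTLM, Negotiate) are offered,
# so a client that sends only Basic or Digest credentials keeps getting 401.
def handshake_only?(schemes)
  !schemes.empty? && schemes.all? { |s| %w[ntlm negotiate].include?(s) }
end

if __FILE__ == $PROGRAM_NAME
  schemes = offered_schemes(SAMPLE_401)
  puts "offered: #{schemes.join(', ')}"
  puts 'set the authentication type explicitly' if handshake_only?(schemes)
end
```
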
