Arachni not using session cookies?

Posted by Frank on 06 Apr, 2016 07:27 PM

I'm using Arachni v1.4, and inputting cookies via a cookie-jar file.

In an effort to ensure that Arachni is crawling the entire site, I'm running the following command with --checks - to check the pages:

arachni --http-cookie-jar cookies.txt --scope-exclude-pattern=signout --scope-https-only [redacted target URL] --checks -

Upon starting, the scan is redirected from the target URL, which requires an authenticated session, to the sign in page, although the session cookies are provided in the cookie-jar:

Arachni - Web Application Security Scanner Framework v1.4
   Author: Tasos "Zapotek" Laskos <[email blocked]>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


 [~] No element audit options were specified, will audit links, forms, cookies, UI inputs, UI forms, JSONs and XMLs.

 [*] Initializing...
 [*] Preparing plugins...
 [*] ... done.
 [*] BrowserCluster: Initializing 6 browsers...
 [*] BrowserCluster: Spawned #1 with PID 9295 [lifeline at PID 9292].
 [*] BrowserCluster: Spawned #2 with PID 9318 [lifeline at PID 9315].
 [*] BrowserCluster: Spawned #3 with PID 9341 [lifeline at PID 9338].
 [*] BrowserCluster: Spawned #4 with PID 9364 [lifeline at PID 9361].
 [*] BrowserCluster: Spawned #5 with PID 9387 [lifeline at PID 9384].
 [*] BrowserCluster: Spawned #6 with PID 9410 [lifeline at PID 9407].
 [*] BrowserCluster: Initialization completed with 6 browsers in the pool.
 [~] Scheduled 302 redirection: [redacted target URL] => [redacted URL for sign page]

 [*] [HTTP: 302] [redacted target URL]
 [~] Analysis resulted in 0 usable paths.
 [~] DOM depth: 0 (Limit: 5)
...

This results in no URLs that are within the authenticated user portion of the application.

After the scan, I immediately check that the cookie-jar and session cookie are valid via a curl command. I'm not redirected, but get a successful HTTP 200:

> curl -s -b cookies.txt -D - [redacted target URL] -o /dev/null
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Wed, 06 Apr 2016 18:17:46 GMT
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Server: nginx/1.4.6 (Ubuntu)
Set-Cookie: XSRF-TOKEN=UeXxYCDVjaDmyB2jVM27Y85jil2cmTKNDw9tlHcr6ZCXStyYmLt9hnhp%2BTeM%2FPPmzzMG0xi0FljABbEn9CR5fQ%3D%3D; path=/
Set-Cookie: _course_player_session=[value elided]%3D%3D--e1546c8eea09024e6207eef0efb24d274ba9e108; path=/; HttpOnly
Status: 200 OK
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Request-Id: 6c571cf5-4a7f-4993-954c-6ede62026e78
X-Runtime: 0.087415
X-XSS-Protection: 1; mode=block
Content-Length: 16677
Connection: keep-alive

Trying to figure out if the session cookies are being sent to the target URL.

BTW - Attempted to proxy Arachni through Burp and ZAP, but was unsuccessful in the setup. I'll try again later, but in the interim, please assist.

  1. Posted by Tasos Laskos (Support Staff) on 06 Apr, 2016 07:34 PM

    Any chance the cookies are set with a subdomain like www and the URL you're passing to Arachni doesn't have it? Or vice versa?

  2. Posted by Frank on 06 Apr, 2016 09:08 PM

    The cookies are set to the full domain of the target URL.

    Example:

    Target URL = https://appname.cloud.com/user/home
    Cookie domain = appname.cloud.com

  3. Posted by Tasos Laskos (Support Staff) on 06 Apr, 2016 09:10 PM

    I'm not aware of any issues with that option, would you mind sending me the details at tasos[dot]laskos[at]gmail.com so that I can have a look?

  4. Posted by Frank on 06 Apr, 2016 11:47 PM

    Check your email.

  5. Posted by Frank on 07 Apr, 2016 06:15 AM

    I found the issue.

    I was able to proxy the Arachni requests through Burp, and noticed the size of the request was different from the request made in curl with the same headers.

    A string comparison showed the session and XSRF cookies were different.

    In the cookie-jar, the session and XSRF cookies are URL encoded. When passing the cookie-jar to Arachni, it URL encodes the cookies, so it essentially double URL encodes the session cookie.

    For example:
    pTZ%2FwseH5%2BNCRYKi63blY5GK6EwGPzB6%2B%2FMjE%2FqBktZtsn%2F6lamjlWlu5t2Tzj8iedJvIvIhBX4f7mrZhWuBkw%3D%3D

    becomes...

    pTZ%252FwseH5%252BNCRYKi63blY5GK6EwGPzB6%252B%252FMjE%252FqBktZtsn%252F6lamjlWlu5t2Tzj8iedJvIvIhBX4f7mrZhWuBkw%253D%253D

    This creates an invalid token, and hence the redirect to the login page.
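
The double encoding Frank describes, together with the cookie-domain question from post 1, as an added Ruby illustration that is not Arachni's own code: a small Netscape cookie-jar parser, an RFC 6265 domain check, and a value encoder that passes already percent-encoded values through unchanged instead of escaping the `%` a second time. The jar contents, cookie names and values are constructed samples.

```ruby
require 'cgi'

# Parse a Netscape/curl cookie jar: seven tab-separated fields per line.
# Comment and blank lines are skipped; a leading dot on the domain is dropped.
def parse_cookie_jar(text)
  text.each_line.filter_map do |line|
    line = line.chomp
    next if line.strip.empty? || line.start_with?('#')
    fields = line.split("\t")
    next unless fields.size == 7
    domain, _subdomains, path, _secure, _expires, name, value = fields
    { domain: domain.delete_prefix('.'), path: path, name: name, value: value }
  end
end

# RFC 6265 domain match: the cookie is sent when the request host equals the
# cookie domain or is a subdomain of it (the www vs. bare-host case in post 1).
def cookie_applies?(cookie, host)
  host == cookie[:domain] || host.end_with?(".#{cookie[:domain]}")
end

# A value made only of unreserved characters and well-formed %XX escapes is
# treated as already encoded and passed through; anything else gets escaped.
ALREADY_ENCODED = /\A(?:[A-Za-z0-9_.\-~]|%[0-9A-Fa-f]{2})*\z/

def encode_cookie_value(value)
  value.match?(ALREADY_ENCODED) ? value : CGI.escape(value)
end

# Build the Cookie request header for a host. The default encoder is the fixed
# one; passing CGI.method(:escape) reproduces the double-encoding bug.
def cookie_header(cookies, host, encoder: method(:encode_cookie_value))
  cookies.select { |c| cookie_applies?(c, host) }
         .map { |c| "#{c[:name]}=#{encoder.call(c[:value])}" }
         .join('; ')
end

# Constructed sample jar: values already percent-encoded, as curl stores them.
SAMPLE_JAR = <<~JAR
  # Netscape HTTP Cookie File
  appname.cloud.com\tFALSE\t/\tTRUE\t0\t_course_player_session\tpTZ%2FwseH5%2BNCRY%3D%3D
  appname.cloud.com\tFALSE\t/\tTRUE\t0\tXSRF-TOKEN\tUeXxYCDV%2BTeM%2FPP%3D%3D
JAR

if __FILE__ == $PROGRAM_NAME
  cookies = parse_cookie_jar(SAMPLE_JAR)
  puts 'buggy: ' + cookie_header(cookies, 'appname.cloud.com', encoder: CGI.method(:escape))
  puts 'fixed: ' + cookie_header(cookies, 'appname.cloud.com')
end
```

Comparing the two printed Cookie headers shows exactly the `%2F` to `%252F` change Frank found in Burp.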

  6. Posted by Tasos Laskos (Support Staff) on 07 Apr, 2016 12:56 PM

    Thanks for the info, I think I've fixed the issue and I'm now running the test suite to make sure I didn't break anything.
    If all goes well I'll push a nightly for you to test and let you know once it's up.

    Cheers

  7. Posted by Tasos Laskos (Support Staff) on 07 Apr, 2016 06:58 PM

  8. Posted by Frank on 07 Apr, 2016 08:52 PM

    OK. About to download and test it now.

  9. Posted by Frank on 07 Apr, 2016 10:23 PM

    I tested with the nightly, and it seems to no longer URL encode cookie values that are already URL encoded.

    This can be closed.

  10. Tasos Laskos closed this discussion on 08 Apr, 2016 08:10 AM.
