login_script not working with arachni_rpc
Hello,
I use the last stable version downloaded from the Arachni site. When I run locally with ./arachni my login_script works OK, but when I execute using my grid of Dispatchers it gives me an error message.
command:

    ./arachni_rpc --dispatcher-url 10.40.3.12:7331 --grid --spawn=10 --plugin=login_script:script=/opt/login_scripts/script.rb https://somesite.com/

login_script (script.rb):

    response = http.post( 'https://somesite.com/login',
        parameters:     {
            'user'     => 'xxxxxx',
            'password' => 'xxxx'
        },
        mode:           :sync,
        update_cookies: true
    )

    framework.options.session.check_url     = to_absolute( response.headers.location, response.url )
    framework.options.session.check_pattern = /Por/

error:

    [-] [ui/cli/rpc/client/instance#run:81] [Arachni::RPC::Exceptions::RemoteException] Invalid options for component: login_script
    * Invalid type: script => '/opt/login_scripts/sigac2.rb'
    * Expected type: path
Support Staff 1 Posted by Tasos Laskos on 11 Apr, 2016 06:44 PM
Hello,
First of all, using this many spawned instances is not a good idea, you'll likely cause stability issues -- and to be honest it hasn't been tested all that much, better remove that option altogether.
Secondly, the login script needs to be on the Dispatcher machine, otherwise that'd allow for people to execute arbitrary code remotely.
Cheers
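The point made in the reply above, sketched as an added Ruby example (not Arachni's code and not part of the thread): a `path` option is resolved on the machine that validates it, so a script that exists only on the client is rejected and no script body crosses the RPC channel. `validate_script_path`, `PathOptionError` and the restriction to one approved directory are assumptions made for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# Hypothetical stand-in for a Dispatcher-side option check (assumption).
# The client sends only a path string; the file must already be on this host.
class PathOptionError < StandardError; end

# Returns the canonical path when +value+ names a regular file under
# +allowed_dir+ on THIS host; raises PathOptionError otherwise.
def validate_script_path(value, allowed_dir)
  base = File.realpath(allowed_dir)
  begin
    real = File.realpath(value.to_s) # resolves symlinks and '..' segments
  rescue SystemCallError, ArgumentError
    raise PathOptionError, "not a file on this host: '#{value}'"
  end
  unless real.start_with?(base + File::SEPARATOR) && File.file?(real)
    raise PathOptionError, "outside the approved script directory: '#{value}'"
  end
  real
end

# Constructed demo: a temp directory plays the Dispatcher's script folder.
def demo
  Dir.mktmpdir do |root|
    scripts = File.join(root, 'login_scripts')
    FileUtils.mkdir_p(scripts)
    File.write(File.join(scripts, 'script.rb'), "# login steps\n")
    File.write(File.join(root, 'outside.rb'), "# not an approved script\n")

    candidates = {
      present:   File.join(scripts, 'script.rb'),         # deployed on this host
      missing:   File.join(scripts, 'only_on_client.rb'), # exists only on the client
      traversal: File.join(scripts, '..', 'outside.rb')   # escapes the directory
    }
    candidates.transform_values do |path|
      begin
        validate_script_path(path, scripts)
        :accepted
      rescue PathOptionError
        :rejected
      end
    end
  end
end

p demo
```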
2 Posted by Silvio Correia on 11 Apr, 2016 11:16 PM
Tasos,
Thanks so much for the super fast response. I'll try and send feedback. By the way, we are working to have a big grid of Arachni (more than 200 Dispatchers) for the Brazilian government. I'll be glad to share our experiences on this project and receive your mentoring.
We are integrating with Jenkins and ThreadFix, so we are going to have the Brazilian gov webapps scanned in an automated way using Arachni.
We have HP WebInspect here and the results and detection rate are so close.
cheers
Support Staff 3 Posted by Tasos Laskos on 12 Apr, 2016 07:18 AM
That sounds very interesting, please keep me in the loop (tasos[dot]laskos[at]arachni-scanner.com).
Usually people roll their own workload distribution system or reuse the one they already have for such extensive deployments, so I'd be very interested in getting some feedback on how the grid does at that level.
Cheers
4 Posted by Silvio Correia on 14 Apr, 2016 12:32 PM
Tasos,
Thanks for the response and support. I'll send you an e-mail describing our project.
cheers
Support Staff 5 Posted by Tasos Laskos on 14 Apr, 2016 12:33 PM
Looking forward to it. :)
Tasos Laskos closed this discussion on 14 Apr, 2016 12:33 PM.