login_script not working with arachni_rpc

Silvio Correia's Avatar

Silvio Correia

11 Apr, 2016 06:25 PM

Hello,

I use the last stable version downloaded from the arachni site, when I run locally with ./arachni my login_script works ok, but when I execute using my grid of dispachers it gives me a errror message.

command:

./arachni_rpc --dispatcher-url 10.40.3.12:7331 --grid --spawn=10 --plugin=login_script:script=/opt/login_scripts/script.rb 
https://somesite.com/

login_script (script.rb):


response = http.post( 'https://somesite.com/login',
        parameters:     {
            'user'   => 'xxxxxx',
            'password' => 'xxxx'
        },
        mode:           :sync,
        update_cookies: true
    )

framework.options.session.check_url     = to_absolute( response.headers.location, response.url )
framework.options.session.check_pattern = /Por/

error:

[-] [ui/cli/rpc/client/instance#run:81] [Arachni::RPC::Exceptions::RemoteException] Invalid options for component: login_script
 *  Invalid type: script => '/opt/login_scripts/sigac2.rb'
 *  Expected type: path
  1. Support Staff 1 Posted by Tasos Laskos on 11 Apr, 2016 06:44 PM

    Tasos Laskos's Avatar

    Hello,

    First of all, using this many spawned instances is not a good idea, you'll likely cause stability issues -- and to be honest it hasn't been tested all that much, better remove that option altogether.

    Secondly, the login script needs to be on the Dispatcher machine, otherwise that'd allow for people to execute arbitrary code remotely.

    Cheers

  2. 2 Posted by Silvio Correia on 11 Apr, 2016 11:16 PM

    Silvio Correia's Avatar

    Tasos,

    Thanks so much for the super fast response. I'll try and send a feedback. By the way, we are working to have a big grid of arachni (more than 200 dispachers) for the brazilian government. I'll be glad to share our experiences on this project and receive your mentoring.
    We are integreting with jenkins and threadfix, so we are going to have the brazilian gov webapps scanned in a automated way using arachni.
    We have here hp webinspect and the results and detection rate are so close.

    cheers

  3. Support Staff 3 Posted by Tasos Laskos on 12 Apr, 2016 07:18 AM

    Tasos Laskos's Avatar

    That sounds very interesting, please keep me in the loop (tasos[dot]laskos[at]arachni-scanner.com).
    Usually people roll their own workload distribution system or reuse the one they already have for such extensive deployments, so I'd be very interested in getting some feedback on how the grid does at that level.

    Cheers

  4. 4 Posted by Silvio Correia on 14 Apr, 2016 12:32 PM

    Silvio Correia's Avatar

    Tasos,

    Thanks for the response and suppport. I'll send you an e-mail describing our project.

    cheers

  5. Support Staff 5 Posted by Tasos Laskos on 14 Apr, 2016 12:33 PM

    Tasos Laskos's Avatar

    Looking forward to it. :)

  6. Tasos Laskos closed this discussion on 14 Apr, 2016 12:33 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac