Failure to authenticate due to hidden field in form submit
I've read up on what appears to be similar (http://support.arachni-scanner.com/discussions/questions/9411-arach... and http://support.arachni-scanner.com/kb/general-use/logging-in-and-ma...) but cannot see how to do this because one of the parameters I have to include is variable and changes with each GET.
I can login and authenticate just fine if I use curl with the appropriate calculated values (by analysing the returned form), so I know if I can get Arachni to do the same, it will all work fine.
The main login form has the following (trimmed as otherwise the forum tries to render it :-)):
<form action="/signin/?originalurl=%2f" method="post"><input name="__RequestVerificationToken" type="hidden" value="RP5v458ETOsbANhBUEyCuClwEUL5ddYmaDLFrBJzcGhKEyU6yfQckRnDFX161Npnjv0g4KTfPBF38apavpvWe0KanmGNJz6-nzdye5BtmCg1" >
<label for="username">Username</label>
<input type="text" maxlength="255" name="username" id="username" />
<label for="password">Password</label>
<input type="password" maxlength="127" name="password" id="password" />
etc etc. I have tried using the format
arachni https://myurl.com --plugin=autologin:url=https://myurl.com/signin,parameters="username=somebody&password=blahblah",check="Sign Off" --scope-exclude-pattern=logout
But I do not know how to craft the changing parameter as I'd have to read the form returned, extract the "__RequestVerificationToken" and insert it. This actually works fine using a shell script and curl. What I send there is something like:
curl $CURL_FLAGS https://myurl.com/signin
[code to extract the RequestVerification token]
curl $CURL_FLAGS --data "username=somebody&password=blahblah&__RequestVerificationToken=$TOKEN" https://myurl.com/signin/
I understand Arachni has CSRF capability but do not understand how to tell it to insert the additional parameter (dynamically read from the returned form) along with my username/password info when it POSTS.
Thanks for any pointers
Mike
1 Posted by Mike on 11 Jul, 2016 09:48 AM
As a temporary fix, I have used my bash+curl script to login the session, and then passed the cookie jar file to arachni with --http-cookie-jar. This works. But I would still be interested in how to pass these variable fields...
Support Staff 2 Posted by Tasos Laskos on 14 Jul, 2016 09:06 AM
Your original approach using the autologin plugin should have worked, what messages are you seeing? Also, are you sure you've specified a correct check option?
3 Posted by Mike on 15 Jul, 2016 03:05 PM
There are no error messages that I can see. I am unable to pass in this extra hidden field (as I don't know how to specify it, because it's returned to the client (arachni) as the response to the initial GET). All that happens is arachni continually tries to get the page and login, and the server refuses to login (as the full data has not been passed - the hidden field in particular) so returns the user to the main login page again. This just goes round and round and never changes.
Can you clarify: the autologin parameters I set above ... they are correct as far as you see them?
The reason I specified check as "Sign Off" is that text appears in the form page when you successfully login (I tried that manually) and does NOT appear anywhere until you have signed in. It's the sort of thing you see under a Profile name in the top corner of a signed-in site (like a forum etc).
Support Staff 4 Posted by Tasos Laskos on 15 Jul, 2016 03:39 PM
The autologin plugin doesn't just send the parameters you've specified, it uses them to fill in and submit the form, so that hidden field should be sent to the server.
I can't say what the problem is without access to the web application but for a more flexible approach please see the login_script plugin: http://support.arachni-scanner.com/kb/general-use/logging-in-and-ma...
Tasos Laskos closed this discussion on 03 Aug, 2016 02:19 PM.