autologin plugin and user-editable content

Posted by bewell on 15 Jul, 2016 06:26 AM

Hey,

I've downloaded Damn-Vulnerable-Application to test my Arachni runs and I came across an interesting detail. The autologin plugin seems to fail to log in to the application.
It's nothing fancy, two simple fields. They are found. But the plugin gets upset with the error message:
Browser: Could not fill in form input 'Login' because: Error Message => 'Element must be user-editable in order to clear it.'

My Arachni run looks like this:
./arachni http://myip/DVWA-1.9/index.php --plugin=autologin:url=http://myip/DVWA1.9/login.php,parameters="username=admin&password=password",check="Home|Logout" --checks=-active/* --output-debug=3

  1. Posted by Tasos Laskos (Support Staff) on 15 Jul, 2016 06:31 AM

    That shouldn't be a problem; non-editable inputs like hidden fields should be ignored.
    Can you please show me the entire output?

  2. Posted by bewell on 15 Jul, 2016 06:53 AM

    Sure, I'm attaching the log.

  3. Posted by bewell on 18 Jul, 2016 12:30 PM

    Found the problem. Tell me if I'm wrong:

    • Arachni tries to login, submits the form.
    • As a response it gets a 302 from /login.php that contains a redirect to the legitimate page.
    • Because Arachni takes response.url and uses it as the verifier, it takes the 302 login.php and therefore visits login.php again.
    • That page by default cannot contain the verifier, therefore the check fails and the scan is aborted.

    Can the autologin plugin take the last URL the redirect sends it to?

  4. Posted by Tasos Laskos (Support Staff) on 18 Jul, 2016 01:27 PM

    In these cases it's better to explicitly set the check URL via the --session-check-url option; you'll also need to set the --session-check-check one as well.
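The redirect problem bewell describes in post 3 and the explicit check URL Tasos recommends in post 4, modelled as an added Python example. This is not Arachni's or DVWA's code: the in-memory "server" map, the http://myip/DVWA-1.9/ URLs, the page bodies and the function names are constructed stand-ins. The model shows why checking the URL of the 302 response (login.php) fails the 'Home|Logout' verifier, while either following the redirect chain to its final page or passing an explicit check URL makes the verifier succeed.

```python
import re
from urllib.parse import urljoin

# Constructed stand-in for the DVWA login flow (assumed paths and bodies, not DVWA's real pages).
# Keys are (method, absolute URL); values are (status, headers, body).
FAKE_SERVER = {
    # Submitting the login form answers with a 302 whose body carries no verifier text.
    ("POST", "http://myip/DVWA-1.9/login.php"): (302, {"Location": "index.php"}, ""),
    # The page the redirect lands on: this is where 'Home' / 'Logout' actually appear.
    ("GET", "http://myip/DVWA-1.9/index.php"): (
        200, {},
        "<html><body><a href='index.php'>Home</a> <a href='logout.php'>Logout</a></body></html>",
    ),
    # Fetching login.php with GET just returns the login form again.
    ("GET", "http://myip/DVWA-1.9/login.php"): (
        200, {},
        "<html><body><form action='login.php' method='post'>"
        "<input name='username'><input name='password'></form></body></html>",
    ),
}

MAX_HOPS = 5  # guard against redirect loops


def follow_redirects(method, url, server=FAKE_SERVER):
    """Issue the request and follow 3xx Location headers until a non-redirect response.

    Returns (final_url, status, body, hops); hops lists every URL visited, so
    hops[0] is the URL of the first response (the 302) and hops[-1] the final page.
    """
    hops = [url]
    for _ in range(MAX_HOPS):
        status, headers, body = server[(method, url)]
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])      # Location may be relative
            method = "GET" if status in (301, 302, 303) else method
            hops.append(url)
            continue
        return url, status, body, hops
    raise RuntimeError("too many redirects")


def session_check(body, pattern):
    """Verifier in the style of the plugin's check option: the session is
    considered live when the pattern (e.g. 'Home|Logout') matches the body."""
    return re.search(pattern, body) is not None


def verify_after_login(login_url, check_pattern, check_url=None):
    """Log in, then run the verifier against a check page.

    With check_url=None the URL of the first response (the 302 from login.php)
    is used, reproducing the failure described in the thread. Passing an
    explicit check_url mirrors configuring the session-check URL by hand.
    Returns (url_checked, logged_in).
    """
    _, _, _, hops = follow_redirects("POST", login_url)
    if check_url is None:
        check_url = hops[0]           # response.url of the 302 itself, i.e. login.php
    _, _, page, _ = follow_redirects("GET", check_url)
    return check_url, session_check(page, check_pattern)


if __name__ == "__main__":
    login = "http://myip/DVWA-1.9/login.php"
    print(verify_after_login(login, "Home|Logout"))                                   # login.php, False
    print(verify_after_login(login, "Home|Logout", "http://myip/DVWA-1.9/index.php"))  # index.php, True
    final_url, _, body, hops = follow_redirects("POST", login)
    print(final_url, session_check(body, "Home|Logout"), hops)                         # index.php, True
```

The third call in the usage block is bewell's proposed alternative: take the last URL the redirect chain lands on (hops[-1]) and verify that page's body instead of the 302's own URL.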

  5. Tasos Laskos closed this discussion on 03 Aug, 2016 02:20 PM.
