login_script and web app

yuri.komarov's Avatar

yuri.komarov

02 Aug, 2016 12:55 PM

Good day!

I have problem with login script. I want login in WEB APP. On Ruby (NET::Http) auth response looks like this:

require 'uri'
require 'net/http'

url = URI("https://API_URL")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request = Net::HTTP::Post.new(url)
request["content-type"] = 'application/x-www-form-urlencoded'
request.body = "user%5Bemail%5D=XXX&user%5Bpassword%5D=XXX&remember_me=true"

response = http.request(request)
puts response.read_body

But I can't understand, how I can refactor this code snippet to Arachni Ruby syntax.

With best regards,
Me!

  1. Support Staff 1 Posted by Tasos Laskos on 02 Aug, 2016 12:58 PM

    Tasos Laskos's Avatar
  2. 2 Posted by yuri.komarov on 02 Aug, 2016 01:05 PM

    yuri.komarov's Avatar

    Of course

    Main problem for me is that APP_API Content-type is "x-www-form-urlencoded". That why i can't generate login_script.

    Now I try to use this code snippet:

    request["content-type"] = 'application/x-www-form-urlencoded'
    request.body = "user%5Bemail%5D=XXX&user%5Bpassword%5D=XXX&remember_me=true"
    
    response = http.request(request)
    
    framework.options.session.check_url = to_absolute( /auth/login, https://api.test.com )
    framework.options.session.check_pattern = /Sign Off|MY ACCOUNT/
    

    And see error in console

  3. Support Staff 3 Posted by Tasos Laskos on 02 Aug, 2016 01:08 PM

    Tasos Laskos's Avatar

    Try:

    response = http.post( 'https://API_URL',
        body:           "user%5Bemail%5D=XXX&user%5Bpassword%5D=XXX&remember_me=true",
        headers:        {
            'Content-Type' => 'application/x-www-form-urlencoded'
        }
        mode:           :sync,
        update_cookies: true
    )
    

    You may need to un-encode the :body, I'm not sure.

  4. 4 Posted by yuri.komarov on 02 Aug, 2016 02:04 PM

    yuri.komarov's Avatar
     [~] No checks were specified, loading all.
     [~] No element audit options were specified, will audit links, forms, cookies, UI inputs, UI forms, JSONs and XMLs.
    
     [*] Initializing...
     [*] Preparing plugins...
     [-] [ui/cli/framework#run:103] Invalid options for component: login_script
     *  Invalid type: script => '/root/Documents/arachni_login_script/test.xxx.com.rb'
     *  Expected type: path
    
  5. Support Staff 5 Posted by Tasos Laskos on 02 Aug, 2016 02:06 PM

    Tasos Laskos's Avatar

    You forgot the username after /home/.

  6. 6 Posted by yuri.komarov on 02 Aug, 2016 02:13 PM

    yuri.komarov's Avatar

    Oh, God... My mistake

    [~] Login script: Running the script.
     [-] [components/plugins/login_script#prepare:59] Login script: [SyntaxError] (eval):6: syntax error, unexpected tIDENTIFIER, expecting ')'
        mode:           :sync,
            ^
     [-] [components/plugins/login_script#prepare:59] Login script: /usr/share/arachni/components/plugins/login_script.rb:29:in `eval'
     [-] [components/plugins/login_script#prepare:59] Login script: /usr/share/arachni/components/plugins/login_script.rb:29:in `block in prepare'
     [-] [components/plugins/login_script#prepare:59] Login script: /usr/share/arachni/components/plugins/login_script.rb:50:in `block in prepare'
     [-] [components/plugins/login_script#prepare:59] Login script: /usr/share/arachni/lib/arachni/session.rb:322:in `login_from_sequence'
     [-] [components/plugins/login_script#prepare:59] Login script: /usr/share/arachni/lib/arachni/session.rb:245:in `block in login'
     [-] [components/plugins/login_script#prepare:59] Login script: /usr/share/arachni/lib/arachni/utilities.rb:425:in `exception_jail'
     [-] [components/plugins/login_script#prepare:59] Login script: /usr/share/arachni/lib/arachni/session.rb:244:in `login'
     [-] [components/plugins/login_script#prepare:59] Login script: /usr/share/arachni/components/plugins/login_script.rb:57:in `prepare'
     [-] [components/plugins/login_script#prepare:59] Login script: /usr/share/arachni/lib/arachni/plugin/manager.rb:67:in `block in run'
     [-] [components/plugins/login_script#prepare:59] Login script: /usr/share/arachni/lib/arachni/plugin/manager.rb:65:in `each'
     [-] [components/plugins/login_script#prepare:59] Login script: /usr/share/arachni/lib/arachni/plugin/manager.rb:65:in `run'
     [-] [components/plugins/login_script#prepare:59] Login script: /usr/share/arachni/lib/arachni/framework/parts/state.rb:348:in `prepare'
     [-] [components/plugins/login_script#prepare:59] Login script: /usr/share/arachni/lib/arachni/framework.rb:110:in `run'
     [-] [components/plugins/login_script#prepare:59] Login script: /usr/share/arachni/ui/cli/framework.rb:63:in `block in run'
     [-] [components/plugins/login_script#set_status:99] Login script: An error was encountered while executing the login script.
     [~] Login script: Aborting the scan.
     [*] ... done.
    
  7. Support Staff 7 Posted by Tasos Laskos on 02 Aug, 2016 02:14 PM

    Tasos Laskos's Avatar

    You've got a syntax error in the script, the error points you to the location.

  8. 8 Posted by yuri.komarov on 02 Aug, 2016 02:20 PM

    yuri.komarov's Avatar
    response = http.post( 'https://api.xxx.com/auth/login',
        body:           {
            'user[email]' => 'XXX',
            'user[password]' => 'XXX',
            'rember_me' => 'true'
        }
        headers:        {
            'Content-Type' => 'application/x-www-form-urlencoded'
        }
        mode:           :sync,
        update_cookies: true
    )
    
    framework.options.session.check_url     = to_absolute( response.headers.location, response.url )
    framework.options.session.check_pattern = /Sign Off|MY ACCOUNT/
    

    What the problem is? (((

  9. Support Staff 9 Posted by Tasos Laskos on 02 Aug, 2016 02:22 PM

    Tasos Laskos's Avatar

    You forgot the commas after the } in the request options.
    Also, you know you can't use the example framework.options.session options, right?
    You need to set your own.

  10. Tasos Laskos closed this discussion on 08 Aug, 2016 09:59 AM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac