Checking for a valid session using --session-check-url and --session-check-url does not work at all
I tried to give arachni a valid cookie and check if there is a valid session. But from the logs, it shows arachni was not able to use these two parameters.
arachni --http-proxy=127.0.0.1:8080 --http-cookie-jar=cookies.txt --session-check-url=https://xxxxx/account/settings/profile --session-check-pattern=">Log out<" --scope-exclude-pattern=logout,png --scope-directory-depth-limit=10 --audit-forms --report-save-path=example.com.afr https://xxxx --output-debug=1
Arachni - Web Application Security Scanner Framework v1.5.1
Author: Tasos "Zapotek" Laskos [email blocked]
(With the support of the community and the Arachni Team.)
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[~] No checks were specified, loading all.
[*] Initializing...
[*] Preparing plugins...
[*] ... done.
[*] BrowserCluster: Initializing 6 browsers...
1 Posted by jingxus on 09 Feb, 2018 04:10 AM
I thought it was not working at the beginning, but later I figured out it was checking, but it did not check the login session at the beginning; it checks in the middle of other scanning, which still does not make any sense to me.
2 Posted by bWF0dC50b3JiaW4... on 09 Feb, 2018 08:32 PM
jingxus, I noticed something with my own testing that you might find helpful. I was trying to check session with what the user would see. The problem is that in between the first POST request and our final 200 OK, there are several 302 and 304 redirects. This causes all sorts of issues for session validation.
However, what seems to be working (I'm testing now) was to find one request/response that would result in a 200 OK if a valid session is found, which doesn't necessarily have to be a visual endpoint. In our case, I found a dependency call that worked just fine. I'll let you know what happens after the scan is complete; hopefully this helps you as well.
3 Posted by jingxus on 12 Feb, 2018 08:45 PM
Yes, that would help, thank you.
My question is: when you do the session check, it will not abort if the check fails, right? It will go through all the other scanning. It is not like the session check when you use the autologin plugin. If you use the auto-login plugin, it will immediately log in and check if it succeeded. If not, it will abort.
I am expecting the same behavior when I use the cookies to do the session check, but it was different.
4 Posted by bWF0dC50b3JiaW4... on 12 Feb, 2018 09:05 PM
Of course. I'm super happy to help the community. As to your question, keeping in mind that I'm not yet a full "expert" with this software, it seems to me that the session check needs to be combined with something; in other words, the session check itself is only qualifying a boolean value, not actually trying to log in.
Assuming this to be true, then you either use the autologin plugin (which will abort if the check fails, you're right) or something like the input values and hope that the login form page gets scanned.
Please keep in mind though that the session check is dependent upon the body of the payload, not the headers. Specifically, if you only pass back headers in the url that you're using for the qualifier, this may not work. This is why we chose a dependency file and not an actual endpoint for our scans.
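Added example, not part of the thread and not Arachni code: a small pre-scan helper that rates candidate session-check URL/pattern pairs against the two points raised above (redirecting pages and header-only responses make poor checks). The `/api/ping` and `/api/me` paths, the sample responses and the rule of judging only the first response are assumptions made for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Response:
    """Constructed stand-in for one HTTP response (hypothetical, not an Arachni class)."""
    status: int
    body: str = ""


def rate_check(pattern, logged_in, logged_out):
    """Return the problems with using this URL/pattern pair as a session check."""
    rx = re.compile(pattern)
    problems = []
    if logged_in.status != 200:
        problems.append(f"valid session returns {logged_in.status}, not 200")
    if not logged_in.body:
        problems.append("valid session returns no body to match against")
    elif not rx.search(logged_in.body):
        problems.append("pattern missing from the valid-session body")
    if rx.search(logged_out.body):
        problems.append("pattern also matches without a session")
    return problems


# Constructed samples: url -> (pattern, response with session, response without).
CANDIDATES = {
    # Visual page from the original command; assumed to answer with a redirect first.
    "/account/settings/profile": (">Log out<", Response(302), Response(302)),
    # Hypothetical health endpoint: same body whether logged in or not.
    "/api/ping": ("ok", Response(200, '{"status":"ok"}'),
                  Response(200, '{"status":"ok"}')),
    # Hypothetical dependency call: 200 plus a body only with a valid session.
    "/api/me": ('"authenticated":true', Response(200, '{"authenticated":true}'),
                Response(401, '{"authenticated":false}')),
}


def usable_checks(candidates):
    """URLs whose pattern cleanly separates a valid session from none."""
    return [url for url, (pat, with_s, without_s) in candidates.items()
            if not rate_check(pat, with_s, without_s)]


if __name__ == "__main__":
    for url, (pat, with_s, without_s) in CANDIDATES.items():
        print(url, rate_check(pat, with_s, without_s) or "usable")
```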
Support Staff 5 Posted by Tasos Laskos on 04 May, 2018 09:08 AM
There's really no point for a session check with a cookie-jar; there's nothing to be done whatever the case.
But with a login script or autologin config you can use that knowledge to maintain a valid session and relogin and so on.