Authentication failed with ReacJS form

Malween Le Goffic's Avatar

Malween Le Goffic

01 Mar, 2018 10:54 AM

Hi,

I tried to scan an application with an authentication form created by Javascript (ReactJS framework). Arachni does not succeed to login to the application, gere the ruby script I used :

browser.goto 'https://***********.com/'
browser.screenshot.save('screen1.jpg')
browser.text_field(:id => 'username' ).set '****'
browser.text_field(:id => 'password' ).set '****'
browser.element(:id => 'confirm-login' ).click
browser.screenshot.save('screen2.jpg')

framework.options.session.check_url = browser.url
framework.options.session.check_pattern = 'pattern'

It's a simple authentication flow (no SSO login or Federation system). Here the logs output from Arachni :

Session: [Watir::Exception::UnknownObjectException] unable to locate element, using {:id=>"username", :tag_name=>"input or textarea", :type=>"(any text type)"}

The "screen1.jpg" does not print the authentication form, only the background of the webpage is present. I tried to add a sleep(x) or a waitForElement just after the goto but the scan does not work either.

Here the source code when I inspect the web page (with chrome/firefox):

<form id="login-form">
  <div><!-- react-empty: 5 -->
    <div>
      <div class="form-group">
        <label class="control-label h5"><span>email address</span></label>
        <div>
          <input type="email" value="" name="username" autocomplete="email" id="username" class="form-control">
        </div>
      </div>
      <div class="form-group">
        <label class="control-label w100 h5"><span>Password</span></label>
        <input type="password" value="" name="password" autocomplete="current-password" id="password" class="form-control">
      </div>
      <a class="small" href="/forget"><span>Forgot your password ?</span></a>
    </div>
  </div>
  <button id="confirm-login" type="submit" class="btn-block btn-success btn btn-primary" style="margin-top: 10px;"><span>Login</span></button>
</form>

Javascript is necessary to visit the webpage and to have access to the authentication form.

Have you an idea to fix this situation and succeed to scan this aplication ?

Regards,

  1. 1 Posted by Gordon on 20 Mar, 2018 08:36 PM

    Gordon's Avatar

    I had similar problems with my script before. Not as a fix, but rather as a suggestion, I can advise to add some sleeps commands. Try below approach and let us know if that helps
    sleep 2
    browser.goto 'https://********.com/'
    sleep 2
    browser.screenshot.save('screen1.jpg')
    browser.text_field(:id => 'username').wait_until_present
    browser.text_field(:id => 'username' ).set '
    '
    browser.text_field(:id => 'password').wait_until_present
    browser.text_field(:id => 'password' ).set '
    ***'
    browser.element(:id => 'confirm-login' ).click
    browser.screenshot.save('screen2.jpg')

    Another approach will be to check there is only one unique id of 'username' on the page.

  2. Support Staff 2 Posted by Tasos Laskos on 26 Mar, 2018 07:43 AM

    Tasos Laskos's Avatar

    That could work sometimes but this is the proper way to wait for elements: http://www.rubydoc.info/gems/watir-webdriver/Watir/Wait

Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:

»

Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac