Using Login_Script Plugin in combination with ARACHNI REST API & ARACHNI Jenkins Plugin


Andreas von Keviczky

11 Apr, 2019 04:40 PM

Hi,

I recently set up a dedicated ARACHNI Scanner to check Web Applications as part of our Software Development activities. Web Application Authentication is implemented with WebForms, so we use the ARACHNI Plugin Login_Script and a Ruby Script to execute the login. This setup works as intended when using the ARACHNI CLI.

The plan is to launch scans as part of the build chain from a Jenkins Server via the ARACHNI REST API and to store the scan reports locally in the Jenkins Workspace. This setup has been successfully deployed for an ARACHNI SCAN where the Web Application supports HTTP Basic AUTH using the ARACHNI AUTOLOGIN Plugin.

Calling the ARACHNI REST API through a Python script using an ARACHNI JSON SCAN CONFIG and ARACHNI LOGIN_SCRIPT, the SERVER returns an Error 500. I fail to collect the detailed Error Message to get a better understanding of why it fails.

My assumption is: The script configured in the Plugin Login_Script section has to reside on the ARACHNI REST API Server and the path to the script is wrong.

The question is: can you give me any advice or point me to a section / ticket / blog entry so that I can resolve my issue?

Details:
Using Arachni Version 1.5.1

FILE: test_arachni_scan.py
#!/usr/bin/env python
# See the documentation for more options in the JSON call:
# https://github.com/Arachni/arachni/wiki/REST-API

import json
import urllib2
import base64

# <REST_HOST>, <USER> and <PASSWORD> are placeholders for the values
# removed from the original post.
base_url = 'https://<REST_HOST>'
base64string = base64.b64encode('%s:%s' % ('<USER>', '<PASSWORD>'))

# LIST SCANS
req = urllib2.Request(base_url + '/scans')
req.add_header("Authorization", "Basic %s" % base64string)
req.add_header('Content-Type', 'application/json')

response = urllib2.urlopen(req)
print response.info()
html = response.read()
print html
response.close()

# START SCAN
data = json.loads(open('./arachni_configuration_file.json').read())

# The request body must be the JSON text, not the parsed dict.
req = urllib2.Request(base_url + '/scans', json.dumps(data))
req.add_header("Authorization", "Basic %s" % base64string)
req.add_header('Content-Type', 'application/json')

try:
    response = urllib2.urlopen(req)
    print response.info()
    print response.read()
    response.close()
except urllib2.HTTPError as e:
    # HTTPError is file-like: its body carries the server's error details.
    print e
    print e.info()
    print e.read()

FILE: test_login.rb
# Runs inside the Arachni login_script plugin, which provides the browser object.
# <LOGIN_URL>, <USER> and <PASSWORD> are placeholders for the values
# removed from the original post.
browser.goto '<LOGIN_URL>'

form = browser.form( name: 'loginForm' )
form.text_field( name: 'j_username' ).set '<USER>'
form.text_field( name: 'j_password' ).set '<PASSWORD>'

form.submit

FILE: arachni_configuration_file.json
{
  "url": "",
  "audit": {
    "parameter_values": true,
    "exclude_vector_patterns": [],
    "include_vector_patterns": [],
    "link_templates": [],
    "links": false,
    "forms": false,
    "cookies": false,
    "headers": false,
    "with_both_http_methods": false,
    "cookies_extensively": false,
    "jsons": true,
    "xmls": true,
    "ui_forms": true,
    "ui_inputs": true
  },
  "session": {
    "check_url": "",
    "check_pattern": "(?-mix:Welcome)"
  },
  "browser_cluster": {
    "local_storage": {},
    "wait_for_elements": {},
    "pool_size": 6,
    "job_timeout": 10,
    "worker_time_to_live": 100,
    "ignore_images": false,
    "screen_width": 1600,
    "screen_height": 1200
  },
  "http": {
    "user_agent": "Arachni/v1.5.1",
    "request_timeout": 10000,
    "request_redirect_limit": 5,
    "request_concurrency": 5,
    "request_queue_size": 100,
    "request_headers": {},
    "response_max_size": 500000,
    "cookies": {},
    "authentication_type": "auto"
  },
  "datastore": {},
  "scope": {
    "redundant_path_patterns": {},
    "dom_depth_limit": 2,
    "exclude_file_extensions": [],
    "exclude_path_patterns": [],
    "exclude_content_patterns": [],
    "include_path_patterns": [],
    "restrict_paths": [],
    "extend_paths": [],
    "url_rewrites": {},
    "page_limit": 30,
    "include_subdomains": false,
    "exclude_binaries": false,
    "https_only": false
  },
  "input": {
    "values": {},
    "without_defaults": true,
    "force": false
  },
  "checks": [
    "code_injection", "code_injection_php_input_wrapper", "code_injection_timing", "csrf",
    "file_inclusion", "ldap_injection", "no_sql_injection", "no_sql_injection_differential",
    "os_cmd_injection", "os_cmd_injection_timing", "path_traversal", "response_splitting",
    "rfi", "session_fixation", "source_code_disclosure", "sql_injection",
    "sql_injection_differential", "sql_injection_timing", "trainer", "unvalidated_redirect",
    "unvalidated_redirect_dom", "xpath_injection", "xss", "xss_dom", "xss_dom_script_context",
    "xss_event", "xss_path", "xss_script_context", "xss_tag", "xxe", "allowed_methods",
    "backdoors", "backup_directories", "backup_files", "captcha", "common_admin_interfaces",
    "common_directories", "common_files", "cookie_set_for_parent_domain", "credit_card",
    "cvs_svn_users", "directory_listing", "emails", "form_upload", "hsts", "htaccess_limit",
    "html_objects", "http_only_cookies", "http_put", "insecure_client_access_policy",
    "insecure_cookies", "insecure_cors_policy", "insecure_cross_domain_policy_access",
    "insecure_cross_domain_policy_headers", "interesting_responses", "localstart_asp",
    "mixed_resource", "origin_spoof_access_restriction_bypass", "password_autocomplete",
    "private_ip", "ssn", "unencrypted_password_forms", "webdav", "x_frame_options", "xst"
  ],
  "platforms": [
    "unix", "mysql", "pgsql", "oracle", "mongodb", "apache", "iis", "jetty", "nginx",
    "tomcat", "django", "jsf"
  ],
  "plugins": {
    "login_script": {
      "script": "./test_login.rb"
    },
    "email_notify": {
      "to": "[email blocked]",
      "cc": "[email blocked]",
      "bcc": "",
      "from": "[email blocked]",
      "server_address": "webmail.email.de",
      "server_port": "25",
      "username": "",
      "password": "",
      "domain": "email.de",
      "authentication": "",
      "report": "html"
    }
  },
  "no_fingerprinting": false,
  "authorized_by": null,
  "name": "Jenkins-Default",
  "description": "JSON Profile in use with Arachni Jenkins Plugin "
}
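An added Python 3 example, not from the post or from Arachni, showing the piece the post is missing: reading the body of an HTTP error response so a 500 comes back with the server's explanation instead of being dropped. The Arachni REST API is replaced by a constructed local stand-in whose error text is invented and whose "relative login_script path is rejected" rule mirrors the hypothesis in the post rather than any documented Arachni behaviour; the target URL, credentials and scan id are constructed too.

```python
import json
import threading
import urllib.error
import urllib.request
from base64 import b64encode
from http.server import BaseHTTPRequestHandler, HTTPServer

def post_scan(base_url, config, username, password):
    """POST a scan config to <base_url>/scans and return (status, body_text).
    On an HTTP error the body is read from the HTTPError instead of being lost."""
    req = urllib.request.Request(base_url + "/scans",
                                 data=json.dumps(config).encode(), method="POST")
    token = b64encode("{}:{}".format(username, password).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

class FakeArachni(BaseHTTPRequestHandler):
    """Constructed stand-in for the REST API: accepts the scan only when the
    login_script path is absolute (the post's hypothesis, not Arachni's rule)."""
    def do_POST(self):
        cfg = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        script = cfg.get("plugins", {}).get("login_script", {}).get("script", "")
        if script.startswith("/"):
            status, payload = 200, {"id": "constructed-scan-id"}
        else:  # invented message; the real server's text will differ
            status, payload = 500, {"error": "login script not found: " + script}
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def run_demo(script_path):
    # Start the stand-in on an ephemeral port, submit a minimal constructed config.
    srv = HTTPServer(("127.0.0.1", 0), FakeArachni)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        cfg = {"url": "http://target.example/", "plugins": {"login_script": {"script": script_path}}}
        return post_scan("http://127.0.0.1:%d" % srv.server_address[1], cfg, "user", "pass")
    finally:
        srv.shutdown()
        srv.server_close()
```

Calling run_demo("./test_login.rb") returns the 500 together with its JSON error body, while an absolute path returns 200 and the scan id.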
