Using Login_Script Plugin in combination with ARACHNI REST API & ARACHNI Jenkins Plugin
Hi,
I recently set up a dedicated ARACHNI Scanner to check Web Applications as part of our Software Development activities. Web Application Authentication is implemented with WebForms, so we use the ARACHNI Plugin Login_Script and a Ruby Script to execute the login. This setup works as intended when using the ARACHNI CLI.
The plan is to launch scans as part of the build chain from a Jenkins Server via the ARACHNI REST API and to store the scan reports locally in the Jenkins Workspace. This setup has been successfully deployed for an ARACHNI SCAN where the Web Application supports HTTP Basic AUTH, using the ARACHNI AUTOLOGIN Plugin.
Calling the ARACHNI REST API through a python script using an ARACHNI JSON SCAN CONFIG and ARACHNI LOGIN_SCRIPT, the SERVER returns an Error 500. I fail to collect the detailed Error Message, so I cannot get a better understanding of why it fails.
My assumption is: the script configured in the Plugin Login_Script section has to reside on the ARACHNI REST API Server, and the path to the script is wrong.
The question is: can you give me any advice or point me to a section / ticket / blog entry so that I can resolve my issue?
Details:
Using Arachni Version 1.5.1
FILE: test_arachni_scan.py
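#!/usr/bin/env python
# See the documentation for more options in the JSON call:
# https://github.com/Arachni/arachni/wiki/REST-API
from __future__ import print_function

import base64
import json
import urllib2

# Placeholders: the REST endpoint and its HTTP Basic credentials are
# deployment-specific. Inject them from the Jenkins credential store at
# build time instead of committing real values into this script.
SCANS_URL = 'https://<ARACHNI_REST_HOST>/scans'
REST_USERNAME = '<REST_USERNAME>'
REST_PASSWORD = '<REST_PASSWORD>'

# Scan profile posted to the REST server. NOTE(review): the `login_script`
# path inside it is most likely resolved by the REST server process, not by
# this client, so the Ruby file has to exist on that host -- confirm.
CONFIG_PATH = './arachni_configuration_file.json'


def _basic_auth_value(username, password):
    """Return the value of an HTTP Basic ``Authorization`` header."""
    return 'Basic %s' % base64.b64encode('%s:%s' % (username, password))


def _build_request(url, body=None):
    """Create a request against the REST API with auth and JSON headers set.

    ``body`` must already be a JSON-encoded string: urllib2 sends it verbatim,
    so passing a dict (as the original did) breaks the POST. ``None`` issues a
    GET, anything else a POST.
    """
    req = urllib2.Request(url, body)
    req.add_header('Authorization', _basic_auth_value(REST_USERNAME, REST_PASSWORD))
    req.add_header('Content-Type', 'application/json')
    return req


def _send(req):
    """Send ``req`` and print status line, headers and body.

    An HTTP error status (for example the 500 returned when launching the
    scan) is not re-raised: the error response is printed instead, because
    its body is where the REST server's detailed error message lives.

    Returns the response body as a string.
    """
    try:
        response = urllib2.urlopen(req)
    except urllib2.HTTPError as err:
        # HTTPError is itself a response object: its body carries the details
        # that a plain ``print(err)`` would drop.
        body = err.read()
        print(err)
        print(err.info())
        print(body)
        return body
    try:
        print(response.getcode())
        print(response.info())
        body = response.read()
        print(body)
    finally:
        response.close()
    return body


# List existing scans; this also verifies the credentials and the TLS setup.
_send(_build_request(SCANS_URL))

# START SCAN: POST the scan configuration as a JSON document.
with open(CONFIG_PATH) as config_file:
    scan_config = json.load(config_file)
_send(_build_request(SCANS_URL, json.dumps(scan_config)))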
FILE: test_login.rb
# Login script for the Arachni login_script plugin: `browser` is the browser
# object the plugin hands to this file. The login page URL and the account
# the scan runs under were left blank here -- fill them in on the scanner host.
browser.goto ''

login_form = browser.form(name: 'loginForm')
login_form.text_field(name: 'j_username').set('')
login_form.text_field(name: 'j_password').set('')
login_form.submit
FILE: arachni_configuration_file.json
{ "url": "", "audit" : { "parameter_values" : true, "exclude_vector_patterns" : [], "include_vector_patterns" : [], "link_templates" : [], "links" : false, "forms" : false, "cookies" : false, "headers" : false, "with_both_http_methods" : false, "cookies_extensively" : false, "jsons" : true, "xmls" : true, "ui_forms" : true, "ui_inputs" : true }, "session" : { "check_url" : "", "check_pattern" : "(?-mix:Welcome)" }, "browser_cluster" : { "local_storage" : {}, "wait_for_elements" : {}, "pool_size" : 6, "job_timeout" : 10, "worker_time_to_live" : 100, "ignore_images" : false, "screen_width" : 1600, "screen_height" : 1200 }, "http" : { "user_agent" : "Arachni/v1.5.1", "request_timeout" : 10000, "request_redirect_limit" : 5, "request_concurrency" : 5, "request_queue_size" : 100, "request_headers" : {}, "response_max_size" : 500000, "cookies" : {}, "authentication_type" : "auto" }, "datastore" : {}, "scope" : { "redundant_path_patterns" : {}, "dom_depth_limit" : 2, "exclude_file_extensions" : [], "exclude_path_patterns" : [], "exclude_content_patterns" : [], "include_path_patterns" : [], "restrict_paths" : [], "extend_paths" : [], "url_rewrites" : {}, "page_limit" : 30, "include_subdomains" : false, "exclude_binaries" : false, "https_only" : false }, "input" : { "values" : {}, "without_defaults" : true, "force" : false }, "checks" : [ "code_injection", "code_injection_php_input_wrapper", "code_injection_timing", "csrf", "file_inclusion", "ldap_injection", "no_sql_injection", "no_sql_injection_differential", "os_cmd_injection", "os_cmd_injection_timing", "path_traversal", "response_splitting", "rfi", "session_fixation", "source_code_disclosure", "sql_injection", "sql_injection_differential", "sql_injection_timing", "trainer", "unvalidated_redirect", "unvalidated_redirect_dom", "xpath_injection", "xss", "xss_dom", "xss_dom_script_context", "xss_event", "xss_path", "xss_script_context", "xss_tag", "xxe", "allowed_methods", "backdoors", "backup_directories", "backup_files", 
"captcha", "common_admin_interfaces", "common_directories", "common_files", "cookie_set_for_parent_domain", "credit_card", "cvs_svn_users", "directory_listing", "emails", "form_upload", "hsts", "htaccess_limit", "html_objects", "http_only_cookies", "http_put", "insecure_client_access_policy", "insecure_cookies", "insecure_cors_policy", "insecure_cross_domain_policy_access", "insecure_cross_domain_policy_headers", "interesting_responses", "localstart_asp", "mixed_resource", "origin_spoof_access_restriction_bypass", "password_autocomplete", "private_ip", "ssn", "unencrypted_password_forms", "webdav", "x_frame_options", "xst" ], "platforms" : [ "unix", "mysql", "pgsql", "oracle", "mongodb", "apache", "iis", "jetty", "nginx", "tomcat", "django", "jsf" ], "plugins" : { "login_script" : { "script": "./test_login.rb" } , "email_notify" : { "to" : "[email blocked]", "cc" : "[email blocked]", "bcc" : "", "from" : "[email blocked]", "server_address" : "webmail.email.de", "server_port" : "25", "username" : "", "password" : "", "domain" : "email.de", "authentication" : "", "report" : "html" } }, "no_fingerprinting" : false, "authorized_by" : null, "name" : "Jenkins-Default", "description" : "JSON Profile in use with Arachni Jenkins Plugin " }