Autologin Plugin Issue with Tomcat FORM Based Auth
Hi,
I have problems using autologin module.
First let me describe how to login with CURL
Use the Login URL, grab the JSESSIONID Cookie, Submit username, password to j_security_check .
Sucessful login results in a HTTP 302 Moved Temporarily
>curl http://wega:8080/WebinarDemo/protected/bla.jsp
Response
....
Set-Cookie: JSESSIONID=8B4B31984C9115FD9254F7865F90123A; Path=/WebinarDemo
...
<form method="POST" action="j_security_check">
...<input type="text" name="j_username"/>... <input type="password" name="j_password"/>
----------
Grap the JSESSIONID and POST to the form
curl -v -b JSESSIONID=8B4B31984C9115FD9254F7865F90123A http://wega:8080/WebinarDemo/protected/j_security_check
-d "j_username=chimp&j_password=chimp'
Response
< HTTP/1.0 302 Moved Temporarily
< Server: Apache-Coyote/1.1
< Location: http://wega:8080/WebinarDemo/protected/bla.jsp
----
Arachni command line in Attachment M
Arachni Debug Output in Attachment L
The 408 HTTP Code seems IMHO to indicate that the JSESSIONID Cookie is not POSTed to the j_security_check URL.
How can I tell Arachni it should honor this Cookie ???
Comments are currently closed for this discussion. You can start a new one.
Keyboard shortcuts
Generic
? | Show this help |
---|---|
ESC | Blurs the current field |
Comment Form
r | Focus the comment reply box |
---|---|
^ + ↩ | Submit the comment |
You can use Command ⌘
instead of Control ^
on Mac
1 Posted by o.flebbe on 08 Jul, 2013 01:04 PM
Added Attachment with better names....
Support Staff 2 Posted by Tasos Laskos on 08 Jul, 2013 01:55 PM
That's my mistake, I assumed that the login procedure would reset the session cookie so the original cookies (for when looking for the login form) are not stored.
Unfortunately, you won't be able use the autologin plugin for your webapp until I fix this, at least not without some more manual configuration.
You can either:
--cookie-string="JSESSIONID=<value here>"
, which will explicitly set the session cookie and will thus be present during the login procedure.Support Staff 3 Posted by Tasos Laskos on 08 Jul, 2013 02:06 PM
Fixing it now btw, if you're willing to wait for a few ours you'll be able to use the nightly build.
4 Posted by o.flebbe on 08 Jul, 2013 02:12 PM
Fine. Can wait a few days...
Support Staff 5 Posted by Tasos Laskos on 08 Jul, 2013 02:36 PM
Fix: https://github.com/Arachni/arachni/commit/15921fcc06acf66f50a97553d...
Pushing new nightlies so you can try it.
Support Staff 6 Posted by Tasos Laskos on 08 Jul, 2013 08:40 PM
Ok, grab one of these and you should be good to go:
http://downloads.arachni-scanner.com/nightlies/
Let me know how it works.
7 Posted by o.flebbe on 09 Jul, 2013 03:19 PM
Thanks, this worked around the first issue.
Now it fails because the JSESSION Cookie is changed after successful login to something different in order to provent session fixation ( This is standard tomcat and some other Java Servlet Container). arachni should use this new JSESSION Cookie for all other request (until relogin is required).
I Added a --debug log showing the problem.
#0 First Request without Cookie to FORM. o.k.
#1 Get the Cookie and Submit Cookie with Form. Result 302 get redirect. o.k.
#2 Get Page with Cookie : Result 200 and new Cookie o.k.
#3 and .... Should use Authenticated Cookie from Response #2 !
(Response from #3 gets erroneous Cookie ...)
8 Posted by o.flebbe on 09 Jul, 2013 03:23 PM
Different problem:
--cookie-string="JSESSIONID=<value here>" does only set the cookie for the first Request, not all subsequent.
Support Staff 9 Posted by Tasos Laskos on 09 Jul, 2013 03:39 PM
Should be an easy fix, I'll set all requests originating from the autologin plugin to update the framework cookies. Will update this ticket when there are some fresh nightlies for you to try out.
Support Staff 10 Posted by Tasos Laskos on 09 Jul, 2013 04:36 PM
Fix: https://github.com/Arachni/arachni/commit/8bbb12753a63dadcef639a6b5...
Pushing nightlies now.
Support Staff 11 Posted by Tasos Laskos on 09 Jul, 2013 06:29 PM
All done, give these a shot and let me know: http://downloads.arachni-scanner.com/nightlies/
12 Posted by o.flebbe on 10 Jul, 2013 06:51 AM
Thank you for your support! Works now.
Unfortunately the spider does not work as I expected and I am seriously running out of time ...
Support Staff 13 Posted by Tasos Laskos on 10 Jul, 2013 11:32 AM
I may be able to help with that, unless the links use JS or something, What did you expect? What do you need?
Support Staff 14 Posted by Tasos Laskos on 18 Jul, 2013 08:18 PM
Closing this since the autologin issue was solved. If there's anything wrong with the spider or some other component please start a new discussion.
Tasos Laskos closed this discussion on 18 Jul, 2013 08:18 PM.