Autologin Plugin Issue with Tomcat FORM Based Auth

o.flebbe

08 Jul, 2013 01:02 PM

Hi,

I have problems using the autologin module.

First let me describe how to log in with curl:
Use the login URL, grab the JSESSIONID cookie, submit username and password to j_security_check.

Successful login results in an HTTP 302 Moved Temporarily

>curl http://wega:8080/WebinarDemo/protected/bla.jsp
Response
....
Set-Cookie: JSESSIONID=8B4B31984C9115FD9254F7865F90123A; Path=/WebinarDemo
...
<form method="POST" action="j_security_check">
...<input type="text" name="j_username"/>... <input type="password" name="j_password"/>
----------
Grab the JSESSIONID and POST to the form

curl -v -b JSESSIONID=8B4B31984C9115FD9254F7865F90123A http://wega:8080/WebinarDemo/protected/j_security_check \
-d "j_username=chimp&j_password=chimp"
Response

< HTTP/1.0 302 Moved Temporarily
< Server: Apache-Coyote/1.1
< Location: http://wega:8080/WebinarDemo/protected/bla.jsp

----
Arachni command line in Attachment M

Arachni Debug Output in Attachment L

The 408 HTTP Code seems IMHO to indicate that the JSESSIONID Cookie is not POSTed to the j_security_check URL.
How can I tell Arachni it should honor this Cookie ???

  1. 1 Posted by o.flebbe on 08 Jul, 2013 01:04 PM

    Added Attachment with better names....

  2. Support Staff 2 Posted by Tasos Laskos on 08 Jul, 2013 01:55 PM

    That's my mistake, I assumed that the login procedure would reset the session cookie so the original cookies (for when looking for the login form) are not stored.
    Unfortunately, you won't be able to use the autologin plugin for your webapp until I fix this, at least not without some more manual configuration.

    You can either:

    • Try logging in using the proxy plugin.
    • Log in using curl and pass curl's cookiejar to arachni.
    • Do what you're doing but add --cookie-string="JSESSIONID=<value here>", which will explicitly set the session cookie and will thus be present during the login procedure.
  3. Support Staff 3 Posted by Tasos Laskos on 08 Jul, 2013 02:06 PM

    Fixing it now btw, if you're willing to wait for a few hours you'll be able to use the nightly build.

  4. 4 Posted by o.flebbe on 08 Jul, 2013 02:12 PM

    Fine. Can wait a few days...

  5. Support Staff 5 Posted by Tasos Laskos on 08 Jul, 2013 02:36 PM

  6. Support Staff 6 Posted by Tasos Laskos on 08 Jul, 2013 08:40 PM

    Ok, grab one of these and you should be good to go:
    http://downloads.arachni-scanner.com/nightlies/

    Let me know how it works.

  7. 7 Posted by o.flebbe on 09 Jul, 2013 03:19 PM

    Thanks, this worked around the first issue.

    Now it fails because the JSESSIONID cookie is changed after successful login to something different in order to prevent session fixation (this is standard in Tomcat and some other Java servlet containers). Arachni should use this new JSESSIONID cookie for all other requests (until relogin is required).

    I added a --debug log showing the problem.

    #0 First Request without Cookie to FORM. o.k.
    #1 Get the Cookie and Submit Cookie with Form. Result 302 get redirect. o.k.
    #2 Get Page with Cookie : Result 200 and new Cookie o.k.

    #3 and .... Should use Authenticated Cookie from Response #2 !
    (Response from #3 gets erroneous Cookie ...)

  8. 8 Posted by o.flebbe on 09 Jul, 2013 03:23 PM

    Different problem:

    --cookie-string="JSESSIONID=<value here>" only sets the cookie for the first request, not for all subsequent ones.

  9. Support Staff 9 Posted by Tasos Laskos on 09 Jul, 2013 03:39 PM

    Should be an easy fix, I'll set all requests originating from the autologin plugin to update the framework cookies. Will update this ticket when there are some fresh nightlies for you to try out.

  10. Support Staff 10 Posted by Tasos Laskos on 09 Jul, 2013 04:36 PM

  11. Support Staff 11 Posted by Tasos Laskos on 09 Jul, 2013 06:29 PM

    All done, give these a shot and let me know: http://downloads.arachni-scanner.com/nightlies/

  12. 12 Posted by o.flebbe on 10 Jul, 2013 06:51 AM

    Thank you for your support! Works now.

    Unfortunately the spider does not work as I expected and I am seriously running out of time ...

  13. Support Staff 13 Posted by Tasos Laskos on 10 Jul, 2013 11:32 AM

    I may be able to help with that, unless the links use JS or something. What did you expect? What do you need?

  14. Support Staff 14 Posted by Tasos Laskos on 18 Jul, 2013 08:18 PM

    Closing this since the autologin issue was solved. If there's anything wrong with the spider or some other component please start a new discussion.

  15. Tasos Laskos closed this discussion on 18 Jul, 2013 08:18 PM.
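
The cookie handling this thread converges on (send the pre-login JSESSIONID to j_security_check, then adopt the ID the container issues after login), shown as an added Ruby example that is not part of the original discussion and is not Arachni's code. `CookieJar`, `replay` and the session IDs are constructed for illustration; the four responses mirror steps #0 to #3 from comment 7.

```ruby
# Added example: a minimal cookie jar that honours Set-Cookie on every
# response, replayed over a constructed Tomcat FORM-auth exchange (offline).
class CookieJar
  def initialize
    @cookies = {}
  end

  # Merge every Set-Cookie header of a response; a newer value replaces the old.
  def update(headers)
    Array(headers['Set-Cookie']).each do |line|
      name, value = line.split(';', 2).first.strip.split('=', 2)
      @cookies[name] = value unless name.nil? || name.empty?
    end
    self
  end

  def [](name)
    @cookies[name]
  end

  # Value for the Cookie request header.
  def header
    @cookies.map { |k, v| "#{k}=#{v}" }.join('; ')
  end
end

# Constructed responses (session IDs are made up), in the order of comment 7:
# #0 login form, #1 POST to j_security_check, #2 redirected page, #3 next page.
RESPONSES = [
  { status: 200, headers: { 'Set-Cookie' => 'JSESSIONID=AAAA1111; Path=/WebinarDemo' } },
  { status: 302, headers: { 'Location' => '/WebinarDemo/protected/bla.jsp' } },
  { status: 200, headers: { 'Set-Cookie' => ['JSESSIONID=BBBB2222; Path=/WebinarDemo'] } },
  { status: 200, headers: {} }
].freeze

# Returns the Cookie header sent with each request and whether the session ID
# was rotated across login (the session fixation defence the thread mentions).
def replay(responses)
  jar = CookieJar.new
  sent = []
  pre_login = nil
  responses.each_with_index do |res, i|
    sent << jar.header # cookie state at the moment request #i goes out
    jar.update(res[:headers])
    pre_login = jar['JSESSIONID'] if i.zero?
  end
  { sent: sent, rotated: pre_login != jar['JSESSIONID'], final: jar['JSESSIONID'] }
end
```

A `rotated` value of `false` for a real login exchange would mean the container kept the pre-login session ID, which is the condition session fixation protection is meant to rule out.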
