Home → Questions →

Adding Custom Login Plugin to Web UI?

• Edit

Neha

08 Sep, 2015 06:06 PM

Hello,

I've seen at least one post on here that specifies using a custom plugin for logins, but that was done via cli. How can I create a plugin that's configurable or at least launchable from a Web profile or a Web UI initiated scan? Also, I'm attempting to craft a login script that submits username/password via JSON. Is there any particular approach I need to take for this? I think at this point, it looks like I can just use phantomjs's form.fill().

1. Support Staff 1 Posted by Tasos Laskos on 08 Sep, 2015 06:11 PM

   

   Hello,

   It's generally not allowed to run scripts remotely on the WebUI machine, so that feature only works via the CLI.

   About the login scripts, here are the various approaches you can take: http://support.arachni-scanner.com/kb/general-use/logging-in-and-ma...

   Let me know if you need further assistance.

   Cheers

   • Edit

2. 2 Posted by Neha on 10 Sep, 2015 06:22 PM

   

   Thank you for your response Tasos. I have attempted to get a functional login script working, but the arachni cli client seems to hang when I'm specifying my login script. Here's debug level 3 output, along with verbose ruby '-vvvv', and my login script. The login procedure never seems to complete, and there's not much information on what's happening under the hood. Any help appreciated.

   • log_3.log 112 KB
   • login_roo.rb 360 Bytes
   • Edit

3. 3 Posted by Neha on 10 Sep, 2015 06:27 PM

   

   Btw, the following CLI produced the output above:
   ruby -vvvv ./arachni https://app.dev.x.com/signin --plugin=login_script:script=../login_roo.rb --session-check-pattern=/.*/ --session-check-url="https://app.dev.dev.com/activity" --output-debug 3 > log_3.log 2>&1

   • Edit

4. Support Staff 4 Posted by Tasos Laskos on 10 Sep, 2015 06:33 PM

   

   How did you setup Arachni?
   You don't seem to be using the provided packages, and you really should be.

   Btw, better avoid the ruby -vvv flags in the future and just use --output-debug, otherwise the logs are flooded with noise and it's hard to tell what's going on.

   • Edit

5. 5 Posted by Neha on 10 Sep, 2015 06:50 PM

   

   Hello!

   I'm not using provided packages, as we're integrating arachni into our build stack - this is for the automated deployment of a scanner host. Effectively this is how arachni is built:

   git clone git@github.com:Arachni/arachni-ui-web.git src && \
   cd src && \
   git checkout -f $(FRAMEWORK_RELEASE)
   bundle install --path=./vendor

   The result is all tarred up as a tarball, and this is deployed with a persistent pgsql backend db. We have a set of ruby/rails based apps we install this way, so we don't consider the arachni app to be particularly special in this regard, and it seems to function without a login script - i.e. it will begin an unauthenticated scan of this site with no login script. I used ruby -vvvv becuase --output-debug 3 didn't seem to produce anything at all.. it just hangs forever on the alert 'Login script: Running the script.'

   Is there anyway I can get a sense of what Watir is doing? Any further debugging flags that can be used here?

   • Edit

6. Support Staff 6 Posted by Tasos Laskos on 10 Sep, 2015 07:03 PM

   

   Does the environment contain PhantomJS 1.9.2 in $PATH as phantomjs?

   • Edit

7. 7 Posted by Neha on 10 Sep, 2015 07:17 PM

   

   It does not - I've been installing the phantomjs gem instead. Let me try with the apt package, thanks for the tip!

   • Edit

8. Support Staff 8 Posted by Tasos Laskos on 10 Sep, 2015 07:28 PM

   

   In the future, if something doesn't work first try it with the official packages, that way you'll know if it's really a bug or a misconfiguration.

   Also, your login script isn't valid Ruby code:

   form.button( id:'form#login input[type=submit][value='Sign in']').click
   

   The above will produce a syntax error due to the wrong use of quotes.
   In addition, you're looking for the button using CSS, even though you're telling Watir to search by ID.

   • Edit

9. 9 Posted by Neha on 15 Sep, 2015 05:38 PM

   

   Hello,

   So. I'm still encountering issues with this. I've tried the custom script plugin and the autologin plugin. I was definitely missing a proper phantomjs, and I've installed that via apt package now. So I believe this is just a scripting issue at this point.

   For my site, there's a redirect to login page, and a basic sign-in form. The site is pretty JS heavy. When I'm not using the plugin, arachni appears to hit the login page without issue, and identifies the form parameters as a potential vectors. On auto-login, there's not workable response. With the login script, the form id is not discovered at all, and it would seem neither are the text field names. I've tried using a wait(60) after browser.goto in case this is a asynch/page load issue. No luck so far..

   • Edit

10. 10 Posted by Neha on 15 Sep, 2015 06:01 PM

    

    Apologies, I meant to attach the code the form code:

    <div id="signin">
      <form id="login" action="/signin" method="post">
        <h1><a href="/signin">Login</a></h1>
    
          <div id="login-fields-wrapper">
            <div id="login-fields">
              <input id="login_username" placeholder="username" autofocus="autofocus" tabindex="1" autocapitalize="off" autocorrect="off" autocomplete="off" class="validate-text validate-username validate-email-username" name="username" type="text" />
              <div class="error-msg">Hint: your username is separate from your email address.</div>
              <div class="password-field">
                <input id="login_password" placeholder="passphrase" tabindex="2" autocomplete="off" class="validate-text" name="password" type="password" />
                  <button id="pass-toggle" class="minor-btn" type="button" tabindex="2">show <span>pass</span></button>
              </div>
            </div>
            <input type="submit" id="signin-btn" class="submit-btn optional" value="Sign in" tabindex="3">
          </div>
    
          <div class="supplemental-links">
            <a id="reset-password" class="supplemental-link" href="/forgot-passphrase">Need to reset your passphrase?</a>
            <a id="forgot-username" class="supplemental-link" href="/forgot-username">Forgot your username?</a>
          </div>
    
        <input value="TM92uR/rMeqr9GwNzm7rUPraXZmfTvkk0IZe18VCQsU=" name="_csrf" type="hidden" />
      </form>
    </div>
    

    • Edit

11. 11 Posted by Neha on 15 Sep, 2015 07:53 PM

    

    I've tested via the nightly packages with the same login script, and in both cases the login script seems to hang. I'm going to attempt to launch the watir webdriver outside of arachni to test the script further, so I'll report back on that.

    I'm tempted to believe that the initial goto is not kicked off.. but there are no errors that the script can't find an id, or anything.. log attached.

    • arachni-phantomjs.log 6.01 KB
    • Edit

12. Support Staff 12 Posted by Tasos Laskos on 15 Sep, 2015 08:03 PM

    

    If it doesn't work in the nightlies then it's a problem, can you please send me the real login script and site URL via e-mail so that I can see what's going on?

    • Edit

13. 13 Posted by Neha on 15 Sep, 2015 08:45 PM

    

    Tasos,

    What's the best email address to reach you? I'll send asap.

    • Edit

14. Support Staff 14 Posted by Tasos Laskos on 15 Sep, 2015 08:51 PM

    

    [email blocked]

    • Edit

15. 15 Posted by Neha on 15 Sep, 2015 08:53 PM

    

    ah hm. email blocked. you can contact me at nchriss at gmail

    • Edit

16. Tasos Laskos closed this discussion on 20 Sep, 2015 07:53 AM.