Home → Questions →

Create Logon Script for Angular.js

• Edit

marcio.rocha

17 Oct, 2016 09:42 PM

Hello again Tassos, I am running the insecure application Owasp Juice Shop, which is written completely in JavaScript, in the following link there is more detail.
https://www.owasp.org/index.php/OWASP_Juice_Shop_Project

I´d like your help with creating a working logon script for this, as this would also probably help us with an internal application which is also written in Javascript, with node.js an angular.js.
I have tried all options at Logging in and maintaining a valid session page to no avail. In applications writen with other languages, i was able to make it work.

Thanks.

1. Support Staff 1 Posted by Tasos Laskos on 18 Oct, 2016 07:26 PM

   

   Have you tried the nightlies?

   • Edit

2. 2 Posted by marcio.rocha on 18 Oct, 2016 10:08 PM

   

   Yes, i have tried both stable and nightlies. I believe i has something to do with the # in the path.

   • Edit

3. 3 Posted by Aladdin on 19 Oct, 2016 06:35 AM

   

   Hey Folks

   Yes, it looks like web applications built by using those technologies are invisible for Arachni hm.. I have lots of pages but Arachni is not able to find it, only one page used as parameter with stored in code links to assets. Arachni has serious problem to crawl between pages when application base only on JS technologies hm..

   URL raised by me discussion about # issue related to using JS technologies:
   http://support.arachni-scanner.com/discussions/questions/13045-how-...

   Thanks Marcio

   • Edit

4. Support Staff 4 Posted by Tasos Laskos on 19 Oct, 2016 06:39 AM

   

   Aladdin please don't confuse the situation, these technologies should be supported.
   I haven't gotten a chance to look into your particular issues yet, but when I do I'll let you know what I find.

   • Edit

5. Support Staff 5 Posted by Tasos Laskos on 19 Oct, 2016 07:41 AM

   

   Worked for me (using nightlies):

   ./bin/arachni https://juice-shop.herokuapp.com --checks - --plugin=login_script:script=tmp/support/13047/login.rb --session-check-url=https://juice-shop.herokuapp.com/rest/basket/4 --session-check-pattern=success
   

   Login script:

   # Extract the JWT auth token and set it system-wide.
   http.on_complete do |response|
       request = response.request
       next if !request.headers['Authorization']
   
       http.headers['Authorization'] = request.headers['Authorization']
   end
   
   browser.goto 'https://juice-shop.herokuapp.com/#/login'
   
   browser.button( id: 'loginButton' ).wait_until_present( 30 )
   
   browser.text_field( id: 'userEmail' ).set '[email blocked]'
   browser.text_field( id: 'userPassword' ).set 'blah1'
   
   browser.button( id: 'loginButton' ).click
   
   browser.element( css: 'a[href="#/logout"]' ).wait_until_present
   

   • Edit

6. 6 Posted by marcio.rocha on 19 Oct, 2016 03:10 PM

   

   Thank you for the reply. I´ll try it tonight and let you know if it has also worked here.

   • Edit

7. 7 Posted by Aladdin on 20 Oct, 2016 08:08 AM

   

   Really well done Tasos. Latest nightly code was able to crawl by pages.
   Thanks for Your patience!
   Kind Regards

   • Edit

8. Support Staff 8 Posted by Tasos Laskos on 20 Oct, 2016 08:32 AM

   

   Sorry for the mixup, the previous nightly had a bug that went unnoticed.
   I fixed it yesterday.

   • Edit

9. Tasos Laskos closed this discussion on 20 Oct, 2016 08:32 AM.