How to add authentication to REST API call?

Michiel

13 Dec, 2016 04:47 PM

Hi, I am scanning a website by doing a call against the Arachni REST API.
How can I add the authentication parameters so the REST API knows how to scan with credentials against the website?
The example Python script I now have:

#!/usr/bin/env python

# see the documentation how to use more options in the JSON call
# https://github.com/Arachni/arachni/wiki/REST-API

import json
import urllib2
import subprocess

URL='http://testhtml5.vulnweb.com'
AUDIT_OPTS=['link', 'form', 'cookie', 'headers']
SCAN_OPTS=['xss*', 'sql_injection*', 'csrf']
#SCAN_OPTS=['*'] # do every check
IP=subprocess.check_output(["docker", "inspect", "-f", '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}', "webscanner"]).rstrip()
SCANNERURL="http://" + str(IP) + ":7331/scans"
data = {
        'url': URL, 'audit': {'elements': AUDIT_OPTS}, 'checks': SCAN_OPTS
}

req = urllib2.Request(SCANNERURL)
req.add_header('Content-Type', 'application/json')

response = urllib2.urlopen(req, json.dumps(data))

Thanks for your help!

Michiel

  1. Support Staff 1 Posted by Tasos Laskos on 14 Dec, 2016 10:55 AM

    It depends on the authentication type, are you talking about HTTP auth or webapp (form-based) auth?

  2. 2 Posted by Michiel on 14 Dec, 2016 11:50 AM

    Hi, this is webapp (form-based) auth.

  3. 3 Posted by Michiel on 14 Dec, 2016 11:53 AM

    To be more precise, a form with OpenID Connect auth.

  4. Support Staff 4 Posted by Tasos Laskos on 14 Dec, 2016 02:00 PM

    You need to configure either the autologin or plugin_script plugins.
    You can set plugin options with:

    {
      "plugins": {
        "autologin": {
          "url": "http://stuff.com/login",
          "parameters": "user=admin&pass=secret",
          "check": "logout"
        }
      }
    }
    
  5. 5 Posted by Michiel on 14 Dec, 2016 03:04 PM

    Ok, so add that to the data that is being posted to the REST API call?

  6. Support Staff 6 Posted by Tasos Laskos on 14 Dec, 2016 03:15 PM

    Yes, and if you need to use the login_script plugin you can configure its options in a similar fashion.
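
    Putting Tasos's two answers together, here is an added example (not code from the thread or from the Arachni project) that builds the scan request from the original post with the autologin plugin options merged in and submits it with Python 3's urllib. The scanner address, the login URL path, the form field names and the environment variable names are assumptions; the login form's fields are URL-encoded so a password containing "&", "=" or spaces cannot break the "parameters" string, and credentials are read from the environment rather than written into the script.

```python
#!/usr/bin/env python3
"""Added example: attach autologin plugin options to an Arachni REST API scan
request (POST /scans) and submit it. Not from the original thread.

Assumptions: the REST server listens at SCANNER_URL; the login form lives
at TARGET_URL + "/login" with fields "username" and "password" (placeholders
for the real field names); credentials come from SCAN_USER / SCAN_PASS.
"""
import json
import os
import urllib.request
from urllib.parse import urlencode

SCANNER_URL = "http://127.0.0.1:7331/scans"   # assumed address of the REST server
TARGET_URL = "http://testhtml5.vulnweb.com"   # target from the original post
AUDIT_OPTS = ["link", "form", "cookie", "headers"]
SCAN_OPTS = ["xss*", "sql_injection*", "csrf"]


def build_autologin_options(login_url, form_fields, check_pattern):
    """Return the 'plugins' block for the autologin plugin.

    form_fields: dict of the login form's field names and values; it is
    URL-encoded so special characters in a password cannot corrupt the
    parameter string. check_pattern: text that should appear in the
    response body once the session is logged in (e.g. a logout link).
    """
    return {
        "autologin": {
            "url": login_url,
            "parameters": urlencode(form_fields),
            "check": check_pattern,
        }
    }


def build_scan_request(target_url, audit_elements, checks, plugins):
    """Assemble the full JSON body for POST /scans, plugin options included."""
    return {
        "url": target_url,
        "audit": {"elements": audit_elements},
        "checks": checks,
        "plugins": plugins,
    }


def submit_scan(scanner_url, body):
    """POST the scan options as JSON and return the decoded reply."""
    req = urllib.request.Request(
        scanner_url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Keep credentials out of the script: read them from the environment
    # (the defaults here are placeholders, not real credentials).
    creds = {
        "username": os.environ.get("SCAN_USER", "admin"),
        "password": os.environ.get("SCAN_PASS", "secret"),
    }
    plugins = build_autologin_options(TARGET_URL + "/login", creds, "logout")
    body = build_scan_request(TARGET_URL, AUDIT_OPTS, SCAN_OPTS, plugins)
    print(json.dumps(body, indent=2))
    # Uncomment once a scanner is reachable at SCANNER_URL:
    # print(submit_scan(SCANNER_URL, body))
```

    Swapping "autologin" for "login_script" with that plugin's own options follows the same pattern: the plugin name is the key under "plugins" and its options are the value.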

  7. Tasos Laskos closed this discussion on 16 Dec, 2016 02:22 PM.
