How to add authentication to REST API call?
Hi, I am scanning a website by doing a call against the Arachni
REST API.
How can I add the authentication parameters so the REST API knows how
to scan with credentials against the website?
The example Python script I now have:
#!/usr/bin/env python
# see the documentation how to use more options in the JSON call
# https://github.com/Arachni/arachni/wiki/REST-API
import json
import urllib2
import subprocess
URL='http://testhtml5.vulnweb.com'
AUDIT_OPTS=['link', 'form', 'cookie', 'headers']
SCAN_OPTS=['xss*', 'sql_injection*', 'csrf']
#SCAN_OPTS=['*'] # do every check
IP=subprocess.check_output(["docker", "inspect", "-f", '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}', "webscanner"]).rstrip()
SCANNERURL="http://" + str(IP) + ":7331/scans"
data = {
    'url': URL,
    'audit': {'elements': AUDIT_OPTS},
    'checks': SCAN_OPTS
}
req = urllib2.Request(SCANNERURL)
req.add_header('Content-Type', 'application/json')
response = urllib2.urlopen(req, json.dumps(data))
Thanks for your help!
Michiel
Support Staff 1 Posted by Tasos Laskos on 14 Dec, 2016 10:55 AM
It depends on the authentication type, are you talking about HTTP auth or webapp (form-based) auth?
2 Posted by Michiel on 14 Dec, 2016 11:50 AM
Hi, this is webapp (form-based) auth.
3 Posted by Michiel on 14 Dec, 2016 11:53 AM
To be more precise, a form with Openid-Connect auth.
Support Staff 4 Posted by Tasos Laskos on 14 Dec, 2016 02:00 PM
You need to configure either the autologin or plugin_script plugins.
You can set plugin options with:
5 Posted by Michiel on 14 Dec, 2016 03:04 PM
Ok, so add that to the data that is being posted to the REST API call?
Support Staff 6 Posted by Tasos Laskos on 14 Dec, 2016 03:15 PM
Yes, and if you need to use the login_script plugin you can configure its options in a similar fashion.
Tasos Laskos closed this discussion on 16 Dec, 2016 02:22 PM.
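The request body discussed in this thread, as an added example that is not code from the thread or from the Arachni project: it extends the script's `data` with an `autologin` entry under `plugins`, and masks the credentials before the payload is logged. It is written for Python 3 (`urllib.request` instead of `urllib2`). The `plugins`, `autologin` (`url`, `parameters`, `check`) and `scope.exclude_path_patterns` keys are assumed from Arachni's option names and should be checked against the installed version; the host names, form field names and `SCAN_USER`/`SCAN_PASS` variables are constructed.

```python
import json
import os
import urllib.parse
import urllib.request

def build_scan_options(target, login_url, fields, logged_in_text,
                       elements=('link', 'form', 'cookie', 'headers'),
                       checks=('xss*', 'sql_injection*', 'csrf')):
    """Return the JSON-serialisable body for POST /scans with autologin set."""
    if not fields or not all(fields.values()):
        raise ValueError('login fields must all have a value')
    return {
        'url': target,
        'audit': {'elements': list(elements)},
        'checks': list(checks),
        'plugins': {'autologin': {
            'url': login_url,
            # Form inputs go in as one query-string style value, so each
            # value is percent-encoded ('&' or '=' in a password would
            # otherwise split the string in the wrong place).
            'parameters': urllib.parse.urlencode(fields),
            # Text that is only present in a logged-in response.
            'check': logged_in_text,
        }},
        # Assumed option: keep the crawler away from the logout link.
        'scope': {'exclude_path_patterns': ['logout']},
    }

def build_request(scanner_url, options):
    """Build (but do not send) the POST request for the scanner."""
    body = json.dumps(options).encode('utf-8')
    return urllib.request.Request(
        scanner_url, data=body, method='POST',
        headers={'Content-Type': 'application/json'})

def redacted(options):
    """Deep copy of options with credential values masked, for logging."""
    copy = json.loads(json.dumps(options))
    plugin = copy['plugins']['autologin']
    pairs = urllib.parse.parse_qsl(plugin['parameters'], keep_blank_values=True)
    plugin['parameters'] = '&'.join(name + '=***' for name, _ in pairs)
    return copy

if __name__ == '__main__':
    # Constructed sample values; real credentials come from the environment.
    fields = {'username': os.environ.get('SCAN_USER', 'demo'),
              'password': os.environ.get('SCAN_PASS', 'p@ss&word')}
    opts = build_scan_options('http://app.example.test/',
                              'http://app.example.test/login', fields, 'Sign out')
    req = build_request('http://127.0.0.1:7331/scans', opts)
    print(req.get_method(), req.full_url)
    print(json.dumps(redacted(opts), indent=2))
```

Passing the request to `urllib.request.urlopen(req)` submits the scan; the REST API in the original script listens over plain HTTP on port 7331, so the credentials in the body are only as protected as that network path.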