How to pass cookies file to REST API

khalidh

22 Feb, 2017 07:30 AM

Hi,

I am new to arachni,

How do I pass a cookies file to the REST API to maintain the login session? I am following: https://github.com/Arachni/arachni/wiki/REST-API#example-client

  1. Posted by Tasos Laskos (Support Staff) on 22 Feb, 2017 01:50 PM

    Hello,

    It's better to use either the login_script or the autologin plugin, and don't forget to exclude logout URLs and such.

    For example:

    plugins : { "login_script" : { "script": "/path/my_login_script.rb" } }
    
  2. Posted by khalidh on 23 Feb, 2017 08:50 AM

    I have a cookies.txt and a cookies.jar (Netscape); I have to pass the cookies to maintain a valid session.

    In login_script we have to pass a username and password. I have to pass only a cookies file; how can I achieve that?

  3. Posted by Tasos Laskos (Support Staff) on 23 Feb, 2017 10:41 AM

    You can use the following option:

    {
        "http": {
            "cookie_string": "my_cookie=my_value; Path=/, other_cookie=other_value; Path=/test"
        }
    }
    

    Passing cookies will not maintain the session, i.e., if you get logged out the scanner won't be able to relogin.

  4. Posted by khalidh on 23 Feb, 2017 11:22 AM

    I added the code to the `id = post( '/scans', ... )` call from https://github.com/Arachni/arachni/wiki/REST-API#example-client like this:

    id = post( '/scans',
        url:    'http://testfire.net',
    
        # Only scan a few pages.
        scope: {
            page_limit: 'inf'
        },
    {
        "http": {
            "cookie_string": "my_cookie=my_value; Path=/, other_cookie=other_value; Path=/test"
        }
    }
        audit: {
            elements: ['link', 'form']
        },
    
        # Load all checks.
        checks: ['-xss','-sql_injection']
    )['id']
    

    Changed to:

    http: {
        cookie_string: ['ASP.NET_SessionId=dsbthj45ysk5xzesptffrs45; Path='http://testfire.net/']
    },
    

    I tried different variations of the code, but it will not work.

  5. Posted by Tasos Laskos (Support Staff) on 24 Feb, 2017 11:17 AM

    My example was in JSON, you need this:

    http: {
        cookie_string: 'ASP.NET_SessionId=dsbthj45ysk5xzesptffrs45; Path='http://testfire.net/'
    }
    

    Also, I don't see you excluding logout resources, which means you'll probably get immediately logged out.

    You can do it like so:

    scope: {
        exclude_path_patterns: ['logout']
    }
    
  6. Posted by khalidh on 25 Feb, 2017 06:53 AM

    Hi, I tried it but it won't work for me.
    Your code gives the error "arachnitest.rb:73: syntax error, unexpected tIDENTIFIER, expecting '}' ...avfmbypmxfnbw22fr55; Path='http://testfire.net'".
    I tried different ways, but no luck:

    http: {
        cookie_string: 'ASP.NET_SessionId=lun2kavfmbypmxfnbw22fr55;', 'Path=http://testfire.net/bank/login.aspx'
    },
    
    and

    http: {
        cookie_string: 'ASP.NET_SessionId=lun2kavfmbypmxfnbw22fr55; Path=http://testfire.net'
    },

    Please check my attached script.
  7. Posted by khalidh on 27 Feb, 2017 12:39 PM

    I have tried different code samples for cookie_string but no luck. Please help.

  8. Posted by Tasos Laskos (Support Staff) on 27 Feb, 2017 12:58 PM

    You're not loading any checks, and there's no 'inf' value for the page_limit option; you don't need to specify it at all.

    I'm sick at the moment but I'll take a closer look when I feel better.
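
    The following is an added example written for this page; it is not code from the thread or from the Arachni project. It covers what posts 3, 5 and 8 ask for in one place: it parses khalidh's Netscape-format cookies.txt (the content here is constructed), keeps only the cookies a browser would actually send to the target (right host, not expired, Secure cookies only over https, with the curl/wget `#HttpOnly_` prefix handled rather than treated as a comment), builds the `http.cookie_string` value, and assembles the options hash that goes into the `post( '/scans', ... )` call of the wiki example client, with the logout exclusion from post 5 and explicitly named checks instead of the `-`-prefixed exclusions post 8 points out. Assumptions: `cookie_string` is emitted in the plain Cookie request-header form `name=value; name2=value2` (check this against the `--http-cookie-string` help of your Arachni version, since post 3 shows a form that carries attributes); `xss` and `sql_injection` are used as check names; the HTTP call to the REST server is left out so the script runs offline. The helper names (`parse_netscape_cookie_jar`, `cookies_for`, `cookie_string`, `scan_options`) are mine.

```ruby
require 'json'
require 'uri'

# Constructed Netscape cookie jar standing in for the user's cookies.txt (not real data).
# Fields are tab-separated: domain, include_subdomains, path, secure, expiry
# (unix time, 0 = session cookie), name, value. Lines starting with '#' are
# comments, except the curl/wget '#HttpOnly_' domain prefix, which marks an
# HttpOnly cookie and must not be dropped as a comment.
SAMPLE_COOKIE_JAR = <<~JAR
  # Netscape HTTP Cookie File
  #HttpOnly_testfire.net\tFALSE\t/\tFALSE\t0\tASP.NET_SessionId\tlun2kavfmbypmxfnbw22fr55
  .testfire.net\tTRUE\t/\tFALSE\t2000000000\tamSessionId\t123456789
  .testfire.net\tTRUE\t/\tFALSE\t1000000000\tstale\texpired-long-ago
  www.example.org\tFALSE\t/\tFALSE\t0\tother\tnot-for-this-host
JAR

JarCookie = Struct.new(:domain, :include_subdomains, :path, :secure, :expires,
                       :name, :value, :http_only)

# Parse the Netscape format into JarCookie structs. Malformed lines are skipped
# rather than guessed at: a half-parsed cookie would silently break the session.
def parse_netscape_cookie_jar(text)
  text.each_line.map do |raw|
    line = raw.chomp
    http_only = line.start_with?('#HttpOnly_')
    line = line.delete_prefix('#HttpOnly_') if http_only
    next if line.strip.empty? || line.start_with?('#')
    fields = line.split("\t")
    next unless fields.size == 7
    domain, subs, path, secure, expires, name, value = fields
    JarCookie.new(domain, subs == 'TRUE', path, secure == 'TRUE',
                  expires.to_i, name, value, http_only)
  end.compact
end

# Netscape domain matching: a leading dot (or the include_subdomains flag) lets
# the cookie apply to subdomains; otherwise the host must match exactly.
def domain_matches?(cookie, host)
  domain = cookie.domain.delete_prefix('.')
  return true if host == domain
  (cookie.include_subdomains || cookie.domain.start_with?('.')) &&
    host.end_with?(".#{domain}")
end

# Cookies a browser would send to url: right host, not expired, Secure only
# over https. Exporting expired or wrong-host cookies is the usual reason a
# "valid" session does not work once handed to a scanner. (Path scoping is
# left to the scanner, since the string applies to the whole scan.)
def cookies_for(jar_text, url, now: Time.now)
  uri = URI.parse(url)
  parse_netscape_cookie_jar(jar_text).select do |c|
    domain_matches?(c, uri.host) &&
      (c.expires.zero? || c.expires > now.to_i) &&
      (!c.secure || uri.scheme == 'https')
  end
end

# Value for the http.cookie_string option, assumed here to take the plain
# Cookie request-header form "name=value; name2=value2".
def cookie_string(jar_text, url, now: Time.now)
  cookies_for(jar_text, url, now: now).map { |c| "#{c.name}=#{c.value}" }.join('; ')
end

# Options hash for POST /scans. The logout exclusion matters: a cookie-only
# session cannot be re-established by the scanner, so the first crawled
# logout link would otherwise end authenticated access for the whole scan.
def scan_options(url, jar_text, logout_patterns: ['logout'], now: Time.now)
  {
    url: url,
    http: { cookie_string: cookie_string(jar_text, url, now: now) },
    scope: { exclude_path_patterns: logout_patterns },
    audit: { elements: %w[link form] },
    checks: %w[xss sql_injection] # check names, not '-' exclusions, so something loads
  }
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(scan_options('http://testfire.net', SAMPLE_COOKIE_JAR))
end
```

    To use it with the wiki client, read your real cookies.txt with `File.read` in place of `SAMPLE_COOKIE_JAR` and pass the returned hash as the argument to `post( '/scans', ... )`; the cookie_string is built once, so refresh the export if the session expires mid-scan.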

  9. Tasos Laskos closed this discussion on 10 Mar, 2017 01:46 PM.
