Cookies escaped in login_script


Lukas

28 Mar, 2017 02:57 PM

Hello,

I am trying to implement a login script which simply logs into a form and sets the needed cookies accordingly.

The script is working and the browser logs in successfully, but the subsequent requests seem not to be able to authenticate against the site. The problem, however, seems to be that the cookie returned from the server contains unencoded + characters. These characters are encoded to %20 (spaces) somewhere in the process.
As a result the cookies used to authenticate against the server are not valid, as they contain spaces instead of +.
I also tried to set the HTTP request cookie header manually within the login script, but it appears to be overridden by the other login script cookie which gets written into the cookie jar, if I am not mistaken.

framework.options.http.request_headers['Cookie'] = "cookiename=somevalue"
Already replicated on the nightlies.

Any ideas how to solve this?

Thanks
Lukas

  1. Support Staff 1 Posted by Tasos Laskos on 29 Mar, 2017 03:14 PM


    Would it be possible to send me the login script in private with some demo credentials so that I can try to debug this?

  2. 2 Posted by Lukas on 05 Apr, 2017 07:36 AM


    Sorry for my late response, I had a busy week.
    Unfortunately I can't provide you with the actual application, but I built a dummy web server to replicate the problem. I will provide it and the script as soon as I finish it.

    Thanks
    Lukas

  3. 3 Posted by Lukas on 05 Apr, 2017 08:56 AM


    Ok so,
    I made a dummy node application, which should replicate the problem.
    The login page is under localhost:3000/login
    When I use my script, it logs in correctly and sets cookies (you can see in the logs that it logs the cookie string as 'user authenticated' instead of 'user+authenticated').

    However, this seems not to be the problem, as all the subsequent requests from Arachni contain the + in the cookies. And I tested it without the + sign in the cookie string, but it did not work either.
    Arachni seems not to use these cookies to scan the sitemap. It just uses variations of the value to try to inject some stuff on the site, but it gets a 401 on the index page.

    I am thinking maybe my script is just wrong?

    The script is also in the root folder of the repository.

    Thanks

  4. 4 Posted by Lukas on 05 Apr, 2017 08:57 AM
  5. Support Staff 5 Posted by Tasos Laskos on 06 Apr, 2017 01:16 PM


    Thanks a lot for setting this up, I'll look into it and let you know.

    Cheers

  6. 6 Posted by Lukas on 25 Apr, 2017 08:52 AM


    Hey, just wanted to check in and ask if there's any news on the issue. I may revisit the problem this week and let you know if I find out more.

  7. Support Staff 7 Posted by Tasos Laskos on 26 Apr, 2017 08:53 AM


    Sorry I've been a little preoccupied, I'll have a look at it soon.

  8. Support Staff 8 Posted by Tasos Laskos on 29 Apr, 2017 11:22 AM


    I don't have much experience with NodeJS, I just run the executable under bin/ and that's it?

  9. 9 Posted by Lukas on 29 Apr, 2017 12:21 PM


    Sorry that I used Node then.

    You have to have nodejs installed, then execute npm install in this directory and then npm run start.

    Hope this helps

  10. Support Staff 10 Posted by Tasos Laskos on 01 May, 2017 11:28 AM


    No worries.

    Turns out it's the URLs you're using inside the script, you can't use localhost or any other loopback interface as they're reserved, which is why they're not allowed as scan targets in the first place.

    I changed it to a hostname and it worked.
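    As an added example (my own code, not Arachni's and not the login script from this thread), a small Ruby check for the mistake pointed out above: it flags login-script URLs whose host is "localhost" or a loopback literal before a scan is started, so the script author can swap them for a real hostname. The URL list is constructed sample data, and the rule the check applies (the name "localhost", 127.0.0.0/8 and ::1, without DNS resolution) is my assumption, not a description of the scanner's own target validation.

```ruby
require 'uri'
require 'ipaddr'

# Constructed sample: URLs as they might appear in a login script.
# Only the last one points at a real hostname.
SCRIPT_URLS = [
  'http://localhost:3000/login',
  'http://127.0.0.1:3000/login',
  'http://[::1]:3000/login',
  'http://demo.example.test:3000/login'
].freeze

# True when the URL's host is the name "localhost" or a loopback
# literal (127.0.0.0/8 or ::1). Hostnames are not resolved, so a DNS
# name that happens to point at loopback is not detected here.
def loopback_url?(url)
  host = URI.parse(url).hostname    # strips the [] around IPv6 literals
  return false if host.nil?
  return true if host.casecmp?('localhost')
  IPAddr.new(host).loopback?
rescue IPAddr::InvalidAddressError, URI::InvalidURIError
  false                             # a DNS name, not an address literal
end

# Returns the subset of URLs that need replacing with a hostname before
# the script is used with a scanner that rejects loopback targets.
def loopback_urls(urls)
  urls.select { |u| loopback_url?(u) }
end

if __FILE__ == $PROGRAM_NAME
  loopback_urls(SCRIPT_URLS).each { |u| puts "loopback target: #{u}" }
end
```

    Running the file lists the three loopback URLs and stays silent for demo.example.test; the same check can be run over every URL a login script touches, not only the login page.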

  11. 11 Posted by Lukas on 10 May, 2017 02:54 PM


    Hey,
    you were right with my demo application, the problem really was the hostname. Sadly
    this does not apply to my production application. The problem persisted.

    I took some time to dive into the arachni source code and tried to find the source of
    the problem.

    I added output every time the cookie_jar is updated.

    During the login script the cookie jar is updated 2 times.

    Once when the login sequence is recorded and once when it is executed for login.

    When I scan my application it retrieves the correct cookies, but somehow retrieves
    the session cookie 2 times, one time in the correct format (with +) and one time
    urlencoded (+ become %20 ).

    I used a kind of hacky approach and edited the cookie jar update method. I check if
    a cookie has the correct name and then replace every %20 in its value with +.

    This actually made my scan work. Sadly this is unfortunately no permanent solution. As
    my knowledge of ruby is quite limited I am not really sure where the source of the problem
    could be exactly.

    Maybe you know more?

    Anyway thanks for your help so far!
    Lukas
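    An added Ruby example, not code from this thread or from Arachni, that reproduces the encoding chain described in the post above (+ becomes a space under form decoding, the space becomes %20 under percent-encoding) and turns the described cookie-jar workaround into functions that can be checked. The Set-Cookie header, the jar entries and the cookie name "session" are constructed sample data; parse_set_cookie, repair_plus, dedupe_jar and cookie_header are hypothetical helper names, not Arachni's cookie-jar API.

```ruby
require 'uri'
require 'erb'

# Constructed sample data: the Set-Cookie header a server might send,
# and a cookie jar holding the two session entries described in the
# thread (one intact, one with '+' rewritten as '%20').
RAW_SET_COOKIE = 'session=user+authenticated; Path=/; HttpOnly'.freeze
JAR_ENTRIES = [
  { name: 'session', value: 'user+authenticated' },
  { name: 'session', value: 'user%20authenticated' },
  { name: 'theme',   value: 'dark' }
].freeze

# Minimal Set-Cookie parser. The value is stored verbatim: to a client
# a cookie value is an opaque string, so decoding it is never required.
def parse_set_cookie(header)
  pair, *attributes = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  { name: name, value: value, attributes: attributes }
end

# Reproduces the corruption chain the thread describes: form decoding
# turns '+' into a space, and percent-encoding then writes that space
# as '%20'. Any such decode/encode round trip alters the cookie value.
def form_roundtrip(value)
  decoded = URI.decode_www_form_component(value)  # '+' -> ' '
  ERB::Util.url_encode(decoded)                   # ' ' -> '%20'
end

# The workaround described in the thread, as a function (hypothetical,
# not Arachni's code): for one named cookie, put '+' back wherever '%20'
# was written. This is a targeted repair, only safe when the genuine
# value can never contain a literal '%20'.
def repair_plus(cookie, name: 'session')
  return cookie unless cookie[:name] == name
  cookie.merge(value: cookie[:value].gsub('%20', '+'))
end

# Repair the named cookie across the jar, then drop duplicates so a
# single session cookie remains.
def dedupe_jar(entries, name: 'session')
  entries.map { |c| repair_plus(c, name: name) }.uniq
end

# Build the Cookie request header from the jar, values verbatim.
def cookie_header(entries)
  entries.map { |c| "#{c[:name]}=#{c[:value]}" }.join('; ')
end

if __FILE__ == $PROGRAM_NAME
  puts "server set:      #{parse_set_cookie(RAW_SET_COOKIE)[:value]}"
  puts "after roundtrip: #{form_roundtrip('user+authenticated')}"
  puts "Cookie header:   #{cookie_header(dedupe_jar(JAR_ENTRIES))}"
end
```

    The design point is that a client should compare and replay cookie values exactly as the server sent them; form_roundtrip shows why even one decode/encode pass is lossy for values containing '+'. The repair function is the same kind of targeted patch as the one described in the post, and carries the same limitation: it is correct only while the real session value never legitimately contains "%20".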

  12. Support Staff 12 Posted by Tasos Laskos on 12 May, 2017 12:39 PM


    Unfortunately it's impossible for me to fix this without a reproducible case.

  13. 13 Posted by Lukas on 17 May, 2017 10:18 AM


    Hey,
    I managed to work around the "bug" from the login script, so I can use it without modifying the Arachni source. This should be good enough.

    Also thanks a lot for your help.

  14. Support Staff 14 Posted by Tasos Laskos on 18 May, 2017 01:19 PM


    No problem, glad to hear it.

  15. Tasos Laskos closed this discussion on 18 May, 2017 01:19 PM.
