Cookies escaped in login_script
Hello,
I am trying to implement a login script which simply logs into a form and sets the needed cookies accordingly.
The script is working and the browser logs in successfully, but the subsequent requests seem not to be able to authenticate against the site. The problem, however, seems to be that the cookie returned from the server contains unencoded + characters. These characters are encoded to %20 (spaces) somewhere in the process.
As a result the cookies used to authenticate against the server are not valid, as they contain spaces instead of +.
I also tried to set the HTTP request cookie header manually within the login script, but it appears to be overridden by the other login script cookie which gets written into the cookie jar, if I am not mistaken.
framework.options.http.request_headers['Cookie'] = "cookiename=somevalue"
Already replicated on the nightlies.
Any ideas how to solve this?
Thanks
Lukas
Support Staff 1 Posted by Tasos Laskos on 29 Mar, 2017 03:14 PM
Would it be possible to send me the login script in private with some demo credentials so that I can try to debug this?
2 Posted by Lukas on 05 Apr, 2017 07:36 AM
Sorry for my late response, I had a busy week.
Unfortunately I can't provide you with the actual application, but I built a dummy web server to replicate the problem. I will provide it and the script as soon as I finish it.
Thanks
Lukas
3 Posted by Lukas on 05 Apr, 2017 08:56 AM
Ok so,
I made a dummy node application, which should replicate the problem.
The login page is under localhost:3000/login
When I use my script, it logs in correctly and sets cookies (you can see in the logs that it logs the cookie string as 'user authenticated' instead of 'user+authenticated').
However, this seems not to be the problem, as all the subsequent requests from arachni contain the + in the cookies. And I tested it without the + sign in the cookie string, but it did not work either.
Arachni seems not to use these cookies to scan the sitemap. It just uses variations of the value to try to inject some stuff on the site, but it gets a 401 on the index page.
I am thinking maybe my script is just wrong?
The script is also in the root folder of the repository.
Thanks
4 Posted by Lukas on 05 Apr, 2017 08:57 AM
Oh, and the application is here:
https://github.com/lukasstanek/arachni_login_test
Support Staff 5 Posted by Tasos Laskos on 06 Apr, 2017 01:16 PM
Thanks a lot for setting this up, I'll look into it and let you know.
Cheers
6 Posted by Lukas on 25 Apr, 2017 08:52 AM
Hey, just wanted to check in and ask if there's any news on the issue. I may revisit the problem this week and let you know if I find out more.
Support Staff 7 Posted by Tasos Laskos on 26 Apr, 2017 08:53 AM
Sorry I've been a little preoccupied, I'll have a look at it soon.
Support Staff 8 Posted by Tasos Laskos on 29 Apr, 2017 11:22 AM
I don't have much experience with NodeJS, I just run the executable under bin/ and that's it?
9 Posted by Lukas on 29 Apr, 2017 12:21 PM
Sorry that I used node then.
You have to have nodejs installed, then execute npm install in this directory and then npm run start.
Hope this helps
Support Staff 10 Posted by Tasos Laskos on 01 May, 2017 11:28 AM
No worries.
Turns out it's the URLs you're using inside the script: you can't use localhost or any other loopback interface as they're reserved, which is why they're not allowed as scan targets in the first place. I changed it to a hostname and it worked.
11 Posted by Lukas on 10 May, 2017 02:54 PM
Hey,
you were right with my demo application, the problem really was the hostname. Sadly this does not apply to my production application. The problem persisted.
I took some time to dive into the arachni source code and tried to find the source of the problem.
I printed output every time the cookie_jar is updated.
During the login script the cookie jar is updated 2 times. Once when the login sequence is recorded and once when it is executed for login.
When I scan my application it retrieves the correct cookies, but somehow retrieves the session cookie 2 times, one time in the correct format (with +) and one time urlencoded (+ becomes %20).
I used a kind of hacky approach and edited the cookie jar update method. I check if a cookie has the correct name and then replace every %20 in its value with +.
This actually made my scan work. Sadly, this is unfortunately not a permanent solution. As my knowledge of ruby is quite limited, I am not really sure where the source of the problem could be exactly.
Maybe you know more?
Anyway, thanks for your help so far!
Lukas
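The symptom described in this post (a session cookie whose literal + turns into a space and is then re-emitted as %20) is what happens when a Set-Cookie value is run through an application/x-www-form-urlencoded decoder instead of a plain percent decoder. The following Ruby script is an added illustration written for this thread; it is not Arachni's code and does not use its API. The Set-Cookie header and the "session" cookie name are constructed for the demo, and plus_safe is a hypothetical normalisation a login script could apply before handing a value to a jar that form-decodes.

```ruby
require 'uri'

# Constructed Set-Cookie header mirroring the value quoted in the thread
# (not captured from the real application).
SAMPLE_SET_COOKIE = 'session=user+authenticated; Path=/; HttpOnly'

# Percent-decode only: '+' is an ordinary byte in a cookie value (RFC 6265),
# so this is the decoder a cookie jar should use.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Form decode: the application/x-www-form-urlencoded rules turn '+' into a
# space. Applying this to a cookie value is the root cause of the symptom.
def form_decode(str)
  URI.decode_www_form_component(str)
end

# Split a Set-Cookie header into name, decoded value and attribute list,
# using whichever decoder is handed in so the two behaviours can be compared.
def parse_set_cookie(header, decoder)
  name_value, *attributes = header.split(/;\s*/)
  name, value = name_value.split('=', 2)
  { name: name, value: decoder.call(value), attributes: attributes }
end

# Octets that may not appear raw in a cookie-value: CTLs, space, DQUOTE,
# comma, semicolon and backslash. Anything else (including '+') is sent as-is.
COOKIE_VALUE_FORBIDDEN = /[\x00-\x20\x7F",;\\]/

# Re-encode only the forbidden octets when a stored value goes back on the wire.
def cookie_value_encode(value)
  value.gsub(COOKIE_VALUE_FORBIDDEN) { |c| format('%%%02X', c.ord) }
end

# Full round trip: server value -> jar (decoded) -> Cookie request header.
# With form_decode the space is re-encoded as %20, which is the broken value
# the thread describes; with percent_decode the original '+' survives.
def wire_value(set_cookie_value, decoder)
  cookie_value_encode(decoder.call(set_cookie_value))
end

# Hypothetical login-script normalisation: encode '+' as %2B before storing,
# so a form-decoding jar and a percent-decoding jar both recover the literal '+'.
def plus_safe(value)
  value.gsub('+', '%2B')
end

if __FILE__ == $PROGRAM_NAME
  raw = parse_set_cookie(SAMPLE_SET_COOKIE, method(:percent_decode))[:value]
  puts "server sent:          #{raw}"
  puts "form-decoded jar:     #{wire_value(raw, method(:form_decode))}"
  puts "percent-decoded jar:  #{wire_value(raw, method(:percent_decode))}"
  puts "plus_safe + form jar: #{wire_value(plus_safe(raw), method(:form_decode))}"
end
```

Running the script prints the mangled user%20authenticated for the form-decoding path and user+authenticated for the percent-decoding path, which is the two-copies-of-one-cookie situation the post observes. The practical takeaway for a login script is to avoid depending on which decoder the jar applies: either check the value that actually lands in the jar against what the server sent, or pre-encode + as %2B so both decoders agree.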
Support Staff 12 Posted by Tasos Laskos on 12 May, 2017 12:39 PM
Unfortunately it's impossible for me to fix this without a reproducible case.
13 Posted by Lukas on 17 May, 2017 10:18 AM
Hey,
I managed to work around the "bug" from the login script, so I can use it without modifying the arachni source. This should be good enough.
Also thanks a lot for your help.
Support Staff 14 Posted by Tasos Laskos on 18 May, 2017 01:19 PM
No problem, glad to hear it.
Tasos Laskos closed this discussion on 18 May, 2017 01:19 PM.