[Arachni::Session::Error::FormNotFound]
Evaluating arachni and seeing the following errors. Is it having an issue maintaining its session with the site? I'm seeing this error pop up about every 45-60 minutes. The first time it came up was about 30 minutes after starting the scan.
[2017-08-24 15:08:29 -0400] [Arachni::Session::Error::FormNotFound] Login form could not be found with: {:url=>"https://server-url/directory/Default.aspx", :inputs=>{"ctl00$LoginView1$Login1$UserName"=>"username", "ctl00$LoginView1$Login1$Password"=>"password"}}
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/session.rb:356:in `login_from_configuration'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/session.rb:245:in `block in login'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `call'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `exception_jail'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/session.rb:244:in `login'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/session.rb:204:in `block in ensure_logged_in'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/session.rb:203:in `times'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/session.rb:203:in `ensure_logged_in'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/framework/parts/audit.rb:221:in `audit_queues'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/rpc/server/framework/multi_instance.rb:222:in `audit_queues'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/framework/parts/audit.rb:202:in `block in audit'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/framework/parts/audit.rb:177:in `loop'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/framework/parts/audit.rb:177:in `audit'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/framework.rb:117:in `block in run'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `call'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `exception_jail'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/framework.rb:117:in `run'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/rpc/server/framework.rb:156:in `block in run'
[2017-08-24 15:08:29 -0400]
[2017-08-24 15:08:29 -0400] Parent:
[2017-08-24 15:08:29 -0400] Arachni::Session
[2017-08-24 15:08:29 -0400]
[2017-08-24 15:08:29 -0400] Block:
[2017-08-24 15:08:29 -0400] #<Proc:0x000000100ea3e8@C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/session.rb:244>
[2017-08-24 15:08:29 -0400]
[2017-08-24 15:08:29 -0400] Caller:
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `exception_jail'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/session.rb:244:in `login'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/session.rb:204:in `block in ensure_logged_in'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/session.rb:203:in `times'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/session.rb:203:in `ensure_logged_in'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/framework/parts/audit.rb:221:in `audit_queues'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/rpc/server/framework/multi_instance.rb:222:in `audit_queues'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/framework/parts/audit.rb:202:in `block in audit'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/framework/parts/audit.rb:177:in `loop'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/framework/parts/audit.rb:177:in `audit'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/framework.rb:117:in `block in run'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `call'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/utilities.rb:425:in `exception_jail'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/framework.rb:117:in `run'
[2017-08-24 15:08:29 -0400] C:/arachni/system/ruby/lib/ruby/gems/2.2.0/gems/arachni-1.5.1/lib/arachni/rpc/server/framework.rb:156:in `block in run'
[2017-08-24 15:08:29 -0400] --------------------------------------------------------------------------------
Support Staff 1 Posted by Tasos Laskos on 26 Aug, 2017 04:49 PM
Is there any chance that the login form disappears or fails to show intermittently?
2 Posted by Chris on 28 Aug, 2017 03:33 PM
I've not ever experienced the login form not showing when viewing via a web browser. One annoyance I've noted: the developers have a timeout on the login page. If you do not log in within a set time, the login screen session expires and you have to click to go back to the login screen; don't think this would affect arachni but thought I'd mention it.
The scan does seem to complete, but I see these errors periodically; it runs about 3 of them, then it's good for an hour. I set up arachni on a Linux box and ran it from the command line, and the scan ran much faster. It had not completed in 21 hours when run from a Windows 10 system, and completed in 2 hrs 45 mins from the command line of the Linux box; I also used the command instead of the WebGUI on the Linux box, so I don't know which made the difference. I'm running a scan from the GUI now as a comparison.
3 Posted by Chris on 29 Aug, 2017 01:30 PM
The report I received from running Arachni from the CLI has a sitemap of 25 pages and a total of 25 issues, 10 High Severity (Cross-Site Request Forgery). The scan being done by the WebUI, still not complete after 22 hours, shows 62 pages discovered, 72 issues, 39 High Severity (Cross-Site Request Forgery). Why the discrepancy between the CLI and WebUI?
4 Posted by Chris on 30 Aug, 2017 07:47 PM
The scan from the WebUI is still running at 52 hours now. 82 pages discovered, 71 cross-site request forgery. I still don't understand why the WebUI is finding and following paths that the CLI did not. Any thoughts?
Support Staff 5 Posted by Tasos Laskos on 30 Aug, 2017 07:52 PM
There's no difference in operation between the 2, are you sure the configuration is identical for both interfaces?
Also, the timeout thing sounds like the cause for the errors you've been getting.
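One way to check the timeout explanation against the scanner's error log, as an added example that is not part of the original thread: it groups `FormNotFound` lines into retry bursts and reports the gap between bursts, so a steady gap can be compared with the application's session or login-page timeout. The log line format is the one quoted in the first post; the sample timestamps, the helper names and the 120-second burst window are assumptions.

```ruby
require 'time'

# Constructed sample in the format of the error log quoted in the first post.
# Timestamps are invented for illustration; backtrace lines must be ignored.
SAMPLE_LOG = <<~'LOG'
  [2017-08-24 15:08:29 -0400] [Arachni::Session::Error::FormNotFound] Login form could not be found with: {:url=>"https://server-url/directory/Default.aspx"}
  [2017-08-24 15:08:29 -0400] lib/arachni/session.rb:356:in `login_from_configuration'
  [2017-08-24 15:08:41 -0400] [Arachni::Session::Error::FormNotFound] Login form could not be found with: {}
  [2017-08-24 15:08:55 -0400] [Arachni::Session::Error::FormNotFound] Login form could not be found with: {}
  [2017-08-24 16:01:10 -0400] [Arachni::Session::Error::FormNotFound] Login form could not be found with: {}
  [2017-08-24 16:01:22 -0400] [Arachni::Session::Error::FormNotFound] Login form could not be found with: {}
  [2017-08-24 16:01:22 -0400] lib/arachni/session.rb:203:in `ensure_logged_in'
  [2017-08-24 16:01:35 -0400] [Arachni::Session::Error::FormNotFound] Login form could not be found with: {}
  [2017-08-24 16:53:02 -0400] [Arachni::Session::Error::FormNotFound] Login form could not be found with: {}
LOG

FAILURE = /\A\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4})\] \[Arachni::Session::Error::FormNotFound\]/

# Timestamps of every failed re-login attempt (exception header lines only).
def login_failure_times(log)
  log.each_line.map { |line| FAILURE.match(line) }.compact
     .map { |m| Time.strptime(m[1], '%Y-%m-%d %H:%M:%S %z') }
end

# Failures closer together than burst_window seconds count as one burst,
# i.e. the retries of a single re-login attempt (assumed window: 120 s).
def bursts(times, burst_window = 120)
  times.sort.slice_when { |a, b| b - a > burst_window }
       .map { |group| { start: group.first, failures: group.size } }
end

# Minutes between the starts of consecutive bursts.
def gaps_minutes(burst_list)
  burst_list.each_cons(2).map { |a, b| ((b[:start] - a[:start]) / 60).round }
end

def summarize(log, burst_window: 120)
  b = bursts(login_failure_times(log), burst_window)
  { bursts: b.size,
    failures_per_burst: b.map { |x| x[:failures] },
    gaps_min: gaps_minutes(b) }
end

puts summarize(SAMPLE_LOG) if __FILE__ == $PROGRAM_NAME
```

Gaps that cluster around one value point at an expiry on the server side rather than a random failure in the scanner.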
6 Posted by Chris on 01 Sep, 2017 02:37 PM
With the CLI scan I did no configuration besides passing the credentials for the autologin plugin and telling it to ignore "Logout". Utilizing the command structure "arachni http://testfire.net --plugin=autologin:url=http://testfire.net/bank/login.aspx,parameters="uid=jsmith&... Off|MY ACCOUNT" --scope-exclude-pattern=logout" as provided by your website.
With the WebUI I made a copy of the default profile and enabled the autologin plugin, passing the same information as in the CLI. I did not see a place in the WebUI to exclude 'Logout' in the scanning. Going back I did find this and adding it now.
Would that have caused the system to find more pages by not having that exclusion? At 94 hours the scan still was not complete and the web interface was very slow to unresponsive. I'm starting over with the exclusions to see what happens.
7 Posted by Chris on 05 Sep, 2017 01:32 PM
So to ensure there was no difference when running the CLI scan vs the WebUI I exported the profile built in the WebUI and used it in the CLI. I had similar results as previous. The WebUI ran over a 3 day weekend and did not complete, I cancelled the scan this morning. When attempting to view the scan I'm told an error has occurred. The summary of the scan says it found 76 issues. The CLI scan indicates 18 issues were found and completed in about an hour.
Again there seems to be a large discrepancy between results in the CLI and WebUI.
Support Staff 8 Posted by Tasos Laskos on 06 Sep, 2017 03:08 PM
This is strange, it's the same exact engine underneath, the interfaces just configure it and monitor progress, this shouldn't have happened.
I'm thinking that at some point the configuration gets corrupted.
Any chance I can be given access to the webapp and your config to try and reproduce this issue?
9 Posted by Chris on 07 Sep, 2017 02:52 PM
I tried running it from the WebUI on a Windows box before moving it to a Linux system. Hoped the performance would be better but it behaved about how I am describing. Unfortunately this is an internal test site that has PII in it. I'd be happy to provide any logs that may be useful, I can scrub them for any private data that may be included first.
It seems the WebUI finds more links than the CLI, but the WebUI grinds until it finally becomes unresponsive.
Support Staff 10 Posted by Tasos Laskos on 12 Sep, 2017 04:36 PM
I'm afraid I need to try this for myself.
However, it wouldn't hurt to have a look at the exported profile, can you please attach it?
11 Posted by Chris on 15 Sep, 2017 06:34 PM
Find attached the exported profile.