Can Arachni proxy handle https protocol?
Hello Tasos,
I'm trying to use Arachni's proxy plugin to help me sign into a website over HTTPS. Since this website requires not only a username and password to log in but also an additional "account type" field, "autologin" can't help here.
It seems that Arachni's proxy plugin isn't able to handle the HTTPS protocol. Am I missing something?
Also, what if I use "arachni https://www.example.com --plugin=proxy", but when I log in the domain changes to "https://secure.example.com"? Can Arachni handle that?
Thank you.
Best,
Yanjin
Support Staff 1 Posted by Tasos Laskos on 18 Oct, 2012 03:36 PM
Lots of nice questions...
First of all, the autologin plugin can actually handle that; it will merge the inputs you provided with the ones of the form that matches them and then submit it.
Also, as of v0.4.1, HTTPS interception is supported by the proxy plugin; however, your problem is that you're trying to follow a different subdomain, which can be allowed using the --follow-subdomains flag.
Closing now but feel free to reply/reopen if you need anything else.
Tasos Laskos closed this discussion on 18 Oct, 2012 03:36 PM.
Yanjin re-opened this discussion on 18 Oct, 2012 06:34 PM
2 Posted by Yanjin on 18 Oct, 2012 06:34 PM
Hi Tasos,
Thank you for your help. However, the proxy server always returns a 500 server error when we try to use the proxy plugin on the command line.
My command is:
./arachni https://google.com --plugin=proxy --follow-subdomains
I am attaching the result.
Support Staff 3 Posted by Tasos Laskos on 18 Oct, 2012 06:41 PM
Can't see anything attached but I managed to reproduce it, thanks. Looking into it.
4 Posted by Yanjin on 18 Oct, 2012 06:49 PM
It didn't attach successfully. Pasting the output below. Thank you.
root@bt:~/arachni-0.4.1.1/bin# ./arachni https://google.com --plugin=proxy --follow-subdomains
Arachni - Web Application Security Scanner Framework v0.4.1.1
Author: Tasos "Zapotek" Laskos [email blocked]
Website: http://arachni-scanner.com
Documentation: http://arachni-scanner.com/wiki
[~] No modules were specified.
[~] -> Will run all mods.
[~] No audit options were specified.
[~] -> Will audit links, forms and cookies.
[*] Initialising...
[*] Waiting for plugins to settle...
[~] Proxy: System paused.
[2012-10-18 14:17:49] INFO WEBrick 1.3.1
[2012-10-18 14:17:49] INFO ruby 1.9.3 (2012-04-20) [x86_64-linux]
[*] Proxy: Listening on: http://0.0.0.0:8282
[*] Proxy: Shutdown URL: http://arachni.proxy.shutdown
[~] Proxy: The scan will resume once you visit the shutdown URL.
[~] Proxy:
[~] Proxy:
[~] Proxy: * You need to clear your browser's cookies for this site before using the proxy! *
[~] Proxy:
[~] Proxy:
[2012-10-18 14:17:49] INFO Arachni::Plugins::Proxy::Server#start: pid=2236 port=8282
[*] Proxy: Requesting http://www.google.com/
[2012-10-18 14:17:55] ERROR NoMethodError: undefined method `headers' for nil:NilClass
Support Staff 5 Posted by Tasos Laskos on 18 Oct, 2012 07:08 PM
Fixed, it will be in the nightly builds in a couple of hours.
Tasos Laskos closed this discussion on 18 Oct, 2012 07:08 PM.
Yanjin re-opened this discussion on 18 Oct, 2012 07:43 PM
6 Posted by Yanjin on 18 Oct, 2012 07:43 PM
Will give it a try when the new build comes out. Thank you very much!
Support Staff 7 Posted by Tasos Laskos on 18 Oct, 2012 08:11 PM
I figured I'd save you an hour of waiting and push now, you can grab the updated packages, they're ready.
Let me know if you come across anything...weird.
Tasos Laskos closed this discussion on 18 Oct, 2012 08:11 PM.
Yanjin re-opened this discussion on 18 Oct, 2012 09:55 PM
8 Posted by Yanjin on 18 Oct, 2012 09:55 PM
Thank you so much. Just want to confirm the nightly builds are here: http://downloads.arachni-scanner.com/nightlies/. I see three packages modified around 14:00 today.
Best,
Yanjin
Support Staff 9 Posted by Tasos Laskos on 18 Oct, 2012 10:01 PM
No problem, yeah these are the ones. Don't get confused by the timestamps, they're built every night GMT+2 while the hosting server is on a different timezone.
Tasos Laskos closed this discussion on 18 Oct, 2012 10:01 PM.
Yanjin re-opened this discussion on 19 Oct, 2012 06:48 PM
10 Posted by Yanjin on 19 Oct, 2012 06:48 PM
Hello Tasos,
Sorry to bother you again. The new arachni build works fine for some sites.
For some other sites, like "https://www.citi.com", it gives a timeout error and sometimes prints the HTML code directly onto the web page. I'm trying to log into a website over HTTPS with the help of the Arachni proxy plugin.
Another question: can autologin handle a login form submitted by JavaScript? In my memory the answer is no.
Best,
Yanjin
Support Staff 11 Posted by Tasos Laskos on 19 Oct, 2012 07:04 PM
Hey,
Thanks for the feedback, I'll try and sort it out.
And yeah you remember correctly, DOM/JS support is scheduled for v0.5, which will take a while.
12 Posted by Wei An on 19 Oct, 2012 07:06 PM
Hi Tasos,
It seems that you would like to insert an iframe into the original code. This operation may not be compatible with the SSL certificate of the original page, and may have led to the phenomenon we encountered. Did you consider this issue before?
Best,
Wei
Support Staff 13 Posted by Tasos Laskos on 19 Oct, 2012 07:50 PM
When trying to connect to an SSL site via a proxy the proxy has no idea of what's going on, it just creates a point-to-point TCP tunnel between your browser and the SSL server.
So, in order for the proxy to work with SSL servers what's going on is that a secondary proxy is silently started which acts as an SSL interceptor between the first proxy and the SSL server and handles encryption and decryption and passes the resulting data back and forth.
To illustrate this, the original post includes a diagram with two labelled parts, HTTP and HTTPS (not reproduced here).
So your browser never sees the original SSL cert but only the cert of the SSL interceptor.
As for the panel, it's injected by the first proxy and doesn't interfere with any SSL stuff.
Your problem more likely has to do with the fact that the URL redirects to a different domain (www.citi.com -> online.citibank.com), which is not allowed.
However, you should have seen a nice and friendly page informing you of that fact, but, again, because this scope violation was caused by a redirection this may have been a corner case for which I had not accounted.
Does that make sense?
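The scope rule that runs through this thread (post 1: a different subdomain such as secure.example.com is only followed with --follow-subdomains; post 13: a redirect to a different domain such as online.citibank.com is a scope violation regardless) can be made concrete with a small checker. The following Ruby is an added example written for this page, not Arachni's own code; the class name ScopeChecker, the method names and the "last two labels" notion of registrable domain are assumptions made here, not behaviour documented in the thread.

```ruby
require 'uri'

# Hypothetical scope checker (not Arachni's implementation): decides whether a
# URL, or the target of a redirect, stays inside the audit scope defined by the
# seed URL, with and without a follow_subdomains option.
class ScopeChecker
  def initialize(seed_url, follow_subdomains: false)
    @seed_host = URI.parse(seed_url).host.to_s.downcase
    @follow_subdomains = follow_subdomains
  end

  # True when +url+ is on the seed host, or (with follow_subdomains) on any
  # host sharing the seed host's registrable domain. Non-HTTP(S) schemes are
  # always out of scope.
  def in_scope?(url)
    target = URI.parse(url)
    return false unless %w[http https].include?(target.scheme)

    host = target.host.to_s.downcase
    return true if host == @seed_host
    return false unless @follow_subdomains

    domain = registrable_domain(@seed_host)
    host == domain || host.end_with?(".#{domain}")
  end

  # Resolves a Location header (which may be relative) against the URL that
  # was requested and reports whether following it would leave the scope.
  # Returns [:ok, absolute_url] or [:scope_violation, absolute_url].
  def check_redirect(from_url, location)
    target = URI.join(from_url, location).to_s
    in_scope?(target) ? [:ok, target] : [:scope_violation, target]
  end

  private

  # Assumption for this example: the registrable domain is the last two
  # labels. A production scanner would consult the Public Suffix List so that
  # hosts under suffixes like co.uk are grouped correctly.
  def registrable_domain(host)
    host.split('.').last(2).join('.')
  end
end

# Constructed walk-through using the hosts mentioned in the thread.
if __FILE__ == $PROGRAM_NAME
  strict = ScopeChecker.new('https://www.example.com')
  loose  = ScopeChecker.new('https://www.example.com', follow_subdomains: true)
  puts strict.in_scope?('https://secure.example.com/login')  # false
  puts loose.in_scope?('https://secure.example.com/login')   # true

  # Even with subdomains allowed, a redirect to another domain is refused.
  citi = ScopeChecker.new('https://www.citi.com', follow_subdomains: true)
  p citi.check_redirect('https://www.citi.com/', 'https://online.citibank.com/')
  # [:scope_violation, "https://online.citibank.com/"]
end
```

The redirect case is the one that bit in this thread: the Location header has to be resolved to an absolute URL before the host comparison, otherwise a relative redirect looks out of scope and an absolute one to a sibling domain can slip through. An intercepting proxy that refuses such a redirect should answer the browser with an explanatory page rather than passing the raw response on, which is the "friendly page" behaviour described above.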
Support Staff 14 Posted by Tasos Laskos on 23 Oct, 2012 01:55 PM
Fixed: https://github.com/Arachni/arachni/commit/856a82992f2ff10af6c68ea50...
For some reason images don't appear correctly over HTTP (but not HTTPS) and I'll keep looking into that but I fixed the previous issues.
Please do let me know if you come across any new problems.
Tasos Laskos closed this discussion on 23 Oct, 2012 01:55 PM.
Yanjin re-opened this discussion on 23 Oct, 2012 02:29 PM
15 Posted by Yanjin on 23 Oct, 2012 02:29 PM
Hi Tasos,
That's a good news. Thank you very much for your efforts. I'll definitely try it.
Best,
Yanjin
Tasos Laskos closed this discussion on 24 Oct, 2012 08:52 PM.