arachni rpcd cookie problem
Dear Tasos,
Yesterday I asked about using cookie-jar to do an authenticated scan. Thanks for your responsive reply. I already passed cookies to arachni rpcd following your instructions. But it seems that arachni didn't use the cookie jar I provided. It still acquired a new session id instead of using the session id I passed in. Below is part of the report:
audit_cookies: true
audit_links: true
cookie_jar:
  PHPSESSID: 772e407faf6ef441ff939f4b7517aa0c
audit_forms: true
audit_headers: true
url: http://crackme.cenzic.com/Kelev/php/accttransaction.php
start_datetime: 2012-11-06 11:28:32.258807 -05:00
cookies:
  PHPSESSID: 8c8324efad9268036f657093351b2cd1
finish_datetime: 2012-11-06 11:28:33.544597 -05:00
delta_time: 1.285789676
version: 0.4.1.2
revision: 0.2.7
start_datetime: Tue Nov 6 11:28:32 2012
finish_datetime: Tue Nov 6 11:28:33 2012
delta_time: "00:00:01"
The "PHPSESSID" under "cookie_jar" is the logged-in session id which I expect arachni to use. But it seems arachni used the "PHPSESSID" under "cookies". Any comments?
Thanks in advance.
Best,
Yanjin
Support Staff 1 Posted by Tasos Laskos on 06 Nov, 2012 04:55 PM
I'm guessing that you didn't exclude paths that can invalidate the session (like logout links) so Arachni followed them and inadvertently ended up with a new session.
See: https://github.com/Arachni/arachni/wiki/RPC-API#wiki-options_exclude
Feel free to re-open if I'm wrong or if you need further help.
Tasos Laskos closed this discussion on 06 Nov, 2012 04:55 PM.
Yanjin re-opened this discussion on 06 Nov, 2012 05:13 PM
2 Posted by Yanjin on 06 Nov, 2012 05:13 PM
As you said, the target url is followed by a sign out link. But a scan from the command line, that is, "arachni http://www.example.com/account.php --cookie-jar=cookies.txt", works perfectly. I didn't exclude the sign out link there either.
The target url of the scan is set to the url after logging in, for example, "http://www.example.com/account.php". The session id in the cookie is extracted after logging in. It should be used to authenticate. Only in the case that arachni can't log in will it follow the sign out link and be given a new session id.
Do you have any idea in mind why arachni can't login using provided session id?
Best,
Yanjin
Support Staff 3 Posted by Tasos Laskos on 06 Nov, 2012 05:18 PM
The fact that it worked from the CLI will probably have been pure luck; it may have left the log-out link for last so you didn't notice, or something like that.
You should always exclude logout links so give that a shot and let me know how it works.
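The two checks a practitioner wants when an authenticated scan is driven from a cookie jar are exactly the ones this thread turns on: is the session cookie from the jar actually being sent for the target URL, and are logout-style links being kept out of the crawl so the scanner cannot log itself out. The Ruby script below is an added example, not Arachni's code; it parses a Netscape-format cookies.txt (the format used with --cookie-jar=cookies.txt), applies the domain/path/secure/expiry rules to pick the cookies for a URL, filters discovered links against Ruby regexps of the kind Arachni prints as (?-mix:signout), and compares the session id a scan reports back against the one in the jar. The jar contents, the PHPSESSID values and the URL list are constructed sample data; the LOGOUT_PATTERNS list is an assumption about what typical logout paths look like and should be tailored to the target.

```ruby
# Added example (not Arachni code): sanity checks for an authenticated scan
# fed from a Netscape-format cookie jar.
#
# 1. parse the jar and pull the cookies that apply to the target URL
# 2. drop discovered URLs a crawler must not follow (logout links),
#    the job done by --exclude / the RPC "exclude" option
# 3. check that the session id the scan reports matches the jar
require 'uri'

# Constructed sample jar in Netscape/curl format:
# domain, include-subdomains, path, secure, expiry (0 = session), name, value.
# All values are made up.
SAMPLE_JAR = <<~JAR
  # Netscape HTTP Cookie File
  crackme.cenzic.com\tFALSE\t/\tFALSE\t0\tPHPSESSID\t772e407faf6ef441ff939f4b7517aa0c
  .example.com\tTRUE\t/\tTRUE\t1893456000\tsid\tabc123
JAR

Cookie = Struct.new(:domain, :subdomains, :path, :secure, :expires, :name, :value)

def parse_cookie_jar(text)
  text.each_line.map do |line|
    line = line.strip
    next nil if line.empty? || line.start_with?('#')
    f = line.split("\t")
    next nil unless f.size == 7
    Cookie.new(f[0], f[1] == 'TRUE', f[2], f[3] == 'TRUE', f[4].to_i, f[5], f[6])
  end.compact
end

def domain_match?(cookie, host)
  d = cookie.domain.sub(/\A\./, '')
  host == d || (cookie.subdomains && host.end_with?('.' + d))
end

# Cookies that a browser would attach to a request for +url+.
def cookies_for(jar, url)
  uri = URI(url)
  jar.select do |c|
    domain_match?(c, uri.host) &&
      uri.path.start_with?(c.path) &&
      (!c.secure || uri.scheme == 'https') &&
      (c.expires.zero? || c.expires > Time.now.to_i)
  end
end

def cookie_header(jar, url)
  cookies_for(jar, url).map { |c| "#{c.name}=#{c.value}" }.join('; ')
end

# Assumed patterns for session-killing links; Arachni shows such filters
# as e.g. (?-mix:signout). Adjust per target.
LOGOUT_PATTERNS = [/signout/i, /logout/i, /log_?off/i, %r{session/destroy}i].freeze

def excluded?(url, patterns = LOGOUT_PATTERNS)
  patterns.any? { |re| url =~ re }
end

def filter_urls(urls, patterns = LOGOUT_PATTERNS)
  urls.reject { |u| excluded?(u, patterns) }
end

# Did the scan keep the session we gave it? Compare the cookie the scan
# ended up with (the "cookies:" section of the report) against the jar.
def session_preserved?(jar, url, reported_cookies, name = 'PHPSESSID')
  expected = cookies_for(jar, url).find { |c| c.name == name }
  return false unless expected
  reported_cookies[name] == expected.value
end

if __FILE__ == $0
  jar    = parse_cookie_jar(SAMPLE_JAR)
  target = 'http://crackme.cenzic.com/Kelev/php/accttransaction.php'
  puts "Cookie: #{cookie_header(jar, target)}"
  puts filter_urls(%w[/Kelev/php/accttransaction.php /Kelev/php/signout.php /Kelev/php/login.php])
  # A report showing a different PHPSESSID means the scanner was issued a
  # fresh session, i.e. the jar was ignored or a logout link was followed.
  puts session_preserved?(jar, target, 'PHPSESSID' => '8c8324efad9268036f657093351b2cd1')
end
```

Run the jar check before the scan (is the cookie still accepted by the application?) and the session comparison after it; if the reported session id differs from the jar's, either the jar was never applied or the crawl hit a logout link, and the exclude list needs tightening.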
4 Posted by Yanjin on 06 Nov, 2012 05:40 PM
I tried using the command "arachni http://crackme.cenzic.com/Kelev/php/accttransaction.php --cookie-jar=cookies.txt --exclude=signout". It still did not work and acquired a new session id. Maybe I should describe the situation further.
As you may have noticed, I tested with "crackme.cenzic.com". The target url is "http://crackme.cenzic.com/Kelev/php/accttransaction.php".
1. CLI works perfectly.
[~] URL: http://crackme.cenzic.com/Kelev/php/accttransaction.php
[~] User agent: Arachni/v0.4.1.2
[*] Audited elements:
[~] * Links
[~] * Forms
[~] * Cookies
[*] Modules: session_fixation, sqli_blind_rdiff, xss_uri, xss_tag, code_injection, trainer, xss_script_tag, rfi, sqli, xss, os_cmd_injection, csrf, code_injection_timing, ldapi, sqli_blind_timing, response_splitting, xpath, xss_path, path_traversal, unvalidated_redirect, os_cmd_injection_timing, xss_event, directory_listing, webdav, backdoors, ssn, unencrypted_password_forms, captcha, emails, http_only_cookies, credit_card, private_ip, insecure_cookies, cvs_svn_users, html_objects, mixed_resource, backup_files, htaccess_limit, xst, http_put, interesting_responses, allowed_methods, common_files, common_directories
[*] Cookies:
[~] PHPSESSID = 1a7c542e6f1c81925930498aa38f9264
[~] ===========================
[+] 0 issues were detected.
[+] Plugin data:
[~] ---------------
[~] -0.0% [=> ] 100%
[~] Est. remaining time: --:--:--
[~] Crawling, discovered 0 pages and counting.
[~] Sent 1 requests.
[~] Received and analyzed 1 responses.
[~] In 00:00:01
[~] Average: 0 requests/second.
[~] Burst response time total 0
[~] Burst response count total 0
[~] Burst average response time 0
[~] Burst average 0 requests/second
[~] Timed-out requests 0
[~] Original max concurrency 20
[~] Throttled max concurrency 20
[~] URL: http://crackme.cenzic.com/Kelev/php/accttransaction.php
[~] User agent: Arachni/v0.4.1.2
[*] Audited elements:
[~] * Links
[~] * Forms
[~] * Cookies
[*] Modules: session_fixation, sqli_blind_rdiff, xss_uri, xss_tag, code_injection, trainer, xss_script_tag, rfi, sqli, xss, os_cmd_injection, csrf, code_injection_timing, ldapi, sqli_blind_timing, response_splitting, xpath, xss_path, path_traversal, unvalidated_redirect, os_cmd_injection_timing, xss_event, directory_listing, webdav, backdoors, ssn, unencrypted_password_forms, captcha, emails, http_only_cookies, credit_card, private_ip, insecure_cookies, cvs_svn_users, html_objects, mixed_resource, backup_files, htaccess_limit, xst, http_put, interesting_responses, allowed_methods, common_files, common_directories
[*] Filters:
[~] Exclude:
[~] (?-mix:signout)
[*] Cookies:
[~] PHPSESSID = 1a7c542e6f1c81925930498aa38f9264
[~] ===========================
[+] 0 issues were detected.
[+] Plugin data:
[~] ---------------
[~] -0.0% [=> ] 100%
[~] Est. remaining time: --:--:--
[~] Crawling, discovered 0 pages and counting.
[~] Sent 1 requests.
[~] Received and analyzed 1 responses.
[~] In 00:00:01
[~] Average: 0 requests/second.
[~] Burst response time total 0
[~] Burst response count total 0
[~] Burst average response time 0
[~] Burst average 0 requests/second
[~] Timed-out requests 0
[~] Original max concurrency 20
[~] Throttled max concurrency 20
5 Posted by Yanjin on 06 Nov, 2012 05:47 PM
Sorry for the poor formatting. Reformat as below:
1. CLI works perfectly.
2. CLI with an arachni_rpcd running in the background failed. Output is like:
3. CLI with arachni_rpcd running and the signout link excluded also failed. Output is like:
4. Passing cookies to arachni_rpcd failed. The output is just like above. The scan finished immediately after it started.
Support Staff 6 Posted by Tasos Laskos on 06 Nov, 2012 05:53 PM
Ok, I've got just one more question for you and then I'll start digging, did you use a fresh cookie-jar for each of these runs?
Otherwise things went like this:
Right? Wrong?
7 Posted by Yanjin on 06 Nov, 2012 06:11 PM
I did check the cookies each time before running. Yes, they're valid. As you may have noticed from the 4 experiments in my last post, the authenticated scan failed whenever arachni_rpcd was involved. I'm not sure whether it's arachni_rpcd's problem.
Looking forward to good news.
Best,
Yanjin
Support Staff 8 Posted by Tasos Laskos on 07 Nov, 2012 01:27 PM
Ok then, looking into it now.
9 Posted by Yanjin on 07 Nov, 2012 03:29 PM
Glad to hear that. I did more experiments yesterday. The CLI works well. So the problem really is that arachni_rpcd can't apply the cookies I provided. Aren't the CLI and arachni_rpcd using the same strategy to handle cookies? Why the difference?
Thanks.
Best,
Yanjin
Support Staff 10 Posted by Tasos Laskos on 07 Nov, 2012 03:35 PM
Yes, this was an oversight on my part, you are 100% right, I do apologize.
The difference is that the initialisation order is different when running over RPC -- the cookie options were being set after the HTTP class was being configured so it never had a chance to take them into account.
I've fixed this and will push the updated code today after I'm done testing.
I'll update this ticket when I do.
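The ordering bug described in the reply above is a general pitfall for any tool that lets options be set after its HTTP layer is built, which is what happens over RPC: the server is already running when the client pushes its options. The Ruby snippet below is an added illustration, not Arachni's code, of the two shapes involved. EagerClient copies the cookie configuration once when it is constructed, so anything assigned afterwards is silently ignored and the target issues a fresh session; LazyClient reads the options object on every request, so a jar set later still takes effect. The Options struct, class names and the 'jar-value' cookie are all invented for the illustration.

```ruby
# Added illustration (not Arachni's code) of the initialisation-order bug:
# an HTTP client that snapshots its cookie options at construction ignores
# options set later, which is the order of events over RPC (server up first,
# options pushed by the client afterwards).
Options = Struct.new(:cookie_jar)

# Buggy shape: cookies captured when the client is built.
class EagerClient
  def initialize(opts)
    @cookies = (opts.cookie_jar || {}).dup   # snapshot taken here, never refreshed
  end

  def request_cookies
    @cookies
  end
end

# Fixed shape: keep a reference to the options and consult it per request,
# so an assignment made after construction is honoured.
class LazyClient
  def initialize(opts)
    @opts = opts
  end

  def request_cookies
    @opts.cookie_jar || {}
  end
end

# Reproduce the RPC ordering: HTTP client first, cookie options second.
def cookies_sent(client_class)
  opts   = Options.new(nil)
  client = client_class.new(opts)                    # "HTTP class configured"
  opts.cookie_jar = { 'PHPSESSID' => 'jar-value' }   # set afterwards, as over RPC
  client.request_cookies
end

if __FILE__ == $0
  p cookies_sent(EagerClient)   # {}  -> jar ignored, server will hand out a new session
  p cookies_sent(LazyClient)    # {"PHPSESSID"=>"jar-value"}
end
```

The symptom is exactly the one in the report at the top of this thread: a cookie_jar section that holds the intended session id alongside a cookies section holding a different one the server minted during the scan.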
11 Posted by Yanjin on 07 Nov, 2012 04:14 PM
That explains my question. Thank you very much for the rapid fix! So when you're done, please give me a link to the latest version so that I can try it out. Thanks again.
Best,
Yanjin
Support Staff 12 Posted by Tasos Laskos on 07 Nov, 2012 07:22 PM
Here's the commit: https://github.com/Arachni/arachni/commit/7678ead8597c890d3270a48c7...
The code is in the experimental branch.
Tasos Laskos closed this discussion on 07 Nov, 2012 07:22 PM.
Yanjin re-opened this discussion on 07 Nov, 2012 10:15 PM
13 Posted by Yanjin on 07 Nov, 2012 10:15 PM
Dear Tasos,
The new version works perfectly! Really thank you for the quick reply and continuous effort.
Best,
Yanjin
Support Staff 14 Posted by Tasos Laskos on 08 Nov, 2012 09:57 AM
No problem, thanks for reporting it and for helping to narrow it down.
Tasos Laskos closed this discussion on 08 Nov, 2012 09:57 AM.
Yanjin re-opened this discussion on 16 Nov, 2012 06:54 PM
15 Posted by Yanjin on 16 Nov, 2012 06:54 PM
Dear Tasos,
Sorry to bother you again. The new version (under the github experimental branch) works great. I would like to run it on a machine without a network connection. Does the newest nightly build (Nov 15) fix the arachni_rpcd cookie problem? Or are there other ways to install the fixed version without an internet connection?
Thank you very much.
Best,
Yanjin
Support Staff 16 Posted by Tasos Laskos on 16 Nov, 2012 06:56 PM
Yep, grab one of the nightlies and you'll be fine.
Tasos Laskos closed this discussion on 16 Nov, 2012 06:56 PM.
Yanjin re-opened this discussion on 16 Nov, 2012 08:04 PM
17 Posted by Yanjin on 16 Nov, 2012 08:04 PM
I tried the nightly build posted last night and got an exception:
Then arachni got stuck at 0%. Also the url is strange: 0.0.0.0:30523 is the address arachni_rpcd listens on. The correct url I gave to arachni is ignored.
Do you know what might cause this problem?
Support Staff 18 Posted by Tasos Laskos on 16 Nov, 2012 09:28 PM
Could you give me the full backtrace? It's going to be in the console output.
19 Posted by Yanjin on 17 Nov, 2012 12:05 AM
Well, I wonder whether this exception is because arachni_rpcd in the nightlies still has the cookie problem. I tried both the i386 and x86_64 versions of the nightly build (Nov 16) and got different results. It seems that the i386 version works but I had no luck with x86_64.
Is there any difference between these two versions? Are they built from the same source code? Thanks in advance.
Best,
Yanjin
Support Staff 20 Posted by Tasos Laskos on 17 Nov, 2012 10:57 AM
Hi, the code is the same.
Can you reproduce this? I hope so because I can't do anything without the full backtrace -- which you'll find in the output of the arachni_rpcd process.
I may have introduced a bug while resolving the cookie issue so this will help me fix it.
21 Posted by Yanjin on 17 Nov, 2012 07:29 PM
Dear Tasos,
The problem is solved. I installed a gem built from the experimental source code and it works fine. The nightly arachni command line also works. Does arachni_rpcd have a backtrace log?
Best,
Yanjin
Support Staff 22 Posted by Tasos Laskos on 18 Nov, 2012 03:21 PM
Check for an error.log file in the working dir.
23 Posted by Yanjin on 19 Nov, 2012 07:03 PM
I attached error.log. It's probably because I used expired cookies to do authentication.
BTW, as to the report, is it possible for arachni_rpcd to return the report as a JSON-format string? If so, what should the RPC API call be instead of "instance.call( "framework.report" )"?
Best,
Yanjin
Support Staff 24 Posted by Tasos Laskos on 19 Nov, 2012 07:10 PM
Stupid bug, it was a namespace error, it used the default URI class (which is not that trustworthy) instead of mine. I fixed it now.
And yes, the call is:
instance.call( 'framework.report_as', 'json' )
It's sort of new so it's not documented that well.
Re-open if you need further help.
Tasos Laskos closed this discussion on 19 Nov, 2012 07:10 PM.