arachni rpcd cookie problem

Yanjin

06 Nov, 2012 04:48 PM

Dear Tasos,

Yesterday I asked about using a cookie jar to do an authenticated scan. Thanks for your responsive reply. I have already passed cookies to arachni_rpcd following your instructions, but it seems that Arachni didn't use the cookie jar I provided. It still acquired a new session id instead of using the session id I passed in. Below is part of the report:

audit_cookies: true
audit_links: true
cookie_jar: 
  PHPSESSID: 772e407faf6ef441ff939f4b7517aa0c
audit_forms: true
audit_headers: true
url: http://crackme.cenzic.com/Kelev/php/accttransaction.php
start_datetime: 2012-11-06 11:28:32.258807 -05:00
cookies: 
  PHPSESSID: 8c8324efad9268036f657093351b2cd1
finish_datetime: 2012-11-06 11:28:33.544597 -05:00
delta_time: 1.285789676

version: 0.4.1.2
revision: 0.2.7
start_datetime: Tue Nov 6 11:28:32 2012
finish_datetime: Tue Nov 6 11:28:33 2012
delta_time: "00:00:01"

The "PHPSESSID" under "cookie_jar" is the logged-in session id, which I expect Arachni to use. But it seems Arachni used the "PHPSESSID" under "cookies". Any comments?

Thanks in advance.

Best,
Yanjin

  1. Support Staff 1 Posted by Tasos Laskos on 06 Nov, 2012 04:55 PM

    I'm guessing that you didn't exclude paths that can invalidate the session (like logout links), so Arachni followed them and inadvertently ended up with a new session.

    See: https://github.com/Arachni/arachni/wiki/RPC-API#wiki-options_exclude

    Feel free to re-open if I'm wrong or if you need further help.

  2. Tasos Laskos closed this discussion on 06 Nov, 2012 04:55 PM.

  3. Yanjin re-opened this discussion on 06 Nov, 2012 05:13 PM

  4. 2 Posted by Yanjin on 06 Nov, 2012 05:13 PM

    As you said, the target URL is followed by a sign-out link. But scanning from the command line, that is, "arachni http://www.example.com/account.php --cookie-jar=cookies.txt", works perfectly. I didn't exclude the sign-out link there either.

    The target URL of the scan is set to the URL after logging in, for example "http://www.example.com/account.php". The session id in the cookie is extracted after logging in. It should be used to authenticate. Only in the case that Arachni can't log in will it follow the sign-out link and be given a new session id.

    Do you have any idea why Arachni can't log in using the provided session id?

    Best,
    Yanjin

  5. Support Staff 3 Posted by Tasos Laskos on 06 Nov, 2012 05:18 PM

    The fact that it worked from the CLI was probably pure luck; it may have left the log-out link for last so you didn't notice, or something like that.

    You should always exclude logout links, so give that a shot and let me know how it works.
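    A pre-flight and post-scan check for the two things this thread turns on, as an added example in Ruby that is not part of the original posts or of Arachni itself: the session-replacement check that the opening post does by hand on the report (cookie_jar PHPSESSID versus cookies PHPSESSID), and the exclude filter recommended above. It loads a Netscape-format cookies.txt (the format curl writes with --cookie-jar, which is what I understand the --cookie-jar option expects), compiles --exclude patterns the way the scan output shows them ("(?-mix:signout)" is what Regexp.new('signout').to_s prints), and compares the two session cookies in a report fragment. The cookie file contents, the signout URL, the URL list and the function names are constructed for this example; the two PHPSESSID values are the ones from the report in the opening post. session_alive? needs network access and is only there to show the pre-flight request; nothing else touches the network.

```ruby
require 'yaml'
require 'net/http'
require 'uri'

# Constructed Netscape-format cookie file (the format curl writes with
# --cookie-jar): domain, include-subdomains, path, secure, expiry, name, value.
SAMPLE_COOKIE_JAR = <<~TXT
  # Netscape HTTP Cookie File
  crackme.cenzic.com\tFALSE\t/\tFALSE\t0\tPHPSESSID\t772e407faf6ef441ff939f4b7517aa0c
TXT

# Constructed list of URLs a crawl of the target might discover; the signout
# path is made up for the example.
SAMPLE_URLS = [
  'http://crackme.cenzic.com/Kelev/php/accttransaction.php',
  'http://crackme.cenzic.com/Kelev/php/signout.php'
].freeze

# Report fragment in the shape shown in the opening post, with the two
# PHPSESSID values from that post.
SAMPLE_REPORT = <<~YAML
  cookie_jar:
    PHPSESSID: 772e407faf6ef441ff939f4b7517aa0c
  url: http://crackme.cenzic.com/Kelev/php/accttransaction.php
  start_datetime: 2012-11-06 11:28:32.258807 -05:00
  cookies:
    PHPSESSID: 8c8324efad9268036f657093351b2cd1
  finish_datetime: 2012-11-06 11:28:33.544597 -05:00
YAML

# Parse a Netscape cookie file into { name => value }, skipping comments and
# blank lines; only 7-field lines are cookies.
def load_cookie_jar(text)
  text.each_line.with_object({}) do |line, jar|
    next if line.start_with?('#') || line.strip.empty?
    fields = line.chomp.split("\t")
    next unless fields.size == 7
    jar[fields[5]] = fields[6]
  end
end

# Compile --exclude patterns as the scanner does (a plain string becomes a
# Regexp, hence "(?-mix:signout)" in the output) and split the discovered
# URLs into the ones the scan will visit and the ones it will skip.
def partition_urls(urls, exclude_patterns)
  regexes = exclude_patterns.map { |p| Regexp.new(p) }
  urls.partition { |u| regexes.none? { |r| r.match?(u) } }
end

# Send one request carrying the jar's cookies and report whether the server
# kept the session: no redirect (to a login page) and no Set-Cookie that
# reissues the session cookie with a different value. Needs network access.
def session_alive?(url, jar, cookie_name = 'PHPSESSID')
  uri = URI(url)
  req = Net::HTTP::Get.new(uri)
  req['Cookie'] = jar.map { |k, v| "#{k}=#{v}" }.join('; ')
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.request(req)
  end
  return false if res.is_a?(Net::HTTPRedirection)
  reissued = (res.get_fields('Set-Cookie') || []).any? do |c|
    c.start_with?("#{cookie_name}=") && !c.start_with?("#{cookie_name}=#{jar[cookie_name]}")
  end
  !reissued
end

# The check from the opening post: the session cookie the scan was given
# (cookie_jar) should still be the one it holds at the end (cookies). A
# mismatch means the jar was ignored or the session was replaced mid-scan.
def session_replaced?(report_yaml, cookie_name = 'PHPSESSID')
  report = YAML.safe_load(report_yaml, permitted_classes: [Time])
  given = (report['cookie_jar'] || {})[cookie_name]
  held  = (report['cookies'] || {})[cookie_name]
  given != held
end

if __FILE__ == $PROGRAM_NAME
  jar = load_cookie_jar(SAMPLE_COOKIE_JAR)
  visit, skip = partition_urls(SAMPLE_URLS, ['signout'])
  puts "cookies loaded: #{jar.keys.join(', ')}"
  puts "will visit: #{visit.join(', ')}"
  puts "excluded:   #{skip.join(', ')}"
  puts "session replaced during scan: #{session_replaced?(SAMPLE_REPORT)}"
end
```

    Run session_alive? against the target before every scan (a jar that was valid for the previous run may have been logged out by it, which is the scenario raised later in this thread), and run session_replaced? on the finished report; if it returns true, either the jar was not applied or a page the crawler followed ended the session, and the exclude list needs another pattern.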

  6. 4 Posted by Yanjin on 06 Nov, 2012 05:40 PM

    I tried the command "arachni http://crackme.cenzic.com/Kelev/php/accttransaction.php --cookie-jar=cookies.txt --exclude=signout". It still doesn't work and acquires a new session id. Maybe I should describe the situation further.

    As you may have noticed, I tested with "crackme.cenzic.com". The target URL is "http://crackme.cenzic.com/Kelev/php/accttransaction.php".

    1. CLI works perfectly.

    2. CLI with an arachni_rpcd running in the background failed. Output is like:

    [~] URL: http://crackme.cenzic.com/Kelev/php/accttransaction.php
    [~] User agent: Arachni/v0.4.1.2

    [*] Audited elements:
    [~]  * Links
    [~]  * Forms
    [~]  * Cookies

    [*] Modules: session_fixation, sqli_blind_rdiff, xss_uri, xss_tag, code_injection, trainer, xss_script_tag, rfi, sqli, xss, os_cmd_injection, csrf, code_injection_timing, ldapi, sqli_blind_timing, response_splitting, xpath, xss_path, path_traversal, unvalidated_redirect, os_cmd_injection_timing, xss_event, directory_listing, webdav, backdoors, ssn, unencrypted_password_forms, captcha, emails, http_only_cookies, credit_card, private_ip, insecure_cookies, cvs_svn_users, html_objects, mixed_resource, backup_files, htaccess_limit, xst, http_put, interesting_responses, allowed_methods, common_files, common_directories

    [*] Cookies:
    [~]  PHPSESSID = 1a7c542e6f1c81925930498aa38f9264

    [~] ===========================

    [+] 0 issues were detected.

    [+] Plugin data:
    [~] ---------------

    [~] -0.0% [=> ] 100%
    [~] Est. remaining time: --:--:--

    [~] Crawling, discovered 0 pages and counting.

    [~] Sent 1 requests.
    [~] Received and analyzed 1 responses.
    [~] In 00:00:01
    [~] Average: 0 requests/second.

    [~] Burst response time total 0
    [~] Burst response count total 0
    [~] Burst average response time 0
    [~] Burst average 0 requests/second
    [~] Timed-out requests 0
    [~] Original max concurrency 20
    [~] Throttled max concurrency 20

    3. CLI with arachni_rpcd running and the signout link excluded also failed. Output is like:

    [~] URL: http://crackme.cenzic.com/Kelev/php/accttransaction.php
    [~] User agent: Arachni/v0.4.1.2

    [*] Audited elements:
    [~]  * Links
    [~]  * Forms
    [~]  * Cookies

    [*] Modules: session_fixation, sqli_blind_rdiff, xss_uri, xss_tag, code_injection, trainer, xss_script_tag, rfi, sqli, xss, os_cmd_injection, csrf, code_injection_timing, ldapi, sqli_blind_timing, response_splitting, xpath, xss_path, path_traversal, unvalidated_redirect, os_cmd_injection_timing, xss_event, directory_listing, webdav, backdoors, ssn, unencrypted_password_forms, captcha, emails, http_only_cookies, credit_card, private_ip, insecure_cookies, cvs_svn_users, html_objects, mixed_resource, backup_files, htaccess_limit, xst, http_put, interesting_responses, allowed_methods, common_files, common_directories

    [*] Filters:
    [~]  Exclude:
    [~]   (?-mix:signout)

    [*] Cookies:
    [~]  PHPSESSID = 1a7c542e6f1c81925930498aa38f9264

    [~] ===========================

    [+] 0 issues were detected.

    [+] Plugin data:
    [~] ---------------

    [~] -0.0% [=> ] 100%
    [~] Est. remaining time: --:--:--

    [~] Crawling, discovered 0 pages and counting.

    [~] Sent 1 requests.
    [~] Received and analyzed 1 responses.
    [~] In 00:00:01
    [~] Average: 0 requests/second.

    [~] Burst response time total 0
    [~] Burst response count total 0
    [~] Burst average response time 0
    [~] Burst average 0 requests/second
    [~] Timed-out requests 0
    [~] Original max concurrency 20
    [~] Throttled max concurrency 20

    4. Passing cookies to arachni_rpcd failed. The output is just like above. The scan finished immediately after it started.

  7. 5 Posted by Yanjin on 06 Nov, 2012 05:47 PM

    Sorry for the poor formatting. Reformat as below:

    1. CLI works perfectly.

    2. CLI with an arachni_rpcd running in the background failed. Output is like:

    [~] URL: http://crackme.cenzic.com/Kelev/php/accttransaction.php
    [~] User agent: Arachni/v0.4.1.2

    [*] Audited elements:
    [~]  * Links
    [~]  * Forms
    [~]  * Cookies

    [*] Modules: session_fixation, sqli_blind_rdiff, xss_uri, xss_tag, code_injection, trainer, xss_script_tag, rfi, sqli, xss, os_cmd_injection, csrf, code_injection_timing, ldapi, sqli_blind_timing, response_splitting, xpath, xss_path, path_traversal, unvalidated_redirect, os_cmd_injection_timing, xss_event, directory_listing, webdav, backdoors, ssn, unencrypted_password_forms, captcha, emails, http_only_cookies, credit_card, private_ip, insecure_cookies, cvs_svn_users, html_objects, mixed_resource, backup_files, htaccess_limit, xst, http_put, interesting_responses, allowed_methods, common_files, common_directories

    [*] Cookies:
    [~]  PHPSESSID = 1a7c542e6f1c81925930498aa38f9264

    [~] ===========================

    [+] 0 issues were detected.

    [+] Plugin data:
    [~] ---------------

    [~] -0.0% [=> ] 100%
    [~] Est. remaining time: --:--:--

    [~] Crawling, discovered 0 pages and counting.

    [~] Sent 1 requests.
    [~] Received and analyzed 1 responses.
    [~] In 00:00:01
    [~] Average: 0 requests/second.

    [~] Burst response time total 0
    [~] Burst response count total 0
    [~] Burst average response time 0
    [~] Burst average 0 requests/second
    [~] Timed-out requests 0
    [~] Original max concurrency 20
    [~] Throttled max concurrency 20

    3. CLI with arachni_rpcd running and the signout link excluded also failed. Output is like:

    [~] URL: http://crackme.cenzic.com/Kelev/php/accttransaction.php
    [~] User agent: Arachni/v0.4.1.2

    [*] Audited elements:
    [~]  * Links
    [~]  * Forms
    [~]  * Cookies

    [*] Modules: session_fixation, sqli_blind_rdiff, xss_uri, xss_tag, code_injection, trainer, xss_script_tag, rfi, sqli, xss, os_cmd_injection, csrf, code_injection_timing, ldapi, sqli_blind_timing, response_splitting, xpath, xss_path, path_traversal, unvalidated_redirect, os_cmd_injection_timing, xss_event, directory_listing, webdav, backdoors, ssn, unencrypted_password_forms, captcha, emails, http_only_cookies, credit_card, private_ip, insecure_cookies, cvs_svn_users, html_objects, mixed_resource, backup_files, htaccess_limit, xst, http_put, interesting_responses, allowed_methods, common_files, common_directories

    [*] Filters:
    [~]  Exclude:
    [~]   (?-mix:signout)

    [*] Cookies:
    [~]  PHPSESSID = 1a7c542e6f1c81925930498aa38f9264

    [~] ===========================

    [+] 0 issues were detected.

    [+] Plugin data:
    [~] ---------------

    [~] -0.0% [=> ] 100%
    [~] Est. remaining time: --:--:--

    [~] Crawling, discovered 0 pages and counting.

    [~] Sent 1 requests.
    [~] Received and analyzed 1 responses.
    [~] In 00:00:01
    [~] Average: 0 requests/second.

    [~] Burst response time total 0
    [~] Burst response count total 0
    [~] Burst average response time 0
    [~] Burst average 0 requests/second
    [~] Timed-out requests 0
    [~] Original max concurrency 20
    [~] Throttled max concurrency 20

    4. Passing cookies to arachni_rpcd failed. The output is just like above. The scan finished immediately after it started.

  8. Support Staff 6 Posted by Tasos Laskos on 06 Nov, 2012 05:53 PM

    OK, I've got just one more question for you and then I'll start digging: did you use a fresh cookie jar for each of these runs?

    Otherwise things went like this:

    1. The first run (without excluding the logout link) seems perfect but isn't really; it eventually logs itself out and invalidates the session, rendering the PHPSESSID invalid.
    2. You use the same (no longer valid) cookie jar and the subsequent runs fail.

    Right? Wrong?

  9. 7 Posted by Yanjin on 06 Nov, 2012 06:11 PM

    I did check the cookies each time before running. Yes, they're valid. As you may have noticed from the 4 experiments in my last post, the authenticated scan failed whenever arachni_rpcd was involved. I'm not sure whether it's arachni_rpcd's problem.
    Looking forward to good news.

    Best,
    Yanjin

  10. Support Staff 8 Posted by Tasos Laskos on 07 Nov, 2012 01:27 PM

    Ok then, looking into it now.

  11. 9 Posted by Yanjin on 07 Nov, 2012 03:29 PM

    Glad to hear that. I did more experiments yesterday. The CLI works well, so the problem really is that arachni_rpcd can't apply the cookies I provided. Aren't the CLI and arachni_rpcd using the same strategy to handle cookies? Why the difference?

    Thanks.

    Best,
    Yanjin

  12. Support Staff 10 Posted by Tasos Laskos on 07 Nov, 2012 03:35 PM

    Yes, this was an oversight on my part; you are 100% right, I do apologize.

    The difference is that the initialisation order is different when running over RPC: the cookie options were being set after the HTTP class had been configured, so it never had a chance to take them into account.

    I've fixed this and will push the updated code today after I'm done testing.
    I'll update this ticket when I do.

  13. 11 Posted by Yanjin on 07 Nov, 2012 04:14 PM

    That explains my question. Thank you very much for the rapid fix! So when you're done, please give me a link to the latest version so that I can try it out. Thanks again.

    Best,
    Yanjin

  14. Support Staff 12 Posted by Tasos Laskos on 07 Nov, 2012 07:22 PM

  15. Tasos Laskos closed this discussion on 07 Nov, 2012 07:22 PM.

  16. Yanjin re-opened this discussion on 07 Nov, 2012 10:15 PM

  17. 13 Posted by Yanjin on 07 Nov, 2012 10:15 PM

    Dear Tasos,

    The new version works perfectly! Really thank you for the quick reply and continuous effort.

    Best,
    Yanjin

  18. Support Staff 14 Posted by Tasos Laskos on 08 Nov, 2012 09:57 AM

    No problem, thanks for reporting it and for helping to narrow it down.

  19. Tasos Laskos closed this discussion on 08 Nov, 2012 09:57 AM.

  20. Yanjin re-opened this discussion on 16 Nov, 2012 06:54 PM

  21. 15 Posted by Yanjin on 16 Nov, 2012 06:54 PM

    Dear Tasos,

    Sorry to bother you again. The new version (under the GitHub experimental branch) works great. I would like to run it on a machine without a network connection. Does the newest nightly build (Nov 15) fix the arachni_rpcd cookie problem? Or are there other ways to install the fixed version without an internet connection?

    Thank you very much.

    Best,
    Yanjin

  22. Support Staff 16 Posted by Tasos Laskos on 16 Nov, 2012 06:56 PM

    Yep, grab one of the nightlies and you'll be fine.

  23. Tasos Laskos closed this discussion on 16 Nov, 2012 06:56 PM.

  24. Yanjin re-opened this discussion on 16 Nov, 2012 08:04 PM

  25. 17 Posted by Yanjin on 16 Nov, 2012 08:04 PM

    I tried the nightly build posted last night and got an exception:

    stats:
      requests: 1
      responses: 1
      time_out_count: 0
      time: "00:02:16"
      avg: 0
      sitemap_size: 0
      auditmap_size: 0
      progress: -0.0
      curr_res_time: 0
      curr_res_cnt: 0
      curr_avg: 0
      average_res_time: 0
      max_concurrency: 20
      current_page: ""
      eta: --:--:--
    status: crawling
    busy: true
    messages:
    - :error: "HTTP: /root/arachni-1.0dev/gems/gems/arachni-1.0dev/lib/arachni/http.rb:584:in `method_missing'"
    - :error: "HTTP: /root/arachni-1.0dev/gems/gems/arachni-1.0dev/lib/arachni/spider.rb:129:in `run'"
    - :error: "HTTP: /root/arachni-1.0dev/gems/gems/arachni-1.0dev/lib/arachni/framework.rb:626:in `audit'"
    - :error: "HTTP: /root/arachni-1.0dev/gems/gems/arachni-1.0dev/lib/arachni/framework.rb:188:in `block in run'"
    - :error: "HTTP: /root/arachni-1.0dev/gems/gems/arachni-1.0dev/lib/arachni/utilities.rb:276:in `call'"
    - :error: "HTTP: /root/arachni-1.0dev/gems/gems/arachni-1.0dev/lib/arachni/utilities.rb:276:in `exception_jail'"
    - :error: "HTTP: /root/arachni-1.0dev/gems/gems/arachni-1.0dev/lib/arachni/framework.rb:188:in `run'"
    - :error: "HTTP: /root/arachni-1.0dev/gems/gems/arachni-1.0dev/lib/arachni/rpc/server/framework.rb:268:in `block in run'"
    - :error: "HTTP: --------------------------------------------------------------------------------"
    issues: []

    instances:
    - requests: 1
      responses: 1
      time_out_count: 0
      time: "00:02:16"
      avg: 0
      sitemap_size: 0
      auditmap_size: 0
      progress: -0.0
      curr_res_time: 0
      curr_res_cnt: 0
      curr_avg: 0
      average_res_time: 0
      max_concurrency: 20
      current_page: ""
      eta: --:--:--
      url: 0.0.0.0:30523
      status: crawling


    Then Arachni got stuck at 0%. Also, the url is strange: 0.0.0.0:30523 is the address arachni_rpcd listens on. The correct URL I gave to Arachni is ignored.

    Do you know what might cause this problem?

  26. Support Staff 18 Posted by Tasos Laskos on 16 Nov, 2012 09:28 PM

    Could you give me the full backtrace? It's going to be in the console output.

  27. 19 Posted by Yanjin on 17 Nov, 2012 12:05 AM

    Well, I wonder whether this exception is because arachni_rpcd in the nightlies still has the cookie problem. I tried both the i386 and x86_64 versions of the nightly build (Nov 16) and got different results. It seems that the i386 version works, but I had no luck with x86_64.

    Is there any difference between these two versions? Are they built from the same source code? Thanks in advance.

    Best,
    Yanjin

  28. Support Staff 20 Posted by Tasos Laskos on 17 Nov, 2012 10:57 AM

    Hi, the code is the same.

    Can you reproduce this? I hope so because I can't do anything without the full backtrace -- which you'll find in the output of the arachni_rpcd process.

    I may have introduced a bug while resolving the cookie issue so this will help me fix it.

  29. 21 Posted by Yanjin on 17 Nov, 2012 07:29 PM

    Dear Tasos,

    The problem is solved. I installed the gem built from the experimental source code and it works fine. The nightly arachni command line also works. Does arachni_rpcd have a backtrace log?

    Best,
    Yanjin

  30. Support Staff 22 Posted by Tasos Laskos on 18 Nov, 2012 03:21 PM

    Check for an error.log file in the working dir.

  31. 23 Posted by Yanjin on 19 Nov, 2012 07:03 PM

    I attached error.log. It's probably because I used expired cookies to do the authentication.

    BTW, as to the report, is it possible for arachni_rpcd to return the report as a JSON-format string? If so, what should the RPC API call be instead of "instance.call( "framework.report" )"?

    Best,
    Yanjin

  32. Support Staff 24 Posted by Tasos Laskos on 19 Nov, 2012 07:10 PM

    Stupid bug; it was a namespace error: it used the default URI class (which is not that trustworthy) instead of mine. I've fixed it now.

    And yes, the call is:
    instance.call( 'framework.report_as', 'json' )

    It's sort of new so it's not documented that well.

    Re-open if you need further help.

  33. Tasos Laskos closed this discussion on 19 Nov, 2012 07:10 PM.
