AutoLogin suggestions

rrich

24 Sep, 2013 03:44 PM

First of all, I want to say that I'm incredibly impressed with this project! I really like the overall architecture and can't believe it's (as far as I can tell) a one-man show. Fine work Tasos!

So, I'm tinkering with Arachni (1.0-dev) on a couple of web applications just to get a feel for it and ran into some problems with AutoLogin. I thought it was related to a CSRF token, but it turns out that it was simply due to both applications using an image for their login form. This caused the POST values that I was copying to have parameters like 'loginBtn.x=33&loginBtn.y=17', when Arachni was just looking for a single value of 'loginBtn'. Fortunately the application just throws these values away, so I just forced it in the AutoLogin config and it worked.

So I guess the suggestion would be to do one or more of the following:

a) allow people to identify the form by id or name and just force the values that they supply
b) spit out the expected params from forms listed on the screen when Arachni can't find any applicable ones

Related to the above, I wouldn't have known this if I hadn't seen a note from you in another post to try via the CLI as the Web UI (which is awesome) might be eating the error. It was (?) in this case. It might be cool to have a 'CLI generator' in the scan profile (if such a thing is possible). Love the CLI live update, too, btw.

Looking forward to tinkering more!

  1. Support Staff 1 Posted by Tasos Laskos on 24 Sep, 2013 04:01 PM

    Hi man, thanks for the kind words,

    When you're dealing with more complex login scenarios then it's better to use the proxy plugin or just script it yourself, like you did.

    Using the actual form inputs to identify it would be a safer bet as most forms have those but there are a lot without an id and name.

    I'd really like to look into that particular case though because I'm not sure I understand how it works. You can send me the details in private if you wish: tasos.laskos at gmail

    About having to use the CLI to confirm the configuration, that's my fault. For some reason the autologin plugin wasn't sending its errors to the error log; if it had, you'd have seen these errors via the WebUI.
    Also, it may be a good idea to update it to abort the scan if the login fails instead of just printing the error and letting the scan start.

    About exporting the WebUI profiles to a CLI config, you can do this as of a few days ago. You can export a Profile as YAML and then pass it to the CLI via the --load-profile option.

    Thanks for the feedback. :)

  2. Support Staff 2 Posted by Tasos Laskos on 24 Sep, 2013 04:33 PM

  3. 3 Posted by rrich on 24 Sep, 2013 05:35 PM

    That was fast! lol

    I will definitely be testing the proxy plugin as well. I did run into issues with it not being able to verify the login page for these same two applications after recording it (popup would appear, prompt for url and something else, and would indicate a failure in testing). I'm assuming it's related to the above and will tinker with it.

    Regarding the case I'm talking about, you can reproduce by simply adding an input of the form:

    <input type="image" src="/someimageornot.jpg" name="imageInput">

    When you click on the image (or broken image icon), you'll see two parameters in the subsequent request: imageInput.x=..&imageInput.y=.. where the values correlate to the x and y values of your mouse cursor when you clicked on the image.

    Here's a live example: http://www.w3schools.com/tags/tryit.asp?filename=tryhtml5_input_typ...

    Before I realized what AutoLogin was doing, I was just blindly pasting previous proxy-intercepted posts to the login form into the AutoLogin configuration. When AutoLogin saw these parameters, it tried to match them to the form in the HTML and couldn't find a home for the .x and .y variants.

    Hope that helps...thanks again!
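To make the mismatch concrete, here is an added example (not Arachni's own code) in Ruby, Arachni's language, that parses a constructed login form, parses a constructed proxy-captured POST body, and folds the browser-generated `name.x`/`name.y` coordinate parameters of an `<input type="image">` back onto the input's base name so they match the form definition; the form markup, the captured body and all helper names are assumptions made for this example.

```ruby
require 'cgi'

# Constructed sample login form with an image submit button (not from the thread).
LOGIN_FORM_HTML = <<~HTML
  <form id="login" action="/login" method="post">
    <input type="text" name="username">
    <input type="password" name="password">
    <input type="image" src="/login.png" name="loginBtn">
  </form>
HTML

# Constructed proxy-captured POST body: the browser sent loginBtn.x / loginBtn.y
# (click coordinates) instead of a plain loginBtn parameter.
CAPTURED_BODY = 'username=alice&password=s3cret&loginBtn.x=33&loginBtn.y=17'

# Map input name => input type using a simple regex over the markup
# (enough for the demonstration; a scanner would use a real HTML parser).
def form_inputs(html)
  html.scan(/<input\b([^>]*)>/i).each_with_object({}) do |(attrs), inputs|
    name = attrs[/\bname\s*=\s*["']([^"']+)["']/i, 1]
    next unless name
    inputs[name] = (attrs[/\btype\s*=\s*["']([^"']+)["']/i, 1] || 'text').downcase
  end
end

# Flatten a URL-encoded body into name => value (first value wins).
def parse_body(body)
  CGI.parse(body).transform_values(&:first)
end

# Fold N.x / N.y onto N for every <input type="image" name="N">; the coordinates
# carry no login meaning, so only the button name is kept. Other params pass through.
def normalise_params(params, inputs)
  image_names = inputs.select { |_, type| type == 'image' }.keys
  params.each_with_object({}) do |(key, value), out|
    base = key.sub(/\.(x|y)\z/, '')
    if base != key && image_names.include?(base)
      out[base] ||= ''
    else
      out[key] = value
    end
  end
end

# Captured parameters that have no matching input in the form: the check that
# fails for the raw body and passes once the coordinates are normalised.
def unmatched_params(params, inputs)
  params.keys - inputs.keys
end

def demo
  inputs = form_inputs(LOGIN_FORM_HTML)
  raw = parse_body(CAPTURED_BODY)
  { before: unmatched_params(raw, inputs),
    after: unmatched_params(normalise_params(raw, inputs), inputs) }
end
```

Calling `demo` returns the unmatched parameter names before normalisation (`loginBtn.x`, `loginBtn.y`) and an empty list afterwards, which is the difference between AutoLogin rejecting the pasted body and accepting it.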

  4. Support Staff 4 Posted by Tasos Laskos on 24 Sep, 2013 05:42 PM

    Ah, so it's using JS, yeah until v0.5 comes out there's nothing I can do about that.

    And even though the proxy will let you login and get a session, it won't be able to figure out how to re-login on its own if its session ends during the scan, which is the bit that failed while you were testing it.

  5. 5 Posted by rrich on 24 Sep, 2013 05:58 PM

    No javascript required or used in the apps I was testing. It's an image alternate to the standard 'submit' input type. I posted a sample here:

    http://jsbin.com/UYUkAHo/3/

    (http://jsbin.com/UYUkAHo/3/edit if you want to see the source first, the JS crud at the bottom of the raw view above isn't used)

  6. Support Staff 6 Posted by Tasos Laskos on 24 Sep, 2013 06:04 PM

    Huh, I didn't know the browser did that on its own. Anyhow, this will still have to wait 'til v0.5, where a real browser will be used for these things.

  7. 7 Posted by rrich on 24 Sep, 2013 06:10 PM

    Awesome! Sorry for dragging it out, it's just a wonky behavior from the browser and pretty obscure, so I figured I'd point it out...lol

    Thanks again!

  8. Support Staff 8 Posted by Tasos Laskos on 24 Sep, 2013 07:12 PM

    No no that's good. Now I know to add some browser tests for it in the v0.5 development branch.

    Thanks again for the feedback man.

  9. Tasos Laskos closed this discussion on 24 Sep, 2013 07:12 PM.
