Provide Additional Documentation When Dealing With Authentication Request
Hello,
I do not like being the Noob; however, from scanning some of the forums, I do not think I am the only one who is having problems understanding how to use Arachni when scanning web apps that require authentication. I think this tool has a lot of potential and is definitely well received, from what I can tell, within the security community, but I have spent the majority of a week trying to understand how to use this tool on authenticated sites and so far I am not having a lot of good luck.
Perhaps it is possible to give step-by-step examples when using this with authenticated sites, or post a couple of video tutorials or something like this? I feel personally there is something simple I am not understanding, and I think it would help me out a lot if I could follow along and re-duplicate what someone has already done, and I am betting I am not the only person who would benefit from this. This is just my opinion.
R
Joe
Support Staff 1 Posted by Tasos Laskos on 04 May, 2018 08:38 AM
Thing is that there's not more documentation to provide; once you're in a login script, you just use the Watir API to control the PhantomJS browser and interact with the webapp.
There could be bugs in Arachni if the script doesn't work or in Watir or maybe PhantomJS doesn't support the webapp for some reason (it's getting old, the new engine will have modern browsers), but there's really not much to document from my side.
To verify that your script is correct you can run it as a regular Ruby script that uses Watir and PhantomJS, completely outside Arachni; if it works, then the issue is with Arachni, if not then I can't do much about it.
Now, if you're unfamiliar with Ruby or Watir, then that's way outside the scope of Arachni's documentation; you can educate yourself on those subjects as would anyone else that would like to use those tools.
Although, I guess I could add what I just wrote to the documentation to make things absolutely clear from the start, other than that though I don't see what else I can do.
Maybe also add a login script validation plugin that runs everything outside Arachni to make it easier to pinpoint where the issue lies?
Thoughts?
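
A standalone check of the kind described in the reply above, as an added example that is not part of the original thread and is not Arachni's own code: the login steps live in one method that takes a Watir browser, so the same steps can be run outside Arachni first. The field names, the submit button, the `LOGIN_URL`/`LOGIN_USER`/`LOGIN_PASS` environment variables and the `Sign out` pattern are assumptions to replace with your application's values, and the installed Watir version is assumed to still support PhantomJS.

```ruby
# Added example: validate login steps outside Arachni.
# All field names, env vars and the logged-in pattern are placeholders.

# The steps you would later place in the Arachni login script.
# `browser` is a Watir::Browser (or anything that answers the same calls).
def perform_login(browser, url, username, password)
  browser.goto url
  browser.text_field(name: 'username').set username
  browser.text_field(name: 'password').set password
  browser.button(type: 'submit').click
end

# True when the page text after login contains the session marker.
def logged_in?(browser, pattern)
  pattern.match?(browser.text)
end

# Runs the steps and reports the outcome instead of raising, so a failure
# in the steps themselves is visible before the script goes into a scan.
def validate_login(browser, url, username, password, pattern)
  perform_login(browser, url, username, password)
  { url: browser.url, logged_in: logged_in?(browser, pattern) }
rescue StandardError => e
  # e.g. element not found or page not rendered by the browser engine
  { url: nil, logged_in: false, error: "#{e.class}: #{e.message}" }
end

# Only drives a real browser when LOGIN_URL is set, e.g.
#   LOGIN_URL=... LOGIN_USER=... LOGIN_PASS=... ruby check_login.rb
if ENV['LOGIN_URL']
  require 'watir'
  browser = Watir::Browser.new(:phantomjs)
  begin
    result = validate_login(browser, ENV['LOGIN_URL'], ENV['LOGIN_USER'],
                            ENV['LOGIN_PASS'], /Sign out/i)
    puts result
    exit(result[:logged_in] ? 0 : 1)
  ensure
    browser.close
  end
end
```

If this reports `logged_in: false` or an `error`, the problem is in the steps, Watir or PhantomJS; if it succeeds but the scan still runs unauthenticated, the problem is on the Arachni side.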