99 lines
3.2 KiB
Plaintext
99 lines
3.2 KiB
Plaintext
|
|
|
|
This document describes 3 different methods you can use to run
|
|
authenticated skipfish scans.
|
|
|
|
1) Form authentication
|
|
2) Cookie authentication
|
|
3) Basic HTTP authentication
|
|
|
|
|
|
|
|
-----------------------
|
|
1. Form authentication
|
|
----------------------
|
|
|
|
With form authentication, skipfish will submit credentials using the
|
|
given login form. The server is expected to reply with authenticated
|
|
cookies which will than be used during the rest of the scan.
|
|
|
|
An example to login using this feature:
|
|
|
|
$ ./skipfish --auth-form http://example.org/login \
|
|
--auth-user myuser \
|
|
--auth-pass mypass \
|
|
--auth-verify-url http://example.org/profile \
|
|
[...other options...]
|
|
|
|
This is how it works:
|
|
|
|
1. Upon start of the scan, the authentication form at /login will be
|
|
fetched by skipfish. We will try to complete the username and password
|
|
fields and submit the form.
|
|
|
|
2. Once a server response is obtained, skipfish will fetch the
|
|
verification URL twice: once with the new session cookies and once
|
|
without any cookies. Both responses are expected to be different.
|
|
|
|
3. During the scan, the verification URL will be used many times to
|
|
test whether we are authenticated. If at some point our session has
|
|
been terminated server-side, skipfish will re-authenticate using the
|
|
--auth-form (/login in our example) .
|
|
|
|
Verifying whether the session is still active requires a good verification
|
|
URL where an authenticated request is going to get a different response
|
|
than an anonymous request. For example a 'profile' or 'my account' page.
|
|
|
|
Troubleshooting:
|
|
----------------
|
|
|
|
1. Login field names not recognized
|
|
|
|
If the username and password form fields are not recognized, skipfish
|
|
will complain. In this case, you should specify the field names using
|
|
the --auth-user-field and --auth-pass-field flags.
|
|
|
|
2. The form is not submitted to the right location
|
|
|
|
If the login form doesn't specify an action="" location, skipfish
|
|
will submit the form's content to the form URL. This will fail in some
|
|
occasions. For example, when the login page uses Javascript to submit
|
|
the form to a different location.
|
|
|
|
Use the --auth-form-target flag to specify the URL where you want skipfish
|
|
to submit the form to.
|
|
|
|
3. Skipfish keeps getting logged out
|
|
|
|
Make sure you blacklist any URLs that will log you out. For example,
|
|
using the " -X /logout"
|
|
|
|
|
|
-------------------------
|
|
2. Cookie authentication
|
|
-------------------------
|
|
|
|
Alternatively, if the site relies on HTTP cookies you can also feed these
|
|
to skipfish manually. To do this log in using your browser or using a
|
|
simple curl script, and then provide skipfish with a session cookie:
|
|
|
|
$ ./skipfish -C name=val [...other options...]
|
|
|
|
Other session cookies may be passed the same way, one per each -C option.
|
|
|
|
The -N option, which causes new cookies to be rejected by skipfish,
|
|
is almost always a good choice when running cookie authenticated scans
|
|
(e.g. to avoid your precious cookies from being overwritten).
|
|
|
|
$ ./skipfish -N -C name=val [...other options...]
|
|
|
|
-----------------------------
|
|
3. Basic HTTP authentication
|
|
-----------------------------
|
|
|
|
For simple HTTP credentials, you can use the -A option to pass the
|
|
credentials.
|
|
|
|
$ ./skipfish -A user:pass [...other options...]
|
|
|