greenbone / gsa

Greenbone Security Assistant - The web frontend for the Greenbone Community Edition
GNU Affero General Public License v3.0

[8.0.0][7.0.3] gsad gvm_validate: failed to match token #1364

Closed kmahyyg closed 4 years ago

kmahyyg commented 5 years ago

Expected behavior

Using a clean install of OpenVAS 9 on Arch Linux, after login it should show the correct and full dashboard.

Actual behavior

After checking the user credentials, while trying to get the public web front-end resources, openvas_validate cannot validate the token because a null is passed. Log attached.

Web page notification: Cookie missing or bad.

I have ensured that my browser is configured properly.

Steps to reproduce

  1. Install openvas 9 according to Arch wiki
  2. Access it via webUI
  3. You'll get denied.

GVM versions

gsa:

Greenbone Security Assistant 7.0.3
Copyright (C) 2010-2016 Greenbone Networks GmbH
License GPLv2+: GNU GPL version 2 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

openvas-scanner:

OpenVAS Scanner 5.1.3
Most new code since 2005: (C) 2016 Greenbone Networks GmbH
Nessus origin: (C) 2004 Renaud Deraison <deraison@nessus.org>
License GPLv2: GNU GPL version 2
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Environment

Operating system: Linux archlinux 4.4.0-146-generic #172-Ubuntu SMP Wed Apr 3 09:00:08 UTC 2019 x86_64 GNU/Linux, a systemd-nspawn container inside Ubuntu 16.04.

Installation method / source: packages from the system built-in repo

Logfiles

Log Here: gsad.log

kmahyyg commented 5 years ago

Confirmed: the latest version, 8.0.0 from the GitHub release build, also has this problem.

Client: Arch Linux + Windows 8

Client Browser: Firefox + Chrome dev/stable + Chromium

Sample:

Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36

All can reproduce the problem.

bjoernricks commented 5 years ago

Hi,

For me it is impossible to reproduce your issue. I need step-by-step instructions on how to get a null token with GSA 8.

kmahyyg commented 5 years ago
  1. Following the readme in each repo, compile and install scanner, gsad, manager
  2. Deploy postgresql
  3. Use the default account and password, latest version of Google Chrome.

Log in (do not log out manually), wait for a moment, then log in again using the same browser. You cannot log in again.

kmahyyg commented 5 years ago

> Hi,
>
> For me it is impossible to reproduce your issue. I need step-by-step instructions on how to get a null token with GSA 8.

I hope you read the log file I attached; the same error occurs in GVM 8.

Just use grep -N NULL to filter the messages.

I deployed three VMs to check if it can be reproduced, and it can.

Or maybe another reason is that I use Docker or something like NAT? (Just a guess.)

bjoernricks commented 5 years ago

> Log in (do not log out manually), wait for a moment, then log in again using the same browser. You cannot log in again.

Sorry I am still not able to reproduce the behavior.

Works for me

kmahyyg commented 5 years ago

> > Log in (do not log out manually), wait for a moment, then log in again using the same browser. You cannot log in again.
>
> Sorry I am still not able to reproduce the behavior.
>
> • Login with username and password
> • Wait for some secs at the dashboards page
> • Open /login
> • Login with username and password
>
> Works for me

Browser version? I use the default config of Chrome 74 on Windows. Close the browser, wait much longer, or you can check the repo I attached above.

kmahyyg commented 5 years ago

I found some screenshots that may help (screenshots attached).

bjoernricks commented 5 years ago

Could you check if the token param is sent in the second request (the POST request)?

Every request needs to include the token as an HTTP param AND the GSAD_SID value in the Cookie header.
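A HAR check for exactly what is asked above, added here as an example (not code from the gsa project): it walks a HAR capture and reports, per request to gsad, whether the token parameter and the GSAD_SID cookie were present and unchanged since first seen, then isolates responses that were 401 although both were carried. The HAR excerpt, host name and token/session values are constructed for the demonstration.

```python
import json
from urllib.parse import urlparse, parse_qs

# Constructed HAR excerpt (not the captured-har.zip from this issue): a login
# POST that sets GSAD_SID, a GET carrying token + cookie that succeeds, and a
# POST carrying the same token + cookie that is still answered with 401.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "POST", "url": "http://gsa.example/gsad", "cookies": [],
                 "postData": {"params": [{"name": "cmd", "value": "login"}]}},
     "response": {"status": 200, "cookies": [{"name": "GSAD_SID", "value": "sid-A"}]}},
    {"request": {"method": "GET", "url": "http://gsa.example/gmp?cmd=get_settings&token=tok-A",
                 "cookies": [{"name": "GSAD_SID", "value": "sid-A"}]},
     "response": {"status": 200, "cookies": []}},
    {"request": {"method": "POST", "url": "http://gsa.example/gmp",
                 "cookies": [{"name": "GSAD_SID", "value": "sid-A"}],
                 "postData": {"params": [{"name": "cmd", "value": "get_settings"},
                                         {"name": "token", "value": "tok-A"}]}},
     "response": {"status": 401, "cookies": []}},
]}})

def check_gsad_har(har_text):
    """Return one finding per request: the cmd it carried, whether the token
    param and GSAD_SID cookie were present, whether either changed since the
    first request that carried it, and the HTTP status the server returned."""
    seen = {}          # first token / sid value observed, to spot drift
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        params = {k: v[-1] for k, v in parse_qs(urlparse(req["url"]).query).items()}
        # form-encoded POST bodies carry cmd/token in postData.params
        for p in req.get("postData", {}).get("params", []):
            params[p["name"]] = p["value"]
        cookies = {c["name"]: c["value"] for c in req.get("cookies", [])}
        finding = {"cmd": params.get("cmd"), "status": resp["status"],
                   "has_token": "token" in params, "has_sid": "GSAD_SID" in cookies}
        for key, value in (("token", params.get("token")), ("sid", cookies.get("GSAD_SID"))):
            if value is not None:
                finding[key + "_changed"] = seen.setdefault(key, value) != value
        findings.append(finding)
    return findings

def unexplained_401s(findings):
    """Requests rejected with 401 although token and cookie were present and
    unchanged: the case the reporter describes, which points at validation on
    the gsad side (the timezone suspicion raised later in this thread) rather
    than at the browser dropping a parameter."""
    return [f for f in findings if f["status"] == 401 and f["has_token"]
            and f["has_sid"] and not f.get("token_changed") and not f.get("sid_changed")]
```

Run it against a real capture by reading the HAR file into `check_gsad_har`; any entry returned by `unexplained_401s` is one where the browser did its part and the server-side check is what failed.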

kmahyyg commented 5 years ago

> Could you check if the token param is sent in the second request (the POST request)?
>
> Every request needs to include the token as an HTTP param AND the GSAD_SID value in the Cookie header.

Yes, the second request in the photo. The cookie is correct in the first response, and the token is passed to the server as a URL parameter. However, I don't know why the third request suddenly got a 401.

I tried other browsers like the latest Firefox ESR and Chrome 76.

kmahyyg commented 5 years ago

I was trying to use https://github.com/kmahyyg/gvm10-docker to deploy it as a Docker container.

This repo contains the code I use.

Also, there's a bug I fixed but have not pushed to this repo yet:

  • not initializing the pgsql DB correctly.

If you are free, you could check the code I use to deploy this instance.

bjoernricks commented 5 years ago

Please add a screenshot of the HTTP params of the POST request that returned the 401. I would like to see the token and cmd parameters.

kmahyyg commented 5 years ago

> Please add a screenshot of the HTTP params of the POST request that returned the 401. I would like to see the token and cmd parameters.

Just this one. All the information you wanted is here. This is the third request in the left list. The first request sends the login credentials, and then the following requests are sent automatically by your web UI.

bjoernricks commented 5 years ago

You are missing the Form Data section from your screenshots.

kmahyyg commented 5 years ago

I'll try it some days later. These days are really busy; closing now. Will reopen later.

kmahyyg commented 5 years ago

captured-har.zip

Check the HAR file above.


Form data attached here.

bjoernricks commented 5 years ago

I still can't reproduce your issue, nor can I find an issue in the code yet.

Could you apply https://github.com/greenbone/gsa/pull/1394 and add the following section to your etc/gvm/gsad_log.conf?

[gsad vali]
prepend=%t %s %p
separator=:
prepend_time_format=%Y-%m-%d %Hh%M.%S %Z
file=${GVM_LOG_DIR}/gsad.log
level=128

Afterwards there should be some output about the validation of the cookie in the gsad.log file.

bjoernricks commented 5 years ago

A wild guess for the root of this issue: it could be some problem with the timezone handling.

kmahyyg commented 5 years ago

Have you checked the HAR file I attached above? All the requests and responses are logged in the file.

I will modify the logging control file and try to give you a detailed log ASAP.

Timezones? Maybe... I will attach the timezone info.

kmahyyg commented 5 years ago

Should I use the master branch instead of release-8.0.0?

bjoernricks commented 5 years ago

The required patch is for the gsa-8.0 branch.

bjoernricks commented 5 years ago

> Have you checked the HAR file I attached above? All the requests and responses are logged in the file.

Yes but it doesn't show a cause for the issue. All requests seem to be fine, so gsad is doing something wrong.

bjoernricks commented 5 years ago

> Timezones? Maybe... I will attach the timezone info.

You could try to use UTC as your local timezone. If that fixes your problem it's definitely a timezone issue.

kmahyyg commented 5 years ago

> The required patch is for the gsa-8.0 branch.

Got it. I will NOT change to master.

kmahyyg commented 5 years ago

> > Timezones? Maybe... I will attach the timezone info.
>
> You could try to use UTC as your local timezone. If that fixes your problem it's definitely a timezone issue.

This is just a temporary solution (if it works). You should still make a patch.

bjoernricks commented 5 years ago

> This is just a temporary solution (if it works). You should still make a patch.

Of course! But it would help me to validate my impression.

kmahyyg commented 5 years ago

Wait, use UTC in the client browser or on the server?

bjoernricks commented 5 years ago

> Wait, use UTC in the client browser or on the server?

Both.

kmahyyg commented 5 years ago

Setting the client browser to UTC and then reverting it back to UTC+8 (I'm in UTC+8) worked.

Maybe caused by dual boot and improper timedatectl settings.

What I have done in Client:

$ sudo timedatectl set-timezone UTC
$ sudo timedatectl set-local-rtc 0
$ sudo hwclock -w

What I have done in Server:

nothing

I'll keep watching.

kmahyyg commented 5 years ago

The same thing happens again. After it worked, I just left the server here without any activity.

kmahyyg commented 5 years ago

Used https://github.com/greenbone/gsa/archive/v8.0.0.tar.gz to build 7 days ago; got a 401 at the same location (get_settings); tried changing the timezone, which did not work.

logs2.zip

HAR and logs captured using gvmd vali, level=128 attached here.