infobyte / faraday

Open Source Vulnerability Management Platform
https://www.faradaysec.com
GNU General Public License v3.0

Error Logging into Web UI #388

Closed ghost closed 4 years ago

ghost commented 4 years ago


Issue Type

Can't login on WEB UI

Faraday version

Paste the output of the ./faraday.py --version command

Component Name

If you know where the problem lies, indicate it: WebGui

Steps to reproduce

I just did the normal installation from git:
1) git clone https://github.com/infobyte/faraday
2) sudo apt install postgresql
3) cd faraday
4) sudo python (version 3.7.5) setup.py build && sudo python setup.py install
5) check if postgres is running, and it is
6) sudo faraday-manage initdb
7) sudo faraday-server --bind_address 0.0.0.0
8) Went to the Web UI but got an error when logging in with faraday:generated_password

The server is running on Vagrant (latest) on latest version of virtualbox supported by vagrant.

I've tried many "fixes" without luck: an ssh local tunnel (ssh -L 5985:localhost:5985 vagrant@127.0.0.1 -p 2222), not a chance; reinstalling everything, not a chance; dropping and recreating the database, no luck; changing the faraday password with sudo faraday-manage change-password, no luck. I've also tried to drop the faraday db, recreate it, then run sudo faraday-manage create-tables and sudo faraday-manage create-superuser, but still no luck.

Expected results

To log into Web UI

Debugging tracebacks (current results)

No error in logs nor in debug



Configuration files

[faraday_server]
port = 5985
bind_address = 192.168.1.9
websocket_port = 9000
debug = false
secret_key = **********************************
agent_token = *********************************

[ssl]
port = 6985
certificate =
keyfile =

[dashboard]
show_vulns_by_price = false

[logger]
use_rfc5424_formatter = false

[storage]
path = /home/vagrant/.faraday/storage

[database]
connection_string = postgresql+psycopg2://faraday_postgresql:***********@localhost/faraday

Passwords are the generated ones.

Reports/Extra data

I attached faraday_support.zip. The errors in it are because I killed the faraday server with killall, because I didn't see it was open in another shell.

OS

Provide information on your operating system. Example:

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.4 LTS"

If you need other data/info, just ask!

Here is the file faraday_support:

faraday_support.zip

Cheers!

llazzaro commented 4 years ago

Hi,

On your logs I found the error:

sqlalchemy.exc.OperationalError: (psycopg2.OperationalError) FATAL:  password authentication failed for user "faraday_postgresql"
FATAL:  password authentication failed for user "faraday_postgresql"

It seems that your postgresql connection string is invalid. You will need to change the faraday_postgresql password and change it in the server.ini file. Remember that the valid server.ini file is located at the HOME path of the user who executes faraday-server (in your case root).

For changing the password, open the sql shell and execute:

ALTER USER faraday_postgresql WITH PASSWORD 'new_password';
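To make the two-step fix above concrete (rotate the role's password in PostgreSQL, then update connection_string in the server.ini that faraday-server actually reads), here is an added Python helper. It is not part of Faraday and was not posted in this thread; it assumes the [database]/connection_string layout shown in the issue. The SQL it produces is the ALTER USER statement above with single quotes doubled, and the new password is percent-encoded before it goes into the SQLAlchemy URL so that characters such as @, : or / cannot be mis-read as URL structure. The sample server.ini inside the script is constructed from the one pasted in the issue, with secrets replaced.

```python
import configparser
import io
import os
from urllib.parse import quote, urlsplit, urlunsplit

# Section and key names follow the server.ini pasted in this issue.
DB_SECTION = "database"
DB_KEY = "connection_string"

# Constructed sample, modelled on the issue's server.ini (secrets replaced).
SAMPLE_INI = """[faraday_server]
port = 5985
bind_address = 192.168.1.9

[database]
connection_string = postgresql+psycopg2://faraday_postgresql:old-secret@localhost/faraday
"""


def alter_user_sql(role, new_password):
    """Build the ALTER USER statement from the thread.

    Single quotes are doubled so the password is a valid SQL string literal.
    """
    escaped = new_password.replace("'", "''")
    return f"ALTER USER {role} WITH PASSWORD '{escaped}';"


def set_db_password(ini_text, new_password):
    """Return ini_text with the password in [database]/connection_string replaced.

    The user, host, port and database path are kept; only the password part of
    the URL changes, and it is percent-encoded (quote with safe='') so that
    '@', ':', '/' or '%' inside the password survive URL parsing.
    """
    # interpolation=None: percent-encoding produces '%' characters, which the
    # default "%(name)s" interpolation would reject when the value is set.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    url = urlsplit(cfg[DB_SECTION][DB_KEY])
    if url.username is None or url.hostname is None:
        raise ValueError("connection_string has no user@host part to update")
    netloc = f"{url.username}:{quote(new_password, safe='')}@{url.hostname}"
    if url.port is not None:
        netloc += f":{url.port}"
    cfg[DB_SECTION][DB_KEY] = urlunsplit(
        (url.scheme, netloc, url.path, url.query, url.fragment)
    )
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


def rewrite_server_ini(path, new_password):
    """Rewrite server.ini in place.

    The file holds the database password and secret_key, so it is forced to
    owner read/write only (0600) after the rewrite.
    """
    with open(path, encoding="utf-8") as fh:
        new_text = set_db_password(fh.read(), new_password)
    fd = os.open(path, os.O_WRONLY | os.O_TRUNC | os.O_CREAT, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    os.chmod(path, 0o600)


if __name__ == "__main__":
    # Demo on the constructed sample; use rewrite_server_ini(path, pw) on a real file.
    new_pw = "p@ss w0rd:1"
    print(alter_user_sql("faraday_postgresql", new_pw))
    print(set_db_password(SAMPLE_INI, new_pw))
```

Run the printed ALTER USER statement in the sql shell first, then rewrite the server.ini that belongs to the user running faraday-server (root's HOME in this thread), and restart the server so the new connection string is read.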
ghost commented 4 years ago

Hi again, actually I don't have anything under /root/. No .faraday/ directory.

But i'll try changing the password of faraday_postgresql and let you know. Thanks for now.

ghost commented 4 years ago

Hi, I'm here again. Even changing the password doesn't work. Also, if the password was wrong before, I couldn't have connected through sudo faraday-manage sql-shell the other times, right? I've tried to change the password to a simpler one, but got no luck. Any other ideas/advice?

llazzaro commented 4 years ago

Hi, If you can use sudo faraday-manage sql-shell then the connection to the database is correct.

Can you try to connect using curl to the api?

curl -s 'http://SERVER_IP:5985/_api/login' \
        -H 'Content-Type: application/json' \
        -H 'Accept: application/json, text/javascript, */*; q=0.01' \
        --data-binary '{"email":"faraday","password": "changeme"}'

Faraday login api should return more information on the error.

ghost commented 4 years ago

So, it seems that via the API it works, because in the response I get the auth token correctly, but in the web UI I still get the error. Curl response: {"meta":{"code":200},"response":{"user":{"authentication_token":"TOKEN","name":"my-email","username":"faraday"}}}

llazzaro commented 4 years ago

@h0nus that's great news. Could you try to log in to the webui using Chrome with the developer tools open? Can you send me a console tab screenshot after login?

ghost commented 4 years ago

So, there are errors that I noted by debugging with Fiddler4, but I just skipped them because I thought those were from the bad authentication. But here is the screen for you:


ghost commented 4 years ago

By looking at the errors it seems that the application doesn't set the header/session properly? I'm only guessing, not sure though.

llazzaro commented 4 years ago

Hi, 401 errors are ok, since the frontend uses the api to know if the user is already authenticated. Could you check in the network tab whether the login returned 200 OK? We are trying to reproduce the issue from our side.

Thanks!

dnadares commented 4 years ago

Hi h0nus, We tried to reproduce the issue and we found that Werkzeug could be the cause of this login problem. Please run the following command to fix the issue:

pip install Werkzeug==0.16.0

Thanks!

ghost commented 4 years ago

Hi, I've used Fiddler for a better view of the request and response, but still nothing. I've installed Werkzeug at the version you said, but still got errors. Here is the screen of the login. /_api/login gives a 302 as response, redirecting to /_api/session but without tokens or valid sessions.

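The contrast between what curl got earlier in the thread (200 with an authentication_token) and what the browser gets (302 from /_api/login to /_api/session with no session established) is the diagnostic signal here, and the 401 on /_api/session that the frontend triggers before login is expected. The script below is an added example, not part of Faraday and not posted in the thread: it sends the same JSON login request curl did, refuses to follow redirects so the raw status, Location and Set-Cookie headers stay visible, and classifies the outcome. The cookie name "session" (Flask's default) and the JSON layout are assumptions taken from the curl output above; the sample responses at the bottom are constructed so the classifier can be exercised offline.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Endpoint paths appear in the thread; the cookie name is an assumption
# (Flask's default session cookie is called "session").
LOGIN_PATH = "/_api/login"
SESSION_PATH = "/_api/session"
SESSION_COOKIE = "session"


def _header_values(headers, name):
    """All values of a header (case-insensitive) from a list of (name, value) pairs."""
    return [v for k, v in headers if k.lower() == name.lower()]


def diagnose_login(status, headers, body):
    """Classify a response to POST /_api/login.

    headers is a list of (name, value) pairs (Set-Cookie may repeat);
    body is bytes or str. Returns one of:
      "ok"                       200, token in JSON and a session cookie was set
      "token_without_session"    200 with token, but no session cookie (API works,
                                 a browser session will not persist)
      "redirect_with_session"    3xx to /_api/session and a session cookie was set
      "redirect_without_session" 3xx to /_api/session and no cookie, the symptom
                                 reported in this thread
      "bad_credentials"          401
      "unexpected"               anything else
    """
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    cookies = _header_values(headers, "Set-Cookie")
    has_session = any(c.split("=", 1)[0].strip() == SESSION_COOKIE for c in cookies)

    if status == 200:
        try:
            token = json.loads(body)["response"]["user"]["authentication_token"]
        except (ValueError, KeyError, TypeError):
            token = None
        if token and has_session:
            return "ok"
        if token:
            return "token_without_session"
        return "unexpected"
    if status in (301, 302, 303, 307, 308):
        location = _header_values(headers, "Location")
        if location and location[0].endswith(SESSION_PATH):
            return "redirect_with_session" if has_session else "redirect_without_session"
        return "unexpected"
    if status == 401:
        return "bad_credentials"
    return "unexpected"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_login(base_url, email, password, timeout=10):
    """POST the same JSON body the thread's curl command sends and classify the reply."""
    payload = json.dumps({"email": email, "password": password}).encode("utf-8")
    req = urllib.request.Request(
        urljoin(base_url, LOGIN_PATH),
        data=payload,
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return diagnose_login(resp.status, resp.headers.items(), resp.read())
    except urllib.error.HTTPError as err:
        # 3xx and 4xx both land here; headers and body are still available.
        return diagnose_login(err.code, err.headers.items(), err.read())


# Constructed sample responses (not captured from a real server).
TOKEN_BODY = (
    b'{"meta":{"code":200},"response":{"user":{"authentication_token":"TOKEN",'
    b'"name":"my-email","username":"faraday"}}}'
)
SAMPLES = {
    "curl_in_thread": (200, [("Content-Type", "application/json")], TOKEN_BODY),
    "browser_in_thread": (302, [("Location", "http://127.0.0.1:5985/_api/session")], b""),
    "healthy": (200, [("Set-Cookie", "session=abc; HttpOnly; Path=/")], TOKEN_BODY),
}

if __name__ == "__main__":
    for name, (status, headers, body) in SAMPLES.items():
        print(f"{name}: {diagnose_login(status, headers, body)}")
    # Against a live server: probe_login("http://SERVER_IP:5985", "faraday", "changeme")
```

A "redirect_without_session" result means the server accepted the POST but never issued a session cookie, which in this thread pointed at the Flask-Login/Werkzeug versions rather than at credentials or the database; "bad_credentials" sends you back to the password and connection_string checks earlier in the thread.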

dnadares commented 4 years ago

Hi h0nus,

We reproduced the issue and reinstalling flask-login might fix it. Please run:

pip install Flask-Login==0.4.1

Thanks again!

ghost commented 4 years ago

Hi, thanks! It finally works! I don't know what caused this, but I'm glad it's fixed now! Now I'll test the Netsparker plugin asap.