king155 / skipfish

Automatically exported from code.google.com/p/skipfish
Apache License 2.0
0 stars 0 forks source link

Session and cookies has been delete and can't access to scan specific path/URL #124

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
When I specify web location to scan, such as 
'http://172.19.20.22/settingUserInformation/' and
I  specify system authentication using -A username:password, use -I to specific 
path and using -N option to prevent cookied deleted.
However, When skipfish run the scanner and then
access to first parent directory (http://172.19.20.22/). It's can access this 
parent path as normally. 
But when it send request to run next path location 
('http://172.19.20.22/settingUserInformation/'). 
Cookies has been deleted and Session logout from this site. (Session and 
cookies has encrypt)
Finally, the result of skipfish scan for the system is only access at root 
directory, 
but Access denied in specified path as following

Set-Cookie: CakeCookie[COOKIE_USER_HELP]=deleted
Set-Cookie: CakeCookie[COOKIE_USER_NAME]=deleted
Set-Cookie: CakeCookie[COOKIE_CLOSE_WINDOW]=deleted
Set-Cookie: CakeCookie[COOKIE_CRITERIA_ZONE]=deleted
Location: http://172.19.20.22/Authenticate/access_denied   <-- It's can't to 
access specified path

Please give advice to me

Original issue reported on code.google.com by wiriya...@gmail.com on 18 Jul 2011 at 9:14

Attachments:

GoogleCodeExporter commented 8 years ago
I'm sorry, I'm not sure I understand.

The -A option has nothing to do with cookies or form-based authentication. You 
can use -C to specify predefined cookies, instead. Do you see skipfish deleting 
-C cookies despite the use of -N?

With -I, skipfish will still access some directories outside the specified scan 
scope to, for example, examine 404 behaviors; but it will not perform extensive 
crawling / brute-forcing of such URLs. Are you seeing the scanner access 
something completely out of scope?

Original comment by lcam...@gmail.com on 18 Jul 2011 at 4:14

GoogleCodeExporter commented 8 years ago
In case of cookie and session has change value everytime when change URL and 
value has encryption. How to solve this problem to prevent cookie-session 
deleted. (can't use -C to specify predefined cookies).

Thank you in advance.

Original comment by wiriya...@gmail.com on 19 Jul 2011 at 6:41

GoogleCodeExporter commented 8 years ago
I really don't quite follow, but I suspect there is nothing I can do. If your 
web application uses a very unorthodox authentication model, and logs you out 
at the slightest whim, you probably won't be able to scan it easily with any 
automated tool.

Original comment by lcam...@gmail.com on 19 Jul 2011 at 7:11

GoogleCodeExporter commented 8 years ago
Thank you!!

Original comment by wiriya...@gmail.com on 22 Jul 2011 at 2:07