ksharinarayanan / SSRFire

An automated SSRF finder. Just give the domain name and your server and chill! ;) Also has options to find XSS and open redirects

Login to a website not working #14

Closed karkota closed 2 years ago

karkota commented 2 years ago

I tried to give the valid username and password as below for my website.

-c username=**;password=

But SSRFire is not able to log in and is just checking as an unauthenticated user.

Please let me know if I am doing anything wrong here.

ksharinarayanan commented 2 years ago

Hi,

I think you probably misunderstood the -c flag. It is for sending cookies with the request. It does not accept the username and password directly.

Rather, what you can do is, after logging into the website, intercept any request, copy the cookies, and pass them as an argument like -c "cookiesHere".

Hope it helps!
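An added example, not part of the thread or of SSRFire's own code: one way to take the Cookie header from a saved intercepted request and hand it to `-c` as a single quoted argument, since the value contains `;` and spaces. The helper names, the sample request, its host and its cookie values are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not SSRFire code): extract the Cookie header from a raw HTTP
# request saved from an intercepting proxy, then pass it to -c as ONE argument.

# Print the value of the Cookie header found in the request head in file $1.
cookie_from_request() {
    awk '
        { sub(/\r$/, "") }              # saved requests usually have CRLF line endings
        /^$/ { exit }                   # blank line ends the headers; never read the body
        tolower($0) ~ /^cookie:/ {      # header names are case-insensitive
            sub(/^[^:]*:[ \t]*/, "")    # drop the header name and leading whitespace
            print; exit
        }
    ' "$1"
}

# Report how many arguments a command would receive (shows the effect of quoting).
count_args() { echo "$#"; }

# Write a constructed sample request to file $1; all values are placeholders.
make_sample_request() {
    printf 'GET /account HTTP/1.1\r\nHost: app.example.test\r\ncookie: SESSION=abc123; theme=dark; lang=en\r\nAccept: */*\r\n\r\nbody: Cookie: ignored\r\n' > "$1"
}

req=$(mktemp)
make_sample_request "$req"
COOKIES=$(cookie_from_request "$req")
rm -f "$req"

echo "cookie value: $COOKIES"
echo "quoted:   $(count_args -c "$COOKIES") arguments"   # -c plus one cookie string
echo "unquoted: $(count_args -c $COOKIES) arguments"     # the shell splits on spaces

# The scan would then be started with the value quoted, for example:
#   ./ssrfire.sh -d <domain> -s <your-server> -c "$COOKIES"
```

Passing the literal word `cookies`, or an unquoted string containing `;`, does not deliver the session to the tool; the quoted variable does.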

karkota commented 2 years ago

Hi Hari,

Thanks for your reply. As you mentioned, I have tried the same, but I am still getting the same result: the tool is checking only the login URL; it's not going inside and crawling all the links.

My cookies look like this:


These are cookies generated during the active session, and we need everything to maintain the active session, and I have given the same as mentioned.

./ssrfire.sh -d https://apisandbox.zuora.com/apps/newlogin.do -s http://x75nde6ld44b9dvyn1flokhc73dt1i.oastify.com -c cookies

This is the command I am using to start the scan.

Can you please look into this.

Regards, Kartheek.


ksharinarayanan commented 2 years ago

Hi,

Unfortunately, since I do not have access to the apisandbox credentials, I won't be able to test it. To add to that, I am not actively involved in bug bounty. So, I think I won't be able to solve your issue. Maybe if I have some free time, I'll look into this later.