qasta / skipfish

Automatically exported from code.google.com/p/skipfish
Apache License 2.0
0 stars 0 forks source link

Form Authentication Bug #174

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Skipfish will attempt to submit forms for authentication. However, there is no 
way to specify exactly which fields should be sent during form submission. As 
such, Skipfish will submit all fields, potentially causing authentication 
failures.

Additionally, it will try to populate fields automagically with what appear to 
be default static values even though user/password combinations are explicitly 
set in the config. Because these values are explicitly set in the config the 
expected behavior is one that would not auto populate fields. 

Example: (Broken apart for readability and slightly modified for 
confidentiality): 

This is the form fields submitted via a browser: 

master%24txtLoginEmailAddress_Header=&
master%24txtLoginPassword_Header=&
master%24masterContent%24txtLoginEmailAddress=test@test.com&
master%24masterContent%24txtLoginPassword=testpassword

How Skipfish is submitting them:

master%24txtLoginEmailAddress_Header=skipfish@example.com&
master%24txtLoginPassword_Header=skipfish&
master%24chkRememberLogin_Header=on&
master%24btnLogin_Header=skipfish&
master%24masterContent%24txtLoginEmailAddress=test@test.com&
master%24masterContent%24txtLoginPassword=testpassword&
master%24masterContent%24btnLogin=skipfish&
master%24masterContent%24chkRememberLogin=on

It would be nice if there was a way to specify exactly which fields should be 
submitted and if they should use a config/commandline provided value or the 
default value sent by the application for cases such as ViewState. 

Original issue reported on code.google.com by lafk...@gmail.com on 22 Mar 2013 at 6:03

GoogleCodeExporter commented 9 years ago

Hey, thanks for the report.  You can actually specify the form field by using 
the --auth-user-field and --auth-pass-field flags:

https://code.google.com/p/skipfish/wiki/Authentication#Login_field_names_not_rec
ognized

Could you give this a try ?  If it doesn't work, please re-open the bug and 
share the command-line (or config) with credentials sanitized ;-)

Niels

Original comment by niels.he...@gmail.com on 27 Mar 2013 at 6:35