Closed GoogleCodeExporter closed 9 years ago
GoogleCodeExporter
commented
9 years ago Cheers, this is a bug that's caused by HTTP form auth. We'll try to get 2.10b
out within a week and it's got this bug fixed.Original comment by niels.he...@gmail.com on 30 Oct 2012 at 7:42
GoogleCodeExporter
commented
9 years ago Thanks will look forward to itOriginal comment by michael....@dianomi.com on 30 Oct 2012 at 10:05
GoogleCodeExporter
commented
9 years ago Hi, I have the same bug with Form authentication. Original comment by nikolay...@gmail.com on 1 Nov 2012 at 5:58
GoogleCodeExporter
commented
9 years ago Form authentication ? Have you tried debugging is with "skipfish -uv" to see
the reason for authentication failure (e.g. form fields are not found). Original comment by niels.he...@gmail.com on 2 Nov 2012 at 8:10
GoogleCodeExporter
commented
9 years ago Hi, here is log
*- Authentication starts
*-- Submitting authentication form
*-- Received form response
*- Unable to verify authentication using provided URL.
*- Authentication starts
[-] PROGRAM ABORT : Authentication failed (use -uv for more info)
Stop location : main(), src/skipfish.c:740
what the problem may it be? (sorry for my english)
my comand is: ./skipfish --auth-form http://domain.name/admin/login.php
--auth-user test --auth-pass test --auth-verify-url
http://domain.name/admin/action_list.php --auth-user-field login
--auth-pass-field psw -uv ....
Is the page ought to return error 403, when the user have no access?
There is a redirect to the login.php page, when a user have no access, but
there are not 403 error.Original comment by nikolay...@gmail.com on 5 Nov 2012 at 11:52
GoogleCodeExporter
commented
9 years ago Heya,
This is fixed in 2.10b which is now in SVN. Could you please test this ?
1) svn checkout http://skipfish.googlecode.com/svn/trunk/ skipfish-read-only
2) cd skipfish-read-only ; make; ./skipfish [....]
Cheers!
NielsOriginal comment by niels.he...@gmail.com on 23 Nov 2012 at 8:49
GoogleCodeExporter
commented
9 years ago tested, it worksOriginal comment by michael....@dianomi.com on 23 Nov 2012 at 9:42
GoogleCodeExporter
commented
9 years ago Thanks for the quick response! The form authentication and basic
authentication seemed to have broken each other in the 2.09b version. Glad to
hear it works now ! Do check out the option now for using a configuration file
which prevents you from typing huge command-lines (especially with
authentication).
Cheers,
Niels Original comment by niels.he...@gmail.com on 23 Nov 2012 at 10:16
GoogleCodeExporter
commented
9 years ago Hi, here my response:
skipfish web application scanner - version 2.10b
*- Authentication starts
*-- Authentication - auth_user field set (login)
*-- Authentication - auth_pass field set (psw)
*-- Submitting authentication form
*-- Received form response
*- Authenticated
*- Unable to verify authentication using provided URL.
*- Authentication starts
[-] PROGRAM ABORT : Authentication failed (use -uv for more info)
Stop location : main(), src/skipfish.c:714
I attached my config file.
What the reason of this problem could it be?Original comment by nikolay...@gmail.com on 12 Dec 2012 at 6:16
Attachments:
GoogleCodeExporter
commented
9 years ago
Are you sure the fields are correct and that the URL at --auth-verify-url gives
a response that is different when authenticated ? (e.g. maybe in both cases it
gives a redirect to the https:// location).
Last, you could check if we're submitting to the right location. When there is
no action="" in the form, we will submit to the form URL, which is
http://mysite.kz/login.php. You can specify an alternate URL for submitting the
credentials.
Hope this helps!
Niels
(ps, you can consider using a config and get rid of all those flags ;p)Original comment by niels.he...@gmail.com on 12 Dec 2012 at 3:39
Original issue reported on code.google.com by
michael....@dianomi.comon 25 Oct 2012 at 5:05