
Authentication

matthewD-AVI edited this page Sep 6, 2018 · 4 revisions

Greybox Authentication

Currently, ADAPT is set up for only one type of authentication: the login responsibility is pushed to the user. The reason is that websites are too disparate for an effective generic login script. To enable greybox testing in ADAPT, the user must provide a Python script that returns the relevant header and cookie information that ADAPT uses.

Creating Authentication Script

Many websites require authentication before ADAPT can use its complete functionality. This requires writing a Python authentication script. To use an authentication file, the setting named "authmodule" in adapt.config, under [AUTH_OPTIONS], needs to be set to the relative path to the script.

The easiest way to create a script is to modify the existing example named login_format.py. The authentication script file must contain a function named "service_auth" that takes the username as its first parameter and the password as its second. The function must also return a Python dictionary with several different keys present. This is described in more detail in the header of login_format.py.

Before the script can be properly written, the authentication parameter names and values must first be found. The process for finding these values is described in detail in doc/login_cookie_information.md for the most popular browsers. The cookie information should also be noted, as it will be used as well. Once these values have been obtained, they can be put into the script. Inside login_format.py (note that the login module can be renamed), the payload variable should be modified so that it matches the format:

payload = {"name_of_parameter": value, "name_of_parameter2": value2}

The payload may contain as many parameters as necessary for authentication. The values passed as the function's username and password parameters are defined in adapt.config, under [AUTH_OPTIONS].

Then, the variable "login_url" must be changed to the URL that the login POST request is sent to, not the page that displays the login form. This URL is shown as the Request URL in the same place the parameters were found.

Next, the session needs to be maintained, which is most often done with cookies. To do this, the variable session_id may need to be modified. The most important part is to ensure that the correct cookie type is defined. This may take the form of PHPID, JSESSIONID, and several other formats. Whichever type the website uses, session_id needs to be modified such that the first parameter of re.match(…) is "<cookie_type>=(.*?);", where <cookie_type> is the cookie type, and the quotes are included. The same cookie type must be used in a later variable named cookie, where the name of the first parameter must also be changed to the correct cookie type.

The last if statement before the return statement checks whether the authentication was successful. This if statement should be changed to check, for the specific website, whether authentication succeeded or whether the site instead returned an error message.

Not all websites have a CSRF token, so follow the appropriate steps below depending on the website you are trying to access:

No CSRF token:

Place a number sign (#) directly before the variables user_token and payload["user_token"], as they are not required and will cause the script to crash.

Has CSRF token:

For the variable user_token, the value that currently contains {"name":"user_token"} must be changed so it follows the format {"name":""}, where is the name of the cookie, not the value of it. Similarly, for the variable payload["user_token"], the name must be changed to payload[""] as defined in the previous sentence.

Once these steps have been completed, run adapt.py. If authentication succeeds, the message "Authentication is available!" should appear during the authentication process; otherwise an error message will appear, indicating that something went wrong.
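The steps above for a site without a CSRF token, as an added sketch that is not ADAPT's login_format.py. It searches for the session cookie anywhere in the Set-Cookie data (with the name escaped and an optional trailing ";") instead of anchoring with re.match. Assumptions: LOGIN_URL, the form field names, FAILURE_MARKER, the returned key names "headers" and "cookies", the RuntimeError on failure and the optional post parameter are all hypothetical; the real return format is documented in the header of login_format.py.

```python
import re
import urllib.parse
import urllib.request

LOGIN_URL = "http://localhost:8080/login.php"  # placeholder: Request URL of the login POST
COOKIE_TYPE = "JSESSIONID"                     # session cookie name used by the target site
FAILURE_MARKER = "Login failed"                # constructed: text the site shows on a bad login


def http_post(url, payload):
    """POST form fields; return (list of Set-Cookie values, response body)."""
    data = urllib.parse.urlencode(payload).encode()
    # urlopen follows redirects, so only the final response's Set-Cookie headers are seen.
    with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or [], resp.read().decode(errors="replace")


def extract_session_id(set_cookie_values, cookie_type=COOKIE_TYPE):
    """Find '<cookie_type>=<value>' at the start of, or after ';' or ',' in, any value."""
    pattern = re.compile(r"(?:^|[;,]\s*)" + re.escape(cookie_type) + r"=([^;,\s]*)")
    for value in set_cookie_values:
        found = pattern.search(value)
        if found:
            return found.group(1)
    return None


def service_auth(username, password, post=http_post):
    """Log in and return header and cookie data for later authenticated requests."""
    payload = {"username": username, "password": password}  # use the site's own field names
    set_cookies, body = post(LOGIN_URL, payload)
    session_id = extract_session_id(set_cookies)
    # Site-specific success check: a session cookie was issued and no error text came back.
    if session_id is None or FAILURE_MARKER in body:
        raise RuntimeError("authentication failed: no session cookie or error page returned")
    cookie = {COOKIE_TYPE: session_id}
    # Assumed key names; the real ones are listed in the header of login_format.py.
    return {"headers": {"Cookie": f"{COOKIE_TYPE}={session_id}"}, "cookies": cookie}
```

The post parameter exists only so the function can be exercised without a live site; ADAPT would call service_auth with the username and password alone.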
