Form Authentication Bug
GoogleCodeExporter opened this issue
Skipfish will attempt to submit forms for authentication. However, there is no
way to specify exactly which fields should be sent during form submission. As
such, Skipfish will submit all fields, potentially causing authentication
failures.
Additionally, it will try to populate fields automagically with what appear to
be default static values even though user/password combinations are explicitly
set in the config. Because these values are explicitly set in the config, the
expected behavior is one that would not auto-populate fields.
Example (broken apart for readability and slightly modified for
confidentiality):
These are the form fields submitted via a browser:
master%24txtLoginEmailAddress_Header=&
master%24txtLoginPassword_Header=&
master%24masterContent%24txtLoginEmailAddress=test@test.com&
master%24masterContent%24txtLoginPassword=testpassword
How Skipfish is submitting them:
master%24txtLoginEmailAddress_Header=skipfish@example.com&
master%24txtLoginPassword_Header=skipfish&
master%24chkRememberLogin_Header=on&
master%24btnLogin_Header=skipfish&
master%24masterContent%24txtLoginEmailAddress=test@test.com&
master%24masterContent%24txtLoginPassword=testpassword&
master%24masterContent%24btnLogin=skipfish&
master%24masterContent%24chkRememberLogin=on
It would be nice if there was a way to specify exactly which fields should be
submitted and if they should use a config/commandline provided value or the
default value sent by the application for cases such as ViewState.
Original issue reported on code.google.com by lafk...@gmail.com on 22 Mar 2013 at 6:03
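The mismatch the report shows comes down to two submission strategies: fill every input that looks like a login field, or send only the fields the operator names plus the application's own values for hidden state. The script below is an added example, not skipfish's code or the reporter's: it mocks both strategies against a constructed ASP.NET-style page in which a header login widget and the main login form share one <form>. The field names are taken from the report; the /Login.aspx action, the __VIEWSTATE value, the "Log in" button labels and the AUTO_DEFAULTS table of static filler values are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed login page, NOT the reporter's real site: an ASP.NET-style
# page where a header login widget and the main login form share one <form>,
# plus a hidden state field that has to be echoed back unchanged.
LOGIN_PAGE = """
<form method="post" action="/Login.aspx">
  <input type="hidden" name="__VIEWSTATE" value="dDwtMTI3NDkz">
  <input type="text" name="master$txtLoginEmailAddress_Header">
  <input type="password" name="master$txtLoginPassword_Header">
  <input type="checkbox" name="master$chkRememberLogin_Header">
  <input type="submit" name="master$btnLogin_Header" value="Log in">
  <input type="text" name="master$masterContent$txtLoginEmailAddress">
  <input type="password" name="master$masterContent$txtLoginPassword">
  <input type="checkbox" name="master$masterContent$chkRememberLogin">
  <input type="submit" name="master$masterContent$btnLogin" value="Log in">
</form>
"""

# Hypothetical static defaults a naive auto-filler uses for fields it was
# not told about; chosen to match the values seen in the report.
AUTO_DEFAULTS = {
    "text": "skipfish@example.com",
    "password": "skipfish",
    "checkbox": "on",
    "submit": "skipfish",
}

# The two fields the operator actually wants the credentials in.
USER_FIELD = "master$masterContent$txtLoginEmailAddress"
PASS_FIELD = "master$masterContent$txtLoginPassword"


class InputCollector(HTMLParser):
    """Collect (name, type, default value) for every named <input>."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("name"):
            self.fields.append(
                (a["name"], (a.get("type") or "text").lower(), a.get("value") or "")
            )


def parse_fields(html):
    p = InputCollector()
    p.feed(html)
    return p.fields


def autofill_body(fields, user, password, user_field=USER_FIELD, pass_field=PASS_FIELD):
    """Mock of the behaviour in the report: the configured credentials land in
    the named fields, but every other input is populated as well, so the
    header widget's fields, which the browser sends empty, go out filled."""
    body = {}
    for name, typ, default in fields:
        if name == user_field:
            body[name] = user
        elif name == pass_field:
            body[name] = password
        elif typ == "hidden":
            body[name] = default
        else:
            body[name] = AUTO_DEFAULTS.get(typ, "")
    return body


def explicit_body(fields, user, password, user_field=USER_FIELD, pass_field=PASS_FIELD, keep=()):
    """What the reporter asks for: send the two named credential fields, echo
    the application's own value for hidden state (ViewState and friends) and
    for any field listed in `keep`, and drop everything else."""
    body = {}
    for name, typ, default in fields:
        if name == user_field:
            body[name] = user
        elif name == pass_field:
            body[name] = password
        elif typ == "hidden" or name in keep:
            body[name] = default
    return body


def encode(body):
    """application/x-www-form-urlencoded; '$' becomes %24 as in the report."""
    return urlencode(body)


if __name__ == "__main__":
    fields = parse_fields(LOGIN_PAGE)
    print("auto-filled:", encode(autofill_body(fields, "test@test.com", "testpassword")))
    print("explicit:   ", encode(explicit_body(fields, "test@test.com", "testpassword")))
```

Running it prints the two bodies side by side: the auto-filled one carries values in both the header and main-content fields, which is the shape the report shows, while the explicit one contains only the two named credential fields and the untouched hidden state. Selecting the credential inputs by name is what field-name options such as skipfish's --auth-user-field and --auth-pass-field do; the `keep` argument models the reporter's further request to send selected fields with the application-supplied default.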
Hey, thanks for the report. You can actually specify the form field by using
the --auth-user-field and --auth-pass-field flags:
https://code.google.com/p/skipfish/wiki/Authentication#Login_field_names_not_recognized
Could you give this a try? If it doesn't work, please re-open the bug and
share the command line (or config) with credentials sanitized ;-)
Niels
Original comment by niels.he...@gmail.com on 27 Mar 2013 at 6:35
- Changed state: Invalid