Mailing List Archive

HTTP authentication through login page
This is a quick & dirty patch.
http_login has 3 "Prefs":
- "Login form" is the name of the form that will be called (POST) to
authenticate
- "Login fields" is the data that will be posted. %USER% and %PASS% will
be replaced by the HTTP data from logins.nasl
- "Login page" is a page that will simply be read (GET) before the form
is called. Some systems (e.g. webmin) want to set a cookie first.
(we would not need this if we implemented a cookie jar)

The script extracts a cookie from the result of the POST and stores it
in the KB under /tmp/http/auth/<port> ; that's why I had to change
_http_req (and why this will NOT work with old Nessus servers,
unfortunately)
Setting http/auth is not a good idea:
- this creates a list and all scripts fork, once with Basic
authentication, then with the Cookie.
- if there are several servers on the machine, the Cookie will
definitely be different on each port, unless the authentication scheme
is really weak.

To be done:
- rewrite dependencies in most HTTP scripts so that they are run
after http_login.nasl
- this seems to work with webmin but probably needs to be adapted to
many other systems
- implement other schemes, e.g. NTLM auth?
- find & fix all the bugs & design flaws :-]
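
The flow described in the message above (fill the "Login fields" template, read the cookie from the POST response, keep it under a per-port key), as an added Python sketch that is not part of the original post or the NASL patch. The `KB` dict, the function names, the URL-encoding of credentials, the stored `Cookie:` format and the sample responses are all assumptions made for illustration.

```python
from urllib.parse import quote_plus

KB = {}  # stand-in for the scanner knowledge base (hypothetical)

def build_login_body(fields, user, password):
    """Fill a "Login fields" template; URL-encoding the values is an assumption."""
    return (fields.replace("%USER%", quote_plus(user))
                  .replace("%PASS%", quote_plus(password)))

def cookie_header(raw_response):
    """Join the name=value part of every Set-Cookie header, dropping attributes."""
    head = raw_response.split("\r\n\r\n", 1)[0]   # never read cookies from the body
    pairs = []
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            pair = value.split(";", 1)[0].strip()
            if "=" in pair:
                pairs.append(pair)
    return "; ".join(pairs)

def store_login(port, raw_response):
    """Save the session cookie under the per-port key; store nothing if none was set."""
    cookie = cookie_header(raw_response)
    if cookie:
        KB["/tmp/http/auth/%d" % port] = "Cookie: " + cookie  # stored format assumed
    return cookie

# Constructed responses to the login POST on three ports of one host.
RESP_10000 = ("HTTP/1.0 302 Moved Temporarily\r\n"
              "Set-Cookie: sid=aaa111; path=/; HttpOnly\r\nLocation: /\r\n\r\n")
RESP_8080 = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Set-Cookie: SESSION=bbb222; Path=/\r\nset-cookie: lang=en\r\n\r\n<html>")
RESP_8443 = ("HTTP/1.1 401 Unauthorized\r\nContent-Type: text/html\r\n\r\n"
             "Set-Cookie: not-a-header=1")

if __name__ == "__main__":
    print(build_login_body("user=%USER%&pass=%PASS%", "admin", "p&ss w=rd"))
    for port, resp in ((10000, RESP_10000), (8080, RESP_8080), (8443, RESP_8443)):
        store_login(port, resp)
    for key, value in sorted(KB.items()):
        print(key, "->", value)
```

Each port ends up with its own entry, and the failed login on the third port leaves no entry at all, so a later request to that port carries no stale cookie.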