Login to a website not working
Closed this issue · 3 comments
karkota commented
I tried to give the valid username and password as below for my website.
-c username=**;password=
But SSRFire not able to login and just checking as unauthenticated user for done.
Please let me know if i am doing anything wrong here.
ksharinarayanan commented
Hi,
I think you probably misunderstood the -c flag. It is for sending cookies with the request. It does not accept the username and password directly.
Rather what you can do is, after logging into the website, intercept any request and copy the cookies and pass it as argument like -c "cookiesHere".
Hope it helps!
karkota commented
Hi Hari,
Thanks for your reply.
As mentioned by you I have tried the same but still I am getting the same,
the tool is checking only for login url, it's not going inside and crawling
all the links.
My cookies looks like this,
amplitude_id_75026068549b9aabfe51d20c859f8c36redact.com=eyJkZXZpY2VJZCI6IjE3ZDIwNDQ2LTFmMGYtNGQzYi1hYjdhLWFkZGM0YmE5NjcwNlIiLCJ1c2VySWQiOiJkZmU4MTY3ZGEwYzM0NjYyYjYxMDYyNWI3ZjBiMDc1NiIsIm9wdE91dCI6ZmFsc2UsInNlc3Npb25JZCI6MTY1NTIyODA4MzM4OSwibGFzdEV2ZW50VGltZSI6MTY1NTIyODA4MzM5MSwiZXZlbnRJZCI6MTEzOCwiaWRlbnRpZnlJZCI6MTgwNywic2VxdWVuY2VOdW1iZXIiOjI5NDV9;
_biz_uid=64e649265ff04507e8f4f1f230b63748; _biz_nA=40;
_biz_pendingA=%5B%5D;
__q_state_x71cZdTc7coTsVmc=eyJ1dWlkIjoiMTM0MDJmZGQtNWMwNi00ODFmLTliNTEtNzFhODgwZGZiMTMzIiwiY29va2llRG9tYWluIjoienVvcmEuY29tIiwibWVzc2VuZ2VyRXhwYW5kZWQiOmZhbHNlLCJwcm9tcHREaXNtaXNzZWQiOmZhbHNlLCJjb252ZXJzYXRpb25JZCI6Ijg5MDE1NDc3NDYwMDYwNjM3MSJ9;
_biz_flagsA=%7B%22Version%22%3A1%2C%22XDomain%22%3A%221%22%2C%22ViewThrough%22%3A%221%22%2C%22Mkto%22%3A%221%22%7D;
_ga=GA1.2.1911275049.1633014605;
_mkto_trk=id:602-QGZ-447&token:_mch-redact.com-1633014606360-70673;
_fbp=fb.1.1633014606582.160855026;
_ga_MY8CQ650DH=GS1.1.1655177180.20.0.1655177193.0;
_rtfl_s_unique_visitor_session=X29lSUN0UnlZRlprVTZBODljSUNyQzBfNDg0ZTEwNTZiNjJiYmYzZjhjNGNjMTM1MjRmOTQ0Y2I0YjgyY2I4YQ==;
amplitude_id_df990c09ea455f6305ea2391e1adcd5dredact.com=eyJkZXZpY2VJZCI6ImIxY2QxOWVmLTUyNmEtNDZiYy1hN2FjLWMyZGRjNWIzYzJkZFIiLCJ1c2VySWQiOiJiZmI4MjMwOGM4NDA0OTQ1YmQ1MWYxNjkzMmRkY2QzMCIsIm9wdE91dCI6ZmFsc2UsInNlc3Npb25JZCI6MTY1NDIzODI2Mjg1MCwibGFzdEV2ZW50VGltZSI6MTY1NDIzODI2Mjg1MiwiZXZlbnRJZCI6MjM1LCJpZGVudGlmeUlkIjozNzgsInNlcXVlbmNlTnVtYmVyIjo2MTN9;
_hjSessionUser_2195139=eyJpZCI6ImZlYWZjMGE4LTQwZTQtNTBhYy04NmI1LWNmNmU3ZDg5NDdlMyIsImNyZWF0ZWQiOjE2MzcyMzQxMDU2NzAsImV4aXN0aW5nIjp0cnVlfQ==;
amplitude_id_91bc0a89d52e79f0d21a9f9ab69d75e8redact.com=eyJkZXZpY2VJZCI6IjlkNTVkZTlhLTA0NmMtNDEwZC05MjE2LTk2ZDU4OWJkZWNkN1IiLCJ1c2VySWQiOiI4YWQwOTY1ZDdjYzI2NTk0MDE3Y2M2NzM5MWI1NjQxMSIsIm9wdE91dCI6ZmFsc2UsInNlc3Npb25JZCI6MTY1MjM3NjYxMjUzNCwibGFzdEV2ZW50VGltZSI6MTY1MjM3NzY4ODE3NiwiZXZlbnRJZCI6NDAsImlkZW50aWZ5SWQiOjAsInNlcXVlbmNlTnVtYmVyIjo0MH0=;
wovn_selected_lang=en; mop_ga=GA1.2.1911275049.1633014605;
wovn_uuid=xv597skkm;
_sp_id.74af=7e7660db-ed41-4877-a31c-77e587c33d88.1641834746.1.1641834746.1641834746.d78d58d7-75eb-47a2-976a-c8767a35c3fc;
mp_412f41b9a2f5b1a17e172e08ee7b3691_mixpanel=%7B%22distinct_id%22%3A%20%2217e44fa161128a-034fdc7497d1e08-45586b-1ea000-17e44fa1612b43%22%2C%22%24device_id%22%3A%20%2217e44fa161128a-034fdc7497d1e08-45586b-1ea000-17e44fa1612b43%22%2C%22Platform%22%3A%20%22Web-Attendee%22%2C%22Event%22%3A%20%22The%20Journey%20to%20Usership%E2%84%A2%3A%20A%20Day%20for%20redact%20Customers%22%2C%22EventID%22%3A%20338366%2C%22EventStatus%22%3A%20%22published%22%2C%22BizzaboID%22%3A%20%22NonUser%22%2C%22isBizzaboer%22%3A%20false%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%7D;
optimizelyEndUserId=oeu1643005977922r0.394686448875313;
fpestid=KqU5vuBeOctJ7cRrqkHv_YyiE1P_2a_LkHhgUyqC7bdNHTSQwHZ78XTNA1GW9yQpiSZlqw;
_fbc=fb.1.1643006227338.'IwAR3nBdL28-DQ7tdIsdzdgX8uxAWn38SHhboE_L_ybDey-VzTHMZpcxcCw_I;
amplitude_id_2c37b0cc38de9eb1e4f86f26e76371f5redact.com=eyJkZXZpY2VJZCI6ImRhMmYwY2ViLWZkMzctNGNmNy1iZTU3LTEyYzhmYjQ2MDA4NFIiLCJ1c2VySWQiOm51bGwsIm9wdE91dCI6ZmFsc2UsInNlc3Npb25JZCI6MTY0MzAwNzU4NjU3NCwibGFzdEV2ZW50VGltZSI6MTY0MzAwNzU4NjU3NCwiZXZlbnRJZCI6MSwiaWRlbnRpZnlJZCI6MCwic2VxdWVuY2VOdW1iZXIiOjF9;
_rtfl_s_600706_specific_site_session=X3dXSFluUll3ZHJKVU1mSGlab055c0xfN2ZkNThjYmU2ZTM3N2ZjNDRiMTllMmI1ZWRiMTBiMTg4YTcwYmNjOQ==;
_gcl_au=1.1.790022883.1649751638;
_ga_21NV2LS8PH=GS1.1.1649773649.2.0.1649773649.0;
amp_a3b0f0=4KG3QwwR7GW1Bf_9UsXaDS...1g4iqigsa.1g4iqj35k.4.4.8;
amplitude_id_70d702bf4714255a28aecca9bb0fc68credact.com=eyJkZXZpY2VJZCI6ImE5YzYxZjk1LTEzZjktNGUwOS04M2JlLTE0MzViOTAxODRmMVIiLCJ1c2VySWQiOiIxNDIwIiwib3B0T3V0IjpmYWxzZSwic2Vzc2lvbklkIjoxNjU0MTk0NjY3NTI3LCJsYXN0RXZlbnRUaW1lIjoxNjU0MTk0NjY4MjA0LCJldmVudElkIjoxMCwiaWRlbnRpZnlJZCI6Miwic2VxdWVuY2VOdW1iZXIiOjEyfQ==;
amplitude_id_1ef325fdfd9c3e9c8a5774bd3d63fe98redact.com=eyJkZXZpY2VJZCI6IjUwMDg5ZTllLWZlOGMtNDIyOS1hZmI0LWQyNjFlYTBkOTU0NFIiLCJ1c2VySWQiOiI4NzYyIiwib3B0T3V0IjpmYWxzZSwic2Vzc2lvbklkIjoxNjUyNDMxODQxMDA0LCJsYXN0RXZlbnRUaW1lIjoxNjUyNDMxODk0ODk4LCJldmVudElkIjowLCJpZGVudGlmeUlkIjowLCJzZXF1ZW5jZU51bWJlciI6MH0=;
__utma=261884166.1911275049.1633014605.1653925259.1653925259.1;
__utmz=261884166.1653925259.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
_gid=GA1.2.861250606.1655177181; notice_behavior=implied,us;
ZUNISESSION=MzE4NjlhN2EtYTkxOS00MGFhLTgyMDItOWUxNWE1MmY2ZjUw; ZAUTH=true
These are cookies generated during the active session and we need
everything to maintain the active session, and I have given the same as
mentioned.
./ssrfire.sh -d https://apisandbox.zuora.com/apps/newlogin.do -s
http://x75nde6ld44b9dvyn1flokhc73dt1i.oastify.com -c cookies
This is the command I am using to start scan.
Can you please look into this.
Regards,
Kartheek.
Message ID: ***@***.***>
…ksharinarayanan commented
Hi,
Unfortunately since I do not have access to the apisandbox credentials, I won't be able to test it. Further to add on to it, I am not actively involved in bug bounty. So, I think I won't be able to solve your issue. Maybe if I have some free time, I'll look into this later.