Get "Invalid Signup Information" when trying to sign up
Closed this issue · 21 comments
Hi there,
Many thanks for this great tool and for open-sourcing it. I'm having some issues with setting it up. The web service starts without any problems and I get a nicely working version of xsshunter. However, when I try to sign up I get "Invalid Signup Information" in the registration screen. I tried a couple of different variations but all give the same problem.
I've tried searching for error logs but there do not seem to be any (api/logs is empty); also, if I run guiserver.py manually it does not echo any errors.
Anything I can do to debug further?
Hey @rogierg can you provide the information you used when you signed up? This would be helpful for attempting to reproduce this on my end. Thanks.
@mandatoryprogrammer: basically anything I enter gives the same error. Different usernames, e-mail addresses, password lengths, anything. :-(
Is there a flag or configuration option I can set to get logging information? I tried setting logging.basicConfig(filename="logs/detailed.log",level=logging.INFO) in apiserver.py but still access.log and detailed.log are empty.
I rebuilt everything on Ubuntu 16.04.1 (I was using a Docker container before), same error...
How bizarre - have you tried providing a Full Name?
I also have this problem... I've tried various entries for each input box...
I experienced the same issue when I was trying to sign up via the internal host IP over port 1234. Everything worked after I visited the domain I set in generate_config.py over 443. Not sure if that will help, just throwing it out there.
I'll try to set this thing up from scratch and see if I can reproduce.
Does port 1234 affect the signup process somehow?
[error] 10244#0: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 1.2.3.4, server: www.example.com, request: "GET / HTTP/1.1", upstream: "http://127.0.0.1:1234/", host: "www.example.com"
It's open and listening:
tcp 0 0 :1234 *: LISTEN 20793/python
Sorry I haven't had time to set up a test instance yet but are all of you using HTTPS with valid certificates/domains? Excerpts from configs would be useful I think.
I'm using self-signed certificates; below are the nginx config files:
/etc/nginx/sites-available/default
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name myexternaliphere;
    return 302 https://$server_name$request_uri;
}
server {
    # SSL configuration
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
}
/etc/nginx/nginx.conf
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
    worker_connections 768;
    # multi_accept on;
}
http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
@Dabuek are you using the nginx config created by generate_config.py? That config doesn't look like it'll work (I don't see a reverse proxy for the API and GUI?).
Additionally are all of you following the guide here: https://thehackerblog.com/xss-hunter-is-now-open-source-heres-how-to-set-it-up/ ?
Sorry, my mistake. I was doing troubleshooting. I had tried the original default which was output from generate_config.py but no joy. This is the default file which it produces.
server {
    # Redirect HTTP to www
    listen 80;
    server_name example.com;
    location / {
        rewrite ^/(.*)$ https://www.example.com/$1 permanent;
    }
}
server {
    # Redirect payloads to HTTPS
    listen 80;
    server_name *.example.com;
    proxy_set_header X-Forwarded-For $remote_addr;
    return 307 https://$host$request_uri;
    client_max_body_size 500M; # In case we have an extra large payload capture
}
server {
    # Redirect HTTPS to www
    listen 443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/example.com.crt; # Wildcard SSL certificate
    ssl_certificate_key /etc/nginx/ssl/example.com.key; # Wildcard SSL certificate key
    server_name example.com;
    location / {
        rewrite ^/(.*)$ https://www.example.com/$1 permanent;
    }
}
server {
    # API proxy
    listen 443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/example.com.crt; # Wildcard SSL certificate
    ssl_certificate_key /etc/nginx/ssl/example.com.key; # Wildcard SSL certificate key
    server_name *.example.com;
    access_log /var/log/nginx/example.com.vhost.access.log;
    error_log /var/log/nginx/example.com.vhost.error.log;
    client_max_body_size 500M;
    location / {
        proxy_pass http://localhost:8888;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
server {
    # Redirect api to HTTPS
    listen 80;
    server_name api.example.com; # Subdomain for API server
    proxy_set_header X-Forwarded-For $remote_addr;
    return 307 https://api.example.com$request_uri;
    client_max_body_size 500M; # In case we have an extra large payload capture
}
server {
    # Redirect www to HTTPS
    listen 80;
    server_name www.example.com;
    location / {
        rewrite ^/(.*)$ https://www.example.com/$1 permanent;
    }
}
server {
    # GUI proxy
    listen 443;
    server_name www.example.com;
    client_max_body_size 500M;
    ssl on;
    ssl_certificate /etc/nginx/ssl/example.com.crt; # Wildcard SSL certificate
    ssl_certificate_key /etc/nginx/ssl/example.com.key; # Wildcard SSL certificate key
    location / {
        proxy_pass http://localhost:1234;
        proxy_set_header Host $host;
    }
}
Also - Yes I have been following the linked guide from thehackerblog.com
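The maintainer's question above (does the nginx config actually reverse-proxy the API and GUI?) can be checked mechanically. The following is an added example, not code from XSS Hunter or from anyone in this thread: it walks the top-level server blocks of an nginx config and reports whether the wildcard vhost is proxied to the API server on 8888 and www to the GUI server on 1234, as in the generate_config.py output quoted above. The embedded config is a constructed sample; a real run would read the file from /etc/nginx/sites-enabled/.

```python
import re

# Constructed sample modelled on the generate_config.py output quoted in this thread
# (only the two proxy blocks; the HTTP->HTTPS redirect blocks are left out).
SAMPLE_CONF = """
server {
    server_name *.example.com;
    location / { proxy_pass http://localhost:8888; }
}
server {
    server_name www.example.com;
    location / { proxy_pass http://localhost:1234; }
}
"""

def server_blocks(conf):
    """Yield each top-level 'server { ... }' block, tracking brace depth so nested
    'location { }' blocks stay inside their parent."""
    depth, start = 0, None
    for i, ch in enumerate(conf):
        if ch == "{":
            if depth == 0:
                start = conf.rfind("server", 0, i)
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and start is not None:
                yield conf[start:i + 1]
                start = None

def proxy_ports(conf):
    """Map each server_name to the set of upstream ports its block proxy_passes to."""
    ports = {}
    for block in server_blocks(conf):
        names = re.search(r"server_name\s+([^;]+);", block)
        upstreams = re.findall(r"proxy_pass\s+https?://[^:;/]+:(\d+)", block)
        for name in (names.group(1).split() if names else []):
            ports.setdefault(name, set()).update(int(p) for p in upstreams)
    return ports

def check_xsshunter(conf, domain):
    """XSS Hunter needs the wildcard vhost (api.<domain> and payload hosts) proxied to
    the API server on 8888 and www.<domain> proxied to the GUI server on 1234."""
    ports = proxy_ports(conf)
    return {"api_proxy": 8888 in ports.get("*." + domain, set()),
            "gui_proxy": 1234 in ports.get("www." + domain, set())}
```

A stock Debian default site like the one posted earlier in the thread yields False for both keys, because it only serves files from /var/www/html and never proxies anything.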
I have the same problem too. Followed the instructions in the guide precisely.
This may sound weird, but I've tried to signup via Firefox/Burp and everything went well.
Sounds like it is an SSL issue then? I'm not able to reproduce this on my end. Have you tried visiting the API server directly and seeing if you get an SSL error?
I too have a self signed cert, but I don't think that's the issue.
I get a 404 not found when I try to access /api or /api/register, no matter if it's a GET or a POST request.
I see these errors in the shell where ./guiserver.py runs.
./apiserver.py gives me no feedback.
Plus, api.mydomain.com url gives me another 404, resource not found.
Sorry about the late response. The issue was that I was using a self-signed certificate.
Guys, I'm having the same error here, and I'm using a Let's Encrypt free trusted cert.
Any hints on what might be the problem?
Got the same "Invalid Signup Information" right after install. According to Burp, the sign-up procedure sent a bunch of requests to https://api.domain.com; after I added the "api." subdomain to my DNS, all went smoothly.
Where did you add it? Only at the registrar, or in a file too?