Page 1 of 1

ASPXAUTH Authentication

Posted: Mon Nov 14, 2016 5:26 pm
by DaveClick
Does webinject work with ASP.NET Forms Authentication. Upon posting to the login page I do not receive a redirect. Does webinject v1.41 handle the .ASPXAUTH cookie?
I do receive and follow the original redirect in the forms authentication flow but upon posting the credentials I simply receive 200 and the login page, not a redirect.

Forms Authentication flow can be found in figure 1 of this reference:
https://msdn.microsoft.com/en-us/library/ff647070.aspx

Thanks, Dave

Re: ASPXAUTH Authentication

Posted: Mon Nov 14, 2016 5:47 pm
by rkennedy
Based on their documentation, I would imagine it's possible - this question may be better asked to them though. This part of the documentation refers to it - http://www.webinject.org/manual.html#sessstate

Code: Select all

Does WebInject support HTTP Authentication?
Yes. HTTP Basic Authentication is supported.

Can WebInject handle Cookies for state management between requests?
Yes. WebInject automatically handles HTTP Cookies for you. When a "Set-Cookie" is sent back in the HTTP header from the web server, the Cookie is stored and sent back with subsequent requests to the domain it was set from.

Can WebInject handle embedded Session ID's, .NET ViewStates, and other dynamic URL rewriting?
Yes. Cookieless session handling and state management is possible by parsing data from an HTTP response and storing it to be resent in subsequent requests. See the Manual section on "Session Handling and State Management" for information. 

Re: ASPXAUTH Authentication

Posted: Tue Nov 15, 2016 2:16 pm
by DaveClick
Thank you for your reply. I am aware of the information from the webinject manual you pointed out. Is there an example you can point be to for a testcase file that works with ASP.NET Forms Authentication?

Re: ASPXAUTH Authentication

Posted: Tue Nov 15, 2016 5:41 pm
by tmcdonald
This is a question that would be better asked of someone who actively maintains WebInject, as it is not our software. The plugin that is most often used with WebInject is basically just a wrapper around the core engine.

Unfortunately, the forums for WebInject look like they have not been in use for some time: https://groups.google.com/forum/#!forum/webinject

There is some information about the development on the webpage: http://www.webinject.org/dev.html