NXI 5.4.10: Webinject is 1.41 but current is 1.94

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
gormank
Posts: 1114
Joined: Tue Dec 02, 2014 12:00 pm

NXI 5.4.10: Webinject is 1.41 but current is 1.94

Post by gormank »

Hi,
It seems that the webinject page is the old 1.41 version but care and feeding of webinject is in CPAN/git now.

https://www.webinject.org/
https://github.com/sni/Webinject
https://metacpan.org/pod/Webinject

Should it be updated from CPAN? I did a yum list perl-webinject and got nothing.

I'm trying to log into web forms, authenticate, and then verify strings but the login always seems to fail. I've used numerous plugins from exchange, a script I wrote and finally webinject, which also fails to authenticate. I've also tried multiple different pages to test on.

I'm looking at page sources in an attempt to get the uname/passwd field names and populate them.
Here's the XML and command output. The strings seem fine based on those seen when there's a successful and failed login. Case 1 can probably be eliminated since it just shows the login page can be displayed.

Any suggestions?

Code: Select all

<testcasefile>login.prov.xml</testcasefile>

<useragent>WebInject Application Tester</useragent>
<timeout>10</timeout>
<globaltimeout>20</globaltimeout>

<comment>
<reporttype>nagios</reporttype>
</comment>
<reporttype>standard</reporttype>

Code: Select all

<testcases repeat="1">

<comment>case 2 should probably be case 1 and the get an additional check after logging in--had it worked</comment>

<case
    id="1"
    description1="Connecting to Satellite"
    method="get"
    url="https://solktxeshgw-v-pmeprov-01/users/login"
    parseresponse='mykey="|"'
    verifypositive="Welcome to Satellite"
    errormessage="Unable to connect to the Satellite login page"
/>

<case
    id="2"
    description1="Authentication on Satellite"
    method="post"
    url="https://solktxeshgw-v-pmeprov-01/users/login"
    postbody="login_login=nagiosadmin&login_password=5t6y%T^Ygrid&mykey={PARSEDRESULT}"
    verifynegative="Error: Incorrect username or password"
    errormessage="Unable to authenticate user in Satellite"
/>

</testcases>

Code: Select all

$ ./webinject.pl --config login.prov.global.xml

Starting WebInject Engine...

-------------------------------------------------------
Test:  login.prov.xml - 1
Connecting to Satellite
Verify : "Welcome to Satellite"
Passed Positive Verification
Passed HTTP Response Code Verification (not in error range)
TEST CASE PASSED
Response Time = 0.123 sec
-------------------------------------------------------
Use of uninitialized value in substitution (s///) at ./webinject.pl line 1148.
Test:  login.prov.xml - 2
Authentication on Satellite
Verify Negative: "Error: Incorrect username or password"
Passed Negative Verification
Failed HTTP Response Code Verification (HTTP/1.1 400 Bad Request)
TEST CASE FAILED : Unable to authenticate user in Satellite
Response Time = 0.025 sec
-------------------------------------------------------

Start Time: Wed Oct  3 21:36:48 2018
Total Run Time: 0.229 seconds

Test Cases Run: 2
Test Cases Passed: 1
Test Cases Failed: 1
Verifications Passed: 3
Verifications Failed: 1
tacolover101
Posts: 432
Joined: Mon Apr 10, 2017 11:55 am

Re: NXI 5.4.10: Webinject is 1.41 but current is 1.94

Post by tacolover101 »

hi gormank,

it looks like XI may be packaged with the previous version still, it'd make a great feature request to get this updated.

in the meantime, you should be able to download + update webinject yourself, and then reference the plugin to use your local copy vs. installed. then create and leverage /usr/local/nagios/libexec/webinject194.pl for example.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: NXI 5.4.10: Webinject is 1.41 but current is 1.94

Post by scottwilkerson »

I want to point out that while you have found a source of updated plugins, they are not from the original author and have not been tested.

https://www.webinject.org/ is the original and the download page has 1.41 and documentation for it, the others you listed have not been tested by nagios staff and may work but we cannot guarantee that.
Former Nagios employee
Creator:
Human Design Website
Get Your Human Design Chart
gormank
Posts: 1114
Joined: Tue Dec 02, 2014 12:00 pm

Re: NXI 5.4.10: Webinject is 1.41 but current is 1.94

Post by gormank »

Still hoping for suggestions as to how to make the login check work...
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: NXI 5.4.10: Webinject is 1.41 but current is 1.94

Post by scottwilkerson »

I'm not 100% sure your query is parsing the parseresponse for mykey correctly, usually they look something like this

Code: Select all

parseresponse='__VIEWSTATE" value="|"|escape'
This will grab whatever is between the left boundary (__VIEWSTATE" value=") and the right boundary (") and assign to the system variable named {PARSEDRESULT}. Since the 'escape' argument was used, it will also escape all of the non-alphanumeric characters with their url hex values (.NET requires this). (Notice I switched to using single quotes for the parameter value so it wouldn't get confused with the double quotes I was using in my boundaries.)
https://www.webinject.org/manual.html#sessid

Additionally, you may need to urlencode your password making it something like this

Code: Select all

5t6y%25T%5EYgrid
gormank
Posts: 1114
Joined: Tue Dec 02, 2014 12:00 pm

Re: NXI 5.4.10: Webinject is 1.41 but current is 1.94

Post by gormank »

Thanks for the suggestion tacolover101. I grabbed the newer version but as suggested didn't replace the original. It seems to handle things a bit better.
It took a bit of rereading that section of the documentation to get the parseresponse feature and usage...
Regardless of the version used my parseresponse isn't working. I tried escaping and not escaping but since the value isn't found I doubt it matters at the moment. Here's the form hidden input that should be sent back. The string changes each time the form is accessed.

Code: Select all

<input type="hidden" name="authenticity_token" value="t+7odfVovvE+GUA4teFAD1JfvGSzAwoKd3LAyvdfTBA6pevlViEqRpRo8lbzbaVTKAIRaqgQQKCVky/JqxJOaA==" />
I don't see anything wrong with the parseresponse definition:

Code: Select all

<case
    id="2"
    description1="Authentication on Satellite"
    logrequest="yes"
    logresponse="yes"
    method="post"
    url="https://solktxeshgw-v-pmeprov-01/users/login"
    postbody="login_login=admin&login_password=5t6y%2525T%255EYgrid&authenticity_token={PARSEDRESULT}"
    posttype="application/x-www-form-urlencoded"
    parseresponse='name="authenticity_token" value="|"'
    verifynegative="Error: Incorrect username or password"
    errormessage="Unable to authenticate user in Satellite"
/>
The uninitialized value seems to be the missing PARSEDRESULT. Output from webinject.pl

Code: Select all

Use of uninitialized value in substitution (s///) at ./webinject.pl line 1148.
Test:  login.prov.xml - 2
Authentication on Satellite
Verify Negative: "Error: Incorrect username or password"
Passed Negative Verification
Failed HTTP Response Code Verification (HTTP/1.1 500 Internal Server Error)
TEST CASE FAILED : Unable to authenticate user in Satellite
Here's the output from the newer version of the script. It states that the text wasn't found. Is my definition of the string somehow incorrect?

Code: Select all

Test: login.prov.xml - 2
Desc: Authentication on Satellite
POST Request: https://solktxeshgw-v-pmeprov-01/users/login
Failed HTTP Response Code Verification (HTTP/1.1 500 Internal Server Error)
Verify Negative: 'Error: Incorrect username or password'
Passed Negative Verification
Failed Parseresult, cannot find name="authenticity_token" value="(*)"
TEST CASE FAILED : Unable to authenticate user in Satellite
gormank
Posts: 1114
Joined: Tue Dec 02, 2014 12:00 pm

Re: NXI 5.4.10: Webinject is 1.41 but current is 1.94

Post by gormank »

I forgot to mention that the HTML response from the server says that the authenticity token is bad:

<strong>ERF42-4995 [Foreman::Exception]: Invalid authenticity token</strong><br>
gormank
Posts: 1114
Joined: Tue Dec 02, 2014 12:00 pm

Re: NXI 5.4.10: Webinject is 1.41 but current is 1.94

Post by gormank »

I see the issue now. I would need to be able to do a get to snag the authenticity_token string, store it and only then post my login info with the stored authenticity token. I think.
I tried doing this by moving the parseresponse line up to test 1 and using PARSEDRESULT but no luck. I think I'd need to write a script, or add features to webinject to save variables and use them in other test cases.
gormank
Posts: 1114
Joined: Tue Dec 02, 2014 12:00 pm

Re: NXI 5.4.10: Webinject is 1.41 but current is 1.94

Post by gormank »

Hi,
Sorry for that last nonsense post. I moved the parseresponse up and while it didn't work at first, apparently I tweaked something and now it grabs the string and puts it in PARSEDRESULT.
Of course now I get what I guess is a javascript error, but it's progress.

Code: Select all

<testcases repeat="1">
<case
    id="10"
    description1="Connecting to Satellite"
    method="get"
    url="https://solktxeshgw-v-pmeprov-01/users/login"
    parseresponse='name="authenticity_token" value="|"|escape'
    verifypositive="Welcome to Satellite"
    errormessage="Unable to connect to the Satellite login page"
/>

<case
    id="20"
    description1="Authentication on Satellite"
    logrequest="yes"
    logresponse="yes"
    method="post"
    url="https://solktxeshgw-v-pmeprov-01/users/login"
    postbody="login_login=admin&login_password=5t6y%25T%5EYgrid&authenticity_token={PARSEDRESULT}"
    posttype="application/x-www-form-urlencoded"
    verifynegative="Error: Incorrect username or password"
    errormessage="Unable to authenticate user in Satellite"
/>
</testcases>
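Added example, not from any poster in this thread and not Webinject's own code: a Python sketch of the two-step flow reached above (GET the login page, extract `authenticity_token` between a left and right boundary, then POST it), which also shows why the `escape` flag and single URL-encoding of the password matter. `parse_response` is a simplified, hypothetical emulation of `parseresponse` using plain substring search; the page fragment and token value are constructed.

```python
from urllib.parse import parse_qs, quote

# Constructed login page fragment; the token value is made up for this example.
LOGIN_PAGE = '<input type="hidden" name="authenticity_token" value="t+7o/Qx==" />'
PASSWORD = "5t6y%T^Ygrid"  # raw string as posted in the thread


def parse_response(body, spec):
    """Emulate parseresponse='LEFT|RIGHT[|escape]' on a response body.

    Returns the text between the boundaries (URL-escaped if requested),
    or None when a boundary is missing (the "Failed Parseresult" case).
    """
    left, right, *flags = spec.split("|")
    start = body.find(left)
    if start < 0:
        return None
    start += len(left)
    end = body.find(right, start)
    if end < 0:
        return None
    value = body[start:end]
    return quote(value, safe="") if "escape" in flags else value


def build_postbody(user, encoded_password, token):
    """Assemble the form body; password and token must already be URL-encoded."""
    return (f"login_login={quote(user, safe='')}"
            f"&login_password={encoded_password}"
            f"&authenticity_token={token}")


def server_view(postbody):
    """Decode the body the way a form-urlencoded parser on the server would."""
    return {k: v[0] for k, v in parse_qs(postbody).items()}


if __name__ == "__main__":
    spec = 'name="authenticity_token" value="|"'
    once = quote(PASSWORD, safe="")        # 5t6y%25T%5EYgrid
    twice = quote(once, safe="")           # 5t6y%2525T%255EYgrid
    good = build_postbody("admin", once, parse_response(LOGIN_PAGE, spec + "|escape"))
    bad = build_postbody("admin", twice, parse_response(LOGIN_PAGE, spec))
    print(server_view(good))  # password and token round-trip unchanged
    print(server_view(bad))   # password still encoded, '+' in token became a space
```

A token that arrives with `+` decoded to a space no longer matches the value the server issued, and a double-encoded password reaches the server still percent-encoded.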
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: NXI 5.4.10: Webinject is 1.41 but current is 1.94

Post by scottwilkerson »

looks like you are moving in the right direction