Issue created Nov 07, 2016 by Administrator (@root, Contributor)

Arachni simple scan throws error "Could not get cookies for URL"

Created by: r-31415

I'm a newbie using Arachni, so there is a very good chance I'm making an elementary mistake. However, after having read and tried several working examples, I can't figure out what's wrong in this case.

Basically, I'm trying to scan a target that requires a session, so I thought I would be able to scan it by using the --http-cookie-jar flag (or --http-cookie-string). Unfortunately, both give the same issue and even after changing the target to another site that doesn't necessarily require a session, I'm still facing the same error.

This is the traceback (I replaced the real target and put a placeholder in its place):

[user:~/arachni-2.0dev-1.0dev/bin]$ ./arachni https://target.com --http-cookie-jar=cookies.txt            
Arachni - Web Application Security Scanner Framework v2.0dev
   Author: Tasos "Zapotek" Laskos <tasos.laskos@arachni-scanner.com>

           (With the support of the community and the Arachni Team.)

   Website:       http://arachni-scanner.com
   Documentation: http://arachni-scanner.com/wiki


 [~] No checks were specified, loading all.
 [~] No element audit options were specified, will audit links, forms, cookies, UI inputs, UI forms, JSONs and XMLs.

 [*] Initializing...
 [*] Preparing plugins...
 [*] ... done.
 [*] BrowserCluster: Initializing 6 browsers...
 [*] BrowserCluster: Spawned #1 with PID 10375 [lifeline at PID 10372].
 [*] BrowserCluster: Spawned #2 with PID 10400 [lifeline at PID 10397].
 [*] BrowserCluster: Spawned #3 with PID 10425 [lifeline at PID 10422].
 [*] BrowserCluster: Spawned #4 with PID 10450 [lifeline at PID 10447].
 [*] BrowserCluster: Spawned #5 with PID 10475 [lifeline at PID 10472].
 [*] BrowserCluster: Spawned #6 with PID 10500 [lifeline at PID 10497].
 [*] BrowserCluster: Initialization completed with 6 browsers in the pool.
 [-] [http/client#request:374] Client: Could not get cookies for URL 'http://target.com' from Cookiejar (Complete absolute URL required, got: http://target.com).
 [-] [http/client#request:375] Client: /home/user/arachni-2.0dev-1.0dev/system/gems/bundler/gems/arachni-c2c253c3a134/lib/arachni/http/cookie_jar.rb:213:in `to_uri'
 [-] [http/client#request:375] Client: /home/user/arachni-2.0dev-1.0dev/system/gems/bundler/gems/arachni-c2c253c3a134/lib/arachni/http/cookie_jar.rb:112:in `for_url'
 [-] [http/client#request:375] Client: /home/user/arachni-2.0dev-1.0dev/system/gems/bundler/gems/arachni-c2c253c3a134/lib/arachni/http/client.rb:370:in `block in request'
 [-] [http/client#request:375] Client: /home/user/arachni-2.0dev-1.0dev/system/gems/bundler/gems/arachni-c2c253c3a134/lib/arachni/utilities.rb:425:in `call'
 [-] [http/client#request:375] Client: /home/user/arachni-2.0dev-1.0dev/system/gems/bundler/gems/arachni-c2c253c3a134/lib/arachni/utilities.rb:425:in `exception_jail'
 [-] [http/client#request:375] Client: /home/user/arachni-2.0dev-1.0dev/system/gems/bundler/gems/arachni-c2c253c3a134/lib/arachni/http/client.rb:367:in `request'
 [-] [http/client#request:375] Client: /home/user/arachni-2.0dev-1.0dev/system/gems/bundler/gems/arachni-c2c253c3a134/lib/arachni/http/client.rb:425:in `get'
 [-] [http/client#request:375] Client: /home/user/arachni-2.0dev-1.0dev/system/gems/bundler/gems/arachni-c2c253c3a134/lib/arachni/http/client.rb:500:in `method_missing'
 [-] [http/client#request:375] Client: /home/user/arachni-2.0dev-1.0dev/system/gems/bundler/gems/arachni-c2c253c3a134/lib/arachni/page.rb:42:in `block in from_url'
 [-] [http/client#request:375] Client: /home/user/arachni-2.0dev-1.0dev/system/gems/bundler/gems/arachni-c2c253c3a134/lib/arachni/page.rb:41:in `times'
 [-] [http/client#request:375] Client: /home/user/arachni-2.0dev-1.0dev/system/gems/bundler/gems/arachni-c2c253c3a134/lib/arachni/page.rb:41:in `from_url'
 [-] [http/client#request:375] Client: /home/user/arachni-2.0dev-1.0dev/system/gems/bundler/gems/arachni-c2c253c3a134/lib/arachni/framework/parts/data.rb:124:in `pop_page_from_url_queue'
...

As you see, I downloaded the 2.0-dev version. The full traceback can be found here. In the previous command, I tried to use http-cookie-jar with a cookies.txt file exported from Firebug. However, even if I remove that flag, I still get the same error.

I noticed in the traceback that even though I used https in the URL, the non-secure version of the site is being used. The format of the URL is something like this: https://target.com/a/index/. I believe this is not the main issue because the other domain I tested (with URL https://target.com/) also outputs the same error, although the traceback doesn't show redirections or usage of the non-secure domain.

Is this a bug?

Thank you in advance
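
A pre-flight check for a cookies.txt passed to --http-cookie-jar, added here as an example; it is not part of the original issue and not Arachni's code. It assumes the file is in Netscape cookies.txt format and lists which cookies apply to a given URL, which shows whether a Secure session cookie would accompany an http:// request when the scan was started with https://. The cookie names and values and the `parse_jar` / `cookies_for` helpers are constructed for illustration, and the example makes no claim about the cause of the error above.

```ruby
require 'uri'

# Constructed sample, Netscape cookies.txt layout (7 tab-separated fields):
# domain, include-subdomains, path, secure, expiry (epoch, 0 = session), name, value
SAMPLE_JAR = [
  "# Netscape HTTP Cookie File",
  "target.com\tFALSE\t/\tTRUE\t0\tsessionid\tabc123",
  ".target.com\tTRUE\t/a\tFALSE\t0\tlang\ten",
  "other.example\tFALSE\t/\tFALSE\t0\ttracker\txyz",
  "malformed line without tabs"
].join("\n")

Cookie = Struct.new(:domain, :subdomains, :path, :secure, :expires, :name, :value)

# Returns [cookies, rejected_lines]; lines without exactly 7 fields are rejected.
def parse_jar(text)
  cookies, rejected = [], []
  text.each_line do |raw|
    line = raw.chomp
    # Skip blanks and comments; "#HttpOnly_" is the curl-style prefix for HttpOnly cookies.
    next if line.strip.empty? || (line.start_with?('#') && !line.start_with?('#HttpOnly_'))
    f = line.sub(/\A#HttpOnly_/, '').split("\t", -1)
    next rejected << line unless f.size == 7
    cookies << Cookie.new(f[0].downcase, f[1] == 'TRUE', f[2], f[3] == 'TRUE',
                          f[4].to_i, f[5], f[6])
  end
  [cookies, rejected]
end

# Names of the cookies that match the URL's host, path and scheme and are unexpired.
def cookies_for(url, cookies, now = Time.now.to_i)
  uri = URI.parse(url)
  unless uri.is_a?(URI::HTTP) && uri.host
    raise ArgumentError, "absolute http(s) URL required, got: #{url}"
  end
  host = uri.host.downcase
  path = uri.path.empty? ? '/' : uri.path
  cookies.select do |c|
    bare = c.domain.sub(/\A\./, '')
    prefix = c.path.end_with?('/') ? c.path : "#{c.path}/"
    (host == bare || (c.subdomains && host.end_with?(".#{bare}"))) &&
      (path == c.path || path.start_with?(prefix)) &&
      (!c.secure || uri.scheme == 'https') &&
      (c.expires.zero? || c.expires > now)
  end.map(&:name)
end
```

Running `cookies_for` once with the http:// form and once with the https:// form of the same target makes any Secure-only session cookie stand out, and the rejected lines from `parse_jar` point at export problems in the file itself.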
