diff --git a/scripts/multi-cookie-auth.sh b/scripts/multi-cookie-auth.sh
new file mode 100755
index 00000000..de3fc628
--- /dev/null
+++ b/scripts/multi-cookie-auth.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+# Request login (XLOGINID) and session (JSESSIONID) cookies from server
+curl -k -c cookie-jar.txt https://localhost:9000/login-code
+# Set local JSESSIONID variable to the JSESSIONID cookie
+JSESSIONID=$(awk 'match($0, /JSESSIONID.*/){print substr($0, RSTART + 11, RLENGTH)}' cookie-jar.txt )
+# Set local XLOGINID variable to the XLOGINID cookie
+XLOGINID=$(awk 'match($0, /XLOGINID.*/){print substr($0, RSTART + 9, RLENGTH)}' cookie-jar.txt)
+# Request page with XLOGINID and JSESSIONID cookies and extract the _csrf token
+CSRF=$(curl -k -b cookie-jar.txt \
+ https://localhost:9000/login-form-multi | awk 'match($0,/_csrf".*/) { print substr($0, RSTART+14, RLENGTH -17)}')
+# Log into the mutli cooke endpoint using XLOGINID and JSESSIONID cookies and username/password
+curl -v -k \
+ -d "_csrf=${CSRF}&loginCode=${XLOGINID}&username=user&password=password&remember=on" \
+ -b cookie-jar.txt \
+ -H "Content-Type: application/x-www-form-urlencoded" \
+ "https://localhost:9000/login-form-multi"
+
+# Run HawkScan injecting local variables as environment variables
+hawk scan -e JSESSIONID=${JSESSIONID} -e XLOGINID=${XLOGINID} ./stackhawk.d/stackhawk-multi-cookie-auth.yml
+
diff --git a/stackhawk.d/stackhawk-multi-cookie-auth.yml b/stackhawk.d/stackhawk-multi-cookie-auth.yml
new file mode 100644
index 00000000..56f2021f
--- /dev/null
+++ b/stackhawk.d/stackhawk-multi-cookie-auth.yml
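Review bot: A failed bootstrap request is never detected, so when `/login-code` or `/login-form-multi` errors out the awk extractions yield empty `JSESSIONID`/`XLOGINID`/`CSRF` and the script still launches `hawk scan` with an unauthenticated session, producing a scan that silently misses every authenticated route; the script has no `set -euo pipefail`, the curl calls lack `--fail`, and nothing checks the extracted values before use. The session material is also written to a predictable `cookie-jar.txt` in the working directory and left behind after the run, and `curl -v` on the login POST echoes the form body (including the credentials) and the cookie headers to stderr, which ends up in CI logs. Finally the `-e JSESSIONID=${JSESSIONID}` expansions on the `hawk scan` line are unquoted; a cookie value containing shell metacharacters would be split. Suggested rewrite below keeps the same awk extraction logic but uses a `mktemp` jar removed by an `EXIT` trap, `--fail`, an explicit non-empty check, and quoted expansions; `-k` presumably covers a self-signed local dev certificate and is kept but should be commented as such.
```bash
#!/usr/bin/env bash
set -euo pipefail

# Session cookies go to a private temp file that is removed on every exit path
cookie_jar=$(mktemp)
trap 'rm -f -- "$cookie_jar"' EXIT

# -k: local dev endpoint on https://localhost:9000 (self-signed cert assumed)
# --fail: an HTTP error aborts the script instead of leaving the variables empty
curl -k --fail -sS -c "$cookie_jar" https://localhost:9000/login-code
JSESSIONID=$(awk 'match($0, /JSESSIONID.*/){print substr($0, RSTART + 11, RLENGTH)}' "$cookie_jar")
XLOGINID=$(awk 'match($0, /XLOGINID.*/){print substr($0, RSTART + 9, RLENGTH)}' "$cookie_jar")
CSRF=$(curl -k --fail -sS -b "$cookie_jar" https://localhost:9000/login-form-multi \
  | awk 'match($0,/_csrf".*/) { print substr($0, RSTART+14, RLENGTH -17)}')
[[ -n "$JSESSIONID" && -n "$XLOGINID" && -n "$CSRF" ]] \
  || { printf 'login bootstrap failed: missing cookie or CSRF token\n' >&2; exit 1; }

# Login POST: no -v, so the form body and cookie headers are not echoed to stderr
curl -k --fail -sS -o /dev/null \
  -d "_csrf=${CSRF}&loginCode=${XLOGINID}&username=user&password=password&remember=on" \
  -b "$cookie_jar" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  "https://localhost:9000/login-form-multi"

# … unchanged: HawkScan invocation, now with quoted expansions …
hawk scan -e "JSESSIONID=${JSESSIONID}" -e "XLOGINID=${XLOGINID}" ./stackhawk.d/stackhawk-multi-cookie-auth.yml
```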
@@ -0,0 +1,26 @@
+app:
+ applicationId: ${APP_ID:test-app}
+ env: ${APP_ENV:Multi Cookie Auth}
+ openApiConf:
+ path: /openapi
+ host: ${HOST:https://localhost:9000}
+ excludePaths:
+ - "/logout"
+ - "/login-form-multi"
+ - "/login-code"
+ authentication:
+ external:
+ values:
+ - type: COOKIE
+ value:
+ name: "XLOGINID"
+ val: ${XLOGINID}
+ - type: COOKIE
+ value:
+ name: "JSESSIONID"
+ val: ${JSESSIONID}
+ testPath:
+ path: /login-multi-check
+ success: ".*200.*"
+ loggedInIndicator: "\\QSign Out\\E"
+ loggedOutIndicator: ".*Location:.*/login.*"
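Review bot: The `testPath.success: ".*200.*"` pattern matches the digits 200 anywhere in whatever the scanner evaluates it against, so a response that is not a 200 but happens to contain that substring would presumably still be treated as a valid authenticated session, and a scan would then proceed with expired cookies while reporting the auth check as passed; if the field is matched against the status line, anchoring it, e.g. `success: "^HTTP.* 200"`, would make the check meaningful (confirm against the HawkScan docs for this field). The config also silently depends on `XLOGINID` and `JSESSIONID` being injected from outside, which is not stated anywhere in the file; a header comment such as `# XLOGINID and JSESSIONID are supplied by scripts/multi-cookie-auth.sh via hawk scan -e` would tell the next reader where the values come from and why `/login-code`, `/login-form-multi` and `/logout` are excluded from the crawl.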