Fix Issue #396

doc/wapiti.ronn

@@ -38,8 +38,12 @@ PROXY AND AUTHENTICATION OPTIONS:
   * `--tor`
   * `--mitm-port` <PORT>
   * `-a`, `--auth-cred` <CREDENTIALS>
+  * `--auth-user` <USERNAME>
+  * `--auth-password` <PASSWORD>
   * `--auth-method` {basic,digest,ntlm}
   * `--form-cred` <CREDENTIALS>
+  * `--form-user` <USERNAME>
+  * `--form-password` <PASSWORD>
   * `--form-url` <URL>
   * `--form-enctype` <ENCTYPE>
   * `--form-script` <FILENAME>
@@ -154,17 +158,29 @@ OTHER OPTIONS:
     Configure your browser to use the intercepting proxy then explore the target manually. Ctrl+C in the console when you are done.
 
   * `-a`, `--auth-cred` <CREDENTIALS>  
-    Set credentials to use for HTTP authentication on the target (see available methods bellow).
+    (DEPRECATED) Set credentials to use for HTTP authentication on the target (see available methods bellow).
     Given value should be in the form login%password (% is used as a separator)
-
+
+  * `--auth-user` <USERNAME>  
+    Set username to use for HTTP authentication on the target (see available methods bellow).
+
+    * `--auth-password` <PASSWORD>  
+    Set password to use for HTTP authentication on the target (see available methods bellow).
+
   * `--auth-method` <TYPE>  
     Set the authentication mechanism to use. Valid choices are basic, digest and ntlm.
     NTLM authentication may require you to install an additional Python module.
 
   * `--form-cred` <CREDENTIALS>  
-    Set credentials to use for web form authentication on the target.
+    (DEPRECATED) Set credentials to use for web form authentication on the target.
     Given value should be in the form login%password (% is used as a separator)
 
+  * `--form-user` <USERNAME>  
+    Set username to use for web form authentication on the target.
+
+    * `--form-password` <PASSWORD>  
+    Set password to use for web form authentication on the target.
+
   * `--form-url` <URL>  
     If `--form-data` is not set, Wapiti will extract the login form at the given URL and fill it with the provided credentials.
     Otherwise raw credentials are sent directly to the given URL.

tests/cli/test_options.py

@@ -135,7 +135,7 @@ async def test_update_with_proxy():
 @mock.patch("wapitiCore.main.wapiti.check_http_auth", return_value=True)
 async def test_use_http_creds(mock_check_http_auth, _, __):
     """Let's ensure that the proxy is used when updating modules resources."""
-    testargs = ["wapiti", "-a", "test%test", "--url", "http://testphp.vulnweb.com/", "-m", "", "--scope", "url"]
+    testargs = ["wapiti", "--auth-user", "test", "--auth-password", "test", "--url", "http://testphp.vulnweb.com/", "-m", "", "--scope", "url"]
 
     with mock.patch.object(sys, "argv", testargs):
         await wapiti_main()
@@ -150,7 +150,8 @@ async def test_use_web_creds(mock_async_try_form_login, _, __):
     """Let's ensure that the proxy is used when updating modules resources."""
     testargs = [
         "wapiti",
-        "--form-cred", "test%test",
+        "--form-user", "test",
+        "--form-password", "test",
         "--form-url", "http://testphp.vulnweb.com/login.php",
         "--url", "http://testphp.vulnweb.com/",
         "-m", "",

tests/cookies/test_getcookie.py

@@ -164,7 +164,7 @@ async def test_getcookie_basic_auth():
         url = "https://lundberg.github.io/respx/guide/"
         respx.get(url).mock(return_value=httpx.Response(200))
 
-        await getcookie_main(["-u", url, "-c", json_fd.name, "--auth-cred", "john%doe"])
+        await getcookie_main(["-u", url, "-c", json_fd.name, "--auth-user", "john", "--auth-password", "doe"])
 
         assert "Authorization" in respx.calls.last.request.headers
         assert respx.calls.last.request.headers["Authorization"] == "Basic am9objpkb2U="

wapitiCore/main/getcookie.py

@@ -57,11 +57,21 @@ def args_to_crawlerconfiguration(arguments) -> CrawlerConfiguration:
         crawler_configuration.user_agent = arguments.user_agent
 
     if "http_credentials" in arguments:
+            # This option is deprecated, but we still support it
+            # Should be removed in the future
         if "%" in arguments.http_credentials:
             username, password = arguments.http_credentials.split("%", 1)
             crawler_configuration.http_credential = HttpCredential(username, password, arguments.auth_method)
         else:
             raise InvalidOptionValue("-a", arguments.http_credentials)
+    elif "http_user" in arguments and "http_password" in arguments:
+        crawler_configuration.http_credential = HttpCredential(arguments.http_user, arguments.http_password,
+                                                               arguments.auth_method)
+
+    if ("http_user" in arguments and "http_password" not in arguments) or ("http_user" not in arguments
+                                                                           and "http_password" in arguments):
+        raise InvalidOptionValue("--auth-user and --auth-password", arguments.http_credentials)
+
 
     headers = {}
     for custom_header in arguments.headers:
@@ -101,14 +111,35 @@ async def getcookie_main(arguments):
         help="Use Tor listener (127.0.0.1:9050)",
     )
 
+    # This option is deprecated
+    # Should be removed in a future version
     parser.add_argument(
         "-a", "--auth-cred",
         dest="http_credentials",
+        action="store",
         default=argparse.SUPPRESS,
-        help="Set HTTP authentication credentials",
+        help="(DEPRECATED) Set HTTP authentication credentials",
         metavar="CREDENTIALS",
     )
 
+    parser.add_argument(
+        "--auth-user",
+        dest="http_user",
+        action="store",
+        default=argparse.SUPPRESS,
+        help="Set HTTP authentication credentials",
+        metavar="USERNAME",
+    )
+
+    parser.add_argument(
+        "--auth-password",
+        dest="http_password",
+        action="store",
+        default=argparse.SUPPRESS,
+        help="Set HTTP authentication credentials",
+        metavar="PASSWORD",
+    )
+
     parser.add_argument(
         "--auth-method",
         default="basic",

wapitiCore/main/wapiti.py

@@ -181,11 +181,20 @@ async def wapiti_main():
             wap.set_drop_cookies()
 
         if "http_credentials" in args:
+            # This option is deprecated, but we still support it
+            # Should be removed in the future
             if "%" in args.http_credentials:
                 username, password = args.http_credentials.split("%", 1)
                 wap.set_http_credentials(HttpCredential(username, password, args.auth_method))
             else:
                 raise InvalidOptionValue("-a", args.http_credentials)
+        elif "http_user" in args and "http_password" in args:
+            wap.set_http_credentials(HttpCredential(args.http_user, args.http_password, args.auth_method))
+
+        if ("http_user" in args and "http_password" not in args) or ("http_user" not in args
+                                                                     and "http_password" in args):
+            raise InvalidOptionValue("--auth-user and --auth-password",
+                                     "Both options are required when one is used")
 
         for bad_param in args.excluded_parameters:
             wap.add_bad_param(bad_param)
@@ -281,26 +290,41 @@ async def wapiti_main():
 
     assert os.path.exists(wap.history_file)
 
-    if "http_credentials" in args:
+    if "http_credentials" in args or ("http_user" in args and "http_password" in args):
         if not await check_http_auth(wap.crawler_configuration):
             logging.warning("[!] HTTP authentication failed, a 4xx status code was received")
             return
 
     form_credential = None
     if "form_credentials" in args:
-        # If the option is set it MUST have valid requirements
-        if "%" not in args.form_credentials:
-            raise InvalidOptionValue("--form-cred", args.form_credentials)
-
         if "form_url" not in args:
-            raise InvalidOptionValue("--form-url", "This option is required when --form-cred is used")
-
-        username, password = args.form_credentials.split("%", 1)
-        form_credential = FormCredential(
+            raise InvalidOptionValue("--form-url", "This option is required when --form-user \
+                                     and --form-password or form-cred is used")
+        # This option is deprecated, but we still support it
+        # Should be removed in the future
+        username, password = None, None
+        if "%" in args.form_credentials:
+            username, password = args.form_credentials.split("%", 1)
+            form_credential = FormCredential(
             username,
             password,
             args.form_url,
         )
+        else:
+            raise InvalidOptionValue("--form-cred", args.form_credentials)
+    elif "form_user" in args and "form_password" in args:
+        if "form_url" not in args:
+            raise InvalidOptionValue("--form-url", "This option is required when --form-user \
+                                     and --form-password or form-cred is used")
+        form_credential = FormCredential(
+            args.form_user,
+            args.form_password,
+            args.form_url,
+        )
+
+    if ("form_user" in args and "form_password" not in args) or ("form_user" not in args and "form_password" in args):
+        raise InvalidOptionValue("--form-user and --form-password", "Both options are required when one is used")
+
 
     if "form_script" in args:
         await load_form_script(

wapitiCore/parsers/commandline.py

@@ -112,29 +112,71 @@ def parse_args():
         type=float
     )
 
+    # This option is deprecated
+    # Should be removed in a future version
     parser.add_argument(
         "-a", "--auth-cred",
         dest="http_credentials",
+        action="store",
         default=argparse.SUPPRESS,
-        help="Set HTTP authentication credentials",
+        help="(DEPRECATED) Set HTTP authentication credentials",
         metavar="CREDENTIALS"
     )
 
+    parser.add_argument(
+        "--auth-user",
+        dest="http_user",
+        action="store",
+        default=argparse.SUPPRESS,
+        help="Set HTTP authentication username credentials",
+        metavar="USERNAME",
+    )
+
+    parser.add_argument(
+        "--auth-password",
+        dest="http_password",
+        action="store",
+        default=argparse.SUPPRESS,
+        help="Set HTTP authentication password credentials",
+        metavar="PASSWORD",
+    )
+
     parser.add_argument(
         "--auth-method",
         default="basic",
         help="Set the HTTP authentication method to use",
         choices=["basic", "digest", "ntlm"]
     )
 
+    # This option is deprecated
+    # Should be removed in a future version
     parser.add_argument(
         "--form-cred",
         dest="form_credentials",
+        action="store",
         default=argparse.SUPPRESS,
-        help="Set login form credentials",
+        help="(DEPRECATED) Set login form credentials",
         metavar="CREDENTIALS"
     )
 
+    parser.add_argument(
+        "--form-user",
+        dest="form_user",
+        action="store",
+        default=argparse.SUPPRESS,
+        help="Set login form credentials",
+        metavar="USERNAME"
+    )
+
+    parser.add_argument(
+        "--form-password",
+        dest="form_password",
+        action="store",
+        default=argparse.SUPPRESS,
+        help="Set password form credentials",
+        metavar="PASSWORD"
+    )
+
     parser.add_argument(
         "--form-url",
         dest="form_url",