After some research, I've found out that the `login_script` plugin (and some others) are not supported through the WebUI.
I understand the rationale behind it, as it would be a security issue to let anyone execute scripts on the host.
However, there are some valid use cases: when Arachni WebUI is run and accessed only on localhost.
I think some people are just using the WebUI as a desktop interface on their machine, and not for mounting on a server accessible from the Intranet (or worse, Internet). This is actually how I use Arachni (because I like the WebUI).
As such, activation of these unsafe plugins could be offered through an option (disabled by default obviously) with all the proper security warning messages and such.
At run time, a sanity check could be added to verify that the command is coming from localhost and not from elsewhere.
What do you think?
Thanks for your consideration.
That is unfortunate. But I guess you are waiting to finish up on the new engine before reworking the WebUI? User interfaces are time-consuming development...
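A sketch of the run-time localhost check proposed in the issue, added here as an example; it is not Arachni code and not part of the original posts. The function names, the `opt_in` flag and the Rack-style `env` hash are assumptions made for illustration.

```ruby
require 'ipaddr'

# Names a loopback-only UI is expected to be addressed by (assumed list).
LOCAL_HOSTNAMES = %w[localhost 127.0.0.1 [::1]].freeze

# True when the TCP peer address (Rack's REMOTE_ADDR) is a loopback address.
def loopback_peer?(addr)
  return false if addr.nil? || addr.to_s.empty?
  ip = IPAddr.new(addr.to_s)
  ip = ip.native if ip.ipv4_mapped? # ::ffff:127.0.0.1 -> 127.0.0.1
  ip.loopback?
rescue IPAddr::Error
  false # unparsable peer address: fail closed
end

# True when the Host header names the local machine. A loopback peer alone is
# not enough: a page using DNS rebinding makes the local browser send requests
# from 127.0.0.1, but the Host header then carries the outside domain.
def local_host_header?(host)
  name = host.to_s.downcase.sub(/:\d+\z/, '') # drop a trailing :port
  LOCAL_HOSTNAMES.include?(name)
end

# Gate for the host-executing plugins. Disabled unless explicitly opted in.
def unsafe_plugins_allowed?(env, opt_in: false)
  return false unless opt_in
  # Behind a local reverse proxy every request has REMOTE_ADDR 127.0.0.1, so
  # refuse when forwarding headers show a proxy in front (heuristic: a proxy
  # that adds no such header is not detected). The header value is never
  # trusted as the client address, because the client can set it.
  return false if env.key?('HTTP_X_FORWARDED_FOR') || env.key?('HTTP_FORWARDED')
  loopback_peer?(env['REMOTE_ADDR']) && local_host_header?(env['HTTP_HOST'])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests, not captured traffic.
  samples = [
    { 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_HOST' => 'localhost:9292' },
    { 'REMOTE_ADDR' => '127.0.0.1', 'HTTP_HOST' => 'rebind.example:9292' },
    { 'REMOTE_ADDR' => '192.168.1.20', 'HTTP_HOST' => 'localhost:9292' }
  ]
  samples.each { |env| puts "#{env.inspect} => #{unsafe_plugins_allowed?(env, opt_in: true)}" }
end
```

Binding the listener to a loopback address only remains the primary control; a check like this is a second layer on top of it.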