Handling Challenge/Response Logins In HP WebInspect


About a week ago we posted some info about how we chained AppScan and BurpSuite together to handle a site with a somewhat complicated challenge/response login scheme. Apparently this got the Twitter-world all excited – you can read all about it on Dinis Cruz’s blog. A really cool outcome of all this discussion is that some of the scanner vendors have started publishing information about how their scanners can be configured to handle similar login situations based on some mock-up code we released on GitHub. This post is to highlight the response from the good folks at HP about how to configure WebInspect to handle this login scenario.

They put up a blog post about it here: Challenge-Response Authentication? No Problem

They also put together a rather extensive set of slides describing the target scenario as well as some more complicated twists here:

(Original slides link is here)

Many thanks to Rafal Los and Hans Enders from HP for putting this together and making it available. I agree with Dinis that talking about these real-world scenarios is really valuable and I appreciate you all taking the time to write-up and release this information. I’ve got stuff from a couple of the other scanner folks that I’ll be reviewing and posting soon.

Contact us for help getting the most out of your investment in web application scanners.


dan _at_ denimgroup.com


Posted via email from Denim Group’s Posterous

About Dan Cornell

Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies. Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader. Dan has speaks at such international conferences as RSA, ROOTs in Norway and OWASP AppSec EU.

Leave a reply