Automated Application Scanning: Handling Complicated Logins with AppScan (Only!)

We put up a blog post two days ago demonstrating how to get IBM Rational AppScan to perform a complex login routine by chaining it together with BurpSuite. Ory Segal (@orysegal) from IBM Rational reached out with a simpler method to handle this natively in AppScan. It involves configuring AppScan to add a custom parameter to each request. For the sample case in the authexamples GitHub repository, it would be handled like this:

[Screenshot: AppScan login configuration with the custom parameter added to each request]

This then handles the same gymnastics we were doing with BurpSuite’s inline editing before – resulting in a successful login sequence and a valid session:

[Screenshot: AppScan login sequence completing successfully with a valid session]

Fun stuff! Many thanks to Ory for sending this along – we really appreciate the insight. For other scanner tool vendors – how would YOU recommend your users accomplish this same task? Either put up a blog post about it and send me the link, or send me some notes and a screenshot or two and I am happy to write it up.

Also I’ve been talking with our web application pen test folks to get more examples to add to the authexamples GitHub repository. If you have any suggestions please send them my way.

Contact us for help getting the most out of your application scanning tools.

–Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry-leading application vulnerability management platform.


One Response to “Automated Application Scanning: Handling Complicated Logins with AppScan (Only!)”

  1. Sri Sriniwass

    Hi Dan,

    Could you please relink the images in this post? It seems that they are no longer in Posterous. Thanks.

    Regards,
    -Sri
