Denim Group has been acquired by Coalfire. Learn More>>

Handling Challenge/Response Logins In HP WebInspect

About a week ago we posted some info about how we chained AppScan and BurpSuite together to handle a site with a somewhat complicated challenge/response login scheme. Apparently this got the Twitter-world all excited – you can read all about it on Dinis Cruz’s blog. A really cool outcome of all this discussion is that some of the scanner vendors have started publishing information about how their scanners can be configured to handle similar login situations based on some mock-up code we released on GitHub. This post is to highlight the response from the good folks at HP about how to configure WebInspect to handle this login scenario.

They put up a blog post about it here: Challenge-Response Authentication? No Problem

They also put together a rather extensive set of slides describing the target scenario as well as some more complicated twists here:

(Original slides link is here)

Many thanks to Rafal Los and Hans Enders from HP for putting this together and making it available. I agree with Dinis that talking about these real-world scenarios is really valuable and I appreciate you all taking the time to write-up and release this information. I’ve got stuff from a couple of the other scanner folks that I’ll be reviewing and posting soon.

Contact us for help getting the most out of your investment in web application scanners.


dan _at_


Posted via email from Denim Group’s Posterous

About Dan Cornell

Dan Cornell Web Resolution

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
More Posts by Dan Cornell

Leave a Reply

Your email address will not be published. Required fields are marked *