Handling Challenge/Response Logins in Mavituna Netsparker

This is the latest in a series of posts we've been doing looking at how different web application scanning tools can be configured to handle a somewhat complicated login routine we ran into a while back. We originally posted a solution that chained IBM Rational AppScan with BurpSuite, the IBM folks demonstrated how it could be done natively within AppScan and the HP folks also sent along info on how WebInspect could be configured to handle it as well. This even inspired us to put a mock-up of the authentication routine up on GitHub.
Now the folks at Mavituna Security have sent along some notes on how to configure their Netsparker scanner to handle a login scenario like this. You can see a screencast showing the configuration of the tool here:
They also sent along example C# and XML configuration files.
The C# code from the video is:
using System;
using System.Text;
using System.Text.RegularExpressions;
using MSL.Core.Components.Forms;
using MSL.Core.Process.Authentication;
using MSL.Core.Process.Extensibility;
using MSL.Core.Process.Network.Http;

[ExtensibilityClass]
public static class MyScriptMethods
{
    // Challenge state carried from the Request1 response to the Request2 request.
    private static string TwoFactorAnswer;
    private static string TwoFactorQuestion;

    // Runs before each macro request is sent: fill in the placeholders in Request2's body.
    [ExtensibilityMethod(typeof(FormAuthenticationBeforeRequestHandler))]
    public static void BeforeAuthenticationMacroRequest(IHttpRequest request)
    {
        if (request.Id != "Request2")
        {
            return;
        }

        // {{q}} and {{a}} both take the question id, so the body becomes
        // questions=<id>&answer_<id>=<answer>.
        request.Body = request.Body.Replace("{{q}}", TwoFactorQuestion);
        request.Body = request.Body.Replace("{{a}}", TwoFactorQuestion);
        request.Body = request.Body.Replace("{{answer}}", TwoFactorAnswer);
        TwoFactorAnswer = string.Empty;
    }

    // Runs after each macro response: read which question Request1's response asked.
    [ExtensibilityMethod(typeof(FormAuthenticationAfterResponseHandler))]
    public static void AfterAuthenticationMacroResponse(IHttpRequest request)
    {
        if (request.Id != "Request1")
        {
            return;
        }

        string TwoFactorHttpResponseBody = request.Response.Body.ToString();

        // The response names the challenge as a form field such as answer_1234.
        Match TwoFactorChar = Regex.Match(TwoFactorHttpResponseBody, "answer_[0-9]*", RegexOptions.IgnoreCase);

        if (TwoFactorChar.ToString() == "answer_1234")
        {
            TwoFactorAnswer = "apple1";
            TwoFactorQuestion = "1234";
        }
        else if (TwoFactorChar.ToString() == "answer_817")
        {
            TwoFactorAnswer = "apple2";
            TwoFactorQuestion = "817";
        }
        else if (TwoFactorChar.ToString() == "answer_423")
        {
            TwoFactorAnswer = "apple3";
            TwoFactorQuestion = "423";
        }
    }
}

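The two-hook pattern above (read the challenge out of the first response, fill the placeholders into the second request) is easy to simulate outside the scanner. The following Python is an added example, not Netsparker's script or API: it makes the question-to-answer mapping table-driven instead of an if/else chain, and aborts the macro when the challenge is not recognised rather than posting an empty answer. The CHALLENGE_ANSWERS table and the sample response text are constructed to match the values in the post.

```python
import re
from dataclasses import dataclass
from urllib.parse import quote_plus

# Constructed question-id -> answer table; the page's script hard-codes the
# same three ids in an if/else chain.
CHALLENGE_ANSWERS = {"1234": "apple1", "817": "apple2", "423": "apple3"}

# Same pattern the page's C# script uses (with + so a bare "answer_" is not a match).
QUESTION_RE = re.compile(r"answer_([0-9]+)", re.IGNORECASE)

BODY_TEMPLATE = "questions={{q}}&answer_{{a}}={{answer}}"

@dataclass
class LoginState:
    """Challenge id and answer carried between the two hooks."""
    question: str = ""
    answer: str = ""

def after_response(state, response_body):
    """Hook for the Request1 response: record which challenge was asked.
    Returns False when no known id is found, so the macro can abort instead
    of posting an empty answer (the page's script silently falls through)."""
    m = QUESTION_RE.search(response_body)
    if not m or m.group(1) not in CHALLENGE_ANSWERS:
        state.question, state.answer = "", ""
        return False
    state.question = m.group(1)
    state.answer = CHALLENGE_ANSWERS[state.question]
    return True

def before_request(state, body_template):
    """Hook for the Request2 request: fill {{q}}, {{a}} and {{answer}}."""
    filled = (body_template
              .replace("{{q}}", state.question)
              .replace("{{a}}", state.question)
              .replace("{{answer}}", quote_plus(state.answer)))  # form-encode the answer
    if "{{" in filled:
        raise ValueError("unfilled placeholder in login body: " + filled)
    state.answer = ""  # single use, as in the page's script
    return filled

def run_login(response_body):
    """Drive both hooks and return the body Request2 would send."""
    state = LoginState()
    if not after_response(state, response_body):
        raise RuntimeError("challenge question not recognised; aborting login")
    return before_request(state, BODY_TEMPLATE)
```

For the sample response `<input type="text" name="answer_817" />`, run_login returns `questions=817&answer_817=apple2`, the same body the XML macro below produces once its placeholders are filled.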

And the XML login macro used in the video is:
<?xml version="1.0" encoding="utf-8"?>
<request>
  <headers>
    <header>
      <name>Accept-Language</name>
      <value>tr-TR</value>
    </header>
    <header>
      <name>UA-CPU</name>
      <value>AMD64</value>
    </header>
  </headers>
  <body />
  <id>33520784-0434-496d-be2c-c16da42fcfb5</id>
  <method>GET</method>
</request>
<request>
  <headers>
    <header>
      <name>Accept-Language</name>
      <value>tr-TR</value>
    </header>
    <header>
      <name>UA-CPU</name>
      <value>AMD64</value>
    </header>
    <header>
      <name>Pragma</name>
      <value>no-cache</value>
    </header>
  </headers>
  <body>username=testuser&amp;password=password</body>
  <id>Request1</id>
  <method>POST</method>
</request>
<request>
  <headers>
    <header>
      <name>Accept-Language</name>
      <value>tr-TR</value>
    </header>
    <header>
      <name>UA-CPU</name>
      <value>AMD64</value>
    </header>
    <header>
      <name>Pragma</name>
      <value>no-cache</value>
    </header>
  </headers>
  <body>questions={{q}}&amp;answer_{{a}}={{answer}}</body>
</request>

 

Contact us for help getting the most out of your investment in web application scanners.

–Dan

dan _at_ denimgroup.com

@danielcornell

 

Posted via email from Denim Group's Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.