This is the latest in a series of blog posts we’ve been doing looking at how various web application scanning tools handle different real-world application login scenarios. You can see the previous posts we’ve done:
- Chaining IBM Rational AppScan with BurpSuite
- Using IBM Rational AppScan on its own
- Using HP WebInspect
- Using Mavituna Security Netsparker
We also set up a GitHub repository with a mock-up of the example login so you can try it out on your own.
This post looks at handling that login example using NTObjectives NTOSpider to handle the same login – many thanks to Dan Kuykendall and Drew Flickema from NTO for putting this together and sending it along.
The first part of the login can be handled by NTO’s standard Forms Authentication handling – just enter the username and password.
Then to handle the second login question you use a regex for the input population name/value customization like this:
Note that if you wanted to handle different login questions (answer_1, answer_2 and so on) you could enter those values specifically rather than using the blanket regex.
So – thanks again to the NTO folks for sending this along. If any other scanner vendors want to weigh in please take a look at the GitHub site, give it a try and send the info my way. I’ll get it posted online for you.
Contact us for help getting the most out of your web application scanner.
–Dan dan _at_ denimgroup.com
