Handling Challenge/Response Logins in NTOSpider

This is the latest in a series of blog posts looking at how various web application scanning tools handle different real-world application login scenarios. You can see the previous posts we’ve done:

We also set up a GitHub repository with a mock-up of the example login so you can try it out on your own.
This post looks at handling that login example with NTObjectives NTOSpider. Many thanks to Dan Kuykendall and Drew Flickema from NTO for putting this together and sending it along.
The first part of the login can be handled by NTO’s standard Forms Authentication handling – just enter the username and password.
[Screenshot: Forms Authentication settings]
Then to handle the second login question you use a regex for the input population name/value customization like this:
[Screenshot: input population name/value customization]
Note that if you wanted to handle different login questions (answer_1, answer_2 and so on) you could enter those values specifically rather than using the blanket regex.
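
The two population strategies described above, as an added Python example (not code from the original post and not NTOSpider's own logic): a blanket regex that answers whichever question field appears, beside specific per-field entries. The page markup, the rule format, the `populate` helper and all answer values are constructed assumptions; only the answer_1/answer_2 field naming comes from the post.

```python
import re
from html.parser import HTMLParser

# Constructed second-step login page; the field names follow the post's
# answer_1 / answer_2 naming, everything else is made up for illustration.
CHALLENGE_PAGE = """
<form action="/login/challenge" method="post">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <input type="text" name="answer_2">
  <input type="submit" name="submit" value="Continue">
</form>
"""

class InputCollector(HTMLParser):
    """Collect (name, type, default value) for every <input> on the page."""
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if a.get("name"):
                self.inputs.append((a["name"], a.get("type", "text"), a.get("value", "")))

def populate(page, rules):
    """Build the POST body: the first rule whose regex fully matches a text
    input's name supplies its value; other fields keep the page's default."""
    collector = InputCollector()
    collector.feed(page)
    body = {}
    for name, kind, default in collector.inputs:
        body[name] = default
        if kind != "text":
            continue
        for pattern, value in rules:
            if re.fullmatch(pattern, name):
                body[name] = value
                break
    return body

# Blanket rule: one answer for whichever question the application asks.
BLANKET_RULES = [(r"answer_\d+", "constructed-answer")]
# Specific rules: a distinct answer per question field.
SPECIFIC_RULES = [(r"answer_1", "constructed-city"), (r"answer_2", "constructed-pet")]

if __name__ == "__main__":
    print(populate(CHALLENGE_PAGE, BLANKET_RULES))
    print(populate(CHALLENGE_PAGE, SPECIFIC_RULES))
```

The blanket rule only gets the scanner past the challenge if every question accepts the same answer; the specific rules cover an account whose questions have different answers.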
So – thanks again to the NTO folks for sending this along. If any other scanner vendors want to weigh in please take a look at the GitHub site, give it a try and send the info my way. I’ll get it posted online for you.

Contact us for help getting the most out of your web application scanner.

–Dan dan _atdenimgroup.com

@danielcornell


About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.