The purpose of the Login Expert Extension is to assist in the troubleshooting of login problems.
Requirements: Security AppScan version 7.8 and above.
Logging in to a web application and keeping that session alive for the whole crawl is one of the harder parts of automated testing, and as an automated security scanning tool AppScan runs into these challenges as well. Enter Login Expert.
The Login Expert Extension assists in the troubleshooting of login problems. The tool contains a set of heuristics based on best practices recommended by AppScan experts.
After a quick installation the tool can be accessed directly from Tools > Extensions, or it launches automatically when a scan stops because it has gone out of session. After analyzing the login sequence the tool automatically makes all the configuration settings necessary to ensure successful session handling.
The Login Expert heuristics can be grouped into three main categories or modules: identifying Unnecessary Pages, settings for Parameters and Cookies, and In-Session Page and Pattern detection.
Unnecessary Pages
This module removes pages that are not needed for acquiring the session. While it does not by itself resolve out-of-session problems, it improves scan performance and the performance of the modules that follow, which have fewer requests to analyze.
If no unnecessary pages are detected the user does not even notice the presence of this module. Otherwise the user can choose which pages to keep and which to delete.
Parameters and Cookies
This module mainly identifies which parameters and cookies should be tracked during a scan. Tracking means that AppScan updates the values of these entities from the target site's responses, so that a session token reissued by the server is carried into subsequent requests.
Figure 1. The Parameters and Cookies dialog box
Explanation of parameter roles:
- Duplicate - a parameter or cookie with the same name appears across two different domains and is tracked separately by default. The duplicate entry is removed and the remaining instance is tracked across all domains.
- Navigational - a parameter used to navigate to new pages or retrieve new content. It should not be tracked.
- Username and Password - the parameters that carry the credentials. They should not be tracked.
- Set by User - other parameters for which the user provides values during login and that are not credentials. They should not be tracked, since their values will always be the same.
In-Session Page and Pattern
This module first tries to identify the best page to use for In-Session detection. It then extracts a string from this page that identifies it as a logged-in page; if that string disappears from later responses, AppScan knows the session has been lost and can log in again.
Figure 2. The In Session Page and Pattern dialog box.
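The two heuristics described above (the Parameters and Cookies roles, and the In-Session pattern) in simplified, constructed form. This is an added example and not code from the Login Expert extension; the request steps, credential names and HTML bodies are made up, and the rule that a parameter whose value never changes is "Navigational" is an assumption of this example, not a rule stated by the tool's documentation.

```python
import re
from collections import defaultdict

def classify_login_entities(steps, credential_names, user_entered):
    """Assign each login parameter/cookie one of the Login Expert roles.
    steps: list of {"domain", "params": {name: value}, "cookies": {name: value}}
    credential_names: names the user marked as username/password.
    user_entered: names of every field the user typed into during login.
    Entities left with role "Track" are the ones to update from server responses."""
    domains = defaultdict(set)   # name -> domains on which it was seen
    values = defaultdict(set)    # name -> distinct values seen in the sequence
    for step in steps:
        for name, value in {**step["params"], **step["cookies"]}.items():
            domains[name].add(step["domain"])
            values[name].add(value)
    roles = {}
    for name in domains:
        if name in credential_names:
            roles[name] = "Username and Password"
        elif name in user_entered:
            roles[name] = "Set by User"
        elif len(domains[name]) > 1:
            roles[name] = "Duplicate"     # keep one instance, track it on all domains
        elif len(values[name]) == 1:
            roles[name] = "Navigational"  # assumption: a constant value needs no tracking
        else:
            roles[name] = "Track"         # value changed, e.g. a reissued session id
    return roles

def pick_in_session_pattern(logged_in_html, logged_out_html):
    """Choose a string that only the logged-in response contains, preferring link
    targets (hrefs) over loose words because they are stable across reloads."""
    def tokens(html):
        return re.findall(r'href="([^"]+)"', html) + re.findall(r"[A-Za-z][A-Za-z ]{3,}", html)
    for tok in tokens(logged_in_html):
        if tok not in logged_out_html:
            return tok
    return None

def is_in_session(response_html, pattern):
    """The check AppScan would run on each response during the scan."""
    return pattern is not None and pattern in response_html

# Constructed sample data: a two-request login on one host plus one API call.
STEPS = [
    {"domain": "www.example.test", "params": {"page": "login", "user": "alice", "pass": "s3cret", "lang": "en"}, "cookies": {"JSESSIONID": "a1b2"}},
    {"domain": "www.example.test", "params": {"page": "login"}, "cookies": {"JSESSIONID": "c3d4", "prefs": "x"}},
    {"domain": "api.example.test", "params": {}, "cookies": {"prefs": "x"}},
]
LOGGED_IN = '<html><body><p>Welcome back, alice</p><a href="/logout">Log out</a></body></html>'
LOGGED_OUT = '<html><body><p>Please sign in</p><a href="/login">Log in</a></body></html>'
```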
After running the analysis modules the tool produces a convenient log that can be provided to IBM Support or kept for later reference.
Figure 3. The Evaluation Complete review log.
While this tool does not aim to eradicate In-Session Detection issues, it is a valuable help in configuring scans for complex sites with difficult login mechanisms. The tool was created by Paul Ionescu from IBM.
To install, download the extension zip package, launch Security AppScan, go to Tools > Extensions > Extension Manager, choose Install, and point to the zip package.
The extension is not officially supported; it is provided "as-is" by IBM.