The purpose of the Login Expert Extension is to assist in the troubleshooting of login problems.

14 May 2009 (First published 31 March 2009)

System requirements

Security AppScan version 7.8 and above.

Overview

Making a program able to log in to a site the way a human would can be difficult. Examples of the challenges are discovering session identifiers correctly, handling JavaScript execution, bypassing security controls and identifying an "in-session page".

Since AppScan is an automated security scanning tool it has come across these challenges as well. Enter Login Expert.

The purpose of the Login Expert Extension is to assist in the troubleshooting of login problems. The tool contains a set of heuristics based on best practices recommended by AppScan experts.

After a quick installation the tool can be accessed directly from Tools > Extensions, or it will launch automatically when a scan stops because it is out of session. After analyzing the login sequence the tool automatically makes all the configuration settings needed to ensure successful session handling.

Instructions

The Login Expert heuristics can be grouped in three main categories or modules: identifying Unnecessary Pages, settings for Parameters and Cookies and In-Session Page and Pattern detection.

Unnecessary Pages

This module will remove pages that are not important for acquiring the session. While it doesn't resolve the Out of Session problems it will improve the scan performance and the performance of the following modules.

If no unnecessary pages are detected the user doesn't even notice the presence of this module. Otherwise the user can choose which pages to keep or to delete.

Parameters and Cookies

This section mainly identifies which parameters and cookies should be tracked during a scan. Tracking means that AppScan will update the values of these entities from the target site's responses.

During this portion of the evaluation the tool also identifies the username and password parameters and whether JavaScript execution is required during login.

Figure 1. The Parameters and Cookies dialog box.

Explanation of parameter roles:

  • Duplicate - a parameter/cookie that appears across two different domains and is tracked separately by default. It will be removed and the remaining instance will be tracked across all domains.
  • Navigational - a parameter used for navigating to new pages or retrieving new content. These should not be tracked.
  • Username and Password - the parameters that carry the credentials. These should not be tracked.
  • Set by User - other parameters that the user provides values for during login and that are not credentials. They should not be tracked since they will always be the same.
  • Set by JS - parameters or cookies whose values are set on the user's behalf, without the user's knowledge, by JavaScript. They should be tracked if they are session identifiers. They also require the execution of JavaScript during the login sequence.
  • Set by Server - parameters or cookies that have a predefined value that was not changed by the user or by JavaScript code. These entities should be tracked.
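As an added illustration (not code from the extension or from IBM), the following Python script applies a simplified version of these role heuristics to a constructed login recording. The recording format, the session-id and page-name patterns and the order in which the rules are tried are all my own assumptions, not a description of how Login Expert itself decides.

```python
import re
from collections import OrderedDict

# Hypothetical recording format (not AppScan's): one dict per request in the login sequence.
#   domain      - host the request went to
#   from_server - name -> value the server had handed out earlier (Set-Cookie, hidden fields)
#   user_typed  - names the user filled in by hand while recording
#   sent        - (name, value, where) for every parameter/cookie the request carried;
#                 where is "query", "body" or "cookie"
SESSION_NAME = re.compile(r"sess|sid|token|auth", re.I)          # assumption: name hints at a session id
PAGE_VALUE = re.compile(r"^[\w./-]*\.(jsp|aspx?|php|html?)$|^/", re.I)  # assumption: value names a page


def looks_like_session_id(name, value):
    """Heuristic: session-like name, or a long opaque token (assumed threshold of 16 characters)."""
    return bool(SESSION_NAME.search(name)) or (
        len(value) >= 16 and re.fullmatch(r"[A-Za-z0-9+/=_-]+", value) is not None)


def classify(steps, username, password):
    """Assign a role to each parameter/cookie; returns name -> {role, track, domains, duplicate}."""
    result = OrderedDict()
    for step in steps:
        for name, value, where in step["sent"]:
            if name in step["user_typed"]:                      # the user typed it: constant, never track
                role = "Username and Password" if value in (username, password) else "Set by User"
                track = False
            elif step["from_server"].get(name) == value:         # server issued it unchanged: track it
                role, track = "Set by Server", True
            elif where == "query" and PAGE_VALUE.match(value):   # selects a page: navigational
                role, track = "Navigational", False
            else:                                                # nobody typed it, server never sent it: JS
                role, track = "Set by JS", looks_like_session_id(name, value)
            entry = result.setdefault(name, {"role": role, "track": track, "domains": set(), "duplicate": False})
            if step["domain"] not in entry["domains"]:
                entry["duplicate"] = bool(entry["domains"])      # same entity on a second domain: merge
                entry["domains"].add(step["domain"])
    return result


SAMPLE_STEPS = [  # constructed recording, not captured from any real site
    {"domain": "login.example.com",
     "from_server": {"JSESSIONID": "A1B2C3D4E5F6G7H8I9J0", "csrf": "9f8e7d6c"},
     "user_typed": {"user", "pass", "lang"},
     "sent": [("JSESSIONID", "A1B2C3D4E5F6G7H8I9J0", "cookie"), ("csrf", "9f8e7d6c", "body"),
              ("user", "alice", "body"), ("pass", "s3cret!", "body"), ("lang", "en", "body"),
              ("tz", "-300", "body"), ("clientsid", "k7Qp2mZx", "cookie"), ("page", "account.jsp", "query")]},
    {"domain": "app.example.com",
     "from_server": {"JSESSIONID": "A1B2C3D4E5F6G7H8I9J0"},
     "user_typed": set(),
     "sent": [("JSESSIONID", "A1B2C3D4E5F6G7H8I9J0", "cookie"), ("page", "home.jsp", "query")]},
]

if __name__ == "__main__":
    for name, info in classify(SAMPLE_STEPS, "alice", "s3cret!").items():
        print(f"{name:12} {info['role']:22} track={info['track']} duplicate={info['duplicate']}")
```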

In-Session Page and Pattern

This module first tries to identify the best page to be used for In-Session detection. It then extracts a string from this page that will identify this page as being a logged in page.

Figure 2. The In-Session Page and Pattern dialog box.

After running the analysis modules the tool produces a convenient log that can be provided to IBM Support or kept for later reference.

Figure 3. The Evaluation Complete review log.

While this tool doesn't aim to eradicate In-Session Detection issues it will definitely be a valuable help in the configuration of scans for complex sites with difficult login mechanisms. The tool was created by Paul Ionescu from IBM.

Installation

Download the eXtension zip package, launch Security AppScan, go to Tools > Extensions > Extension Manager and choose Install, then point to the zip package.

Supported

No, this eXtension is provided "as-is" by IBM.

Download

Description    Name                      Size
eXtension      LoginExpert_1.2.2.zip     32KB
