
Login Expert

developerWorks

31 Mar 2009
Updated 14 May 2009

The purpose of the Login Expert Extension is to assist in the troubleshooting of login problems.

System requirements

Rational AppScan version 7.8 and above.

Overview

Making a program log in to a site the way a human would can be difficult. Examples of the challenges are discovering session identifiers correctly, handling JavaScript execution, bypassing security controls and identifying an "in-session page".

Since AppScan is an automated security scanning tool it has come across these challenges as well. Enter Login Expert.

The purpose of the Login Expert Extension is to assist in the troubleshooting of login problems. The tool contains a set of heuristics based on best practices recommended by AppScan experts.

After a quick installation the tool can be accessed directly from Tools > Extensions, or it will launch automatically when a scan stops because it is out of session. After analyzing the login sequence the tool automatically makes all the configuration settings needed to ensure successful session handling.

Instructions

The Login Expert heuristics can be grouped into three main categories or modules: identifying Unnecessary Pages, settings for Parameters and Cookies, and In-Session Page and Pattern detection.

Unnecessary Pages

This module removes pages that are not needed to acquire the session. While it does not resolve Out of Session problems by itself, it improves scan performance and the performance of the following modules.

If no unnecessary pages are detected the user does not even notice the presence of this module. Otherwise the user can choose which pages to keep and which to delete.

Parameters and Cookies

This section mainly identifies which parameters and cookies should be tracked during a scan. Tracking means that AppScan will update the values of these entities from the target site's responses.

During this portion of the evaluation the tool also identifies the username and password parameters and whether JavaScript execution is required during login.

Figure 1. The Parameters and Cookies dialog box

Explanation of parameter roles:

  • Duplicate - parameter/cookie appears across two different domains and is tracked separately by default. It will be removed and the remaining instance will be tracked across all domains.
  • Navigational - parameter used in navigating to new pages or retrieving new content. This should not be tracked.
  • Username and Password - parameters that identify the credentials. These should not be tracked.
  • Set by User - other parameters that the user provides values for during login and are not credentials. They should not be tracked since they will always be the same.
  • Set by JS - parameters or cookies that are configured by the user without their knowledge through the intervention of JavaScript. They should be tracked if they are session identifiers. They also require the execution of JavaScript during the login sequence.
  • Set by Server - parameters or cookies that had a predefined value that was not changed by the user or by JavaScript code. These entities should be tracked.
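As an added illustration (not part of the article or of the Login Expert tool), here is a toy classifier that applies simplified versions of these role heuristics to a constructed login recording: a value is "Navigational" if an earlier response carried it in a link, "Set by Server" if an earlier Set-Cookie header or hidden field handed it out, and otherwise assumed to be "Set by JS"; the Step format, the origin rules and all hosts, cookie values and tokens are assumptions.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Step:
    """One request/response pair of a recorded login sequence (constructed format)."""
    host: str
    params: dict                               # name -> value the client sent (query/body/cookie)
    typed: dict = field(default_factory=dict)  # the subset the user typed into the form
    response: str = ""                         # headers + body the server returned

def origin(name, value, prior):
    """Role implied by where an earlier response offered the value, else None."""
    n, v = re.escape(name), re.escape(value)
    if re.search(rf'href="[^"]*[?&]{n}={v}', prior):
        return "Navigational"
    if re.search(rf'Set-Cookie: {n}={v}|name="{n}"[^>]*value="{v}"', prior):
        return "Set by Server"
    return None

def classify(steps, credentials):
    """Return (roles, names to track, names seen on two domains, needs_js)."""
    roles, hosts, prior = {}, {}, ""
    for step in steps:
        for name, value in step.params.items():
            hosts.setdefault(name, set()).add(step.host)
            if name in roles:                  # the first sighting decides the role
                continue
            if value in credentials:
                roles[name] = "Username and Password"
            elif name in step.typed:
                roles[name] = "Set by User"
            else:                              # no visible origin: assume JavaScript produced it
                roles[name] = origin(name, value, prior) or "Set by JS"
        prior += step.response                 # responses seen so far feed later steps
    tracked = {n for n, r in roles.items() if r in ("Set by Server", "Set by JS")}
    duplicates = {n for n, h in hosts.items() if len(h) > 1}
    return roles, tracked, duplicates, "Set by JS" in roles.values()

# Constructed three-step recording: hosts, cookie values and tokens are made up.
LOGIN_STEPS = [
    Step("app.example", {}, response='Set-Cookie: JSESSIONID=A1B2\r\n\r\n'
         '<a href="/login?lang=en">EN</a><input type="hidden" name="csrf" value="tok42">'),
    Step("app.example", {"JSESSIONID": "A1B2", "csrf": "tok42", "lang": "en", "user": "alice",
                         "pass": "s3cret", "remember": "yes", "fp": "9f8e"},
         typed={"user": "alice", "pass": "s3cret", "remember": "yes"},
         response="Set-Cookie: JSESSIONID=C3D4\r\n\r\nWelcome alice"),
    Step("api.example", {"JSESSIONID": "C3D4"}, response="{}"),  # same cookie, second domain
]
CREDENTIALS = {"alice", "s3cret"}
```

Running `classify(LOGIN_STEPS, CREDENTIALS)` marks JSESSIONID, csrf and fp for tracking, flags JSESSIONID as a Duplicate across the two domains, and reports that JavaScript execution is needed because fp has no visible origin.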

In-Session Page and Pattern

This module first tries to identify the best page to use for In-Session detection. It then extracts a string from this page that identifies it as a logged-in page.

Figure 2. The In Session Page and Pattern dialog box.

After running the analysis modules the tool produces a convenient log that can be provided to IBM Support or kept for later reference.

Figure 3. The Evaluation Complete review log.

While this tool does not aim to eradicate In-Session Detection issues, it will definitely be a valuable help in configuring scans of complex sites with difficult login mechanisms. The tool was created by Paul Ionescu from IBM.

Installation

Download the eXtension zip package, launch Rational AppScan, go to Tools > Extensions > Extension Manager and choose Install, then point to the zip package.

Supported

No, this eXtension is provided "as-is" by IBM.



Download

Description: eXtension
Name: LoginExpert_1.2.2.zip
Size: 32KB
Download method: HTTP

