If at first you don’t succeed, you’re hosed: The criticality of authentication in web scanning

We appreciate Kevin Beaver’s recent blog post about NTOSpider’s unique ability to authenticate on some of the trickiest applications and stay properly logged-in throughout the scan.

At NTO we take pride in helping our customers by solving the automation problems that limit most scanners. While, we strongly believe that there are things in applications that must be tested by human hands with human logic, the more that we can automate the better. Web applications continue to proliferate and become more complex. Even with comprehensive and advanced automation, there is too much for even the most sophisticated application security teams to do. I believe the vendor community’s responsibility is to continue to innovate against even the toughest application security scanning challenges.

application authentication

First of all, many thanks to Kevin for sharing his feedback on NTOSpider! It gives me a great opportunity to discuss the topic of automated logins. In a blog post earlier this year, “Web Application Security Scanning: The Art of Automation,” I enumerated several challenges in automated web application scanning, which included authentication, but here is a summary of some of the challenges when dealing with authentication:

  • Reliable automated detection of the login form. There are many possible formats, and they must be distinguished from other forms.

  • Automate the determination of a successful login vs. failed login (diff flavors of failures). This is one of the more challenging tasks that give web application security scanning vendors all sorts of headaches.

  • Deal with login forms that include onsubmit events that do crazy stuff such as client-side encryption of the password to “protect” it over the wire, or calculate some predetermined key based on some other token.

  • Handling Single-Sign On (SSO) solutions which require going to another domain/host for the login process.

    • Only send credentials to the intended SSO site

    • Properly handle the cookies from each domain, including those added by javascript routines

    • Must not attack the SSO site, but only use it for the login process.

  • Providing flexible backup solutions for instances where automation fails.

By creating technologies for the various problems, we make it possible for most scans to run successfully when just providing a URL and credentials. For example; for one of our customers has hundreds of complex applications, it simply is not possible to manually test each application. With one of their very large applications, they were challenged to reach the desired level of automation with their previous solution. It was very difficult to configure a scan which typically required weeks of trial and error to get the right configuration. Once the scanner was finally configured, the scan ran for more than a week and often crashed before it was complete. In many instances, the login training had to be re-done for each new scan. When the scan was performed by NTOSpider, it was able to automate the login and run to completion in a few days and with almost no training.

 One of the things that makes NTO different is our support. We understand that you are dealing with custom applications. You’ll often hear me say that every application is an edge case. These edge cases often require a customized solutions. When needed, we work directly with you to enhance NTOSpider to handle custom applications. The same customer I mentioned above had another application that had a form of two-factor authentication which asked the user to answer a revolving question, such as the color of your first car. Since the question would be randomly selected from five revolving possibilities, they needed a custom login macro. At the time, our existing login macro did not support such a situation. In response our support & development team took on the challenge and within a week we had extended our login macro solution to be able to figure out the question being asked and answer accordingly!

Another example of NT OBJECTives, innovating the art of automation!

About Dan Kuykendall 2535 Articles
Connect with Dan on Google+

Be the first to comment

Leave a Reply

Your email address will not be published.