
Automated Application Scanning: Handling Complicated Logins with AppScan (Only!)

Coalfire Cybersecurity Team

February 2, 2021


We put up a blog post two days ago demonstrating how to get IBM Rational AppScan to perform a complex login routine by chaining it together with BurpSuite. Ory Segal (@orysegal) from IBM Rational reached out with a simpler method that handles this natively in AppScan, with no external proxy in the chain. The approach is to configure AppScan to add a custom parameter to every request it sends, so the recorded login sequence carries the value the application expects. For the sample case in the authexamples GitHub repository, the configuration looks like this:

[Screenshot of the AppScan custom-parameter configuration; not reproduced here]

This does the same work we were previously doing with BurpSuite's inline editing, and the result is a successful login sequence and a valid session:

[Screenshot of the resulting successful login and valid session; not reproduced here]

Fun stuff! Many thanks to Ory for sending this along – we really appreciate the insight. For other scanner tool vendors – how would YOU recommend your users accomplish this same task? Either put up a blog post about it and send me the link, or send me some notes and a screenshot or two and I am happy to write it up.

Also, I’ve been talking with our web application pen test folks to get more examples to add to the authexamples GitHub repository. If you have any suggestions, please send them my way.
