Scan Settings: Authentication
To access this feature in a Basic Scan, click the Edit menu and select Default Scan Settings or Current Scan Settings. Then, in the Scan Settings category, select Authentication.
Authentication is the verification of identity as a security measure. Passwords and digital signatures are forms of authentication. You can configure automatic authentication so that a user name and password will be entered whenever Fortify WebInspect encounters a server or form that requires authentication. Otherwise, a crawl might be prematurely halted for lack of logon information.
Scan Requires Network Authentication
Select this check box if users must log on to your Web site or application.
Authentication Method
If authentication is required, select the authentication method as follows:
- ADFS CBT
- Automatic
- Basic
- Digest
- Kerberos
- NT LAN Manager (NTLM)
Authentication Credentials
Type a user ID in the User name box and the user's password in the Password box. To guard against mistyping, repeat the password in the Confirm Password box.
Caution! Fortify WebInspect will crawl all servers granted access by this password (if the sites/servers are included in the “allowed hosts” setting). To avoid potential damage to your administrative systems, do not use a user name and password that has administrative rights. If you are unsure about your access rights, contact your System Administrator or internal security professional, or contact Fortify Customer Support.
Client Certificates
Client certificate authentication allows users to present client certificates rather than entering a user name and password. You can select a certificate from the local machine or a certificate assigned to a current user. You can also select a certificate from a mobile device, such as a common access card (CAC) reader that is connected to your computer. To use client certificates:
- In the Client Certificates area, select the Enable check box.
- Click Select. The Client Certificates window opens.
- Do one of the following:
  - To use a certificate that is local to the computer and is global to all users on the computer, select Local Machine.
  - To use a certificate that is local to a user account on the computer, select Current User.
  Note: Certificates used by a common access card (CAC) reader are user certificates and are stored under Current User.
- Do one of the following:
  - To select a certificate from the "Personal" ("My") certificate store, select My from the drop-down list.
  - To select a trusted root certificate, select Root from the drop-down list.
- Does the website use a CAC reader?
  - If yes, do the following:
    - Select a certificate that is prefixed with “(SmartCard)” from the Certificate list. Information about the selected certificate and a PIN field appear in the Certificate Information area.
    - If a PIN is required, type the PIN for the CAC in the PIN field.
    - Click Test. If you entered the correct PIN, a Success message appears.
    Note: If a PIN is required and you do not enter the PIN at this point, you must enter the PIN in the Windows Security window each time it prompts you for it during the scan.
  - If no, select a certificate from the Certificate list. Information about the selected certificate appears below the Certificate list.
- Click OK.
Editing the Proxy Config File for WebInspect Tools
When using tools that incorporate a proxy (specifically Web Macro Recorder, Web Proxy, and Web Form Editor), you may encounter servers that do not ask for a client certificate even though a certificate is required. To accommodate this situation, you must perform the following tasks to edit the SPI.Net.Proxy.Config file.
Task 1: Find your certificate's serial number
- Open Microsoft Internet Explorer.
- From the Tools menu, click Internet Options.
- On the Internet Options window, select the Content tab and click Certificates.
- On the Certificates window, select a certificate and click View.
- On the Certificate window, click the Details tab.
- Click the Serial Number field and copy the serial number that appears in the lower pane (highlight the number and press Ctrl + C).
- Close all windows.
Task 2: Create an entry in the SPI.Net.Proxy.Config file
- Open the SPI.Net.Proxy.Config file for editing. The default location is C:\Program Files\Fortify\Fortify WebInspect.
- In the ClientCertificateOverrides section, add the following entry:
  <ClientCertificateOverride HostRegex="RegularExpression" CertificateSerialNumber="Number" />
  where:
  - RegularExpression is a regular expression matching the host URL (example: .*austin\.microfocus\.com).
  - Number is the serial number obtained in Task 1.
- Save the edited file.
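The HostRegex in the entry above decides which hosts the proxy will present the client certificate to, so it is worth checking its scope before saving the file. The following is an added example (Python, not part of Fortify's documentation or product); it assumes the regex is applied as an unanchored, case-insensitive search against each URL's host name, as with .NET Regex.IsMatch, and uses constructed host names.

```python
"""Check the scope of a ClientCertificateOverride HostRegex before saving it.

Added example for this page; it is not Fortify's code. It assumes the
HostRegex is applied as an unanchored, case-insensitive search (as with
.NET Regex.IsMatch) against the host name of each URL the proxy sees.
"""
import re
from urllib.parse import urlsplit
from xml.sax.saxutils import quoteattr

# Constructed sample of hosts a scan might contact; the look-alike host
# shows why the pattern should be anchored.
SAMPLE_URLS = [
    "https://austin.microfocus.com/login",
    "https://app.austin.microfocus.com/",
    "https://austin.microfocus.com.example.net/",  # look-alike host
    "https://other.example.org/",
]


def hosts_matching(host_regex: str, urls) -> list[str]:
    """Return the host names the override would present the certificate to."""
    pattern = re.compile(host_regex, re.IGNORECASE)
    matched = {urlsplit(u).hostname for u in urls
               if pattern.search(urlsplit(u).hostname)}
    return sorted(matched)


def override_entry(host_regex: str, serial_number: str) -> str:
    """Render the entry in the form the page shows, with XML attribute escaping."""
    return (f"<ClientCertificateOverride HostRegex={quoteattr(host_regex)} "
            f"CertificateSerialNumber={quoteattr(serial_number)} />")


if __name__ == "__main__":
    loose = r".*austin\.microfocus\.com"             # the page's example pattern
    strict = r"^([^.]+\.)*austin\.microfocus\.com$"  # anchored variant
    for label, rx in (("loose", loose), ("strict", strict)):
        print(label, rx, "->", hosts_matching(rx, SAMPLE_URLS))
    # The serial number here is a placeholder; use the one copied in Task 1.
    print(override_entry(strict, "SERIAL-FROM-TASK-1"))
```

An unanchored pattern such as the page's .*austin\.microfocus\.com also matches the look-alike host austin.microfocus.com.example.net, while the anchored variant limits the override to the intended hosts.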
Enable Macro Validation
Most dynamic application scans require user authentication to expose the complete surface of the application. Failure of the login macro to log in to the application results in a poor quality scan. If the login macro quality is measured before the scan, then low quality scans can be avoided.
Select Enable macro validation to enable Fortify WebInspect to test for inconsistencies in macro behavior at the start of the scan. For more information about the specific tests performed, see Testing Login Macros.
Use a login macro for forms authentication
This type of macro is used primarily for Web form authentication. It incorporates logic that will prevent Fortify WebInspect from terminating prematurely if it inadvertently logs out of your application. When recording this type of macro, be sure to specify the application's log-out signature. Click the ellipsis button to locate the macro. Click Record to record a macro.
Note: The Record button is not available for Guided Scan, because Guided Scan includes a separate stage for recording a login macro.
Login Macro Parameters
This section appears only if you have selected Use a login macro for forms authentication and the macro you have chosen or created contains fields that are designated username and password parameters.
If you start a scan using a macro that includes parameters for user name and password, then when you scan the page containing the input elements associated with these entries, Fortify WebInspect substitutes the user name and password specified here. This allows you to create the macro using your own user name and password, yet when other persons run the scan using this macro, they can substitute their own user name and password. This also applies to parameters for phone number, email, and email password that are used in two-factor authentication scans.
If the macro uses parameters for which values are masked in the Web Macro Recorder, then these values are also masked when configuring a Basic Scan or Guided Scan in Fortify WebInspect.
For information about creating parameters using the Web Macro Recorder, see
Use a startup macro
This type of macro is used most often to focus on a particular subsection of the application. It specifies URLs that Fortify WebInspect will use to navigate to that area. It may also include login information, but does not contain logic that will prevent Fortify WebInspect from logging out of your application. Fortify WebInspect visits all URLs in the macro, collecting hyperlinks and mapping the data hierarchy. It then calls the Start URL and begins a normal crawl (and, optionally, audit). Click the ellipsis button to locate the macro. Click Record to record a macro.
Multi-user Login
You can use the Multi-user Login option to parameterize the username and password in a login macro, and then define multiple username and password pairs to use in a scan. You can also parameterize the phone number, email, and email password if two-factor authentication is required. This approach allows the scan to run across multiple threads. Each thread has a different login session, resulting in faster scan times.
Important! To use Multi-user Login, you must first select Use a login macro for forms authentication and record a new macro or select an existing macro to use. See Use a login macro for forms authentication.
To use multiple user logins to conduct the scan:
- Select the Multi-user Login checkbox.
  Note: If you clear the Multi-user Login checkbox prior to running the scan, the additional credentials will not be used during the scan. Fortify WebInspect will use only the original credentials recorded in the login macro.
- Continue according to the task you want to perform:

  To add a user’s credentials:
  a. Under Multi-user Login, click Add. The Multi-user Credential Input dialog box appears.
  b. In the Username field, type a username.
  c. In the Password field, type the corresponding password.
  d. Optionally, if two-factor authentication is required, then add the following criteria:
     - Phone Number - corresponding phone number for the username (to receive SMS responses)
     - Email - corresponding email address for the username (to receive email responses)
     - Email Password - password for the email address (to receive email responses)
  e. Click OK.
  f. Repeat Steps a-e for each user login to add.
  Important! The number of shared requestor threads should not be more than the number of configured users. Requestor threads without valid users will cause the scan to run longer. Remember to count the original username and password in the parameterized macro as the first user when you configure multiple users. For more information, see Scan Settings: Requestor.

  To edit a user’s credentials:
  - Under Multi-user Login, select an entry in the table and click Edit. The Multi-user Credential Input dialog box appears.
  - Edit the credentials as needed.
  - Click OK.

  To delete a user’s credentials:
  - Under Multi-user Login, select the entry in the table to be removed.
  - Click Delete.
For more information, see Multi-user Login Scans.
See Also
Scan Settings: Cookies/Headers
Scan Settings: Custom Parameters