Scan settings: Authentication
To access this feature in a Basic Scan, click the Edit menu and select Default Scan Settings or Current Scan Settings. Then, in the Scan Settings category, select Authentication.
Authentication is the verification of identity as a security measure. Passwords and digital signatures are forms of authentication. You can configure automatic authentication so that a user name and password are supplied whenever OpenText DAST encounters a server or form that requires them. Otherwise, a crawl might halt prematurely for lack of logon information.
Scan requires network authentication
Select this check box if users must log on to your website or application.
Authentication method
If authentication is required, select the authentication method as follows:
- ADFS CBT
- Automatic
- Basic
- Digest
- Kerberos
- NT LAN Manager (NTLM)
- OAuth 2.0 Bearer
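If you are not sure which method a server uses, the scheme in the WWW-Authenticate header of its 401 response tells you. The following Python is an added example written for this page; it is not part of OpenText DAST or its documentation. It parses that header, including multi-challenge values such as Negotiate, NTLM, Basic realm="corp", and maps the first recognised scheme to one of the options above. The scheme-to-option mapping is the example's own assumption, as is treating a Negotiate (SPNEGO) challenge as Kerberos; ADFS CBT has no HTTP scheme of its own and is not covered. The sample challenges are constructed, not captured from a real server.

```python
"""Map a server's WWW-Authenticate challenge to an Authentication method option.

Added example for this page; it is not part of OpenText DAST. The mapping from
HTTP auth scheme to drop-down option is the example's own assumption.
"""
import re

# HTTP auth scheme (lower-case) -> option in the Authentication method list.
# Assumption: a "Negotiate" (SPNEGO) challenge is handled by the Kerberos option.
# SPNEGO can fall back to NTLM, so if Kerberos fails against such a server, try NTLM.
SCHEME_TO_METHOD = {
    "basic": "Basic",
    "digest": "Digest",
    "ntlm": "NT LAN Manager (NTLM)",
    "negotiate": "Kerberos",
    "bearer": "OAuth 2.0 Bearer",
}

# A leading token, then whatever follows it (parameters or a token68 blob).
_TOKEN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9._~+/-]*)\s*(.*)$", re.DOTALL)


def _split_challenges(header_value):
    """Split a WWW-Authenticate value on commas that are outside quoted strings.

    A challenge's parameters are also comma separated (realm="x", qop="auth"),
    so splitting on every unquoted comma yields a mix of scheme pieces and
    parameter pieces; parse_www_authenticate tells them apart.
    """
    pieces, buf, quoted, escaped = [], [], False, False
    for ch in header_value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and quoted:        # backslash escape inside a quoted-string
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == "," and not quoted:
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pieces.append("".join(buf))
    return [p.strip() for p in pieces if p.strip()]


def parse_www_authenticate(header_value):
    """Return the challenge schemes in a WWW-Authenticate value, lower-cased,
    in the order the server listed them (servers list their preference first).

    A piece that starts with token= is a parameter continuing the previous
    challenge; a piece that starts with a bare token (optionally followed by
    parameters or a token68 blob such as an NTLM type-2 message) is a new scheme.
    """
    schemes = []
    for piece in _split_challenges(header_value):
        m = _TOKEN_RE.match(piece)
        if not m:
            continue
        token, rest = m.group(1), m.group(2)
        if rest.startswith("="):           # e.g. qop="auth": a parameter, not a scheme
            continue
        schemes.append(token.lower())
    return schemes


def suggest_method(header_value):
    """Return the drop-down option for the first scheme we know how to map, or
    "Automatic" when the header is empty or carries only unknown schemes."""
    for scheme in parse_www_authenticate(header_value):
        if scheme in SCHEME_TO_METHOD:
            return SCHEME_TO_METHOD[scheme]
    return "Automatic"


# Constructed sample 401 challenges (not captured from any real server).
SAMPLES = {
    'Basic realm="corp", charset="UTF-8"': "Basic",
    'Digest realm="corp", qop="auth", nonce="dcd98b7102dd2f0e"': "Digest",
    "NTLM": "NT LAN Manager (NTLM)",
    'Negotiate, NTLM, Basic realm="corp"': "Kerberos",
    'Bearer realm="api", error="invalid_token"': "OAuth 2.0 Bearer",
    'Mutual realm="corp"': "Automatic",
}

if __name__ == "__main__":
    for header, expected in SAMPLES.items():
        got = suggest_method(header)
        print(f"{'OK ' if got == expected else 'BAD'} {header!r:58} -> {got}")
```

Capture the header with a browser's network panel or the Web Proxy tool while unauthenticated; when a server lists several schemes, the first one it lists is its preference, and the scan should normally use that.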
Authentication credentials
For all authentication methods except OAuth 2.0 Bearer, in the Authentication Credentials area:
- Type a user ID in the User name box.
- Type the user's password in the Password box.
- To guard against mistyping, repeat the password in the Confirm Password box.
Caution! OpenText DAST will crawl, and in an audit attack, every server and page that these credentials can reach, provided the host is included in the "allowed hosts" setting. A crawl exercises every link and form it finds, including ones that change or delete data. To avoid damage to your administrative systems, use a dedicated test account with the least privilege needed to reach the functionality you want to scan, and never use a user name and password that has administrative rights. If you are unsure about your access rights, contact your System Administrator or internal security professional, or contact Customer Support.
For the OAuth 2.0 Bearer method, in the Authentication Credentials area:
- Click Configure.
  The Open Authorization Configuration dialog opens.
- Continue with Configuring OAuth 2.0 bearer credentials.
Client certificates
Client certificate authentication allows users to present client certificates rather than entering a user name and password. You can select a certificate from the local machine store or from the current user's store. You can also select a certificate held on a smart card, such as a common access card (CAC) in a reader connected to your computer. To use client certificates:
- In the Client Certificates area, select the Enable check box.
- Click Select.
  The Client Certificates window opens.
- Do one of the following:
  - To use a certificate that is installed for the computer and is available to all users on it, select Local Machine.
  - To use a certificate that is installed for a single user account on the computer, select Current User.
  Note: Certificates used by a common access card (CAC) reader are user certificates and are stored under Current User.
- Do one of the following:
  - To select a certificate from the "Personal" ("My") certificate store, select My from the drop-down list.
  - To select a trusted root certificate, select Root from the drop-down list.
- Does the website use a CAC reader or a certificate that is password protected?
  - If yes, do the following:
    - Select a certificate that is prefixed with “(Protected)” from the Certificate list.
      Information about the selected certificate and a Password/PIN field appear in the Certificate Information area.
    - If a password or PIN is required, type it in the Password/PIN field.
    - Click Test.
      If you entered the correct password or PIN, a Success message appears.
    Note: If a password or PIN is required and you do not enter it at this point, you must enter it in the Windows Security window each time it prompts you during the scan.
    Important! By default, OpenText DAST uses OpenSSL. If you have configured a specific SSL/TLS protocol instead of the OpenSSL default, the Profiler stage of scan configuration may not work with password-protected certificates.
  - If no, select a certificate from the Certificate list.
    Information about the selected certificate appears below the Certificate list.
- Click OK.
Updating certificates in composite scan settings
The composite scan settings include a BIN file that contains encrypted certificate data. If you need to replace or update the client certificate in your composite scan settings, you can place the updated PFX or P12 file inside the certificates directory in the composite settings ZIP file. When OpenText DAST opens the settings, it will check for PFX and P12 files first. If none are present, then the BIN file will be decrypted and used. For more information about composite settings, see Application settings: General.
To replace or update the client certificate:
- Locate the encrypted BIN file in the certificates directory in your composite scan settings ZIP. The file name is a GUID, similar to the following:
  <your-scansettings.zip>\certificates\0b627638-efda-4d01-a83e-80ee3a79b4cf.bin
  Note: The default settings file location in Windows is C:\ProgramData\HP\HP WebInspect\Settings\.
- Place the updated PFX or P12 file into the same directory.
- Rename the PFX or P12 file to the same name as the BIN file. Using the previous example, the file name will be one of the following:
  0b627638-efda-4d01-a83e-80ee3a79b4cf.pfx
  — OR —
  0b627638-efda-4d01-a83e-80ee3a79b4cf.p12
  Important! Be sure to retain the original file extension (.pfx or .p12); only the base name changes.
- Optionally, if you want to retain an encrypted certificate in the settings, save the settings again in OpenText DAST. The BIN file will then reflect the updated PFX or P12 certificate, and the PFX or P12 file will be removed from the ZIP.
Tip: PFX and P12 certificates frequently require a password. Use one of the following options to provide the password for the settings:
- Set an empty password when you create the PFX or P12 certificate and place it in the settings ZIP file.
- Keep the password for the PFX or P12 certificate and edit the settings.json file to place the password as the value of CertificatePin, as follows:
  "CertificatePin": "<password>"
Either option leaves the private key, and with the second option its password, in cleartext inside the settings ZIP. Treat the ZIP as a secret while it is in this state, and save the settings again as described above so that the certificate is re-encrypted into the BIN file and the PFX or P12 file is removed.
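The following Python script performs the replace-and-rename steps above against a composite settings ZIP. It is an added example, not a tool shipped with OpenText DAST, and it assumes the layout described on this page: exactly one certificates/<GUID>.bin entry, and a settings.json whose CertificatePin value holds the PFX or P12 password. That settings.json sits at the root of the ZIP is an assumption. The demo fixture it builds is constructed, with placeholder bytes in place of a real PKCS#12 file and the GUID from the example above.

```python
"""Replace the client certificate in a composite scan-settings ZIP.

Added example, not part of OpenText DAST. Assumes the ZIP layout described in
the documentation: exactly one certificates/<GUID>.bin entry, and a top-level
settings.json whose "CertificatePin" value carries the PFX/P12 password
(the location of settings.json inside the ZIP is an assumption).
"""
import json
import os
import tempfile
import zipfile

CERT_DIR = "certificates/"
SETTINGS_JSON = "settings.json"
CERT_EXTS = (".pfx", ".p12")


def find_bin_guid(zf):
    """Return the GUID stem of the single certificates/<GUID>.bin entry."""
    bins = [n for n in zf.namelist()
            if n.startswith(CERT_DIR) and n.lower().endswith(".bin")]
    if len(bins) != 1:
        raise ValueError(f"expected one .bin under {CERT_DIR}, found {bins}")
    return os.path.splitext(os.path.basename(bins[0]))[0]


def update_client_certificate(settings_zip, new_cert_path, pin=None):
    """Add new_cert_path to the ZIP as certificates/<GUID>.pfx|.p12 and, if pin
    is given, store it as CertificatePin in settings.json. Returns a summary.

    Any stale PFX/P12 already under certificates/ is dropped first, because
    DAST prefers a PFX/P12 over the BIN when both are present.
    """
    ext = os.path.splitext(new_cert_path)[1].lower()
    if ext not in CERT_EXTS:
        raise ValueError("certificate must be a .pfx or .p12 file")
    with zipfile.ZipFile(settings_zip) as src:
        guid = find_bin_guid(src)
        names = src.namelist()
        if pin is not None and SETTINGS_JSON not in names:
            raise ValueError(f"{SETTINGS_JSON} not found; cannot set CertificatePin")
        entries = [(n, src.read(n)) for n in names
                   if not (n.startswith(CERT_DIR) and n.lower().endswith(CERT_EXTS))]
    new_name = f"{CERT_DIR}{guid}{ext}"     # same GUID name, original extension kept
    with open(new_cert_path, "rb") as f:
        cert_bytes = f.read()
    # zipfile cannot edit in place: write a sibling temp file, then swap it in.
    fd, tmp_path = tempfile.mkstemp(
        suffix=".zip", dir=os.path.dirname(os.path.abspath(settings_zip)))
    os.close(fd)
    with zipfile.ZipFile(tmp_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, data in entries:
            if name == SETTINGS_JSON and pin is not None:
                settings = json.loads(data.decode("utf-8-sig"))
                settings["CertificatePin"] = pin
                data = json.dumps(settings, indent=2).encode("utf-8")
            dst.writestr(name, data)
        dst.writestr(new_name, cert_bytes)
    os.replace(tmp_path, settings_zip)
    return {"guid": guid, "certificate_entry": new_name, "pin_set": pin is not None}


def build_demo_settings(directory):
    """Write a constructed composite-settings ZIP plus a placeholder PFX for the
    demo. The GUID is the documentation's example; the bytes are not a real PKCS#12."""
    zip_path = os.path.join(directory, "demo-scansettings.zip")
    pfx_path = os.path.join(directory, "renewed-client-cert.pfx")
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr(SETTINGS_JSON, json.dumps({"CertificatePin": ""}))
        zf.writestr(CERT_DIR + "0b627638-efda-4d01-a83e-80ee3a79b4cf.bin",
                    b"<encrypted certificate blob>")
    with open(pfx_path, "wb") as f:
        f.write(b"<placeholder PKCS#12 bytes>")
    return zip_path, pfx_path


def demo():
    """Run the update against the constructed fixture; returns (summary, entry names, pin)."""
    with tempfile.TemporaryDirectory() as d:
        zip_path, pfx_path = build_demo_settings(d)
        summary = update_client_certificate(zip_path, pfx_path, pin="pfx-export-password")
        with zipfile.ZipFile(zip_path) as zf:
            names = sorted(zf.namelist())
            pin = json.loads(zf.read(SETTINGS_JSON))["CertificatePin"]
    return summary, names, pin


if __name__ == "__main__":
    print(demo())
```

After running it against a real settings ZIP, open the settings in OpenText DAST and save them again so that the certificate is re-encrypted into the BIN file and the cleartext PFX or P12 is removed; until then the ZIP holds the private key, and the pin if you set one, in cleartext.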
Editing the proxy config file for OpenText DAST tools
When using tools that incorporate a proxy (specifically Web Macro Recorder, Web Proxy, and Web Form Editor), you may encounter servers that do not ask for a client certificate even though a certificate is required. To accommodate this situation, you must perform the following tasks to edit the SPI.Net.Proxy.Config file.
Task 1: Find your certificate's serial number
- Open the Microsoft Edge browser.
- Search the settings for "Internet Explorer compatibility" and enable the setting, if necessary.
- Select Internet Options.
- On the Internet Options window, select the Content tab and click Certificates.
- On the Certificates window, select a certificate and click View.
- On the Certificate window, click the Details tab.
- Click the Serial Number field and copy the serial number that appears in the lower pane (highlight the number and press Ctrl + C).
- Close all windows.
Task 2: Create an entry in the SPI.Net.Proxy.Config file
- Open the SPI.Net.Proxy.Config file for editing. The default location is C:\Program Files\Fortify\Fortify WebInspect.
- In the ClientCertificateOverrides section, add the following entry:
  <ClientCertificateOverride HostRegex="RegularExpression" CertificateSerialNumber="Number" />
  where:
  RegularExpression is a regular expression matching the host URL (example: .*austin\.spidynamics\.com). The proxy presents the certificate to every host this expression matches, so make it as specific as possible and anchor it (for example, with ^ and $) so that it cannot also match look-alike hosts under another domain.
  Number is the serial number obtained in Task 1.
- Save the edited file.
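The following Python is an added example, not part of OpenText DAST, that builds one ClientCertificateOverride entry with correct XML escaping and lets you test a HostRegex against intended and look-alike hosts before committing it. It assumes, since the page does not say, that HostRegex is evaluated against the request's host name with an unanchored, case-insensitive regular-expression search (the .NET Regex.IsMatch default), that the first matching override wins, and that the serial number is written exactly as copied from the certificate's Details tab. The host names and serial are constructed.

```python
"""Build and sanity-check a ClientCertificateOverride entry for SPI.Net.Proxy.Config.

Added example, not part of OpenText DAST. Assumptions: HostRegex is tested
against the request's host name with an unanchored, case-insensitive search
(the .NET Regex.IsMatch default), the first matching override wins, and the
serial number is written as given.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit


def override_element(host_regex, serial_number):
    """Return the XML for one override; ElementTree escapes & < > " for us."""
    el = ET.Element("ClientCertificateOverride",
                    HostRegex=host_regex, CertificateSerialNumber=serial_number)
    return ET.tostring(el, encoding="unicode")


def parse_override(xml_text):
    """Read an override element back into a dict of its attributes."""
    return dict(ET.fromstring(xml_text).attrib)


def select_certificate(overrides, url):
    """overrides: list of (host_regex, serial). Return the serial the proxy
    would present for url, or None when no override matches the URL's host."""
    host = urlsplit(url).hostname or ""
    for host_regex, serial in overrides:
        if re.search(host_regex, host, re.IGNORECASE):
            return serial
    return None


def check_host_regex(host_regex, must_match, must_not_match):
    """Return the hosts the expression gets wrong (intended hosts it misses and
    look-alikes it accepts), so an entry can be tested before it is committed."""
    wrong = [h for h in must_match if not re.search(host_regex, h, re.IGNORECASE)]
    wrong += [h for h in must_not_match if re.search(host_regex, h, re.IGNORECASE)]
    return wrong


# The documentation's example expression, and an anchored version of it.
DOC_REGEX = r".*austin\.spidynamics\.com"
ANCHORED_REGEX = r"^([a-z0-9-]+\.)*austin\.spidynamics\.com$"

# Constructed hosts: the intended targets and a look-alike under another domain.
INTENDED = ["austin.spidynamics.com", "www.austin.spidynamics.com"]
LOOKALIKE = ["austin.spidynamics.com.attacker.example"]
SERIAL = "4a 3f 2e 1d"   # placeholder serial, in the form Windows displays it

if __name__ == "__main__":
    print(override_element(ANCHORED_REGEX, SERIAL))
    print("doc regex misfires on:", check_host_regex(DOC_REGEX, INTENDED, LOOKALIKE))
    print("anchored misfires on: ", check_host_regex(ANCHORED_REGEX, INTENDED, LOOKALIKE))
```

The unanchored expression from the example above also matches austin.spidynamics.com.attacker.example, so the proxy would present your client certificate, which is your identity to the application, to that host as well; the anchored form does not.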
Enable macro validation
Most dynamic application scans require user authentication to expose the complete surface of the application. Failure of the login macro to log in to the application results in a poor quality scan. If the login macro quality is measured before the scan, then low quality scans can be avoided.
Select Enable macro validation to enable OpenText DAST to test for inconsistencies in macro behavior at the start of the scan. For more information about the specific tests performed, see Testing login macros.
Use a login macro for forms authentication
This type of macro is used primarily for Web form authentication. It incorporates logic that will prevent OpenText DAST from terminating prematurely if it inadvertently logs out of your application. When recording this type of macro, be sure to specify the application's log-out signature. Click the ellipsis button to locate the macro. Click Record to record a macro.
Note: The Record button is not available for Guided Scan, because Guided Scan includes a separate stage for recording a login macro.
Login macro parameters
This section appears only if you have selected Use a login macro for forms authentication and the macro you have chosen or created contains fields that are designated username and password parameters.
If you start a scan using a macro that includes parameters for user name and password, then when you scan the page containing the input elements associated with these entries, OpenText DAST substitutes the user name and password specified here. This feature enables you to create the macro using your own user name and password, yet when other persons run the scan using this macro, they can substitute their own user name and password. This also applies to parameters for phone number, email, and email password that are used in two-factor authentication scans.
If the macro uses parameters for which values are masked in the Web Macro Recorder, then these values are also masked when configuring a Basic Scan or Guided Scan in OpenText DAST.
For information about creating parameters using the Web Macro Recorder, see
Use a startup macro
This type of macro is used most often to focus on a particular subsection of the application. It specifies URLs that OpenText DAST will use to navigate to that area. It may also include login information, but does not contain logic that will prevent OpenText DAST from logging out of your application. OpenText DAST visits all URLs in the macro, collecting hyperlinks and mapping the data hierarchy. It then calls the Start URL and begins a normal crawl (and, optionally, audit). Click the ellipsis button to locate the macro. Click Record to record a macro.
Multi-user login
You can use the Multi-user Login option to parameterize the username and password in a login macro, and then define multiple username and password pairs to use in a scan. You can also parameterize the phone number, email, and email password if two-factor authentication is required. This approach allows the scan to run across multiple threads. Each thread has a different login session, resulting in faster scan times.
Important! To use Multi-user Login, you must first select Use a login macro for forms authentication and record a new macro or select an existing macro to use. See Use a login macro for forms authentication.
To use multiple user logins to conduct the scan:
- Select the Multi-user Login checkbox.
  Note: If you clear the Multi-user Login checkbox prior to running the scan, the additional credentials will not be used during the scan. OpenText DAST will use only the original credentials recorded in the login macro.
- Continue according to the following:

  To add a user's credentials:
  - Under Multi-user Login, click Add.
    The Multi-user Credential Input dialog box appears.
  - In the Username field, type a username.
  - In the Password field, type the corresponding password.
  - Optionally, if two-factor authentication is required, add the following:
    - Phone Number: the phone number for the username (to receive SMS responses)
    - Email: the email address for the username (to receive email responses)
    - Email Password: the password for that email address (to receive email responses)
  - Click OK.
  - Repeat these steps for each user login to add.
  Important! The number of shared requestor threads should not exceed the number of configured users; threads without a valid user of their own make the scan run longer. Count the original username and password in the parameterized macro as the first user when you configure multiple users. For more information, see Scan settings: Requestor.

  To edit a user's credentials:
  - Under Multi-user Login, select an entry in the table and click Edit.
    The Multi-user Credential Input dialog box appears.
  - Edit the credentials as needed.
  - Click OK.

  To delete a user's credentials:
  - Under Multi-user Login, select the entry in the table to be removed.
  - Click Delete.

For more information, see Multi-user login scans.
See also
Scan settings: Cookies/Headers
Scan settings: Custom Parameters