Interactive scans

Web applications using certain types of anti-scanning technology, such as CAPTCHA, require an interactive scan configuration in OpenText DAST. In an interactive scan, you are presented with a browser window asking for user input for authentication. You can configure an automated interactive scan that will pause only when an input field is encountered. This pause affects only the Requestor thread that encounters the input field. The remaining threads are unaffected.

Interactive scan configuration works for CAPTCHA, RSA ID token fields, virtual PIN pads, virtual keyboards, and common access card (CAC) readers where the PIN or input is dynamic and changes.

Tip: For websites that use a CAC reader with a static PIN, you can configure the scan to use CAC certificates. See one of the following topics:

Note: Two-factor authentication does not require an interactive scan. You can configure fully-automated scans using two-factor authentication. For more information, see Using two-factor authentication.

Configuring an interactive scan

The following stages describe the process for configuring an interactive scan.

Stage 1

Prepare the web forms input file as follows:

  1. Record or enter the field name into the Web Form Editor tool.

  2. Right-click the form name and select Mark As Interactive.

  3. Save the web forms input file.

For more information, see the Web Form Editor chapter in the OpenText™ Dynamic Application Security Testing Tools Guide.

Stage 2

Are you using a client-side certificate that requires a dynamic PIN?

  • If yes, ensure that the client-side certificate is listed in the certificates list in your browser or manually import it. For example, in Microsoft Edge, access the Manage certificates dialog box in the Privacy, search, and services settings.

    This action temporarily loads the certificate into the Windows certificate store.

    Note: Plugging in the hardware token and entering the requested PIN may do this automatically.

  • If no, skip to Stage 3.

Stage 3

Configure the scan method for interactive scan mode as follows:

  1. Open the Scan Settings: Method window.

  2. In the Auto fill web forms field, specify the web forms input file you created in Stage 1.

  3. Select the Prompt for web form values during scan (interactive mode) check box.

  4. Select the Only prompt for tagged inputs check box.

    Note: If this final check box is not selected, you will be prompted for all inputs encountered on the site.

Stage 4

Are you using a client-side certificate that requires a dynamic password or PIN?

  • If yes, configure authentication to use the client-side certificate:

    1. Open the Scan Settings: Authentication window.

    2. In the Client Certificates area, select the Enable check box and browse to select the user's certificate.

    Note: OpenText DAST keeps using this certificate until a prompt for the password or PIN times out without input, or until the hardware token is removed and Windows drops the certificate from the store.

  • If no, skip to Stage 5.
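A practical check for Stages 2 and 4, added here as an example and not part of the OpenText DAST documentation: the PowerShell below lists the certificates in the current user's personal store that carry the Client Authentication key usage and reports whether each is unexpired and has a reachable private key. Run it after inserting the token and entering the PIN (Stage 2) and before you browse for the certificate in Stage 4; if it reports no usable certificate, the browse dialog will not show one either. The function names and the warning text are this example's own, and the store path assumes Windows' default propagation of smart card certificates into Cert:\CurrentUser\My.

```powershell
# Added example, not from the OpenText DAST documentation: verify that a
# client-authentication certificate (for example one propagated from a CAC or
# other hardware token) is present in the current user's personal store, which
# is the store that Edge's "Manage certificates" dialog and the Client
# Certificates browse dialog in Scan Settings: Authentication read from.
# Function names and parameter names below are this example's own.

function Get-ClientAuthCertificate {
    [CmdletBinding()]
    param(
        # Assumption: Windows propagates smart card certificates into CurrentUser\My.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $ekuOid        = '2.5.29.37'           # Extended Key Usage extension
    $ekuType       = 'System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension'
    $now           = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuOid } | Select-Object -First 1
        if (-not $ekuExt) { continue }

        # Decode the EKU list and keep only certificates usable for TLS client auth.
        $eku    = New-Object -TypeName $ekuType -ArgumentList $ekuExt, $ekuExt.Critical
        $usable = @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }).Count -gt 0
        if (-not $usable) { continue }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt $now)
            # False here usually means the token is not inserted, or the
            # certificate was imported without its key; Stage 4 then fails.
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

function Test-ClientAuthCertificateReady {
    # Returns $true when at least one unexpired client-auth certificate with a
    # reachable private key is in the store; prints the candidates either way.
    [CmdletBinding()]
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $certs = @(Get-ClientAuthCertificate -StorePath $StorePath)
    $certs | Format-Table Subject, Thumbprint, NotAfter, Expired, HasPrivateKey -AutoSize | Out-Host

    $ready = @($certs | Where-Object { -not $_.Expired -and $_.HasPrivateKey })
    if ($ready.Count -eq 0) {
        Write-Warning ('No usable client-authentication certificate found. Insert the token and enter ' +
                       'its PIN, or import the certificate in Edge (Settings > Privacy, search, and ' +
                       'services > Manage certificates), then re-run this check.')
        return $false
    }
    return $true
}

# Run before Stage 4, and again if the scan later stops presenting the
# certificate (for example after the token was removed).
Test-ClientAuthCertificateReady
```

Because the token's certificate disappears from the store when the hardware is unplugged, re-running the check is also the quickest way to confirm the cause when a previously working scan begins failing client authentication mid-run.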

Stage 5

Save the scan settings and use them in an OpenText DAST scan.

Important! Watch for the prompts during the scan and enter the requested form value each time one appears. The Requestor thread that raised the prompt waits for your input; only that thread pauses, and the remaining threads continue.