Many web applications employ additional authentication mechanisms, such as CAPTCHAs and one-time tokens, to enhance user security. Netsparker supports these mechanisms through its Interactive Login feature. When the Interactive Login checkbox is enabled, Netsparker opens a browser window during the authentication step so that you can enter the required data manually.
These are some scenarios in which you can use the Interactive login feature:
- The website requires a CAPTCHA (to be solved during authentication or to access a particular area)
- The website requires you to enter a dynamic token value like a 2FA PIN during authentication
- You are unable to configure Netsparker to complete the login form and want to perform the authentication manually (e.g. the login form is rendered as a Flash/Silverlight/Java Applet embedded in the browser)
You can also combine the Interactive Login functionality with the automatic login capability and custom scripting support. For example, a website might require you to enter a regular username and password on the first page and a 2FA PIN on the second page. In such a case, you configure the credentials and enable the Interactive Login option. Netsparker first submits the regular login form details and then prompts you with the interactive login browser, allowing you to enter the 2FA PIN.
How to Configure CAPTCHA, One Time Tokens and Two Factor Authentication Mechanisms
- Open Netsparker Standard.
- From the Home tab, click New. The Start a New Website or Web Service Scan dialog is displayed.
- Select the Form tab.
- In the Form Authentication section, enable the Enabled checkbox.
- In Login Form URL field, enter the URL.
- In the Personas field:
  - Enable the Active option
  - Enter the Username and Password
  - Enable the Interactive login (Check this for OTP, CAPTCHA, etc.) checkbox.
- Click Verify Login & Logout to confirm that the login settings are correct.
- After login, click Click here to continue to complete this step and begin logout detection.
- After verification, click Start Scan.
- Once Netsparker logs in, enter the 2FA PIN (or other required value) in the interactive login browser, and the scan continues.