One-Time Password (OTP)

If required by your application, configure AppScan® to use OTP when logging in.

If your application uses OTP, select one of the two OTP options; otherwise leave the default setting, None.

When you record the login procedure, AppScan will extract the relevant parameters from the traffic and add them to the Automatic Form Fill list. They will also be shown in the lower part of the OTP view. If AppScan fails to identify the parameters, you must add them yourself, either in this view or in the Automatic Form Fill view.
Limitations:
  • Only one OTP type (TOTP or URL-generated) is supported per scan.
  • For TOTP, only numeric values are supported.
  • OTP is supported only when the Chromium browser is used to record the Login. It is not supported if Internet Explorer is used.
Options:

TOTP

For time-based one-time passwords, you must provide AppScan with:
  • Secret key
  • Password length (number of characters)
  • Hashing algorithm used (select from the dropdown)
  • Time step (in seconds)
Tip: The times on the AppScan machine and the tested server must both be accurate.

URL-generated OTP

If the OTP is accessible from a designated URL, you can configure AppScan to extract it from the URL’s response. You must provide AppScan with:
  • URL
  • Regular expression that will identify the OTP in the URL response.

None

OTP is not used by the site, or scanning the pages that use OTP is not required.
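The following is an added worked example, not AppScan's own code: it generates an RFC 6238 TOTP from the four values the TOTP option asks for (secret key, password length, hashing algorithm, time step), shows why the clock tip matters, and applies a regular expression to a URL response the way the URL-generated option does. It assumes the secret key is supplied in Base32, and the JSON response body and the regular expression are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
import struct
import time


def totp(secret_b32, digits=6, algorithm="sha1", time_step=30, at=None):
    """RFC 6238 TOTP. Returns the numeric code valid at Unix time `at` (default: now)."""
    # Assumption: the secret key is Base32 (often shown without '=' padding).
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    now = int(time.time()) if at is None else int(at)
    counter = now // time_step                      # T = floor(unix_time / time_step)
    msg = struct.pack(">Q", counter)                # 8-byte big-endian counter (RFC 4226)
    digest = hmac.new(key, msg, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # password length = number of digits


def clock_skew_changes_code(at, skew_seconds, time_step=30):
    """True if a clock that is off by `skew_seconds` lands in a different time step,
    i.e. AppScan and the server would compute different codes (the reason for the tip
    that both clocks must be accurate)."""
    return at // time_step != (at + skew_seconds) // time_step


def extract_otp(response_body, pattern):
    """URL-generated OTP: apply the configured regular expression to the URL response.
    Capture group 1 is the OTP if the pattern has one, otherwise the whole match."""
    m = re.search(pattern, response_body)
    if not m:
        return None
    return m.group(1) if m.groups() else m.group(0)


# Constructed sample response and pattern (not from a real application).
CONSTRUCTED_RESPONSE = '{"status":"ok","otp":"483921","expires":60}'
OTP_PATTERN = r'"otp"\s*:\s*"(\d+)"'

if __name__ == "__main__":
    # RFC 6238 test secret "12345678901234567890" in Base32, 8 digits, SHA-1, 30 s step.
    print(totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", digits=8, at=59))   # 94287082
    print(clock_skew_changes_code(59, 1))                               # True
    print(extract_otp(CONSTRUCTED_RESPONSE, OTP_PATTERN))               # 483921
```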

Details

OTP HTTP-Parameters

If you have selected one of the OTP types, then when you validate the Recorded Login procedure, AppScan will identify the required parameters from the traffic and add them to the Automatic Form Fill list. They will also be shown here.

If AppScan® fails to identify the parameters, or if you use Automatic Login, you must add them yourself. Parameters must be comma separated.

How to identify the OTP HTTP-parameter

AppScan needs to know the name of the parameter that contains the OTP (in order to be able to login to the application), and usually identifies it when validating the Recorded Login procedure. If it fails to do so, or if you use Automatic Login, you must add the parameter yourself.

To identify the parameter:
  1. Open a browser and go to your application's login page.
  2. Click F12 to open the developer tools pane of the browser (opens to the right of, or underneath, the main browser pane).
  3. Click on the Elements tab to view the HTML code.

    When you select a part of the code, the element is highlighted in the main browser pane.

  4. Locate the element that, when selected, highlights the OTP field.
    Example:
    <input type="text" name="OTPvalue" value="">
  5. The value of the name attribute, without the quotation marks, is the OTP HTTP parameter you need.
    Example:
    OTPvalue
  6. If there is more than one OTP HTTP parameter, separate them with commas.